Wednesday, April 24, 2024

Enable M365 activity based time-out & Office Code Execution fix


CIPP Components

About 8 months ago I started a larger open source project called CIPP. CIPP is an M365 management tool aimed at Managed Services Providers, built on Azure Static Web Apps with a PowerShell backend. This blog shares some of the PowerShell code that is used for the backend. CIPP is always looking for contributors on both the frontend and backend side, so jump in if you'd like. You can find the GitHub project here.

Automating with PowerShell: Enabling Activity based timeout

This was a feature request made some weeks ago for CIPP, and I liked it enough to implement it immediately. This script activates the Activity Based Timeout policy for M365 web applications: if a user's browser session sits idle for longer than 1 hour, they get a small pop-up warning that they are about to be signed out, and the session is ended. The policy only governs browser sessions in the Microsoft 365 web apps that honor it; desktop and mobile clients are not affected. The script uses the Secure Application Model to connect to all your tenants and change their settings.

This script requires the 'Policy.ReadWrite.ApplicationConfiguration' permission, so make sure you have it set on your Secure Application Model app.

##########
$ApplicationId = 'AppID'
$ApplicationSecret = 'AppSecret'
$RefreshToken = "RefreshToken"
##########
# Secure Application Model: exchange the partner refresh token for a Graph token on the partner tenant.
# New-PartnerAccessToken comes from the PartnerCenter module (Install-Module PartnerCenter).
$credential = New-Object System.Management.Automation.PSCredential($ApplicationId, ($ApplicationSecret | ConvertTo-SecureString -AsPlainText -Force))
$graphToken = New-PartnerAccessToken -ApplicationId $ApplicationId -Credential $credential -RefreshToken $RefreshToken -Scopes 'https://graph.microsoft.com/.default' -ServicePrincipal

Write-Host "Connecting to the Graph API to get all tenants." -ForegroundColor Green
$Contractheaders = @{ "Authorization" = "Bearer $($graphToken.AccessToken)" }
$Customers = (Invoke-RestMethod -Uri "https://graph.microsoft.com/v1.0/contracts?`$top=999" -Method GET -Headers $Contractheaders).value
foreach ($Customer in $Customers) {
    try {
        # Client-credentials token for the customer tenant (the SAM app is consented there)
        $body = @{
            'resource'      = 'https://graph.microsoft.com'
            'client_id'     = $ApplicationId
            'client_secret' = $ApplicationSecret
            'grant_type'    = "client_credentials"
            'scope'         = "openid"
        }
        $ClientToken = Invoke-RestMethod -Method POST -Uri "https://login.microsoftonline.com/$($Customer.customerId)/oauth2/token" -Body $body -ErrorAction Stop
        $headers = @{ "Authorization" = "Bearer $($ClientToken.access_token)" }

        # "definition" is an array holding one JSON *string*, so the inner quotes must be escaped
        $Actbody = @"
{
  "displayName": "DefaultTimeoutPolicy",
  "isOrganizationDefault": true,
  "definition": ["{\"ActivityBasedTimeoutPolicy\":{\"Version\":1,\"ApplicationPolicies\":[{\"ApplicationId\":\"default\",\"WebSessionIdleTimeout\":\"01:00:00\"}]}}"]
}
"@
        Invoke-RestMethod -Headers $headers -Uri "https://graph.microsoft.com/beta/policies/activityBasedTimeoutPolicies" -Method POST -Body $Actbody -ContentType "application/json" -ErrorAction Stop | Out-Null

        Write-Host "Enabled Activity Based Timeout for $($Customer.defaultDomainName)" -ForegroundColor Green
    }
    catch {
        Write-Host "Could not enable Activity based timeout for $($Customer.defaultDomainName): $($_.Exception.Message)" -ForegroundColor Red
    }
}
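The POST above creates a new policy object every time it runs, and a tenant can have only one activity-based timeout policy marked as the organisation default, so re-running the script against the same tenant is not idempotent. The following is an added example (my code, not CIPP's or the author's) that makes the same change safely: it looks up an existing default policy, compares its timeout, and only PATCHes or POSTs when something actually needs to change. It assumes `$headers` already carries a Bearer token for the customer tenant obtained the way the script above does, and that the app holds Policy.ReadWrite.ApplicationConfiguration; the function name Set-ActivityBasedTimeout and its output fields are my own.

```powershell
# Added example, not part of the original post. Idempotent activity-based timeout push for one tenant.
# Assumes $Headers holds a tenant-scoped Graph Bearer token (same as $headers in the script above).
function Set-ActivityBasedTimeout {
    param(
        [Parameter(Mandatory)] [hashtable] $Headers,
        [string] $IdleTimeout = '01:00:00',        # hh:mm:ss idle time before the web session ends
        [string] $DisplayName = 'DefaultTimeoutPolicy'
    )
    $base = 'https://graph.microsoft.com/beta/policies/activityBasedTimeoutPolicies'

    # Build the nested definition with ConvertTo-Json so the inner quotes are escaped for us;
    # Graph expects "definition" to be an array containing a single JSON string.
    $definition = @{
        ActivityBasedTimeoutPolicy = @{
            Version             = 1
            ApplicationPolicies = @(@{ ApplicationId = 'default'; WebSessionIdleTimeout = $IdleTimeout })
        }
    } | ConvertTo-Json -Depth 5 -Compress

    $payload = @{
        displayName           = $DisplayName
        isOrganizationDefault = $true
        definition            = @($definition)
    } | ConvertTo-Json -Depth 5

    # Look for the current organisation-default policy before creating anything.
    $existing = (Invoke-RestMethod -Uri $base -Headers $Headers -Method GET -ErrorAction Stop).value |
        Where-Object { $_.isOrganizationDefault -eq $true } | Select-Object -First 1

    if ($existing) {
        $current = ($existing.definition[0] | ConvertFrom-Json).ActivityBasedTimeoutPolicy.ApplicationPolicies[0].WebSessionIdleTimeout
        if ($current -eq $IdleTimeout) {
            return [pscustomobject]@{ Action = 'Unchanged'; Id = $existing.id; Timeout = $current }
        }
        Invoke-RestMethod -Uri "$base/$($existing.id)" -Headers $Headers -Method PATCH -Body $payload -ContentType 'application/json' -ErrorAction Stop | Out-Null
        return [pscustomobject]@{ Action = 'Updated'; Id = $existing.id; Timeout = $IdleTimeout }
    }

    $new = Invoke-RestMethod -Uri $base -Headers $Headers -Method POST -Body $payload -ContentType 'application/json' -ErrorAction Stop
    return [pscustomobject]@{ Action = 'Created'; Id = $new.id; Timeout = $IdleTimeout }
}

# Usage inside the foreach loop of the script above, once $headers is set for the tenant:
# Set-ActivityBasedTimeout -Headers $headers -IdleTimeout '01:00:00'
```

Returning an object with an Action field (Created/Updated/Unchanged) rather than just writing to the host makes it easy to log per-tenant drift from a scheduled run: anything other than Unchanged means somebody (or some other tool) touched the policy since the last pass.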


Update: Office Follina vulnerability

Right before I released this blog, a new issue arose for Microsoft Office that allows code execution (the "Follina" MSDT vulnerability, CVE-2022-30190, triggered through the ms-msdt: URL protocol handler from a crafted document). Luckily, the workaround is easy and doesn't seem to impact normal usage: renaming the ms-msdt registry key disables the handler while keeping a backup to restore later. Use the following script to mitigate the Office Follina issue; set ActivateWorkaround to anything other than "Yes" to roll it back once the machine has received the Windows update that fixes it:

# Set to "Yes" to apply the workaround, anything else to roll it back (handy as an RMM script variable)
$ENV:ActivateWorkaround = "Yes"

# PowerShell has no HKCR: drive by default; create it once and ignore the error if it already exists
New-PSDrive -PSProvider Registry -Root HKEY_CLASSES_ROOT -Name HKCR -ErrorAction SilentlyContinue | Out-Null

if ($ENV:ActivateWorkaround -eq "Yes") {
    # Disable the ms-msdt: protocol handler by renaming its key; the renamed key serves as the backup
    Set-Item -Path "HKCR:\ms-msdt" -Value "URL:ms-msdt_bak"
    Rename-Item -Path "HKCR:\ms-msdt" -NewName "ms-msdt_bak"
} else {
    # Roll back: restore the original key name and its default value
    Rename-Item -Path "HKCR:\ms-msdt_bak" -NewName "ms-msdt"
    Set-Item -Path "HKCR:\ms-msdt" -Value "URL:ms-msdt"
}
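To confirm that the workaround actually took on a machine (or that a rollback restored the handler), the following added example, which is not part of the original post, reads the relevant keys and reports the handler state as an object an RMM can act on. The function name Get-MsdtHandlerState and its output fields are mine; it inspects the same ms-msdt and ms-msdt_bak keys the script above renames, plus the shell\open\command value under the live key, which is where the actual msdt.exe invocation lives.

```powershell
# Added example, not part of the original post. Reports whether the ms-msdt: URL handler is active.
function Get-MsdtHandlerState {
    if (-not (Get-PSDrive -Name HKCR -ErrorAction SilentlyContinue)) {
        New-PSDrive -PSProvider Registry -Root HKEY_CLASSES_ROOT -Name HKCR | Out-Null
    }

    $live   = Get-Item -Path 'HKCR:\ms-msdt'     -ErrorAction SilentlyContinue
    $backup = Get-Item -Path 'HKCR:\ms-msdt_bak' -ErrorAction SilentlyContinue

    # The key's "(default)" only carries the "URL:..." label; the command that Windows actually runs
    # for an ms-msdt: link is the default value of shell\open\command (normally msdt.exe %1).
    $command = (Get-ItemProperty -Path 'HKCR:\ms-msdt\shell\open\command' -ErrorAction SilentlyContinue).'(default)'

    if ($live -and $command) {
        $state = 'Vulnerable (handler active)'
    } elseif ($backup) {
        $state = 'Mitigated (key renamed to ms-msdt_bak)'
    } else {
        $state = 'Mitigated (key absent)'
    }

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        HandlerRegistered = [bool]$live
        BackupPresent     = [bool]$backup
        Command           = $command
        State             = $state
    }
}

# Run after applying or rolling back the workaround; State tells you which branch actually happened.
Get-MsdtHandlerState
```

Checking shell\open\command rather than just the key name matters: a key that exists but whose command was removed or pointed elsewhere is not a working handler, and a rename that only happened for the outer key still leaves nothing for Office to launch.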

And that's it! As always, Happy PowerShelling.
