Saturday, May 18, 2024

Using PowerShell to Investigate Azure AD User Risks


In this post, I will explain how you can use the PowerShell SDK for Microsoft Graph to investigate Risky Users in your Azure Active Directory. I will also show you how to use PowerShell to connect directly to the Microsoft Graph and query the data from there. Being able to query riskDetections, risky users, and sign-ins lets you automate alerts or actions whenever a user gets flagged by your risk policy.

Using the Microsoft Graph PowerShell SDK to query risk detections

Microsoft maintains a PowerShell SDK for working with the Microsoft Graph API. It makes it very easy to query data from the API without any deeper knowledge of how to work with REST APIs: the SDK provides PowerShell cmdlets instead of requiring you to make HTTP calls to an endpoint yourself.

Connecting with the PowerShell SDK

First, you need to install the PowerShell SDK (the Microsoft.Graph module). To do that, run the following command in your PowerShell terminal:

Install-Module Microsoft.Graph -Scope CurrentUser

Because the Microsoft module we will be using was still in preview when this was written, you need to switch the PowerShell SDK to the "beta" profile. To do that, run the command:

Select-MgProfile -Name "beta"

Note that Select-MgProfile only exists in version 1.x of the SDK. In version 2.x it was removed; beta cmdlets ship in the separate Microsoft.Graph.Beta module (with Beta in the cmdlet names), and the riskyUsers resource itself is available on the v1.0 endpoint, so on a current SDK you can skip this step.

Once the module is installed and you have selected the beta profile, connect to the Graph API with an account that is allowed to consent, and consent to the following permissions:

  • IdentityRiskyUser.Read.All
  • IdentityRiskyUser.ReadWrite.All

Only the ReadWrite scope is needed for dismissing or confirming a user's risk (covered later); if you only want to query, request the Read scope alone.

To do that, run the following command:

Connect-MgGraph -Scopes "IdentityRiskyUser.Read.All", "IdentityRiskyUser.ReadWrite.All"

This opens a browser, where you will be prompted to sign in with an admin account. After signing in you will be asked to grant the permissions to Microsoft Graph PowerShell. Click "Accept" to continue.

[Image: the consent prompt granting the requested permissions to Microsoft Graph PowerShell (granting-permissions-for-powershell-sdk.png)]

Downloading the Microsoft Preview Module for Risky Users

To get the Microsoft preview module, start by cloning the repository to your PC:

git clone https://github.com/AzureAD/IdentityProtectionTools.git

Then navigate to the folder where the module is located:

cd ./IdentityProtectionTools/src/modules/IdentityProtectionTools

Then import the module's commands into your PowerShell session:

Import-Module ./IdentityProtectionTools.psd1

You can see the available commands by running:

Get-Command -Module IdentityProtectionTools

Output:

CommandType     Name                                               Version    Source
-----------     ----                                               -------    ------
Function        Get-AzureADIPRiskyUser                             0.0.3      IdentityProtectionTools
Function        Invoke-AzureADIPConfirmCompromisedRiskyUser        0.0.3      IdentityProtectionTools
Function        Invoke-AzureADIPDismissRiskyUser                   0.0.3      IdentityProtectionTools

Querying all the risky users

To get all users with an elevated risk whose risk was updated in the last 30 days, run the following command:

Get-AzureADIPRiskyUser -Verbose -All -riskUpdatedSinceDays -30 | Select-Object UserPrincipalName, RiskLevel, RiskDetail, RiskLastUpdatedDateTime, RiskState

Output:

VERBOSE: 64 Risky Users Retrieved!
UserPrincipalName         RiskLevel RiskDetail                         RiskLastUpdatedDateTime RiskState
-----------------         --------- ----------                         ----------------------- ---------
[email protected]            none      userPerformedSecuredPasswordReset  06/01/2022 10:49:42     remediated
[email protected]            none      userPerformedSecuredPasswordReset  06/02/2022 07:21:17     remediated
[email protected]            medium    none                               06/17/2022 07:37:40     atRisk
[email protected]            none      userPerformedSecuredPasswordReset  06/02/2022 08:11:27     remediated
[email protected]            none      userPerformedSecuredPasswordChange 05/23/2022 06:33:20     remediated
[email protected]            low       none                               06/05/2022 11:46:28     atRisk
[email protected]            medium    none                               06/17/2022 01:09:50     atRisk
[email protected]            none      userPerformedSecuredPasswordReset  06/01/2022 14:10:35     remediated
[email protected]            low       none                               06/13/2022 08:28:06     atRisk
[email protected]           none      userPerformedSecuredPasswordReset  06/01/2022 12:23:34     remediated
[email protected]           none      userPerformedSecuredPasswordReset  06/08/2022 12:47:45     remediated

....

You can also pass the "-RiskLevel" parameter to restrict the query to users with a high risk level. Note that the output above mixes users whose risk is already remediated (RiskState "remediated", RiskLevel "none") with users who are still open (RiskState "atRisk"); for alerting you normally want to filter on RiskState as well.
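The introduction mentions querying the Graph directly rather than through the preview module. As an added example that is not part of the original post or of the IdentityProtectionTools module, the functions below do exactly that with the SDK's generic Invoke-MgGraphRequest cmdlet: they build the same kind of OData filter that the module's -riskUpdatedSinceDays and -RiskLevel parameters stand for, restrict to users whose risk is still open, follow @odata.nextLink so every page is returned, and then pull the riskDetections that explain why a given user was flagged. The code assumes you have already run Connect-MgGraph with IdentityRiskyUser.Read.All (plus IdentityRiskEvent.Read.All for riskDetections) and that the riskyUsers and riskDetections endpoints accept filters on the properties used here; the function names are my own.

```powershell
# Added example, not from the original post: query Identity Protection data
# straight from the Graph REST endpoints via Invoke-MgGraphRequest.
# Assumes: Connect-MgGraph already done with IdentityRiskyUser.Read.All
# (and IdentityRiskEvent.Read.All for Get-RiskDetectionsForUser).

function Get-RiskyUsersDirect {
    [CmdletBinding()]
    param(
        [int]$UpdatedSinceDays = 30,
        [ValidateSet('low', 'medium', 'high')]
        [string[]]$RiskLevel,
        # Default to users whose risk is still open; pass @() to get every state.
        [ValidateSet('atRisk', 'confirmedCompromised', 'remediated', 'dismissed', 'none')]
        [string[]]$RiskState = @('atRisk', 'confirmedCompromised')
    )

    # Equivalent of the preview module's -riskUpdatedSinceDays / -RiskLevel,
    # expressed as an OData $filter (assumed supported on riskyUsers).
    $since   = (Get-Date).ToUniversalTime().AddDays(-$UpdatedSinceDays).ToString('yyyy-MM-ddTHH:mm:ssZ')
    $clauses = @("riskLastUpdatedDateTime ge $since")
    if ($RiskLevel) {
        $clauses += '(' + (($RiskLevel | ForEach-Object { "riskLevel eq '$_'" }) -join ' or ') + ')'
    }
    if ($RiskState) {
        $clauses += '(' + (($RiskState | ForEach-Object { "riskState eq '$_'" }) -join ' or ') + ')'
    }
    $filter = [uri]::EscapeDataString($clauses -join ' and ')
    $uri    = "https://graph.microsoft.com/v1.0/identityProtection/riskyUsers?`$filter=$filter&`$top=100"

    # Graph pages collections; keep following @odata.nextLink until it is absent.
    $results = @()
    while ($uri) {
        $page     = Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType PSObject
        $results += $page.value
        $uri      = $page.'@odata.nextLink'
    }
    $results
}

function Get-RiskDetectionsForUser {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$UserId)

    # riskDetections carry the individual events (unfamiliarFeatures,
    # anonymizedIPAddress, leakedCredentials, ...) behind a user's risk level.
    $filter = [uri]::EscapeDataString("userId eq '$UserId'")
    $uri    = "https://graph.microsoft.com/v1.0/identityProtection/riskDetections?`$filter=$filter"
    (Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType PSObject).value |
        Select-Object riskEventType, riskLevel, riskState, ipAddress, detectedDateTime, activity
}

# Usage: open high-risk users from the last 30 days, then the detections behind the first one.
$open = @(Get-RiskyUsersDirect -UpdatedSinceDays 30 -RiskLevel high)
$open | Select-Object userPrincipalName, riskLevel, riskState, riskLastUpdatedDateTime | Format-Table
if ($open.Count -gt 0) { Get-RiskDetectionsForUser -UserId $open[0].id }
```

Because this talks to the endpoint directly, the raw JSON property names are camelCase (userPrincipalName, riskState), unlike the PascalCase properties the module's cmdlets return; keep that in mind if you mix the two in one script.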

Dismiss or confirm the user risk for a user

You can also use the PowerShell module to dismiss a user's risk level.

To do that, I start by querying the risky users again, but this time I also select the "Id" property to get the user's Id.

Get-AzureADIPRiskyUser -Verbose -All -riskUpdatedSinceDays -30 | Select-Object UserPrincipalName, Id, RiskLevel, RiskLastUpdatedDateTime

This outputs:

VERBOSE: 64 Risky Users Retrieved!
UserPrincipalName         Id                                   RiskLevel RiskLastUpdatedDateTime
-----------------         --                                   --------- -----------------------
[email protected]            asdasdb8-5s10c-4saab1-9186-8asd70768 none      06/01/2022 10:49:42
[email protected]            cd2aasd6dbd4-cd8d-4e5-986-9dasd9d505 none      06/02/2022 07:21:17
[email protected]            a3785asd2-df8-s81-bced5-9e962ffa53e0 medium    06/17/2022 07:37:40
[email protected]            5bb89637-6258-4ad8e-ad5f-aas7722c4fb none      06/02/2022 08:11:27
[email protected]            8671asdd4-44fdg-fasd-aeasd-1dqwe46gf none      05/23/2022 06:33:20

You can then take the Id of the user whose risk you want to dismiss and use it in the following command (the Ids shown above are placeholders, not real object Ids):

Invoke-AzureADIPDismissRiskyUser -UserIds @("asdasdb8-5s10c-4saab1-9186-8asd70768")

Just as you can dismiss the user risk, you can also confirm a user as compromised with the command:

Invoke-AzureADIPConfirmCompromisedRiskyUser

Dismissing sets the user's risk state to "dismissed" and the risk level back to "none", whereas confirming sets the state to "confirmedCompromised" and raises the level to "high"; both are explicit administrator decisions, so only automate them with a guard on the user's current state.
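As an added example that is not the post's or the IdentityProtectionTools module's own code, the function below performs the same dismiss/confirm actions with the SDK's built-in cmdlets (Get-MgRiskyUser, Invoke-MgDismissRiskyUser, Confirm-MgRiskyUserCompromised) and adds the guards an automation needs: it resolves the user by UPN instead of relying on a pasted Id, does nothing for a user who is not currently at risk, refuses to dismiss a user whose compromise was explicitly confirmed, and honours -WhatIf so you can preview the action. It assumes Connect-MgGraph was run with IdentityRiskyUser.ReadWrite.All and that riskyUsers can be filtered on userPrincipalName; the function name and the contoso.com UPN are placeholders.

```powershell
# Added example, not from the original post: guarded dismiss / confirm using
# the Microsoft.Graph SDK cmdlets. Assumes Connect-MgGraph was run with
# IdentityRiskyUser.ReadWrite.All.

function Set-RiskyUserDisposition {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [Parameter(Mandatory)][ValidateSet('Dismiss', 'ConfirmCompromised')][string]$Action
    )

    # Resolve the riskyUser record by UPN (assumes userPrincipalName is filterable).
    # Single quotes are doubled so a UPN cannot break out of the OData string literal.
    $escaped = $UserPrincipalName.Replace("'", "''")
    $user = @(Get-MgRiskyUser -Filter "userPrincipalName eq '$escaped'" -ErrorAction Stop)
    if ($user.Count -eq 0) { throw "No riskyUser record for $UserPrincipalName" }
    if ($user.Count -gt 1) { throw "Ambiguous match for $UserPrincipalName" }
    $user = $user[0]

    # Only act on users that still carry an open risk; anything else is a no-op.
    if ($user.RiskState -notin @('atRisk', 'confirmedCompromised')) {
        Write-Warning "$UserPrincipalName is '$($user.RiskState)'; nothing to do"
        return $user
    }
    # Dismissing a confirmed compromise undoes an explicit admin decision; require a human.
    if ($Action -eq 'Dismiss' -and $user.RiskState -eq 'confirmedCompromised') {
        throw "Refusing to dismiss $UserPrincipalName: risk was explicitly confirmed as compromised"
    }

    # ShouldProcess makes -WhatIf / -Confirm work for the whole function.
    if ($PSCmdlet.ShouldProcess($UserPrincipalName, $Action)) {
        switch ($Action) {
            'Dismiss'            { Invoke-MgDismissRiskyUser      -UserIds @($user.Id) }
            'ConfirmCompromised' { Confirm-MgRiskyUserCompromised -UserIds @($user.Id) }
        }
        # Re-read so the caller sees the post-action state (dismissed / confirmedCompromised).
        Get-MgRiskyUser -RiskyUserId $user.Id
    }
}

# Usage: preview first, then run for real.
Set-RiskyUserDisposition -UserPrincipalName 'alice@contoso.com' -Action Dismiss -WhatIf
Set-RiskyUserDisposition -UserPrincipalName 'alice@contoso.com' -Action Dismiss
```

Resolving by UPN and re-reading the record after the call also gives you a clean audit line (who, what state before, what state after) that you can forward to your SIEM from the same script.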
