Testing the AAD authentication for Windows VMs preview
Quick blog post about the experience of AAD authentication for Windows VMs (preview) – https://docs.microsoft.com/en-us/azure/active-directory/devices/howto-vm-sign-in-azure-ad-windows
Author: Marius Solbakken
Quick PowerShell cmdlet to get query parameters sent to localhost
When testing Azure AD applications, or showing off things such as the implicit flow and the authorization code flow, it is very useful to have a listener running on localhost so that the browser has a valid redirect URL to land on. The following cmdlet does this without installing anything: it binds to localhost only, answers a single request, and returns the query parameters of that request as a hashtable.
function Get-HttpQueryParametersSentToLocalhost
{
    [CmdletBinding()]
    Param
    (
        [Parameter(Mandatory=$false,
                   ValueFromPipelineByPropertyName=$true,
                   Position=0)]
        [int] $Port = 8080,

        [Parameter(Mandatory=$false,
                   ValueFromPipelineByPropertyName=$true,
                   Position=1)]
        [string] $Response = "Done"
    )

    # Bind to localhost only, so the listener is never reachable from the network
    $listener = New-Object System.Net.HttpListener
    $listener.Prefixes.Add("http://localhost:$Port/")
    Write-Verbose "Waiting for request at http://localhost:$Port/"
    $listener.Start()

    # Blocks until the first request arrives; exactly one request is served, then the listener is closed
    $context = $listener.GetContext()
    $content = [System.Text.Encoding]::UTF8.GetBytes($Response)
    $context.Response.OutputStream.Write($content, 0, $content.Length)
    $context.Response.Close()
    $listener.Close()

    # Split the raw URL on ? and &, keep only key=value pairs, URL-decode them and return a hashtable
    $context.Request.RawUrl -split "[?&]" -like "*=*" |
        ForEach-Object -Begin { $h = @{} } -Process {
            $key, $value = $_ -split "=", 2
            $h[[System.Net.WebUtility]::UrlDecode($key)] = [System.Net.WebUtility]::UrlDecode($value)
        } -End { $h }
}
$parameters = Get-HttpQueryParametersSentToLocalhost -Verbose -Port 8080
$parameters | Out-GridView
Now, browse to http://localhost:8080/asd/?test=a&idtoken=asdd&code=123 and check what happens in PowerShell. 🙂 Keep in mind that a browser never sends the URL fragment to the server: tokens returned with response_mode=fragment (the default for the implicit flow) will not show up in the listener. Use response_mode=query when you only expect an authorization code, and response_mode=form_post (reading the POST body instead of the query string) when you want ID tokens delivered to localhost.
I'll create a new blog post that uses this to demonstrate different OpenID Connect flows later.
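As an added example that is not part of the original post, the following PowerShell shows how the parameters captured by the listener fit into an authorization code flow with PKCE, and which checks to run on them before the code is redeemed: the state value binds the redirect back to the request that started it, and the PKCE verifier binds the token request to the same client. The tenant ID and client ID are placeholders, and the $received hashtable is constructed to look like what Get-HttpQueryParametersSentToLocalhost returns; no request is actually sent.

```powershell
# Added example (not from the original post): an authorization code request with PKCE,
# and the checks to run on the parameters the localhost listener hands back.
# "<tenant-id>" and "<client-id>" are placeholders; $received below is constructed.

function ConvertTo-Base64Url
{
    Param([byte[]] $Bytes)
    # base64url per RFC 4648 section 5, without padding
    [Convert]::ToBase64String($Bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

function New-RandomBase64Url
{
    Param([int] $ByteCount = 32)
    # Cryptographic randomness for state, nonce and the PKCE verifier
    $bytes = New-Object byte[] $ByteCount
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $rng.GetBytes($bytes)
    $rng.Dispose()
    ConvertTo-Base64Url $bytes
}

function New-PkcePair
{
    # 32 random bytes give a 43-character verifier, the minimum length RFC 7636 allows
    $verifier = New-RandomBase64Url 32
    $sha256 = [System.Security.Cryptography.SHA256]::Create()
    $hash = $sha256.ComputeHash([System.Text.Encoding]::ASCII.GetBytes($verifier))
    $sha256.Dispose()
    [pscustomobject]@{
        CodeVerifier  = $verifier
        CodeChallenge = ConvertTo-Base64Url $hash   # S256 challenge
    }
}

function New-AuthorizeRequest
{
    Param(
        [string] $TenantId,
        [string] $ClientId,
        [string] $RedirectUri = "http://localhost:8080/",
        [string] $Scope = "openid profile offline_access"
    )
    $pkce  = New-PkcePair
    $state = New-RandomBase64Url 16
    $nonce = New-RandomBase64Url 16
    $query = [ordered]@{
        client_id             = $ClientId
        response_type         = "code"
        response_mode         = "query"   # a code may travel in the query string; tokens may not
        redirect_uri          = $RedirectUri
        scope                 = $Scope
        state                 = $state
        nonce                 = $nonce    # compare with the nonce claim of the ID token later
        code_challenge        = $pkce.CodeChallenge
        code_challenge_method = "S256"
    }
    $queryString = ($query.GetEnumerator() | ForEach-Object {
        "$($_.Key)=$([uri]::EscapeDataString($_.Value))"
    }) -join "&"
    [pscustomobject]@{
        Url          = "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/authorize?$queryString"
        State        = $state
        Nonce        = $nonce
        CodeVerifier = $pkce.CodeVerifier   # keep secret until the token request
    }
}

function Get-AuthorizationCode
{
    # $Received is the hashtable returned by Get-HttpQueryParametersSentToLocalhost
    Param([hashtable] $Received, $Request)
    if ($Received.ContainsKey("error")) {
        throw "Authorization failed: $($Received['error']) - $($Received['error_description'])"
    }
    # Case-sensitive comparison: a redirect without our state may be a CSRF attempt
    # or a response meant for another request, so it is rejected
    if (-not $Received.ContainsKey("state") -or $Received["state"] -cne $Request.State) {
        throw "state mismatch: the redirect does not belong to the request we started"
    }
    if (-not $Received.ContainsKey("code")) {
        throw "no authorization code in the redirect"
    }
    $Received["code"]
}

$request = New-AuthorizeRequest -TenantId "<tenant-id>" -ClientId "<client-id>"
# Open $request.Url in a browser while the listener is waiting:
#   $received = Get-HttpQueryParametersSentToLocalhost -Port 8080

# Constructed stand-in for what the listener returns after a successful sign-in
$received = @{ code = "constructed-authorization-code"; state = $request.State }
$code = Get-AuthorizationCode -Received $received -Request $request

# The code is redeemed together with the verifier; the token request itself is not sent here
$tokenBody = @{
    client_id     = "<client-id>"
    grant_type    = "authorization_code"
    code          = $code
    redirect_uri  = "http://localhost:8080/"
    code_verifier = $request.CodeVerifier
}
# Invoke-RestMethod -Method Post -Uri "https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/token" -Body $tokenBody
```

The state check uses -cne rather than -ne because PowerShell string comparison is case-insensitive by default, which would weaken the binding for no reason. The nonce is carried along so that, once the ID token arrives, its nonce claim can be compared with the one generated here.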
Building a multi tenant Azure AD application with roles
In this blog post I will show how to build a multi-tenant Azure AD application where your customers control role assignments through regular Azure AD app roles, which they in turn can manage through Azure AD Entitlement Management and Access Reviews, or assign dynamically through dynamic groups.
The point of this kind of implementation is that role management is externalized to the customer's Azure AD, so the customer can use all the Azure AD features that exist for governing access, rather than having yet another interface (your application) for assigning roles.
Clearing an attribute for all users through Microsoft Graph
Certain Azure AD attributes, such as businessPhones, are not available through the Azure AD PowerShell module. Here is a very quick way to work with the Graph from PowerShell, without needing a separate app registration.
PowerShell for verifying Norwegian social security number / personnummer
The function below checks the two control digits (modulus 11) of an 11-digit fødselsnummer. That is all it checks: a number that passes is well-formed, not necessarily issued to anyone, and the date part is not validated.
function Get-IsSSNValid
{
    [CmdletBinding()]
    Param
    (
        # The 11-digit Norwegian fødselsnummer to check
        [Parameter(Mandatory=$true,
                   ValueFromPipeline=$true,
                   Position=0)]
        [String] $SSN
    )
    Process
    {
        # The checksum covers exactly 11 ASCII digits; anything else is invalid rather than an exception
        if ($SSN -notmatch '^[0-9]{11}$') {
            return $false
        }

        $FirstPart = $SSN.Substring(0,9)
        $Check = $SSN.Substring(9,2)

        # First control digit, weights 3 7 6 1 8 9 4 5 2 over the first nine digits
        $k1 = 11 - ((3 * [int]::Parse($FirstPart.Chars(0)) + 7 * [int]::Parse($FirstPart.Chars(1)) + 6 * [int]::Parse($FirstPart.Chars(2)) + 1 * [int]::Parse($FirstPart.Chars(3)) + 8 * [int]::Parse($FirstPart.Chars(4)) + 9 * [int]::Parse($FirstPart.Chars(5)) + 4 * [int]::Parse($FirstPart.Chars(6)) + 5 * [int]::Parse($FirstPart.Chars(7)) + 2 * [int]::Parse($FirstPart.Chars(8))) % 11)
        if ($k1 -eq 11) {
            $k1 = 0
        }

        # Second control digit, weights 5 4 3 2 7 6 5 4 3 over the first nine digits plus 2 * k1
        $k2 = 11 - ((5 * [int]::Parse($FirstPart.Chars(0)) + 4 * [int]::Parse($FirstPart.Chars(1)) + 3 * [int]::Parse($FirstPart.Chars(2)) + 2 * [int]::Parse($FirstPart.Chars(3)) + 7 * [int]::Parse($FirstPart.Chars(4)) + 6 * [int]::Parse($FirstPart.Chars(5)) + 5 * [int]::Parse($FirstPart.Chars(6)) + 4 * [int]::Parse($FirstPart.Chars(7)) + 3 * [int]::Parse($FirstPart.Chars(8)) + 2 * $k1) % 11)
        if ($k2 -eq 11) {
            $k2 = 0
        }

        # A remainder of 1 gives k = 10, which can never equal a single digit, so such numbers fail here
        return [int]::Parse($Check.Chars(0)) -eq $k1 -and [int]::Parse($Check.Chars(1)) -eq $k2
    }
}

Get-IsSSNValid "12345678910"
Sending merged emails through the Microsoft Graph using PowerShell
Sometimes there is a need to send merged emails to users or customers, where placeholders are replaced by usernames, email addresses, names and so on. This blog post contains a script that does this for you using the Microsoft Graph. You need a regular account with Office 365 and Exchange Online for this to work.
Getting all Azure AD consents using PowerShell
Customers should really start paying attention to their Azure AD application consents, which can be daunting. There are tools for this, including Microsoft's own Cloud App Security (CAS), but why not simply dump everything to Excel and go through it?
This blog post contains a simple PowerShell script that does exactly that.
Getting Azure AD domain authentication information using PowerShell
This is a quick blog post with an example PowerShell cmdlet for finding out what type of authentication and which branding a domain has in Azure AD, using the public user realm endpoint.
function Get-AzureADDomainInfoFromPublicApi
{
    [CmdletBinding()]
    Param
    (
        # Domain name to look up, e.g. contoso.com
        [Parameter(Mandatory=$true,
                   ValueFromPipeline=$true,
                   Position=0)]
        [String] $Domain
    )
    Process
    {
        # The user realm endpoint is unauthenticated; the user part of the address does not need to exist
        $Url = "https://login.microsoftonline.com/common/userrealm/?user=someone.random@" + [uri]::EscapeDataString($Domain) + "&checkForMicrosoftAccount=true&api-version=2.1"
        Invoke-RestMethod -Method Get -Uri $Url
    }
}

Get-AzureADDomainInfoFromPublicApi microsoft.com
Get-AzureADDomainInfoFromPublicApi innofactor.com
In the output, NameSpaceType tells you whether the domain is Managed (cloud authentication) or Federated. For a federated domain, AuthURL holds the federation endpoint users are sent to, typically an AD FS farm, and is_dsso_enabled set to true means Seamless SSO is active. Because the endpoint requires no authentication, this is the same information an attacker can collect while doing reconnaissance against a tenant, so treat it as public.
MIM – Finding users with certain changed attributes last 24 hours
This post contains a quick example of how to find users whose attributes were updated in the last 24 hours. The script uses the Lithnet PowerShell module, which can be installed with Install-Module LithnetRMA.
Today I found out – Azure AD ID Token signed by “unknown KID”
Quick post today. Of course, when implementing Azure AD authentication, you should use the Microsoft Authentication Library. Sometimes, however, platform limitations force you to implement OpenID Connect “from scratch”. One of my customers did, and we found the ID token to be signed by a key whose key identifier (kid) we could not find in the jwks URLs listed in the OpenID Connect metadata. I found it eventually, and here is how.