Getting all Azure AD consents using PowerShell

Customers should be paying attention to their Azure AD application consents, which can be a daunting task. There are tools for this, including Microsoft's own Cloud App Security (CAS), but sometimes the simplest approach is to dump everything to Excel and work through it.

This blog post contains a simple PowerShell script that does exactly this.


Getting Azure AD domain authentication information using PowerShell

This is a quick blog post with an example PowerShell function that queries the public, unauthenticated user realm endpoint on login.microsoftonline.com to find out what type of authentication and branding a domain has in Azure AD.

function Get-AzureADDomainInfoFromPublicApi
{
    [CmdletBinding()]
    Param
    (
        # Domain name to look up, e.g. contoso.com (accepts pipeline input)
        [Parameter(Mandatory=$true,
                   ValueFromPipeline=$true,
                   Position=0)]
        [String] $Domain
    )

    Process
    {
        # The userrealm endpoint is unauthenticated and only evaluates the domain part of
        # the UPN, so the user part does not need to exist. api-version=2.1 adds is_dsso_enabled.
        $User = [Uri]::EscapeDataString("someone.random@" + $Domain)
        $Url = "https://login.microsoftonline.com/common/userrealm/?user=$User&checkForMicrosoftAccount=true&api-version=2.1"
        Invoke-RestMethod -Method Get -Uri $Url
    }
}

Get-AzureADDomainInfoFromPublicApi microsoft.com
Get-AzureADDomainInfoFromPublicApi innofactor.com

For example, in the output, NameSpaceType tells you whether the domain is "Managed" (cloud authentication) or "Federated"; for a federated domain AuthURL contains the federation endpoint users are redirected to, which in practice usually means AD FS. If is_dsso_enabled is true, Seamless SSO is active for the domain. Note that because the endpoint is unauthenticated, anyone can read this information for any domain, so it is as useful for reconnaissance as it is for administration.
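The following is an added example, not code from the original post, showing how to turn the userrealm response into a short authentication summary for each domain. It runs offline against constructed sample responses (the domain names, brand names and URLs are fictitious; the field names NameSpaceType, DomainName, FederationBrandName, AuthURL and is_dsso_enabled are the ones the response uses). To run it against real domains, pipe the output of Get-AzureADDomainInfoFromPublicApi into Get-DomainAuthSummary instead of the samples.

```powershell
# Added example: summarise a userrealm response into an authentication type.
function Get-DomainAuthSummary
{
    [CmdletBinding()]
    Param
    (
        # Object as returned by Invoke-RestMethod for the userrealm endpoint
        [Parameter(Mandatory=$true, ValueFromPipeline=$true)]
        $Realm
    )

    Process
    {
        # NameSpaceType is the authoritative field; AuthURL is only present for federated domains
        $AuthType = switch ($Realm.NameSpaceType)
        {
            'Federated' { 'Federated (AuthURL is the federation endpoint)' }
            'Managed'   { 'Cloud (managed)' }
            'Unknown'   { 'Not an Azure AD domain' }
            default     { "Unrecognised ($($Realm.NameSpaceType))" }
        }

        [pscustomobject]@{
            Domain          = $Realm.DomainName
            AuthType        = $AuthType
            FederationUrl   = $Realm.AuthURL
            FederationBrand = $Realm.FederationBrandName
            # is_dsso_enabled is absent for unknown domains; a missing value counts as false
            SeamlessSso     = [bool]$Realm.is_dsso_enabled
        }
    }
}

# Constructed sample responses (same shape as the api-version=2.1 userrealm response; values are made up)
$Samples = @(
    '{"NameSpaceType":"Federated","Login":"someone.random@contoso.com","DomainName":"contoso.com","FederationBrandName":"Contoso","AuthURL":"https://sts.contoso.com/adfs/ls/","is_dsso_enabled":false}',
    '{"NameSpaceType":"Managed","Login":"someone.random@fabrikam.com","DomainName":"fabrikam.com","FederationBrandName":"Fabrikam","is_dsso_enabled":true}',
    '{"NameSpaceType":"Unknown","Login":"someone.random@example.invalid"}'
) | ConvertFrom-Json

$Samples | Get-DomainAuthSummary | Format-Table -AutoSize
```

The summary object is deliberately flat so that a list of domains can be piped straight to Export-Csv and reviewed in Excel, in the same spirit as the consent dump above.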

Today I found out – Azure AD ID Token signed by “unknown KID”

Quick post today. When implementing Azure AD authentication you should of course use the Microsoft Authentication Library. Sometimes, however, platform limitations force you to implement OpenID Connect "from scratch". One of my customers did just that, and we found the ID token to be signed by a key whose key identifier (kid) we could not find in the JWKS URLs listed in the OpenID Connect metadata. I found it eventually, and here is how.

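As an added example (not from the original post, which does not show its code), here is the check a hand-rolled OpenID Connect client has to perform before validating a signature: decode the JWT header and look its kid up in the JWKS document. The token and the JWKS below are constructed, and the key material is a placeholder; only the kid lookup is demonstrated, not the signature verification itself.

```powershell
# Added example: decode a JWT header and look up its kid in a JWKS document.
function ConvertTo-Base64Url
{
    Param([Parameter(Mandatory=$true)][string] $Text)
    # JWT segments use base64url without padding
    [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($Text)).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

function ConvertFrom-Base64Url
{
    Param([Parameter(Mandatory=$true)][string] $Value)
    # Restore standard base64 alphabet and padding before decoding
    $b64 = $Value.Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4)
    {
        1 { throw "Invalid base64url length" }
        2 { $b64 += '==' }
        3 { $b64 += '=' }
    }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64))
}

function Get-JwtHeader
{
    Param([Parameter(Mandatory=$true)][string] $Token)
    $Parts = $Token.Split('.')
    if ($Parts.Count -ne 3) { throw "Not a compact JWS (expected 3 dot-separated segments)" }
    ConvertFrom-Base64Url $Parts[0] | ConvertFrom-Json
}

function Test-JwtKidInJwks
{
    Param(
        [Parameter(Mandatory=$true)][string] $Token,
        # Object with a 'keys' array, as returned by Invoke-RestMethod on a jwks_uri
        [Parameter(Mandatory=$true)] $Jwks
    )
    $Header = Get-JwtHeader $Token
    $Match  = @($Jwks.keys | Where-Object { $_.kid -eq $Header.kid })
    [pscustomobject]@{
        Kid   = $Header.kid
        Alg   = $Header.alg
        Found = $Match.Count -gt 0
        # Azure AD headers also carry x5t; it should agree with the matched key's x5t
        X5tMatches = if ($Match.Count -gt 0) { $Match[0].x5t -eq $Header.x5t } else { $null }
    }
}

# Constructed JWKS with two placeholder RSA keys (n/e values are not real key material)
$Jwks = '{"keys":[
  {"kty":"RSA","use":"sig","kid":"key-2019-A","x5t":"key-2019-A","n":"placeholder","e":"AQAB"},
  {"kty":"RSA","use":"sig","kid":"key-2019-B","x5t":"key-2019-B","n":"placeholder","e":"AQAB"}
]}' | ConvertFrom-Json

# Constructed tokens: header + dummy payload + dummy signature (never accept such a token)
$KnownToken   = (ConvertTo-Base64Url '{"typ":"JWT","alg":"RS256","kid":"key-2019-B","x5t":"key-2019-B"}') + '.' + (ConvertTo-Base64Url '{"sub":"test"}') + '.sig'
$UnknownToken = (ConvertTo-Base64Url '{"typ":"JWT","alg":"RS256","kid":"key-2019-Z","x5t":"key-2019-Z"}') + '.' + (ConvertTo-Base64Url '{"sub":"test"}') + '.sig'

Test-JwtKidInJwks -Token $KnownToken   -Jwks $Jwks
Test-JwtKidInJwks -Token $UnknownToken -Jwks $Jwks
```

Two practical caveats when Found comes back false: re-fetch the JWKS once before rejecting the token, since key rollover means a cached JWKS can be stale, and make sure you are reading the metadata document of the endpoint that actually issued the token, because the v1 and v2.0 endpoints publish separate openid-configuration documents. Never fall back to trusting a key that is not in the published JWKS.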

Checking Azure AD tenant id using PowerShell

This is a short blog post with a PowerShell function that returns the Azure AD tenant id for a given domain, by reading the tenant's publicly available federation metadata.

function Get-AzureADTenantId
{
    [CmdletBinding()]
    [OutputType([string])]
    Param
    (
        # A domain registered in the tenant, e.g. contoso.com or contoso.onmicrosoft.com
        [Parameter(Mandatory=$true,
                   ValueFromPipeline=$true,
                   ValueFromPipelineByPropertyName=$true,
                   Position=0)]
        [string] $DomainName
    )

    Process
    {
        # The original relied on a Get-AzureADFederationMetadata helper that is not shown on
        # this page. The federation metadata is published unauthenticated at this well-known
        # URL, so it is fetched directly here instead.
        $Url = "https://login.microsoftonline.com/$DomainName/FederationMetadata/2007-06/FederationMetadata.xml"
        [xml] $FederationMetadata = Invoke-RestMethod -Method Get -Uri $Url

        # entityID has the form https://sts.windows.net/<tenant id>/ ; return the GUID segment
        $FederationMetadata.EntityDescriptor.entityID -split "/" |
            Where-Object { $_ -match "^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$" }
    }
}

Get-AzureADTenantId microsoft.com
Get-AzureADTenantId microsoft.onmicrosoft.com