TechMentor 2018 Seattle

On this page you’ll find my TechMentor presentations, scripts, etc.

T04 Nine O365 Security Issues Microsoft Probably Hasn’t Told You

1. DNS

Check the MX record to find out where mail is sent:

nslookup -q=MX seattle.o365life.com

The following output indicates that the organization is using Office 365:

seattle.o365life.com    MX preference = 10, mail exchanger = seattle-o365life-com.mail.protection.outlook.com

Check the TXT (SPF) record to find out which servers are allowed to send mail for the domain:

nslookup -q=TXT seattle.o365life.com

The following output indicates that the organization is using Office 365:

gerenios.com    text =
    "v=spf1 include:spf.protection.outlook.com -all"

2. Exchange Federation Trust

# Get list of organization's managed domains
Get-FederationInformation -DomainName seattle.o365life.com | Select -ExpandProperty DomainNames

3. User Realm REST API

# Get domain's authentication method and server
Invoke-RestMethod -Uri https://login.microsoftonline.com/GetUserRealm.srf?login=nn@seattle.o365life.com

The following output indicates that the domain is not used in Office 365:

State UserState Login                   NameSpaceType
----- --------- -----                   -------------
    4         1 nn@seattle.o365life.com Unknown

The following output indicates that the domain is managed and used in Office 365:

State               : 4
UserState           : 1
Login               : nn@seattle.o365life.com
NameSpaceType       : Managed
DomainName          : seattle.o365life.com
FederationBrandName : O365 Life!
CloudInstanceName   : microsoftonline.com

The following output indicates that the domain is federated and used in Office 365:

State                   : 3
UserState               : 2
Login                   : nn@seattle.o365life.com
NameSpaceType           : Federated
DomainName              : seattle.o365life.com
FederationGlobalVersion : -1
AuthURL                 : https://sts.seattle.o365life.com/adfs/ls/?username=nn%40seattle.o365life.com&wa=wsignin1.0&wtrealm=urn%3afederation%3aMicrosoftOnline&wctx=
FederationBrandName     : O365 Life! 
CloudInstanceName       : microsoftonline.com
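As an added example (not from the original page), the following Python interprets the JSON that GetUserRealm.srf returns and Invoke-RestMethod turns into the three objects above, and for a federated domain also checks which STS host the AuthURL hands sign-ins to. The sample answers are constructed from the outputs above; the expected_sts parameter is an assumption of this example.

```python
# Added example, not from the original page: interpret GetUserRealm.srf answers, i.e. the
# JSON that Invoke-RestMethod turns into the objects shown above.
from urllib.parse import urlsplit, parse_qs

# Constructed from the three outputs above; live data comes from
# GET https://login.microsoftonline.com/GetUserRealm.srf?login=<upn>
UNKNOWN = {"State": 4, "UserState": 1, "Login": "nn@seattle.o365life.com", "NameSpaceType": "Unknown"}
MANAGED = dict(UNKNOWN, NameSpaceType="Managed", DomainName="seattle.o365life.com",
               FederationBrandName="O365 Life!", CloudInstanceName="microsoftonline.com")
FEDERATED = {"State": 3, "UserState": 2, "Login": "nn@seattle.o365life.com", "NameSpaceType": "Federated",
             "DomainName": "seattle.o365life.com", "FederationGlobalVersion": -1,
             "AuthURL": "https://sts.seattle.o365life.com/adfs/ls/?username=nn%40seattle.o365life.com"
                        "&wa=wsignin1.0&wtrealm=urn%3afederation%3aMicrosoftOnline&wctx=",
             "FederationBrandName": "O365 Life!", "CloudInstanceName": "microsoftonline.com"}

def classify_realm(realm, expected_sts=None):
    """Summarise one answer: is the domain in Office 365, is it managed or federated and,
    if federated, which STS host sign-ins (and therefore passwords) are handed to.
    expected_sts is an assumed parameter: the federation server you actually operate;
    any other host in AuthURL is reported as an issue."""
    kind = realm.get("NameSpaceType", "Unknown")
    out = {"domain": realm.get("Login", "").rsplit("@", 1)[-1], "type": kind,
           "in_office365": kind in ("Managed", "Federated"), "sts_host": None, "issues": []}
    if kind == "Federated":
        url = urlsplit(realm.get("AuthURL", ""))
        query = parse_qs(url.query)
        out["sts_host"] = url.hostname
        out["adfs"] = url.path.startswith("/adfs/ls/")          # AD FS passive endpoint
        if url.scheme != "https":
            out["issues"].append("AuthURL is not https")
        if query.get("wtrealm") != ["urn:federation:MicrosoftOnline"]:
            out["issues"].append("unexpected wtrealm")
        if expected_sts and url.hostname != expected_sts.lower():
            out["issues"].append("STS host %s is not %s" % (url.hostname, expected_sts))
    return out
```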

4. SharePoint sharing

# Require accepting account to match the invited account
Set-SPOTenant -RequireAcceptingAccountMatchInvitedAccount $true

5. External users

Get all users of the site using a browser:

https://demoo365life.sharepoint.com/_api/web/siteusers

The output is an XML document similar to the following:

<?xml version="1.0" encoding="utf-8"?>
<feed xml:base="https://demoo365life.sharepoint.com/_api/" xmlns="http://www.w3.org/2005/Atom" xmlns:d="http://schemas.microsoft.com/ado/2007/08/dataservices" xmlns:m="http://schemas.microsoft.com/ado/2007/08/dataservices/metadata" xmlns:georss="http://www.georss.org/georss" xmlns:gml="http://www.opengis.net/gml">
	<id>b2e89c61-bdd6-485c-b0bf-8525fd1ff092</id>
	<title />
	<updated>2018-07-03T14:54:16Z</updated>
	<entry>
		<id>https://demoo365life.sharepoint.com/_api/Web/GetUserById(11)</id>
		<category term="SP.User" scheme="http://schemas.microsoft.com/ado/2007/08/dataservices/scheme" />
		<link rel="edit" href="Web/GetUserById(11)" />
		<link rel="http://schemas.microsoft.com/ado/2007/08/dataservices/related/Alerts" type="application/atom+xml;type=feed" title="Alerts" href="Web/GetUserById(11)/Alerts" />
		<link rel="http://schemas.microsoft.com/ado/2007/08/dataservices/related/Groups" type="application/atom+xml;type=feed" title="Groups" href="Web/GetUserById(11)/Groups" />
		<title />
		<updated>2018-07-03T14:54:16Z</updated>
		<author>
			<name />
		</author>
		<content type="application/xml">
			<m:properties>
				<d:Id m:type="Edm.Int32">11</d:Id>
				<d:IsHiddenInUI m:type="Edm.Boolean">false</d:IsHiddenInUI>
				<d:LoginName>i:0#.f|membership|admin@demoo365life.onmicrosoft.com</d:LoginName>
				<d:Title>admin demo</d:Title>
				<d:PrincipalType m:type="Edm.Int32">1</d:PrincipalType>
				<d:Email>admin@demoO365Life.onmicrosoft.com</d:Email>
				<d:IsEmailAuthenticationGuestUser m:type="Edm.Boolean">false</d:IsEmailAuthenticationGuestUser>
				<d:IsShareByEmailGuestUser m:type="Edm.Boolean">false</d:IsShareByEmailGuestUser>
				<d:IsSiteAdmin m:type="Edm.Boolean">false</d:IsSiteAdmin>
				<d:UserId m:type="SP.UserIdInfo">
					<d:NameId>1003bffdabe606ee</d:NameId>
					<d:NameIdIssuer>urn:federation:microsoftonline</d:NameIdIssuer>
				</d:UserId>
			</m:properties>
		</content>
	</entry>
	<entry>
		<id>https://demoo365life.sharepoint.com/_api/Web/GetUserById(15)</id>
		<category term="SP.User" scheme="http://schemas.microsoft.com/ado/2007/08/dataservices/scheme" />
		<link rel="edit" href="Web/GetUserById(15)" />
		<link rel="http://schemas.microsoft.com/ado/2007/08/dataservices/related/Alerts" type="application/atom+xml;type=feed" title="Alerts" href="Web/GetUserById(15)/Alerts" />
		<link rel="http://schemas.microsoft.com/ado/2007/08/dataservices/related/Groups" type="application/atom+xml;type=feed" title="Groups" href="Web/GetUserById(15)/Groups" />
		<title />
		<updated>2018-07-03T14:54:16Z</updated>
		<author>
			<name />
		</author>
		<content type="application/xml">
			<m:properties>
				<d:Id m:type="Edm.Int32">15</d:Id>
				<d:IsHiddenInUI m:type="Edm.Boolean">false</d:IsHiddenInUI>
				<d:LoginName>i:0#.f|membership|christiec@demo.o365life.com</d:LoginName>
				<d:Title>Christie Cline</d:Title>
				<d:PrincipalType m:type="Edm.Int32">1</d:PrincipalType>
				<d:Email>ChristieC@demo.o365life.com</d:Email>
				<d:IsEmailAuthenticationGuestUser m:type="Edm.Boolean">false</d:IsEmailAuthenticationGuestUser>
				<d:IsShareByEmailGuestUser m:type="Edm.Boolean">false</d:IsShareByEmailGuestUser>
				<d:IsSiteAdmin m:type="Edm.Boolean">false</d:IsSiteAdmin>
				<d:UserId m:type="SP.UserIdInfo">
					<d:NameId>10037ffeabe8fa92</d:NameId>
					<d:NameIdIssuer>urn:federation:microsoftonline</d:NameIdIssuer>
				</d:UserId>
			</m:properties>
		</content>
	</entry>
</feed>

List all groups of the site:

https://demoo365life.sharepoint.com/_api/web/SiteGroups

The output is an XML document similar to the following:

<?xml version="1.0" encoding="utf-8"?>
<feed xml:base="https://demoo365life.sharepoint.com/_api/" xmlns="http://www.w3.org/2005/Atom" xmlns:d="http://schemas.microsoft.com/ado/2007/08/dataservices" xmlns:m="http://schemas.microsoft.com/ado/2007/08/dataservices/metadata" xmlns:georss="http://www.georss.org/georss" xmlns:gml="http://www.opengis.net/gml">
	<entry>
		<id>https://demoo365life.sharepoint.com/_api/Web/SiteGroups/GetById(16)</id>
		<category term="SP.Group" scheme="http://schemas.microsoft.com/ado/2007/08/dataservices/scheme" />
		<link rel="edit" href="Web/SiteGroups/GetById(16)" />
		<link rel="http://schemas.microsoft.com/ado/2007/08/dataservices/related/Owner" type="application/atom+xml;type=entry" title="Owner" href="Web/SiteGroups/GetById(16)/Owner" />
		<link rel="http://schemas.microsoft.com/ado/2007/08/dataservices/related/Users" type="application/atom+xml;type=feed" title="Users" href="Web/SiteGroups/GetById(16)/Users" />
		<title />
		<updated>2018-07-03T15:41:16Z</updated>
		<author>
			<name />
		</author>
		<content type="application/xml">
			<m:properties>
				<d:Id m:type="Edm.Int32">16</d:Id>
				<d:IsHiddenInUI m:type="Edm.Boolean">false</d:IsHiddenInUI>
				<d:LoginName>SharingLinks.f04c0036-d015-476d-b61b-c7aa652dddbc.Flexible.3bd15f01-e1c2-4499-b365-c95aef9646db</d:LoginName>
				<d:Title>SharingLinks.f04c0036-d015-476d-b61b-c7aa652dddbc.Flexible.3bd15f01-e1c2-4499-b365-c95aef9646db</d:Title>
				<d:PrincipalType m:type="Edm.Int32">8</d:PrincipalType>
				<d:AllowMembersEditMembership m:type="Edm.Boolean">false</d:AllowMembersEditMembership>
				<d:AllowRequestToJoinLeave m:type="Edm.Boolean">false</d:AllowRequestToJoinLeave>
				<d:AutoAcceptRequestToJoinLeave m:type="Edm.Boolean">false</d:AutoAcceptRequestToJoinLeave>
				<d:Description>This group is for Flexible sharing links on item 'Shared Documents/Document.docx'</d:Description>
				<d:OnlyAllowMembersViewMembership m:type="Edm.Boolean">true</d:OnlyAllowMembersViewMembership>
				<d:OwnerTitle>System Account</d:OwnerTitle>
				<d:RequestToJoinLeaveEmailSetting m:null="true" />
			</m:properties>
		</content>
	</entry>
	<entry>
		<id>https://demoo365life.sharepoint.com/_api/Web/SiteGroups/GetById(17)</id>
		<category term="SP.Group" scheme="http://schemas.microsoft.com/ado/2007/08/dataservices/scheme" />
		<link rel="edit" href="Web/SiteGroups/GetById(17)" />
		<link rel="http://schemas.microsoft.com/ado/2007/08/dataservices/related/Owner" type="application/atom+xml;type=entry" title="Owner" href="Web/SiteGroups/GetById(17)/Owner" />
		<link rel="http://schemas.microsoft.com/ado/2007/08/dataservices/related/Users" type="application/atom+xml;type=feed" title="Users" href="Web/SiteGroups/GetById(17)/Users" />
		<title />
		<updated>2018-07-03T15:41:16Z</updated>
		<author>
			<name />
		</author>
		<content type="application/xml">
			<m:properties>
				<d:Id m:type="Edm.Int32">17</d:Id>
				<d:IsHiddenInUI m:type="Edm.Boolean">false</d:IsHiddenInUI>
				<d:LoginName>SharingLinks.f04c0036-d015-476d-b61b-c7aa652dddbc.Flexible.8e726faf-df38-47d4-858e-b1f2633a3395</d:LoginName>
				<d:Title>SharingLinks.f04c0036-d015-476d-b61b-c7aa652dddbc.Flexible.8e726faf-df38-47d4-858e-b1f2633a3395</d:Title>
				<d:PrincipalType m:type="Edm.Int32">8</d:PrincipalType>
				<d:AllowMembersEditMembership m:type="Edm.Boolean">false</d:AllowMembersEditMembership>
				<d:AllowRequestToJoinLeave m:type="Edm.Boolean">false</d:AllowRequestToJoinLeave>
				<d:AutoAcceptRequestToJoinLeave m:type="Edm.Boolean">false</d:AutoAcceptRequestToJoinLeave>
				<d:Description>This group is for Flexible sharing links on item 'Shared Documents/Document.docx'</d:Description>
				<d:OnlyAllowMembersViewMembership m:type="Edm.Boolean">true</d:OnlyAllowMembersViewMembership>
				<d:OwnerTitle>System Account</d:OwnerTitle>
				<d:RequestToJoinLeaveEmailSetting m:null="true" />
			</m:properties>
		</content>
	</entry>
	<entry>
		<id>https://demoo365life.sharepoint.com/_api/Web/SiteGroups/GetById(5)</id>
		<category term="SP.Group" scheme="http://schemas.microsoft.com/ado/2007/08/dataservices/scheme" />
		<link rel="edit" href="Web/SiteGroups/GetById(5)" />
		<link rel="http://schemas.microsoft.com/ado/2007/08/dataservices/related/Owner" type="application/atom+xml;type=entry" title="Owner" href="Web/SiteGroups/GetById(5)/Owner" />
		<link rel="http://schemas.microsoft.com/ado/2007/08/dataservices/related/Users" type="application/atom+xml;type=feed" title="Users" href="Web/SiteGroups/GetById(5)/Users" />
		<title />
		<updated>2018-07-03T15:41:16Z</updated>
		<author>
			<name />
		</author>
		<content type="application/xml">
			<m:properties>
				<d:Id m:type="Edm.Int32">5</d:Id>
				<d:IsHiddenInUI m:type="Edm.Boolean">false</d:IsHiddenInUI>
				<d:LoginName>Team Site Owners</d:LoginName>
				<d:Title>Team Site Owners</d:Title>
				<d:PrincipalType m:type="Edm.Int32">8</d:PrincipalType>
				<d:AllowMembersEditMembership m:type="Edm.Boolean">false</d:AllowMembersEditMembership>
				<d:AllowRequestToJoinLeave m:type="Edm.Boolean">false</d:AllowRequestToJoinLeave>
				<d:AutoAcceptRequestToJoinLeave m:type="Edm.Boolean">false</d:AutoAcceptRequestToJoinLeave>
				<d:Description m:null="true" />
				<d:OnlyAllowMembersViewMembership m:type="Edm.Boolean">false</d:OnlyAllowMembersViewMembership>
				<d:OwnerTitle>Team Site Owners</d:OwnerTitle>
				<d:RequestToJoinLeaveEmailSetting/>
			</m:properties>
		</content>
	</entry>
</feed>

List users of a specific group (here group 17 from the list above):

https://demoo365life.sharepoint.com/_api/web/SiteGroups(17)/Users

The output is an XML document similar to the following:

<?xml version="1.0" encoding="utf-8"?>
<feed xml:base="https://demoo365life.sharepoint.com/_api/" xmlns="http://www.w3.org/2005/Atom" xmlns:d="http://schemas.microsoft.com/ado/2007/08/dataservices" xmlns:m="http://schemas.microsoft.com/ado/2007/08/dataservices/metadata" xmlns:georss="http://www.georss.org/georss" xmlns:gml="http://www.opengis.net/gml">
	<id>1b7dc2ad-d0c7-49ee-bc56-0a5aedae5d2c</id>
	<title />
	<updated>2018-07-03T15:45:04Z</updated>
	<entry>
		<id>https://demoo365life.sharepoint.com/_api/Web/GetUserById(18)</id>
		<category term="SP.User" scheme="http://schemas.microsoft.com/ado/2007/08/dataservices/scheme" />
		<link rel="edit" href="Web/GetUserById(18)" />
		<link rel="http://schemas.microsoft.com/ado/2007/08/dataservices/related/Alerts" type="application/atom+xml;type=feed" title="Alerts" href="Web/GetUserById(18)/Alerts" />
		<link rel="http://schemas.microsoft.com/ado/2007/08/dataservices/related/Groups" type="application/atom+xml;type=feed" title="Groups" href="Web/GetUserById(18)/Groups" />
		<title />
		<updated>2018-07-03T15:45:04Z</updated>
		<author>
			<name />
		</author>
		<content type="application/xml">
			<m:properties>
				<d:Id m:type="Edm.Int32">18</d:Id>
				<d:IsHiddenInUI m:type="Edm.Boolean">false</d:IsHiddenInUI>
				<d:LoginName>i:0#.f|membership|urn%3aspo%3aguest#demo.o365life@gmail.com</d:LoginName>
				<d:Title>demo.o365life@gmail.com</d:Title>
				<d:PrincipalType m:type="Edm.Int32">1</d:PrincipalType>
				<d:Email>demo.o365life@gmail.com</d:Email>
				<d:IsEmailAuthenticationGuestUser m:type="Edm.Boolean">true</d:IsEmailAuthenticationGuestUser>
				<d:IsShareByEmailGuestUser m:type="Edm.Boolean">true</d:IsShareByEmailGuestUser>
				<d:IsSiteAdmin m:type="Edm.Boolean">false</d:IsSiteAdmin>
				<d:UserId m:null="true" />
			</m:properties>
		</content>
	</entry>
</feed>
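An added example (not from the original page or the SharePoint API itself): Python that parses the Atom feeds shown in this section and reports guest users and the live SharingLinks groups, which is the check a site owner would run before worrying about what has been shared. The sample XML is constructed from the page's output, trimmed to the properties the check needs.

```python
# Added example, not from the original page: parse the OData Atom feeds returned by
# /_api/web/siteusers and /_api/web/SiteGroups and report external access to a site.
import xml.etree.ElementTree as ET

NS = {"a": "http://www.w3.org/2005/Atom",
      "d": "http://schemas.microsoft.com/ado/2007/08/dataservices",
      "m": "http://schemas.microsoft.com/ado/2007/08/dataservices/metadata"}
FEED = '<feed xmlns="%(a)s" xmlns:d="%(d)s" xmlns:m="%(m)s">%%s</feed>' % NS
ENTRY = '<entry><content type="application/xml"><m:properties>%s</m:properties></content></entry>'

# Constructed samples, cut down from the page's example output (only the relevant d:* properties kept).
SITEUSERS_XML = FEED % (
    ENTRY % ('<d:Id m:type="Edm.Int32">15</d:Id><d:LoginName>i:0#.f|membership|christiec@demo.o365life.com</d:LoginName>'
             '<d:Email>ChristieC@demo.o365life.com</d:Email><d:IsShareByEmailGuestUser m:type="Edm.Boolean">false</d:IsShareByEmailGuestUser>'
             '<d:IsEmailAuthenticationGuestUser m:type="Edm.Boolean">false</d:IsEmailAuthenticationGuestUser>'
             '<d:UserId m:type="SP.UserIdInfo"><d:NameId>10037ffeabe8fa92</d:NameId></d:UserId>') +
    ENTRY % ('<d:Id m:type="Edm.Int32">18</d:Id><d:LoginName>i:0#.f|membership|urn%3aspo%3aguest#demo.o365life@gmail.com</d:LoginName>'
             '<d:Email>demo.o365life@gmail.com</d:Email><d:IsShareByEmailGuestUser m:type="Edm.Boolean">true</d:IsShareByEmailGuestUser>'
             '<d:IsEmailAuthenticationGuestUser m:type="Edm.Boolean">true</d:IsEmailAuthenticationGuestUser><d:UserId m:null="true" />'))
SITEGROUPS_XML = FEED % (
    ENTRY % ('<d:Id m:type="Edm.Int32">17</d:Id><d:LoginName>SharingLinks.f04c0036-d015-476d-b61b-c7aa652dddbc.Flexible.8e726faf-df38-47d4-858e-b1f2633a3395</d:LoginName>'
             "<d:Description>This group is for Flexible sharing links on item 'Shared Documents/Document.docx'</d:Description>") +
    ENTRY % '<d:Id m:type="Edm.Int32">5</d:Id><d:LoginName>Team Site Owners</d:LoginName><d:Description m:null="true" />')

def parse_entries(xml_text):
    """One dict per <entry>, keyed by d:* property name; m:null and nested (complex) values are dropped."""
    rows = []
    for props in ET.fromstring(xml_text).iterfind("a:entry/a:content/m:properties", NS):
        rows.append({el.tag.split("}", 1)[1]: (el.text or "").strip()
                     for el in props if not len(el) and el.get("{%s}null" % NS["m"]) != "true"})
    return rows

def external_users(users, tenant_domains):
    """Flag guests via SharePoint's own guest flags, the urn:spo:guest login prefix,
    or a mail domain that is not one of the tenant's verified domains."""
    flagged = []
    for u in users:
        login, email = u.get("LoginName", ""), u.get("Email", "").lower()
        reasons = [label for label, hit in (
            ("share-by-email guest", u.get("IsShareByEmailGuestUser") == "true"),
            ("email-authenticated guest", u.get("IsEmailAuthenticationGuestUser") == "true"),
            ("spo guest login", "urn%3aspo%3aguest" in login.lower()),
            ("external domain", "@" in email and email.rsplit("@", 1)[1] not in tenant_domains)) if hit]
        if reasons:
            flagged.append((login, reasons))
    return flagged

def sharing_link_groups(groups):
    """SharingLinks.<item id>.<link kind>.<link id> groups exist only while a sharing link is live;
    the Description names the shared item, so listing them inventories active links on the site."""
    return [(g["LoginName"].split(".")[2], g.get("Description", ""))
            for g in groups if g.get("LoginName", "").startswith("SharingLinks.")]
```

Point the same two functions at the feeds fetched from /_api/web/siteusers and /_api/web/SiteGroups (with the tenant's verified domains as tenant_domains) to get the list of guests and live links for a real site.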

6. Connected accounts

7. OneDrive sync

# Get the GUID of the AD domain (the ADDomain object exposes it as ObjectGUID)
$guid=(Get-ADDomain).ObjectGUID
# Allow the sync client only on devices joined to that domain (DomainGuids accepts more than one GUID if several domains must sync)
Set-SPOTenantSyncClientRestriction -Enable -DomainGuids $guid

8. Office 365 Groups

# Connect to Office 365
Connect-AzureAD

# Get the current settings
$Settings = Get-AzureADDirectorySetting | where DisplayName -eq "Group.Unified"

# Create new settings from the template if current settings are empty
$Settings=if(!$Settings){(Get-AzureADDirectorySettingTemplate | where DisplayName -eq "Group.Unified").CreateDirectorySetting()}else{$Settings}

# Add a UG_ prefix
$Settings["PrefixSuffixNamingRequirement"] = "UG_[GroupName]"

# Save the settings. Settings just created from the template have no Id yet and must be
# created with New-AzureADDirectorySetting; re-read them afterwards so that $Settings.Id is set.
if($Settings.Id){Set-AzureADDirectorySetting -DirectorySetting $Settings -Id $Settings.Id}
else{New-AzureADDirectorySetting -DirectorySetting $Settings | Out-Null; $Settings = Get-AzureADDirectorySetting | where DisplayName -eq "Group.Unified"}

# Disable group creation
$Settings["EnableGroupCreation"] = $False

# Set the group allowed to create Office 365 groups
$Settings["GroupCreationAllowedGroupId"] = (Get-AzureADGroup -SearchString "O365GroupCreators").objectid

# Save the settings
Set-AzureADDirectorySetting -DirectorySetting $Settings -Id $Settings.Id

T08 The Weakest Link of Office 365 Security

1. Change mailbox permission

2. Reset password

Force password sync (credits: Abdul Farooque)

# Import ADSync module
Import-Module adsync

# Save AD and AAD connectors to variables
# (assumes the AAD connector is listed first and the AD connector second; check the order in Get-ADSyncConnector before relying on the indexes)
$adConnector = (Get-ADSyncConnector).Name[1]
$aadConnector = (Get-ADSyncConnector).Name[0]

# Get AD sync settings
$gs = Get-ADSyncGlobalSettings

# Create a new configuration parameter object for the synchronization policy
$p = New-Object Microsoft.IdentityManagement.PowerShell.ObjectModel.ConfigurationParameter "Microsoft.Synchronize.SynchronizationPolicy", String, SynchronizationGlobal, $null, $null, $null
$p.Value = "Delta"

# Remove the old synchronization policy
$gs.Parameters.Remove($p.Name)

# Add the new synchronization policy
$gs.Parameters.Add($p)

# Save the settings
Set-ADSyncGlobalSettings -GlobalSettings $gs

# Get the AD connector
$c = Get-ADSyncConnector -Name $adConnector
# Create a new configuration parameter object for password sync and set it to force a full sync
$p = New-Object Microsoft.IdentityManagement.PowerShell.ObjectModel.ConfigurationParameter "Microsoft.Synchronize.ForceFullPasswordSync", String, ConnectorGlobal, $null, $null, $null
$p.Value = 1

# Remove the old password sync policy
$c.GlobalParameters.Remove($p.Name)

# Add the new password sync policy
$c.GlobalParameters.Add($p)

# Save the modified AD connector
$c = Add-ADSyncConnector -Connector $c

# Disable password sync from the AD connector to the AAD connector...
Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector -TargetConnector $aadConnector -Enable $false

# ...and enable it again, which triggers the full password sync
Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector -TargetConnector $aadConnector -Enable $true

3. Forge AD FS

# Backup the current rules
Get-AdfsRelyingPartyTrust -Name "Microsoft Office 365 Identity Platform" | Select -ExpandProperty IssuanceTransformRules | Out-File $HOME\oldrules.txt

# Get user's GUID and UPN
Get-ADUser DebraB | Select UserPrincipalName,ObjectGUID

# Base64 encode the GUID
[System.Convert]::ToBase64String((Get-ADUser DebraB).ObjectGUID.toByteArray())

# Create new issuance rules
notepad $HOME\newrules.txt
#=> issue(Type = "http://schemas.xmlsoap.org/claims/UPN", Value="DebraB@sso.o365life.com");
#=> issue(Type = "http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID", Value="oLz3wkUf9E+eAC6lEXeqIQ==");

# Apply new issuance rules
Set-AdfsRelyingPartyTrust -TargetName "Microsoft Office 365 Identity Platform" -IssuanceTransformRulesFile $HOME\newrules.txt

# Restore the original rules
Set-AdfsRelyingPartyTrust -TargetName "Microsoft Office 365 Identity Platform" -IssuanceTransformRulesFile $HOME\oldrules.txt
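Added example (not from the original page): the same Base64(GUID bytes) encoding as the PowerShell line above, written in Python, together with the decode direction, so that an ImmutableID claim seen in a token or the ImmutableId stored in Azure AD can be verified against the on-premises ObjectGUID it is supposed to represent.

```python
# Added example, not from the original page: convert between an AD ObjectGUID and the
# ImmutableID value (Base64 of Guid.ToByteArray()) and verify that a claim matches a GUID.
import base64
import uuid

def guid_to_immutable_id(guid):
    """ImmutableID = Base64(Guid.ToByteArray()). .NET serialises the first three GUID
    fields little-endian, which is exactly uuid.UUID(...).bytes_le in Python."""
    return base64.b64encode(uuid.UUID(str(guid)).bytes_le).decode("ascii")

def immutable_id_to_guid(immutable_id):
    """Inverse: decode an ImmutableID back to the GUID string it encodes.
    Raises ValueError on anything that is not Base64 of exactly 16 bytes."""
    raw = base64.b64decode(immutable_id, validate=True)   # binascii.Error is a ValueError
    if len(raw) != 16:
        raise ValueError("ImmutableID must decode to 16 bytes, got %d" % len(raw))
    return str(uuid.UUID(bytes_le=raw))

def immutable_id_matches(immutable_id, expected_guid):
    """True only if the ImmutableID presented for a user encodes that user's on-prem GUID;
    malformed input counts as a mismatch rather than an exception."""
    try:
        return immutable_id_to_guid(immutable_id) == str(uuid.UUID(str(expected_guid)))
    except ValueError:
        return False
```

Decoding the page's example value oLz3wkUf9E+eAC6lEXeqIQ== with immutable_id_to_guid gives c2f7bca0-1f45-4ff4-9e00-2ea51177aa21.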

About Dr Nestori Syynimaa
Dr Syynimaa works as a CIO of eight cities and municipalities surrounding Tampere, the largest inland city in Nordic countries. He also runs his own consultation business Gerenios. Before moving to his current position, Dr Syynimaa worked as a consultant, trainer, and university lecturer for almost 20 years. He is a regular speaker on Office 365 and Azure security in scientific and professional conferences. Dr Syynimaa holds MCSA (Office 365) and is Microsoft Certified Trainer.