gerenios / aadinternals
AADInternals PowerShell module for administering Azure AD and Office 365
Home Page: http://aadinternals.com/aadinternals
License: MIT License
Trying to obtain an AT for OneDrive with a PRT cookie ends up with the following error:
Code not received!
At C:\Program Files\WindowsPowerShell\Modules\AADInternals\0.4.6\PRT_Utils.ps1:409 char:13
+ throw "Code not received!"
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OperationStopped: (Code not received!:String) [], RuntimeException
+ FullyQualifiedErrorId : Code not received!
After digging deeper, the Azure AD error is: InvalidReplyTo.
Command used. I am not using the tenant domain, but the tenant name. I tried with the tenant ID and received the same error:
Get-AADIntAccessTokenForOneDrive -PRTToken ey[cut]fQ9s= -Tenant tenantname
Request sent, captured with Fiddler:
GET /Common/oauth2/authorize?resource=https://tenantname-my.sharepoint.com/&client_id=ab9b8c07-8f02-4f72-87fa-80105867a763&response_type=code&redirect_uri=urn:ietf:wg:oauth:2.0:oob&client-request-id=7f3608b7-9e34-4de1-b261-82b0d9eb174f&mscrid=7f3608b7-9e34-4de1-b261-82b0d9eb174f&sso_nonce= HTTP/1.1
x-ms-RefreshTokenCredential: ey[cut]fQ9s=
Host: login.microsoftonline.com
Hi,
I'm trying to request a new BPRT and am getting the following error message. Everything was working fine a month ago, but now my co-worker and I get the same error message. We've updated to the latest version of AAD internals and tried from multiple computers. Do you have any ideas or suggestions we could try?
Thanks.
PS C:\Users\user> Get-AADIntAccessTokenForAADGraph -Resource urn:ms-drs:enterpriseregistration.windows.net -SaveToCache
AccessToken saved to cache.
Tenant User Resource Client
------ ---- -------- ------
5290229c-XXXX-XXXX-XXXX-XXXXXXXXXXXX [email protected] urn:ms-drs:enterpriseregistration.windows.net 1b730954-1685-4b74-9bfd-XXXXXXXXXXXX
PS C:\Users\user> $bprt = New-AADIntBulkPRTToken -Name "package_$(new-guid)"
WARNING: Got unauthorized_client error. Please try again.
AADSTS650051: {"odata.error":{"code":"Request_BadRequest","message":{"lang":"en","value":"SourceAnchor is a required property for creation of a federated user."},"requestId":"f6ba90fe-6dd6-4560-9394-bff3d1fa3d18","date":"2023-05-03T13:50:30","values":[{"item":"PropertyName","value":"immutableId"},{"item":"PropertyErrorCode","value":"PropertyRequired"}]}}
Trace ID: 44181f8c-f803-4187-b2aa-dde6e1e85a00
Correlation ID: 5757b707-00c0-49c1-9449-0b2b6e20e3ee
Timestamp: 2023-05-03 13:50:30Z
At C:\Users\user\Documents\WindowsPowerShell\Modules\AADInternals\0.8.1\PRT.ps1:1724 char:13
+ throw $details.error_description
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OperationStopped: (AADSTS650051: {...05-03 13:50:30Z:String) [], RuntimeException
+ FullyQualifiedErrorId : AADSTS650051: {"odata.error":{"code":"Request_BadRequest","message":{"lang":"en","value":"SourceAnchor is a required property for creation of a federated user."},"requestId":"f6ba90fe-6dd6-4560-9394-bff3d1fa3d18","date":"2023-05-03T13:50:30","values":[{"item":"PropertyName","value":"immutableId"},{"item":"PropertyErrorCode","value":"PropertyRequired"}]}}
Trace ID: 44181f8c-f803-4187-b2aa-dde6e1e85a00
Correlation ID: 5757b707-00c0-49c1-9449-0b2b6e20e3ee
Timestamp: 2023-05-03 13:50:30Z
Would it be possible for the access token / bulk enrollment token functionality to not be hardcoded to the commercial tenants?
Current behavior will result in an error related to cross-cloud functionality: ConvertFrom-Json : Invalid JSON primitive: AADSTS90038.
Hardcoded Endpoints | Azure Government (GCCH endpoints) |
---|---|
graph.microsoft.net | graph.microsoft.us |
urn:ms-drs:enterpriseregistration.windows.net | urn:ms-drs:enterpriseregistration.microsoftonline.us |
It does not appear possible to manually specify the right endpoints:
VERBOSE: ACCESS TOKEN HAS WRONG AUDIENCE: . Exptected: urn:ms-drs:enterpriseregistration.windows.net.
The audience of the access token () is wrong. Should be urn:ms-drs:enterpriseregistration.windows.net!
Reference:
I met an issue when remotely executing: Join-AADIntDeviceToAzureAD -DeviceName "test" -DeviceType "Commodore" -OSVersion "Vic20" -JoinType Join
For some purpose, I need to set up my Win10 computer to leave the domain and then join AAD.
Leave domain:
Invoke-Command -ComputerName $clientIp -Credential $domainCred -ScriptBlock {
param($domainCred)
Add-Computer -WorkgroupName test -Credential $domainCred -Restart -Force
} -ArgumentList $domainCred
After leaving the domain, I always failed to join AAD; then I found that the private key is not generated in the pfx file.
Problem code is this line: $cspParameters.KeyContainerName ="AADInternals"
Looking forward to any workaround for this issue. Thanks a lot.
The list of supported protocols in the Get-EASAutoDiscover function is outdated. The application answers with the following list of protocols when you send an unsupported value in the Protocol parameter:
Rest,ActiveSync,Ews,Substrate,SubstrateSearchService,AutodiscoverV1,SubstrateNotificationService,OutlookMeetingScheduler,OutlookPay,Actions,Connectors,ConnectorsProcessors,ConnectorsWebhook,NotesClient,OwaPoweredExperience,ToDo,Weve,OutlookLocationsService,OutlookCloudSettingsService,OutlookTailoredExperiences,OwaPoweredExperienceV2,Speedway,SpeechAndLanguagePersonalization,SubstrateSignalService,CompliancePolicyService
It should be updated.
Any idea on how to accomplish this? I can't get it to work with access or refresh tokens, only with a registered app registration...
Hello,
I have been testing out the phishing function and it's working as expected. Once I have the token, though, it only seems like I can run a small set of insider commands. For example, I can run Invoke-AADIntReconAsInsider just fine, but Get-AADIntGlobalAdmins returns an error saying it can't find an access token. If I run Get-AADIntCache I see the tokens, so I'm not sure why the other insider commands are not running as expected; maybe I'm missing a step in between.
Also, somewhat related: after I phish the user and grab the token, I run Open-AADIntOWA, but it does not open the mailbox of the user I phished, but my work inbox. Thank you for the tool!
Hello. I wanted to report an error that occurs when attempting to import the AADInternals module into a PowerShell Core session. The error is:
SetValueInvocationException: Exception setting "SecurityProtocol": "The requested security protocol is not supported."
This error does not occur when using Windows PowerShell.
It is not really an issue but a query.
Where are Get-AccessToken and Read-AccessToken defined? I looked in all .ps1 files and I can't find these functions' code.
When running on Windows 1809 (not joined to domain or AAD):
Get-AADIntAccessTokenForAADJoin -SaveToCache
I receive the following error:
PS C:\Windows\system32> Get-AADIntAccessTokenForAADJoin -SaveToCache
WARNING: WebBrowser control emulation not set for PowerShell or PowerShell ISE!
Would you like set the emulation to IE 11? Otherwise the login form may not work! (Y/N): Y
Emulation set. Restart PowerShell/ISE!
You cannot call a method on a null-valued expression.
At C:\Program Files\WindowsPowerShell\Modules\AADInternals\0.4.4\AccessToken_utils.ps1:1167 char:12
+ if($form.ShowDialog() -ne "OK") {
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [], RuntimeException
+ FullyQualifiedErrorId : InvokeMethodOnNull
Cannot index into a null array.
At C:\Program Files\WindowsPowerShell\Modules\AADInternals\0.4.4\AccessToken_utils.ps1:1175 char:9
+ $response = [Web.HttpUtility]::ParseQueryString($form.Control ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [], RuntimeException
+ FullyQualifiedErrorId : NullArray
Cannot index into a null array.
At C:\Program Files\WindowsPowerShell\Modules\AADInternals\0.4.4\AccessToken_utils.ps1:1178 char:9
+ $body = @{
+ ~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [], RuntimeException
+ FullyQualifiedErrorId : NullArray
Cannot index into a null array.
At C:\Program Files\WindowsPowerShell\Modules\AADInternals\0.4.4\AccessToken_utils.ps1:1186 char:9
+ $form.Controls[0].Dispose()
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [], RuntimeException
+ FullyQualifiedErrorId : NullArray
Invoke-RestMethod : {"error":"invalid_request","error_description":"AADSTS900144: The request body must contain the following parameter: 'grant_type'.\r\nTrace ID:
da1f378d-681a-45eb-9283-507a1d4c1400\r\nCorrelation ID: 4b06d599-96d4-4c2d-ad93-c9f86295fa60\r\nTimestamp: 2020-12-21 10:51:44Z","error_codes":[900144],"timestamp":"2020-12-21
10:51:44Z","trace_id":"da1f378d-681a-45eb-9283-507a1d4c1400","correlation_id":"4b06d599-96d4-4c2d-ad93-c9f86295fa60","error_uri":"https://login.microsoftonline.com/error?code=900144"}
At C:\Program Files\WindowsPowerShell\Modules\AADInternals\0.4.4\AccessToken_utils.ps1:1193 char:23
+ ... sonResponse=Invoke-RestMethod -Uri "https://login.microsoftonline.com ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-RestMethod], WebException
+ FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeRestMethodCommand
Could not get OAuthInfo!
At C:\Program Files\WindowsPowerShell\Modules\AADInternals\0.4.4\AccessToken_utils.ps1:2380 char:17
+ throw "Could not get OAuthInfo!"
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OperationStopped: (Could not get OAuthInfo!:String) [], RuntimeException
+ FullyQualifiedErrorId : Could not get OAuthInfo!
I'm getting this error when using some functions and can't find the function anywhere or find any reference about it in a file or online. Any idea how this works?
Thanks
Running Join-AADIntDeviceToIntune generates MDM certificates. However, what is required to change the device state to compliant? The compliance policy assigned to the device is in the "Not evaluated" state. How to utilize the received certificates?
Moreover, after enrolling the device to Intune, its name in Intune is not the one specified by the DeviceName parameter of Join-AADIntDeviceToIntune. Instead the name is in the format: username_OS_date
Hey @NestoriSyynimaa
I'm looking for a programmatic way to join real devices to AzureAD. Playing with your module, it appears that Join-AADIntDeviceToAzureAD creates a "fake" device and doesn't actually join your device.
Outside of Autopilot, the only supported way to programmatically join AzureAD is by creating and applying a provisioning profile using Windows Configuration Designer.
Windows Configuration Designer creates and accepts a "BPRT".
Then you get a BPRT value that starts with 0.
However, when I run Get-AADIntAccessTokenForAADJoin I get a token that starts with eyJ.
I believe the one it wants is encrypted, as I'm not able to decode it using jwt.io.
Is there a way your library can produce the BPRT in the format necessary for Windows Configuration Designer?
If it helps, it appears that Windows Configuration Designer spawns Microsoft.AAD.BrokerPlugin.exe to generate this token.
C:\Windows\SystemApps\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\Microsoft.AAD.BrokerPlugin.exe -ServerName:App.AppXgvz9wxd0frjs1prgz5kvtcz083996jyv.mca
Any info or code on how to manage Intune devices and applications would be great!
Hello,
Is there a way to import tokens into the cache (that may have been captured with different tools)?
I'm trying to get a refresh token using a service principal client secret like this:
$secret = Get-Content .\appreg.txt
$secure_secret = $secret | ConvertTo-SecureString -AsPlainText -Force
$pscredential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "[ServicePrincipalId]", $secure_secret
Get-AADIntAccessToken -ClientId "1950a258-227b-4e31-a9cf-717495945fc2" -Resource "https://graph.microsoft.com" -IncludeRefreshToken $true -Credentials $pscredential
But I get the following error:
Get-OAuthInfo : User type of [ServicePrincipalId] is Unknown!
At AccessToken.ps1:1574 char:38
+ ... OAuthInfo = Get-OAuthInfo -Credentials $Credentials -ClientId $Client ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException
+ FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Get-OAuthInfo
Could not get OAuthInfo!
At AccessToken.ps1:1586 char:17
+ throw "Could not get OAuthInfo!"
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OperationStopped: (Could not get OAuthInfo!:String) [], RuntimeException
+ FullyQualifiedErrorId : Could not get OAuthInfo!
However those credentials work using:
Connect-AzAccount -ServicePrincipal -Credential $pscredential -Tenant [TenantId]
Is there a way to use AADInternals with service principal credentials?
I tried connecting to the partner center.
Seems like I get a working Access Token when using the following:
Get-AccessToken -Resource "https://api.partnercenter.microsoft.com" -ClientId "04b07795-8ddb-461a-bbee-02f9e1bf7b46"
Just thought you might want to know.
Hey, I'm trying to use the 'Join-AADIntDeviceToAzureAD' command; as far as I can tell, it seems to be working.
I have tried using 'Get-AADIntAccessTokenForAADJoin -BPRT $BPRT', 'Get-AADIntAccessTokenForAADJoin -SaveToCache' and 'Get-AADIntAccessTokenForAADJoin' for generating the token.
But I don't believe it is a permission issue.
Every time the command is run, a device is being created in AAD.
Most recent example -
However, at this stage, I was expecting I could reboot the device and it would be AAD Joined and ready to be signed into with an AAD account.
After a reboot that never occurs and when checking dsregcmd 'AzureAdJoined' is still 'NO'.
I have also attempted to split the steps by performing the 'register' first then 'join' but the result was the same.
Am I missing something or?
Using token auth with Get-SPOSiteUsers, I found that it is using a non-existent variable and failing with the following error:
The audience of the access token (https://xxxxxx.sharepoint.com) is wrong. Should be https://.sharepoint.com!
This is because line 140 in SPO.ps1:
$AccessToken = Get-AccessTokenFromCache -AccessToken $AccessToken -Resource "https://$Tenant.sharepoint.com/" -ClientId "9bc3ab49-b65d-410a-85ad-de819febfddc"
The variable $Tenant does not exist; this bug is corrected by writing:
$AccessToken = Get-AccessTokenFromCache -AccessToken $AccessToken -Resource $Site -ClientId "9bc3ab49-b65d-410a-85ad-de819febfddc"
(Note that the site should be in https://tenant.sharepoint.com format.)
Thanks for your project.
Just curious what the workflow is for loading in a refresh token that was retrieved offline? I want to use this with AADInternals to do follow on enumeration, but don't see options or cmdlets to load it into the cache. Appreciate the help!
Hello,
I'm doing some tests and I'm wondering if it is possible to use the access token retrieved from the phishing, for example, to set up an Outlook profile.
Thank you for your work on this script library.
I want to join a fake device but I have the following result doing so:
Get-AADIntAccessTokenForAADJoin -SaveToCache
Join-AADIntDeviceToAzureAD -DeviceName "MyComputer"
Register-DeviceToAzureAD : {"ErrorType":"AuthenticationError","Message":"Invalid JWT
token.","TraceId":"29922db7-0f4c-449f-bfc4-3bb835d4bd28","Time":"10-15-2022 9:58:46Z"}
Au caractère C:\Users\MyUser\Documents\WindowsPowerShell\Modules\AADInternals\0.7.3\PRT.ps1:464 : 31
+ ... tResponse = Register-DeviceToAzureAD -AccessToken $AccessToken -Devic ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException
+ FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Register-DeviceToAzureAD
I don't understand, because Get-AADIntAccessTokenForAADJoin generates a token specifically for this purpose, but it is still considered invalid?
Could you enlighten me on what's happening? Is it because of a policy or MFA?
I tried the instructions in the https://o365blog.com/post/quest_for_guest/ blog post with a guest account in one of our tenants.
I used the -UseDeviceCode option for getting an access token, so I executed this:
Get-AADIntAccessTokenForAzureCoreManagement -UseDeviceCode -Tenant 6e3846ee-e8ca-4609-a3ab-f405cfbd02cd -SaveToCache
I opened the "https://microsoft.com/devicelogin" URL, entered the displayed user_code and I got the following response:
Help us keep your device secure
Your sign-in was successful but your admin requires the device requesting access to be managed by Company Ltd. to access this resource.
I found this very strange, because when I initiated a device authorization grant flow with curl using the very same URL and POST body as used by Get-AccessTokenUsingDeviceCode, I got the expected success message:
Microsoft Office
You have signed in to the Microsoft Office application on your device. You may now close this window.
Eventually I've modified my local copy of AADInternals to use a debugging proxy (I prefer the Charles Web Debugging Proxy) with the Invoke-RestMethod calls in the Get-AccessTokenUsingDeviceCode function. As it turned out: the only difference between my successful attempts with curl and the unsuccessful attempts with AADInternals was the User-Agent. :o
The requests from AADInternals (via Windows 10 and PowerShell 5.1) use the following User-Agent:
Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
I tested the theory and added the following option to both Invoke-RestMethod calls in Get-AccessTokenUsingDeviceCode:
-UserAgent "curl/7.68.0"
With this modification my device authentication flows via Get-AADIntAccessTokenForAzureCoreManagement -UseDeviceCode -Tenant 6e3846ee-e8ca-4609-a3ab-f405cfbd02cd -SaveToCache started to work, i.e. AzureAD gave a success message after I entered the user_code!
I'm not sure what AzureAD tenant configuration is the reason for this behaviour, but the error message that AAD gives here is total BS, since I'm pretty sure that curl is not a device managed by Company Ltd.. :D
P.S.: for the purposes of this GH issue I took the tenant ID and company name from the "Quest for guest access" blog post, but of course I used other values in my own tests. :-)
P.S.2: thanks for AADInternals! It is a great toolkit for investigating AzureAD internals. :-)
I couldn't find this, how and for what duration are the tokens saved to Cache?
Hi Gerenios,
Thanks for the great tool. But when I used it in PowerShell on Linux, it required some registry settings on Windows to set the browser.
Should we support PowerShell on Linux at this time?
Best regards,
Severus
Running: Join-AADIntDeviceToAzureAD -AccessToken eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1d<cut>ku640TzItkBra0Jj4oZEGVl2uno4hFm019I7MBeSLWqmotb9yr20O4C06SdTXj9XlfGxuCkGU0HOlpyj27nkkrhO9gXuAqMquRDTAnxid-ZGanjHzyXLjefb5kJ84ksN3B2k9Nzkn1YjmqA9dWk_1IA -DeviceName "JoinTest" -DeviceType "Windows"
ends up with the following error:
Register-DeviceToAzureAD : {"ErrorType":"InvalidParameter","Message":"An Attribute key or value specified is invalid or exceeds length limits (512).","TraceId":"88a32c70-87ca-4f8f-a018-2d0ff3906f9f","Time":"06-24-2021
10:57:11Z"}
At C:\Program Files\WindowsPowerShell\Modules\AADInternals\0.4.6\PRT.ps1:400 char:31
+ ... tResponse = Register-DeviceToAzureAD -AccessToken $AccessToken -Devic ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException
+ FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Register-DeviceToAzureAD
Below is a Fiddler trace capturing the HTTPS traffic when Join-AADIntDeviceToAzureAD was run:
POST https://enterpriseregistration.windows.net/EnrollmentServer/device/?api-version=1.0 HTTP/1.1
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1d<cut>ku640TzItkBra0Jj4oZEGVl2uno4hFm019I7MBeSLWqmotb9yr20O4C06SdTXj9XlfGxuCkGU0HOlpyj27nkkrhO9gXuAqMquRDTAnxid-ZGanjHzyXLjefb5kJ84ksN3B2k9Nzkn1YjmqA9dWk_1IA
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1023
Content-Type: application/json; charset=utf-8
Host: enterpriseregistration.windows.net
Content-Length: 1769
Expect: 100-continue
{
"TransportKey": "UlNBMQAIAAADAAAAAAEAAAAAAAAAAAAAAQAB07jinw0y68+PPJtaIZAQX+z5ys0raRRazBMJMazXyhGFDWHMIqbC4y8qnjLritkwQUXkBrNdqb6y9XygNk04/rH6oytitEPMsCYl5bTfkPYLS7Pigj/C2Bk9zndg/DMtyFvQP7lNrUQ3qdwXE0Fi1daabttghen989X+ok6Z7IRPRjWarGkvOVMNlTUUKcDUXu53oOb4fUtG1EydSNAcok9Uo4UR15TIxC7RPDYK1LADYwLgcCIeXh2byUKpxK7UYkV+suXPcojl6f+TSeJ25x4SaB4Rp8SMX5O0Dz5GCfqWxr0BqzGlIf9NOrZL8WNXR33OiRkguclNfJGl1OB0+Q==",
"JoinType": 0,
"DeviceDisplayName": "JoinTest",
"OSVersion": "10.0.19041.804",
"CertificateRequest": {
"Type": "pkcs10",
"Data": "<cut>"
},
"TargetDomain": "mydomain.com",
"DeviceType": "Windows",
"Attributes": {
"ReuseDevice": true,
"ReturnClientSid": true,
"SharedDevice": false
}
}
HTTP/1.1 400 Bad Request
Content-Length: 202
Content-Type: application/json
request-id: 88a32c70-87ca-4f8f-a018-2d0ff3906f9f
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
Date: Thu, 24 Jun 2021 10:57:11 GMT
{"ErrorType":"InvalidParameter","Message":"An Attribute key or value specified is invalid or exceeds length limits (512).","TraceId":"88a32c70-87ca-4f8f-a018-2d0ff3906f9f","Time":"06-24-2021 10:57:11Z"}
I'm trying to use "Set-AADIntUserPassword" but it doesn't work, maybe I'm missing something?
Import-Module AADInternals
Get-AADIntAccessTokenForAADGraph -SaveToCache
AccessToken saved to cache.
Tenant User Resource Client
------- ---- -------- ------
****** [email protected] https://graph.windows.net ***************
Set-AADIntSyncFeatures -EnableFeatures PasswordHashSync
BlockCloudObjectTakeoverThroughHardMatch : False
BlockSoftMatch : False
DeviceWriteback : False
DirectoryExtensions : False
DuplicateProxyAddressResiliency : True
DuplicateUPNResiliency : False
EnableSoftMatchOnUpn : False
EnableUserForcePasswordChangeOnLogon : False
EnforceCloudPasswordPolicyForPasswordSyncedUsers : False
PassThroughAuthentication : False
PasswordHashSync : True
PasswordWriteBack : False
SynchronizeUpnForManagedUsers : False
UnifiedGroupWriteback : False
UserWriteback : False
Set-AADIntUser -UserPrincipalName "[email protected]" -ImmutableId [email protected]
Get-AADIntUser -UserPrincipalName "[email protected]" | select UserPrincipalName,ImmutableId
UserPrincipalName ImmutableId
----------------- -----------
[email protected] [email protected]
Set-AADIntUserPassword -SourceAnchor "[email protected]" -hash FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
CloudAnchor ExtendedErrorInformation
----------- ------------------------
CloudAnchor The password change request cannot be executed since it contains changes to one or more cloud only user objects, which is not supported. Please refer to https://docs.microsof...
Set-AADIntUserPassword -CloudAnchor "User_c4854aa3-bbbb-eeee-9999-26bedf6e8eb2" -Password "password123"
CloudAnchor ExtendedErrorInformation
----------- ------------------------
User_c4854aa3-bbbb-eeee-9999-26bedf6e8eb2 The password change request cannot be executed since it contains changes to one or more cloud only user objects, which is not supported. Please ...
If the user was not created by Azure AD Connect, does it not work?
I have several suggestions on o365blog's AADInternals reference.
https://o365blog.com/aadinternals/
Get-AADIntAccessTokenForSARA
Get-AADIntAuthTokenForAADIAMAPI, it should be Get-AADIntAccessTokenForAADIAMAPI
Open-AADIntOWA (O) should be (E), not (O)?
Get-AADIntAccessTokenForTeams has (T) and (TO)? Search-AADIntTeamsUser (TO)
Mark for each entry in the table Functionality / Playing with access tokens:
Token/API | Function | Mark | Remarks |
---|---|---|---|
No token needed | N/A | * | example: Get-AADIntTenantid |
AAD Graph | Get-AADIntAccessTokenForAADGraph | A | Functions using AAD Graph access token. |
MS Graph | Get-AADIntAccessTokenForMSGraph | M | Functions using MS Graph access token. |
Pass Through Authentication | Get-AADIntAccessTokenForPTA | P | Used when enabling/disabling PTA and Seamless SSO (Desktop SSO) |
Azure Admin Portal | Get-AADIntAccessTokenForAADIAMAPI | Z | Used when inviting guest users. |
Exchange Online | Get-AADIntAccessTokenForEXO | E | Used with Exchange Online and ActiveSync functions |
Support and Recovery Assistant | Get-AADIntAccessTokenForSARA | SARA? | Used with Support and Recovery Assistant functions |
SharePoint Online | Get-AADIntSPOAuthenticationHeader | S | Used with SharePoint Online functions |
OneDrive for Business | New-AADIntOneDriveSettings | O | Used with OneDrive for Business functions |
Azure Core Management | Get-AADIntAccessTokenForAzureCoreManagement | AC | Used with Azure Core Management functions |
Azure AD Join | Get-AADIntAccessTokenForAADJoin | J | Used with Azure AD join function |
Azure Intune MD | Get-AADIntAccessTokenForIntuneMDM | N/A | Used with Intune MDM functions |
Azure Cloud Shell | Get-AADIntAccessTokenForCloudShell | C | Used with Azure Cloud Shell |
(new) | Get-AADIntComplianceAPICookies | CA | |
(new) | Get-AADIntAccessTokenForMSCommerce | CM | |
(new) | Get-AADIntAccessTokenForMySignins | MY | |
(new) | Get-AADIntAccessTokenForTeams | T or TO | Set-AADIntTeamsStatusMessage (T) Search-AADIntTeamsUser (TO) |
(new) | Get-AADIntAccessTokenForTeams | TO | |
(new) | Get-AADIntAccessTokenForPTA | PTA | |
(new) | Get-AADIntAccessTokenForAdmin | AD | |
(new) | Get-AADIntAccessTokenForMSPartner | MP | |
I can't use Invoke-AADPhishing using an external SMTP provider, such as Outlook or Gmail.
I use credentials, but I always time out; I suspect I'm doing something wrong.
Thanks in advance.
The text to speech examples do not work. Windows 10 machine.
Get-AADIntAccessTokenForOneNote -SaveToCache
Start-AADIntSpeech -Text "Three Swedish switched witches watch three Swiss Swatch watch switches. Which Swedish switched witch watch which Swiss Swatch watch switch?" -Language "en-GB" -PreferredVoice Male
Tracing with Fiddler, it looks like I do get 200 for both the content model and GetSpeech requests:
POST /learningtoolsapi/v2.0/getcontentmodelforreader HTTP/1.1
POST /learningtoolsapi/v2.0/GetSpeech HTTP/1.1
Before I start hunting down the issue on my machine, I was wondering if someone else could please run the sample above and tell me whether it works. It would be appreciated.
Thank you very much
I'm new to AADInternals, so this may be something I'm doing?
I'm trying to run Get-AADIntAccessTokenForGraph to get a BPRT token for bulk AzureAD domain join for devices. However I get the following set of messages:
The user account used in the above screen capture is a Global Admin, but I have tried with a standard user with the same results. I have also tried on different machines.
I'm referring to this code about the 1.2.840.113556.1.5.284.3 OID (lines 122 to 123 in 1561dc6):
The code describes it as "ObjectId", same as in your article (very good one btw! thanks for sharing 😉): https://aadinternals.com/post/deviceidentity/#device-certificate-dkpub-dkpriv
When reading this, I understood it as meaning the device's Object ID. It felt redundant considering we already have the Device ID with 1.2.840.113556.1.5.284.2, but I ignored this feeling... Anyway, I couldn't find the corresponding device in my AAD...
Then I found https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-dvrj/850786b9-2525-4047-a5ff-8c3093b46b88 and https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-dvre/76747b5c-06c2-4c73-9207-8ebb6ee891ea which describe 1.2.840.113556.1.5.284.3 as:
The objectGuid of the user object ([MS-ADSC] section 2.268) on the directory server that corresponds to the authenticating user.
And indeed, when looking for this "ObjectId" in my AAD, I confirm it refers to the Object ID of the user who registered the device, not the device's Object ID 🙂
So I suggest renaming it to "AuthUserObjectId", for example, to make it more explicit which object it refers to. What do you think?
I wanted to report it as an issue before submitting a PR because I see several other references in the code to fix, so I would have several tests to do after renaming to ensure there's no regression.
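To make the distinction above concrete, here is an added example (not AADInternals code) that walks a DER-encoded X.509 Extensions SEQUENCE with the standard library only, encodes and decodes the 1.2.840.113556.1.5.284.x OIDs, and reports the .2 (device ID) and .3 (registering user's objectGuid) values separately. The sample extensions are constructed here with UTF8String values; how a real device certificate encodes those values is an assumption, so check one with `openssl asn1parse` before relying on it.

```python
"""Find Azure AD device-certificate extensions by OID in a DER Extensions SEQUENCE.

Added example, not part of AADInternals. Only the OID arcs come from the issue
above (MS-DVRE): .2 is the device ID, .3 is the objectGuid of the *user* who
registered the device. The value encoding used by the sample is an assumption.
"""
from __future__ import annotations

OID_DEVICE_ID = "1.2.840.113556.1.5.284.2"
OID_USER_OBJECT_ID = "1.2.840.113556.1.5.284.3"  # registering user's objectGuid, per MS-DVRE

TAG_BOOLEAN, TAG_OCTET_STRING, TAG_OID, TAG_UTF8, TAG_SEQUENCE = 0x01, 0x04, 0x06, 0x0C, 0x30


def encode_oid(oid: str) -> bytes:
    """Dotted OID -> DER content octets: first two arcs merged, base-128 for the rest."""
    arcs = [int(a) for a in oid.split(".")]
    body = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])          # last group has the high bit clear
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))  # continuation groups have it set
            arc >>= 7
        body += chunk
    return bytes(body)


def decode_oid(body: bytes) -> str:
    """DER content octets -> dotted OID (inverse of encode_oid)."""
    first = body[0]
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)


def tlv(tag: int, value: bytes) -> bytes:
    """Wrap value in a DER tag/length/value triple (short or long-form length)."""
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    lb = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def read_tlv(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    """Return (tag, value, position after this TLV) for the TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                             # long form: next N bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_extensions(der: bytes) -> dict[str, bytes]:
    """Map extnID (dotted OID) -> extnValue bytes for every Extension in the SEQUENCE."""
    tag, seq, end = read_tlv(der, 0)
    if tag != TAG_SEQUENCE or end != len(der):
        raise ValueError("not a DER Extensions SEQUENCE")
    found, pos = {}, 0
    while pos < len(seq):
        tag, ext, pos = read_tlv(seq, pos)
        t, oid_body, p = read_tlv(ext, 0)
        if tag != TAG_SEQUENCE or t != TAG_OID:
            raise ValueError("malformed Extension")
        t, val, p = read_tlv(ext, p)
        if t == TAG_BOOLEAN:                      # optional 'critical' flag precedes the value
            t, val, p = read_tlv(ext, p)
        if t != TAG_OCTET_STRING:
            raise ValueError("extnValue must be an OCTET STRING")
        found[decode_oid(oid_body)] = val
    return found


def utf8_inner(extn_value: bytes) -> str:
    """Decode an extnValue wrapping one UTF8String (the encoding ASSUMED by the sample)."""
    t, s, _ = read_tlv(extn_value, 0)
    if t != TAG_UTF8:
        raise ValueError("expected UTF8String inside extnValue")
    return s.decode("utf-8")


def device_cert_identities(der: bytes) -> dict[str, str]:
    """Report the two identities with names that say which object each refers to."""
    exts = parse_extensions(der)
    return {"device_id": utf8_inner(exts[OID_DEVICE_ID]),
            "registering_user_object_id": utf8_inner(exts[OID_USER_OBJECT_ID])}


def build_extension(oid: str, text: str) -> bytes:
    """Constructed test helper: Extension { extnID, extnValue OCTET STRING { UTF8String } }."""
    return tlv(TAG_SEQUENCE, tlv(TAG_OID, encode_oid(oid))
               + tlv(TAG_OCTET_STRING, tlv(TAG_UTF8, text.encode())))


# Constructed sample values (not real identifiers).
SAMPLE_DEVICE_ID = "11111111-2222-3333-4444-555555555555"
SAMPLE_USER_OBJECT_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
SAMPLE_EXTENSIONS = tlv(TAG_SEQUENCE, build_extension(OID_DEVICE_ID, SAMPLE_DEVICE_ID)
                        + build_extension(OID_USER_OBJECT_ID, SAMPLE_USER_OBJECT_ID))

if __name__ == "__main__":
    print(encode_oid(OID_USER_OBJECT_ID).hex())
    print(device_cert_identities(SAMPLE_EXTENSIONS))
```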
Hello,
I installed the module, but after running the import command got this error:
```
Unable to find type [System.Xml.XmlDictionary].
At C:\Program Files\WindowsPowerShell\Modules\AADInternals\0.6.2\AzureADConnectAPI_utils.ps1:8 char:1
+ CategoryInfo : InvalidOperation: (System.Xml.XmlDictionary:TypeName) [], RuntimeException
+ FullyQualifiedErrorId : TypeNotFound
```
Tested on different tenants; recognition as outsider and insider works, but not as guest. Is it a permissions problem in Graph?
Invoke-RestMethod : {"ClassName":"Microsoft.Portal.Framework.Exceptions.ClientException","Message":"Graph call failed with httpCode=Forbidden,
errorCode=Authorization_RequestDenied, errorMessage=Insufficient privileges to complete the operation., reason=Forbidden, correlationId
Thanks in advance!!!
It would be nice if the AADInternals commands could support the WAM component integrated by default in Win10 for the authentication process.
This would allow a user to authenticate with its session certificate for example.
See https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/wiki/Integrated-Windows-Authentication or the MSAL.PS Get-MsalToken.ps1, which uses it for authentication.
When trying to use a PRT generated using AADInternals for AzureHound, I get the following error:
$rh = (Read-AADIntAccesstoken (Get-AADIntUserPRTToken)).refresh_token
.\azurehound.exe -r $rh list tenants --tenant "mytenant.com"
AzureHound v1.2.0
Created by the BloodHound Enterprise team - https://bloodhoundenterprise.io
2022-10-15T17:58:01+02:00 ERR encountered unrecoverable error error="Error: map[correlation_id:f754d2bb-1f63-4b6f-bf6e-d09b6ff0af34 error:invalid_grant error_codes:[7.000016e+06] error_description:AADSTS7000016: Primary refresh token is not signed with session key.\r\nTrace ID: 7f1d1d28-807d-41c2-9807-d7f3c97f1500\r\nCorrelation ID: f754d2bb-1f63-4b6f-bf6e-d09b6ff0af34\r\nTimestamp: 2022-10-15 15:58:01Z timestamp:2022-10-15 15:58:01Z trace_id:7f1d1d28-807d-41c2-9807-d7f3c97f1500]"
Which I don't have if I use MSAL.PS:
Get-MsalToken -ClientId 1950a258-227b-4e31-a9cf-717495945fc2
Enable-MsalTokenCacheOnDisk (Get-MsalClientApplication)
$cache_bin = [System.Security.Cryptography.ProtectedData]::Unprotect([System.IO.File]::ReadAllBytes("MSAL.PS.msalcache.bin3"), $null, 0)
$cache_json = ConvertFrom-Json ([System.Text.Encoding]::ASCII.GetString($cache_bin))
$rh = $cache_json.RefreshToken.'[SOME ID]'.secret
.\azurehound.exe -r $rh list tenants --tenant "mytenant.com"
AzureHound v1.2.0
Created by the BloodHound Enterprise team - https://bloodhoundenterprise.io
2022-10-15T18:19:05+02:00 INF finished listing all tenants count=3
What's the difference between how the PRTs are requested, such that one is signed and the other is not?
Hi Nestori Syynimaa,
Thanks for your article. It looks really cool.
I tested it in a test environment and I encountered some difficulty.
When using Invoke-AadIntPhishing, I successfully received the refresh token but it seems that I only get it for graph.windows.net.
And when I want to use the token to send a message (outlook or teams) I have the following error: "Device is not in required device state: compliant."
Looking forward to hearing from you.
After enrolling a device to Intune, if I try to set it as compliant with Set-AADIntDeviceCompliant, I receive the following error:
Invoke-RestMethod : {"odata.error":{"code":"Authorization_RequestDenied","message":{"lang":"en","value":"Insufficient privileges to complete the operation."},"requestId":"7f1ca352-fcb8-4f69-bbef-f47eda0beb69","date":"2021-03-24T18:37:56"}}
At C:\Program Files\WindowsPowerShell\Modules\AADInternals\0.4.6\MDM.ps1:795 char:9
Invoke-RestMethod -Method Patch -Uri "https://graph.windows.n ...
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
What permissions does a user need to have to run Set-AADIntDeviceCompliant?
Hi,
I am trying to get the sccauth & xsref cookies using this function.
It shows the form all right, but I subsequently get an error from the web page that there is a syntax error on line 1.
Line 1, char 106
Syntax error
https://res.cdn.office.net/scc/ww/sc/v17.00.9908.005/boot.js
I might be missing something obvious, but I cannot seem to get the Azure access token for tenants that require MFA. I get the Modern Authentication prompt when I execute the following cmdlet, but it simply doesn't ask me for an MFA code after email and password, so then it gives me an error.
Sample code:
$accessToken = Get-AADIntAccessTokenForAADGraph -Resource urn:ms-drs:enterpriseregistration.windows.net
Response after email and password are prompted via Modern Auth:
Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access . . .
Is there any way to force the authentication prompt to allow me to enter the MFA code?
Good Evening,
I was looking at your project, and I've two questions:
#1.) Where is the function [Create-LoginForm] defined? It's used in the following locations:
.\AccessToken.ps1
2232,15: $form=Create-LoginForm -Url $url -auth_redirect $auth_redirect
.\AzureManagementAPI_utils.ps1
603,17: $form = Create-LoginForm -Url $url -auth_redirect $auth_redirect
.\ComplianceAPI.ps1
35,17: $form = Create-LoginForm -Url $url -auth_redirect "https://login.microsoftonline.com/kmsi"
.\SPO_utils.ps1
88,17: $form = Create-LoginForm -Url $url -auth_redirect $auth_redirect -Headers "Cookie: $cookieHeaderValue"
C:\dev\ps1\AzurePurview\ComplianceAPI.ps1
36,17: $form = Create-LoginForm -Url $url -auth_redirect "https://login.microsoftonline.com/kmsi"
#2.) On your site, https://aadinternals.com/aadinternals/, you state, "The module is a plain PowerShell script module..."; however, your project also contains a number of DLLs in the folder [./DSInternals], i.e.:
.\DRS_Utils.ps1
221,43: Add-Type -Path "$PSScriptRoot\DSInternals\NDceRpc.Microsoft.dll"
222,43: Add-Type -Path "$PSScriptRoot\DSInternals\DSInternals.Replication.Interop.dll"
223,43: Add-Type -Path "$PSScriptRoot\DSInternals\DSInternals.Replication.dll"
... where is the source code for them and/or a description of which methods are dependent upon them?
Thanks,
George
PS: Note this is not to take away from all of the hard work you've done, and I greatly appreciate your sharing your project. Thanks.
Hi, I am having some issues requesting user certificates using AADInternals, the issue code is
Line 784 in b4f082c
Upon following this blog https://o365blog.com/post/mdm/ I hit a dead end with Start-AADIntDeviceIntuneCallback -PfxFileName .\d03994c9-24f8-41ba-a156-1805998d6dc7-MDM.pfx -DeviceName "SixByFour". The error itself was not clear, but after adding $_ to the error, throw "SyncML request failed: $($_ | out-string)", this pretty string popped up:
SyncML request failed: Invoke-WebRequest : The response content cannot be parsed because the Internet Explorer engine is not available, or Internet Explorer's first-launch configuration is not complete. Specify the UseBasicParsing parameter and try again.
I could start Internet Explorer, but I added -UseBasicParsing to line 602. That solved my problem.
Since the new version 0.9.0, there seems to be this exception following an authentication attempt:
Exception: C:\Program Files\WindowsPowerShell\Modules\AADInternals\0.9.0\AccessToken_utils.ps1:2885
Line |
2885 | throw "Federated identities are not supported."
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| Federated identities are not supported.
Hello,
Following the steps mentioned in https://o365blog.com/post/bprt/ , I joined a VM to Azure AD. I can see the machine under the "Devices" page on the Azure portal.
However, when I run dsregcmd /status inside the VM, it says AzureAdJoined : NO.
Any idea why that is happening? There were no errors in executing the PowerShell commands and, most importantly, the VM shows up on the Azure AD devices page, so I am confused.
Thanks!
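When a device record is visible in the portal but dsregcmd reports AzureAdJoined : NO, the quickest way to compare the two views is to parse the local status output into something scriptable. The PowerShell below is an added example for this thread, not code from AADInternals or the poster: it turns the "Key : Value" lines of `dsregcmd /status` into a hashtable and summarises the join and PRT state. The sample output is constructed inline so the script runs without a joined machine; on a real host replace it with `dsregcmd /status`.

```powershell
# Added example (not from the AADInternals project): parse dsregcmd /status output.

function ConvertFrom-DsregcmdStatus {
    param([Parameter(Mandatory)][string[]]$Lines)
    $result = @{}
    foreach ($line in $Lines) {
        # dsregcmd prints "   Key : Value"; section headers and separator rows carry no colon.
        # The key match is non-greedy so values that contain colons (timestamps) stay intact.
        if ($line -match '^\s*([A-Za-z][\w ]*?)\s*:\s*(.*?)\s*$') {
            $result[$Matches[1]] = $Matches[2]
        }
    }
    return $result
}

function Get-JoinSummary {
    param([Parameter(Mandatory)][hashtable]$Status)
    $azureJoined = $Status['AzureAdJoined'] -eq 'YES'
    [PSCustomObject]@{
        AzureAdJoined   = $azureJoined
        DomainJoined    = $Status['DomainJoined'] -eq 'YES'
        WorkplaceJoined = $Status['WorkplaceJoined'] -eq 'YES'
        DeviceId        = $Status['DeviceId']
        TenantName      = $Status['TenantName']
        AzureAdPrt      = $Status['AzureAdPrt'] -eq 'YES'
        Note            = $(if (-not $azureJoined) {
                              'Local OS holds no Azure AD join state; a device object in the directory alone does not make the host joined'
                          } else { '' })
    }
}

# Constructed sample (not captured from a real machine) mirroring the symptom in the post above.
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : NO
          EnterpriseJoined : NO
              DomainJoined : NO

+----------------------------------------------------------------------+
| SSO State                                                            |
+----------------------------------------------------------------------+

                AzureAdPrt : NO
       AzureAdPrtUpdateTime : 2021-03-24 18:37:56.000 UTC
'@ -split "`r?`n"

$status = ConvertFrom-DsregcmdStatus -Lines $sample
Get-JoinSummary -Status $status | Format-List
# On a live host: Get-JoinSummary -Status (ConvertFrom-DsregcmdStatus -Lines (dsregcmd /status))
```

The summary object can be compared field by field with the device record exported from the portal (DeviceId in particular); when the local side reports NO while the directory has an object, the registration data expected on the machine is what to look for next.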
PS C:\WINDOWS\system32> $creds = Get-Credential
$prtKeys = Get-UserAADIntPRTKeys -PfxFileName .\ff78b0a3-5348-4e93-ba6d-b043540acd7c.pfx -Credentials $cred
cmdlet Get-Credential at command pipeline position 1
Supply values for the following parameters:
Credential
Get-UserAADIntPRTKeys : The term 'Get-UserAADIntPRTKeys' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the
name, or if a path was included, verify that the path is correct and try again.
At line:4 char:12
$prtKeys = Get-UserAADIntPRTKeys -PfxFileName .\ff78b0a3-5348-4e93-ba ...
~~~~~~~~~~~~~~~~~~~~~
CategoryInfo : ObjectNotFound: (Get-UserAADIntPRTKeys:String) [], CommandNotFoundException
FullyQualifiedErrorId : CommandNotFoundException
Running into this error while attempting to debug a PRT issue. All of the other commands in the module have worked great so far, and I would GREATLY appreciate any assistance.