gerenios / aadinternals Goto Github PK

Trying to obtain AT for OneDrive with PRT cookie ends up with following error:

Code not received!
At C:\Program Files\WindowsPowerShell\Modules\AADInternals\0.4.6\PRT_Utils.ps1:409 char:13
+             throw "Code not received!"
+             ~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OperationStopped: (Code not received!:String) [], RuntimeException
    + FullyQualifiedErrorId : Code not received!
After digging deeper Azure AD error is: InvalidReplyTo.

Command used. I am not using tenant domain, but tenant name. I tried with tenantID and received the same error
Get-AADIntAccessTokenForOneDrive -PRTToken ey[cut]fQ9s= -Tenant tenantname

Request sent captured with Fiddler:
GET /Common/oauth2/authorize?resource=https://tenantname-my.sharepoint.com/&client_id=ab9b8c07-8f02-4f72-87fa-80105867a763&response_type=code&redirect_uri=urn:ietf:wg:oauth:2.0:oob&client-request-id=7f3608b7-9e34-4de1-b261-82b0d9eb174f&mscrid=7f3608b7-9e34-4de1-b261-82b0d9eb174f&sso_nonce= HTTP/1.1
x-ms-RefreshTokenCredential: ey[cut]fQ9s=
Host: login.microsoftonline.com

Hi,
I'm trying to request a new BPRT and am getting the following error message. Everything was working fine a month ago, but now my co-worker and I get the same error message. We've updated to the latest version of AAD internals and tried from multiple computers. Do you have any ideas or suggestions we could try?

Thanks.

PS C:\Users\user> Get-AADIntAccessTokenForAADGraph -Resource urn:ms-drs:enterpriseregistration.windows.net -SaveToCache
AccessToken saved to cache.

Tenant                               User                   Resource                                      Client
------                               ----                   --------                                      ------
5290229c-XXXX-XXXX-XXXX-XXXXXXXXXXXX [email protected] urn:ms-drs:enterpriseregistration.windows.net 1b730954-1685-4b74-9bfd-XXXXXXXXXXXX


PS C:\Users\user> $bprt = New-AADIntBulkPRTToken -Name "package_$(new-guid)"
WARNING: Got unauthorized_client error. Please try again.
AADSTS650051: {"odata.error":{"code":"Request_BadRequest","message":{"lang":"en","value":"SourceAnchor is a required property for creation of a federated user."},"requestId":"f6ba90fe-6dd6-4560-9394-bff3d1fa3d18","date":"2023-05-03T13:50:30","values":[{"item":"PropertyName","value":"immutableId"},{"item":"PropertyErrorCode","value":"PropertyRequired"}]}}
Trace ID: 44181f8c-f803-4187-b2aa-dde6e1e85a00
Correlation ID: 5757b707-00c0-49c1-9449-0b2b6e20e3ee
Timestamp: 2023-05-03 13:50:30Z
At C:\Users\user\Documents\WindowsPowerShell\Modules\AADInternals\0.8.1\PRT.ps1:1724 char:13
+             throw $details.error_description
+             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OperationStopped: (AADSTS650051: {...05-03 13:50:30Z:String) [], RuntimeException
    + FullyQualifiedErrorId : AADSTS650051: {"odata.error":{"code":"Request_BadRequest","message":{"lang":"en","value":"SourceAnchor is a required property for creation of a federated user."},"requestId":"f6ba90fe-6dd6-4560-9394-bff3d1fa3d18","date":"2023-05-03T13:50:30","values":[{"item":"PropertyName","value":"immutableId"},{"item":"PropertyErrorCode","valu
   e":"PropertyRequired"}]}}
Trace ID: 44181f8c-f803-4187-b2aa-dde6e1e85a00
Correlation ID: 5757b707-00c0-49c1-9449-0b2b6e20e3ee
Timestamp: 2023-05-03 13:50:30Z

Would it be possible for the access token / bulk enrollment token functionality to not be hardcoded to the commercial tenants?

Current behavior will result in an error related to cross-cloud functionality: ConvertFrom-Json : Invalid JSON primitive: AADSTS90038.

It does not appear possible to specify manually the right endpoints:

VERBOSE: ACCESS TOKEN HAS WRONG AUDIENCE: . Exptected: urn:ms-drs:enterpriseregistration.windows.net.
The audience of the access token () is wrong. Should be urn:ms-drs:enterpriseregistration.windows.net!

Reference:

• https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/how-to-retrieve-an-azure-ad-bulk-token-with-powershell/ba-p/2944894
• https://learn.microsoft.com/en-us/azure/azure-government/compare-azure-government-global-azure

I met an issue when remote executing: Join-AADIntDeviceToAzureAD -DeviceName "test" -DeviceType "Commodore" -OSVersion "Vic20" -JoinType Join
for some purpose, I need to setup my win10 computer to leave domain and then join AAD.
leave domain:
Invoke-Command -ComputerName $clientIp -Credential $domainCred -ScriptBlock {
param($domainCred)
Add-Computer -WorkgroupName test -Credential $domainCred -Restart -Force
} -ArgumentList $domainCred
After leave domain, I always failed to join AAD, then I found that private key is not generated in the pfx file.

Problem code is this line: $cspParameters.KeyContainerName ="AADInternals"
Looking forward to any workaround for this issue. Thanks a lot

The list of supported Protocols written in Get-EASAutoDiscover function are outdated. The application answer the following list of protocols when you send an unsupported value on Protocol parameter:

Rest,ActiveSync,Ews,Substrate,SubstrateSearchService,AutodiscoverV1,SubstrateNotificationService,OutlookMeetingScheduler,OutlookPay,Actions,Connectors,ConnectorsProcessors,ConnectorsWebhook,NotesClient,OwaPoweredExperience,ToDo,Weve,OutlookLocationsService,OutlookCloudSettingsService,OutlookTailoredExperiences,OwaPoweredExperienceV2,Speedway,SpeechAndLanguagePersonalization,SubstrateSignalService,CompliancePolicyService

It would be updated.

Any idea on how to accomplish this? I can't get it to work with access or refresh tokens, only with a registered app registration...

Hello,

I have been testing out the phishing function and it's working as expected. Once I have the token though it only seems like I can run a small set of insider commands. for example, I can run Invoke-AADIntReconAsInsider just fine, but Get-AADIntGlobalAdmins returns an error saying it can't find an access token. if I run Get-AADIntCache I see the tokens, so not sure why the other insider commands are not running as expected, maybe i'm missing a step in between.

also somewhat related but after i phish the user and grab the token, I run Open-AADIntOWA but it does not open the user's mailbox who i phished, but my work inbox. Thank you for the tool!

Hello. I wanted to report an error that occurs when attempting to import the aadinternals module into a powershell core session. The error is:

SetValueInvocationException: Exception setting "SecurityProtocol": "The requested security protocol is not supported."

This error does not occur when using windows powershell

It is not really an issue but a query.
Where are Get-AccessToken and Read-AccessToken defined? I looked in all .ps1 files and I can't find these functions code.

When running on Windows 1809 (not joined to domain or AAD):
Get-AADIntAccessTokenForAADJoin -SaveToCache
I receive following error:

PS C:\Windows\system32> Get-AADIntAccessTokenForAADJoin -SaveToCache
WARNING: WebBrowser control emulation not set for PowerShell or PowerShell ISE!
Would you like set the emulation to IE 11? Otherwise the login form may not work! (Y/N): Y
Emulation set. Restart PowerShell/ISE!
You cannot call a method on a null-valued expression.
At C:\Program Files\WindowsPowerShell\Modules\AADInternals\0.4.4\AccessToken_utils.ps1:1167 char:12
+         if($form.ShowDialog() -ne "OK") {
+            ~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : InvokeMethodOnNull

Cannot index into a null array.
At C:\Program Files\WindowsPowerShell\Modules\AADInternals\0.4.4\AccessToken_utils.ps1:1175 char:9
+         $response = [Web.HttpUtility]::ParseQueryString($form.Control ...
+         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : NullArray

Cannot index into a null array.
At C:\Program Files\WindowsPowerShell\Modules\AADInternals\0.4.4\AccessToken_utils.ps1:1178 char:9
+         $body = @{
+         ~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : NullArray

Cannot index into a null array.
At C:\Program Files\WindowsPowerShell\Modules\AADInternals\0.4.4\AccessToken_utils.ps1:1186 char:9
+         $form.Controls[0].Dispose()
+         ~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : NullArray

Invoke-RestMethod : {"error":"invalid_request","error_description":"AADSTS900144: The request body must contain the following parameter: 'grant_type'.\r\nTrace ID:
da1f378d-681a-45eb-9283-507a1d4c1400\r\nCorrelation ID: 4b06d599-96d4-4c2d-ad93-c9f86295fa60\r\nTimestamp: 2020-12-21 10:51:44Z","error_codes":[900144],"timestamp":"2020-12-21
10:51:44Z","trace_id":"da1f378d-681a-45eb-9283-507a1d4c1400","correlation_id":"4b06d599-96d4-4c2d-ad93-c9f86295fa60","error_uri":"https://login.microsoftonline.com/error?code=900144"}
At C:\Program Files\WindowsPowerShell\Modules\AADInternals\0.4.4\AccessToken_utils.ps1:1193 char:23
+ ... sonResponse=Invoke-RestMethod -Uri "https://login.microsoftonline.com ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-RestMethod], WebException
    + FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeRestMethodCommand
Could not get OAuthInfo!
At C:\Program Files\WindowsPowerShell\Modules\AADInternals\0.4.4\AccessToken_utils.ps1:2380 char:17
+                 throw "Could not get OAuthInfo!"
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OperationStopped: (Could not get OAuthInfo!:String) [], RuntimeException
    + FullyQualifiedErrorId : Could not get OAuthInfo!

I'm getting this error when using some functions and can't find the function anywhere or find any reference about it in a file or online. Any idea how this works?

Thanks

Running Join-AADIntDeviceToIntune generates MDM certificates. However what is required to do change device state to complaint? The compliance policy assigned to the device is in the "Not evaluated" state. How to utilize received certificates?
Morever after enrolling device to Intune, its name in Intune is not the one specified by DeviceName parameter of Join-AADIntDeviceToIntune. Instead the name is in the format: username_OS_date

Hey @NestoriSyynimaa

I'm looking for a programmatic way to join real devices to AzureAD. Playing with your module, it appears that Join-AADIntDeviceToAzureAD creates a "fake" device and doesn't actual join your device.

Outside of Autopilot, the only supported way to programmatically join AzureAD is by creating and applying a provisioning profile using Windows Configuration Designer.

Windows Configuration Designer creates and accepts a "BPRT"

During creation you do this:

Then you get a BPRT value that starts with 0.

However when I run Get-AADIntAccessTokenForAADJoin I get a token that starts with eyJ

I believe the one it wants is encrypted as I'm not able to decode it using jwt.io

Is there a way your library can produce the BPRT in the format necessary for Windows Configuration Designer?

If it helps, it appears that Windows Configuration Designer spawns Microsoft.AAD.BrokerPlugin.exe to generate this token.
C:\Windows\SystemApps\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\Microsoft.AAD.BrokerPlugin.exe -ServerName:App.AppXgvz9wxd0frjs1prgz5kvtcz083996jyv.mca

Any info or code on how to manage Intune devices and applications would be great!

Hello,

Is there a way to import Tokens into the Cache (that may captured with different tools) ?

I'm trying to get a refresh token using a service principal client secret like this:

$secret = Get-Content .\appreg.txt
$secure_secret = $secret | ConvertTo-SecureString -AsPlainText -Force
$pscredential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "[ServicePrincipalId]", $secure_secret
 Get-AADIntAccessToken -ClientId "1950a258-227b-4e31-a9cf-717495945fc2" -Resource "https://graph.microsoft.com" -IncludeRefreshToken $true -Credentials $pscredential

But I get the following error:

Get-OAuthInfo : User type  of [ServicePrincipalId] is Unknown!
At AccessToken.ps1:1574 char:38
+ ... OAuthInfo = Get-OAuthInfo -Credentials $Credentials -ClientId $Client ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Write-Error], WriteErrorException
    + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Get-OAuthInfo

Could not get OAuthInfo!
At AccessToken.ps1:1586 char:17
+                 throw "Could not get OAuthInfo!"
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OperationStopped: (Could not get OAuthInfo!:String) [], RuntimeException
    + FullyQualifiedErrorId : Could not get OAuthInfo!

However those credentials work using:

Connect-AzAccount -ServicePrincipal -Credential $pscredential -Tenant [TenantId]

Is there a way to use AADInternals with service principal credentials?

I tried connecting to the partner center.

Seems like I get a working Access Token when using the following:

Get-AccessToken -Resource "https://api.partnercenter.microsoft.com" -ClientId "04b07795-8ddb-461a-bbee-02f9e1bf7b46"

Just thought you might want to know.

Our SOC lit up when we were running this on our systems because of a keyword match. Doesn't seem to have anything malicious anywhere else but seriously, is this line really necessary? And with this name?

Hey, I'm trying to use the 'Join-AADIntDeviceToAzureAD' command, as far as I can tell, it seems to be working.

I have tried using 'Get-AADIntAccessTokenForAADJoin -BPRT $BPRT' , 'Get-AADIntAccessTokenForAADJoin -SaveToCache' and 'Get-AADIntAccessTokenForAADJoin' for generating the token.

But I don't believe it is a permission issue.

Every time the command is ran a device is being created in AAD.

Most recent example -

PS Command Output:

AAD Device:

However, at this stage, I was expecting I could reboot the device and it would be AAD Joined and ready to be signed into with an AAD account.

After a reboot that never occurs and when checking dsregcmd 'AzureAdJoined' is still 'NO'.

I have also attempted to split the steps by performing the 'register' first then 'join' but the result was the same.

Am I missing something or?

Using Token auth with Get-SPOSiteUsers , I found that it is using a non-existant variable and failing with the following error:

The audience of the access token (https://xxxxxx.sharepoint.com) is wrong. Should be https://.sharepoint.com!

This is because line 140 in SPO.ps1:
$AccessToken = Get-AccessTokenFromCache -AccessToken $AccessToken -Resource "https://$Tenant.sharepoint.com/" -ClientId "9bc3ab49-b65d-410a-85ad-de819febfddc"

The variable $Tenant do not exists, this bug is corrected writing:
$AccessToken = Get-AccessTokenFromCache -AccessToken $AccessToken -Resource $Site -ClientId "9bc3ab49-b65d-410a-85ad-de819febfddc"

(Note that site should be in https://tenant.sharepoint.com format.
Thanks for your project.

Just curious what the workflow is for loading in a refresh token that was retrieved offline? I want to use this with AADInternals to do follow on enumeration, but don't see options or cmdlets to load it into the cache. Appreciate the help!

Hello,

I’am doing some tests and I’m wondering if it is possible to use the Access token retrieve from the Phishing for example, to setup an Outlook profile.

Thank you for your work on this script library.

I want to join a fake device but I have the following result doing so:

Get-AADIntAccessTokenForAADJoin -SaveToCache
Join-AADIntDeviceToAzureAD -DeviceName "MyComputer"

Register-DeviceToAzureAD : {"ErrorType":"AuthenticationError","Message":"Invalid JWT
token.","TraceId":"29922db7-0f4c-449f-bfc4-3bb835d4bd28","Time":"10-15-2022 9:58:46Z"}
Au caractère C:\Users\MyUser\Documents\WindowsPowerShell\Modules\AADInternals\0.7.3\PRT.ps1:464 : 31
+ ... tResponse = Register-DeviceToAzureAD -AccessToken $AccessToken -Devic ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Write-Error], WriteErrorException
    + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Register-DeviceToAzureAD

I don't understand because Get-AADIntAccessTokenForAADJoin generates a token specifically for this purpose but it is still considered as invalid?
Could you enlight me on what's happening? Is it because of a policy or MFA?

I tried the instructions in the https://o365blog.com/post/quest_for_guest/ blog post with a guest account in one of our tenants.

I used the -UseDeviceCode option for getting an access token, so I executed this:
Get-AADIntAccessTokenForAzureCoreManagement -UseDeviceCode -Tenant 6e3846ee-e8ca-4609-a3ab-f405cfbd02cd -SaveToCache

I opened the "https://microsoft.com/devicelogin" URL, entered the displayed user_code and I got the following response:

Help us keep your device secure
Your sign-in was successful but your admin requires the device requesting access to be managed by Company Ltd. to access this resource.

I found this very strange, because when I initiated a device authorization grant flow with curl using the very same URL and POST body as used by Get-AccessTokenUsingDeviceCode, I got the expected success message:

Microsoft Office
You have signed in to the Microsoft Office application on your device. You may now close this window.

Eventually I've modified my local copy of AADInternals to use a debugging proxy (I prefer the Charles Web Debugging Proxy) with the Invoke-RestMethod calls in the Get-AccessTokenUsingDeviceCode function. As it turned out: the only difference between my successful attempts with curl and the unsuccessful attempts with AADInternals was the User-Agent. :o

The requests from AADInternals (via Windows 10 and PowerShell 5.1) use the following User-Agent:
Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682

I tested the theory and added the following option to both Invoke-RestMethod calls in Get-AccessTokenUsingDeviceCode:
-UserAgent "curl/7.68.0"

With this modification my device authentication flows via Get-AADIntAccessTokenForAzureCoreManagement -UseDeviceCode -Tenant 6e3846ee-e8ca-4609-a3ab-f405cfbd02cd -SaveToCache started to work, i.e. AzureAD gave a success message after I enter the user_code!

I'm not sure what AzureAD tenant configuration is the reason for this behaviour, but the error message that AAD gives here is total BS, since I'm pretty sure that curl is not a device managed by Company Ltd.. :D

P.S.: for the purposes of this GH issue I took the tenant ID and company name from the "Quest for guest access" blog post, but of course I used other values in my own tests. :-)

P.S.2: thanks for AADInternals! It is a great toolkit for investigating AzureAD internals. :-)

I couldn't find this, how and for what duration are the tokens saved to Cache?

Hi Gerenios,
Thank for the great tool. But when I used it on powershell on Linux, it required some registry on windows to set browser.

Should we support powershell on linux at this time?

Best regards,
Severus

hello,

I have BitDefender antivirus installed and its blocking the install, as per this screenshot:

The problem with the install is that everytime it is run, the folder name after ...\temp\ is random, so its impossible to add an exclusion for the path on the AV software.

Any options or ideas?

Running: Join-AADIntDeviceToAzureAD -AccessToken eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1d<cut>ku640TzItkBra0Jj4oZEGVl2uno4hFm019I7MBeSLWqmotb9yr20O4C06SdTXj9XlfGxuCkGU0HOlpyj27nkkrhO9gXuAqMquRDTAnxid-ZGanjHzyXLjefb5kJ84ksN3B2k9Nzkn1YjmqA9dWk_1IA -DeviceName "JoinTest" -DeviceType "Windows"
ends up with error:

Register-DeviceToAzureAD : {"ErrorType":"InvalidParameter","Message":"An Attribute key or value specified is invalid or exceeds length limits (512).","TraceId":"88a32c70-87ca-4f8f-a018-2d0ff3906f9f","Time":"06-24-2021
10:57:11Z"}
At C:\Program Files\WindowsPowerShell\Modules\AADInternals\0.4.6\PRT.ps1:400 char:31
+ ... tResponse = Register-DeviceToAzureAD -AccessToken $AccessToken -Devic ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Write-Error], WriteErrorException
    + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Register-DeviceToAzureAD

Below Fiddler trace capturing the HTTPS traffic when Join-AADIntDeviceToAzureAD was run

POST https://enterpriseregistration.windows.net/EnrollmentServer/device/?api-version=1.0 HTTP/1.1
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1d<cut>ku640TzItkBra0Jj4oZEGVl2uno4hFm019I7MBeSLWqmotb9yr20O4C06SdTXj9XlfGxuCkGU0HOlpyj27nkkrhO9gXuAqMquRDTAnxid-ZGanjHzyXLjefb5kJ84ksN3B2k9Nzkn1YjmqA9dWk_1IA
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1023
Content-Type: application/json; charset=utf-8
Host: enterpriseregistration.windows.net
Content-Length: 1769
Expect: 100-continue

{
    "TransportKey":  "UlNBMQAIAAADAAAAAAEAAAAAAAAAAAAAAQAB07jinw0y68+PPJtaIZAQX+z5ys0raRRazBMJMazXyhGFDWHMIqbC4y8qnjLritkwQUXkBrNdqb6y9XygNk04/rH6oytitEPMsCYl5bTfkPYLS7Pigj/C2Bk9zndg/DMtyFvQP7lNrUQ3qdwXE0Fi1daabttghen989X+ok6Z7IRPRjWarGkvOVMNlTUUKcDUXu53oOb4fUtG1EydSNAcok9Uo4UR15TIxC7RPDYK1LADYwLgcCIeXh2byUKpxK7UYkV+suXPcojl6f+TSeJ25x4SaB4Rp8SMX5O0Dz5GCfqWxr0BqzGlIf9NOrZL8WNXR33OiRkguclNfJGl1OB0+Q==",
    "JoinType":  0,
    "DeviceDisplayName":  "JoinTest",
    "OSVersion":  "10.0.19041.804",
    "CertificateRequest":  {
                               "Type":  "pkcs10",
                               "Data":  "MIICdDCCAVwCAQAwLzEtMCsGA1UEAxMkN0U5ODBBRDktQjg2RC00MzA2LTk0MjUtOUFDMDY2RkIwMTRBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA07jinw0y68+PPJtaIZAQX+z5ys0raRRazBMJMazXyhGFDWHMIqbC4y8qnjLritkwQUXkBrNdqb6y9XygNk04/rH6oytitEPMsCYl5bTfkPYLS7Pigj/C2Bk9zndg/DMtyFvQP7lNrUQ3qdwXE0Fi1daabttghen989X+ok6Z7IRPRjWarGkvOVMNlTUUKcDUXu53oOb4fUtG1EydSNAcok9Uo4UR15TIxC7RPDYK1LADYwLgcCIeXh2byUKpxK7UYkV+suXPcojl6f+TSeJ25x4SaB4Rp8SMX5O0Dz5GCfqWxr0BqzGlIf9NOrZL8WNXR33OiRkguclNfJGl1OB0+QIDAQABoAAwDQYJKoZIhvcNAQELBQADggEBAMT/PAv8l9S847vWipru1UORibB4jYjke5IEWZjg77eVGPlm51VxEjbYe6H20m75lBXVnrOYzuqZ42/pXLMlFjCxuuc9JFFT7u+OtGLnoEYdnq+1ALLnAi+KqkV8g4qH0Fjl+HQ+WzXQ0BK2bHUtJQ1GoNjRyy17uqF86ueQ1YCBM1faCaDNcFdRMLWlZcag5X/QsmqIllx5m5q+vQD4jKFtmRZ7q3PvQKGB2Gv8NcwahDcrbk+0WwIZekVNZXWQEkb+3eK6O0ABYxj6w2fGGMeXGUz+OvjC/3wHa8Mv1CyLou0YpBZegLtu5mf6E6H29ACzY4foR6aahYYQBE27E+8="
                           },
    "TargetDomain":  "mydomain.com",
    "DeviceType":  "Windows",
    "Attributes":  {
                       "ReuseDevice":  true,
                       "ReturnClientSid":  true,
                       "SharedDevice":  false
                   }
}
HTTP/1.1 400 Bad Request
Content-Length: 202
Content-Type: application/json
request-id: 88a32c70-87ca-4f8f-a018-2d0ff3906f9f
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
Date: Thu, 24 Jun 2021 10:57:11 GMT

{"ErrorType":"InvalidParameter","Message":"An Attribute key or value specified is invalid or exceeds length limits (512).","TraceId":"88a32c70-87ca-4f8f-a018-2d0ff3906f9f","Time":"06-24-2021 10:57:11Z"}

I'm trying to use "Set-AADIntUserPassword" but it doesn't work, maybe I'm missing something?

Import-Module AADInternals
Get-AADIntAccessTokenForAADGraph -SaveToCache


AccessToken saved to cache.

Tenant                             User                          Resource                                Client
-------                             ----                          --------                                  ------
******                              [email protected]     https://graph.windows.net      ***************



Set-AADIntSyncFeatures -EnableFeatures PasswordHashSync


BlockCloudObjectTakeoverThroughHardMatch         : False
BlockSoftMatch                                   : False
DeviceWriteback                                  : False
DirectoryExtensions                              : False
DuplicateProxyAddressResiliency                  : True
DuplicateUPNResiliency                           : False
EnableSoftMatchOnUpn                             : False
EnableUserForcePasswordChangeOnLogon             : False
EnforceCloudPasswordPolicyForPasswordSyncedUsers : False
PassThroughAuthentication                        : False
PasswordHashSync                                 : True
PasswordWriteBack                                : False
SynchronizeUpnForManagedUsers                    : False
UnifiedGroupWriteback                            : False
UserWriteback                                    : False

Set-AADIntUser -UserPrincipalName "[email protected]" -ImmutableId [email protected]
Get-AADIntUser -UserPrincipalName "[email protected]" | select UserPrincipalName,ImmutableId

UserPrincipalName             ImmutableId
-----------------                -----------
[email protected]                  [email protected]

Set-AADIntUserPassword  -SourceAnchor "[email protected]" -hash  FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

CloudAnchor ExtendedErrorInformation
----------- ------------------------
CloudAnchor The password change request cannot be executed since it contains changes to one or more cloud only user objects, which is not supported. Please refer to https://docs.microsof...



Set-AADIntUserPassword  -CloudAnchor "User_c4854aa3-bbbb-eeee-9999-26bedf6e8eb2" -Password "password123"

CloudAnchor                               ExtendedErrorInformation
-----------                               ------------------------
User_c4854aa3-bbbb-eeee-9999-26bedf6e8eb2 The password change request cannot be executed since it contains changes to one or more cloud only user objects, which is not supported. Please ...

If the user was not created by an azure ad connect it does not work ?

I have several suggestions on o365blog's AADInternals reference.
https://o365blog.com/aadinternals/

• No mark for Get-AADIntAccessTokenForSARA
• Typo at table of Get-AADIntAuthTokenForAADIAMAPI, it should be Get-AADIntAccessTokenForAADIAMAPI
• Outlook related:
  • Open-AADIntOWA (O) should be (E) not (O)?
  • Get-AADIntAccessTokenForTeams has (T) and (TO)? Search-AADIntTeamsUser (TO)
• How about to put the column mark for each entries on the table Functionality / Playing with access tokens

I can't use Invoke-AADPhishing using an external smtp provider, such as outlook or gmail.
I use credentials, but I always time out, I suspect I'm doing something wrong.
Thanks in advance.

The text to speech examples do not work. Windows 10 machine.

Get-AADIntAccessTokenForOneNote -SaveToCache
Start-AADIntSpeech -Text "Three Swedish switched witches watch three Swiss Swatch watch switches. Which Swedish switched witch watch which Swiss Swatch watch switch?" -Language "en-GB" -PreferredVoice Male

Tracing with Fiddler and it looks like I do have 200 for both content model and get speech

POST /learningtoolsapi/v2.0/getcontentmodelforreader HTTP/1.1
POST /learningtoolsapi/v2.0/GetSpeech HTTP/1.1

Before I start hunting down the issue on my machine was wondering if someone else could please run the sample above and tell me it works. It would be appreciated.

Thank you very much

I'm new to AADInternals, so this may be something I'm doing?

I'm trying to run Get-AADIntAccessTokenForGraph to get a BPRT token for bulk AzureAD domain join for devices. However I get the following set of messages:

the user account used in the above screen capture is a Global Admin, but I have tried with a standard user with the same results. I have also tried on different machines.

I'm referring to this code about the 1.2.840.113556.1.5.284.3 OID:

The code describes it as "ObjectId", same as in your article (very good one btw! thanks for sharing 😉): https://aadinternals.com/post/deviceidentity/#device-certificate-dkpub-dkpriv

When reading this, I understood it as meaning the device's Object ID. It felt redundant considering we already have the Device ID with 1.2.840.113556.1.5.284.2, but I ignored this feeling... Anyway, I couldn't find the corresponding device in my AAD...

Then I found https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-dvrj/850786b9-2525-4047-a5ff-8c3093b46b88 and https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-dvre/76747b5c-06c2-4c73-9207-8ebb6ee891ea which describe 1.2.840.113556.1.5.284.3 as:

The objectGuid of the user object ([MS-ADSC] section 2.268) on the directory server that corresponds to the authenticating user.

And indeed, when looking for this "ObjectId" in my AAD, I confirm it refers to the Object ID of the user who registered the device, not the device's Object ID 🙂

So I suggest to rename it to "AuthUserObjectId" for example, to make it more explicit which object it refers to. What do you think?
I wanted to report it as an issue before submitting a PR because I see several other references in the code to fix, so I would have several tests to do after renaming to ensure there's no regression.

Hello,

I installed the module, but after running the import command got this error:

`
Unable to find type [System.Xml.XmlDictionary].
At C:\Program Files\WindowsPowerShell\Modules\AADInternals\0.6.2\AzureADConnectAPI_utils.ps1:8 char:1

• [System.Xml.XmlDictionary]$xml_dictionary = $null

•   + CategoryInfo          : InvalidOperation: (System.Xml.XmlDictionary:TypeName) [], RuntimeException
    + FullyQualifiedErrorId : TypeNotFound
  

`

Tested on different tenants, recognition as outsider and insider works, but not as guest . is it a permissions problem in Graph?

Invoke-RestMethod : {"ClassName":"Microsoft.Portal.Framework.Exceptions.ClientException","Message":"Graph call failed with httpCode=Forbidden,
errorCode=Authorization_RequestDenied, errorMessage=Insufficient privileges to complete the operation., reason=Forbidden, correlationId

thanks in advice !!!

It would be nice if the AADInternals commands could support the WAM component integrated by default in Win10 for the authentication process.
This would allow a user to authenticate with its session certificate for example.
See https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/wiki/Integrated-Windows-Authentication or the MSAL.PS Get-MsalToken.ps1 which use it for authentication.

When trying to use a PRT generated using AADInternals for azurehound I have the following error:

$rh = (Read-AADIntAccesstoken (Get-AADIntUserPRTToken)).refresh_token
.\azurehound.exe -r $rh list tenants --tenant "mytenant.com"
AzureHound v1.2.0
Created by the BloodHound Enterprise team - https://bloodhoundenterprise.io

2022-10-15T17:58:01+02:00 ERR encountered unrecoverable error error="Error: map[correlation_id:f754d2bb-1f63-4b6f-bf6e-d09b6ff0af34 error:invalid_grant error_codes:[7.000016e+06] error_description:AADSTS7000016: Primary refresh token is not signed with session key.\r\nTrace ID: 7f1d1d28-807d-41c2-9807-d7f3c97f1500\r\nCorrelation ID: f754d2bb-1f63-4b6f-bf6e-d09b6ff0af34\r\nTimestamp: 2022-10-15 15:58:01Z timestamp:2022-10-15 15:58:01Z trace_id:7f1d1d28-807d-41c2-9807-d7f3c97f1500]"

Which I don't have if I use MSAL.PS:

Get-MsalToken -ClientId 1950a258-227b-4e31-a9cf-717495945fc2
Enable-MsalTokenCacheOnDisk (Get-MsalClientApplication)
$cache_bin = [System.Security.Cryptography.ProtectedData]::Unprotect([System.IO.File]::ReadAllBytes("MSAL.PS.msalcache.bin3"), $null, 0)
$cache_json = ConvertFrom-Json ([System.Text.Encoding]::ASCII.GetString($cache_bin))
$rh = $cache_json.RefreshToken.'[SOME ID]'.secret

.\azurehound.exe -r $rh list tenants --tenant "mytenant.com"
AzureHound v1.2.0
Created by the BloodHound Enterprise team - https://bloodhoundenterprise.io

2022-10-15T18:19:05+02:00 INF finished listing all tenants count=3

What's the difference between how the PRT are requested to have one signed and not the other?

Hi Nestori Syynimaa,
Thanks for your article. It's look really cool.
I tested it in a test environment and I encountered some difficulty.

When using Invoke-AadIntPhishing, I successfully received the refresh token but it seems that I only get it for graph.windows.net.
And when I want to use the token to send a message (outlook or teams) I have the following error: "Device is not in required device state: compliant."
Looking forward to read you.

After enrolling device to Intune if I try to set it as compliant with Set-AADIntDeviceCompliant I receive following error:
Invoke-RestMethod : {"odata.error":{"code":"Authorization_RequestDenied","message":{"lang":"en","value":"Insufficient privileges to complete the operation."},"requestId":"7f1ca352-fcb8-4f69-bbef-f47eda0beb69","date":"2021-03-24T18:37:56"}}
At C:\Program Files\WindowsPowerShell\Modules\AADInternals\0.4.6\MDM.ps1:795 char:9

•     Invoke-RestMethod -Method Patch -Uri "https://graph.windows.n ...
  

•     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  

  • CategoryInfo : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-RestMethod], WebException
  • FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeRestMethodCommand

What permissions user needs to have to run Set-AADIntDeviceCompliant?

Hi,

I am trying to get the sccauth & xsref cookies using this function.
It shows the form allright, but I subsequently get an error from the web page that there is a syntax error on line 1.

Line 1, char 106
Syntax error
https://res.cdn.office.net/scc/ww/sc/v17.00.9908.005/boot.js

I might be missing something obvious, but I cannot seem to get the Azure access token for tenants that require MFA. I get the Modern Authentication prompt when I execute the following cmdlet, but it simply doesn't ask me for an MFA code after email and password, so then it gives me an error.

Sample code:

$accessToken = Get-AADIntAccessTokenForAADGraph -Resource urn:ms-drs:enterpriseregistration.windows.net

Response after email and password are prompted via Modern Auth:

Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access . . .

Is there anyway to force the authentication prompt to allow me to enter the MFA code?

Good Evening,

I was looking at your project, and I've two questions:

#1. ) Where is the function [Create-LoginForm] defined? .. it's used in the following locations:

.\AccessToken.ps1
2232,15: $form=Create-LoginForm -Url $url -auth_redirect $auth_redirect

.\AzureManagementAPI_utils.ps1
603,17: $form = Create-LoginForm -Url $url -auth_redirect $auth_redirect

.\ComplianceAPI.ps1
35,17: $form = Create-LoginForm -Url $url -auth_redirect "https://login.microsoftonline.com/kmsi"

.\SPO_utils.ps1
88,17: $form = Create-LoginForm -Url $url -auth_redirect $auth_redirect -Headers "Cookie: $cookieHeaderValue"

C:\dev\ps1\AzurePurview\ComplianceAPI.ps1
36,17: $form = Create-LoginForm -Url $url -auth_redirect "https://login.microsoftonline.com/kmsi"

#2.) On your site, https://aadinternals.com/aadinternals/, you state, ""The module is a plain PowerShell script module...""; however, your project also contains a number of DLLs in the folder [./DSInternals] ...

i.e. ===

.\DRS_Utils.ps1
221,43: Add-Type -Path "$PSScriptRoot\DSInternals\NDceRpc.Microsoft.dll"
222,43: Add-Type -Path "$PSScriptRoot\DSInternals\DSInternals.Replication.Interop.dll"
223,43: Add-Type -Path "$PSScriptRoot\DSInternals\DSInternals.Replication.dll"

... where is the source code for them and/or a description of which methods are dependent upon them?

Thanks,

George

PS Note this is not to take away from all of the hard work you've done, & I greatly appreciate you're sharing your project. Thanks.

Hi, I am having some issues requesting user certificates using AADInternals, the issue code is

Upon following this Blog https://o365blog.com/post/mdm/ I hit a dead end with "Start-AADIntDeviceIntuneCallback -PfxFileName .\d03994c9-24f8-41ba-a156-1805998d6dc7-MDM.pfx -DeviceName "SixByFour". The error itself was not clear, but after adding $_ to the error "throw "SyncML request failed: $($ | out-string)"_" This pretty string popped up:
SyncML request failed: Invoke-WebRequest : The response content cannot be parsed because the Internet Explorer engine is not available, or Internet Explorer's first-launch configuration is not complete. Specify the UseBasicParsing parameter and try again.

I could start internet explorer, but i added -UseBasicParsing to line 602. That solved my problem.

Since the new version 0.9.0, there seems to be this exception following an authentication attempt:

Exception: C:\Program Files\WindowsPowerShell\Modules\AADInternals\0.9.0\AccessToken_utils.ps1:2885
Line |
2885 | throw "Federated identities are not supported."
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| Federated identities are not supported.

Hello,

Following the steps mentioned in https://o365blog.com/post/bprt/ , I joined a VM to Azure AD. I can see the machine under "Devices" page on the Azure portal.
However, when I run dsregcmd /status inside the VM, it says AzureAdJoined : NO.

Any idea why that is happening? There were no errors in executing the powershell commands and most importantly, the VM shows up on Azure AD devices page, so I am confused.

Thanks!

https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/azure-ad-is-becoming-microsoft-entra-id/ba-p/2520436

PS C:\WINDOWS\system32> $creds = Get-Credential

$prtKeys = Get-UserAADIntPRTKeys -PfxFileName .\ff78b0a3-5348-4e93-ba6d-b043540acd7c.pfx -Credentials $cred

cmdlet Get-Credential at command pipeline position 1
Supply values for the following parameters:
Credential
Get-UserAADIntPRTKeys : The term 'Get-UserAADIntPRTKeys' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the
name, or if a path was included, verify that the path is correct and try again.
At line:4 char:12
$prtKeys = Get-UserAADIntPRTKeys -PfxFileName .\ff78b0a3-5348-4e93-ba ...
~~~~~~~~~~~~~~~~~~~~~
CategoryInfo : ObjectNotFound: (Get-UserAADIntPRTKeys:String) [], CommandNotFoundException
FullyQualifiedErrorId : CommandNotFoundException

Running into this error while attempting to debug a PRT issue. All of the other commands in the module have worked great so far, and I would GREATLY appreciate any assistance.

The HasCloudMX function should check whether the "*.mail.protection.outlook.com" MX record exists. However, in case this record does not exist, "False" is returned. When .Count is taken from this result this returns 1, which is greater than 0 and returns the whole function as True.