Exporting all the attributes from Azure AD B2C into a csv - azure-active-directory

I'm trying to export AAD users from ADB2C to a csv file. I'm able to achieve this using the Graph API "graph.windows.net" and some filter conditions. But with this approach I can only get a limit of 999 records per response, and I need to get the next link to do another API call, and so on...
This process is taking a long time to fetch the AAD users. Hence I tried using PowerShell scripts, i.e. using Get-AzureADUser; with this approach I was able to get all the users within a short duration. But the issue with this approach is that I'm not able to get all the attributes that I get via the REST call (i.e. the attribute userIdentities).
The reason I'm looking for userIdentities is that I can filter out the users with social logins like gmail.com or facebook.com.
How can I achieve this using PowerShell scripts? Or using the CLI or Python?
A sample response from the Graph API:
PowerShell script to get the same attributes, but I'm getting a blank userIdentities column, which is wrong. A few users are expected to have social logins, as shown in the Graph API response.
```powershell
For ($i = $index; $i -lt $regexArray.Length; $i++) {
    $regexArray[$i] | Out-File $tempLogFile -NoNewline
    $blobFileName = $fileName + $i + ".csv"
    Write-Output ("Exporting Users Information in a CSV File for Surname with Regex : " + $regexArray[$i])
    # Select the users whose surname matches the current regex and export them to a temporary CSV
    Get-AzureADUser -All $true | Where-Object { $_.Surname -cmatch $regexArray[$i] } |
        Select-Object otherMails, DisplayName, userIdentities, UserPrincipalName, Department |
        Export-Csv $tempfilepath -NoTypeInformation
    # Upload the CSV and the log file to blob storage
    Set-AzureStorageBlobContent -Context $context -Container $container -File $tempfilepath -Blob $blobFileName -Force
    Write-Output ("Exported File Name : " + $blobFileName)
    Set-AzureStorageBlobContent -Context $context -Container $container -File $tempLogFile -Blob $logFile -Force
    Write-Output ("Exporting completed for Surname with Regex : " + $regexArray[$i])
}
```

```csharp
// Requires: using Microsoft.Graph; using System.Text.Json; using System.Threading.Tasks;
public static async Task ListUsers(GraphServiceClient graphClient)
{
    Console.WriteLine("Getting list of users...");
    try
    {
        // Get all users, selecting only the properties needed (identities carries the social/local sign-in info)
        var users = await graphClient.Users
            .Request()
            .Select(e => new
            {
                e.DisplayName,
                e.Id,
                e.Identities
            })
            .GetAsync();

        // Iterate over all the users in the directory; the PageIterator follows @odata.nextLink for you
        var pageIterator = PageIterator<User>
            .CreatePageIterator(
                graphClient,
                users,
                // Callback executed for each user in the collection
                (user) =>
                {
                    Console.WriteLine(JsonSerializer.Serialize(user));
                    return true;
                },
                // Used to configure subsequent page requests
                (req) =>
                {
                    Console.WriteLine($"Reading next page of users...");
                    return req;
                }
            );

        await pageIterator.IterateAsync();
    }
    catch (Exception ex)
    {
        Console.ForegroundColor = ConsoleColor.Red;
        Console.WriteLine(ex.Message);
        Console.ResetColor();
    }
}
```
https://learn.microsoft.com/en-us/samples/azure-samples/ms-identity-dotnetcore-b2c-account-management/manage-b2c-users-dotnet-core-ms-graph/
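The same paging the C# sample relies on can be done from PowerShell with Invoke-RestMethod against Microsoft Graph, which is what the asker wanted. The script below is an added example, not part of the question or of the Microsoft sample; it follows @odata.nextLink until the last page, flattens each user's identities collection into one CSV row, and writes a second CSV containing only users with a social (federated) identity. It assumes $accessToken is a bearer token for the B2C tenant with User.Read.All, that local accounts use the tenant's own issuer (the contoso.onmicrosoft.com placeholder), and that identities have the signInType/issuer/issuerAssignedId shape Microsoft Graph documents.

```powershell
# Added example: export B2C users with their identities to CSV using Microsoft Graph paging.
# Assumptions: $accessToken holds a bearer token with User.Read.All for the B2C tenant (placeholder,
# obtain it however you normally do); $localIssuers lists the tenant's own issuer(s) for local accounts.
param(
    [Parameter(Mandatory)] [string] $accessToken,
    [string] $outFile = ".\b2c-users.csv",
    [string[]] $localIssuers = @("contoso.onmicrosoft.com")   # placeholder tenant issuer
)

$headers = @{ Authorization = "Bearer $accessToken" }
# $top=999 is the largest page Graph returns for users; the loop below follows nextLink until it is absent.
$uri = "https://graph.microsoft.com/v1.0/users?`$select=id,displayName,identities,otherMails&`$top=999"

$rows = New-Object System.Collections.Generic.List[object]
$page = 0
while ($uri) {
    $page++
    $resp = Invoke-RestMethod -Uri $uri -Headers $headers -Method Get
    foreach ($u in $resp.value) {
        # Drop a null identities collection so an account without identities yields an empty array
        $ids = @($u.identities | Where-Object { $_ })
        # Social logins are federated identities whose issuer is not one of the tenant's local issuers
        $social = @($ids | Where-Object { $_.signInType -eq 'federated' -and $localIssuers -notcontains $_.issuer })
        $rows.Add([PSCustomObject]@{
            Id             = $u.id
            DisplayName    = $u.displayName
            OtherMails     = ($u.otherMails -join ';')
            Identities     = (($ids | ForEach-Object { "$($_.signInType):$($_.issuer):$($_.issuerAssignedId)" }) -join ';')
            SocialIssuers  = (($social | ForEach-Object { $_.issuer }) -join ';')
            HasSocialLogin = ($social.Count -gt 0)
        })
    }
    Write-Verbose ("Page {0}: {1} users so far" -f $page, $rows.Count)
    # Graph returns @odata.nextLink only while more pages remain
    $uri = $resp.'@odata.nextLink'
}

$rows | Export-Csv -Path $outFile -NoTypeInformation -Encoding UTF8
# Second file with only the users that have a social login
$socialFile = $outFile -replace '\.csv$', '-social.csv'
$rows | Where-Object { $_.HasSocialLogin } | Export-Csv -Path $socialFile -NoTypeInformation -Encoding UTF8
Write-Output ("Exported {0} users ({1} with social logins)" -f $rows.Count, @($rows | Where-Object { $_.HasSocialLogin }).Count)
```

Run it as `.\Export-B2CUsers.ps1 -accessToken $token -Verbose`. Keeping the paging in a loop rather than one Get-AzureADUser call is what makes the identities attribute available: the AzureAD module's user object simply does not expose it, so no amount of Select-Object on that object will populate the column.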

Related

Get expiration date of signing certificate(s) within a SAML metadata file

I have about 30 SAML configurations from various vendors; all are metadata files that reside on the internet (Azure AD, Auth0 and a couple of other identity providers).
Is there a tool that exists to extract the expiration date from the signing cert in the metadata file, so I can keep track of all the expirations? Preferably a CLI.
As a workaround you can use this PowerShell command to get the expiry time of the signing certificate that is uploaded in the Azure AD application.
Based on your requirements you can edit the code and pull the certificate from the metadata files rather than directly from the Azure AD application.
```powershell
$expired = Get-AzureADApplication -All:$true | ForEach-Object {
    $app = $_
    @(
        Get-AzureADApplicationKeyCredential -ObjectId $_.ObjectId
        $CustomKeyIdentifier = (Get-AzureADApplicationKeyCredential -ObjectId $_.ObjectID).CustomKeyIdentifier
    ) | Where-Object {
        $_.EndDate
    } | ForEach-Object {
        $id = "Not set"
        if ($CustomKeyIdentifier) {
            # CustomKeyIdentifier is a byte array; render it as base64 for the report
            $id = [System.Convert]::ToBase64String($CustomKeyIdentifier)
        }
        [PSCustomObject]@{
            App           = $app.DisplayName
            ObjectID      = $app.ObjectId
            AppId         = $app.AppId
            Type          = $_.GetType().Name
            KeyIdentifier = $id
            EndDate       = $_.EndDate
        }
    }
}
$expired | Export-Csv 'C:\test.csv'
```
Reference: How to retrieve thumbprint expiry date of enterprises application in azuread
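Since the asker's certificates live in published metadata rather than in Azure AD app registrations, the script below is an added example (not from the answer above) that does the "pull the certificate from the metadata files" part: it downloads each metadata URL, selects the signing certificates with an XPath over the SAML metadata and XML-DSig namespaces, and reports NotAfter and the days remaining. The URLs and the 30-day threshold are placeholders; the only assumption is that the metadata follows the standard md:EntityDescriptor/md:KeyDescriptor layout.

```powershell
# Added example: report the signing-certificate expiry for a list of SAML metadata URLs.
# Assumptions: $MetadataUrls are the endpoints you track (placeholders below) and are reachable over HTTPS.
param(
    [string[]] $MetadataUrls = @(
        "https://login.microsoftonline.com/<tenant-id>/federationmetadata/2007-06/federationmetadata.xml",
        "https://<your-tenant>.auth0.com/samlp/metadata/<client-id>"
    ),
    [int] $WarnDays = 30
)

function Get-SamlSigningCertExpiry {
    param([Parameter(Mandatory)] [string] $Url)
    $resp = Invoke-WebRequest -Uri $Url -UseBasicParsing
    $xml = [xml] $resp.Content
    $ns = New-Object System.Xml.XmlNamespaceManager($xml.NameTable)
    $ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
    $ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')
    # A KeyDescriptor without a "use" attribute is valid for both signing and encryption, so it is
    # included next to use="signing"; encryption-only keys are skipped.
    $xpath = "//md:KeyDescriptor[not(@use) or @use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate"
    foreach ($node in $xml.SelectNodes($xpath, $ns)) {
        $der = [Convert]::FromBase64String(($node.InnerText -replace '\s', ''))
        # The leading comma passes the byte array as a single constructor argument
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(, $der)
        [PSCustomObject]@{
            Metadata   = $Url
            EntityId   = $xml.DocumentElement.GetAttribute('entityID')
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            DaysLeft   = [int] ($cert.NotAfter - (Get-Date)).TotalDays
        }
    }
}

$report = foreach ($u in $MetadataUrls) {
    try { Get-SamlSigningCertExpiry -Url $u }
    catch { Write-Warning "Failed to process ${u}: $($_.Exception.Message)" }
}

$report | Sort-Object NotAfter | Format-Table -AutoSize
# Exit non-zero when anything expires within $WarnDays so a scheduler or pipeline can alert on it
$soon = @($report | Where-Object { $_.DaysLeft -le $WarnDays })
if ($soon.Count -gt 0) {
    $soon | Format-Table Metadata, Thumbprint, NotAfter, DaysLeft -AutoSize
    exit 1
}
```

Run it as `.\Get-SamlCertExpiry.ps1 -MetadataUrls (Get-Content .\metadata-urls.txt) -WarnDays 45` to check a whole list from a file. Metadata from some providers carries several signing certificates during a rollover; the report lists every one so that the soonest expiry, not just the first certificate in the document, is visible.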

How to get company domain name for user from azure ad

How can I retrieve details that contain the login user's information, including the domain (for example domain\useralias), from Azure AD for a user input? Note that the domain names are in the on-prem AD, which was synced to Azure AD.
You can use the onPremisesDistinguishedName extension property.
Example:
```powershell
# $regex is assumed to match the lines (user identifiers) in users.txt that should be processed
foreach ($line in Get-Content c:\users\myuser\users.txt) {
    if ($line -match $regex) {
        $onPremisesDistinguishedName = (Get-AzureADUserExtension -ObjectId $line).get_item("onPremisesDistinguishedName")
        # Split the DN into its components and take the first DC= component as the domain name
        $domain = $onPremisesDistinguishedName.split(",")
        $alias = $line.Split("#")
        $sAMAccountName = ($domain[2]).Substring(3)
        $sAMAccountName + "\" + $alias[0]
    }
}
```

Linking pull requests to the workitems from the TFS database

We use custom queries (against the TFS databases Tfs_DefaultCollection and Tfs_Warehouse) to check whether all changesets have a work item linked to them. We use the FactWorkItemChangeset table from the Tfs_Warehouse database.
Currently we are migrating to TFS Git, and we want to update our custom queries to check whether all the pull requests have a work item linked to them.
For example:
Git pull request and its work item
We don't know where in the Tfs_Warehouse or in the Tfs_DefaultCollection database the pull request is linked to the work item. Does anyone know where this link is stored?
I cannot find the related table; however, you can use the REST API to check whether all the pull requests have a work item linked to them. Please see Get Pull Requests By Project and Pull Request Work Items - List for details.
For example, the PowerShell script below will retrieve all the pull requests from a specific project and list the linked work items for each of them, and also output the pull requests which have no linked work items to a *.csv file ("D:\temp\1030.csv" in the sample below).
```powershell
Param(
    [string]$collectionurl = "http://172.17.16.163:8080/tfs/DefaultCollection",
    [string]$project = "GitTest",
    [string]$user = "Domain\user",
    [string]$token = "password"
)
# Base64-encodes the Personal Access Token (PAT) appropriately
$base64AuthInfo = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes(("{0}:{1}" -f $user, $token)))
$authHeader = @{ Authorization = ("Basic {0}" -f $base64AuthInfo) }

# Get pull request list for a specific project
$prsurl = "$collectionurl/$project/_apis/git/pullrequests?api-version=2.0"
$prs = Invoke-RestMethod -Uri $prsurl -Method Get -Headers $authHeader
$prurls = $prs.value.url

# Get the associated work items for each PR
Clear-Host
foreach ($prurl in $prurls) {
    $baseurl = "$prurl/workitems"
    $prwis = Invoke-RestMethod -Uri $baseurl -Method Get -Headers $authHeader
    Write-Host "Pull Request:" $prurl
    Write-Host "Count of Associated Work Items:" $prwis.count
    foreach ($prwi in $prwis.value) {
        Write-Host "Associated workitem:" $prwi.id - $prwi.url
    }
    Write-Host `n
    if ($prwis.count -lt 1) {
        # Output the pull requests which have no work items associated
        $prurl | Add-Content "D:\temp\1030.csv"
    }
}
```
We finally found the link in Tfs_DefaultCollection.WorkItemFiles! For example:
```sql
select *
from [dbo].[WorkItemFiles]
where FilePath = 'vstfs:///Git/PullRequestId/4f39e226-6f44-4e56-a216-f45969d8147d%2fab3368e0-56ef-468f-8e14-43065c433a21%2f2619'
```
This yields this result:

| ID | FilePath |
| --- | --- |
| 427787 | vstfs:///Git/PullRequestId/4f39e226-6f44-4e56-a216-f45969d8147d%2fab3368e0-56ef-468f-8e14-43065c433a21%2f2619 |

The ID column contains the work item id, and the FilePath contains two GUIDs (separated by '%2f') and finally the pull request id. In this example work item 427787 is linked to pull request 2619.

How to know permissions to other apis of my app

How can I know which permissions my Azure AD app has for other APIs, such as the Microsoft Graph API?
In the portal, I could check that under [API Access] --> [Required permissions], but how do I check that with PowerShell? I used
```powershell
Get-AzureRmADApplication -ObjectId
Get-AzureRmADApplication -ObjectId xxxxx | fl *
```
But few attributes are returned and AppPermissions is null. With Fiddler, I noticed it uses the request below:
```http
GET https://graph.windows.net/mytenant/applications/id?api-version=1.6 HTTP/1.1
```
And there I could find a lot of attributes of that app. Which one shows the permissions of the app, and how do I get that in PowerShell?
You could try Azure Active Directory PowerShell Version 2, then use a command like:
```powershell
$app = Get-AzureADApplication -Filter "appId eq '$appId'"
$app | fl *
```
to get the RequiredResourceAccess claim; that is the collection shown under "permissions to other applications" in the Azure AD classic portal and "Required permissions" in the new portal.
In addition, PowerShell essentially wraps the APIs and presents them to you in a simplified interface. If you don't find a command that does what you want, you can always use PowerShell to invoke the Graph API directly. Please refer to the article below for how to call the Azure Active Directory Graph API from PowerShell:
https://blogs.technet.microsoft.com/paulomarques/2016/03/21/working-with-azure-active-directory-graph-api-from-powershell/
And here is a test code sample:
```powershell
PS C:\Users\v-nany> $header = @{
>> 'Content-Type'='application/json'
>> 'Authorization'=$token.CreateAuthorizationHeader()
>> }
PS C:\Users\v-nany> $uriSAs = "https://graph.windows.net/xxxxxxx/applications/xxxxxx?api-version=1.6"
PS C:\Users\v-nany> $appInfo = (Invoke-RestMethod -Uri $uriSAs -Headers $header -Method Get -Verbose)
PS C:\Users\v-nany> $appInfo.requiredResourceAccess
```
You will get resourceAppId, which represents the resource, and the related resourceAccess, which is a list of scopes.
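RequiredResourceAccess only carries GUIDs, so the answer above leaves you with a resourceAppId and a list of permission ids to decode by hand. The script below is an added example (not from the answer) that resolves them with the AzureAD V2 module: each resourceAppId is looked up as a service principal, whose Oauth2Permissions (delegated scopes) and AppRoles (application permissions) carry the human-readable Value for every id. $appId is the placeholder client ID of the app under review.

```powershell
# Added example: turn an app registration's RequiredResourceAccess into readable permission names.
# Assumption: $appId is the application (client) ID of the app you are reviewing (placeholder).
param([Parameter(Mandatory)] [string] $appId)

$app = Get-AzureADApplication -Filter "appId eq '$appId'"
if (-not $app) { throw "No application found with appId $appId" }

foreach ($rra in $app.RequiredResourceAccess) {
    # ResourceAppId is the appId of the API (for example Microsoft Graph); its service principal
    # publishes the catalogue of delegated scopes (Oauth2Permissions) and app roles (AppRoles).
    $sp = Get-AzureADServicePrincipal -Filter "appId eq '$($rra.ResourceAppId)'"
    $resourceName = if ($sp) { $sp.DisplayName } else { $rra.ResourceAppId }
    foreach ($access in $rra.ResourceAccess) {
        $name = $null
        if ($sp -and $access.Type -eq 'Scope') {
            $name = ($sp.Oauth2Permissions | Where-Object { $_.Id -eq $access.Id }).Value
        } elseif ($sp -and $access.Type -eq 'Role') {
            $name = ($sp.AppRoles | Where-Object { $_.Id -eq $access.Id }).Value
        }
        $kind = if ($access.Type -eq 'Role') { 'Application' } else { 'Delegated' }
        $label = if ($name) { $name } else { "<unknown id $($access.Id)>" }
        [PSCustomObject]@{
            App          = $app.DisplayName
            Resource     = $resourceName
            Type         = $kind
            Permission   = $label
            PermissionId = $access.Id
        }
    }
}
```

Run it as `.\Get-AppPermissions.ps1 -appId <client-id> | Format-Table -AutoSize`. Keep in mind that RequiredResourceAccess is what the app asks for, not what has been granted: the actual consent state lives in the OAuth2 permission grants (Get-AzureADOAuth2PermissionGrant) and app role assignments on the app's own service principal, so a permissions review should compare both.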

Windows Server: Uncheck "Automatically detect settings" in the internet connection settings for a new profile

I would like to uncheck "Automatically detect settings" in the internet connection settings, which is on by default. I tried to modify the default profile, and I can verify that my script creates the correct entry, which is working on the current profile as well.
But as soon as a new profile gets created, it ignores exactly this setting and sets it to the default.
Here is an excerpt of the script I am using (note: the default user hive was loaded into xxtray beforehand):
```powershell
$key = 'HKLM:\xxtray\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections'
$data = (Get-ItemProperty -Path $key -Name DefaultConnectionSettings).DefaultConnectionSettings
if ($data.Length -eq 0) {
    # Fall back to the current user's value when the default hive has none
    $keyorg = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections'
    $data = (Get-ItemProperty -Path $keyorg -Name DefaultConnectionSettings).DefaultConnectionSettings
}
if ($data.length -eq 0) {
    # Last resort: a known-good blob (truncated here)
    $data = ([byte[]](0x46,0x00,0x00,0x00,06,0x00,0x00,0x00,01,0x00,0x00,0x00,0x00,0x00,0x00,
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x2d,0x00,0x00,0x00,0x68,0x74,0x74,0x70,0x3a,0x2f,0x2f,0x65,
    ...
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00))
}
if ($data.length -ne 0) {
    $data[8] = 1
    Remove-ItemProperty -Path $key -Name DefaultConnectionSettings
    Set-ItemProperty -Path $key -Name DefaultConnectionSettings -Value $data
}
```
So, if I log on with a fresh profile, "Automatically detect settings" is on: byte 8 is set to 9, while at the same time it is set to 1 in the default user profile.
The question:
How can I override this behavior? It's not an option to place something like an autologon to fix it.
Target OS is Windows Server 2008R2 and Windows Server 2012.
Thanks for help,
Rolf.
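The script in the question overwrites byte 8 with a constant, which also discards any proxy or auto-config flags stored in the same byte. The function below is an added example (not from the question, and it does not answer why new profiles reset the value): it clears or sets only the auto-detect bit in an existing DefaultConnectionSettings blob and bumps the change counter. The byte layout it relies on (bytes 4-7 a little-endian change counter, byte 8 a flag set with 0x01 direct, 0x02 manual proxy, 0x04 auto-config script, 0x08 auto-detect) is the commonly documented one and is an assumption here, not something the question states; it is consistent with the 9 versus 1 the asker observed.

```powershell
# Added example: flip only the "Automatically detect settings" bit of DefaultConnectionSettings.
# Assumption (widely documented layout, not stated in the question): bytes 4-7 = change counter
# (little-endian), byte 8 = flags, where 0x08 is auto-detect. Works on HKCU: or a loaded hive path.
function Set-ProxyAutoDetect {
    param(
        [string] $Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections',
        [bool]   $Enabled = $false
    )
    $item = Get-ItemProperty -Path $Key -Name DefaultConnectionSettings -ErrorAction SilentlyContinue
    if (-not $item -or $item.DefaultConnectionSettings.Length -lt 9) {
        throw "DefaultConnectionSettings is missing or too short under $Key; nothing changed."
    }
    [byte[]] $data = $item.DefaultConnectionSettings
    $before = $data[8]
    if ($Enabled) {
        $data[8] = $data[8] -bor 0x08            # set the auto-detect bit
    } else {
        $data[8] = $data[8] -band (-bnot 0x08)   # clear it, keep the other flags intact
    }
    # Increment the counter so the new value is treated as newer than any cached copy
    $counter = [uint32] ([BitConverter]::ToUInt32($data, 4) + 1)
    [BitConverter]::GetBytes($counter).CopyTo($data, 4)
    Set-ItemProperty -Path $Key -Name DefaultConnectionSettings -Value $data -Type Binary
    [PSCustomObject]@{ Key = $Key; FlagsBefore = $before; FlagsAfter = $data[8]; Counter = $counter }
}

# Usage on the current profile, then on the loaded default-user hive from the question:
Set-ProxyAutoDetect
Set-ProxyAutoDetect -Key 'HKLM:\xxtray\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections'
```

The returned object shows the flag byte before and after, which makes it easy to confirm from a fresh profile whether the value was preserved or rewritten at first logon.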
