Intune policies through JSON (oData) template - azure-active-directory

I am trying to create a JSON template to create the Intune (based on Office 365) policies through Graph api. I am able to create policies for some of the URIs like terms and conditions but others. I tried creating for odata
microsoft.graph.iosEasEmailProfileConfiguration
it failed giving error 400.
i would like to know if it is working for anyone and how

If you get 400 errors in MS Graph API you can crete a case with Azure support.
I haven't tried the one you mention. But I have figured out a couple of them, after banging my head in the wall for some weeks with the poor Microsoft Graph API documentation.
Compliance policies:
POST https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies
{
"#odata.type": "microsoft.graph.androidCompliancePolicy",
"displayName": "Android",
"passwordRequired": true,
"passwordMinimumLength": 4,
"passwordRequiredType": "numericComplex",
"passwordMinutesOfInactivityBeforeLock": 15,
"storageRequireEncryption": true,
"scheduledActionsForRule":[{"ruleName":"Mark device noncompliaant","scheduledActionConfigurations":[{"actionType":"block","gracePeriodHours":72,"notificationTemplateId":""}]}]
}
Device Configuration policies:
POST https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations
{
"#odata.type": "#microsoft.graph.androidGeneralDeviceConfiguration",
"description": "",
"displayName": "Device restriction - Android",
"passwordBlockFingerprintUnlock": false,
"passwordBlockTrustAgents": false,
"passwordExpirationDays": null,
"passwordMinimumLength": 4,
"passwordMinutesOfInactivityBeforeScreenTimeout": 15,
"passwordPreviousPasswordBlockCount": null,
"passwordSignInFailureCountBeforeFactoryReset": 11,
"passwordRequiredType": "numericComplex",
"passwordRequired": true,
"storageRequireDeviceEncryption": true
}
I have also figured out branding, groups, setting MDM authority, setting update ring and adding windows hello settings.
But I cannot figure out how to assign compliance policies to groups.
The examples in the MS Graph API documentation just throws an error.
I also cannot find where in Graph API i can do condidtional access in Intune and how I control device settings in Azure AD.

You can do a POST to deviceManagement/deviceConfigurations with following sample payload:
{
"id": "00000000-0000-0000-0000-000000000000",
"displayName": "profile name",
"description": "profile description",
"scopeTags": [],
"#odata.type": "#microsoft.graph.iosEasEmailProfileConfiguration",
"blockMovingMessagesToOtherEmailAccounts": false,
"blockSendingEmailFromThirdPartyApps": false,
"blockSyncingRecentlyUsedEmailAddresses": false,
"durationOfEmailToSync": "userDefined",
"requireSmime": false,
"requireSsl": true,
"hostName": "outlook.microsoft.com",
"accountName": "Account name",
"usernameSource": "userPrincipalName",
"emailAddressSource": "userPrincipalName",
"authenticationMethod": "usernameAndPassword"
}

Related

How can I go about avoiding verification for a TikTok bot with proxies?

I am making a TikTok bot for fun. It does not automate posts/follows, it only scrapes information off the site. The issue I am finding is that after about 10-15 requests to the TikTok API it requires verification, spouting the following JSON:
{
"code":"10000",
"from":"",
"type":"verify",
"version":"",
"region":"sg",
"subtype":"slide",
"detail":"Hj4wDrDKZhDyu*bE94NlMgd3uQfAXw2eZJGOyoJXO-X9iLbeynU-spQiwbxyOkhJkGKbHNCyGHKuZ4jnJaJfnGedLadLrz8UMPAV*sriWIzRIEwj0PdWEmtZ25SbcEoytp4G631fwjn7y0498dMxisxkA8QnSTTGfswOFlkQBfyyMFYf5TlvDkfxmkjG7qKRHdCOhsnmSLbTCOd6MLcNFJA9WhlmcnhBrJnnVCs-HvoRzOdbpGbOmZ55HjpWIRz0JrQp2EdEjr8-qtQd5jpdpzuXxcfzrLbGFZTjWkyMHPf4vMb3J*q8hIs0zX2gP6IyCsa2et5BQPsB1KU2YyRA5VEvd*8*lZyRR60ZVs46UwtEXAu0l41Y2q0agUrayqnPnj8zpq7H7aK2VS46RZO0W3N7nZ-Jjq4QbAs.",
"verify_event":"",
"fp":"verify_kxe9l4xj_3jaJngfM_UEUu_47yj_Au6M_Kp0jwEVrqCJb",
"scene":"",
"verify_ticket":"",
"channel_mobile":"",
"sms_content":"",
"mobile":"",
"email":""
}
I am aware of sneaker bots using proxies to avoid these sorts of issues, however TikTok requires cookies authentication from a signed in account so I'm not sure if it will work. Some responses talk about using headless requests, etc., but I've had no luck thus far in preventing this verification process.
Does anyone with experience scraping TikTok have a resolution for this issue?
Thanks.
{
"code": "10000",
"from": "",
"type": "verify",
"version": "",
"region": "sg",
"subtype": "slide",
"detail": "Hj4wDrDKZhDyubE94NlMgd3uQfAXw2eZJGOyoJXO-X9iLbeynU-spQiwbxyOkhJkGKbHNCyGHKuZ4jnJaJfnGedLadLrz8UMPAVsriWIzRIEwj0PdWEmtZ25SbcEoytp4G631fwjn7y0498dMxisxkA8QnSTTGfswOFlkQBfyyMFYf5TlvDkfxmkjG7qKRHdCOhsnmSLbTCOd6MLcNFJA9WhlmcnhBrJnnVCs-HvoRzOdbpGbOmZ55HjpWIRz0JrQp2EdEjr8-qtQd5jpdpzuXxcfzrLbGFZTjWkyMHPf4vMb3Jq8hIs0zX2gP6IyCsa2et5BQPsB1KU2YyRA5VEvd8*lZyRR60ZVs46UwtEXAu0l41Y2q0agUrayqnPnj8zpq7H7aK2VS46RZO0W3N7nZ-Jjq4QbAs.",
"verify_event": "",
"fp": "verify_kxe9l4xj_3jaJngfM_UEUu_47yj_Au6M_Kp0jwEVrqCJb",
"scene": "",
"verify_ticket": "",
"channel_mobile": "",
"sms_content": "",
"mobile": ""
}

Can't get events with open extension in Microsoft Graph API

I created an event through a shared mailbox in Graph API.
https://graph.microsoft.com/v1.0/users/{shared-user-id}/calendars/{shared-calendar-id}/events
{
"subject": "New Event Test",
"body": {
"contentType": "HTML",
"content": "Mail FLow Test"
},
"start": {
"dateTime": "2021-01-29T12:00:00",
"timeZone": "Eastern Standard Time"
},
"end": {
"dateTime": "2021-01-30T14:00:00",
"timeZone": "Eastern Standard Time"
},
"attendees": [
{
"emailAddress": {
"address":"calendar#contoso.com",
"name": "Calendar Organizer"
},
"type": "required"
}
]
}
This creates an event successfully, and after that, I patched this event with extended data using open extension.
https://graph.microsoft.com/v1.0/users/{user-id}/calendars/{calendar-id}/events/{just-created-event-id}
{
"extensions": [
{
"#odata.type": "microsoft.graph.openTypeExtension",
"extensionName": "Com.Contoso.Events",
"courseId": 22,
"materialId": 75,
"courseType": "video"
}
]
}
This seems not to work. This responses Access is denied.
https://graph.microsoft.com/v1.0/users/{shared-user-id}/calendars/{shared-calendar-id}/events?$expand=extensions($filter=id eq 'Microsoft.OutlookServices.OpenTypeExtension.Com.Contoso.Events')
It responses ErrorAccessDenided with error message "Access is denied. Check credentials and try again".
But if I try this without expanding extensions, then it works.
I couldn't even to create an event because it responded with the same error and message "Access is denied. Check credentials and try again", so I added an API permission MailboxSettings.ReadWrite in my Azure AD that made work an event creation through the shared mailbox.
What is the reason why I can create or get events but not add or expand extensions?
Move my comment here so that this issue is treated as answered.
The method you are using is incorrect. Please refer to this sample to create the open extension.
But based on my test, we cannot use an admin (or a delegated user or a shared mailbox member) to create the extension for the shared mailbox (Even if I have added Calendars.Readwrite.Shared permission). It will give 403 error as you have encountered.
When I sign in with the shared mailbox user, it can create the open extension for itself.
So the conclusion is: when we use delegated permissions (user token), we can only create an open extension for the currently logged in user himself.

Problem with StatusReport trait in Smart Home Actions

I have a Security System with traits action.devices.traits.ArmDisarm and action.devices.traits.StatusReport and some other sensors: WaterLeak Sensor, Door Sensor ...
I report some errors about other devices with StatusReport state.
For example: when the door sensor detects that the door is open, the security system must give deviceOpen error.
When I say, "Is my security system ok?", my server's response to the query intent is the JSON below, but Google Assistant says that he couldn't reach my action (Unexpected error happened).
Is there anything wrong with this response?
{
"requestId": "10417064006786362499",
"payload": {
"devices": {
"3rL3QL7Kq2HrQjs53Y7o": {
"isArmed": true,
"currentStatusReport": [
{
"blocking": true,
"deviceTarget": "4BCIpzBWpgLA24mMI7r2",
"priority": 0,
"statusCode": "deviceOpen"
},
{
"blocking": true,
"deviceTarget": "MxRCd6ERRSWzYzyNTE8S",
"priority": 0,
"statusCode": "waterLeakDetected"
}
],
"status": "EXCEPTIONS",
"online": true
}
}
}
}
In Firebase Console there are no errors.
Logs in Firebase Console
Your response to the query intent looks right, but there might be an error in other parts of the process. You can follow the Troubleshooting Guide to see how your failed intent is counted in the Smart Home metrics and what are the details on your logs. (Firebase logs only gives info about your server. The logging mentioned in the guide (Google Cloud Logging) is a different and more comprehensive for the intent handling)

AAD group delta query does not return members#delta anymore?

I have a client application leveraging Microsoft Graph to get incremental changes for a certain AAD Group.
My BVT caught an issue and when I debugged, I found the Graph request does not return the members#delta collection any longer so the app did not receive any Group Membership changes.
Request:
https://graph.microsoft.com/v1.0/groups/delta?$expand=members&$select=id,displayName,mailNickName,onPremisesSecurityIdentifier,groupTypes,securityEnabled&$filter=id eq '9f63ad39-xxxx-xxxx-xxxx-xxxxxxxxxxxxxx'
Response:
{
"#odata.context": "https://graph.microsoft.com/v1.0/$metadata#groups(id,displayName,mailNickname,onPremisesSecurityIdentifier,groupTypes,securityEnabled,members())",​
"#odata.nextLink": "https://graph.microsoft.com/v1.0/groups/delta?$skiptoken=duo2tEVrL.............................-Ay-zlyuo2tEVrLOUh0PUTdXM",​
"value": [​
{​
"displayName": "TestGroup-OneUser",​
"mailNickname": "9a234b7e8ad-3",​
"securityEnabled": true,​
"id": "9f63ad39-xxxx-xxxx-xxxx-xxxxxxxxxx",​
"members#delta": [​
{​
"#odata.type": "#microsoft.graph.user",​
"id": "18e2a00c-xxxx-xxxx-a9a9-xxxxxxxxxxxxx"​
}​
]​
}​
]​
}
Any idea what has changed?
You should add members to $select, change the request like this:
https://graph.microsoft.com/v1.0/groups/delta?$select=id,displayName,members&$filter=id eq '1068699c-044b-4846-b45a-4137e06a7ca2'

Visual Studio Code SQL Server connection to encrypted database with Azure Key Vault (Always Encrypted)

I'm trying to get a connection from VSCode on macOS to a SQL Server database that uses always encrypted mechanism to protect some of the columns. The master key is stored in an Azure Key Vault.
Using the always encrypted guide provided by Microsoft is was able to connect successfully to the database.
The same is true for a simple connection using VSCode on my mac without turning on the encryption/decryption. I used the mssql-extension plugin and providing the necessary information within the settings I was able to query the data
Settings
"mssql.connections": [
{
"server": "XXXXXXXX.database.windows.net",
"database": "AlwaysEncrypted",
"authenticationType": "SqlLogin",
"user": "XXXXX",
"password": "",
"emptyPasswordInput": false,
"savePassword": true,
"profileName": "AlwaysEncrypted"
}
]
Query
SELECT * FROM EmployeeDetails
Result
[
{
"EmployeeDetailsId": "1",
"EmployeeNo": "FE00000001",
"FirstName": "0x013EC8AB61767E1C3D934AB061BCA658B6948637812450C8245DCE4C447F59FD1D6252069A36A67E3477E1C5FB24D860E72FBCC65F98C92B92AB873CE55349672A",
"MiddleName": "0x015354526EC17EB1151AE918514E565507EDCB5691B4215C45798CA86EB11C47EECA579242926EDFE9F6543006177CBFC03E0F95CD0D8CAE6C941AE173AAF2B925",
"LastName": "0x0170B3FD2B0416E0607312FB2A67B0F42798EC1871FEAB90AB81235ADACDE1C4F5614099FA3B61E59FEB2D6AD599CB3A9FD031FE56F327F0C80F4BA963EE7E155A",
"DateOfBirth": "1985-08-12 00:00:00.000"
}
]
Following the two guides
https://learn.microsoft.com/en-us/sql/connect/odbc/using-always-encrypted-with-the-odbc-driver?view=sql-server-2017
https://github.com/Microsoft/vscode-mssql/wiki/manage-connection-profiles
I did try to create another connection using the mssql-extension and providing a ODBC Connection String but ultimately failed to get decrypted data when querying (the connection was established just fine). The result was the same as posted above
Settings with Connection String
"mssql.connections": [
{
"server": "XXXXXXXX.database.windows.net",
"database": "AlwaysEncrypted",
"authenticationType": "SqlLogin",
"user": "XXXXX",
"password": "",
"emptyPasswordInput": false,
"savePassword": true,
"profileName": "AlwaysEncrypted_WithKeyVault",
"connectionString": "SERVER=XXXXXX.database.windows.net;Trusted_Connection=Yes;DATABASE=AlwaysEncrypted;ColumnEncryption=Enabled;KeyStoreAuthentication=KeyVaultPassword;KeyStorePrincipalId=USER.NAME#DOMAIN.com;KeyStoreSecret=PASSWORD"
}
]
Can anyone help me to figure out how to setup the connections right, so that the encryption/decryption will he done transparently when using VSCode?
Bit of a stale question, but for anyone who also ends up finding this:
I managed to get a successfully connection on VS Code SQL Server by having the following settings in my settings.json mssql.connections array:
{
"server": "XXXX.serverhost.domain",
"database": "XXXX",
"authenticationType": "SqlLogin",
"user": "XXXX",
"password": "",
"savePassword": true,
"profileName": "XXXX",
// specifically the settings below were the important ones
"encrypt": true,
"trustServerCertificate": true,
"persistSecurityInfo": true
}

Resources