Anton Staykov astaykov

## update-az-webapp-container.sh
#!/usr/bin/env bash
az webapp list -g tonyco-saas-tenants --query "[].id" -o tsv | az webapp config container set --docker-custom-image-name astaykov/tonysaas:v0.8-beta --ids @-

## asc-mitigate-function-apps-tls-ftps.sh
#!/usr/bin/env bash
# first disable HTTP and force HTTPS only
az functionapp list --query "[].id" --output tsv | az functionapp update --set httpsOnly=true --ids @-

# then disable FTP in general.
# depending on your process, you might want to enforce FTPS (FtpsOnly) insted of completely disable it (Disabled).
az functionapp list --query "[].id" --output tsv | az functionapp config set --ftps-state Disabled --ids @-

# set client cert operation mode to optional
az functionapp list --query "[].id" --output tsv | az functionapp update --set clientCertMode=optional --ids @-

## AzureAD-ConsentAppRole-to-ManagedIdentity.ps1
# First, get the service principal object of the managed identity
# you can directly use the object, as it will be displayed on the managed identity properties
$miSP = Get-AzureADServicePrincipal -ObjectId 836955bf-0fe8-4b25-b1af-d1119558eec7

# second discover the service principal for the service you are looking to grant roles upon
# EXAMPLE: Microsoft Graph
# Note: the special GUID 00000003-0000-0000-c000-000000000000 is the application ID of Microsoft Graph
$resourceSP = Get-AzureADServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"

# EXAMPLE Microsoft 365 Defender (Security Graph):

## AzureAD-ManagedIdentity-AssignedPermissions.ps1
# First, get the service principal object of the managed identity
# you can directly use the object, as it will be displayed on the managed identity properties
$miSP = Get-AzureADServicePrincipal -ObjectId 836955bf-0fe8-4b25-b1af-d1119558eec7

# EXAMPLE: Ge thte Microsoft Graph service principal
# Note: the special GUID 00000003-0000-0000-c000-000000000000 is the application ID of Microsoft Graph
$graphSP = Get-AzureADServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"

# the following command will get all app role assignments that our managed identity has been consented
# Note, that since we are talking about managed identity, only application permissions are applicable

## az-webapp-config-set-tls.sh
#!/usr/bin/env bash
# first disable HTTP and force HTTPS only
az webapp list --query "[].id" --output tsv | az webapp update --https-only true --ids @-

# then force min-tls version
az webapp list --query "[].id" --output tsv | az webapp config set --min-tls-version '1.2' --ids @-

# then force FTPS in general.
# depending on your process, you might want to enforce FTPS (FtpsOnly) insted of completely disable it (Disabled).
az webapp list --query "[].id" --output tsv | az webapp config set --ftps-state FtpsOnly --ids @-

## UpdateAllUsers.ps1
# This script is used to clean users' tenants association for a demo environment

$extProps = New-Object System.Collections.Generic.Dictionary"[String,String]"
$extProps.Add("extension_f7032a421ae74f8b8919f15dad3b290b_TenantsAll","")
Get-AzureADUser -all $true | ForEach-Object { Set-AzureADUser -ObjectId $_.ObjectId -ExtensionProperty $extProps }

## DeleteAllAppObjects.ps1
 Connect-MgGraph -Scopes "Directory.AccessAsUser.All" -TenantId b2c.idhero.de
 Get-MgApplication -Filter "startswith(displayname,'Tonyco SaaS')" | ForEach-Object { Remove-MgApplication -ApplicationId $_.Id }

## ClaimsMappingPolicy-GroupFilter.ps1
# First, connect to Azure AD
Connect-AzureAD

# Make sure there is no same policy already defined
# Get your policies and inspect them
Get-AzureADPolicy

# modify your gorup filter as appropriate
# ref: https://learn.microsoft.com/en-us/azure/active-directory/develop/reference-claims-mapping-policy-type#group-filter
$PolicyDefinitionString = "{

## SendgridCustomTemplateId.xml
<TrustFrameworkPolicy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
    xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06"
    PolicySchemaVersion="0.3.0.0"
    TenantId="yourtenant.onmicrosoft.com"
    PolicyId="B2C_1A_SendgridCustomTemplateId"
    PublicPolicyUri="http://tonycosite.onmicrosoft.com/B2C_1A_SendgridCustomTemplateId"
    DeploymentMode="Development"
    UserJourneyRecorderEndpoint="urn:journeyrecorder:applicationinsights">

## AzureFunction-ParseToken.ps1
using namespace System.Net

# Input bindings are passed in via param block.
param($Request, $TriggerMetadata)

function Parse-JWTtoken {

    [cmdletbinding()]
    param([Parameter(Mandatory=$true)][string]$token)
	#!/usr/bin/env bash
	az webapp list -g tonyco-saas-tenants --query "[].id" -o tsv \| az webapp config container set --docker-custom-image-name astaykov/tonysaas:v0.8-beta --ids @-
	#!/usr/bin/env bash
	# first disable HTTP and force HTTPS only
	az functionapp list --query "[].id" --output tsv \| az functionapp update --set httpsOnly=true --ids @-

	# then disable FTP in general.
	# depending on your process, you might want to enforce FTPS (FtpsOnly) insted of completely disable it (Disabled).
	az functionapp list --query "[].id" --output tsv \| az functionapp config set --ftps-state Disabled --ids @-

	# set client cert operation mode to optional
	az functionapp list --query "[].id" --output tsv \| az functionapp update --set clientCertMode=optional --ids @-
	# First, get the service principal object of the managed identity
	# you can directly use the object, as it will be displayed on the managed identity properties
	$miSP = Get-AzureADServicePrincipal -ObjectId 836955bf-0fe8-4b25-b1af-d1119558eec7

	# second discover the service principal for the service you are looking to grant roles upon
	# EXAMPLE: Microsoft Graph
	# Note: the special GUID 00000003-0000-0000-c000-000000000000 is the application ID of Microsoft Graph
	$resourceSP = Get-AzureADServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"

	# EXAMPLE Microsoft 365 Defender (Security Graph):
	#!/usr/bin/env bash
	# first disable HTTP and force HTTPS only
	az webapp list --query "[].id" --output tsv \| az webapp update --https-only true --ids @-

	# then force min-tls version
	az webapp list --query "[].id" --output tsv \| az webapp config set --min-tls-version '1.2' --ids @-

	# then force FTPS in general.
	# depending on your process, you might want to enforce FTPS (FtpsOnly) insted of completely disable it (Disabled).
	az webapp list --query "[].id" --output tsv \| az webapp config set --ftps-state FtpsOnly --ids @-
	# This script is used to clean users' tenants association for a demo environment

	$extProps = New-Object System.Collections.Generic.Dictionary"[String,String]"
	$extProps.Add("extension_f7032a421ae74f8b8919f15dad3b290b_TenantsAll","")
	Get-AzureADUser -all $true \| ForEach-Object { Set-AzureADUser -ObjectId $_.ObjectId -ExtensionProperty $extProps }
	Connect-MgGraph -Scopes "Directory.AccessAsUser.All" -TenantId b2c.idhero.de
	Get-MgApplication -Filter "startswith(displayname,'Tonyco SaaS')" \| ForEach-Object { Remove-MgApplication -ApplicationId $_.Id }
	# First, connect to Azure AD
	Connect-AzureAD

	# Make sure there is no same policy already defined
	# Get your policies and inspect them
	Get-AzureADPolicy

	# modify your gorup filter as appropriate
	# ref: https://learn.microsoft.com/en-us/azure/active-directory/develop/reference-claims-mapping-policy-type#group-filter
	$PolicyDefinitionString = "{
	<TrustFrameworkPolicy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xmlns:xsd="http://www.w3.org/2001/XMLSchema"
	xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06"
	PolicySchemaVersion="0.3.0.0"
	TenantId="yourtenant.onmicrosoft.com"
	PolicyId="B2C_1A_SendgridCustomTemplateId"
	PublicPolicyUri="http://tonycosite.onmicrosoft.com/B2C_1A_SendgridCustomTemplateId"
	DeploymentMode="Development"
	UserJourneyRecorderEndpoint="urn:journeyrecorder:applicationinsights">
	using namespace System.Net

	# Input bindings are passed in via param block.
	param($Request, $TriggerMetadata)

	function Parse-JWTtoken {

	[cmdletbinding()]
	param([Parameter(Mandatory=$true)][string]$token)