Anton Staykov astaykov

  • Microsoft (former Microsoft Azure MVP)
  • Berlin, Germany
  • X @astaykov
astaykov / AzureAD-ManagedIdentity-AssignedPermissions.ps1
Created February 16, 2022 14:08
Check application permissions assigned on a managed identity
# First, get the service principal object of the managed identity
# you can use the object ID directly, as it is displayed in the managed identity properties
$miSP = Get-AzureADServicePrincipal -ObjectId 836955bf-0fe8-4b25-b1af-d1119558eec7
# EXAMPLE: Get the Microsoft Graph service principal
# Note: the special GUID 00000003-0000-0000-c000-000000000000 is the application ID of Microsoft Graph
$graphSP = Get-AzureADServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
# the following command will get all app role assignments that our managed identity has been granted
# Note: since we are talking about a managed identity, only application permissions are applicable

# First, get the service principal object of the managed identity
# you can use the object ID directly, as it is displayed in the managed identity properties
$miSP = Get-AzureADServicePrincipal -ObjectId 836955bf-0fe8-4b25-b1af-d1119558eec7
# Second, discover the service principal of the service you want to grant roles on
# EXAMPLE: Microsoft Graph
# Note: the special GUID 00000003-0000-0000-c000-000000000000 is the application ID of Microsoft Graph
$resourceSP = Get-AzureADServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
# EXAMPLE Microsoft 365 Defender (Security Graph):

#!/usr/bin/env bash
# first disable HTTP and force HTTPS only
az functionapp list --query "[].id" --output tsv | az functionapp update --set httpsOnly=true --ids @-
# then disable FTP in general.
# depending on your process, you might want to enforce FTPS (FtpsOnly) instead of completely disabling it (Disabled).
az functionapp list --query "[].id" --output tsv | az functionapp config set --ftps-state Disabled --ids @-
# set client cert operation mode to optional
az functionapp list --query "[].id" --output tsv | az functionapp update --set clientCertMode=optional --ids @-
astaykov / update-az-webapp-container.sh
Created March 15, 2021 16:17
Update app setting value for all Web Apps in particular resource group to
#!/usr/bin/env bash
az webapp list -g tonyco-saas-tenants --query "[].id" -o tsv | az webapp config container set --docker-custom-image-name astaykov/tonysaas:v0.8-beta --ids @-

Connect-AzureAD
$roles = Get-AzureADDirectoryRole
foreach ($role in $roles)
{
    $members = Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId
    Write-Host "--- Service Principals members of " $role.DisplayName " ---"
    foreach ($member in $members)
    {
        if ($member.ObjectType -eq "ServicePrincipal")
        {
            # assumed body (the preview ends here): list the service principal that holds the directory role
            Write-Host $member.DisplayName "(" $member.ObjectId ")"
        }
    }
}
astaykov / AuditAzureADB2C.ps1
Last active September 4, 2020 09:11
Take out number of authentications and number of active users from Azure AD B2C for the last 7 days
## Use this script to quickly analyse your current Azure AD B2C tenant
## Please use a cloud-only user (Global Admin) local to your B2C tenant
## This script uses the Azure AD PowerShell for MS Graph module + the Azure AD PowerShell for Graph preview module
## https://docs.microsoft.com/en-us/powershell/azure/active-directory/overview?view=azureadps-2.0
## https://docs.microsoft.com/en-us/powershell/azure/active-directory/overview?view=azureadps-2.0-preview
## You must have both modules installed to run this script
## The information is based on the Audit Logs of Azure AD B2C, which are retained for only 7 days
## If you need to query data for more than 7 days, then you must export your Azure AD B2C Audit Logs
## Read more about how to export Azure AD B2C Audit Logs to a Log Analytics Workspace:
## https://docs.microsoft.com/en-us/azure/active-directory-b2c/azure-monitor
astaykov / AddEmailVerifiedToIdTokensInAAD.ps1
Created June 19, 2020 08:12
Adding claims mapping policy for Azure AD to emit email_verified claim
# Get-AzureADServicePrincipalPolicy lives in the preview module, so import it before connecting
Import-Module AzureADPreview
Connect-AzureAD -Confirm
$appID = "...guid-of-the-AppID..."
$policyName = "Add email_verified to claims"
$sp = Get-AzureADServicePrincipal -Filter "servicePrincipalNames/any(n: n eq '$appID')"
$existingPolicies = Get-AzureADServicePrincipalPolicy -Id $sp.ObjectId `
    | Where-Object { $_.Type -eq "ClaimsMappingPolicy" }
astaykov / httpsig-in-postman-pre-request-script.js
Last active May 6, 2020 14:29 — forked from DinoChiesa/httpsig-in-postman-pre-request-script.js
pre-request script for Postman, to perform HttpSignature calculation. Also SHA-256 message digest.
function computeHttpSignature(config, headerHash) {
  var template = 'keyId="${keyId}",algorithm="${algorithm}",headers="${headers}",signature="${signature}"',
      sig = template;
  // compute sig here
  var signingBase = '';
  config.headers.forEach(function(h){
    if (signingBase !== '') { signingBase += '\n'; }
    signingBase += h.toLowerCase() + ": " + headerHash[h];
  });

#!/bin/bash
function check_directory_dependencies() {
    echo "Checking for graph extension on Azure CLI..."
    echo "--------------------------------------------"
    PATTERN='resource-graph'
    string=$(az extension list | grep "$PATTERN")
    if [[ $string == *"$PATTERN"* ]];
    then
        # az extension update --name resource-graph
        echo 'Graph extension is already installed...'
    else
        # assumed else branch (the preview ends above): install the missing extension
        az extension add --name resource-graph
    fi
}
astaykov / LDAP_Sample_Queries
Created November 29, 2019 10:01
LDAP queries
# basically gets all data about the organization
ldapsearch -x -h fqdn.of.the.domain -D "upn" -w "password" -b 'dc=idcxp,dc=site'
# get data about a single user object
# make sure you get the DN correct
# note: -w "password" leaves the bind password in shell history and process listings; -W prompts for it instead
ldapsearch -x -h fqdn.of.the.domain -D "upn" -w "password" -b 'CN=bdm-user bdmou,OU=AADDC Users,DC=idcxp,DC=site'