
Merill Fernando merill

merill / Get-AllAffectedKeyCredentials.ps1
Last active December 9, 2021 15:40
This script will allow you to find all applications and service principals in Azure AD affected by https://aka.ms/CVE-2021-42306-AAD that need their keys to be rotated.
Install-Module AffectedKeyCredentials
Get-AffectedKeyCredentials -TenantId 0000-0000-0000-0000 -ObjectClass application -ScanAll
Get-AffectedKeyCredentials -TenantId 0000-0000-0000-0000 -ObjectClass servicePrincipal -ScanAll
merill / Get-LowTls.kql
Last active January 31, 2022 21:01
Gets a list of sign-ins that use older versions of TLS. This can be queried using either PowerShell or by querying log analytics. Learn more about AAD TLS deprecation today https://docs.microsoft.com/en-us/troubleshoot/azure/active-directory/enable-support-tls-environment?tabs=azure-monitor#overview-of-new-telemetry-in-the-sign-in-logs
// Interactive sign-ins only
SigninLogs
| where AuthenticationProcessingDetails has "Legacy TLS"
    and AuthenticationProcessingDetails has "True"
| extend JsonAuthProcDetails = parse_json(AuthenticationProcessingDetails)
| mv-apply JsonAuthProcDetails on (
    where JsonAuthProcDetails.key startswith "Legacy TLS"
    | project HasLegacyTls=JsonAuthProcDetails.value
)
| where HasLegacyTls == true
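The gist description says the same data can be pulled with PowerShell. The following is an added example, not part of the gist: it applies the same "Legacy TLS ... = True" filter client-side to objects shaped like the output of Get-MgAuditLogSignIn. The three sign-in records are constructed; the detail key "Legacy TLS (TLS 1.0, 1.1, or 3DES)" is the one the sign-in logs use, and the function name and output columns are my own choice.

```powershell
# Added example (not from the gist): client-side equivalent of the KQL query above.
# authenticationProcessingDetails is an array of { Key, Value } pairs; the value is the
# string "True"/"False", not a boolean, so compare against the string.

function Get-LegacyTlsSignIns {
    param([Parameter(Mandatory)] [object[]] $SignIns)
    foreach ($s in $SignIns) {
        $legacy = @($s.AuthenticationProcessingDetails |
            Where-Object { $_.Key -like 'Legacy TLS*' -and $_.Value -eq 'True' })
        if ($legacy.Count -gt 0) {
            [pscustomobject]@{
                CreatedDateTime   = $s.CreatedDateTime
                UserPrincipalName = $s.UserPrincipalName
                AppDisplayName    = $s.AppDisplayName
                IPAddress         = $s.IPAddress
                UserAgent         = $s.UserAgent
            }
        }
    }
}

# Constructed sample records (hypothetical users, apps and addresses)
$tlsKey = 'Legacy TLS (TLS 1.0, 1.1, or 3DES)'
$sample = @(
    [pscustomobject]@{ CreatedDateTime='2022-01-30T10:01:00Z'; UserPrincipalName='svc-scanner@contoso.com'
        AppDisplayName='Legacy Scanner'; IPAddress='203.0.113.10'; UserAgent='Java/1.7.0_80'
        AuthenticationProcessingDetails=@([pscustomobject]@{ Key=$tlsKey; Value='True' }) }
    [pscustomobject]@{ CreatedDateTime='2022-01-30T10:02:00Z'; UserPrincipalName='alice@contoso.com'
        AppDisplayName='Office 365'; IPAddress='203.0.113.11'; UserAgent='Mozilla/5.0'
        AuthenticationProcessingDetails=@([pscustomobject]@{ Key=$tlsKey; Value='False' }) }
    [pscustomobject]@{ CreatedDateTime='2022-01-30T10:03:00Z'; UserPrincipalName='bob@contoso.com'
        AppDisplayName='Office 365'; IPAddress='203.0.113.12'; UserAgent='Mozilla/5.0'
        AuthenticationProcessingDetails=@() }   # no Legacy TLS detail at all
)

# Only svc-scanner@contoso.com should come back
Get-LegacyTlsSignIns -SignIns $sample | Format-Table -AutoSize

# Live run against the tenant (needs Connect-MgGraph -Scopes 'AuditLog.Read.All','Directory.Read.All'):
# Get-LegacyTlsSignIns -SignIns (Get-MgAuditLogSignIn -All -Filter "createdDateTime ge 2022-01-01T00:00:00Z")
```

Filtering client-side is fine for a one-off check; for a tenant with heavy sign-in volume, the KQL version above runs where the data lives and is the better choice.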
# Lists guest users with their last interactive sign-in.
Install-Module Microsoft.Graph
Import-Module Microsoft.Graph
# Reading signInActivity requires AuditLog.Read.All in addition to User.Read.All
Connect-MgGraph -Scopes "User.Read.All","AuditLog.Read.All"
# signInActivity was beta-only when this was written. Select-MgProfile exists only in
# Microsoft.Graph SDK 1.x; in SDK 2.x drop this line (signInActivity is now on v1.0).
Select-MgProfile -Name beta
Get-MgUser -All -Filter "userType eq 'Guest'" -Select "mail,userPrincipalName,signInActivity" | Select-Object -Property mail,userPrincipalName,@{Name = 'LastSignIn'; Expression = {$_.signInActivity.lastSignInDateTime}}

Extended Domain Support for Azure AD B2B

This page provides a workaround for organizations that are approaching the limit on the Allow/Block Domains list for guest invites. That domain list is currently limited to 25 KB.

Solution Overview

The high-level overview of this solution involves:

  • Creating a new extension attribute (eg 'approvedForCollab')
  • Creating a Conditional Access policy that blocks all guests that don't have 'approvedForCollab' = Yes
  • Creating a Logic App that runs every 5/10 minutes. This Logic App will:
    • Check for new guests invited to the tenant (querying /users)
    • Verify whether the user's domain/tenant Id matches a known list (or is included in Connected orgs)
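The classification step of that Logic App, as an added example in PowerShell that can be run offline. This is not code from the gists or from the App.Azure.GuestInvite project: the approved-domain list, the connected-organization tenant ID, the sample guests, the `homeTenantId` field and the directory-extension property name are all constructed for illustration, and the Graph calls for the live path are shown but not executed.

```powershell
# Added example, not merill's code: decide which newly invited guests get
# approvedForCollab = Yes, based on the guest's domain or home tenant.

$ApprovedDomains       = @('contoso.com', 'fabrikam.co.uk')            # hypothetical allow list
$ConnectedOrgTenantIds = @('11111111-1111-1111-1111-111111111111')     # hypothetical connected org
# Hypothetical name; a real directory extension is extension_<appId>_approvedForCollab
$ExtensionProperty     = 'extension_00000000000000000000000000000000_approvedForCollab'

function Get-GuestDomain {
    param([Parameter(Mandatory)] $Guest)
    # Prefer mail; otherwise decode the B2B UPN form
    # alice_contoso.com#EXT#@tenant.onmicrosoft.com -> contoso.com
    if ($Guest.mail -and $Guest.mail -match '@') {
        return $Guest.mail.Split('@')[-1].Trim().ToLowerInvariant()
    }
    if ($Guest.userPrincipalName -match '^(?<local>.+)_(?<domain>[^_#@]+)#EXT#@') {
        return $Matches['domain'].ToLowerInvariant()
    }
    return $null
}

function Test-ApprovedDomain {
    param([string] $Domain)
    if (-not $Domain) { return $false }
    foreach ($approved in $ApprovedDomains) {
        # exact match, or a subdomain of an approved domain (mail.contoso.com)
        if ($Domain -eq $approved -or $Domain.EndsWith(".$approved")) { return $true }
    }
    return $false
}

function Get-GuestDecision {
    param([Parameter(Mandatory)] $Guest)
    $domain   = Get-GuestDomain -Guest $Guest
    $approved = $false
    $reason   = 'no match: guest stays blocked by the CA policy'
    # homeTenantId is a constructed field standing in for however the Logic App
    # learns the guest's home tenant; the page only says "domain/tenant Id".
    if (Test-ApprovedDomain -Domain $domain) {
        $approved = $true; $reason = 'domain on allow list'
    } elseif ($Guest.homeTenantId -and $ConnectedOrgTenantIds -contains $Guest.homeTenantId) {
        $approved = $true; $reason = 'connected organization'
    }
    [pscustomobject]@{
        Id       = $Guest.id
        Upn      = $Guest.userPrincipalName
        Domain   = $domain
        Approved = $approved
        Reason   = $reason
    }
}

function Set-ApprovedForCollab {
    param([Parameter(Mandatory)] $Decision, [switch] $Apply)
    if ($Apply) {
        # Live write (needs Connect-MgGraph -Scopes 'User.ReadWrite.All');
        # directory extension values go through AdditionalProperties.
        Update-MgUser -UserId $Decision.Id -AdditionalProperties @{ $ExtensionProperty = 'Yes' }
    } else {
        "WhatIf: set $ExtensionProperty = Yes on $($Decision.Upn)"
    }
}

# Constructed stand-in for "guests created since the last run" (hypothetical tenants and users)
$sampleGuests = @(
    [pscustomobject]@{ id='g1'; userPrincipalName='alice_contoso.com#EXT#@tenant.onmicrosoft.com'; mail='alice@contoso.com'; homeTenantId=$null }
    [pscustomobject]@{ id='g2'; userPrincipalName='bob_smith_mail.fabrikam.co.uk#EXT#@tenant.onmicrosoft.com'; mail=$null; homeTenantId=$null }
    [pscustomobject]@{ id='g3'; userPrincipalName='carol_partner.example#EXT#@tenant.onmicrosoft.com'; mail='carol@partner.example'; homeTenantId='11111111-1111-1111-1111-111111111111' }
    [pscustomobject]@{ id='g4'; userPrincipalName='mallory_attacker.example#EXT#@tenant.onmicrosoft.com'; mail='mallory@attacker.example'; homeTenantId=$null }
)

$decisions = $sampleGuests | ForEach-Object { Get-GuestDecision -Guest $_ }
$decisions | Format-Table -AutoSize      # g1 (domain), g2 (subdomain), g3 (connected org) approved; g4 not
$decisions | Where-Object Approved | ForEach-Object { Set-ApprovedForCollab -Decision $_ }   # add -Apply to write

# Live read for the real run (needs User.Read.All); createdDateTime supports ge filters:
# $since = (Get-Date).AddMinutes(-10).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
# Get-MgUser -All -Filter "userType eq 'Guest' and createdDateTime ge $since" -Select id,userPrincipalName,mail,createdDateTime
```

Two details matter for the security of this design. The domain is taken from mail first and only then from the UPN, because the UPN's local part may itself contain underscores and a naive split on '_' picks the wrong segment; the regex anchors on the '#EXT#@' suffix instead. And because the Conditional Access policy blocks by default, a guest that falls through the checks is never granted access by accident; the worst outcome of a bug in this script is a legitimate guest waiting for the next run.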
using Microsoft.Graph;
using System;
using System.Collections.Generic;
using System.Linq;
using App.Azure.GuestInvite.Infrastructure.Authentication;
using App.Azure.GuestInvite.Model;
namespace App.Azure.GuestInvite.Infrastructure
{
public class GraphClient : IGraphClient
merill / functions.php
Created January 2, 2018 02:56
WordPress Micro Blog gist to hide a specific category from the default feed
/* Hide posts with the 'status' category from the default RSS feed but allow them to show in the site specific (category) feed */
function exclude_category( $query ) {
    // Only touch feed requests, and leave category feeds such as /category/status/feed/ alone
    if ( $query->is_feed && ! is_category() ) {
        $query->set( 'cat', '-154' ); // negative ID excludes category 154 from the query
    }
    return $query;
}
// Hook it up; pre_get_posts hands the WP_Query in by reference, so the return value is not needed
add_action( 'pre_get_posts', 'exclude_category' );