Use the Graph API endpoints to block access to MSOnline PowerShell cmdlets
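#Set the authentication details
$tenantID = "tenant.onmicrosoft.com" #your tenantID or tenant root domain
$appID = "12345678-1234-1234-1234-1234567890AB" #the GUID of your app. For best result, use app with Policy.ReadWrite.Authorization scope granted.
#Client secret for the app. Prefer passing it through the environment (the variable name below is this script's own choice)
#so the secret is not stored in the script file; the inline value is a placeholder kept only as a fallback.
$client_secret = if ($env:GRAPH_CLIENT_SECRET) { $env:GRAPH_CLIENT_SECRET } else { "XXXXXXXXXXXXXXXxxxx" }

#Form body for the OAuth2 client credentials grant against the v2.0 token endpoint
$body = @{
    client_id     = $appID
    scope         = "https://graph.microsoft.com/.default"
    client_secret = $client_secret
    grant_type    = "client_credentials"
}

#Get a token. -ErrorAction Stop so a failed token request terminates here instead of leaving $token empty
#and having every Graph call below fail with a less obvious 401.
$authenticationResult = Invoke-WebRequest -Method Post -Uri "https://login.microsoftonline.com/$tenantID/oauth2/v2.0/token" -ContentType "application/x-www-form-urlencoded" -Body $body -ErrorAction Stop
$token = ($authenticationResult.Content | ConvertFrom-Json).access_token
if (-not $token) { throw "Token response did not contain an access_token" }
$authHeader = @{'Authorization'="Bearer $token"}

#The beta authorizationPolicy singleton; reused by the read, the PATCH and the confirmation read
$policyUri = "https://graph.microsoft.com/beta/policies/authorizationPolicy/authorizationPolicy"

#Call the /policies/authorizationPolicy/authorizationPolicy endpoint to check the current value
$res = Invoke-WebRequest -Headers $authHeader -Uri $policyUri -ErrorAction Stop
$result = ($res.Content | ConvertFrom-Json)
$result

#Change the value to true via a PATCH operation.
#blockMsolPowerShell is a boolean property, so send a JSON true ($true) rather than the string "true".
$body = (@{"blockMsolPowerShell"=$true} | ConvertTo-Json)
$authHeader = @{'Authorization'="Bearer $token";"Content-Type" = "application/json"}
#-ErrorAction Stop here too: without it a rejected PATCH is only a non-terminating error and the
#confirmation read below would print the unchanged policy as if the change had applied.
$res = Invoke-WebRequest -Headers $authHeader -Uri $policyUri -Method Patch -Body $body -ErrorAction Stop

#Call the /policies/authorizationPolicy/authorizationPolicy endpoint again to confirm the new value
$res = Invoke-WebRequest -Headers $authHeader -Uri $policyUri -ErrorAction Stop
$result = ($res.Content | ConvertFrom-Json)
$result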