Nathan McNulty nathanmcnulty

## group-use-report.ps1
# Connect to Microsoft Graph if not already connected
if (-not (Get-MgContext)) {
    Connect-MgGraph -Scopes "Policy.Read.All","Group.Read.All","Application.Read.All","Directory.Read.All"
}

$results = @()

# Conditional Access Policies
$caPolicies = Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"
foreach ($policy in $caPolicies.value) {

## NRT KQL query
AuditLogs
| where ResultReason == @"User registered Fido2 Authentication Method"
| extend UserId = parse_json(TargetResources)[0]["id"]

## mi-graph-permissions.ps1
$SP_ID = '3b3c5db1-c095-41c7-af10-2a958ccaf91a'

Connect-MgGraph -Scopes appRoleAssignment.ReadWrite.All,Application.Read.All,Group.ReadWrite.All

$GraphSP = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
$AppRole = $GraphSP.AppRoles | Where-Object {$_.Value -eq "SecurityEvents.Read.All" -and $_.AllowedMemberTypes -contains "Application"}
New-MgServicePrincipalAppRoleAssignment -AppRoleId $AppRole.Id -ServicePrincipalId $SP_ID -ResourceId $GraphSP.Id -PrincipalId $SP_ID

## graph-api-reports-ca-blocked-sign-ins.txt
Graph PowerShell:

(Invoke-MgGraphRequest -Uri "/beta/reports/serviceActivity/getMetricsForConditionalAccessBlockedSignIn(inclusiveIntervalStartDateTime=$((Get-Date).AddMinutes(-5).ToString("yyyy-MM-ddTHH:mm:ssZ")),exclusiveIntervalEndDateTime=$((Get-Date).ToString("yyyy-MM-ddTHH:mm:ssZ")),aggregationIntervalInMinutes=5)").value

Logic App:

{
    "definition": {
        "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
        "contentVersion": "1.0.0.0",

## propertiesCatalog.json
{
    "description": "",
    "name": "Properties Catalog",
    "roleScopeTagIds": [
        "0"
    ],
    "platforms": "windows10",
    "technologies": "extensibility",
    "settings": [
        {

## gist:445aea7d5966a267e904f74525721233
$session = New-Object Microsoft.PowerShell.Commands.WebRequestSession
$session.UserAgent = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36 Edg/127.0.0.0"
$session.Cookies.Add((New-Object System.Net.Cookie("MC1", "<redacted>", "/", ".microsoft.com")))
$session.Cookies.Add((New-Object System.Net.Cookie("ai_user", "<redacted>", "/", "security.microsoft.com")))
$session.Cookies.Add((New-Object System.Net.Cookie("MicrosoftApplicationsTelemetryDeviceId", "<redacted>", "/", "security.microsoft.com")))
$session.Cookies.Add((New-Object System.Net.Cookie("SSR", "<redacted>", "/", "security.microsoft.com")))
$session.Cookies.Add((New-Object System.Net.Cookie("msresearch", "<redacted>", "/", ".microsoft.com")))
$session.Cookies.Add((New-Object System.Net.Cookie("MSFPC", "<redacted>", "/", "security.microsoft.com")))
$session.Cookies.Add((New-Object System.Net.Cookie("X-PortalEndpoint-RouteKey", "wusprod_westus", "/", "security.microsoft.com")))
$session.Coo

## gist:8c2e28b76f18dcdec12f78799724cffe
{
  "@odata.context": "https://graph.microsoft.com/beta/$metadata#identity/conditionalAccess/policies/$entity",
  "id": "876aef31-50a3-4c79-b77a-7ba8f8941317",
  "createdDateTime": "2024-09-06T01:23:30.5342067Z",
  "displayName": "PIM - Require strong re-authentication from compliant device",
  "state": "enabledForReportingButNotEnforced",
  "conditions": {
    "clientAppTypes": [ "all" ],
    "signInRiskLevels": [ ],
    "userRiskLevels": [ ],

## gist:c353279b9704140a1a8a11c26932f969
# list of permissions
[array]$permissions = "Directory.Read.All","Policy.Read.All","Reports.Read.All","DirectoryRecommendations.Read.All","PrivilegedAccess.Read.AzureAD","IdentityRiskEvent.Read.All","RoleEligibilitySchedule.Read.Directory","RoleManagement.Read.All","Policy.Read.ConditionalAccess","UserAuthenticationMethod.Read.All"

# create application
$app = New-MgApplication -DisplayName "Maester DevOps"

# create service principal
$graphSpId = (Get-MgServicePrincipal -Filter "displayName eq 'Microsoft Graph'").Id
$sp = New-MgServicePrincipal -AppId $app.appId

## gist:7501f7cc6962dcf75d57a4343232535f
{
    "definition": {
        "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
        "actions": {
            "Condition": {
                "actions": {},
                "else": {
                    "actions": {}
                },
                "expression": {

## gist:a9a92e41f0a5bec4b3019656a8bbe8b0
# Connect to Microsoft Graph
Connect-MgGraph -Scopes Application.Read.All

# Get all Entra ID applications
$allApps = Get-MgApplication -All $true
$array = @()
# Loop through each application
foreach ($app in $allApps) {
    Write-Host "Application Name: $($app.DisplayName)"
	# Connect to Microsoft Graph if not already connected
	if (-not (Get-MgContext)) {
	Connect-MgGraph -Scopes "Policy.Read.All","Group.Read.All","Application.Read.All","Directory.Read.All"
	}

	$results = @()

	# Conditional Access Policies
	$caPolicies = Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"
	foreach ($policy in $caPolicies.value) {
	AuditLogs
	\| where ResultReason == @"User registered Fido2 Authentication Method"
	\| extend UserId = parse_json(TargetResources)[0]["id"]
	$SP_ID = '3b3c5db1-c095-41c7-af10-2a958ccaf91a'

	Connect-MgGraph -Scopes appRoleAssignment.ReadWrite.All,Application.Read.All,Group.ReadWrite.All

	$GraphSP = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
	$AppRole = $GraphSP.AppRoles \| Where-Object {$_.Value -eq "SecurityEvents.Read.All" -and $_.AllowedMemberTypes -contains "Application"}
	New-MgServicePrincipalAppRoleAssignment -AppRoleId $AppRole.Id -ServicePrincipalId $SP_ID -ResourceId $GraphSP.Id -PrincipalId $SP_ID
	Graph PowerShell:

	(Invoke-MgGraphRequest -Uri "/beta/reports/serviceActivity/getMetricsForConditionalAccessBlockedSignIn(inclusiveIntervalStartDateTime=$((Get-Date).AddMinutes(-5).ToString("yyyy-MM-ddTHH:mm:ssZ")),exclusiveIntervalEndDateTime=$((Get-Date).ToString("yyyy-MM-ddTHH:mm:ssZ")),aggregationIntervalInMinutes=5)").value

	Logic App:

	{
	"definition": {
	"$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
	"contentVersion": "1.0.0.0",
	{
	"description": "",
	"name": "Properties Catalog",
	"roleScopeTagIds": [
	"0"
	],
	"platforms": "windows10",
	"technologies": "extensibility",
	"settings": [
	{
	$session = New-Object Microsoft.PowerShell.Commands.WebRequestSession
	$session.UserAgent = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36 Edg/127.0.0.0"
	$session.Cookies.Add((New-Object System.Net.Cookie("MC1", "<redacted>", "/", ".microsoft.com")))
	$session.Cookies.Add((New-Object System.Net.Cookie("ai_user", "<redacted>", "/", "security.microsoft.com")))
	$session.Cookies.Add((New-Object System.Net.Cookie("MicrosoftApplicationsTelemetryDeviceId", "<redacted>", "/", "security.microsoft.com")))
	$session.Cookies.Add((New-Object System.Net.Cookie("SSR", "<redacted>", "/", "security.microsoft.com")))
	$session.Cookies.Add((New-Object System.Net.Cookie("msresearch", "<redacted>", "/", ".microsoft.com")))
	$session.Cookies.Add((New-Object System.Net.Cookie("MSFPC", "<redacted>", "/", "security.microsoft.com")))
	$session.Cookies.Add((New-Object System.Net.Cookie("X-PortalEndpoint-RouteKey", "wusprod_westus", "/", "security.microsoft.com")))
	$session.Coo
	{
	"@odata.context": "https://graph.microsoft.com/beta/$metadata#identity/conditionalAccess/policies/$entity",
	"id": "876aef31-50a3-4c79-b77a-7ba8f8941317",
	"createdDateTime": "2024-09-06T01:23:30.5342067Z",
	"displayName": "PIM - Require strong re-authentication from compliant device",
	"state": "enabledForReportingButNotEnforced",
	"conditions": {
	"clientAppTypes": [ "all" ],
	"signInRiskLevels": [ ],
	"userRiskLevels": [ ],
	# list of permissions
	[array]$permissions = "Directory.Read.All","Policy.Read.All","Reports.Read.All","DirectoryRecommendations.Read.All","PrivilegedAccess.Read.AzureAD","IdentityRiskEvent.Read.All","RoleEligibilitySchedule.Read.Directory","RoleManagement.Read.All","Policy.Read.ConditionalAccess","UserAuthenticationMethod.Read.All"

	# create application
	$app = New-MgApplication -DisplayName "Maester DevOps"

	# create service principal
	$graphSpId = (Get-MgServicePrincipal -Filter "displayName eq 'Microsoft Graph'").Id
	$sp = New-MgServicePrincipal -AppId $app.appId
	{
	"definition": {
	"$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
	"actions": {
	"Condition": {
	"actions": {},
	"else": {
	"actions": {}
	},
	"expression": {
	# Connect to Microsoft Graph
	Connect-MgGraph -Scopes Application.Read.All

	# Get all Entra ID applications
	$allApps = Get-MgApplication -All $true
	$array = @()
	# Loop through each application
	foreach ($app in $allApps) {
	Write-Host "Application Name: $($app.DisplayName)"