Simon Poirier poiriersimon

View GitHub Profile
@poiriersimon
poiriersimon / Office 365 EXO EWS with Cert Auth API Example.ps1
Last active November 2, 2018 15:19
Exchange Online EWS with Certificate Authentication
#For this example you need an Azure AD app registered with a self-signed cert and a user with EWS access to read email.
#You need AzureAD Module (Save-Module AzureAD -Path C:\temp)
#You need EWS API 2.2 (www.microsoft.com/en-us/download/details.aspx?id=35371)
#The app needs Office 365 API access to read email.
# Permission under Office 365 Exchange Online:
# Admin : Use Exchange Web Services with full access to all mailboxes
# Delegate : Delegated permissions: full_access_as_user – Access mailbox as signed in user via Exc…
# Cert : https://github.com/Azure-Samples/active-directory-dotnet-daemon-certificate-credential/blob/master/Manual-Configuration-Steps.md
<#
$cert=New-SelfSignedCertificate -Subject "CN=Office365APIDemo" -CertStoreLocation "Cert:\CurrentUser\My" -KeyExportPolicy Exportable -KeySpec Signature
@poiriersimon
poiriersimon / ConnectEXOWithToken.ps1
Created September 21, 2018 17:34
Connect to Exchange Online Powershell ADAL without Click-to-Run
#Ref : https://www.michev.info/Blog/Post/1771/hacking-your-way-around-modern-authentication-and-the-powershell-modules-for-office-365
$TenantName = "TENANTNAME.onmicrosoft.com"
$UserPrincipalName = "user@domain.com"
$resourceUri = "https://outlook.office365.com"
$redirectUri = "urn:ietf:wg:oauth:2.0:oob"
$clientid = "a0c73c16-a7e3-4564-9a95-2bdf47383716"
#You need AzureAD Module (Save-Module AzureAD -Path C:\temp)
Add-Type -Path C:\Temp\AzureAD\Microsoft.IdentityModel.Clients.ActiveDirectory.dll
@poiriersimon
poiriersimon / GraphAPI Example.ps1
Created September 21, 2018 17:36
Sample Powershell script to connect and use Microsoft Graph API
#You need AzureAD Module (Save-Module AzureAD -Path C:\temp)
function GetAuthHeaders
{
    [cmdletbinding()]
    param(
        [Parameter(Mandatory = $true)]
        [string]$Tenant = "",
        [Parameter(Mandatory = $true)]
        [string]$UserPrincipalName = ""
    )
@poiriersimon
poiriersimon / Manage Office 365 API Example.ps1
Last active September 21, 2018 17:40
Sample Powershell Script to check the Health of Office 365 Environment with Office 365 Management API
#Create a Web Azure AD Application + Key
#Permission - Office 365 Management APIs (both App and Impersonation)
# - Read service health information for your organization
# - Read activity data for your organization
# Don't forget to click on Grant Permission
# Based on https://github.com/OfficeDev/O365-InvestigationTooling/blob/master/O365InvestigationDataAcquisition.ps1
#Pre-reqs for REST API calls
$ClientID = "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"
$ClientSecret = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
@poiriersimon
poiriersimon / Microsoft Graph API Example - App with Secret.ps1
Created September 21, 2018 17:39
Microsoft Graph API Powershell Example - App with Secret
#Requires an AzureAD App with Microsoft Graph API and
# App Permission
# - Read mail in all mailboxes
# Impersonation Permission
# - Read user and shared mail
# Don't forget to grant permission
#Pre-reqs for REST API calls
$ClientID = "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"
$ClientSecret = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX="
@poiriersimon
poiriersimon / TrapInvalidAuth.ps1
Created September 21, 2018 18:20
Sample Function to catch expired Token in Powershell ADAL and do a new request.
function TrapInvalidAuth {
    Trap {
        # The access token has expired: get a fresh auth header and repeat the request
        if($_ -like "*InvalidAuthenticationToken*"){
            $authHeader = GetAuthHeaders; Invoke-RestMethod -Uri $uri -Headers $authHeader -Method Get
        }
    }
    Invoke-RestMethod -Uri $uri -Headers $authHeader -Method Get
}
function GetAuthHeaders
@poiriersimon
poiriersimon / Connect EWS With User Cred OAUTH.ps1
Created November 2, 2018 15:22
Connect EXO EWS With User Cred OAUTH
#You need AzureAD Module (Save-Module AzureAD -Path C:\temp)
#You need EWS API 2.2 (www.microsoft.com/en-us/download/details.aspx?id=35371)
$UserPrincipalName = "user@TENANTNAME.onmicrosoft.com"
$resourceUri = "https://outlook.office365.com"
$AzureADDLLPath = "C:\Temp\AzureAD"
#EWSEditor ClientId used since it was already registered with the right permission
$clientid = "0e4bf2e2-aa7d-46e8-aa12-263adeb3a62b"
@poiriersimon
poiriersimon / Test-EXO-Connectivity-Endpoint.ps1
Last active August 13, 2019 14:58
Test Exchange Online URL connectivity
# Based on : https://docs.microsoft.com/en-us/office365/enterprise/office-365-ip-web-service
# webservice root URL
$ws = "https://endpoints.office.com"
$clientRequestId = [GUID]::NewGuid().Guid
# invoke endpoints method to get the new data
$endpointSets = Invoke-RestMethod -Uri ($ws + "/endpoints/Worldwide?clientRequestId=" + $clientRequestId)
# filter results for Allow and Optimize endpoints, and transform these into custom objects with port and category
$flatUrls = $endpointSets | where{$_.serviceArea -eq "Exchange" -or $_.serviceArea -eq "Common"}| ForEach-Object {
@poiriersimon
poiriersimon / Check EXO DNS Geo Resolution.ps1
Last active January 9, 2019 15:36
Test if Exchange Online IPs are resolving to the same country as your machine
$CollectorIp = Invoke-RestMethod -Uri 'http://ipinfo.io'
$DNSName = Resolve-DnsName "outlook.office365.com.g.office365.com"
$EXOIpsLocation = $(foreach($ip in $DNSName.ip4Address){Invoke-RestMethod -Uri "http://ipinfo.io/$($Ip)"}) |select -expandproperty Country -Unique
if($EXOIpsLocation -contains $CollectorIp.Country){Write-host "Ok"}
@poiriersimon
poiriersimon / O365 Check Password Policy for Managed Domains.ps1
Created January 9, 2019 15:37
O365 Check Password Policy for Managed Domains
#1 - List managed domains
$ManagedDomains = Get-MsolDomain | Where-Object {$_.AuthenticationType -eq "Managed"}
#2 - Keep only the managed domains that have at least one user (users are fetched once, then matched per domain)
$AllUsers = Get-MsolUser -All
$UsedManagedDomains = @()
foreach ($ManagedDomain in $ManagedDomains){$Users = @($AllUsers | Where-Object {$_.UserPrincipalName -like "*$($ManagedDomain.Name)"} | Select-Object -First 1); if($Users.Count -gt 0){$UsedManagedDomains += $ManagedDomain}}
#3 - Check the password policy of every managed domain with at least one user; no NotificationDays and no ValidityPeriod means no policy is set
$NoPasswordPolicyDomain = @()
foreach($UsedManagedDomain in $UsedManagedDomains){$PasswordPolicy = Get-MsolPasswordPolicy -DomainName $UsedManagedDomain.Name; if($null -eq $PasswordPolicy.NotificationDays -and $null -eq $PasswordPolicy.ValidityPeriod){$NoPasswordPolicyDomain += $UsedManagedDomain}}
#4 - Fail if any managed domain with users has no password policy
If($NoPasswordPolicyDomain.Count -eq 0){Write-Host "PASS"}Else{Write-Host "FAIL for Domain(s) : $($NoPasswordPolicyDomain.Name -join ', ')" }