
Managing Office 365/Azure tenants using powershell

One of the fantastic benefits of having Microsoft partner portal access is the ability to remotely manage your clients/tenants. One of the downsides is that the partner portal is sometimes somewhat slow, or has a convoluted approach to remote management. A great way to resolve this is by using PowerShell to manage the tenants instead. This is just a quick post that could help you understand the commands involved:

First off – you'll need to download and install the tooling required to connect to the Azure PowerShell objects:

  • Download the Microsoft Online Services Sign-In Assistant for IT Professionals: here
  • Download the Microsoft Azure Active Directory Powershell objects here

After downloading these and doing the required reboots, you'll be able to connect to Azure/O365 by issuing the following command in your new Azure PowerShell module:

connect-msolservice

After connecting to the MSOL service you have access to the Microsoft Online Services modules. To manage the tenants you are a partner for, we'll first retrieve the tenant IDs that are available to us by executing the following command:

Get-MsolPartnerContract  | fl

Of course, this gives us way too much information – we only need the tenant ID. To get just that, we execute one of the following:

Get-MsolPartnerContract -All
OR
Get-MsolPartnerContract -Domainname ClientDomain.ORG

Now, with this tenant ID, we're able to execute PowerShell commands against the tenant instead of our own environment, simply by adding -TenantId to the normal MSOL commands, e.g.

Get-MsolUser -TenantId tenantID | set-msoluser -StrongPasswordRequired $true
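As an added example (not from the original post), the per-tenant one-liner above extended into a report across every delegated tenant: it lists the users in each tenant whose StrongPasswordRequired flag is off and, only when -Enforce is given, turns it on. It assumes Connect-MsolService has already succeeded; the function and switch names are this example's own.

```powershell
# Added example, not the post's own code. Assumes Connect-MsolService has run.
function Invoke-TenantStrongPasswordAudit {
    param(
        [switch]$Enforce   # without this switch nothing is changed, only reported
    )
    # One PartnerContract object per delegated tenant; TenantId and
    # DefaultDomainName are properties of that object.
    foreach ($contract in (Get-MsolPartnerContract -All)) {
        $tenantId = $contract.TenantId
        # -TenantId makes the query run against the client tenant, as in the post.
        $weak = @(Get-MsolUser -TenantId $tenantId -All |
                  Where-Object { $_.StrongPasswordRequired -eq $false })
        if ($Enforce) {
            foreach ($user in $weak) {
                # Same cmdlet as the one-liner in the post, but targeted per user.
                Set-MsolUser -TenantId $tenantId -ObjectId $user.ObjectId -StrongPasswordRequired $true
            }
        }
        # One summary row per tenant; pipe to Format-Table or Export-Csv.
        [pscustomobject]@{
            Tenant    = $contract.DefaultDomainName
            TenantId  = $tenantId
            WeakUsers = $weak.Count
            Users     = ($weak | Select-Object -ExpandProperty UserPrincipalName) -join ';'
            Enforced  = [bool]$Enforce
        }
    }
}
# Report only first, then rerun with -Enforce once the list looks right.
Invoke-TenantStrongPasswordAudit | Format-Table -AutoSize
```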

Happy PowerShelling!

Using Azure MFA on an onsite RDS 2012R2

Azure MFA is a fantastic product – it's easy to set up and maintain, and not very costly to purchase (for pricing, click here). The great thing about Azure MFA is that it becomes very easy to secure your local directory, but also your remote desktop connections to your 2008/2012 RDS farms. There is just one downside: out of the box, Remote Desktop (Terminal Services) security does not work on Server 2012R2. I'm not sure why Microsoft decided not to support 2012R2 RDP access. I actually have a ticket outstanding with the Azure MFA team.

Of course there is a solution; instead of securing direct RDP access, you can secure Remote Desktop Gateway and have your users connect through the Remote Desktop Gateway. This might sound like a large change, but I always advise my clients to use RD Gateway anyway – mostly because it is accessible from almost all locations since it runs on port 443, and the SSL security is a nice added bonus.

To add MFA to RD Gateway we need to perform the following prerequisites:

  1. Deploy a standard RD-Gateway, with NPS. This can be done on a separate server, or on the RDS server if you have a small farm.
  2. Deploy Microsoft Azure MFA on a different server. Please note: MFA and NPS cannot run on the same server, because the NPS and MFA RADIUS services listen on the same ports. For a good tutorial on how to install Azure MFA see the following link: link
  3. Open port 443 to your RD gateway server.
  4. Choose a shared secret and note it – We’ll use the example “ThisIsNotASecret”

After performing the first 3 steps, it's time to set up RD Gateway, NPS and the Azure MFA Server.

RD Gateway setup:

  • Open the RD Gateway console, and right-click the server name, choose the tab “RD CAP Store”
  • Turn off the “Request clients to send a statement of health” check box if you have clients that are not NAP capable.
  • Select “Central server running NPS” and remove the current server if there is any, Now enter the hostname of the MFA server and our selected shared secret “ThisIsNotASecret”.
  • Close the Console – we’re done on this side. 🙂

NPS Setup:

  • Open the NPS console and go to RADIUS Clients, right-click and select New.
  • Enter a friendly name – e.g. AzureMFA – and note this.
  • Enter the IP of the MFA server and our selected shared secret “ThisIsNotASecret”.
  • Click OK and move to “Remote RADIUS Servers” in the left-hand menu.
  • Double-click the default TS Gateway Server Group and click Edit, select the Azure MFA server from this list and click Load Balancing.
    • Change the priority to 1 and the weight to 50.
    • Change the number of seconds before a connection is dropped to 45 seconds (could be less, but I select 45 seconds to keep uniformity among servers).
    • Change the number of seconds before the server is marked unavailable to 45 seconds (could be less, but I select 45 seconds to keep uniformity among servers).
    • Click OK and close this window. Move to Connection Request Policies.
  • You should see the default connection policy here – disable or delete this, as we will create our own policies.
  • Right-click the policies and select “New”. Name this policy “Receive MFA Requests”. The settings for this policy are:
    • NAS Port type: Virtual(VPN)
    • Client Friendly Name: AzureMFA
    • Authentication Provider: Local Computer
    • Override Authentication: Disabled
  • Create another policy and name this “Send MFA requests”. The settings for this policy are:
    • NAS Port type: Virtual (VPN)
    • Accounting provider name: TS GATEWAY SERVERS GROUP
    • Authentication Provider name: TS GATEWAY SERVER GROUP
    • Authentication provider: Forwarding request
  • And that concludes the NPS setup. Almost there! 🙂

Azure MFA Setup:

The last steps are fairly straight forward:

  • Open the MFA administrator console and select the RADIUS option in the left hand menu.
  • Enable Radius and on the clients tab add the IP of the NPS server.
  • Enter the shared secret “ThisIsNotASecret”.
  • Now select the tab “Targets” and enter the IP of the RDS Server.
  • Go to the left hand menu and select user. Enable a user for tests with SMS messages or the app.
  • Open the Windows Firewall for inbound Radius traffic
  • Test! 🙂 If you followed the manual to the letter you now secured your RD Gateway with MFA.
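Added example (not part of the original post): the RADIUS client entry from the NPS setup and the inbound firewall opening, done from PowerShell, with a randomly generated shared secret in place of the post's example value “ThisIsNotASecret”. It assumes the NPS role and its PowerShell module are installed on the box where it runs; the MFA server address and the function names are this example's own, and the port numbers are the standard RADIUS ports, which the post does not list.

```powershell
# Added example, not the post's own code. Assumes the NPS role (and its
# PowerShell module) is installed; all names and addresses are placeholders.
function New-StrongRadiusSecret {
    param([int]$Length = 32)
    # Printable, unambiguous characters; all of them can be typed into the RD Gateway and MFA consoles.
    $alphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789!#%&*+-=?@'
    $rng = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    $buf = New-Object byte[] 1
    $limit = 256 - (256 % $alphabet.Length)   # rejection bound, avoids modulo bias
    $sb = New-Object System.Text.StringBuilder
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) { [void]$sb.Append($alphabet[$buf[0] % $alphabet.Length]) }
    }
    $sb.ToString()
}

function Register-MfaRadiusClient {
    param(
        [Parameter(Mandatory)][string]$MfaServerAddress,   # IP of the Azure MFA server
        [string]$FriendlyName = 'AzureMFA',                # must match "Client Friendly Name" in the policy
        [string]$SharedSecret = (New-StrongRadiusSecret)
    )
    # The "RADIUS Clients -> New" step from the post.
    New-NpsRadiusClient -Name $FriendlyName -Address $MfaServerAddress -SharedSecret $SharedSecret | Out-Null
    # Inbound RADIUS from the MFA server only: UDP 1812/1813 (authentication/accounting)
    # plus the legacy 1645/1646 ports.
    New-NetFirewallRule -DisplayName 'RADIUS inbound (Azure MFA)' -Direction Inbound -Protocol UDP `
        -LocalPort 1812,1813,1645,1646 -RemoteAddress $MfaServerAddress -Action Allow | Out-Null
    # Returned once so the same value can be entered on the RD Gateway and the MFA server.
    $SharedSecret
}
$secret = Register-MfaRadiusClient -MfaServerAddress '10.0.0.20'   # placeholder address
```

The same secret must then be entered in the RD Gateway CAP store and on the MFA server's RADIUS clients tab, exactly as the post does with its example value.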


Happy MFA’ing! 🙂

Forcing DFS to prefer the local DC, Without creating subnets and sites

I recently did some temporary work on a legacy environment for a client. This client had recently added some 2012 servers as domain controllers and file servers. The only issue was that there was no way the client could edit Sites and Services to create correct sites and associated subnets, because a legacy in-house application depended on the default site containing all domain controllers.

The client only had 2 sites (Belgium and NL), and to resolve this we simply edited the registry on both DC/file servers with the following key:

Name: PreferLogonDC
Type: DWORD (32-bit)
Value: 1
Location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dfs

Just note that this only does the magic for the default DFS shares NETLOGON and SYSVOL, and of course I advised the client to stop using that awful in-house application 😉
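Added example (not from the original post): the PreferLogonDC value above applied to a list of servers over PowerShell remoting and read back, so the change is verifiable on each box instead of a manual regedit. The server names are placeholders and the function name is this example's own.

```powershell
# Added example, not the post's own code. Server names are placeholders.
function Set-DfsPreferLogonDC {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [int]$Value = 1    # 1 = prefer the logon DC for NETLOGON/SYSVOL referrals, as in the post
    )
    Invoke-Command -ComputerName $ComputerName -ArgumentList $Value -ScriptBlock {
        param($Value)
        $path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Dfs'
        # -Force creates the value if it is missing and overwrites it if it exists; DWORD as in the post.
        New-ItemProperty -Path $path -Name 'PreferLogonDC' -PropertyType DWord -Value $Value -Force | Out-Null
        # Read back what is actually stored so the result can be checked per server.
        [pscustomobject]@{
            Computer      = $env:COMPUTERNAME
            PreferLogonDC = (Get-ItemProperty -Path $path -Name 'PreferLogonDC').PreferLogonDC
        }
    }
}
Set-DfsPreferLogonDC -ComputerName 'DC-BE-01', 'DC-NL-01' | Format-Table Computer, PreferLogonDC
```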

Using powershell to backup SSH devices (And more!)

I've recently been moving to a new RMM product that offers better automation policies than the one I used before. The new RMM product also has the ability to run scripts with input and output from the RMM product itself – e.g. if a network contains a Juniper router, you can run automation policies based on the devices in that network.

Of course this opens up great opportunities for automating device-based backups of routers, switches, etc. I've created a PowerShell script to automate this. The script currently supports Draytek, Juniper SRX series, Juniper SSG series and SonicWall devices :). The script is pretty much self-explanatory thanks to the comments.

#######################################
# script created by TeGek – http://www.cyberdrain.com
# Router / Juniper SRX backup script version 0.1
# Runs a backup of the router config, drops the file in C:\RouterBackups and uploads this file to a remote FTP site.
# Parameters: RouterIP, DeviceType, Username, Password
#######################################
Param(
    [string]$RouterIP,
    [string]$DeviceType,
    [string]$Username,
    [string]$Password   # passed in clear text by the RMM job; only held as a SecureString below
)
#######################################
# Set variables and create a credential object for the router's username/password.
$date = Get-Date -Format "dd-M-yyyy"   # We get the date in the European format.
$clientID = $env:USERDNSDOMAIN         # We use the user DNS domain as the client name; it assists in FTP uploads and shows who this config file belongs to.
$secpasswd = ConvertTo-SecureString $Password -AsPlainText -Force
$mycreds = New-Object System.Management.Automation.PSCredential ($Username, $secpasswd)
$FTPSERVER = "1.1.1.1"
#######################################
# Set the correct command based on the device type. To add a device, copy one of these lines and enter the correct SSH command.
# A switch statement would have been nicer here, but this is quicker to copy. Note: -eq compares; a single "=" would assign.
$command = $null
if ($DeviceType -eq "Juniperssg") { $command = "get config" }
if ($DeviceType -eq "Junipersrx") { $command = "cli show config" }
if ($DeviceType -eq "draytek")    { $command = "sys config" }
if ($DeviceType -eq "sonicwall")  { $command = "export current-config cli" }
if (-not $command) {
    Write-Host "Unknown device type '$DeviceType', Backup Failed"
    exit 1
}
#######################################
# Next, create the directory on C:\ to store the temporary files. -Force reuses an existing folder without error,
# so you can also choose to keep this folder intact for local router backups :)
try {
    New-Item -Path C:\RouterBackups -ItemType Directory -Force -ErrorAction Stop | Out-Null
} catch {
    Write-Host "Could not create C:\RouterBackups, Backup Failed"
    exit 1
}
#######################################
# We download darkoperator/Carlos Perez's SSH client (Posh-SSH). For more information go to: http://www.darkoperator.com/.
try {
    iex (New-Object Net.WebClient).DownloadString("https://gist.github.com/darkoperator/6152630/raw/c67de4f7cd780ba367cccbc2593f38d18ce6df89/instposhsshdev")
    Import-Module "$env:homepath\documents\windowspowershell\modules\posh-ssh" -ErrorAction Stop
} catch {
    Write-Host "Download SSH client failed! Backup Failed"
    exit 1
}
#######################################
# After downloading, open an SSH session, run the backup command for this device type and save its output to a file.
# Invoke-SSHCommand returns an object; the text of the router's reply is in its Output property.
$outfile = "C:\RouterBackups\$clientID-$date.txt"
try {
    $session = New-SSHSession -ComputerName $RouterIP -Credential $mycreds -ErrorAction Stop
    $result = Invoke-SSHCommand -SSHSession $session -Command $command -ErrorAction Stop
    $result.Output | Out-File -FilePath $outfile
    Remove-SSHSession -SSHSession $session | Out-Null
} catch {
    Write-Host "Could not connect to SSH, Backup Failed"
    exit 1
}
#######################################
# And here we try to upload the file – if it's not required just delete this section :)
# Plain FTP sends the config (and any credentials it contains) unencrypted, so only use it over a trusted network.
try {
    $ftp = "ftp://$FTPSERVER/$clientID-$date.txt"
    "ftp url: $ftp"
    $webclient = New-Object System.Net.WebClient
    $uri = New-Object System.Uri($ftp)
    "Uploading $outfile..."
    $webclient.UploadFile($uri, $outfile)
} catch {
    Write-Host "Uploading file to FTP Failed!"
}