Featured image of post Automating with PowerShell: Deploying External e-mail markers

Automating with PowerShell: Deploying External e-mail markers

A while back I’ve blogged about deploying e-mail spoofing warnings. These warns inject a little bit of HTML into e-mails to let people know a e-mail is external or not trusted. For a while now Microsoft has a native option for this. You do need a somewhat recent version of Outlook but the native version works a little better than just injecting HTML.

A lot of bad actors these days understand we’re injecting HTML and have started adding CSS/HTML to their spoofed e-mails to hide this warning. Using Microsoft’s native warnings this cannot happen. These native warnings are actually a part of the client instead of just some injected code.

Deploying it is pretty easy; Microsoft has created a new cmdlet called “Set ExternalInOutlook”. Of course as Microsoft Partners we get to execute this for all of our partners using the Secure Application Model.

I’d really recommend to just set this up for all tenants, as it’s a nice and unobtrusive method of showing these warnings.

All Tenants Script

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
$ApplicationId = 'AppID'
$ApplicationSecret = 'AppSecret'
$RefreshToken = 'RefreshTokens'
$ENV:ExchangeRefreshToken = 'YourExchangeRefreshToken'
#
$credential = New-Object System.Management.Automation.PSCredential($ApplicationId, ($ApplicationSecret | ConvertTo-SecureString -AsPlainText -Force))
$graphToken = New-PartnerAccessToken -ApplicationId $ApplicationId -Credential $credential -RefreshToken $refreshToken -Scopes 'https://graph.microsoft.com/.default' -ServicePrincipal

Write-Host "Connecting to the Graph API to get all tenants." -ForegroundColor Green
$Contractheaders = @{ "Authorization" = "Bearer $($graphToken.accesstoken)" }
$Customers = (Invoke-RestMethod -Uri "https://graph.microsoft.com/v1.0/contracts?`$top=999" -Method GET -Headers $Contractheaders).value
foreach ($Customer in $Customers) {
    try {
        $upn = "notRequired@required.com"
        $uri = "https://login.microsoftonline.com/$($customer.customerid)/oauth2/token"
        $body = "resource=a0c73c16-a7e3-4564-9a95-2bdf47383716&grant_type=refresh_token&refresh_token=$($ENV:ExchangeRefreshToken)"
        $token = (Invoke-RestMethod $uri -Body $body -ContentType "application/x-www-form-urlencoded" -ErrorAction SilentlyContinue -Method post).accesstoken | ConvertTo-SecureString -Force -AsPlainText
        $credential = New-Object System.Management.Automation.PSCredential($upn, $tokenValue)
        $session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri "https://ps.outlook.com/powershell-liveid?DelegatedOrg=$($customer.customerid)&BasicAuthToOAuthConversion=true" -Credential $credential -Authentication Basic -AllowRedirection -ErrorAction Continue
        Import-PSSession $session -ea Silentlycontinue -AllowClobber -CommandName "Set-ExternalInOutlook"
        Set-ExternalInOutlook -Enabled $true
        Get-PSSession | Remove-PSSession

    }
    catch {

write-host "Failed to set for $($customer.customerid)" }

}

And that’s it! as always, Happy PowerShelling. 🙂

All blogs are posted under AGPL3.0 unless stated otherwise
comments powered by Disqus
Built with Hugo
Theme Stack designed by Jimmy