App Integration to key Cloud Providers

We’re delighted to announce a new addition to our core service lines – a tiered engagement model to help customers integrate applications to their cloud identity providers.  Cloudneo can help you realise the benefits and fully leverage your existing Single-Sign-On investments around OKTA, Microsoft Azure and other key vendors, providing build, operations and automation benefits in short order.

We offer a basic, custom and fully managed service for App Integration, guiding you through PoC, Pilot or full production implementations.  The option to engage Cloudneo’s fully managed service means App on-boarding and ownership are cost-optimised and quick to deploy.  A typical engagement will:

  • Assess the application landscape
  • Define the migration path to a cloud identity provider (Microsoft Azure, OKTA or others)
  • Test, deploy and document one or many applications
  • Up-skill your IT resources around Identity and App integration techniques

Find out more

Start your journey today.  Get in touch to discuss our App Integration services

Adopting Zero-Trust with Microsoft Azure – 1 Day Workshop

Adopting Zero-Trust with Azure - Synopsis

Zero Trust has managed to both inspire and confuse the cyber security industry at the same time. A significant reason for the confusion is that Zero Trust isn’t a specific technology, but a security strategy.

Zero Trust will build on many of your existing security investments, so you may already have made progress on this journey.  Cloudneo can help shape that with you in a short, results-led workshop that unlocks and enables Zero Trust for your organisation, highlighting:

  • The Zero Trust journey and maturity model
  • How to advance Zero Trust with your identity and user access strategy, incorporating password-less technology
  • Understanding and applying user and device compliance with Conditional Access
  • Securing identities, devices, sessions and data on an un-trusted network with Azure and Intune
  • Mapping and planning your organisation’s approach for adoption and roll-out
  • Profiling your vendor technologies and roadmaps
  • Analysing your core, perimeter and VPN networks to identify Zero-Trust capabilities

Schedule a workshop today

Services update for Mobile – Cloudneo partners with Lookout

We're expanding our Mobile Security services with Lookout

With 2020 starting a new decade in Endpoint Security, the agile organisation will scrutinize their Mobile estate with the same focus as traditional PCs and Laptops.  Threat vectors are now as common and destructive on mobile platforms as anywhere else.

Cloudneo now supports Lookout solutions across our service lines to underpin well-protected Azure and OKTA implementations.  To embrace Conditional Access features and create true Zero-Trust architectures for our clients, strong Mobile Threat Defence is key.

“Lookout is the leader in mobile security, protecting the device at the intersection of the personal you and the professional you. Our mission is to secure and empower our digital future in a privacy-focused world where mobile devices are essential to all we do for work and play. We enable consumers and employees to protect their data, and to securely stay connected without violating their privacy and trust. Our platform uses artificial intelligence to analyze data from more than 180 million devices and over 100 million apps to protect you from the full spectrum of mobile risk. As a result, Lookout delivers modern endpoint security with the most comprehensive protection from device, network, app and phishing threats without prying into your data.”

The Lookout Security Cloud delivers powerful and flexible protection features that integrate with your EMS solution.

Together Cloudneo and Lookout can offer enterprise-grade compliance and telemetry from your mobile estate, including:

  • Rapid deployment of industry-grade mobile security features
  • Azure and OKTA integrated solutions for Enterprise Identity
  • Integration with Defender ATP for holistic Endpoint Security Management
  • Rapid deployment services to any mobile device with Intune and other UEM solutions

Ask us about protecting your Mobile fleet

Cloud Identity and Security Assessment

A further addition to our core service lines, this multi-day assessment is targeted at helping customers evaluate current Cloud Identity and Security deployment patterns.  Cloudneo will carry out an analysis of your ‘current state’ and then evaluate this against best practices shared by vendors and our SMEs.  Whether your Cloud Estate is deployed on an OKTA, Microsoft Azure or Google platform, we can analyse and provide build, operations and automation benefits in short order.

This assessment is a one-week engagement with a pre-defined scope based on best practice; however, we can adapt it to provide guidance on building a PoC, Pilot or full production implementation.   Typically, we will cover:

  • Expert analysis and report on current and desired state
  • Cloud identity evaluation and alignment to vendor recommended practices
  • Recommendations on key areas to focus on within cloud identity and security
  • Guidance provided to leadership teams, architects and system engineers

Find out more

Start your journey today.  Get in touch to discuss our Cloud Identity and Security assessment

Azure AD Graph APIs using PowerShell

So you want to use the Graph API to interact with Azure AD or Intune?  Normally you need to follow these generic steps to execute Graph APIs from your programs or scripts:

  1. Register an Application and get its App Key and ID
  2. Assign the appropriate Permissions
  3. Request an Authorisation Token
  4. Execute Graph APIs by passing the token in the Request Header

Let’s find an easier way!  Graph APIs are an effective way to interact with Azure Active Directory and, whilst the above steps are highly recommended for pragmatic application development, a System Admin can shave some effort off this with some PowerShell magic.

The following explains how to execute Graph APIs from PowerShell scripts using Global Admin credentials and WITHOUT registering an application in Azure AD (skipping steps 1 and 2 above).

Note – before you start: ensure the Azure module is installed. To install it, run the PowerShell cmdlet Install-Module Azure.

Step 1:  Get the Authorisation Token for Azure AD PowerShell using the well-known Application ID "1950a258-227b-4e31-a9cf-717495945fc2"

You can use the following GetAuthzToken() function in your script by passing parameters for the Tenant Name and Global Admin credentials.

Function GetAuthzToken
{
    param
    (
        [Parameter(Mandatory=$true)]
        $Tenant,
        $user,
        $Passwd
    )

    # The classic Azure module ships the ADAL assembly used below
    Import-Module Azure

    # Well-known client ID of the Azure AD PowerShell application
    $client_Id    = "1950a258-227b-4e31-a9cf-717495945fc2"
    $redirect_Uri = "urn:ietf:wg:oauth:2.0:oob"
    $AppId_URI    = "https://graph.microsoft.com"
    $authority    = "https://login.microsoftonline.com/$Tenant"

    $authContext   = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext" -ArgumentList $authority
    $AADCredential = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.UserCredential" -ArgumentList $user,$Passwd
    $authResult    = $authContext.AcquireToken($AppId_URI, $client_Id, $AADCredential)

    return $authResult
}

$token = $null
# Enter Tenant Name
$AzureTenant = "<TenantName>.onmicrosoft.com"
# Enter GA Credentials
$username     = "<GA Username>"
$userPassword = "<Password>"
$secureStringPwd = $userPassword | ConvertTo-SecureString -AsPlainText -Force
# Get Access token
$token = GetAuthzToken -Tenant $AzureTenant -user $username -Passwd $secureStringPwd

Here’s the sample token output:

Step 2: Create the Authorization Header by adding the Security Token retrieved in Step 1

Use the CreateAuthorizationHeader() method to build the Authorisation header:

# Create Authorization Header
$authHeader = @{
    'Content-Type'  = 'application/json'
    'Authorization' = $token.CreateAuthorizationHeader()
}

Here’s the sample Authorization Header:

Step 3: Execute your Azure AD Graph API by passing the Authorization Header

Use the Invoke-RestMethod cmdlet to execute the Graph API. The basic syntax is as follows:

Invoke-RestMethod -Uri <Graph API URI> -Headers $authHeader -Method Get

Tip: Use Graph Explorer (https://developer.microsoft.com/en-us/graph/graph-explorer) to test the Graph APIs before adding into your PowerShell Script.

The following retrieves the members of an Azure AD Group and follows the @odata.nextLink paging links until every page has been read. The GUID in the URI is the Azure AD Group ID; replace it with your own group’s ID.

$uri = "https://graph.microsoft.com/v1.0/groups/ed33efc5-70f8-4f87-8276-3ad2513929cc/members"
do
{
    # Get one page of Group Members
    $Response = Invoke-RestMethod -Uri $uri -Headers $authHeader -Method Get

    # Graph returns at most one page at a time; nextLink points at the following page
    $uri = $Response.'@odata.nextLink'
    foreach ($user in $Response.value)
    {
        $user.displayName
    }
} while ($Response.'@odata.nextLink')

Here’s the sample Output:

Putting it all together:  the whole script for you to re-use

To test this script, don’t forget to replace the tenant name, Global Admin credentials and Group ID placeholders.

Function GetAuthzToken
{
    param
    (
        [Parameter(Mandatory=$true)]
        $Tenant,
        $user,
        $Passwd
    )

    # The classic Azure module ships the ADAL assembly used below
    Import-Module Azure

    # Well-known client ID of the Azure AD PowerShell application
    $client_Id    = "1950a258-227b-4e31-a9cf-717495945fc2"
    $redirect_Uri = "urn:ietf:wg:oauth:2.0:oob"
    $AppId_URI    = "https://graph.microsoft.com"
    $authority    = "https://login.microsoftonline.com/$Tenant"

    $authContext   = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext" -ArgumentList $authority
    $AADCredential = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.UserCredential" -ArgumentList $user,$Passwd
    $authResult    = $authContext.AcquireToken($AppId_URI, $client_Id, $AADCredential)

    return $authResult
}

$token = $null
# Enter Tenant Name
$AzureTenant = "<TenantName>.onmicrosoft.com"
# Enter GA Credentials
$username     = "<Username of GA>"
$userPassword = "<Password>"
$secureStringPwd = $userPassword | ConvertTo-SecureString -AsPlainText -Force
# Get Access token
$token = GetAuthzToken -Tenant $AzureTenant -user $username -Passwd $secureStringPwd

# Create Authorization Header
$authHeader = @{
    'Content-Type'  = 'application/json'
    'Authorization' = $token.CreateAuthorizationHeader()
}

# Replace the GUID with your Group ID
$uri = "https://graph.microsoft.com/v1.0/groups/ed33efc5-70f8-4f87-8276-3ad2513929cc/members"

do
{
    # Get one page of Group Members
    $Response = Invoke-RestMethod -Uri $uri -Headers $authHeader -Method Get

    # Follow the paging link until there are no more pages
    $uri = $Response.'@odata.nextLink'
    foreach ($user in $Response.value)
    {
        $user.displayName
    }
} while ($Response.'@odata.nextLink')
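As an added example (not part of the original post), the paging loop above generalised into a reusable function that follows @odata.nextLink for any Graph collection and backs off on HTTP 429 throttling, plus a usage that prompts for the Global Admin credential instead of embedding the password in the script. It assumes Windows PowerShell 5.1 (where the error response is an HttpWebResponse), the GetAuthzToken function from the post, and placeholder tenant and group values.

```powershell
# Added example: reusable, paginated Graph query (assumes Windows PowerShell 5.1)
Function Invoke-GraphPagedRequest
{
    param
    (
        [Parameter(Mandatory=$true)] [string]    $Uri,
        [Parameter(Mandatory=$true)] [hashtable] $AuthHeader,
        [int] $MaxRetries = 5
    )

    $results = @()
    $next = $Uri
    while ($next)
    {
        $attempt = 0
        $page = $null
        do
        {
            try
            {
                $page = Invoke-RestMethod -Uri $next -Headers $AuthHeader -Method Get
                break
            }
            catch
            {
                $status = $null
                if ($_.Exception.Response) { $status = [int]$_.Exception.Response.StatusCode }
                # Only retry on throttling (429); anything else is a real error
                if ($status -ne 429 -or $attempt -ge $MaxRetries) { throw }
                # Honour the Retry-After header Graph sends when throttling, else wait 5s
                $wait = 5
                $retryAfter = $_.Exception.Response.Headers['Retry-After']
                if ($retryAfter) { $wait = [int]$retryAfter }
                Start-Sleep -Seconds $wait
                $attempt++
            }
        } while ($true)

        # Collections come back under 'value'; single objects come back as-is
        if ($page.PSObject.Properties.Name -contains 'value') { $results += $page.value } else { $results += $page }
        $next = $page.'@odata.nextLink'
    }
    return $results
}

# Usage: prompt for the GA credential (SecureString password, never stored in the script),
# then reuse the post's GetAuthzToken and header construction. Placeholders are assumptions.
$cred   = Get-Credential -Message "Global Admin account"
$token  = GetAuthzToken -Tenant "<TenantName>.onmicrosoft.com" -user $cred.UserName -Passwd $cred.Password
$authHeader = @{ 'Content-Type' = 'application/json'; 'Authorization' = $token.CreateAuthorizationHeader() }
$members = Invoke-GraphPagedRequest -Uri "https://graph.microsoft.com/v1.0/groups/<GroupId>/members" -AuthHeader $authHeader
$members | Select-Object displayName, userPrincipalName
```

Because this flow submits a username and password directly to Azure AD, it cannot complete MFA or Conditional Access challenges, so keep the Global Admin account used here tightly scoped and monitor its sign-ins.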

Want to talk to us about PowerShell and AzureAD and Graph?  Get in touch

Chris Hudson

Chris develops our thinking for Identity Management and Azure AD integration.  He’s developed lots of cool snippets and tools to help make Identity Sysadmins’ lives that little bit easier.  You can follow Chris on LinkedIn below