Adopting Zero-Trust with Microsoft Azure – 1 Day Workshop

Adopting Zero-Trust with Azure - Synopsis

Zero Trust has managed to both inspire and confuse the cyber security industry at the same time. A significant reason for the confusion is that Zero Trust isn’t a specific technology, but a security strategy.

Zero Trust will build on many of your existing security investments, so you may already have made progress on this journey.  Cloudneo can help shape that with you in a short, results-led workshop that unlocks and enables Zero Trust for your organisation, highlighting:

  • Describing the Zero Trust journey and maturity model
  • Advancing Zero Trust with your identity and user access strategy, incorporating password-less technology
  • Understanding and applying user and device compliance with Conditional Access
  • Securing identities, devices, sessions and data on an untrusted network with Azure and Intune
  • Mapping and planning your organisation’s approach for adoption and roll-out
  • Profiling your vendor technologies and roadmaps
  • Analysing your core, perimeter and VPN networks to identify Zero-Trust capabilities

Schedule a workshop today

Services update for Mobile – Cloudneo partners with Lookout

We're expanding our Mobile Security services with Lookout

With 2020 starting a new decade in Endpoint Security, the agile organisation will scrutinize their Mobile estate with the same focus as traditional PCs and Laptops.  Threat vectors are now as common and destructive on mobile platforms as anywhere else.

Cloudneo now supports Lookout solutions across our service lines to support well-protected Azure and OKTA implementations. To embrace Conditional Access features and create true Zero-Trust architectures for our clients, strong Mobile Threat Defence is key.

“Lookout is the leader in mobile security, protecting the device at the intersection of the personal you and the professional you. Our mission is to secure and empower our digital future in a privacy-focused world where mobile devices are essential to all we do for work and play. We enable consumers and employees to protect their data, and to securely stay connected without violating their privacy and trust. Our platform uses artificial intelligence to analyze data from more than 180 million devices and over 100 million apps to protect you from the full spectrum of mobile risk. As a result, Lookout delivers modern endpoint security with the most comprehensive protection from device, network, app and phishing threats without prying into your data.”

The Lookout Security Cloud delivers powerful and flexible protection features that integrate with your EMS solution:

Together Cloudneo and Lookout can offer enterprise-grade compliance and telemetry from your mobile estate, including:

  • Rapid deployment of industry-grade mobile security features
  • Azure and OKTA integrated solutions for Enterprise Identity
  • Integration with Defender ATP for holistic Endpoint Security Management
  • Rapid deployment services to any mobile device with Intune and other UEM solutions

Ask us about protecting your Mobile fleet

Azure AD Graph APIs using PowerShell

So you want to use the Graph API to interact with Azure AD or Intune? Then you would normally follow these generic steps to execute Graph APIs from your programs or scripts:

  1. Register an application and get its App ID and key
  2. Assign the appropriate permissions
  3. Request an authorisation token
  4. Execute Graph APIs by passing the token in the request header

Let’s find an easier way! Graph APIs are an effective way to interact with Azure Active Directory, and whilst the above steps are highly recommended for pragmatic application development, a system admin can shave some effort off this with some PowerShell magic.

The following explains how to execute Graph APIs from PowerShell scripts using Global Admin credentials and WITHOUT registering an application in Azure AD (skipping steps 1 and 2 above).

Note – before you start: ensure the Azure module is installed. To install it, run the PowerShell cmdlet Install-Module Azure.

Step 1: Get the authorisation token for Azure AD PowerShell using the well-known Application ID 1950a258-227b-4e31-a9cf-717495945fc2

You can use the following GetAuthzToken() function in your script by passing parameters for the tenant name and Global Admin credentials.

Function GetAuthzToken
{
    param
    (
        [Parameter(Mandatory=$true)]
        $Tenant,
        $user,
        $Passwd
    )
    Import-Module Azure
    # Well-known client ID of the Azure AD PowerShell application, so no app registration is needed
    $client_Id = "1950a258-227b-4e31-a9cf-717495945fc2"
    $redirect_Uri = "urn:ietf:wg:oauth:2.0:oob"
    # The resource the token is requested for: Microsoft Graph
    $AppId_URI = "https://graph.microsoft.com"
    $authority = "https://login.microsoftonline.com/$Tenant"
    $authContext = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext" -ArgumentList $authority
    $AADCredential = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.UserCredential" -ArgumentList $user,$Passwd
    $authResult = $authContext.AcquireToken($AppId_URI, $client_Id, $AADCredential)
    return $authResult
}

$token = $null
# Enter Tenant Name
$AzureTenant = "<TenantName>.onmicrosoft.com"
# Enter GA Credentials
$username = "<GA Username>"
$userPassword = "<Password>"
$secureStringPwd = $userPassword | ConvertTo-SecureString -AsPlainText -Force
# Get Access token.
$token = GetAuthzToken -Tenant $AzureTenant -user $username -Passwd $secureStringPwd

Here’s the sample token output:

Step 2: Create the Authorization header by adding the security token retrieved in Step 1

Use the CreateAuthorizationHeader() method of the token to build the Authorization header.

# Create Authorization Header
$authHeader = @{
    'Content-Type'  = 'application/json'
    'Authorization' = $token.CreateAuthorizationHeader()
}

Here’s the sample Authorization Header:

Step 3: Execute your Azure AD Graph API by passing the Authorization header

Use the Invoke-RestMethod cmdlet to execute the Graph API. The basic syntax is as follows:

Invoke-RestMethod -Uri <Graph API URI> -Headers $authHeader -Method Get

Tip: Use Graph Explorer (https://developer.microsoft.com/en-us/graph/graph-explorer) to test the Graph APIs before adding into your PowerShell Script.

The following retrieves the members of an Azure AD group. Replace the group ID in the URI with the object ID of your own Azure AD group.

$uri = "https://graph.microsoft.com/v1.0/groups/ed33efc5-70f8-4f87-8276-3ad2513929cc/members"
do
{
    # Get Group Members
    $Response = Invoke-RestMethod -Uri $uri -Headers $authHeader -Method Get
    # Graph pages large result sets; the next page URI is returned in @odata.nextLink
    $uri = $Response.'@odata.nextLink'
    foreach ($user in $Response.value)
    {
        $user.displayName
    }
} while ($Response.'@odata.nextLink')

Here’s the sample Output:

Putting it all together:  the whole script for you to re-use

To test this script, don’t forget to replace the tenant name, credential and group ID placeholders.

Function GetAuthzToken
{
    param
    (
        [Parameter(Mandatory=$true)]
        $Tenant,
        $user,
        $Passwd
    )
    Import-Module Azure
    # Well-known client ID of the Azure AD PowerShell application, so no app registration is needed
    $client_Id = "1950a258-227b-4e31-a9cf-717495945fc2"
    $redirect_Uri = "urn:ietf:wg:oauth:2.0:oob"
    # The resource the token is requested for: Microsoft Graph
    $AppId_URI = "https://graph.microsoft.com"
    $authority = "https://login.microsoftonline.com/$Tenant"
    $authContext = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext" -ArgumentList $authority
    $AADCredential = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.UserCredential" -ArgumentList $user,$Passwd
    $authResult = $authContext.AcquireToken($AppId_URI, $client_Id, $AADCredential)
    return $authResult
}

$token = $null
# Enter Tenant Name
$AzureTenant = "<TenantName>.onmicrosoft.com"
# Enter GA Credentials
$username = "<Username of GA>"
$userPassword = "<Password>"
$secureStringPwd = $userPassword | ConvertTo-SecureString -AsPlainText -Force
# Get Access token.
$token = GetAuthzToken -Tenant $AzureTenant -user $username -Passwd $secureStringPwd

# Create Authorization Header
$authHeader = @{
    'Content-Type'  = 'application/json'
    'Authorization' = $token.CreateAuthorizationHeader()
}

# Replace the group ID with the object ID of your group
$uri = "https://graph.microsoft.com/v1.0/groups/ed33efc5-70f8-4f87-8276-3ad2513929cc/members"

do
{
    # Get Group Members
    $Response = Invoke-RestMethod -Uri $uri -Headers $authHeader -Method Get
    # Follow the next page, if any
    $uri = $Response.'@odata.nextLink'
    foreach ($user in $Response.value)
    {
        $user.displayName
    }
} while ($Response.'@odata.nextLink')
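The loop above handles paging but not Graph throttling, which returns HTTP 429 with a Retry-After header once a script walks a large tenant. The following is an added example (not part of the original post) of a reusable paged GET helper that honours Retry-After and works for any collection or single-object Graph URI. It assumes Windows PowerShell 5.1 (where $_.Exception.Response is an HttpWebResponse), the $authHeader built in Step 2, and a hypothetical function name Invoke-GraphPaged; $top=999 is the maximum page size Graph allows for directory objects.

```powershell
# Added example, not from the original post. Assumes Windows PowerShell 5.1 and $authHeader from Step 2.
Function Invoke-GraphPaged
{
    param([Parameter(Mandatory=$true)][string]$Uri, [Parameter(Mandatory=$true)][hashtable]$AuthHeader, [int]$MaxRetries = 5)
    $results = @()
    while ($Uri)
    {
        $retry = 0
        do
        {
            try
            {
                $Response = Invoke-RestMethod -Uri $Uri -Headers $AuthHeader -Method Get
                break
            }
            catch
            {
                $status = [int]$_.Exception.Response.StatusCode
                # 429 / 503: Graph is throttling us. Honour Retry-After, otherwise back off exponentially.
                if (($status -eq 429 -or $status -eq 503) -and $retry -lt $MaxRetries)
                {
                    $wait = $_.Exception.Response.Headers['Retry-After']
                    if (-not $wait) { $wait = [math]::Pow(2, $retry) }
                    Start-Sleep -Seconds ([int]$wait)
                    $retry++
                }
                else { throw }   # 401/403 (expired token, missing permission) etc. are surfaced to the caller
            }
        } while ($true)
        # Collection responses carry a 'value' array; single-object responses (e.g. /users/{id}) do not
        if ($Response.PSObject.Properties['value']) { $results += $Response.value }
        else { $results += $Response }
        # Server-driven paging: keep going until Graph stops returning a nextLink
        $Uri = $Response.'@odata.nextLink'
    }
    return $results
}

# Replace <GroupId> with the object ID of your group, as in Step 3
$groupId = "<GroupId>"
$members = Invoke-GraphPaged -AuthHeader $authHeader -Uri "https://graph.microsoft.com/v1.0/groups/$groupId/members?`$select=displayName,userPrincipalName&`$top=999"
$members | Select-Object displayName, userPrincipalName
```

If you build $authHeader for this helper, the credentials passed to GetAuthzToken can come from Get-Credential ($cred.UserName and $cred.Password, which is already a SecureString) rather than the plaintext $userPassword kept in the script.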

Want to talk to us about PowerShell, Azure AD and Graph? Get in touch

Chris Hudson

Chris develops our thinking for Identity Management and Azure AD integration. He’s developed lots of cool snippets and tools to help make Identity Sysadmins’ lives that little bit easier. You can follow Chris on LinkedIn below