19 April 2019

Enable Basic Authentication for one user - Exchange Online

Disable basic authentication, password spray attacks, enable MFA, enable modern authentication now!
These are the topics most blogs post about, tweeters tweet about and Microsoft warns about.
Talk about a panic attack. Of course this is important: you should disable basic auth, enable modern auth with MFA, and implement password protection.

But what if you have an application made in 1990 that requires basic auth to access your Exchange Online environment?

Authentication policies in Exchange Online are assigned per user, so you can make an exception to the tenant-wide block without loosening it for everyone: create a policy that allows basic auth and assign it to that one specific user, while every other account keeps the policy that blocks it. 😎

All this is done in Exchange Online PowerShell.
Create a policy:
New-AuthenticationPolicy -Name "Allow Basic Auth for some ancient application"
Specify what services are allowed to use basic auth:
Set-AuthenticationPolicy -Identity "Allow Basic Auth for some ancient application" -AllowBasicAuthWebServices:$true             
Set-AuthenticationPolicy -Identity "Allow Basic Auth for some ancient application" -AllowBasicAuthOutlookService:$true             
Set-AuthenticationPolicy -Identity "Allow Basic Auth for some ancient application" -AllowBasicAuthReportingWebServices:$true             
Set-AuthenticationPolicy -Identity "Allow Basic Auth for some ancient application" -AllowBasicAuthActiveSync:$true             
Set-AuthenticationPolicy -Identity "Allow Basic Auth for some ancient application" -AllowBasicAuthRest:$true             
Set-AuthenticationPolicy -Identity "Allow Basic Auth for some ancient application" -AllowBasicAuthPowershell:$true             
Set-AuthenticationPolicy -Identity "Allow Basic Auth for some ancient application" -AllowBasicAuthMapi:$true             
Set-AuthenticationPolicy -Identity "Allow Basic Auth for some ancient application" -AllowBasicAuthOfflineAddressBook:$true             
Set-AuthenticationPolicy -Identity "Allow Basic Auth for some ancient application" -AllowBasicAuthAutodiscover:$true             
Set-AuthenticationPolicy -Identity "Allow Basic Auth for some ancient application" -AllowBasicAuthRpc:$true
Check the policy settings:
Get-AuthenticationPolicy -Identity "Allow Basic Auth for some ancient application" | fl AllowBasicAuth*
AllowBasicAuthActiveSync           : True            
AllowBasicAuthAutodiscover         : True            
AllowBasicAuthImap                 : False            
AllowBasicAuthMapi                 : True            
AllowBasicAuthOfflineAddressBook   : True            
AllowBasicAuthOutlookService       : True            
AllowBasicAuthPop                  : False            
AllowBasicAuthReportingWebServices : True            
AllowBasicAuthRest                 : False            
AllowBasicAuthRpc                  : True            
AllowBasicAuthSmtp                 : False            
AllowBasicAuthWebServices          : True            
AllowBasicAuthPowershell           : True
As you can see in the output above, SMTP, POP and IMAP are not allowed to use basic auth. Note that AllowBasicAuthRest also still reads False even though one of the commands above tried to set it, so always treat the Get-AuthenticationPolicy output, not the commands you typed, as the truth about what the policy opens. Of course you could allow the three mail protocols too by adding:
Set-AuthenticationPolicy -Identity "Allow Basic Auth for some ancient application" -AllowBasicAuthSmtp:$true            
Set-AuthenticationPolicy -Identity "Allow Basic Auth for some ancient application" -AllowBasicAuthImap:$true            
Set-AuthenticationPolicy -Identity "Allow Basic Auth for some ancient application" -AllowBasicAuthPop:$true
Then grant a specific user the created policy:
Set-User -Identity LegacyUser -AuthenticationPolicy "Allow Basic Auth for some ancient application"
And check if all went well:
Get-User -Identity LegacyUser | fl auth*            
AuthenticationPolicy : Allow Basic Auth for some ancient application
Name                 : LegacyUser
To list every mailbox user together with the authentication policy assigned to each (the column is blank for users who simply get the tenant default), plus the STSRefreshTokensValidFrom timestamp that shows when the user's tokens were last forced to refresh:
Get-Recipient -RecipientTypeDetails UserMailbox -ResultSize Unlimited | Get-User | Format-Table DisplayName, AuthenticationPolicy, Sts*
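As an added example (not code from the original post), here is the whole procedure in one script, written the way I would actually run it: the policy is created with only the protocols the application needs instead of nearly all of them, the change is forced to apply immediately by invalidating the account's refresh tokens (Set-User -STSRefreshTokensValidFrom, which is what the Sts* column above reports), and the last step is the audit you will want on a schedule. It assumes an already connected Exchange Online PowerShell session; the policy name and the legacy account are placeholders.

```powershell
# Added example, not from the original post. Assumes an Exchange Online PowerShell
# session is already connected. The names below are placeholders.
$PolicyName = 'Allow Basic Auth for some ancient application'
$LegacyUser = 'legacyapp@contoso.onmicrosoft.com'      # placeholder account

# 0. Confirm what everyone else gets: the tenant default policy. If this is blank,
#    basic auth is not blocked by policy at all and the exception below changes nothing.
Get-OrganizationConfig | Format-List DefaultAuthenticationPolicy

# 1. Create the exception policy in one call, opening only the protocols the
#    application really uses (here EWS plus Autodiscover). Every other
#    AllowBasicAuth* setting keeps its default of False.
if (-not (Get-AuthenticationPolicy -Identity $PolicyName -ErrorAction SilentlyContinue)) {
    New-AuthenticationPolicy -Name $PolicyName `
        -AllowBasicAuthWebServices `
        -AllowBasicAuthAutodiscover | Out-Null
}

# 2. Read the policy back; this output, not the commands you typed, is what applies.
Get-AuthenticationPolicy -Identity $PolicyName | Format-List AllowBasicAuth*

# 3. Assign it to the one account, then invalidate that account's refresh tokens so
#    the new policy takes effect now instead of after the normal propagation delay.
Set-User -Identity $LegacyUser -AuthenticationPolicy $PolicyName
Set-User -Identity $LegacyUser -STSRefreshTokensValidFrom ([System.DateTime]::UtcNow)

# 4. Verify the assignment.
Get-User -Identity $LegacyUser | Format-List Name, AuthenticationPolicy, STSRefreshTokensValidFrom

# 5. Audit: every account with an explicit policy is an exception to the tenant
#    default. Run this regularly and make sure each row still has an owner.
Get-User -ResultSize Unlimited |
    Where-Object { $_.AuthenticationPolicy } |
    Select-Object DisplayName, UserPrincipalName, AuthenticationPolicy |
    Sort-Object AuthenticationPolicy |
    Format-Table -AutoSize

# 6. When the application is retired, drop the exception and then the policy itself.
# Set-User -Identity $LegacyUser -AuthenticationPolicy $null
# Remove-AuthenticationPolicy -Identity $PolicyName
```

Step 0 matters because an exception only makes sense relative to a default that blocks basic auth; if the tenant has no default policy, fix that first. Step 5 is the part that stops these exceptions from being forgotten.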
Update:
I just found that if a user has the "Multi-factor Auth status" set to "Enforced", you need to set it to disabled here: https://account.activedirectory.windowsazure.com/UserManagement/MultifactorVerification.aspx

And there you have it: that one user is now able to use basic auth.
Document this properly, because it is a real exposure: the account can now authenticate with nothing but a password on every protocol you opened, which is exactly what a password spray attack is looking for. These little exceptions tend to be forgotten over time, so give the exception an owner and a review date, open only the protocols the application actually needs, and remove the policy assignment the day the application is retired.

02 April 2019

The PowerShellGallery - Find - Install - Deploy - Updating



Discovering packages from the PowerShell Gallery

There are three ways to find packages in the PowerShell Gallery: use the Search control on the Gallery's home page; browse the Modules and Scripts on the Packages page; or run the Find-Module, Find-DscResource or Find-Script cmdlet (depending on the package type) with -Repository PSGallery.

Installing packages from the PowerShell Gallery

To download a package from the Gallery for inspection, without installing it or running anything in it, run either the Save-Module or Save-Script cmdlet.
To install a package from the Gallery for use, run either the Install-Module or Install-Script cmdlet.

Updating packages from the PowerShell Gallery

To update packages installed from the PowerShell Gallery, run either the Update-Module or Update-Script cmdlet.
When run without any additional parameters, Update-Module attempts to update every module that was installed with Install-Module, each to the newest version on the Gallery.
To selectively update modules, add the -Name parameter.

List packages that you have installed from the PowerShell Gallery

To find out which modules you have installed from the PowerShell Gallery, run the Get-InstalledModule cmdlet.
To find out which scripts you have installed from the PowerShell Gallery, run the Get-InstalledScript cmdlet.


Some examples:
Search through all scripts on the Gallery in a GridView window and install the selected script for the current user only (on Windows PowerShell 5.1 that is $env:USERPROFILE\Documents\WindowsPowerShell\Scripts). Note that -Force suppresses the untrusted-repository prompt, so you are trusting whatever you picked in the grid:
Find-Script | Out-Gridview -Title "Select Script to install" -PassThru | Install-Script -Force -Scope CurrentUser

Search through all modules on the Gallery in a GridView window and install the selected module for the current user only ($env:USERPROFILE\Documents\WindowsPowerShell\Modules); again, -Force skips the untrusted-repository prompt:
Find-Module | Out-Gridview -Title "Select Modules to install" -PassThru | Install-Module -Force -Scope CurrentUser

Update all installed modules to whatever version is newest on the Gallery at that moment, without interaction (use -Name and -RequiredVersion instead if you need a specific, reviewed version):
Update-Module -Force

Update all installed scripts without interaction:
Update-Script -Force
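Here is an added example (not from the original post) of the save, inspect, then install flow the Gallery cmdlets support, which I prefer over Out-GridView | Install-Module -Force for anything that lands on a production box: the package is pinned to an exact version, saved without being imported or run, checked for Authenticode status and per-file hashes, grepped for download-and-execute patterns, and only then installed. The module name, version and staging folder are placeholders, and the pattern list is a starting point for reading the source, not a complete detector.

```powershell
# Added example, not from the original post. Module name, version and the staging
# folder are placeholders. Nothing is installed until the review steps have run.
$ModuleName = 'Pester'            # placeholder: the module you are vetting
$Version    = '4.10.1'            # placeholder: pin an exact version, never "latest"
$StagePath  = Join-Path $env:TEMP 'psgallery-review'

# 1. Look the package up on the Gallery and record what you expect to receive.
$pkg = Find-Module -Name $ModuleName -RequiredVersion $Version -Repository PSGallery
$pkg | Format-List Name, Version, Author, CompanyName, PublishedDate, ProjectUri, LicenseUri

# 2. Save, do not install, so the contents can be read before any of it executes.
New-Item -ItemType Directory -Path $StagePath -Force | Out-Null
Save-Module -Name $ModuleName -RequiredVersion $Version -Repository PSGallery -Path $StagePath

# 3. Inspect every code file: Authenticode status, signer, and a SHA-256 you can
#    keep for later comparison. Unsigned files are common on the Gallery and are a
#    reason to read the source, not an automatic fail; HashMismatch is an automatic fail.
$files = Get-ChildItem -Path (Join-Path $StagePath $ModuleName) -Recurse -Include *.ps1, *.psm1, *.psd1, *.dll
$report = foreach ($f in $files) {
    $sig = Get-AuthenticodeSignature -FilePath $f.FullName
    [pscustomobject]@{
        File   = $f.FullName.Substring($StagePath.Length + 1)
        Status = $sig.Status
        Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        SHA256 = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
    }
}
$report | Format-Table -AutoSize

# 4. Grep the saved code for download-and-execute and evasion patterns. Any hit is a
#    line to read by hand, not proof of anything by itself.
$suspicious = 'Invoke-Expression|\bIEX\b|DownloadString|FromBase64String|Add-MpPreference|-EncodedCommand'
$files | Select-String -Pattern $suspicious | Select-Object Path, LineNumber, Line

# 5. Install only after review, pinned to the reviewed version and for the current user.
if ($report | Where-Object { $_.Status -eq 'HashMismatch' }) {
    throw "A file in $ModuleName $Version fails its Authenticode hash check; not installing."
}
Install-Module -Name $ModuleName -RequiredVersion $Version -Repository PSGallery -Scope CurrentUser
Get-InstalledModule -Name $ModuleName | Format-List Name, Version, Repository, InstalledLocation, InstalledDate
```

Keep the $report output with the change record for the box; when Update-Module later pulls a newer version, the same steps run against that version and the hashes tell you exactly which files changed.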