Showing posts with label Remote PowerShell. Show all posts

16 September 2022

Disable Exchange Online Remote PowerShell for users with PowerShell

A regular user has no need for remote PowerShell access to Exchange Online.
So, we're going to disable it.

This is not as easy as you might think. I saw an article by "The Cloudtechnologist" (disable-exchange-online-remote-powershell-for-users-as-a-scheduled-task), but this is for Global admins only. What if you have roles assigned to Exchange Admins that are not Global admins?

This might help:

At line 26: edit your username (the Connect-ExchangeOnline line).
At lines 28 to 40 you disable all user accounts that are synced from on-premises (the "# Dir synced users" block).
At lines 44 to 56 you disable all guest users (the "# Guest users" block).
At lines 59 to 71 you disable all room mailboxes (the "# Teams Rooms" block).
At lines 73 to 80 you can create a list of all accounts that are still enabled for remote PowerShell; go through the list manually and use it to disable access for the remaining users (the "# Block for a list of users" block).

You might need to change the filters to something that works for you, and as always with stuff found on the interwebs, test test test.

#region functions
<#
.SYNOPSIS
Script to disable Exchange Online RemotePowerShell access for users, guests and RoomMailboxes
.DESCRIPTION
Disables Exchange Online RemotePowerShell access for users, guests and room mailboxes, and lets the remaining users be disabled by file list.
.PARAMETERS
None
.EXAMPLE
Disable-EXOPowerShellForUsers
.By
Edwin van Brenk
.For
Company
.Version
1.0
.Date
13-09-2022
.SOA
SOA-212
#>


Import-Module -Name ExchangeOnlineManagement

Connect-ExchangeOnline -UserPrincipalName username@company.com

# Dir synced users

Write-Host "Disable-EXOPowerShellForUsers: process: Getting all dirsynced users from tenant"
$Users = Get-User -ResultSize unlimited | where-object {$_.isdirsynced -eq 'True'}

foreach ($User in $Users) {
            try {
                Write-Host "Disable-EXOPowerShellForUsers: process: Updating $($User.WindowsEmailAddress)"
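                # -ErrorAction Stop makes Set-User errors terminating, so the catch block actually runs
                Set-User -Identity $User.WindowsLiveID -RemotePowerShellEnabled $false -Confirm:$false -ErrorAction Stop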
            }
            catch {
                Write-Warning "Something went wrong with $($User.WindowsEmailAddress)"
                continue
            }
            $user = $null
        }

$number = $Users.Count
Write-host "$number of users have been updated"

# Guest users

Write-Host "Disable-EXOPowerShellForUsers: process: Getting all guest users from tenant"
$GuestUsers = Get-User -ResultSize unlimited | where-object {$_.RecipienttypeDetails -eq 'GuestMailUser'}

foreach ($GuestUser in $GuestUsers) {
            try {
                Write-Host "Disable-EXOPowerShellForUsers: process: Updating $($GuestUser.Identity)"
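                # -ErrorAction Stop makes Set-User errors terminating, so the catch block actually runs
                Set-User -Identity $GuestUser.WindowsLiveID -RemotePowerShellEnabled $false -Confirm:$false -ErrorAction Stop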
            }
            catch {
                Write-Warning "Something went wrong with $($GuestUser.WindowsLiveID)"
                continue
            }
            $GuestUser = $null
        }

$number = $GuestUsers.Count
Write-host "$number Guest users have been updated"

# Teams Rooms

Write-Host "Disable-EXOPowerShellForUsers: process: Getting all TeamRooms from tenant"
$TeamsRooms = Get-User -ResultSize unlimited | where-object {$_.RecipienttypeDetails -eq 'RoomMailbox'}

foreach ($TeamsRoom in $TeamsRooms) {
            try {
                Write-Host "Disable-EXOPowerShellForUsers: process: Updating $($TeamsRoom.WindowsEmailAddress)"
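                # -ErrorAction Stop makes Set-User errors terminating, so the catch block actually runs
                Set-User -Identity $TeamsRoom.WindowsLiveID -RemotePowerShellEnabled $false -Confirm:$false -ErrorAction Stop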
            }
            catch {
                Write-Warning "Something went wrong with $($TeamsRoom.WindowsLiveID)"
                continue
            }
            $TeamsRoom = $null
        }

$number = $TeamsRooms.Count
Write-host "$number TeamsRooms have been updated"

# Block for a list of users

$UserList = Get-Content "C:\Users\Username\OneDrive - Company\Security Optimization Assesment\2022\Scripts\userlist.txt"
$UserList | foreach {Set-User -Identity $_ -RemotePowerShellEnabled $false}


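# Export every account that is still enabled, for manual review.
# A trailing pipe continues the line by itself; the backtick followed by a space broke the continuation.
Get-User -ResultSize unlimited -Filter 'RemotePowerShellEnabled -eq $true' | Select-Object Name, WindowsLiveID, WindowsEmailAddress, RecipientType, RecipientTypeDetails |
Export-Csv -Path "C:\Users\Username\OneDrive - Company\Security Optimization Assesment\2022\Scripts\AcceptedEnabledRemotePowerShellUserList.csv"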

<#
-To display only those users who don't have access to Exchange Online PowerShell, run the following command:

Get-User -ResultSize unlimited -Filter 'RemotePowerShellEnabled -eq $false'

-To display only those users who have access to Exchange Online PowerShell, run the following command:

Get-User -ResultSize unlimited -Filter 'RemotePowerShellEnabled -eq $true'
#>
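
The three loops above can be collapsed into one pass that skips the admin accounts that must keep access and previews the change before making it. This is an added example, not the author's script; $KeepEnabled and the address in it are hypothetical, and it assumes a session opened with Connect-ExchangeOnline.

```powershell
# Added example (not the author's script). Assumes Connect-ExchangeOnline has already run.
# $KeepEnabled is a hypothetical allow-list; the address below is a constructed placeholder.
$KeepEnabled = @('exo-admin@company.com')

# Server-side filter from the script's closing comment: only accounts that are still enabled.
$Enabled = Get-User -ResultSize Unlimited -Filter 'RemotePowerShellEnabled -eq $true'

# Same three selections as the loops above, minus the allow-listed admins.
$Targets = $Enabled | Where-Object {
    ($_.IsDirSynced -eq $true -or
     $_.RecipientTypeDetails -eq 'GuestMailUser' -or
     $_.RecipientTypeDetails -eq 'RoomMailbox') -and
    ($_.WindowsLiveID -notin $KeepEnabled)
}

$Failed = @()
foreach ($Target in $Targets) {
    try {
        # -ErrorAction Stop turns Set-User errors into terminating ones so catch runs.
        # -WhatIf only reports what would change; remove it after reviewing the output.
        Set-User -Identity $Target.WindowsLiveID -RemotePowerShellEnabled $false -Confirm:$false -ErrorAction Stop -WhatIf
    }
    catch {
        $Failed += $Target.WindowsLiveID
        Write-Warning "Failed for $($Target.WindowsLiveID): $($_.Exception.Message)"
    }
}

Write-Host "$(@($Targets).Count) accounts selected, $($Failed.Count) failed"

# An allow-listed account that is not currently enabled points to a typo or an earlier lockout.
$KeepEnabled | Where-Object { $_ -notin $Enabled.WindowsLiveID } |
    ForEach-Object { Write-Warning "$_ is allow-listed but not enabled for remote PowerShell" }
```

Because the account running the script may itself be directory-synced, put it in the allow-list before removing -WhatIf.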

21 June 2017

Connect to Exchange Online with MFA enabled

Been searching a little while before I got this thru my skull.

I had enabled MFA for my account over at Exchange Online and tried to connect to the remote PowerShell. Immediately my screen turned red.
New-PSSession : [outlook.office365.com] Connecting to remote server outlook.office365.com
failed with the following error message : [ClientAccessServer=VI1PR0101CA0080,
BackEndServer=am5pr10mb0595.eurprd10.prod.outlook.com RequestId=d3099d49-9287-419a-b22f-91e1bf7b888d,
TimeStamp=6/21/2017 10:43:42 AM] Access Denied For more information, see the
about_Remote_Troubleshooting Help topic.

The access denied error is what triggered me to search for the MFA solution, because in the Office Portal I could log in just fine.

After some searching on the web I came across this:
https://technet.microsoft.com/library/mt775114.aspx
This just recently became available (as far as I know); previously, MFA had to be disabled for the Organisation Management account, which is a terrible idea of course.

After installing the Exchange Online Remote PowerShell Module you get a new icon in your start menu.
After starting the new PowerShell module you're greeted by this:
As you can see there's a new way to connect to Exchange Online with MFA enabled on your command.
Connect-EXOPSSession is the new way, and it is a new cmdlet that is not available in any of the installed modules in the PowerShell module directory.
I tried to find what module is explicitly loaded but was unsuccessful.
I think it downloads the module directly from the cloud: right after starting the module a black screen is briefly displayed and then the PowerShell window is shown.

19 June 2017

Remote PowerShell login Office365, SkypeForBusiness Online, SharePoint Online, Exchange Online, Security and how to disconnect


Remote PowerShell login Office 365 all modules

Prerequisites for logging in to Office 365 and Skype for Business Online are:

· Running OS must be 64bit

· Microsoft .NET Framework 4.5.x

· PowerShell Version 3.0 or higher
(if you need to install Version 3.0+, download and install Windows Management Framework 4.0: https://www.microsoft.com/en-us/download/details.aspx?id=40855)

You need to install the modules that are required for Office 365, SharePoint Online, and Skype for Business Online:
Microsoft Online Service Sign-in Assistant for IT Professionals RTW
Windows Azure Active Directory Module for Windows PowerShell (64-bit version)

Download the Windows PowerShell module for Skype for Business Online
https://www.microsoft.com/en-us/download/details.aspx?id=39366
After installation copy the SkypeOnline and the LyncOnline module folders found in:
C:\Program Files\Common Files\Skype for Business Online\Modules
to:
C:\Windows\System32\WindowsPowerShell\v1.0\Modules
This is because otherwise, when running Import-Module SkypeOnline, the modules cannot be found.
By copying them to the default module directory for PowerShell they can be found and load right up.

MicrosoftOnlineLogin

Set-ExecutionPolicy RemoteSigned

$credential = Get-Credential
Connect-MsolService -Credential $credential

SkypeForBusiness

Import-Module SkypeOnlineConnector
$SfBoSession = New-CsOnlineSession -Credential $credential
Import-PSSession $SfBoSession

SharePoint

Import-Module Microsoft.Online.SharePoint.PowerShell -DisableNameChecking
Connect-SPOService -Url https://domainhost-admin.sharepoint.com -credential $credential

Exchange

$exchangeSession = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri "https://outlook.office365.com/powershell-liveid/" -Credential $credential -Authentication "Basic" -AllowRedirection
Import-PSSession $exchangeSession -DisableNameChecking

Security

$ccSession = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.compliance.protection.outlook.com/powershell-liveid/ -Credential $credential -Authentication Basic -AllowRedirection
Import-PSSession $ccSession -Prefix cc

Logout

Remove-PSSession $sfboSession
Remove-PSSession $exchangeSession
Remove-PSSession $ccSession
Disconnect-SPOService
There is no disconnect or remove session option for MSOL, just close the PowerShell window.