Showing posts with label hybrid. Show all posts

Friday, 8 February 2019

Powershell LDAP query to find Azure / O365 users synchronised with AD Sync

Recently I needed to create a quick report that would let me see at a glance which accounts in the domain had been synchronised into Azure AD with AD Sync.  It wasn’t possible using Get-ADUser, and I knew an LDAP query would do the trick.  First I had to download a PowerShell module, S.DS.P, which wraps System.DirectoryServices.Protocols.  Once the module is downloaded, run:

Add-Type -AssemblyName System.DirectoryServices.Protocols
Import-Module C:\Cloudwyse\Tools\S.DS.P.psm1

Then, to query the information I required, I ran:

$MigratedUsers=Find-LdapObject -SearchFilter:"(msDS-ExternalDirectoryObjectId=*)" -SearchBase:"DC=contoso,DC=com" -LdapConnection:"server01.contoso.com" -PageSize 500

Conversely, if you wanted to find all users that HADN’T been synchronised, you could run the following (the NOT operator needs its own parentheses around the attribute test):

$UnsyncedUsers=Find-LdapObject -SearchFilter:"(!(msDS-ExternalDirectoryObjectId=*))" -SearchBase:"DC=contoso,DC=com" -LdapConnection:"server01.contoso.com" -PageSize 500

I still had a few service accounts showing, so I just filtered these in Excel based on the DN.  To export the file, pipe the results into Export-Csv:

$MigratedUsers | Export-Csv C:\Cloudwyse\User_report.csv -NoTypeInformation

Monday, 21 January 2019

Powershell Script to export a list of all proxyaddresses for all users in the O365 tenant

 

 

This script allows you to export a list of all users in the tenant and all associated proxy addresses.  It’s helpful to be able to get this as a CSV file for future reference so that you can quickly filter on whichever user you like.  It’s also been helpful for me on a recent migration, where I was able to make sure that each user’s email addresses were properly migrated.

$LogFilePath = $env:LOCALAPPDATA + "\Cloudwyse\Logs\user_proxy_addresses_" + $(Get-Date -Format ddMMyy_HHmmss) + ".log"
Start-Transcript -Path $LogFilePath -NoClobber

# Credentials are read from a SecureString saved to disk rather than plain text in the script
$365Pass = Get-Content C:\cloudwyse\securestring365.txt | ConvertTo-SecureString
$365Cred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "admin@contoso.com",$365Pass
$DateTime = (Get-Date -Format "ddMMyyyy-HHmmss")

# Connect to Exchange Online (remote PowerShell) and to Azure AD via MSOnline
$365Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $365Cred -Authentication Basic -AllowRedirection
Import-PSSession $365Session
Connect-MsolService -Credential $365Cred

Write-Host -ForegroundColor Magenta "Pulling mailbox information for all users, please be patient..."
$JobStart = Get-Date
# -ResultSize Unlimited: without it Get-Mailbox stops after the first 1000 mailboxes
$getmailbox = Get-Mailbox -ResultSize Unlimited
$JobEnd = Get-Date
$JobSecondsTaken = ($JobEnd - $JobStart)
Write-Host -ForegroundColor Yellow "Extract complete.  The Job took" $JobSecondsTaken.Seconds "seconds."

$total = 0
$Job2Start = Get-Date
$userList = @()

# One row per proxy address, so a user with several addresses appears on several rows
foreach ($user in $getmailbox) {
    $lookup = Get-MsolUser -UserPrincipalName $user.UserPrincipalName
    Write-Host -ForegroundColor Magenta "Current user is" $user.UserPrincipalName
    $addresses = $lookup.ProxyAddresses
    foreach ($address in $addresses) {
        $us = New-Object PSObject
        $us | Add-Member -Type NoteProperty -Name 'UPN' -Value $lookup.UserPrincipalName
        $us | Add-Member -Type NoteProperty -Name 'ProxyAddresses' -Value $address
        Write-Host -ForegroundColor Cyan "Address is" $address
        $userList += $us
    }
    $total = $total + 1
}

$Job2End = Get-Date
$Job2SecondsTaken = ($Job2End - $Job2Start)
Write-Host -ForegroundColor Yellow "$total users processed in" $Job2SecondsTaken.Minutes "minute(s) and" $Job2SecondsTaken.Seconds "second(s)."

Remove-PSSession $365Session
$userList | Export-Csv C:\Cloudwyse\user_proxy_addresses$DateTime.csv -NoTypeInformation
Write-Host -ForegroundColor Yellow "Report exported to C:\Cloudwyse\user_proxy_addresses$DateTime.csv"

Stop-Transcript

I’ve shared this before, but if you are unsure how to securely store credentials in a script without using plain text, then follow the instructions here to create the securestring.txt.

Friday, 18 January 2019

Finally, a good but concise explanation of DMARC, DKIM and SPF - email security!

I’ve found that the information that’s out there about email authentication is either too detailed or too high level.  So I wanted to produce a quick guide for administrators that’s somewhere in between.

We have three principal technologies at play.  These technologies work together to provide an email security foundation.  They are:

1.    Domain-based Message Authentication, Reporting & Conformance (DMARC)

2.    Sender Policy Framework (SPF)

3.    DomainKeys Identified Mail (DKIM)

These technologies protect the recipient of the email more than the sender.  That is, they validate the authenticity of the email that you are SENDING.  However, large-scale adoption means that the online community is able to come together to authenticate each other’s email traffic, helping to eliminate the effectiveness of phishing and spam emails.

SPF

There are two ‘from’ addresses in an email: the ‘header from’ (AKA friendly from) and the ‘envelope from’ (AKA return path).  An organisation hosts its own SPF record in DNS.  This record can be used by the receiving organisation to confirm that mail received is from a valid source.  That is, the receiving organisation will check the DNS records for the domain in the ‘envelope from’ address, e.g. “contoso.com”, to see if there is an SPF record.  If there is, the server will check whether the mail was received from a server matching this record.  An example SPF record would be as follows:

v=spf1 ip4:232.198.111.122 include:mail.contoso.com -all

If you’d like more information, please look at this article.

DKIM

DKIM adds a digital signature to the header section of an email.  This uses public key cryptography to ensure that the email was from a genuine source and that the message hasn’t been tampered with or altered en route.

The sending server creates a signature using its private key.  This signature can be verified using the public key, which is published as a text record within the sender’s DNS.  Due to the high level of security provided by public key cryptography, this method gives those receiving the email peace of mind that the email is genuine.

An example DKIM record would be as follows:

v=DKIM1; p=Es34dfgRGE55ehYRJ54JYRsfMTYesfsdNTNJSRefdgGg54t35tJSR

DMARC

This relatively recent authentication method was developed in 2007 by PayPal, with collaboration later being offered by Yahoo! and Google.  DMARC is like a ‘digital doorman’, ensuring that every email’s name is on both the SPF and DKIM list.  DMARC will match the ‘header from’ domain name with the ‘envelope from’ domain name obtained from the SPF check, and will also match the ‘header from’ domain name with the ‘d=’ domain name in the DKIM signature.  As well as carrying out these tests, DMARC is also used to tell recipient mail servers what to do with any email that is suspected of not being genuine.

The sender can choose to:

·        Monitor all mail, to gain an understanding of misuse of their brand name through spam email and to ensure genuine mail is authenticating properly.

·        Quarantine messages that fail DMARC, i.e. ensure they land in the recipient's spam folder.

·        Reject messages that fail DMARC authentication, i.e. request that the recipient's email server doesn't deliver the message at all.

An example DMARC record would be as follows:

"v=DMARC1; p=reject; pct=100; rua=mailto:postmaster@contoso.com"

It is a combination of SPF, DKIM and DMARC together that offers confidence and security to businesses, customers and other internet users that an email is genuine and not a phishing attempt or spam.
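As an added example that is not part of the original post, the Python below parses the three records quoted above and applies the DMARC alignment tests just described to constructed messages. The records and addresses are constructed from the post's examples; org_domain is a simplification (real verifiers use the Public Suffix List), and, as RFC 7489 specifies, a message passes when either the SPF identifier or the DKIM identifier is aligned with the ‘header from’ domain.

```python
# Records constructed from the examples quoted in the post above.
SPF_RECORD = "v=spf1 ip4:232.198.111.122 include:mail.contoso.com -all"
DKIM_RECORD = "v=DKIM1; p=Es34dfgRGE55ehYRJ54JYRsfMTYesfsdNTNJSRefdgGg54t35tJSR"
DMARC_RECORD = "v=DMARC1; p=reject; pct=100; rua=mailto:postmaster@contoso.com"


def parse_tags(record):
    """Split a 'tag=value; tag=value' record (DKIM or DMARC) into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def spf_terms(record):
    """Return the SPF mechanisms after the version tag, e.g. ['ip4:...', '-all']."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    return terms[1:]


def org_domain(domain):
    """Organisational domain. Simplification: last two labels (verifiers use the Public Suffix List)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(header_domain, auth_domain, mode):
    """Identifier alignment: 's' (strict) needs an exact match, 'r' (relaxed) the same org domain."""
    if mode == "s":
        return header_domain.lower() == auth_domain.lower()
    return org_domain(header_domain) == org_domain(auth_domain)


def dmarc_evaluate(header_from, envelope_from, spf_pass, dkim_d, dkim_pass, record):
    """Apply the alignment tests to one message; return (result, disposition requested by p=)."""
    # RFC 7489: pass if EITHER SPF or DKIM passed and its identifier aligns with the header from.
    tags = parse_tags(record)
    hdr = header_from.rsplit("@", 1)[-1]
    spf_ok = spf_pass and aligned(hdr, envelope_from.rsplit("@", 1)[-1], tags.get("aspf", "r"))
    dkim_ok = dkim_pass and dkim_d is not None and aligned(hdr, dkim_d, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return ("pass", "none")
    return ("fail", tags.get("p", "none"))
```

With the record above, a genuine message bouncing via mail.contoso.com passes under relaxed alignment but fails if aspf=s is added; a message whose SPF passes for an unrelated domain and carries no DKIM signature fails and earns the p=reject disposition.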

 

 

Wednesday, 16 January 2019

Extract Office 365 License information for all users using Powershell

This script gathers O365 license information for all active users.  It populates a CSV for import into Excel with the UPN, each license, whether the mailbox is shared or not, and whether or not the user is blocked (BlockCredential).

A separate row will be created for each license, with the user’s UPN detailed on each row.  Once the export is complete, you can filter this list in Excel to get whichever granular information you need.

$LogFilePath = $env:LOCALAPPDATA + "\Cloudwyse\Logs\user_license_report_" + $(Get-Date -Format ddMMyy_HHmmss) + ".log"
Start-Transcript -Path $LogFilePath -NoClobber

# Credentials are read from a SecureString saved to disk rather than plain text in the script
$365Pass = Get-Content C:\cloudwyse\securestring365.txt | ConvertTo-SecureString
$365Cred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "admin@contoso.onmicrosoft.com",$365Pass
$DateTime = (Get-Date -Format "ddMMyyyy-HHmmss")

# Connect to Exchange Online (for mailbox properties) and to Azure AD via MSOnline (for licenses)
$365Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $365Cred -Authentication Basic -AllowRedirection
Import-PSSession $365Session
Connect-MsolService -Credential $365Cred

Write-Host -ForegroundColor Magenta "Pulling mailbox information for all users, please be patient..."
$JobStart = Get-Date
# -ResultSize Unlimited: without it Get-Mailbox stops after the first 1000 mailboxes
$getmailbox = Get-Mailbox -ResultSize Unlimited
$JobEnd = Get-Date
$JobSecondsTaken = ($JobEnd - $JobStart)
Write-Host -ForegroundColor Yellow "Extract complete.  The Job took" $JobSecondsTaken.Seconds "seconds."

$total = 0
$Job2Start = Get-Date
$userList = @()

# One row per license, so a user with several licenses appears on several rows
foreach ($user in $getmailbox) {
    $lookup = Get-MsolUser -UserPrincipalName $user.UserPrincipalName
    Write-Host -ForegroundColor Magenta "Current user is" $user.UserPrincipalName
    $licenses = $lookup.Licenses
    foreach ($license in $licenses) {
        $us = New-Object PSObject
        $us | Add-Member -Type NoteProperty -Name 'UPN' -Value $lookup.UserPrincipalName
        $us | Add-Member -Type NoteProperty -Name 'License' -Value $license.AccountSkuId
        $us | Add-Member -Type NoteProperty -Name 'IsShared' -Value $user.IsShared
        $us | Add-Member -Type NoteProperty -Name 'Blocked' -Value $lookup.BlockCredential
        Write-Host -ForegroundColor Cyan $license.AccountSkuId "was added to the list for" $lookup.UserPrincipalName
        $userList += $us
    }
    $total = $total + 1
}

$Job2End = Get-Date
$Job2SecondsTaken = ($Job2End - $Job2Start)
Write-Host -ForegroundColor Yellow "$total users processed in" $Job2SecondsTaken.Minutes "minute(s) and" $Job2SecondsTaken.Seconds "second(s)."

Remove-PSSession $365Session
$userList | Export-Csv C:\Cloudwyse\user_license_report$DateTime.csv -NoTypeInformation
Write-Host -ForegroundColor Yellow "Report exported to C:\Cloudwyse\user_license_report$DateTime.csv"

Stop-Transcript


I’m happy to post the script as a text file if that will help anyone.