Random Azure, M365, & Intune notes

Rich
7 min read · Jan 15, 2024


TL;DR This is just a random hodgepodge of notes on things we’ve been working on with Azure, AAD, M365, and Intune.

Background

I am happy to say that here at test.local we got a first time go on Cloud Security at WGU. As I am sure anyone who has perused many of our howtos is well aware, we have probably forgotten more about running an on prem domain than we know about the cloud. We had to write a roughly 4,000 word proposal, take 20 or so screenshots in WGU’s less than ideally set up lab, create a 12–15 slide presentation, and then record myself presenting the proposal.

In short, we simply recommended:

  • Throwing out the mess that the fictional org’s last consultant had created before they abruptly left
  • Creating a new Azure tenant & subscription
  • Syncing the org’s AD to AAD via Azure AD Connect and/or Cloud Sync
  • Deploying the VMs via IaC (there were 3 in the fictional org’s Azure lab)
  • Doing it right this time (WGU’s VMs didn’t even have NSGs)

We used test.local as the “development environment” in our presentation. I was able to say that we had tested out our proposal in development … and I wasn’t just bullshitting.

We will be recommending AAD, M365, and Intune in the proposal we are working on for the next class. I didn’t want to talk out of my proverbial 4th point of contact, so I finally got around to getting Mishka a M365 Business Premium license.

Mishky’s Simple AD lab in Azure with a menu

We got this idea from someone on Reddit who was asking for help in getting their simple AD lab in Azure VMs to work right. Apparently a paid course had led them astray. We created a Proof of Concept IaC project and tested it out. It worked, but wasn’t very user friendly for someone who is very new to hypervisors, VMs, PowerShell, AD and managing them all from PowerShell on their standalone laptop.

The project is on our GitHub here.

All one has to do is create a trial Azure tenant, run Mishky’s menu-based tool, and then run Options 1 through 6 in order. The whole process takes 10–15 minutes and at the end they can RDP into the Member Server and start learning AD.

This project was great because it forced me to get hands on with using Azure as a hypervisor. I found Azure to actually be quite intuitive and easy to use for this, and simple to automate the whole process.

We created Cleanup.ps1 as an easy way to remove the entire thing from Azure once you’re done using it. This is important since VMs can cost some real money to run in Azure once the trial period is over. ‘Start & Stop all VMs.ps1’ allows one to easily fire up the lab using ‘Start-Lab’ and shut it all down by using ‘Stop-Lab’. This is important since leaving the lab running while it is not in use can quickly deplete one’s $200 credit during the trial period.
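For anyone building their own version, here is a minimal Start-Lab / Stop-Lab pair using the Az module. This is an added example, not the code from Mishky’s repo; it assumes Connect-AzAccount has already been run and that every lab VM lives in one resource group (the $LabResourceGroup name is hypothetical). The point worth noticing is that Stop-AzVM deallocates by default, and deallocation is what actually stops the compute billing.

```powershell
# Added example (not Mishky's repo code): start/stop the whole AD lab with the Az module.
# Assumes Connect-AzAccount was already run; $LabResourceGroup is a hypothetical name.
Import-Module Az.Compute
$LabResourceGroup = 'rg-adlab'

function Start-Lab {
    # Boot the DC(s) first so the member server can find a DC when it comes up
    $vms   = Get-AzVM -ResourceGroupName $LabResourceGroup
    $order = @($vms | Where-Object Name -like 'DC*') + @($vms | Where-Object Name -notlike 'DC*')
    foreach ($vm in $order) {
        Write-Host "Starting $($vm.Name)"
        Start-AzVM -ResourceGroupName $LabResourceGroup -Name $vm.Name | Out-Null
    }
}

function Stop-Lab {
    # Stop-AzVM deallocates by default, which is what stops the compute charges.
    # -StayProvisioned would leave the VM "stopped" but still reserving (and billing) its compute.
    Get-AzVM -ResourceGroupName $LabResourceGroup | ForEach-Object {
        Write-Host "Deallocating $($_.Name)"
        Stop-AzVM -ResourceGroupName $LabResourceGroup -Name $_.Name -Force | Out-Null
    }
}

function Get-LabState {
    # Quick check that nothing was left running and burning trial credit
    Get-AzVM -ResourceGroupName $LabResourceGroup -Status | Select-Object Name, PowerState
}

# Usage:
#   Start-Lab
#   Get-LabState      # every VM should show "VM running"
#   Stop-Lab
#   Get-LabState      # every VM should show "VM deallocated", not merely "VM stopped"
```

Dot-source the file and run Get-LabState after Stop-Lab; if a VM reports “VM stopped” rather than “VM deallocated” it is still being billed.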

Finding WTH is running on the domain as a given user

We came across this one while screwing around with forwarding Windows logs to an Azure Log Analytics Workspace and looking for an answer to a question on Reddit. The question arose because a long since departed admin who had apparently gotten a bit sloppy with their domain had a service running as themselves.

The question was: how do I find which service on which domain system is running as that user?

We will use the MSOL_xyz account that Azure AD Connect creates and uses to sync AD to AAD as an example. Let’s find what service on what system is running as that account. One caveat: on a default install the ADSync service itself typically runs as a local virtual service account (NT SERVICE\ADSync); the MSOL_ account is the AD DS connector account whose credentials the service uses to read and write AD. So the 4624 network logons on the DCs will reliably show which host the account is used from, but the service and scheduled task checks on that host may come back empty for this particular account. For an admin’s personal account that a service was set to run as, the same approach finds the service directly.

# The AD DS connector account Azure AD Connect created; take the first match if more than one exists
$User = (Get-ADUser -Filter 'SamAccountName -like "MSOL_*"' | Select-Object -First 1).SamAccountName

# Successful logons (4624) for that account in the last hour, from the forwarded DC security logs on the collector.
# Properties[5] is TargetUserName for event 4624; matching on it is stricter than a wildcard match on the Message text.
$Logins = Get-WinEvent -FilterHashtable @{Path="$env:SystemRoot\System32\Winevt\Logs\ForwardedEvents.evtx"; Id=4624; StartTime=(Get-Date).AddHours(-1)} |
    Where-Object {$_.Properties[5].Value -eq $User}

$Login = $Logins | Select-Object -First 1
$UserName = $Login.Properties[5].Value     # TargetUserName
$ClientIP = $Login.Properties[18].Value    # IpAddress the logon came from
$ServingDC = $Login.MachineName            # the DC that recorded the logon
$TimeCreated = $Login.TimeCreated
$ClientComputer = (Get-ADComputer -Filter * -Properties IPv4Address | Where-Object {$_.IPv4Address -eq $ClientIP}).Name

Write-Host "$UserName logged in from IP address $ClientIP using DC $ServingDC at $TimeCreated."
# $using: is required to get the local $User into the remote script block; Principal.UserId may be DOMAIN\user, so match loosely
Invoke-Command -ComputerName $ClientComputer {Get-ScheduledTask | Where-Object {$_.Principal.UserId -like "*$using:User*"}}
Get-CimInstance -ClassName CIM_Service -ComputerName $ClientComputer | Where-Object {$_.StartName -like "*$User*"}
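The snippet above only follows the first logon it finds. A sloppy admin account usually shows up on more than one box, so as an added example (my own, not part of the original post) here is the same idea extended to every source host in the forwarded log: parse the 4624 event XML instead of string-matching the Message text, group logons by source IP, resolve each to a computer object, and then check services and scheduled tasks on each host. It assumes the RSAT ActiveDirectory module, WinRM access to the member servers, and that ForwardedEvents.evtx on the collector holds the DCs’ security logs; $SamAccountName and $LookbackHours are hypothetical knobs.

```powershell
# Added example, not from the original post: sweep every host an account has logged on from
# and report what runs as it on each. Assumes RSAT AD module + WinRM to the member servers.
Import-Module ActiveDirectory

$SamAccountName = 'MSOL_*'    # hypothetical: wildcard narrowed to one account below
$LookbackHours  = 24          # hypothetical: how far back to read the forwarded log
$LogPath        = "$env:SystemRoot\System32\Winevt\Logs\ForwardedEvents.evtx"

$User = (Get-ADUser -Filter "SamAccountName -like '$SamAccountName'" | Select-Object -First 1).SamAccountName
if (-not $User) { throw "No account matching $SamAccountName" }

# 4624 = successful logon. Read fields from the event XML so 'MSOL_abc' does not also match 'svc_MSOL_abc2'.
$Events = Get-WinEvent -FilterHashtable @{Path=$LogPath; Id=4624; StartTime=(Get-Date).AddHours(-$LookbackHours)} -ErrorAction SilentlyContinue

$Sources = foreach ($e in $Events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    if ($d.TargetUserName -eq $User) {
        [pscustomobject]@{
            Time        = $e.TimeCreated
            DC          = $e.MachineName
            LogonType   = $d.LogonType        # 3 = network, 4 = batch (scheduled task), 5 = service
            Workstation = $d.WorkstationName
            IpAddress   = $d.IpAddress
        }
    }
}

# Resolve source IPs to computer objects once, not once per group
$Computers = Get-ADComputer -Filter * -Properties IPv4Address

$Hosts = $Sources |
    Where-Object { $_.IpAddress -notin @('-', '::1', '127.0.0.1') } |
    Group-Object IpAddress | ForEach-Object {
        $ip = $_.Name
        [pscustomobject]@{
            IpAddress = $ip
            Computer  = ($Computers | Where-Object { $_.IPv4Address -eq $ip }).Name
            Logons    = $_.Count
            LastSeen  = ($_.Group.Time | Sort-Object -Descending | Select-Object -First 1)
            LogonTypes = ($_.Group.LogonType | Sort-Object -Unique) -join ','
        }
    }

Write-Host "Hosts that $User logged on from in the last $LookbackHours hours:"
$Hosts | Format-Table -AutoSize

# On each resolved host, find what actually runs as the account
$Findings = foreach ($h in ($Hosts | Where-Object Computer)) {
    Get-CimInstance -ClassName Win32_Service -ComputerName $h.Computer |
        Where-Object { $_.StartName -like "*$User*" } |
        Select-Object @{n='Computer';e={$h.Computer}}, @{n='Kind';e={'Service'}}, Name, StartName, State

    Invoke-Command -ComputerName $h.Computer -ScriptBlock {
        Get-ScheduledTask | Where-Object { $_.Principal.UserId -like "*$using:User*" } |
            Select-Object @{n='Computer';e={$env:COMPUTERNAME}}, @{n='Kind';e={'ScheduledTask'}},
                          @{n='Name';e={$_.TaskName}}, @{n='StartName';e={$_.Principal.UserId}}, State
    }
}

$Findings | Format-Table -AutoSize
```

The LogonTypes column is the quick tell: type 5 means a service on that host is configured with the account, type 4 points at a scheduled task, and type 3 on a DC with nothing found on the source host means the account is being used interactively or by something that authenticates with stored credentials (as Azure AD Connect does).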

Checking true last logon via querying all DCs and sorting

Microsoft TechNet explains it pretty well here.

  • The lastLogon attribute is updated on whichever DC authenticated the logon and does not replicate, so every DC holds a different value.
  • The lastLogonTimestamp attribute replicates, but it is only rewritten when the existing value is older than msDS-LogonTimeSyncInterval (14 days by default, minus a random offset), so it can be up to about two weeks stale.
  • LastLogonDate is simply the AD PowerShell module’s DateTime rendering of lastLogonTimestamp.

Therefore we can query all the DCs and use the most recent value in LastLogon as the Domain User’s true last activity.

$User = "Mishka"
# Ask AD for the DC list rather than hard-coding the Domain Controllers OU path
$DCs = (Get-ADDomainController -Filter *).HostName

$Results = ForEach($DC in $DCs)
{
    # lastLogon is a FILETIME integer; 0 means this DC has never authenticated the user
    $u = Get-ADUser $User -Properties LastLogon -Server $DC
    [pscustomobject]@{
        SamAccountName = $u.SamAccountName
        DC             = $DC
        LastLogon      = if ($u.LastLogon) { [DateTime]::FromFileTime($u.LastLogon) } else { $null }
    }
}

# Sort on the converted DateTime, not on CSV text; the top row is the user's true last logon
$Results | Sort-Object LastLogon -Descending | Export-Csv .\List.csv -NoTypeInformation
$Results | Sort-Object LastLogon -Descending | Format-Table -AutoSize

This method is handy if you don’t have logon auditing or event forwarding set up, or if you need to see which DCs tend to handle a user’s logon requests and which don’t.
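The same query scales up into a useful audit: run it for every enabled user, keep the newest lastLogon seen on any DC, and list the accounts nobody has used in a while. This is an added example of mine, not part of the original post. It assumes the RSAT ActiveDirectory module and LDAP reachability to every DC; $StaleDays is a hypothetical threshold. A DC you cannot reach is reported as a warning rather than silently skipped, because a missing DC means a possibly wrong answer.

```powershell
# Added example, not from the original post: stale account report using the newest lastLogon across all DCs.
# Assumes RSAT ActiveDirectory module and LDAP access to every DC. $StaleDays is a hypothetical threshold.
Import-Module ActiveDirectory
$StaleDays = 90
$DCs = (Get-ADDomainController -Filter *).HostName

# Seed with every enabled user. LastLogonDate (replicated lastLogonTimestamp) is kept as the up-to-14-days-stale fallback,
# and Created lets you tell "never logged on, brand new" from "never logged on, forgotten".
$Users = @{}
foreach ($u in Get-ADUser -Filter 'Enabled -eq $true' -Properties LastLogonDate, Created) {
    $Users[$u.SamAccountName] = [pscustomobject]@{
        SamAccountName = $u.SamAccountName
        LastLogon      = $null     # newest non-replicated lastLogon seen on any DC
        LastLogonDC    = $null
        LastLogonDate  = $u.LastLogonDate
        Created        = $u.Created
    }
}

# Ask each DC for its own lastLogon values and keep the newest per user
foreach ($DC in $DCs) {
    try {
        $onDC = Get-ADUser -Filter 'Enabled -eq $true' -Properties lastLogon -Server $DC -ErrorAction Stop
    } catch {
        Write-Warning "Could not query ${DC}: $_  (report may understate recent activity)"
        continue
    }
    foreach ($u in $onDC) {
        if (-not $u.lastLogon) { continue }          # 0 = this DC never authenticated the account
        $t   = [DateTime]::FromFileTime($u.lastLogon)
        $row = $Users[$u.SamAccountName]
        if ($row -and ($null -eq $row.LastLogon -or $t -gt $row.LastLogon)) {
            $row.LastLogon   = $t
            $row.LastLogonDC = $DC
        }
    }
}

$Cutoff = (Get-Date).AddDays(-$StaleDays)
$Stale = $Users.Values |
    Where-Object { $null -eq $_.LastLogon -or $_.LastLogon -lt $Cutoff } |   # "never logged on anywhere" counts as stale
    Sort-Object LastLogon

$Stale | Select-Object SamAccountName, LastLogon, LastLogonDC, LastLogonDate, Created | Format-Table -AutoSize
$Stale | Export-Csv .\StaleAccounts.csv -NoTypeInformation
Write-Host "$($Stale.Count) of $($Users.Count) enabled accounts have no logon on any DC in the last $StaleDays days."
```

Accounts that show a LastLogon of blank but a LastLogonDate in the past are the interesting ones: a DC that once authenticated them has since been demoted or rebuilt, and the replicated timestamp is the only record left.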

M365 & Intune

I signed our Azure tenant up for a M365 Business Premium trial. This gives you 25 licenses for M365 and Intune. I will probably keep one license for Mishka’s AAD account that’s synced with her Domain User in AD going forward. Right now she can either log in on prem or on a VM that’s AAD joined using the same credentials and have access to the same email, Office applications, and OneDrive. It would be handy for an employee who travels or works from home a bit and has a desktop in the office on AD and a laptop for remote work.

All I had to do was get Mishka to add her work or school account to Windows in the Settings and copy/paste her UPN that AD and AAD use.

Pushing configs to AAD joined systems via Intune and PS1

What’s old is new again. One of the best ways to configure domain workstations is via Group Policy logon scripts, aka PS1s. One of the best ways I have found so far to configure endpoints via Intune is scripts.

Remember that most of what Group Policy’s Administrative Templates do is push registry keys behind a friendly UI.

The key takeaway? Create solid endpoint configs in PowerShell, aka IaC, and you can work fine with either Group Policy or Intune.

The difference is that Intune runs a PowerShell script once per device (or once per user, if you choose to run it in the logged-on user’s context) and only runs it again if it fails or you change the script, not at every startup as a Group Policy startup script does. If you need something that re-checks on a schedule, that is what Intune’s remediation scripts are for. I tested this by simply writing the DTG (date-time group) the PS1 ran to a text file on the user’s desktop. All this PS1 does is disable NetBIOS over TCP/IP. I’ll create a more useful one later that enforces SMB signing, disables LLMNR, etc.

# NetbiosOptions: 0 = use the DHCP server's setting, 1 = enabled, 2 = disabled. The wildcard hits every tcpip_* interface key.
Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\services\NetBT\Parameters\Interfaces\tcpip* -Name NetbiosOptions -Value 2

# Record when the script ran to confirm it fires only once (test-only hard-coded path; Intune runs scripts as SYSTEM by default)
$Time = Get-Date
Add-Content -Value "Testing $Time" -Path "C:\Users\Mishka\Desktop\Testing.txt"
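As an added example (mine, not the post’s script), here is what that “more useful” baseline can look like: NetBIOS off, LLMNR off, SMB signing required on both the client and server side, written to be idempotent and to verify itself by reading every setting back. A non-zero exit reports the script as failed in Intune, so the portal tells you which devices did not actually take the settings. It assumes it runs as SYSTEM (the Intune default) with “Run script in 64 bit PowerShell Host” set to Yes so the policy keys land in the 64-bit registry view; $LogPath is a hypothetical location chosen because SYSTEM can always write there.

```powershell
# Added example, not the post's own script: endpoint baseline for Intune (or a GPO startup script).
# Assumes it runs as SYSTEM in a 64-bit PowerShell host. $LogPath is a hypothetical path.
$LogPath = "$env:ProgramData\EndpointBaseline\baseline.log"
New-Item -ItemType Directory -Path (Split-Path $LogPath) -Force | Out-Null

function Set-RegDword {
    param([string]$Path, [string]$Name, [int]$Value)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }   # policy keys often do not exist yet
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

$Failures = @()
$NetBtInterfaces = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'
$DnsClientPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'

# 1. Disable NetBIOS over TCP/IP on every interface (NetbiosOptions 2 = disabled)
Get-ChildItem $NetBtInterfaces | ForEach-Object { Set-RegDword -Path $_.PSPath -Name NetbiosOptions -Value 2 }

# 2. Disable LLMNR (the same value the "Turn off multicast name resolution" GPO setting writes)
Set-RegDword -Path $DnsClientPolicy -Name EnableMulticast -Value 0

# 3. Require SMB signing for both inbound (server) and outbound (client) sessions
Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
Set-SmbClientConfiguration -RequireSecuritySignature $true -Force

# Verify by reading everything back rather than trusting that the Set-* calls succeeded
$StillOn = Get-ChildItem $NetBtInterfaces | Get-ItemProperty | Where-Object { $_.NetbiosOptions -ne 2 }
if ($StillOn) { $Failures += "NetBIOS still enabled on $(@($StillOn).Count) interface(s)" }

if ((Get-ItemProperty $DnsClientPolicy).EnableMulticast -ne 0) { $Failures += 'LLMNR not disabled' }
if (-not (Get-SmbServerConfiguration).RequireSecuritySignature) { $Failures += 'SMB server signing not required' }
if (-not (Get-SmbClientConfiguration).RequireSecuritySignature) { $Failures += 'SMB client signing not required' }

$Stamp = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'
if ($Failures) {
    Add-Content -Path $LogPath -Value "$Stamp FAIL $($Failures -join '; ')"
    Write-Error ($Failures -join '; ')
    exit 1    # shows as Failed in Intune; the management extension will retry the script
}
Add-Content -Path $LogPath -Value "$Stamp OK NetBIOS off, LLMNR off, SMB signing required"
exit 0
```

Because every step is a set-then-verify, the script is safe to re-run, which also makes it usable unchanged as a Group Policy startup script where it will run at every boot.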

Summary

I had been meaning to get a M365 subscription, start screwing around with Intune, and set up a Win10 VM as an AAD joined laptop for an employee to use off site ever since we first set up hybrid AD. M365 and AAD were about as simple as can be on that VM. Intune on the other hand has not been super intuitive so far. The good news is that we can configure almost anything by simply using PS1s.

A future project is to start learning how to manage Intune via PowerShell as we have done with AAD and Azure VMs.

That’s it for now. I should get back to writing that college paper recommending a fictional office use AAD and Intune to manage their employee’s laptops, move their webserver to an Azure VM, and setup Sentinel to monitor it. At least now I halfway know what I’m rambling on about.

Did I ever mention I hate college style writing?

References

LastLogon vs LastLogonTimestamp / LastLogonDate: https://social.technet.microsoft.com/wiki/contents/articles/22461.understanding-the-ad-account-attributes-lastlogon-lastlogontimestamp-and-lastlogondate.aspx

Push PS1s via Intune: https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension

Microsoft.Graph.Intune: https://emsroute.com/2022/10/06/ms-graph-powershell-1/

Hybrid AD vs Azure AD Joined: https://www.spiceworks.com/tech/cloud/articles/legacy-ad-hybrid-ad-and-azure-ad-difference/

[formerly Azure AD Connect] Microsoft Entra Connect vs Cloud Sync: https://blog.quest.com/understanding-azure-ad-sync-an-overview-of-azure-ad-connect-sync-and-cloud-sync/#:~:text=Azure%20Active%20Directory%20sync%20often,services%20to%20on%2Dpremises%20servers.

Rich

I work various IT jobs & like Windows domain security as a hobby. Most of what’s here is my notes from auditing or the lab.