
Commit ae7ba69

committed
updated core api for entra and m365
1 parent 50dcc46 commit ae7ba69

31 files changed

+1760
-167
lines changed

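--- a/core/api/auth/Connect-MonkeyCloud.ps1
+++ b/core/api/auth/Connect-MonkeyCloud.ps1
@@ -219,50 +219,52 @@ Function Connect-MonkeyCloud{
 Else{
 $O365Object.onlineServices.EntraID = $true
 }
-#Get actual userId
-If($O365Object.isConfidentialApp){
-$O365Object.userId = $O365Object.me.id;
-}
-Else{
-$authObject = $O365Object.auth_tokens.GetEnumerator() | Where-Object {$null -ne $_.Value} | Select-Object -ExpandProperty Value -First 1
-If($null -ne $authObject){
-$O365Object.userId = $authObject | Get-UserIdFromToken
+If($O365Object.onlineServices.EntraID){
+#Get actual userId
+If($O365Object.isConfidentialApp){
+$O365Object.userId = $O365Object.me.id;
 }
-}
-#Get Azure AD permissions
-If($O365Object.isConfidentialApp){
-$app_Permissions = Get-MonkeyMSGraphObjectDirectoryRole -ObjectId $O365Object.me.id -ObjectType servicePrincipal
-If($app_Permissions){
-$O365Object.aadPermissions = $app_Permissions
+Else{
+$authObject = $O365Object.auth_tokens.GetEnumerator() | Where-Object {$null -ne $_.Value} | Select-Object -ExpandProperty Value -First 1
+If($null -ne $authObject){
+$O365Object.userId = $authObject | Get-UserIdFromToken
+}
 }
-}
-Else{
-$user_permissions = Get-MonkeyMSGraphObjectDirectoryRole -ObjectId $O365Object.userId -ObjectType user
-If($user_permissions){
-$O365Object.aadPermissions = $user_permissions
+#Get Azure AD permissions
+If($O365Object.isConfidentialApp){
+$app_Permissions = Get-MonkeyMSGraphObjectDirectoryRole -ObjectId $O365Object.me.id -ObjectType servicePrincipal
+If($app_Permissions){
+$O365Object.aadPermissions = $app_Permissions
+}
+}
+Else{
+$user_permissions = Get-MonkeyMSGraphObjectDirectoryRole -ObjectId $O365Object.userId -ObjectType user
+If($user_permissions){
+$O365Object.aadPermissions = $user_permissions
+}
+}
+#Check If user can request MFA for users
+#Check Global Admin permissions
+$ga = Test-MonkeyAADIAM -RoleTemplateId 62e90394-69f5-4237-9190-012177145e10
+#Check Authentication administrator permissions
+$aa = Test-MonkeyAADIAM -RoleTemplateId c4e39bd9-1100-46d3-8c65-fb160da0071f
+#Check Privileged Authentication administrator permissions
+$paa = Test-MonkeyAADIAM -RoleTemplateId 7be44c8a-adaf-4e2a-84d6-ab2649e08a13
+If($ga){
+$O365Object.canRequestMFAForUsers = $true
+}
+ElseIf($aa){
+$O365Object.canRequestMFAForUsers = $true
+}
+ElseIf($paa){
+$O365Object.canRequestMFAForUsers = $true
+}
+ElseIf($O365Object.isConfidentialApp){
+$O365Object.canRequestMFAForUsers = $true
+}
+Else{
+$O365Object.canRequestMFAForUsers = $false
 }
-}
-#Check If user can request MFA for users
-#Check Global Admin permissions
-$ga = Test-MonkeyAADIAM -RoleTemplateId 62e90394-69f5-4237-9190-012177145e10
-#Check Authentication administrator permissions
-$aa = Test-MonkeyAADIAM -RoleTemplateId c4e39bd9-1100-46d3-8c65-fb160da0071f
-#Check Privileged Authentication administrator permissions
-$paa = Test-MonkeyAADIAM -RoleTemplateId 7be44c8a-adaf-4e2a-84d6-ab2649e08a13
-If($ga){
-$O365Object.canRequestMFAForUsers = $true
-}
-ElseIf($aa){
-$O365Object.canRequestMFAForUsers = $true
-}
-ElseIf($paa){
-$O365Object.canRequestMFAForUsers = $true
-}
-ElseIf($O365Object.isConfidentialApp){
-$O365Object.canRequestMFAForUsers = $true
-}
-Else{
-$O365Object.canRequestMFAForUsers = $false
 }
 #Check If requestMFA for users must be enabled by config
 try{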
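Review bot: When `$O365Object.onlineServices.EntraID` is false the whole block now guarded at new line 222 is skipped, so `$O365Object.userId`, `$O365Object.aadPermissions` and `$O365Object.canRequestMFAForUsers` are never assigned on that path, whereas before this change `canRequestMFAForUsers` always ended up an explicit `$true` or `$false`. The "requestMFA ... by config" check that follows at line 269 (outside the hunk) presumably reads that flag and would now see `$null` rather than a decision; initialise it before the guard, `$O365Object.canRequestMFAForUsers = $false`, so the non-EntraID path has a defined value. The four arms that all assign `$true` could also collapse to `$O365Object.canRequestMFAForUsers = [bool]($ga -or $aa -or $paa -or $O365Object.isConfidentialApp)`, which makes the privilege rule readable at a glance. Connect-MonkeyCloud continues outside the hunk.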

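--- a/core/api/auth/azure/Connect-MonkeyAzure.ps1
+++ b/core/api/auth/azure/Connect-MonkeyAzure.ps1
@@ -56,7 +56,7 @@ Function Connect-MonkeyAzure{
 }
 }
 Process{
-if($null -ne $O365Object.auth_tokens.ResourceManager){
+If($null -ne $O365Object.auth_tokens.ResourceManager){
 $O365Object.subscriptions = Select-MonkeyAzureSubscription
 }
 }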

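--- a/core/api/auth/microsoft365/Connect-MonkeyM365.ps1
+++ b/core/api/auth/microsoft365/Connect-MonkeyM365.ps1
@@ -216,18 +216,16 @@ Function Connect-MonkeyM365{
 }
 Write-Information @msg
 $O365Object.auth_tokens.SharePointAdminOnline = Connect-MonkeySPO @p -Admin
-#Connect to root site If ScanSites param is present or If ScanAllSites is true
-If(($O365Object.initParams.ContainsKey('ScanSites') -and @($O365Object.initParams.ScanSites).Count -gt 0) -or $scanSites){
-$msg = @{
-MessageData = ($message.TokenRequestInfoMessage -f "SharePoint Online")
-callStack = (Get-PSCallStack | Select-Object -First 1);
-logLevel = 'info';
-InformationAction = $O365Object.InformationAction;
-Tags = @('TokenRequestInfoMessage');
-}
-Write-Information @msg
-$O365Object.auth_tokens.SharePointOnline = Connect-MonkeySPO @p -RootSite
+#Always try to connect to root site
+$msg = @{
+MessageData = ($message.TokenRequestInfoMessage -f "SharePoint Online")
+callStack = (Get-PSCallStack | Select-Object -First 1);
+logLevel = 'info';
+InformationAction = $O365Object.InformationAction;
+Tags = @('TokenRequestInfoMessage');
 }
+Write-Information @msg
+$O365Object.auth_tokens.SharePointOnline = Connect-MonkeySPO @p -RootSite
 If($null -ne $O365Object.auth_tokens.SharePointAdminOnline){
 #Check If user is SharePoint administrator
 $p = @{
@@ -266,6 +264,15 @@ Function Connect-MonkeyM365{
 #Get Webs for user
 $O365Object.spoSites = Get-MonkeyCSOMSite @p
 }
+Else{
+$p = @{
+InformationAction = $O365Object.InformationAction;
+Verbose = $O365Object.verbose;
+Debug = $O365Object.debug;
+}
+#Get Webs for user
+$O365Object.spoSites = Get-MonkeyCSOMSite @p
+}
 #Check If connected to SharePoint
 If($O365Object.isSharePointAdministrator -or $null -ne $O365Object.spoSites){
 $O365Object.onlineServices.Item($service) = $true
@@ -413,7 +420,7 @@ Function Connect-MonkeyM365{
 #Connect to Admin blade
 $p = @{
 Resource = $O365Object.Environment.OfficeAdminPortal;
-AzureService = "AzurePowershell";
+AzureService = "AzureCli";
 InformationAction = $O365Object.InformationAction;
 Verbose = $O365Object.verbose;
 Debug = $O365Object.debug;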
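Review bot: The switch from `"AzurePowershell"` to `"AzureCli"` for the Office admin portal token at new line 423 appears to change which client identity the token is requested under, and nothing in the hunk or the commit message records why; since that selection determines what the portal token is allowed to do, add a comment on the line such as `# AzureCli client required here: <reason — fill in>` so the next maintainer does not revert it as a typo. In the second hunk the new `Else` branch (new lines 267-275) builds a `$p` hashtable and calls `Get-MonkeyCSOMSite @p` exactly as the preceding `If` branch appears to; if the branches differ only in what they put into `$p`, the call could follow the `If`/`Else` once instead of being duplicated. The first hunk now requests the SharePoint root-site token unconditionally, which the new comment says is intended, but it means a token is acquired even when no site scan was requested, which is worth a sentence in the comment. Connect-MonkeyM365 continues outside the hunks.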

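--- a/core/api/entraid/msgraph/helpers/PIM/Get-MonkeyMSGraphPIMRoleAssignment.ps1
+++ b/core/api/entraid/msgraph/helpers/PIM/Get-MonkeyMSGraphPIMRoleAssignment.ps1
@@ -43,6 +43,7 @@ Function Get-MonkeyMSGraphPIMRoleAssignment{
 try{
 $new_arg = @{
 APIVersion = 'beta';
+Select = $O365Object.userProperties;
 }
 #Set Job params
 #Set Job params
@@ -131,7 +132,7 @@ Function Get-MonkeyMSGraphPIMRoleAssignment{
 $role = @($roleTemplates).Where({$_.id -eq $policy.roleDefinitionId})
 if($role.Count -gt 0){
 $roleObject = $role | New-MonkeyPIMRoleObject
-$roleObject.policy = $policy;
+$roleObject.policy = ($policy | Invoke-MonkeyMSGraphPIMRoleSettingsAnalyzer);
 [void]$allroleAssignments.Add($roleObject);
 }
 Start-Sleep -Milliseconds 500;
@@ -165,7 +166,7 @@ Function Get-MonkeyMSGraphPIMRoleAssignment{
 $myRole.activeAssignment.isUsed = $true;
 $myRole.roleInUse = $true;
 $activeMembers = $activeRole.Group | Select-Object principalId,startDateTime,endDateTime,assignmentType,memberType -ErrorAction Ignore
-if($null -ne $activeMembers){
+If($null -ne $activeMembers){
 #Set array
 $allUsers = [System.Collections.Generic.List[System.Management.Automation.PSObject]]::new()
 $allServicePrincipals = [System.Collections.Generic.List[System.Management.Automation.PSObject]]::new()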
Lines changed: 108 additions & 0 deletions
@@ -0,0 +1,108 @@
1+
# Monkey365 - the PowerShell Cloud Security Tool for Azure and Microsoft 365 (copyright 2022) by Juan Garrido
2+
#
3+
# Licensed under the Apache License, Version 2.0 (the "License");
4+
# you may not use this file except in compliance with the License.
5+
# You may obtain a copy of the License at
6+
#
7+
# http://www.apache.org/licenses/LICENSE-2.0
8+
#
9+
# Unless required by applicable law or agreed to in writing, software
10+
# distributed under the License is distributed on an "AS IS" BASIS,
11+
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12+
# See the License for the specific language governing permissions and
13+
# limitations under the License.
14+
15+
Function Invoke-MonkeyMSGraphPIMRoleSettingsAnalyzer {
16+
<#
17+
.SYNOPSIS
18+
PIM Role settings analyzer
19+
20+
.DESCRIPTION
21+
PIM Role settings analyzer
22+
23+
.INPUTS
24+
25+
.OUTPUTS
26+
27+
.EXAMPLE
28+
29+
.NOTES
30+
Author : Juan Garrido
31+
Twitter : @tr1ana
32+
File Name : Invoke-MonkeyMSGraphPIMRoleSettingsAnalyzer
33+
Version : 1.0
34+
35+
.LINK
36+
https://github.com/silverhack/monkey365
37+
#>
38+
39+
[CmdletBinding()]
40+
Param (
41+
[Parameter(Mandatory=$True, ValueFromPipeline = $True, HelpMessage="Policy Object")]
42+
[Object]$InputObject,
43+
44+
[parameter(Mandatory=$false, HelpMessage="API version")]
45+
[ValidateSet("v1.0","beta")]
46+
[String]$APIVersion = "beta"
47+
)
48+
Begin{
49+
#Set args
50+
$new_arg = @{
51+
APIVersion = $APIVersion;
52+
}
53+
#Set job params
54+
$jobParam = @{
55+
ScriptBlock = { Get-MonkeyMSGraphGroupTransitiveMember -GroupId $_ -Parents @($_)};
56+
Arguments = $new_arg;
57+
Runspacepool = $O365Object.monkey_runspacePool;
58+
ReuseRunspacePool = $true;
59+
Debug = $O365Object.VerboseOptions.Debug;
60+
Verbose = $O365Object.VerboseOptions.Verbose;
61+
MaxQueue = $O365Object.nestedRunspaces.MaxQueue;
62+
BatchSleep = $O365Object.nestedRunspaces.BatchSleep;
63+
BatchSize = $O365Object.nestedRunspaces.BatchSize;
64+
}
65+
}
66+
Process{
67+
Try{
68+
#Get numbers of approvals within unifiedRoleManagementPolicyApprovalRule
69+
$approval_rule = @($InputObject.settings).Where({$_.'@odata.type' -like '*unifiedRoleManagementPolicyApprovalRule*'},[System.Management.Automation.WhereOperatorSelectionMode]::First)
70+
If($approval_rule.Count -eq 1){
71+
$number_of_approvals = 0;
72+
#Get approvers
73+
$approvers = $approval_rule[0].setting.approvalStages[0].primaryApprovers;
74+
#Get Groups and users
75+
$groups = @($approvers).Where({$_.'@odata.type' -like '*groupMembers*'}) | Select-Object -ExpandProperty Id -ErrorAction Ignore
76+
$users = @($approvers).Where({$_.'@odata.type' -like '*singleUser*'}) | Select-Object -ExpandProperty Id -ErrorAction Ignore
77+
If($null -ne $users){
78+
$number_of_approvals = @($users).Count;
79+
}
80+
If($null -ne $groups){
81+
$members = $groups | Invoke-MonkeyJob @jobParam
82+
If($null -ne $members){
83+
$number_of_approvals += @($members).Count;
84+
}
85+
}
86+
#Add to settings
87+
$approval_rule[0].setting.approvalStages[0] | Add-Member -MemberType NoteProperty -Name primaryApproversCount -Value $number_of_approvals -Force
88+
}
89+
}
90+
Catch{
91+
$msg = @{
92+
MessageData = $_;
93+
callStack = (Get-PSCallStack | Select-Object -First 1);
94+
logLevel = 'verbose';
95+
InformationAction = $O365Object.InformationAction;
96+
Verbose = $O365Object.verbose;
97+
Debug = $O365Object.debug;
98+
Tags = @('EntraIDPIMRoleSettingsAnalyzerError');
99+
}
100+
Write-Verbose @msg
101+
}
102+
#Return object
103+
return $InputObject
104+
}
105+
End{
106+
#Nothing to do here
107+
}
108+
}
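Review bot: `primaryApproversCount` at new line 87 is the number of single-user approvers plus the raw count of everything `Invoke-MonkeyJob` returns for the approver groups, so a user listed directly and again through a group, or present in two approver groups, is counted more than once; because this count is what a reviewer will use to judge whether a PIM approval setting is strong enough, over-counting can make a single-person approval look like several. Collect the ids into a set and count distinct entries instead (sketch below, assuming the objects returned by `Get-MonkeyMSGraphGroupTransitiveMember` expose an `id` like the other Graph objects in this commit — confirm). Only `approvalStages[0]` and its `primaryApprovers` are inspected; if escalation approvers or further stages should count, that is not covered and the help should say so. The `Catch` block logs at verbose level and line 103 still returns the policy unchanged, so a policy whose analysis failed is indistinguishable from one that has no approval rule; logging at warning level or stamping a marker property on the stage would make that visible. The `.DESCRIPTION` help should also state that the function mutates the incoming policy by adding `primaryApproversCount` to the first approval stage and returns the same object.
```powershell
# … unchanged: approval rule lookup, $approvers, $groups and $users selection …
$approverIds = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
ForEach($userId in @($users)){
    If($null -ne $userId){ [void]$approverIds.Add([string]$userId) }
}
If($null -ne $groups){
    $members = $groups | Invoke-MonkeyJob @jobParam
    ForEach($member in @($members)){
        # assumes member objects carry an id — confirm against Get-MonkeyMSGraphGroupTransitiveMember
        If($null -ne $member.id){ [void]$approverIds.Add([string]$member.id) }
    }
}
$number_of_approvals = $approverIds.Count
# … unchanged: Add-Member primaryApproversCount on approvalStages[0] …
```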

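--- a/core/api/entraid/msgraph/helpers/directoryrole/Get-MonkeyMSGraphEntraRoleAssignment.ps1
+++ b/core/api/entraid/msgraph/helpers/directoryrole/Get-MonkeyMSGraphEntraRoleAssignment.ps1
@@ -53,6 +53,7 @@ Function Get-MonkeyMSGraphEntraRoleAssignment {
 $graphAuth = $O365Object.auth_tokens.MSGraph
 $new_arg = @{
 APIVersion = $APIVersion;
+Select = $O365Object.userProperties;
 }
 #Set Job params
 If($O365Object.isConfidentialApp){
@@ -158,7 +159,7 @@ Function Get-MonkeyMSGraphEntraRoleAssignment {
 #Invoke job
 $members = $allIds | Invoke-MonkeyJob @jobParam
 If($null -ne $members -and @($members).Count -gt 0){
-foreach($member in @($members)){
+ForEach($member in @($members)){
 [void]$extendedUniqueUsers.Add($member);
 }
 }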
Lines changed: 68 additions & 0 deletions
@@ -0,0 +1,68 @@
1+
# Monkey365 - the PowerShell Cloud Security Tool for Azure and Microsoft 365 (copyright 2022) by Juan Garrido
2+
#
3+
# Licensed under the Apache License, Version 2.0 (the "License");
4+
# you may not use this file except in compliance with the License.
5+
# You may obtain a copy of the License at
6+
#
7+
# http://www.apache.org/licenses/LICENSE-2.0
8+
#
9+
# Unless required by applicable law or agreed to in writing, software
10+
# distributed under the License is distributed on an "AS IS" BASIS,
11+
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12+
# See the License for the specific language governing permissions and
13+
# limitations under the License.
14+
15+
Function Get-MonkeyMSGraphAppAndService {
16+
<#
17+
.SYNOPSIS
18+
Read the properties and relationships of a adminAppsAndServices object
19+
20+
.DESCRIPTION
21+
Read the properties and relationships of a adminAppsAndServices object
22+
23+
.INPUTS
24+
25+
.OUTPUTS
26+
27+
.EXAMPLE
28+
29+
.NOTES
30+
Author : Juan Garrido
31+
Twitter : @tr1ana
32+
File Name : Get-MonkeyMSGraphAppAndService
33+
Version : 1.0
34+
35+
.LINK
36+
https://github.com/silverhack/monkey365
37+
#>
38+
39+
[CmdletBinding()]
40+
Param (
41+
[parameter(Mandatory=$false, HelpMessage="API version")]
42+
[ValidateSet("v1.0","beta")]
43+
[String]$APIVersion = "v1.0"
44+
)
45+
Begin{
46+
$Environment = $O365Object.Environment
47+
#Get Graph Auth
48+
$graphAuth = $O365Object.auth_tokens.MSGraph
49+
}
50+
Process{
51+
$params = @{
52+
Authentication = $graphAuth;
53+
ObjectType = 'admin';
54+
ObjectId = 'appsAndServices';
55+
Environment = $Environment;
56+
ContentType = 'application/json';
57+
Method = "GET";
58+
APIVersion = $APIVersion;
59+
InformationAction = $O365Object.InformationAction;
60+
Verbose = $O365Object.verbose;
61+
Debug = $O365Object.debug;
62+
}
63+
Get-MonkeyMSGraphObject @params
64+
}
65+
End{
66+
#Nothing to do here
67+
}
68+
}
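Review bot: The help block leaves `.OUTPUTS` and `.EXAMPLE` empty and the synopsis reads "a adminAppsAndServices"; state what the caller gets back, e.g. `.OUTPUTS  The object returned by Get-MonkeyMSGraphObject for the admin/appsAndServices path`, and fix the article to `an adminAppsAndServices object`. `$graphAuth` is read in `Begin` at new line 48 and splatted into the request at line 63 without a `$null` check; if no MS Graph token was acquired the request would be built with an empty `Authentication`, so a guard such as `If($null -eq $graphAuth){ return }` with a verbose message would make that failure mode explicit, unless `Get-MonkeyMSGraphObject` already handles it. `$APIVersion` defaults to `v1.0` here while the analyzer added in the same commit defaults to `beta`; if that is deliberate, a word in the parameter help would save the next reader a check.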
