Manage-Applications.ps1
|
function Add-OrganizationPermissions { <# .SYNOPSIS The Add-OrganizationPermissions function is the inner function that handles adding the application to the Azure DevOps organizations #> param ( [Parameter(Mandatory = $true)] [String]$servicePrincipalId, [String]$logFile = "Add-OrganizationPermissions.log" ) Write-Warning "Please log in to Entra ID using a privileged account which has access to the targeted organizations" Connect-AzUser -logFile $logFile $token = Get-AzAccessToken -ResourceUrl "499b84ac-1321-427f-aa17-267ca6975798" -AsSecureString:$false -ErrorAction Stop $tenantId = (Get-AzTenant).Id $azureDevOpsOrganizationsRaw = Invoke-RestMethod -Headers @{Authorization = "Bearer $($token.Token)"} -Method Get -ContentType "application/json" -ErrorAction Stop -Uri "https://aexprodweu1.vsaex.visualstudio.com/_apis/EnterpriseCatalog/Organizations?tenantId=$tenantId" $azureDevOpsOrganizationsNameAndId = $azureDevOpsOrganizationsRaw | ConvertFrom-CSV | ForEach-Object {$_ | Select-Object "Organization Name", "Organization Id"} Write-Host "Your account has access to the following organizations:" "Your account has access to the following organizations:" | Write-Log -LogPath $logFile $azureDevOpsOrganizationsNameAndId | Out-Host $azureDevOpsOrganizationsNameAndId | Write-Log -LogPath $logFile $choice = Read-Host "Do you want to collect logs for all [a], specific [s] or no [N] organization ? [a/s/N]" if ($choice.ToUpper() -eq "A" -or $choice.ToUpper() -eq "S"){ if ($choice.ToUpper() -eq "S"){ [System.Collections.ArrayList]$wantedOrganizationsNameAndId = @{} $read = $True Write-Host "Leave Blank and press 'Enter' to Stop" while ($read){ $potentialOrganizationId = Read-Host "Please enter the organization IDs, one by one, and press 'Enter'" if ($potentialOrganizationId){ $selectedInput = $azureDevOpsOrganizationsNameAndId | Where-Object {$_."Organization Id" -eq $potentialOrganizationId} if ($null -ne $selectedInput){ $wantedOrganizationsNameAndId.Add($selectedInput) | Out-Null Write-Host "Added $potentialOrganizationId" } else { Write-Warning "Invalid organization ID, please try again" } } else { $read = $False } } } elseif ($choice.ToUpper() -eq "A"){ $wantedOrganizationsNameAndId = $azureDevOpsOrganizationsNameAndId } foreach ($organization in $wantedOrganizationsNameAndId){ $organizationName = $organization.'Organization Name' Write-Host "Adding service principal to organization $organizationName ($($organization.'Organization Id'))" "Adding service principal to organization $organizationName ($($organization.'Organization Id'))" | Write-Log -LogPath $logFile $isSuccess = (Invoke-RestMethod -Headers @{Authorization = "Bearer $($token.Token)"} -Method POST -ContentType "application/json" -ErrorAction Stop -Uri "https://vsaex.dev.azure.com/$organizationName/_apis/serviceprincipalentitlements?api-version=7.1-preview.1" -Body "{`"accessLevel`": {`"accountLicenseType`": `"stakeholder`"},`"servicePrincipal`": {`"origin`": `"aad`",`"originId`": `"$servicePrincipalId`",`"subjectKind`": `"servicePrincipal`"}}").isSuccess while ($isSuccess -ne "True"){ try { $isSuccess = (Invoke-RestMethod -Headers @{Authorization = "Bearer $($token.Token)"} -Method POST -ContentType "application/json" -ErrorAction Stop -Uri "https://vsaex.dev.azure.com/$organizationName/_apis/serviceprincipalentitlements?api-version=7.1-preview.1" -Body "{`"accessLevel`": {`"accountLicenseType`": `"stakeholder`"},`"servicePrincipal`": {`"origin`": `"aad`",`"originId`": `"$servicePrincipalId`",`"subjectKind`": `"servicePrincipal`"}}").isSuccess } catch { Write-Warning "Service principal is not yet available to $organizationName ($($organization.'Organization Id'))" "Service principal is not yet available to $organizationName ($($organization.'Organization Id'))" | Write-Log -LogPath $logFile -LogLevel Warning Start-Sleep -Seconds 1 } } $securityNamespaces = Get-AzDevOpsRestAPIResponseUser -uri "https://dev.azure.com/$organizationName/_apis/securitynamespaces" -logFile $logFile $auditLogServiceNamescapeId = $securityNamespaces | Where-Object {$_.displayName -eq "AuditLog"} | Select-Object -ExpandProperty namespaceId $auditLogReadBit = $securityNamespaces | Where-Object {$_.displayName -eq "AuditLog"} | Select-Object -ExpandProperty actions | Where-Object {$_.name -eq "Read"} | Select-Object -ExpandProperty bit $servicePrincipals = Get-AzDevOpsRestAPIResponseUser -uri "https://vssps.dev.azure.com/$organizationName/_apis/graph/serviceprincipals?api-version=7.1-preview.1" -logFile $logFile $domain = $servicePrincipals | Where-Object {$_.originId -eq $servicePrincipalId} | Select-Object -ExpandProperty domain $null = Invoke-RestMethod -Headers @{Authorization = "Bearer $($token.Token)"} -Method POST -ContentType "application/json" -ErrorAction Stop -Uri "https://dev.azure.com/$organizationName/_apis/AccessControlEntries/$auditLogServiceNamescapeId" -Body "{`"token`":`"AllPermissions`",`"merge`":true,`"accessControlEntries`":[{`"descriptor`":`"Microsoft.VisualStudio.Services.Claims.AadServicePrincipal;$domain\\$servicePrincipalId`",`"allow`":$auditLogReadBit,`"deny`":0}]}" } Write-Host "Done assigning roles on organizations for the application" "Done assigning roles on organizations for the application" | Write-Log -LogPath $logFile } else { Write-Warning "No organization was selected" "No organization was selected" | Write-Log -LogPath $logFile -LogLevel Warning } } function Add-SubscriptionPermissions { <# .SYNOPSIS The Add-SubscriptionPermissions function is the inner function that handles adding the application to the Azure Resource Manager subscriptions #> param ( [Parameter(Mandatory = $true)] [String]$servicePrincipalId, [String]$logFile = "Add-SubscriptionPermissions.log" ) Write-Warning "Please log in to Entra ID using a privileged account which has access to the targeted subscriptions" Connect-AzUser -logFile $logFile $subscriptionsNameAndId = Get-AzSubscription -ErrorAction Stop | Select-Object Name, Id Write-Host "Your account has access to the following subscriptions:" "Your account has access to the following subscriptions:" | Write-Log -LogPath $logFile $subscriptionsNameAndId | Out-Host $subscriptionsNameAndId | Write-Log -LogPath $logFile $choice = Read-Host "Do you want to be able to collect logs for all [a], specific [s] or no [N] subscription ? [a/s/N]" if ($choice.ToUpper() -eq "A" -or $choice.ToUpper() -eq "S"){ $alreadyExistingCheckRoleDefinition = Get-AzRoleDefinition -Name "LogCollectionDFIRO365RC" -ErrorAction Stop -WarningAction:SilentlyContinue if ($null -ne $alreadyExistingCheckRoleDefinition){ $role = $alreadyExistingCheckRoleDefinition } else { $role = Get-AzRoleDefinition "Reader" -ErrorAction Stop $role.Id = $null } $role.Name = "LogCollectionDFIRO365RC" $role.Description = "Can view activity logs" $role.Actions.Clear() $role.Actions.Add("Microsoft.Insights/eventtypes/*") $role.AssignableScopes.Clear() if ($choice.ToUpper() -eq "S"){ [System.Collections.ArrayList]$wantedSubscriptionsNameAndId = @{} $read = $True Write-Host "Leave Blank and press 'Enter' to Stop" while ($read){ $potentialSubscriptionId = Read-Host "Please enter the subscription IDs, one by one, and press 'Enter'" if ($potentialSubscriptionId){ $selectedInput = $subscriptionsNameAndId | Where-Object {$_.Id -eq $potentialSubscriptionId} if ($null -ne $selectedInput){ $wantedSubscriptionsNameAndId.Add($selectedInput) | Out-Null Write-Host "Added $potentialSubscriptionId" } else { Write-Warning "Invalid subscription ID, please try again" } } else { $read = $False } } } elseif ($choice.ToUpper() -eq "A"){ $wantedSubscriptionsNameAndId = $subscriptionsNameAndId } foreach ($subscription in $wantedSubscriptionsNameAndId){ Write-Host "Adding subscription $($subscription.Name) ($($subscription.Id)) to the list of scopes" "Adding subscription $($subscription.Name) ($($subscription.Id)) to the list of scopes" | Write-Log -LogPath $logFile $role.AssignableScopes.Add("/subscriptions/$($subscription.Id)") } if ($role.AssignableScopes.length -gt 0){ if ($null -ne $alreadyExistingCheckRoleDefinition){ $roleDefinition = Set-AzRoleDefinition -Role $role -ErrorAction Stop } else { $roleDefinition = New-AzRoleDefinition -Role $role -ErrorAction Stop } } else { Write-Warning "No subscription was selected" "No subscription was selected" | Write-Log -LogPath $logFile -LogLevel Warning } foreach ($subscription in $wantedSubscriptionsNameAndId){ $alreadyExistingCheckRoleAssignement = Get-AzRoleAssignment -ObjectId $servicePrincipalId -RoleDefinitionId $roleDefinition.Id -Scope "/subscriptions/$($subscription.Id)" -ErrorAction Stop if ($null -eq $alreadyExistingCheckRoleAssignement){ Write-Host "Assigning role for scope $($subscription.Name) ($($subscription.Id))" "Assigning role for scope $($subscription.Name) ($($subscription.Id))" | Write-Log -LogPath $logFile $null = New-AzRoleAssignment -ObjectId $servicePrincipalId -Scope "/subscriptions/$($subscription.Id)" -RoleDefinitionId $roleDefinition.Id -ErrorAction Stop } else { Write-Host "Scope $($subscription.Name) ($($subscription.Id)) is already assigned" "Scope $($subscription.Name) ($($subscription.Id)) is already assigned" | Write-Log -LogPath $logFile } } Write-Host "Done assigning roles on subscriptions for the application" "Done assigning roles on subscriptions for the application" | Write-Log -LogPath $logFile } else { Write-Warning "You have not selected any subscription" "You have not selected any subscription" | Write-Log -LogPath $logFile -LogLevel Warning } } function Update-Application { <# .SYNOPSIS The Update-Application function will update an existing application to add a certificate. The "-organizations" switch will allow the application to collect logs from Azure DevOps organizations. The "-subscriptions" switch will allow the application to collect logs from Azure Resource Manager subscriptions .EXAMPLE PS C:\>$certificateb64 = [Convert]::ToBase64String([IO.File]::ReadAllBytes("example.der")) PS C:\>New-Application -certificateb64 $certificateb64 Update the application to add a certificate ("example.der"). PS C:\>$certificateb64 = [Convert]::ToBase64String([IO.File]::ReadAllBytes("example.der")) PS C:\>New-Application -certificateb64 $certificateb64 -organizations -subscriptions Update the application to add a certificate ("example.der") and access to Azure DevOps organizations and Azure Resource Manager subscriptions. #> param ( [Parameter(Mandatory = $false)] [String]$certificateb64, [Parameter(Mandatory = $false)] [Switch]$subscriptions, [Parameter(Mandatory = $false)] [Switch]$organizations, [String]$logFile = "Update-Application.log" ) $currentPath = (Get-Location).path $logFile = $currentPath + "\" + $logFile Connect-MicrosoftGraphUser -logFile $logFile Write-Host "Check for already existing DFIR-O365 applications" "Check for already existing DFIR-O365 applications" | Write-Log -LogPath $logFile $alreadyExistingCheck = Get-MgApplication -Filter "startswith(DisplayName,'LogCollectionDFIRO365RC_')" -ErrorAction Stop if ($alreadyExistingCheck){ if ($alreadyExistingCheck.length -gt 1){ Write-Error $alreadyExistingCheck.length + " LogCollectionDFIRO365RC applications are present. Please delete all but one existing applications" $alreadyExistingCheck.length + " LogCollectionDFIRO365RC applications are present" | Write-Log -LogPath $logFile -LogLevel Error } else { $applicationName = "$($alreadyExistingCheck.DisplayName)" Write-Host "A LogCollectionDFIRO365RC application already exists: $applicationName" "A LogCollectionDFIRO365RC application already exists: $applicationName" | Write-Log -LogPath $logFile if ("" -ne $certificateb64){ $confirmation = Read-Host "Do you want to add the provided certificate to the application $applicationName ? [y/N]" if ($confirmation.ToUpper() -eq "Y"){ Write-Host "Loading the certificate" "Loading the certificate" | Write-Log -LogPath $logFile try { $rawCertificate = [Convert]::FromBase64String($certificateb64) $X509certificate = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($rawCertificate) Write-Host "Adding the provided certificate to the existing application" "Adding the provided certificate to the existing application" | Write-Log -LogPath $logFile $keyCreds = @{ Type = "AsymmetricX509Cert"; Usage = "Verify"; key = $rawCertificate; startDateTime = $X509certificate.NotBefore; endDateTime = $X509certificate.NotAfter; displayName = $(New-Guid).Guid; } $alreadyExistingCheck.KeyCredentials += $keyCreds Update-MgApplication -ApplicationId $alreadyExistingCheck.Id -KeyCredentials $alreadyExistingCheck.KeyCredentials } catch { Write-Warning "Error loading and adding the new certificate. - $($_.Exception.Message)" "Error loading and adding the new certificate. - $($_.Exception.Message)" | Write-Log -LogPath $logFile -LogLevel Warning } } else { Write-Warning "Not adding the provided certificate to the existing application" "Not adding the provided certificate to the existing application" | Write-Log -LogPath $logFile -LogLevel Warning } } $alreadyExistingCheck = Get-MgServicePrincipal -ErrorAction Stop | Where-Object { $_.DisplayName.StartsWith("LogCollectionDFIRO365RC_") } if ($alreadyExistingCheck){ if ($alreadyExistingCheck.length -gt 1){ Write-Warning $alreadyExistingCheck.length + " LogCollectionDFIRO365RC_ service principals are present. Please delete all but one existing service principals" $alreadyExistingCheck.length + " LogCollectionDFIRO365RC_ service principals are present" | Write-Log -LogPath $logFile -LogLevel Warning } else { if ($subscriptions){ Add-SubscriptionPermissions -servicePrincipalId $alreadyExistingCheck.Id -logFile $logFile } if ($organizations){ Add-OrganizationPermissions -servicePrincipalId $alreadyExistingCheck.Id -logFile $logFile } } } } } else { Write-Error "No application was found. Please call New-Application to create an application instead" "No application was found. Please call New-Application to create an application instead" | Write-Log -LogPath $logFile -LogLevel Error } } function New-Application { <# .SYNOPSIS The New-Application function will create an application in Entra ID and corresponding service principals in Entra ID and Exchange Online, with the right permissions. This will be used to do the log collection. The function will take as an input a base64 (public) certificate to import into the application. The "-organizations" switch will allow the application to collect logs from Azure DevOps organizations. The "-subscriptions" switch will allow the application to collect logs from Azure Resource Manager subscriptions. .EXAMPLE PS C:\>$certificateb64 = [Convert]::ToBase64String([IO.File]::ReadAllBytes("example.der")) PS C:\>New-Application -certificateb64 $certificateb64 Create an application with the required permissions, with a certificate ("example.der"). PS C:\>$certificateb64 = [Convert]::ToBase64String([IO.File]::ReadAllBytes("example.der")) PS C:\>New-Application -certificateb64 $certificateb64 -organizations -subscriptions Create an application with the required permissions, with a certificate ("example.der") and access to Azure DevOps organizations and Azure Resource Manager subscriptions. #> param ( [Parameter(Mandatory = $true)] [String]$certificateb64, [Parameter(Mandatory = $false)] [Switch]$subscriptions, [Parameter(Mandatory = $false)] [Switch]$organizations, [String]$logFile = "New-Application.log" ) $currentPath = (Get-Location).path $logFile = $currentPath + "\" + $logFile $applicationName = "LogCollectionDFIRO365RC_" + $(New-Guid).Guid Connect-MicrosoftGraphUser -logFile $logFile $tenantPrincipalDomain = (Get-MgDomain | Where-Object { $_.Isdefault -eq $True }).Id Write-Host "Check for already existing DFIR-O365 applications" "Check for already existing CF66J756VDFIR-O365 applications" | Write-Log -LogPath $logFile $alreadyExistingCheck = Get-MgApplication -Filter "startswith(DisplayName,'LogCollectionDFIRO365RC_')" -ErrorAction Stop if ($alreadyExistingCheck){ Write-Error "A LogCollectionDFIRO365RC_* application already exists. Please call Update-Application instead" "A LogCollectionDFIRO365RC_* application already exists. Please call Update-Application instead" | Write-Log -LogPath $logFile -LogLevel Error } else { "Getting Entra ID permission 'Exchange.ManageAsApp' for 'Office 365 Exchange Online'" | Write-Log -LogPath $logFile $exchangeApi = (Get-MgServicePrincipal -Filter "AppID eq '00000002-0000-0ff1-ce00-000000000000'" -ErrorAction Stop) $exchangeManageAsAppPermission = $exchangeApi.AppRoles | Where-Object { $_.Value -eq 'Exchange.ManageAsApp' } $exchangeRequiredAccess = @{ ResourceAppId = $exchangeApi.AppId ; ResourceAccess = @( @{ Id = $exchangeManageAsAppPermission.Id ; Type = "Role" } ) } "Getting Entra ID permissions 'AuditLog.Read.All', 'AuditLogsQuery.Read.All', 'Application.Read.All', 'DelegatedPermissionGrant.Read.All', Device.Read.All' and 'Organization.Read.All' for 'Microsoft Graph'" | Write-Log -LogPath $logFile $graphApi = (Get-MgServicePrincipal -Filter "AppID eq '00000003-0000-0000-c000-000000000000'" -ErrorAction Stop) $graphAuditLogReadAll = $graphApi.AppRoles | Where-Object { $_.Value -eq 'AuditLog.Read.All' } $graphAuditLogsQueryReadAll = $graphApi.AppRoles | Where-Object { $_.Value -eq 'AuditLogsQuery.Read.All' } $graphApplicationReadAll = $graphApi.AppRoles | Where-Object { $_.Value -eq 'Application.Read.All' } $graphDelegatedPermissionGrandReadAll = $graphApi.AppRoles | Where-Object { $_.Value -eq 'DelegatedPermissionGrant.Read.All' } $graphDeviceReadAll = $graphApi.AppRoles | Where-Object { $_.Value -eq 'Device.Read.All' } $graphOrganizationReadAll = $graphApi.AppRoles | Where-Object { $_.Value -eq 'Organization.Read.All' } $graphRequiredAccess = @{ ResourceAppId = $graphApi.AppId ; ResourceAccess = @( @{ Id = $graphAuditLogReadAll.Id ; Type = "Role" }, @{ Id = $graphAuditLogsQueryReadAll.Id ; Type = "Role" }, @{ Id = $graphApplicationReadAll.Id ; Type = "Role" }, @{ Id = $graphDelegatedPermissionGrandReadAll.Id ; Type = "Role" }, @{ Id = $graphDeviceReadAll.Id ; Type = "Role" }, @{ Id = $graphOrganizationReadAll.Id ; Type = "Role" } ) } if ($null -eq $exchangeApi){ Write-Warning "Application 'Office 365 Exchange Online' could not be found in your tenant. You won't be able to use the Get-O365' functions" "Application 'Office 365 Exchange Online' could not be found in your tenant. You won't be able to use the Get-O365' functions" | Write-Log -LogPath $logFile -LogLevel Warning } Write-Host "Creating application $applicationName with the required permissions" "Creating application $applicationName with the required permissions" | Write-Log -LogPath $logFile if ($null -eq $exchangeApi){ if ($null -ne $graphApi){ $myApp = New-MgApplication -DisplayName $applicationName -RequiredResourceAccess $graphRequiredAccess -ErrorAction Stop } else { $myApp = New-MgApplication -DisplayName $applicationName -ErrorAction Stop } } else { if ($null -ne $graphApi){ $myApp = New-MgApplication -DisplayName $applicationName -RequiredResourceAccess $exchangeRequiredAccess,$graphRequiredAccess -ErrorAction Stop } else { $myApp = New-MgApplication -DisplayName $applicationName -RequiredResourceAccess $exchangeRequiredAccess -ErrorAction Stop } } "Creating service principal" | Write-Log -LogPath $logFile $mySP = New-MgServicePrincipal -AppId $myApp.AppID -ErrorAction Stop Write-Host "Loading the certificate" "Loading the certificate" | Write-Log -LogPath $logFile try { $rawCertificate = [Convert]::FromBase64String($certificateb64) $X509certificate = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($rawCertificate) Write-Host "Adding credentials to the application" "Adding credentials to the application" | Write-Log -LogPath $logFile $keyCreds = @{ Type = "AsymmetricX509Cert"; Usage = "Verify"; key = $rawCertificate; startDateTime = $X509certificate.NotBefore; endDateTime = $X509certificate.NotAfter; displayName = $(New-Guid).Guid; } Update-MgApplication -ApplicationId $myApp.Id -KeyCredentials $keyCreds } catch { Write-Warning "Error loading and adding the certificate. The application will be created, but you will need to call Update-Certificate to add the certificate to the application (or do it using the GUI). - $($_.Exception.Message)" "Error loading and adding the certificate. The application will be created, but you will need to call Update-Certificate to add the certificate to the application (or do it using the GUI). - $($_.Exception.Message)" | Write-Log -LogPath $logFile -LogLevel Warning } $tenantID = (Get-MgOrganization -ErrorAction Stop).Id Write-Host "Sleeping 30 seconds for the application to be correctly deployed" Start-Sleep -Seconds 30 $consentURL = "https://login.microsoftonline.com/$tenantID/adminconsent?client_id=$($myApp.AppId)" Write-Warning "Please use a web browser to open the page $consentURL and do an admin consent for the application (error AADSTS500113 is expected after the consent)" "Displaying the URI for the admin consent" | Write-Log -LogPath $logFile $hasConsented = $False while (-not $hasConsented){ $roleAssignements = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $mySP.Id if ($roleAssignements){ if ($roleAssignements.length -gt 1){ foreach ($roleAssignement in $roleAssignements){ if ($roleAssignement.AppRoleId -eq $graphAuditLogReadAll.Id){ Write-Host "Admin consent: done" "Admin consent: done" | Write-Log -LogPath $logFile $hasConsented = $True } } } else { if ($roleAssignements.AppRoleId -eq $graphAuditLogReadAll.Id){ Write-Host "Admin consent: done" "Admin consent: done" | Write-Log -LogPath $logFile $hasConsented = $True } } } Start-Sleep -Seconds 1 } if ($subscriptions){ Add-SubscriptionPermissions -servicePrincipalId $mySP.Id -logFile $logFile } if ($organizations){ Add-OrganizationPermissions -servicePrincipalId $mySP.Id -logFile $logFile } Connect-ExchangeOnlineUser -logFile $logFile try { $exoSP = New-ServicePrincipal -AppId $myApp.AppId -ObjectId $mySP.Id -DisplayName $applicationName -ErrorAction Stop } catch { $_.Exception.Message | Write-Log -LogPath $logFile -LogLevel Error Write-Warning "Can't create Service Principal in Exchange Online. Please check that you have access to Exchange Online using PowerShell. You won't be able to use Get-O365' functions. Exiting" "Can't create Service Principal in Exchange Online. Please check that you have access to Exchange Online using PowerShell. You won't be able to use Get-O365' functions. Exiting" | Write-Log -LogPath $logFile -LogLevel Warning Write-Host "Done creating the application with some of the required permissions" Write-Host "Please use the following identifiers: " Write-Warning "AppID: $($myApp.AppID)" "AppID: $($myApp.AppID)" | Write-Log -LogPath $logFile Write-Warning "Tenant: $tenantPrincipalDomain" "Tenant: $tenantPrincipalDomain" | Write-Log -LogPath $logFile exit } $roleGroupName = $applicationName + "_RG" try { $null = New-RoleGroup -Name $roleGroupName -Roles "View-only audit logs" -Members $exoSP.Id -ErrorAction Stop Write-Host "Done creating the application with the required permissions" Write-Host "Please use the following identifiers: " Write-Warning "AppID: $($myApp.AppID)" "AppID: $($myApp.AppID)" | Write-Log -LogPath $logFile Write-Warning "Tenant: $tenantPrincipalDomain" "Tenant: $tenantPrincipalDomain" | Write-Log -LogPath $logFile } catch { $_.Exception.Message | Write-Log -LogPath $logFile -LogLevel Error Write-Warning "Organization Customization was not enabled on this tenant. Enabling it" "Organization Customization was not enabled on this tenant. Enabling it" | Write-Log -LogPath $logFile -LogLevel Warning Enable-OrganizationCustomization Write-Warning "Organization Customization was enabled. It may take up to 4 hours before being propagated. When it is propagated, please call Remove-Application and New-Application again" } } } function Remove-Application { <# .SYNOPSIS The Remove-Application function will delete every application, service principal and role groups which were created in Entra ID and Exchange Online for DFIR-O365RC. The "-organizations" switch will delete the application from Azure DevOps organizations. The "-subscriptions" switch will delete the application from Azure Resource Manager subscriptions. .EXAMPLE PS C:\>Remove-Application Deletes every application, service principal and role groups which were created in Entra ID and Exchange Online for DFIR-O365RC. PS C:\>Remove-Application -organizations -subscriptions Deletes every application, service principal and role groups which were created in Entra ID, Exchange Online, Azure DevOps organizations and Azure Resource Manager subscriptions for DFIR-O365RC. #> param ( [Parameter(Mandatory = $false)] [Switch]$subscriptions, [Parameter(Mandatory = $false)] [Switch]$organizations, [String]$logFile = "Remove-Application.log" ) $currentPath = (Get-Location).path $logFile = $currentPath + "\" + $logFile Connect-MicrosoftGraphUser -logFile $logFile Write-Host "Check for already existing DFIR-O365 applications" "Check for already existing DFIR-O365 applications" | Write-Log -LogPath $logFile $alreadyExistingCheck = Get-MgApplication -Filter "startswith(DisplayName,'LogCollectionDFIRO365RC_')" -ErrorAction Stop if ($alreadyExistingCheck){ if ($alreadyExistingCheck.length -gt 1){ foreach ($application in $alreadyExistingCheck){ Write-Host "Removing application: $($application.DisplayName)" "Removing application: $($application.DisplayName)" | Write-Log -LogPath $logFile $confirmation = Read-Host "Continue ? [y/N]" if ($confirmation.ToUpper() -eq "Y"){ Remove-MgApplication -ApplicationId $application.Id -Confirm:$false } } } else { Write-Host "Removing application: $($alreadyExistingCheck.DisplayName)" "Removing application: $($alreadyExistingCheck.DisplayName)" | Write-Log -LogPath $logFile $confirmation = Read-Host "Continue ? [y/N]" if ($confirmation.ToUpper() -eq "Y"){ Remove-MgApplication -ApplicationId $alreadyExistingCheck.Id -Confirm:$false } } } if ($subscriptions -or $organizations){ Write-Warning "Please log in to Entra ID using a privileged account which has access to the targeted subscriptions / organizations" Connect-AzUser -logFile $logFile if ($subscriptions){ Write-Host "Check for already existing DFIR-O365 Entra ID role assignments for role LogCollectionDFIRO365RC" "Check for already existing DFIR-O365 Entra ID role assignments for role LogCollectionDFIRO365RC" | Write-Log -LogPath $logFile try { $alreadyExistingCheckRoleAssignement = Get-AzRoleAssignment -RoleDefinitionName "LogCollectionDFIRO365RC" -ErrorAction Stop } catch { $errorMessage = $_.Exception.Message if ($errormessage -like "*No subscription was found in the default profile*"){ Write-Warning "No subsriptions were found" "No subsriptions were found" | Write-Log -LogPath $logFile -LogLevel Warning } else { Write-Error $errorMessage $errorMessage | Write-Log -LogPath $logFile -LogLevel Error } $alreadyExistingCheckRoleAssignement = $null } if ($alreadyExistingCheckRoleAssignement){ if ($alreadyExistingCheckRoleAssignement.length -gt 1){ foreach ($roleAssignement in $alreadyExistingCheckRoleAssignement){ Write-Host "Removing LogCollectionDFIRO365RC role assignement for object ID: $($roleAssignement.ObjectId)" "Removing LogCollectionDFIRO365RC role assignement for object ID: $($roleAssignement.ObjectId)" | Write-Log -LogPath $logFile $confirmation = Read-Host "Continue ? [y/N]" if ($confirmation.ToUpper() -eq "Y"){ Remove-AzRoleAssignment -RoleDefinitionName "LogCollectionDFIRO365RC" -ObjectId $roleAssignement.ObjectId } } } else { Write-Host "Removing LogCollectionDFIRO365RC role assignement for object ID: $($alreadyExistingCheckRoleAssignement.ObjectId)" "Removing LogCollectionDFIRO365RC role assignement for object ID: $($alreadyExistingCheckRoleAssignement.ObjectId)" | Write-Log -LogPath $logFile $confirmation = Read-Host "Continue ? [y/N]" if ($confirmation.ToUpper() -eq "Y"){ Remove-AzRoleAssignment -RoleDefinitionName "LogCollectionDFIRO365RC" -ObjectId $alreadyExistingCheckRoleAssignement.ObjectId } } } Write-Host "Check for already existing DFIR-O365 Entra ID role definitions" "Check for already existing DFIR-O365 Entra ID role definitions" | Write-Log -LogPath $logFile try { $alreadyExistingCheckRoleDefinition = Get-AzRoleDefinition -Name "LogCollectionDFIRO365RC" -ErrorAction Stop -WarningAction:SilentlyContinue } catch { $errorMessage = $_.Exception.Message if ($errormessage -like "No subscription was found in the default profile*"){ Write-Warning "No subsriptions were found" "No subsriptions were found" | Write-Log -LogPath $logFile -LogLevel Warning } else { Write-Error $errorMessage $errorMessage | Write-Log -LogPath $logFile -LogLevel Error } $alreadyExistingCheckRoleDefinition = $null } if ($alreadyExistingCheckRoleDefinition){ if ($alreadyExistingCheckRoleDefinition.length -gt 1){ foreach ($roleDefinition in $alreadyExistingCheckRoleDefinition){ Write-Host "Removing role definition LogCollectionDFIRO365RC, ID: $($roleDefinition.Id)" "Removing role definition LogCollectionDFIRO365RC, ID: $($roleDefinition.Id)" | Write-Log -LogPath $logFile $confirmation = Read-Host "Continue ? [y/N]" if ($confirmation.ToUpper() -eq "Y"){ Remove-AzRoleDefinition -Id $roleDefinition.Id -Confirm:$false -Force } } } else { Write-Host "Removing role definition LogCollectionDFIRO365RC, ID: $($alreadyExistingCheckRoleDefinition.Id)" "Removing role definition LogCollectionDFIRO365RC, ID: $($alreadyExistingCheckRoleDefinition.Id)" | Write-Log -LogPath $logFile $confirmation = Read-Host "Continue ? [y/N]" if ($confirmation.ToUpper() -eq "Y"){ Remove-AzRoleDefinition -Id $alreadyExistingCheckRoleDefinition.Id -Confirm:$false -Force } } } } if ($organizations){ Write-Host "Check for already existing DFIR-O365 service principals in DevOps organizations" "Check for already existing DFIR-O365 service principals in DevOps organizations" | Write-Log -LogPath $logFile $token = Get-AzAccessToken -ResourceUrl "499b84ac-1321-427f-aa17-267ca6975798" -AsSecureString:$false -ErrorAction Stop $tenantId = (Get-AzTenant).Id $azureDevOpsOrganizationsRaw = Invoke-RestMethod -Headers @{Authorization = "Bearer $($token.Token)"} -Method Get -ContentType "application/json" -ErrorAction Stop -Uri "https://aexprodweu1.vsaex.visualstudio.com/_apis/EnterpriseCatalog/Organizations?tenantId=$tenantId" if ($null -ne $azureDevOpsOrganizationsRaw){ $azureDevOpsOrganizationsNameAndId = $azureDevOpsOrganizationsRaw | ConvertFrom-CSV | ForEach-Object {$_ | Select-Object "Organization Name", "Organization Id"} foreach ($organization in $azureDevOpsOrganizationsNameAndId){ $organizationName = $organization.'Organization Name' Write-Host "Checking presence of DFIR-O365RC Service Principals in $organizationName ($($organization.'Organization Id')) Azure DevOps organization" "Checking presence of DFIR-O365RC Service Principals in $organizationName ($($organization.'Organization Id')) Azure DevOps organization" | Write-Log -LogPath $logFile $servicePrincipals = Get-AzDevOpsRestAPIResponseUser -uri "https://vssps.dev.azure.com/$organizationName/_apis/graph/serviceprincipals?api-version=7.1-preview.1" -logFile $logFile $servicePrincipalsToDelete = $servicePrincipals | Where-Object {$_.displayName -like "LogCollectionDFIRO365RC_*"} foreach ($servicePrincipalToDelete in $servicePrincipalsToDelete){ $storageKey = Invoke-RestMethod -Headers @{Authorization = "Bearer $($token.Token)"} -Method GET -uri "https://vssps.dev.azure.com/$organizationName/_apis/graph/storagekeys/$($servicePrincipalToDelete.descriptor)?api-version=7.1-preview.1" -ErrorAction Stop Write-Host "Deleting $($servicePrincipalToDelete.displayName) in $organizationName" "Deleting $($servicePrincipalToDelete.displayName) in $organizationName" | Write-Log -LogPath $logFile $confirmation = Read-Host "Continue ? [y/N]" if ($confirmation.ToUpper() -eq "Y"){ $null = Invoke-RestMethod -Headers @{Authorization = "Bearer $($token.Token)"} -Method DELETE -Uri "https://vsaex.dev.azure.com/$organizationName/_apis/serviceprincipalentitlements/$($storageKey.value)?api-version=7.1-preview.1" -ErrorAction Stop } } } } else { Write-Error "Error while fetching Azure DevOps Organizations" "Error while fetching Azure DevOps Organizations" | Write-Log -LogPath $logFile -LogLevel "ERROR" } } } Connect-ExchangeOnlineUser -logFile $logFile Write-Host "Check for already existing DFIR-O365 service principals in Exchange Online" "Check for already existing DFIR-O365 service principals in Exchange Online" | Write-Log -LogPath $logFile $alreadyExistingCheck = Get-ServicePrincipal -ErrorAction Stop | Where-Object { $_.DisplayName.StartsWith("LogCollectionDFIRO365RC_") } if ($alreadyExistingCheck){ if ($alreadyExistingCheck.length -gt 1){ foreach ($servicePrincipal in $alreadyExistingCheck){ Write-Host "Removing service principal: $($servicePrincipal.DisplayName)" "Removing service principal: $($servicePrincipal.DisplayName)" | Write-Log -LogPath $logFile $confirmation = Read-Host "Continue ? [y/N]" if ($confirmation.ToUpper() -eq "Y"){ Remove-ServicePrincipal -Id $servicePrincipal.ObjectId -Confirm:$false } } } else { Write-Host "Removing service principal: $($alreadyExistingCheck.DisplayName)" "Removing service principal: $($alreadyExistingCheck.DisplayName)" | Write-Log -LogPath $logFile $confirmation = Read-Host "Continue ? [y/N]" if ($confirmation.ToUpper() -eq "Y"){ Remove-ServicePrincipal -Id $alreadyExistingCheck.ObjectId -Confirm:$false } } } Write-Host "Check for already existing DFIR-O365 role groups in Exchange Online" "Check for already existing DFIR-O365 role groups in Exchange Online" | Write-Log -LogPath $logFile $alreadyExistingCheck = Get-RoleGroup | Where-Object { $_.Name.StartsWith("LogCollectionDFIRO365RC_") } if ($alreadyExistingCheck){ if ($alreadyExistingCheck.length -gt 1){ foreach ($roleGroup in $alreadyExistingCheck){ Write-Host "Removing role group: $($roleGroup.Name)" "Removing role group: $($roleGroup.Name)" | Write-Log -LogPath $logFile $confirmation = Read-Host "Continue ? [y/N]" if ($confirmation.ToUpper() -eq "Y"){ Remove-RoleGroup -Identity $roleGroup.Identity -Confirm:$false } } } else { Write-Host "Removing role group: $($alreadyExistingCheck.Name)" "Removing role group: $($alreadyExistingCheck.Name)" | Write-Log -LogPath $logFile $confirmation = Read-Host "Continue ? [y/N]" if ($confirmation.ToUpper() -eq "Y"){ Remove-RoleGroup -Identity $alreadyExistingCheck.Identity -Confirm:$false } } } } |