invictus-ir/Microsoft-Extractor-Suite

Graph beta install - more specific modules

Closed this issue ยท 6 comments

angry-bender commented

Hi again,

Just wondering what exact module is required for Microsoft.Graph.Beta would be awesome to narrow it down to a specific subset of packages to speed up pre-requisite install ๐Ÿ˜Š

Calvindd2f commented

I think Invoke-GraphRequest took out most of the beta usage as it is now declared in URL.

It seems the only Functions that depends on a graph modules (barring Microsoft.Graph.Authentication, which is used for Invoke-MgGraphRequest,Connect-MgGraph -are:

Get-MgIdentityConditionalAccessPolicy [Microsoft.Graph.Identity.SignIns]
Get-MgDirectoryRoleMember, [Microsoft.Graph.Identity.DirectoryManagement]
Get-MgUser, [Microsoft.Graph.Users]
Get-MgUserMessage, [Microsoft.Graph.Mail]
Get-MgUserMessageAttachment, [Microsoft.Graph.Mail]
Get-MgUserMessageContent [Microsoft.Graph.Mail]

These can also be replaced with API version in time. Along with the Get-OAuthPermissions if deemed necessary, I just used a new function in what I've half-assed for Get-OAuthPermissions

function Get-UriObject
{
	$uri = [PSCustomObject]@{
		uri                        = "https://graph.microsoft.com/v1.0"
		oauth2PermissionGrants     = "/oauth2PermissionGrants"
		getByIds                   = "/directoryObjects/getByIds"
		SPIDoauth2PermissionGrants = "/servicePrincipals/${servicePrincipal-id}/oauth2PermissionGrants"
		servicePrincipals          = "/servicePrincipals"
		organization               = "/organization"
		users                      = "/users"
		appRoleAssignedTo          = "/servicePrincipals/${servicePrincipal-id}/appRoleAssignedTo"
	}
	return $uri
}

Used like this:

$uri=Get-UriObject
$url=$uri.uri+$uri.oauth2PermissionGrants
#https://graph.microsoft.com/v1.0/oauth2PermissionGrants

checked using foreach ($f in $files){cat $f|Select-String -SimpleMatch "-Mg"}

Beta does not even appeared to be used in the api calls barring security/auditlog because there is no v1.0 endpoint for that.

PS> foreach ($f in $files){cat $f|select-string -SimpleMatch 'Beta' }

$response = Invoke-MgGraphRequest -Method POST -Uri "https://graph.microsoft.com/beta/security/auditLog/queries" -Body $body -ContentType "application/json"  
$apiUrl = "https://graph.microsoft.com/beta/security/auditLog/queries/$scanId"  
$apiUrl = "https://graph.microsoft.com/beta/security/auditLog/queries/$scanId/records"  

PS> foreach ($f in $files){cat $f|select-string -SimpleMatch 'v1.0' }  

$apiUrl = "https://graph.microsoft.com/v1.0/auditLogs/signIns?`$filter=$encodedFilterQuery"  
$apiUrl = "https://graph.microsoft.com/v1.0/auditLogs/directoryAudits?`$filter=$encodedFilterQuery"  
$getMessage = Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/v1.0/users/$userIds/messages?filter=internetMessageId eq '$id'"  
$contentUri = "https://graph.microsoft.com/v1.0/users/$userIds/messages/$messageId/\$value"  
$getMessage = Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/v1.0/users/$userIds/messages?filter=internetMessageId eq '$internetMessageId'"  
$contentUri = "https://graph.microsoft.com/v1.0/users/$userIds/messages/$messageId/\$value"  
$getMessage = Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/v1.0/users/$userIds/messages?filter=internetMessageId eq '$internetMessageId'" -ErrorAction stop  
$response = Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/v1.0/users/$userIds/messages/$messageId/attachments"  
$uri = "https://graph.microsoft.com/v1.0/users/$userIds/messages/$messageId/attachments/$($attachment.Id)/\$value"  
$message = Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/v1.0/users/$userIds/messages?filter=internetMessageId eq '$internetMessageId'" -ErrorAction stop  
$nextLink = "https://graph.microsoft.com/v1.0/users"  
$contentUri = "https://graph.microsoft.com/v1.0/users/$($user.id)/authentication/methods"  
$nextLink = "https://graph.microsoft.com/v1.0/reports/authenticationMethods/userRegistrationDetails"    
$uri = "https://graph.microsoft.com/v1.0/identityProtection/riskyUsers"  
$uri = "https://graph.microsoft.com/v1.0/identityProtection/riskDetections"

There does not appear to be any beta module use anymore.

  • โค๏ธ1
angry-bender commented

Awesome I might do a PR for the docs on installation ๐Ÿ˜Š

angry-bender commented

Thanks for that

JoeyInvictus commented

Thanks @Calvindd2f, I can get used to having someone around to answer all angry-bender his questions ๐Ÿ˜œ

@angry-bender, a PR would be fantastic! If you have no experience with ReadTheDocs let me know I can go over it myself as well. You both are right, the Invoke-GraphRequest is replacing many of the specific PowerShell cmdlets and modules we previously needed.

  • ๐Ÿ˜„1
angry-bender commented

Thanks @Calvindd2f, I can get used to having someone around to answer all angry-bender his questions ๐Ÿ˜œ

@angry-bender, a PR would be fantastic! If you have no experience with ReadTheDocs let me know I can go over it myself as well. You both are right, the Invoke-GraphRequest is replacing many of the specific PowerShell cmdlets and modules we previously needed.

Not a problem, should be an easy fix, I'll see if I can find some time tomorrow ๐Ÿ˜Š

  • โค๏ธ2
JoeyInvictus commented

Hi,

I have removed the references to the Graph beta module from the Read The Docs. As mentioned by Calvindd2f, I will also replace the other Graph cmdlets with the API in the future.