invictus-ir / Microsoft-Extractor-Suite

A PowerShell module for acquisition of data from Microsoft 365 and Azure for Incident Response and Cyber Security purposes.
https://microsoft-365-extractor-suite.readthedocs.io/en/latest/
GNU General Public License v2.0

Graph beta install - more specific modules #82

Closed angry-bender closed 3 months ago

angry-bender commented 4 months ago

Hi again,

Just wondering what exact module is required for Microsoft.Graph.Beta. It would be awesome to narrow it down to a specific subset of packages to speed up the prerequisite install 😊

Calvindd2f commented 4 months ago

I think Invoke-GraphRequest took out most of the beta usage, as it is now declared in the URL.

It seems the only functions that depend on Graph modules (barring Microsoft.Graph.Authentication, which is used for Invoke-MgGraphRequest and Connect-MgGraph) are:

Get-MgIdentityConditionalAccessPolicy [Microsoft.Graph.Identity.SignIns]
Get-MgDirectoryRoleMember [Microsoft.Graph.Identity.DirectoryManagement]
Get-MgUser [Microsoft.Graph.Users]
Get-MgUserMessage [Microsoft.Graph.Mail]
Get-MgUserMessageAttachment [Microsoft.Graph.Mail]
Get-MgUserMessageContent [Microsoft.Graph.Mail]

These can also be replaced with the API version in time. Along with the Get-OAuthPermissions if deemed necessary, I just used a new function in what I've half-assed for Get-OAuthPermissions:

function Get-UriObject
{
    # Base URL plus relative paths for the Graph v1.0 endpoints.
    # Paths with the ${servicePrincipal-id} placeholder are single-quoted so the
    # placeholder stays literal; in a double-quoted string it expands to an empty variable.
    $uri = [PSCustomObject]@{
        uri                        = "https://graph.microsoft.com/v1.0"
        oauth2PermissionGrants     = "/oauth2PermissionGrants"
        getByIds                   = "/directoryObjects/getByIds"
        SPIDoauth2PermissionGrants = '/servicePrincipals/${servicePrincipal-id}/oauth2PermissionGrants'
        servicePrincipals          = "/servicePrincipals"
        organization               = "/organization"
        users                      = "/users"
        appRoleAssignedTo          = '/servicePrincipals/${servicePrincipal-id}/appRoleAssignedTo'
    }
    return $uri
}

Used like this:

$uri=Get-UriObject
$url=$uri.uri+$uri.oauth2PermissionGrants
#https://graph.microsoft.com/v1.0/oauth2PermissionGrants

checked using foreach ($f in $files){cat $f|Select-String -SimpleMatch "-Mg"}


Beta does not even appear to be used in the API calls, barring security/auditlog, because there is no v1.0 endpoint for that.

PS> foreach ($f in $files){cat $f|select-string -SimpleMatch 'Beta' }

$response = Invoke-MgGraphRequest -Method POST -Uri "https://graph.microsoft.com/beta/security/auditLog/queries" -Body $body -ContentType "application/json"  
$apiUrl = "https://graph.microsoft.com/beta/security/auditLog/queries/$scanId"  
$apiUrl = "https://graph.microsoft.com/beta/security/auditLog/queries/$scanId/records"  

PS> foreach ($f in $files){cat $f|select-string -SimpleMatch 'v1.0' }  

$apiUrl = "https://graph.microsoft.com/v1.0/auditLogs/signIns?`$filter=$encodedFilterQuery"  
$apiUrl = "https://graph.microsoft.com/v1.0/auditLogs/directoryAudits?`$filter=$encodedFilterQuery"  
$getMessage = Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/v1.0/users/$userIds/messages?filter=internetMessageId eq '$id'"  
$contentUri = "https://graph.microsoft.com/v1.0/users/$userIds/messages/$messageId/\$value"  
$getMessage = Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/v1.0/users/$userIds/messages?filter=internetMessageId eq '$internetMessageId'"  
$contentUri = "https://graph.microsoft.com/v1.0/users/$userIds/messages/$messageId/\$value"  
$getMessage = Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/v1.0/users/$userIds/messages?filter=internetMessageId eq '$internetMessageId'" -ErrorAction stop  
$response = Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/v1.0/users/$userIds/messages/$messageId/attachments"  
$uri = "https://graph.microsoft.com/v1.0/users/$userIds/messages/$messageId/attachments/$($attachment.Id)/\$value"  
$message = Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/v1.0/users/$userIds/messages?filter=internetMessageId eq '$internetMessageId'" -ErrorAction stop  
$nextLink = "https://graph.microsoft.com/v1.0/users"  
$contentUri = "https://graph.microsoft.com/v1.0/users/$($user.id)/authentication/methods"  
$nextLink = "https://graph.microsoft.com/v1.0/reports/authenticationMethods/userRegistrationDetails"    
$uri = "https://graph.microsoft.com/v1.0/identityProtection/riskyUsers"  
$uri = "https://graph.microsoft.com/v1.0/identityProtection/riskDetections"  

There does not appear to be any beta module use anymore.
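
The text search in the comment above can also be done on the parsed script, which counts only real command invocations and reports the sub-module each one needs. This is an added example, not code from the thread or from Microsoft-Extractor-Suite: `Get-GraphModuleUsage` and the sample script are constructed for illustration, and the cmdlet-to-module pairs in `$ModuleMap` are the ones listed in that comment.

```powershell
# Added example: map *-Mg* cmdlets found in scripts to their Graph sub-modules.
# $ModuleMap repeats the pairs named in the comment above; the rest is hypothetical.
$ModuleMap = @{
    'Connect-MgGraph'                       = 'Microsoft.Graph.Authentication'
    'Invoke-MgGraphRequest'                 = 'Microsoft.Graph.Authentication'
    'Get-MgIdentityConditionalAccessPolicy' = 'Microsoft.Graph.Identity.SignIns'
    'Get-MgDirectoryRoleMember'             = 'Microsoft.Graph.Identity.DirectoryManagement'
    'Get-MgUser'                            = 'Microsoft.Graph.Users'
    'Get-MgUserMessage'                     = 'Microsoft.Graph.Mail'
    'Get-MgUserMessageAttachment'           = 'Microsoft.Graph.Mail'
    'Get-MgUserMessageContent'              = 'Microsoft.Graph.Mail'
}

function Get-GraphModuleUsage {
    param([Parameter(Mandatory)][string[]]$Path)
    foreach ($file in $Path) {
        $tokens = $null; $errors = $null
        $ast = [System.Management.Automation.Language.Parser]::ParseFile(
            (Resolve-Path $file).Path, [ref]$tokens, [ref]$errors)
        # Walk command invocations only, so comments and strings that merely
        # mention "-Mg" (which a text grep would match) are ignored.
        $commands = $ast.FindAll(
            { param($node) $node -is [System.Management.Automation.Language.CommandAst] }, $true)
        foreach ($cmd in $commands) {
            $name = $cmd.GetCommandName()   # $null for dynamic calls such as & $x
            if ($name -notmatch '^[A-Za-z]+-Mg') { continue }
            $module = $ModuleMap[$name]
            [PSCustomObject]@{
                File    = Split-Path $file -Leaf
                Command = $name
                Module  = if ($module) { $module } else { 'UNMAPPED' }
            }
        }
    }
}

# Constructed sample input, written to a temp file so the block runs offline.
$sample = Join-Path ([IO.Path]::GetTempPath()) 'sample-graph-usage.ps1'
@'
# Get-MgUserMessage is only mentioned here, in a comment
Connect-MgGraph -Scopes "User.Read.All"
$users = Get-MgUser -All
$r = Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/v1.0/users"
'@ | Set-Content -Path $sample

Get-GraphModuleUsage -Path $sample |
    Group-Object Module |
    Select-Object Name, @{ n = 'Commands'; e = { ($_.Group.Command | Sort-Object -Unique) -join ', ' } }
```

Any cmdlet reported as `UNMAPPED` is one the mapping does not cover and needs its module looked up before the prerequisite list is trimmed.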

angry-bender commented 4 months ago

Awesome I might do a PR for the docs on installation 😊

angry-bender commented 4 months ago

Thanks for that

JoeyInvictus commented 4 months ago

Thanks @Calvindd2f, I can get used to having someone around to answer all angry-bender his questions 😜

@angry-bender, a PR would be fantastic! If you have no experience with ReadTheDocs let me know I can go over it myself as well. You both are right, the Invoke-GraphRequest is replacing many of the specific PowerShell cmdlets and modules we previously needed.

angry-bender commented 4 months ago

> Thanks @Calvindd2f, I can get used to having someone around to answer all angry-bender his questions 😜
>
> @angry-bender, a PR would be fantastic! If you have no experience with ReadTheDocs let me know I can go over it myself as well. You both are right, the Invoke-GraphRequest is replacing many of the specific PowerShell cmdlets and modules we previously needed.

Not a problem, should be an easy fix, I'll see if I can find some time tomorrow 😊

JoeyInvictus commented 3 months ago

Hi,

I have removed the references to the Graph beta module from the Read The Docs. As mentioned by Calvindd2f, I will also replace the other Graph cmdlets with the API in the future.