invictus-ir / Microsoft-Extractor-Suite

A PowerShell module for acquisition of data from Microsoft 365 and Azure for Incident Response and Cyber Security purposes.
https://microsoft-365-extractor-suite.readthedocs.io/en/latest/
GNU General Public License v2.0

Getting Azure Active Directory Logs and Azure Activity Logs #83

Closed Anny212 closed 2 months ago

Anny212 commented 3 months ago

Hi,

I have started using version 2.0.0 of the tool, but I can't extract the Azure Active Directory Logs and Azure Activity Logs (everything else is working fine).

In version 1.3.5, I was successful, but now I am getting an error stating that the module name isn't recognized. For example: [ERROR] An error occurred: The term 'Get-AzureADAuditSignInLogs' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.

I am using the same user with the same permissions.

Hope you can help!

JoeyInvictus commented 3 months ago

Hi,

Thanks for using our tool! It looks like something is wrong with the imported module, as Get-AzureADAuditSignInLogs is the underlying cmdlet used by the Extractor to extract the sign-in logs. The error indicates that the cmdlet was not found, which usually means that the module was not imported or is not installed on the system.

Get-AzureADAuditSignInLogs is part of the AzureADPreview PowerShell module. If you run the following command, do you see AzureADPreview in the PowerShell modules list?

Get-Module -ListAvailable | Where-Object { $_.Name -eq "AzureADPreview" }

Additionally, you can run the following command to check if the relevant command is available:

Get-Command -Module AzureADPreview -Name Get-AzureADAuditSignInLogs

If the command is not found, I recommend installing the module and checking if it works afterward:

Install-Module AzureADPreview
Import-Module AzureADPreview

Let me know if this helps or if you have any additional questions!

Anny212 commented 3 months ago

Thank you for your prompt response!

Firstly, I have just updated the version to 2.0.1, and the Azure Active Directory Logs modules are now working.

However, I am still experiencing issues with Azure Activity Logs. When I attempt to connect using the command Connect-AzureAZ, a popup window appears for account selection, but I receive the following error before I can make a selection:

WARNING: Unable to acquire token for tenant 'organizations' with error 'InteractiveBrowserCredential authentication failed: User canceled authentication. '
WARNING: Please run 'Connect-AzAccount -DeviceCode' if browser is not supported in this session.
Connect-AzAccount : InteractiveBrowserCredential authentication failed: User canceled authentication.
At C:.........\Microsoft-Extractor-Suite-2.0.1\Scripts\Connect.ps1:16 char:2

I've attached a screenshot of the issue.

As a workaround, I ran the command Connect-AzAccount -DeviceCode -TenantId , which allowed me to connect successfully. However, when I try to run the Get-ActivityLogs command, I encounter the following error:

Exception calling "AcquireAccessToken" with "1" argument(s): "Authentication failed against tenant . User interaction is required. This may be due to the conditional access policy settings such as multi-factor authentication (MFA). If you need to access subscriptions in that tenant, please rerun 'Connect-AzAccount' with additional parameter '-TenantId '."
At C:\.........\Microsoft-Extractor-Suite-2.0.1\Scripts\Get-AzureActivityLogs.ps1:76 char:2
+ $token = $profileClient.AcquireAccessToken($currentContext.Tenant ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : AzPSAuthenticationFailedException
[INFO] Retrieving all subscriptions linked to the logged-in user account
[INFO] Ensure you are connected to Azure by running the Connect-AzureAz command before executing this script
[ERROR] An error occurred: The remote server returned an error: (401) Unauthorized.
Invoke-RestMethod : {"error":{"code":"AuthenticationFailedMissingToken","message":"Authentication failed. The 'Authorization' header is missing the access token."}}
At C:\.........\Microsoft-Extractor-Suite-2.0.1\Scripts\Get-AzureActivityLogs.ps1:88 char:29
+ ... sResponse = Invoke-RestMethod -Uri $subscriptionsUri -Headers $header ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-RestMethod], WebException
    + FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeRestMethodCommand

Do you have any ideas on how to resolve this? Thank you so much for your assistance!

![Error](https://github.com/user-attachments/assets/a123bfa1-0234-44bb-92ea-455775007b1e)

JoeyInvictus commented 3 months ago

I'm not sure to be honest, this is a new error for me, and I can't reproduce it in my test or production environment.

The steps taken by the script are listed below. It might be worth trying them one by one to see where it's going wrong.

$currentContext = Get-AzContext
$azureRmProfile = [Microsoft.Azure.Commands.Common.Authentication.Abstractions.AzureRmProfileProvider]::Instance.Profile
$profileClient = [Microsoft.Azure.Commands.ResourceManager.Common.RMProfileClient]::new($azureRmProfile)
$token = $profileClient.AcquireAccessToken($currentContext.Tenant.Id)

  1. First, a connection/authentication is needed with the required PowerShell module. This can be achieved by running Connect-AzAccount. Sometimes, I also encounter the User canceled authentication error. This can happen occasionally and is resolved by trying again (for me at least). Ensure that the authentication window isn't hidden behind another screen, as it may not always pop up to the front.

  2. Get the Current Azure Context: $currentContext = Get-AzContext. This line retrieves the current Azure context, which contains information about the currently authenticated Azure subscription and account. The context includes details like the subscription ID, tenant ID, and account details.

If you print the $currentContext, do you see a successful authentication?

[screenshot]

  3. Retrieve the Azure RM Profile: $azureRmProfile = [Microsoft.Azure.Commands.Common.Authentication.Abstractions.AzureRmProfileProvider]::Instance.Profile

  4. Create a Resource Manager Profile Client: $profileClient = [Microsoft.Azure.Commands.ResourceManager.Common.RMProfileClient]::new($azureRmProfile). This line creates a new instance of the RMProfileClient class using the Azure RM profile obtained in the previous step. The RMProfileClient class is used to interact with Azure Resource Manager profiles, needed in this scenario to acquire the access token.

  5. Acquire an Access Token: $token = $profileClient.AcquireAccessToken($currentContext.Tenant.Id). This line acquires an access token for the current tenant. The AcquireAccessToken method of the RMProfileClient class is called with the tenant ID from the current Azure context. This method returns an access token that can be used for authenticating API requests to Azure services.

Now you should have a token in the $token variable. If you print the $token variable, do you see anything? Based on the error you received, I guess it's failing to retrieve the token.

Invoke-RestMethod : {"error":{"code":"AuthenticationFailedMissingToken","message":"Authentication failed. The
'Authorization' header is missing the access token."}}

[screenshot]
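The step-by-step walk-through above, as an added diagnostic script. This is not code from the Extractor Suite or its maintainers; it repeats the same sequence (context, subscription, token, ARM call) but stops at the first step that fails and says which one, instead of surfacing only the final 401 from Invoke-RestMethod. It assumes the Az.Accounts module is installed, uses the public Get-AzAccessToken cmdlet in place of the RMProfileClient.AcquireAccessToken call the script makes, and takes the tenant and (optionally) a subscription ID as placeholder parameters.

```powershell
#Requires -Modules Az.Accounts
# Added diagnostic script, not part of the Microsoft Extractor Suite.
# Walks the same steps as Get-AzureActivityLogs.ps1 and fails loudly at the first broken one.
# $TenantId and $SubscriptionId are placeholders supplied by the caller (assumption).
param(
    [Parameter(Mandatory)] [string] $TenantId,
    [string] $SubscriptionId
)

$ErrorActionPreference = 'Stop'

# Step 1: authenticate. Device code sidesteps the "User canceled authentication" browser
# failure seen in this thread; pinning the tenant avoids the 'organizations' multi-tenant prompt.
$ctx = Get-AzContext
if (-not $ctx -or $ctx.Tenant.Id -ne $TenantId) {
    Connect-AzAccount -DeviceCode -TenantId $TenantId | Out-Null
    $ctx = Get-AzContext
}
Write-Host "[INFO] Account: $($ctx.Account.Id)  Tenant: $($ctx.Tenant.Id)"

# Step 2: a context with empty SubscriptionName/SubscriptionId is the symptom reported above.
# Get-AzSubscription lists what this account can actually read; no output means no Azure RBAC
# role on any subscription in the tenant (or the ARM token itself was blocked).
$subs = Get-AzSubscription -TenantId $TenantId
if (-not $subs) {
    throw "No subscriptions visible to $($ctx.Account.Id) in tenant $TenantId. Activity logs need at least Reader on a subscription."
}
$subs | Select-Object Name, Id, State | Format-Table -AutoSize | Out-Host

# Select a subscription so the context is complete (the caller's choice, else the first visible one).
if ($SubscriptionId) {
    Set-AzContext -Subscription $SubscriptionId -Tenant $TenantId | Out-Null
} elseif (-not (Get-AzContext).Subscription) {
    Set-AzContext -Subscription $subs[0].Id -Tenant $TenantId | Out-Null
}

# Step 3: acquire an ARM token. This is the supported cmdlet equivalent of
# RMProfileClient.AcquireAccessToken. Recent Az.Accounts versions return the token as a
# SecureString, older ones as a plain string; both are handled.
try {
    $tok = Get-AzAccessToken -ResourceUrl 'https://management.azure.com/' -TenantId $TenantId
} catch {
    throw "Token acquisition failed: $($_.Exception.Message). If the text mentions user interaction or MFA, review Conditional Access for the Microsoft Azure PowerShell client and the Windows Azure Service Management API resource."
}
$bearer = if ($tok.Token -is [securestring]) {
    [System.Net.NetworkCredential]::new('', $tok.Token).Password
} else {
    $tok.Token
}
Write-Host "[INFO] Token acquired, expires $($tok.ExpiresOn)"

# Step 4: the same ARM call Get-AzureActivityLogs.ps1 makes, with the Authorization header
# populated. A 401/403 here, with a freshly issued token, points at RBAC rather than sign-in.
$uri  = 'https://management.azure.com/subscriptions?api-version=2020-01-01'
$resp = Invoke-RestMethod -Uri $uri -Method Get -Headers @{ Authorization = "Bearer $bearer" }
$resp.value | Select-Object subscriptionId, displayName, state
```

Run it as `.\Test-AzActivityLogAccess.ps1 -TenantId <tenant GUID>` (script name is an assumption). One point worth keeping in mind when reading the output: Security Administrator, Compliance Administrator and Compliance Data Administrator are Entra ID directory roles; they grant nothing on Azure subscriptions, so Get-AzSubscription will only list subscriptions where the account also holds an Azure RBAC role such as Reader or Owner.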

Anny212 commented 3 months ago

As you suspected, it failed at this line: $token = $profileClient.AcquireAccessToken($currentContext.Tenant.Id). This means it couldn't acquire an access token. [screenshot]

And when I try to add the Tenant ID in the command "Connect-AzAccount," it doesn't work either.

Maybe it's related to the fact that when I defined $currentContext with the command $currentContext = Get-AzContext, I only get data in the Account and Environment fields; the data in the SubscriptionName and SubscriptionId fields is missing. [screenshot]

JoeyInvictus commented 3 months ago

Thanks for your response.

Can you try to set the correct subscription if not selected, use the following command to select it:

Set-AzContext -SubscriptionId <YourSubscriptionId>

Also do you have the right permissions to see the subscription details?

Anny212 commented 3 months ago

Now I am trying with another user who has permission to see the subscription details, but it doesn't work. The error in the command Set-AzContext -SubscriptionId is: [screenshot]

The user has the following permissions:

Security Administrator
Compliance Data Administrator
Compliance Administrator

JoeyInvictus commented 3 months ago

Mmm, it looks like you are not able to see or access the subscriptions. Do you get any output when running:

Get-AzSubscription

And just to make sure, if you visit the activity logs via the Azure portal, are you able to see them?

Not sure about the conditional access policies you are using, but there might be one blocking access to the subscription as the warning indicates.

Anny212 commented 3 months ago

There is a failure when I run the command "Get-AzSubscription": [screenshot]

Regarding the activity logs in the Azure Portal, I can only see the logs of a specific subscription on which I have "Owner" permission.

As for conditional access, I am using my organization's Azure, but I am not aware of any policy that denies extracting logs via API. Two weeks ago, it worked with the same user and the same permissions, and there haven't been any changes to the policy.

JoeyInvictus commented 3 months ago

Hi, sorry, but I am not really sure how to help you since it seems unrelated to the Microsoft Extractor Suite. I have never seen this error before, but it looks like something is going wrong with the authentication.

Calvindd2f commented 3 months ago

It's an unsupported CA policy applying to the user you are attempting to run Extractor Suite as which is ultimately blocking you from generating a proper access token.

Here is a replication of the issue. More than likely a policy was changed where either the Microsoft Azure PowerShell application or the resource Windows Azure Service Management API is not included within the policy.

[screenshot]

You can check if it is included or not if you go to the log and select Conditional Access >> the relevant policy that was blocked

[screenshot]

It will likely look different for you but will give more insight to what blocked it, this is from a devtenant so it's just using a direct user exclusion which shouldn't be done outside of dev env.

[screenshot]

If I were to guess, I am assuming the authentication strength for phishing-resistant authentication was enabled or something like that which forces interactive sign in and the Microsoft Azure PowerShell or Windows Azure Service Management API were not excluded from apps - the extractor suite uses Azure over API for 2.0.0+ with non-interactive sign-in way of generating the access token. If the policy is not a blanket one like require mfa for all users and is very specific to azure you could get away with excluding users assigned to the specific security roles you mentioned but that is a bit out of scope of this module.

Another alternative is just force installing 1.34/1.35 of the module, as the authentication mechanism is fully delegated. However, with larger datasets issues will start to occur, which is one of the reasons, I am assuming, it was changed over to API mode, as it allows more granular control instead of being at the mercy of the Microsoft modules.

You probably already know this but the whatif tool in ca policies will be your friend in trying to figure out the blocker.
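The check described in the comment above (open the failed sign-in, look at its Conditional Access tab, then look at which applications the blocking policy includes or excludes), as an added Microsoft Graph PowerShell example. It is not part of the Extractor Suite and was not written by the commenter; it assumes the Microsoft.Graph.Reports and Microsoft.Graph.Identity.SignIns modules, an account holding AuditLog.Read.All and Policy.Read.All, and takes the affected user's UPN as a placeholder parameter. The two application IDs are Microsoft's fixed first-party IDs for the Azure PowerShell client and the Azure Service Management API resource.

```powershell
#Requires -Modules Microsoft.Graph.Reports, Microsoft.Graph.Identity.SignIns
# Added example, not part of the Microsoft Extractor Suite.
# 1) finds this user's Azure PowerShell sign-ins that did not pass Conditional Access and prints
#    the policies that were applied, with their result; 2) lists enabled CA policies whose
#    application scope reaches the Azure PowerShell client or the ARM resource.
# $Upn is a placeholder supplied by the caller (assumption).
param([Parameter(Mandatory)] [string] $Upn)

# Well-known first-party application IDs; identical in every tenant.
$AzurePowerShellAppId = '1950a258-227b-4e31-a9cf-717495945fc2'   # client:   Microsoft Azure PowerShell
$ArmResourceAppId     = '797f4846-ba00-4fd7-ba43-dac1f8f63013'   # resource: Windows Azure Service Management API

Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Policy.Read.All' -NoWelcome

# --- 1. Sign-in log: what blocked the token? -------------------------------------------------
$since  = (Get-Date).AddDays(-7).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
$filter = "userPrincipalName eq '$Upn' and appId eq '$AzurePowerShellAppId' and createdDateTime ge $since"
$signIns = Get-MgAuditLogSignIn -Filter $filter -All

$blocked = $signIns | Where-Object { $_.ConditionalAccessStatus -eq 'failure' -or $_.Status.ErrorCode -ne 0 }
foreach ($s in $blocked) {
    Write-Host "$($s.CreatedDateTime)  error=$($s.Status.ErrorCode)  CA=$($s.ConditionalAccessStatus)  resource=$($s.ResourceDisplayName)"
    # Every evaluated policy and its outcome; the one with Result 'failure' is the blocker,
    # and EnforcedGrantControls shows what it demanded (e.g. mfa, authenticationStrength).
    foreach ($p in $s.AppliedConditionalAccessPolicies) {
        Write-Host ("   {0,-10} {1}  controls={2}" -f $p.Result, $p.DisplayName, ($p.EnforcedGrantControls -join ','))
    }
}

# --- 2. Policy scope: which enabled policies cover these apps? -----------------------------
$policies = Get-MgIdentityConditionalAccessPolicy -All | Where-Object State -eq 'enabled'
foreach ($pol in $policies) {
    $apps = $pol.Conditions.Applications
    $included = ($apps.IncludeApplications -contains 'All') -or
                ($apps.IncludeApplications -contains $AzurePowerShellAppId) -or
                ($apps.IncludeApplications -contains $ArmResourceAppId)
    $excluded = ($apps.ExcludeApplications -contains $AzurePowerShellAppId) -or
                ($apps.ExcludeApplications -contains $ArmResourceAppId)
    if ($included -and -not $excluded) {
        [pscustomobject]@{
            Policy       = $pol.DisplayName
            GrantControls = ($pol.GrantControls.BuiltInControls -join ',')
            AuthStrength = $pol.GrantControls.AuthenticationStrength.DisplayName
            IncludeApps  = ($apps.IncludeApplications -join ',')
            ExcludeApps  = ($apps.ExcludeApplications -join ',')
        }
    }
}
```

Part 2 is a static scope check only: it tells you which policies can reach the Azure PowerShell client or the ARM resource, not whether they fire for a given user, device and location, which is what the Conditional Access What If tool evaluates. A policy scoped to all cloud apps with an authentication strength or MFA grant will show up here, matching the guess in the comment above.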

JoeyInvictus commented 3 months ago

@Anny212 Hi, did you get a chance to check out @Calvindd2f suggestion regarding the issue you're experiencing?

JoeyInvictus commented 2 months ago

Will close this for now. Feel free to reopen it if needed.