PowerShell AzureAD odata v3.0 filter - powershell

So I am trying to fetch all sign-in logs that fail a particular Conditional Access policy that has been set in Report-Only mode.
The cmdlet is in preview and is unable to fetch all logs and then filter using piping and PowerShell alone, so I am trying to query with a filter instead.
I currently have this query that runs successfully and returns lots of sign-in logs, but the results do not contain CAs with the result of "reportOnlyFailure", so something is wrong:
Get-AzureADAuditSignInLogs -Filter "AppliedConditionalAccessPolicies/any(c:c/id eq 'xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxx' and c/Result eq 'reportOnlyFailure')"

I found your post, because I have the exact same problem.
My PowerShell skills are pretty low, but I may have found one problem, even if I have no idea how to fix it.
Isn't the part "and c/Result eq 'reportOnlyFailure'" searching for the result of all ConditionalAccessPolicies and maybe failing because of that?
Would it be possible to do it like you would with a nested Where-Object? Something like this:
$($_.AppliedConditionalAccessPolicies | Where-Object {$_.id -eq 'XXX' -or $_.id -eq 'XXX'}).result -eq "reportOnlyFailure"
I don't know the full syntax for the filter, but maybe you could replace
AppliedConditionalAccessPolicies/any(...
with something like
AppliedConditionalAccessPolicies/(id eq 'xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxx')(...
I hope maybe this is useful, or you already found a solution.
If you got a solution I would be very thankful if you could post it.
Have a nice day,
Christian
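The nested Where-Object idea from the reply above, as a runnable added example (not code from either poster): the server-side filter is narrowed on createdDateTime, which the sign-in log endpoint accepts, and the id/result check is then done locally on each element of AppliedConditionalAccessPolicies so that both conditions are tested against the same policy entry. It assumes Connect-AzureAD has already been run, that the preview module exposes the AppliedConditionalAccessPolicies, Id and Result properties as shown, and that the policy id and date window are placeholders you replace.

```powershell
# Added example; not from the original question or answer.
$policyId = 'xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxx'   # placeholder, as in the question
$since    = (Get-Date).AddDays(-1).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')

function Get-ReportOnlyFailures {
    param(
        [Parameter(Mandatory)][string]$PolicyId,
        [Parameter(Mandatory)][string]$SinceUtc
    )
    # Server side: only a property that is known to be filterable (createdDateTime).
    # -All $true pages through every result instead of stopping at the first page.
    Get-AzureADAuditSignInLogs -All $true -Filter "createdDateTime ge $SinceUtc" |
        Where-Object {
            # Client side: the Id and Result of the SAME policy element must both match.
            # A sign-in with several applied policies is only kept when one element
            # satisfies both conditions, which is what the OData any() was meant to express.
            $_.AppliedConditionalAccessPolicies |
                Where-Object { $_.Id -eq $PolicyId -and $_.Result -eq 'reportOnlyFailure' }
        }
}

Get-ReportOnlyFailures -PolicyId $policyId -SinceUtc $since |
    Select-Object CreatedDateTime, UserPrincipalName, AppDisplayName, IpAddress |
    Format-Table -AutoSize
```

Narrowing the date window is what keeps the local pass affordable; widen it in steps rather than pulling the whole log at once.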

Related

MSGraph OData filtering on empty collections

I'm using the MS PowerShell modules for working with MsGraph, but the same rules/principles apply when providing a filter as to what you'd normally just put into the HTTP query string.
I have the following, which works okay and lists all 365 groups that are teams:
Get-MgGroup -Filter "resourceProvisioningOptions/Any(x:x eq 'Team')"
What I would like to achieve, without having to pull ALL groups and then filtering locally, is basically the opposite of the above, something like this:
Get-MgGroup -Filter "resourceProvisioningOptions/Any(x:x ne 'Team')"
But because I'm doing this against a collection, it throws.
Get-MgGroup_List: Unsupported property filter clause operator 'NotEqualsMatch'.
Now I've tried every which way I can think of to get this to work; I've tried looking for a set of operators that would effectively filter if resourceProvisioningOptions is null/empty as a collection. But nothing I try will work, I just seem to get errors. Anyone have any ideas?
Thanks,
Tom
According to this resourceProvisioningOptions is not nullable and not filterable using null.
The ne negation operator is supported only with advanced queries, which means that you need to add the -ConsistencyLevel "eventual" and -CountVariable or -CountVariable "<number>" parameters (I'm not familiar with the Graph API SDK for PowerShell):
Get-MgGroup -Filter "resourceProvisioningOptions/Any(x:x ne 'Team')" -ConsistencyLevel "eventual" -CountVariable "100"
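An added example of the advanced-query form (not the answerer's code): -CountVariable takes the name of a variable that receives the count, so a plain name is passed rather than a number. It also uses the NOT operator around the original, working any(eq 'Team') clause instead of ne inside the lambda, because any(x:x ne 'Team') only matches groups that have at least one option that is not Team, whereas NOT any(x:x eq 'Team') also matches groups whose collection is empty, which is what the question is after. It assumes Connect-MgGraph has been run with permission to read groups.

```powershell
# Added example; not from the original answer.
function Get-NonTeamGroups {
    # Advanced query: ConsistencyLevel eventual plus a count variable are both required
    # for NOT / ne, otherwise Graph returns 'Unsupported property filter clause operator'.
    $groups = Get-MgGroup -All -ConsistencyLevel eventual -CountVariable groupCount `
        -Filter "NOT resourceProvisioningOptions/Any(x:x eq 'Team')" `
        -Property Id, DisplayName, ResourceProvisioningOptions

    Write-Verbose "Server-side count of non-Team groups: $groupCount"

    # Local sanity check: nothing returned should carry the Team flag. If this warns,
    # the filter is not doing what we think and the result must not be trusted.
    foreach ($g in $groups) {
        if ($g.ResourceProvisioningOptions -contains 'Team') {
            Write-Warning "Filter leaked a Team-enabled group: $($g.DisplayName) ($($g.Id))"
        }
    }
    $groups
}

Get-NonTeamGroups -Verbose |
    Select-Object DisplayName, Id, @{N='Provisioning'; E={ ($_.ResourceProvisioningOptions -join ',') }} |
    Format-Table -AutoSize
```

The local check is cheap and worth keeping in scripts that feed the group list into anything with side effects (for example a clean-up job), since a silently broadened filter is the failure mode to guard against.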

Get AD user by providing fullName and manager full name

It might look silly, but I'm struggling with finding a user with PowerShell by providing his full name and his manager's full name. The purpose of the script is to get SamAccountName and EmailAddress by using the mentioned values, which are provided by another team (these are the only unique values I get; getting a user by Full Name is not a problem, but it's possible that it will return multiple results, and that's why the Manager Full Name would determine the appropriate result).
First I was using simple command
Get-ADUser -server $gc -Filter { (CN -eq $uFullName) -and (extensionAttribute4 -eq $mFullName) }
It worked great, but unfortunately I noticed that not all accounts use extensionAttribute4 to hold the manager's full name. I thought of using a filter on the Manager property, but when I tried to use (Manager -like "*value*") it returned that the like operator isn't supported by this attribute.
I'm still trying to find a solution for this, but maybe someone will have a solution to this situation.
Thank you in advance.
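An added example (not the poster's code) for the situation described: the Manager attribute holds a distinguished name, which is why -like is refused, but an exact -eq against that DN is accepted. So the manager's full name is first resolved to one or more DNs, and then the user is looked up with Manager -eq that DN, keeping the extensionAttribute4 match from the post as a fallback for the accounts that still use it. $gc, $uFullName and $mFullName follow the post's variable names; the server and names in the usage line are placeholders.

```powershell
# Added example; not from the original post.
Import-Module ActiveDirectory

function Find-UserByManagerName {
    param(
        [Parameter(Mandatory)][string]$UserFullName,
        [Parameter(Mandatory)][string]$ManagerFullName,
        [string]$Server            # optional; e.g. a global catalog such as $gc
    )
    $common = @{}
    if ($Server) { $common.Server = $Server }

    # Escape single quotes so a name like O'Brien cannot break the filter string.
    $u = $UserFullName.Replace("'", "''")
    $m = $ManagerFullName.Replace("'", "''")

    # Step 1: every account whose Name (the CN) is the manager's full name. There may be
    # several, so all of them are kept and tried.
    $managers = @(Get-ADUser @common -Filter "Name -eq '$m'")
    if ($managers.Count -eq 0) { throw "No account found for manager '$ManagerFullName'" }

    # Step 2: candidates with the user's full name whose Manager DN is one of those
    # accounts, or (fallback from the post) whose extensionAttribute4 carries the name.
    $found = foreach ($mgr in $managers) {
        $dn = $mgr.DistinguishedName.Replace("'", "''")
        Get-ADUser @common -Properties Manager, EmailAddress, extensionAttribute4 `
            -Filter "(Name -eq '$u') -and ((Manager -eq '$dn') -or (extensionAttribute4 -eq '$m'))"
    }

    $found | Sort-Object DistinguishedName -Unique |
        Select-Object SamAccountName, EmailAddress, @{N='ManagerDN'; E={ $_.Manager }}
}

# Usage (placeholders):
# Find-UserByManagerName -UserFullName 'Jane Doe' -ManagerFullName 'John Smith' -Server $gc
```

If more than one row comes back, two users with the same full name report to managers who also share a name; that is a data problem the other team has to disambiguate, and the function deliberately returns all rows rather than picking one.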

How to tell if a Windows group has a well known SID and what that SID is

I'm trying to get the Well Known SID (if it exists) from a group name.
So far I have:
$group = 'Administrators'
$account = New-Object System.Security.Principal.NTAccount($group)
$sid = $account.Translate([System.Security.Principal.SecurityIdentifier])
This gives me the Sid object for the group which has a method 'IsWellKnown', so far so good. If I feed it a list of well known sids I've copied from the web, this works.
Web link here:
https://msdn.microsoft.com/en-us/library/system.security.principal.wellknownsidtype(v=vs.110).aspx
$wks = 'list from the web'
foreach ($s in $wks){ $sid.IsWellKnown($s)}
I don't want to have the list of well-known SIDs copied from a web page; I'd like to find them out programmatically. I can sort of do it by making the IsWellKnown method error out with nonsense:
$sid.IsWellKnown('*')
This will give me an error message with the list I need inside. Obviously I don't want to get the list from an error message; I want to get it properly. Does anyone know how?
Thanks in advance.
Try this:
[Enum]::GetValues([System.Security.Principal.WellKnownSidType])
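An added example (not part of the answer) that puts the enum enumeration to work: every defined WellKnownSidType member is passed to IsWellKnown on the resolved SID, so the caller learns not just whether a group is well known but which well-known type(s) it maps to, with no list copied from the web. It runs as-is on any Windows machine; the account names at the bottom are sample inputs.

```powershell
# Added example; not from the original answer.
function Get-WellKnownSidInfo {
    param([Parameter(Mandatory)][string]$AccountName)

    $account = New-Object System.Security.Principal.NTAccount($AccountName)
    try {
        $sid = $account.Translate([System.Security.Principal.SecurityIdentifier])
    } catch [System.Security.Principal.IdentityNotMappedException] {
        throw "Account '$AccountName' could not be resolved to a SID"
    }

    # IsWellKnown only accepts enum members, so enumerate the enum itself instead of
    # parsing the ArgumentException text that an invalid value produces.
    $types = [Enum]::GetValues([System.Security.Principal.WellKnownSidType]) |
        Where-Object { $sid.IsWellKnown($_) }

    [pscustomobject]@{
        Account        = $AccountName
        Sid            = $sid.Value
        IsWellKnown    = (@($types).Count -gt 0)
        WellKnownTypes = @($types | ForEach-Object { $_.ToString() })
    }
}

# Sample inputs: two BUILTIN aliases, a universal well-known group, and the current user
# (which, for a normal domain or local account, should report IsWellKnown = False).
'Administrators', 'Users', 'Everyone', $env:USERNAME |
    ForEach-Object { Get-WellKnownSidInfo -AccountName $_ } |
    Format-Table Account, Sid, IsWellKnown, @{N='Types'; E={ $_.WellKnownTypes -join ',' }} -AutoSize
```

Domain-relative well-known SIDs (the AccountAdministratorSid family) are only recognised when the SID being tested actually carries a domain prefix, so a local 'Administrator' account and a domain one will not report the same types.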

Setting a DateTime to $null/empty using PowerShell and the SCSM cmdlets

I'm currently trying to sync additional attributes from AD (Active Directory) for user objects in SCSM (System Center Service Manager) using a PowerShell script.
The extension I wrote for this includes an attribute for the expiration date of an AD user account (a DateTime value, named DateTimeAttribute in the example); if the user account doesn't expire it should be empty/null.
Using Import-SCSMInstance, which should be similar to a CSV import, it kind of works by passing "null" for the field. The problem is that Import-SCSMInstance seems to be quite unreliable and it doesn't offer any kind of information on why it works or doesn't work. Using Update-SCSMClassInstance seems to work a lot better, but I can't figure out a way to clear the field using this, and even using [DateTime]::MinValue will result in an error stating that it's an invalid value.
So would anyone have an idea on how to clear the value using Update-SCSMClassInstance or figure out why Import-SCSMInstance might or might not work?
A simple example for this could look like the following:
$server = "<ServerName>"
$extensionGuid = "<GUID>"
Import-Module 'C:\Program Files\System Center 2012 R2\Service Manager\Powershell\System.Center.Service.Manager.psd1'
New-SCManagementGroupConnection -ComputerName $server
$extensionClass = Get-SCSMClass -Id $extensionGuid
$scsmUserObject = Get-SCSMClassInstance -Class $extensionClass -Filter 'UserName -eq "<User>"'
# Error
$scsmUserObject.DateTimeAttribute = ""
# Works but fails on Update-SCSMClassInstance
$scsmUserObject.DateTimeAttribute = $null
$scsmUserObject.DateTimeAttribute = [DateTime]::MinValue
# Works
$scsmUserObject.DateTimeAttribute = "01-01-1970"
Update-SCSMClassInstance -Instance $scsmUserObject
It seems that you can't clear a date once it's filled. When you write $null, it sets the date to 1-1-0001 01:00:00, which is an invalid date causing the update-scsmclassinstance to fail.
What we have set as a user's AD property when we don't want something to expire, is 2999-12-31 (yyyy-MM-dd). Perhaps this could help, although it's not directly what you asked for...
Also, you can use the pipeline to update a property in SCSM:
Get-SCSMClassInstance -Class $extensionClass -Filter 'UserName -eq "<User>"' | % {$_.DateTimeAttribute = <date>; $_} | update-scsmclassinstance
It doesn't look like it's currently possible to clear custom date attributes using the PowerShell cmdlets.

POWERSHELL - The member's SID could not be resolved

Hello, I'm working with Active Directory groups and users and I want to check and set the proper users/groups from AD on machines. The problem is that when I iterate over local users/groups on some machine and there is an old user/group that no longer exists in AD, PowerShell will stop working and throw an exception.
An error (1332) occurred while enumerating the group membership. The member's SID could not be resolved.
I know what causes this problem, but I don't know how to work around it. The main issue here is that it's not even possible to iterate over the whole array of users if one is no longer valid. The only solution to this is to manually delete those invalid users.
I even saw some reports to Microsoft that this behaviour is wrong and should be fixed, but nothing was done about it.
Has anyone here encountered this issue?
Thank you for your help.
$ctype = [System.DirectoryServices.AccountManagement.ContextType]::Machine
$computer = "PC name"
$groupName = "Administrators"
$context = New-Object -TypeName System.DirectoryServices.AccountManagement.PrincipalContext -ArgumentList $ctype, $computer
$idtype = [System.DirectoryServices.AccountManagement.IdentityType]::SamAccountName
$groupData = [System.DirectoryServices.AccountManagement.GroupPrincipal]::FindByIdentity($context, $idtype, $groupName)
$groupData.Members | select @{N='Server'; E={$computer}}, @{N='Domain'; E={$_.Context.Name}}, @{N='Group'; E={$groupName}}, @{N='Account Name/Group'; E={$_.SamAccountName}}
Here is an example of the code that I'm using for iterating over local users/groups on some PC.
Can you post the code that you are using, and the full error? I'm guessing there is a workaround, but without seeing your code I can't see what could be wrong. If a terminating error is thrown it will stop the script or function from running further (with some gotchas and exceptions); there are many ways of working around this.
Also, could you post the full error?
You will probably need to set $ErrorActionPreference to SilentlyContinue, and then review the $error variable to check the errors, but again I am only speculating.
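An added example, not code from either poster, of a workaround that does not need $ErrorActionPreference tweaks: the WinNT ADSI provider enumerates the group's members and exposes each member's raw objectSid without resolving it, so a deleted-in-AD member no longer aborts the loop. Resolution is then attempted per member, and the IdentityNotMappedException (the managed form of the Win32 error 1332, ERROR_NONE_MAPPED, quoted in the question) is caught and recorded as an Orphaned flag instead of being thrown. $computer and $groupName follow the post; the defaults and the 'PC name' placeholder are assumptions.

```powershell
# Added example; not from the original question or answer.
function Get-LocalGroupMemberSafe {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [string]$GroupName    = 'Administrators'
    )
    $group = [ADSI]"WinNT://$ComputerName/$GroupName,group"

    foreach ($member in $group.Invoke('Members')) {
        # Late-bound COM property reads; none of these require the SID to resolve.
        $adsPath  = $member.GetType().InvokeMember('ADsPath',   'GetProperty', $null, $member, $null)
        $class    = $member.GetType().InvokeMember('Class',     'GetProperty', $null, $member, $null)
        $sidBytes = $member.GetType().InvokeMember('objectSid', 'GetProperty', $null, $member, $null)
        $sid      = New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)

        # Resolve separately, so one orphan only affects its own row.
        $name = $null
        try {
            $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch [System.Security.Principal.IdentityNotMappedException] {
            # deleted account or unreachable domain; $name stays empty and the row is flagged
        }

        [pscustomobject]@{
            Server   = $ComputerName
            Group    = $GroupName
            Class    = $class            # 'User' or 'Group'
            Sid      = $sid.Value
            Name     = $name
            ADsPath  = $adsPath          # resolvable members show a name here, orphans only a SID
            Orphaned = ($null -eq $name)
        }
    }
}

# Usage: orphans first, since an unresolvable member of Administrators is exactly the stale
# entry the question wants to find and remove.
Get-LocalGroupMemberSafe -ComputerName 'PC name' -GroupName 'Administrators' |
    Sort-Object Orphaned -Descending |
    Format-Table Server, Group, Class, Sid, Name, Orphaned -AutoSize
```

Note that Orphaned is also set when the member belongs to a domain the machine cannot currently reach, so treat the flag as "could not be resolved from here" and confirm against AD before deleting anything.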