Monday, December 10, 2018

Updates to the Exch-Rest PowerShell Module to support PowerShell Core, Azure Cloud Shell and more ADAL integration options

I've had some time recently to do some much needed updates to my Exch-Rest module so it now supports both Azure Cloud Shell and PowerShell Core on Linux (tested on RHEL,CentOS, Debian and Ubuntu). So now you can logon to an Office365 Mailbox using this Module with Powershell on Linux and send Email or a Skype for Business Message or do some mailbox reporting eg

The requirements on Linux is you need to be using the latest version of PowerShell core installed as per .This ensures that all the required .net Core libraries will be available as older version of .Net core didn't have some of the libraries I'm using and I didn't want to backport for older versions.  Also because there are no Linux forms to interact with for authentication you need to pass in the credentials to use via a PSCredential and the code will use the password grant to get the Token eg
$cred = Get-Credential -UserName
connect-exrmailbox -MailboxName -Credential $Cred
Azure Cloud Shell

As Cloud Shell is a browser based version of  PowerShell core running on Linux the same connection method of using the credentials as above is needed.

ADAL Integration

I've also added full integration with the ADAL library for authentication so in addition to the native dependency free script methods the module now distributes the ADAL libraries and supports Authentication using that library as well as Token refreshes for scripts that run over an hour etc (using Acquiretokenasync in the ADAL). This supports the following scenarios such as
To use the ADAL libraries for Logon use the following 

connect-exrmailbox -MailboxName -useADAL

To use the Never Prompt to use the ADAL Cache
connect-exrmailbox -MailboxName -useADAL -Prompt Never
For connecting using the currently logged on credentials use
connect-exrmailbox -MailboxName -useADAL -useLoggedOnCredentials -AADUserName

(The -AADUserName variable is optional but usually required read the GitHub link in the second bullet point)

For those who want to do something simular and are using EWS you will need something like the following to get the AccessToken using ADAL in a normal PowerShell Script.

    $ClientId = "d3590ed6-52b3-4102-aeff-aad2292ab01c"
    $ResourceURI = ""
    $EndpointUri = ''
    $Context = New-Object Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext($EndpointUri)
    $AADCredential = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.UserCredential" -ArgumentList ""
    $authResult = [Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContextIntegratedAuthExtensions]::AcquireTokenAsync($Context, $ResourceURI, $ClientId, $AADcredential)
    if ($authResult.Result.AccessToken) {
        $token = $authResult.Result
    elseif ($authResult.Exception) {    
        throw "An error occured getting access token: $($authResult.Exception.InnerException)"    
    return $token

This also goes along with support for using the Module in an Azure Runbook which was added last month.

The Exch-REST Module is available from the PowerShell Gallery and GitHub

A big thankyou to all those people who provided feedback on using the module hopefully these upgrades make it easier to use in more scenarios.

Hire me - If you would like to do something similar to this or anything else you see on my blog I'm currently available to help with any Office365,Microsoft Teams, Exchange or Active Directory related development work or scripting, please contact me at (nothing too big or small).

Wednesday, November 21, 2018

Scripters guide to using Guest Access in Office365 to automate things

Guest access is one of the ways in Office365 of collaborating between different organizations which allows you to give certain people who are outside of your company access to a limited subset of the resources you have in the Cloud. This can be an Office365 unified Group or Microsoft Team but also other workloads like SharePoint and OneDrive can utilize this.
When it comes to scripting there are a number of value add things you can do to automate tasks for different people who have guest accounts in another tenant. The first step to automating with Guest Access is to Authenticate and generate an access token in the Guest tenant.
Getting the Guest Tenants Authorization Endpoint
Before you can authenticate you need to first obtain the Guest tenants Authorization endpoint for the tenant where the Guest Account exists in. To do this you can make a simple Get Request like the following
Invoke-WebRequest -uri ("[{0}/.well-known/openid-configuration" -f "")
this will return a JSON result that contains the Authorization endpoint for the guest tenant along with other information useful when authenticating.
While Invoke Web Request will do the job fine if you ever what to execute something like this from an Azure Run-book it better to use the httpclient object instead. Here is a simple function to get the Authorization endpoint
function Get-TenantId {
    [Parameter(Position = 1, Mandatory = $false)]
Begin {
    $RequestURL = "{0}/.well-known/openid-configuration" -f $DomainName
    Add-Type -AssemblyName System.Net.Http
    $handler = New-Object  System.Net.Http.HttpClientHandler
    $handler.CookieContainer = New-Object System.Net.CookieContainer
    $handler.AllowAutoRedirect = $true;
    $HttpClient = New-Object System.Net.Http.HttpClient($handler);
    $Header = New-Object System.Net.Http.Headers.MediaTypeWithQualityHeaderValue("application/json")
    $HttpClient.Timeout = New-Object System.TimeSpan(0, 0, 90);
    $HttpClient.DefaultRequestHeaders.TransferEncodingChunked = $false
    $Header = New-Object System.Net.Http.Headers.ProductInfoHeaderValue("Get-TenantId", "1.1")
    $ClientResult = $HttpClient.GetAsync([Uri]$RequestURL)
    $JsonResponse = ConvertFrom-Json  $ClientResult.Result.Content.ReadAsStringAsync().Result
    return $JsonResponse.authorization_endpoint
Using the ADAL
Once you have the authorization endpoint your ready to Authenticate, using the ADAL library which is a popular method you would use something like the following (where I’m using the above function to get the endpoint in @line3
Import-Module .\Microsoft.IdentityModel.Clients.ActiveDirectory.dll -Force
$PromptBehavior  =  New-Object Microsoft.IdentityModel.Clients.ActiveDirectory.PlatformParameters -ArgumentList Auto
$EndpointUri  =  Get-Tenantid -DomainName
$Context  =  New-Object Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext($EndpointUri)
$token  = ($Context.AcquireTokenAsync("","d3590ed6-52b3-4102-aeff-aad2292ab01c","urn:ietf:wg:oauth:2.0:oob",$PromptBehavior)).Result
In the above example I’ve used the preapproved Office appId otherwise if you where to use your own AppId that would need to be authorized in the Guest tenant (which is a always a degree of difficulty when dealing with another companie's IT departments).
Once you have the Token you can then make a Request to the ./me endpoint to find a bit more about your account in the guest tenant eg
$Header = @{
        'Content-Type'  = 'application\json'
        'Authorization' = $token.CreateAuthorizationHeader()
Invoke-RestMethod -Headers $Header -Uri "" -Method Get -ContentType "application/json" 
Or to get the Groups or Teams your a member of you can use
Invoke-RestMethod -Headers $Header -Uri "" -Method Get -ContentType "application/json" 
And to get the Members or a particular Team or Group
Invoke-RestMethod -Headers $Header -Uri "" -Method Get -ContentType "application/json"
Where the Guid (938383f7-3060-4604-b3a5-cbdb0a5fc90f in this instance) is the id you retrieved when you used me/memberOf
This gives you access to all the raw data about each of the members of a Group you might be interacting with. For some real life uses of this take a look at the module section below
Other things you can do with this which I’ll go through below are
  • Export the Group members from  a Guest Teams/Group to CSV
  • Download or Upload Files to shared Team/Group drive
  • Export the Groups Calendar to a CSV file

Using a Module

If your looking for an easier way of using Guest Access check out my Exch-Rest Module on the PowerShell Gallery and gitHub . The following are samples for this module
To connect to a tenant as a Guest use
 Connect-EXRMailbox -GuestDomain -MailboxName
You can then execute the Me and MemberOf requests using

Export the members of a Group or Team your a member of as a Guest to CSV
The following can be used to Export the members of a Team or Unified Group in a Guest tenant to a CSV file. The Inputs you need a the SMTP address of the Group which you can get from running Get-EXRMemberOf in the Guest Tenant
$Group = Get-EXRUnifedGroups -mail
$GroupMembers = Get-EXRGroupMembers -GroupId $ -ContactPropsOnly
$GroupMembers |  Export-Csv -path c:\temp\groupexport.csv -noTypeInformation
If you wish to include the user photo in the export you can use (although the AppId you use to connect must have access to the userphoto)
$Group = Get-EXRUnifedGroups -mail
$GroupMembers = Get-EXRGroupMembers -GroupId $ -ContactPropsOnly
$GroupMembers |  Export-Csv -path c:\temp\groupexport.csv -noTypeInformation
Downloading a File from Group/Teams Shared Drive (Files) as a Guest
$Group = Get-EXRUnifedGroups -mail
$FileName = ""
$File = Get-EXRGroupFiles -GroupId $ -FileName $FileName
Invoke-WebRequest -Uri $File.'@microsoft.graph.downloadUrl' -OutFile ("C:\downloaddirectory\$FileName)
Export a Groups Calendar to CSV as a Guest
$Group = Get-EXRUnifedGroups -mail
Get-EXRGroupCalendar -GroupId $ -Export | export-csv -NoTypeInformation -Path c:\temp\calendarexport.csv
By default the next 7 days is exported by the time windows can be tweaked using -starttime and -sndtime parameter in the Get-EXRGroupCalendar cmdlet
Hire me - If you would like to do something similar to this or anything else you see on my blog I'm currently available to help with any Office365,Microsoft Teams, Exchange or Active Directory related development work or scripting, please contact me at (nothing too big or small).

Tuesday, November 13, 2018

Thursday, November 01, 2018

Reporting on Teams private Chat Activity using the TeamChat Folder in Exchange

This is a Segway from my last post on Reporting on Skype for Business Messaging Activity using the Conversation History Folder in Exchange .In this Post I'm going to be looking at the Private chat messages from Microsoft Teams that get stored in a hidden folder called TeamChat (see this post for how to get that folder in EWS) under the conversation History Folder as part of the compliance process for Teams.  As Teams is still a work in process a lot of those compliance properties have changed since my first post about getting this folder and looking at the history of even the limited dataset in my mailboxes there is a lot of fluidity in the compliance information that is being added (so its a little bit of a dogs breakfast in terms of data when you go back a number of months). The compliance properties themselves get added when the substrate process in the cloud copies the Chat Message from the skypespaces backend to the Mailbox.  To give you a visual representation on what these properties look like you can use a MAPI Editor 

Unlike Skype where there was one message that would represent multiple messages in a Chat Thread, with Teams there is a one to one basis for each private Chat message in a Thread. All the interesting meta-information that is needed for reporting is held in the above Extended properties. Take for instance the ToSkypeInternalIds property which contains the list of the recipients for Private Chats stored in a Multivalued string property. (this information also gets stored in the Recipient Collection of the Message in a resolved format)

Instead of SIP addresses like Skype, (for chat anyway) Teams has its own format which contains the AzureAd guid of the user (or Guest). If you want  to resolve this back into an EmailAddress or UPN the Graph API can be used to do this eg if I take a Teams address


using a simple Split to get just the guid portion of this string you can then do a simple Rest Get to get the user information as long as you have an underlying Token to use in the Graph API  eg

$GUID = "8:orgid:fb25746f-fa0c-4f01-b815-a7f7b878786f".Split(':')[2] "'" + $GUID + "')"

I've put together a script that first gets the TeamChat folder using EWS then enumerates the messages in that folder for a particular day time frame and using a number of the extended properties from the first screen shot to build some log entries that can then be summarised into some reports. 

EWS Meet Graph

Because EWS doesn't have a way of resolving the Guids from the From and To Address properties in Teams. I've integrated a bit of Microsoft Graph Code to the do the resolution. Because by default this script uses oAuth we can take the Refresh Token from the first auth used to get into EWS and then get another token for the GraphEndpoint without needing to re-prompt for authentication so this all fits together nicely.

So by default when you run the script you will get flat log entries back like

Or you can Group the threads together (based on the ThreadId) using the -GroupThreads Switch

Like the Conversation History script I have 3 base reports that look something like this in HTML

To use these Reporting options

Get-TeamsIMLog -MailboxName -Days 30 -reportbyDate 
-htmlReport | Out-file c:\temp\30dayreport.html
if you want the same report in csv use

Get-TeamsIMLog -MailboxName -Days 30
 -reportbyDate | ConvertTo-Csv -NoTypeInformation -path c:\temp\30dayreport.csv 
To report the top senders that sent this Mailbox in Direct Chats

Get-TeamsIMLog -MailboxName -Days 30
To report the top recipients of IM's

Get-TeamsIMLog -MailboxName -Days 30
I've put the code for this script up on Git Hub here 

Hire me - If you would like to do something similar to this or anything else you see on my blog I'm currently available to help with any Office365,Microsoft Teams, Exchange or Active Directory related development work or scripting, please contact me at too big or small).