Switching from O365 basic authentication to modern authentication using powershell - powershell-5.0

I have a PowerShell script to get the audit logs of O365 tenants. Basically, this script will give me the users who are accessing the PowerBI platform, usability, memory consumption, etc. This is currently using basic authentication. I need to convert the basic authentication to modern authentication in the current script. As per the current implementation, I see the registry key has been added as per the basic authentication.
I have googled and could see that I need to install the EXO V2 module and try using Connect-ExchangeOnline. But I am not sure whether I need to add the registry key for modern authentication? Also, it will be great if someone can help me with the process flow of how to proceed here. What are the steps I need to follow to ensure that the modern authentication is working as expected? I have tried out all the options but I could not achieve the output. Please help me here as I am new to PowerShell.
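Added here as an illustration, not part of the question or of any answer: a function that connects with Connect-ExchangeOnline from the ExchangeOnlineManagement (EXO V2) module, either interactively (browser sign-in, MFA honoured) or with certificate-based app-only authentication for unattended runs, and pulls the Power BI records from the unified audit log. The app id, certificate thumbprint and tenant name are placeholders you would supply from your own app registration; no password is stored or sent by the script.

```powershell
# Added example: modern (OAuth) authentication to Exchange Online and a Power BI
# audit-log pull. Assumes: Install-Module ExchangeOnlineManagement has been run.
# -AppId / -CertificateThumbprint / -Organization are placeholders for your own
# app registration (assumed values, not from the original question).
function Get-PowerBIAuditEvents {
    [CmdletBinding(DefaultParameterSetName = 'Interactive')]
    param(
        [Parameter(ParameterSetName = 'Interactive', Mandatory)] [string]$UserPrincipalName,
        [Parameter(ParameterSetName = 'AppOnly', Mandatory)] [string]$AppId,
        [Parameter(ParameterSetName = 'AppOnly', Mandatory)] [string]$CertificateThumbprint,
        [Parameter(ParameterSetName = 'AppOnly', Mandatory)] [string]$Organization, # e.g. contoso.onmicrosoft.com
        [datetime]$Start = (Get-Date).AddDays(-7),
        [datetime]$End   = (Get-Date)
    )

    # No Get-Credential and no plaintext password: the module acquires an OAuth token.
    if ($PSCmdlet.ParameterSetName -eq 'AppOnly') {
        # Unattended (scheduled task) use: certificate-based app-only authentication.
        Connect-ExchangeOnline -AppId $AppId -CertificateThumbprint $CertificateThumbprint `
            -Organization $Organization -ShowBanner:$false
    } else {
        # Interactive use: browser sign-in, MFA is honoured.
        Connect-ExchangeOnline -UserPrincipalName $UserPrincipalName -ShowBanner:$false
    }

    try {
        $sessionId = [guid]::NewGuid().ToString()
        $all = @()
        do {
            # Page through the results; ReturnLargeSet hands back up to 5000 records per call
            # for the same SessionId until the set is exhausted.
            $page = Search-UnifiedAuditLog -StartDate $Start -EndDate $End `
                -RecordType PowerBIAudit -SessionId $sessionId `
                -SessionCommand ReturnLargeSet -ResultSize 5000
            if ($page) { $all += $page }
        } while ($page -and $page.Count -eq 5000)

        # AuditData is a JSON string; expand it so the report shows who did what, and when.
        $all | ForEach-Object {
            $d = $_.AuditData | ConvertFrom-Json
            [pscustomobject]@{
                Time = $_.CreationDate; User = $d.UserId; Operation = $d.Operation; Workload = $d.Workload
            }
        }
    } finally {
        # Always drop the session, even if the search fails.
        Disconnect-ExchangeOnline -Confirm:$false
    }
}

# Usage: Get-PowerBIAuditEvents -UserPrincipalName admin@contoso.onmicrosoft.com | Export-Csv powerbi-audit.csv
```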

Related

Microsoft Graph - Planner API in a Service

I'm trying to make a little .core service to keep GitLab issues and a board on Microsoft Planner in sync.
The GitLab side isn't an issue; however, talking to the Planner aspect is proving problematic.
In Azure I have successfully added an App Registration and, using the delegated permissions, I can do what I need, BUT when it gets the access token, I get the old
To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code ******** to authenticate.
Which, as I'm trying to make this into a service, isn't great.
I then set up permissions as a daemon, but Planner doesn't allow access to 'Application Permissions', which Planner needs.
So is there another option?
Unfortunately Planner does not support Application Permissions. You can try to use a user account specifically created to act as your service as a workaround. There is currently no timeline for Planner supporting Application Permissions, however this is in our work backlog.
For example, if you create a new Planner plan then it works only with delegated permissions. It's not exposed with application permissions, so you cannot use it in a daemon app. Unfortunately this is by design; in other words, it will work only with delegated permissions at this point.
Unfortunately it won't work that way, but you may want to give it a try. That being said, I would suggest you file a Microsoft UserVoice item or upvote an existing UserVoice item that talks about it, so that they can consider implementing it as a feature that supports application permissions.
Also you can see above that #Tarkan confirmed the same and shared the insight that it's in their backlog too.

TFS 2015 Agent creation and usage

I have downloaded the agent zip file and configured the agent on the build machine. To authenticate the agent, Microsoft provides four ways: PAT, Integrated, Negotiate, Alternate.
They say PAT should be used for Team Services, but I don't understand how it works.
I have authenticated using Negotiate, but here the agent goes offline once the build completes, and I am manually making it run again using PowerShell.
I was previously using XAML build definitions and am new to this; can someone help with how to keep the agent online continuously?
Compared with common alternate credentials, a PAT is more secure.
When your 3rd party tool prompts you to sign in, you can provide your alternate credentials for authentication purposes, and it stores the credentials for later retrieval, which may let the tool do some actions you don't want it to.
For non-Microsoft tools that integrate into Team Services but do not support Microsoft account or Azure AD authentication interactions (for example, Git, NuGet, or XCode), you need to set up personal access tokens by using Git credential managers or by creating PATs manually. You can also use personal access tokens when there is no "pop up UI" such as with command-line tools, integrating tools or tasks into build pipelines, or using REST APIs.
Personal access tokens essentially are alternate passwords that you create in a secure way using your normal authentication, and PATs can have expiration dates, limited scopes (for example, only certain REST APIs or command line operations are valid), and specific Team Services accounts. You can put them into environment variables so that scripts do not hardcode passwords. For more information, see Authentication overview and scopes.
See use-personal-access-tokens-to-authenticate for details.
Once you create a PAT you can use it pretty much anywhere your user credentials are required for authentication. If you use a PAT for a 3rd party tool only to find out later that it is acting maliciously, you can deactivate that specific PAT and it immediately becomes invalid. You can also apply one or more scopes to a PAT so you can, for example, limit access to reading work items and nothing else.
Please refer to the articles below to understand PATs:
https://roadtoalm.com/2015/07/22/using-personal-access-tokens-to-access-visual-studio-online/
http://blog.devmatter.com/personal-access-tokens-vsts/
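Added illustration, not code from the question or the answer above: a small PowerShell function that reads a PAT from an environment variable (so the token never sits in the script), sends it the way Team Services / TFS expects (HTTP Basic with an empty user name), and checks that a real API result came back. The TFS_PAT variable name, the collection URL and the resource name are assumptions for this example.

```powershell
# Added example: calling the Team Services / TFS REST API with a PAT taken from an
# environment variable. $env:TFS_PAT, $CollectionUrl and $Resource are placeholders
# you set for your own account (assumed names, not from the original post).
function Invoke-TfsApi {
    param(
        [Parameter(Mandatory)] [string]$CollectionUrl, # e.g. https://<account>.visualstudio.com/DefaultCollection
        [Parameter(Mandatory)] [string]$Resource,      # e.g. 'projects' or 'build/builds'
        [string]$ApiVersion = '2.0'
    )

    $pat = $env:TFS_PAT
    if ([string]::IsNullOrWhiteSpace($pat)) {
        throw 'Set the TFS_PAT environment variable to a personal access token; do not hardcode it in the script.'
    }

    # A PAT is sent as HTTP Basic authentication with an empty user name: base64(":" + PAT).
    $token   = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes(":$pat"))
    $headers = @{ Authorization = "Basic $token" }

    $uri = "$($CollectionUrl.TrimEnd('/'))/_apis/$Resource?api-version=$ApiVersion"
    $response = Invoke-RestMethod -Uri $uri -Headers $headers -Method Get

    # Team Services may answer a rejected token with a sign-in page instead of a plain 401,
    # so confirm a JSON collection came back before trusting the result. A failure here
    # usually means the PAT is expired, revoked, or lacks the scope the resource needs.
    if (-not ($response.PSObject.Properties.Name -contains 'value')) {
        throw "Unexpected response from $uri: check that the PAT is valid and has the required scope."
    }
    $response.value
}

# Usage (token supplied out of band, e.g. as a secret variable of the calling job):
#   Invoke-TfsApi -CollectionUrl 'https://<account>.visualstudio.com/DefaultCollection' -Resource 'projects' |
#       Select-Object name, id
```

Because the token is scoped and revocable, a PAT created just for this script can be limited to read-only scopes and deactivated without touching the user's password.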

SSO for web application hosted on S3

I have been scratching my head for a while now. I went through tons of documentation but everything seems very confusing. Please forgive me if it appears to be a duplicate question, but believe me, the more content I find, the more it confuses me.
Below is the configuration of my project and what I need to achieve:
The project is a web-based application developed using the Spring framework with Java 8 that is hosted on S3 (Linux server). The HTTP server used is Apache. JBoss is used as the application server and the exact version used is wildfly-8.2.0.Final.
Currently, the user enters his credentials, which are validated against Microsoft Active Directory using LDAP, and is let in. The requirement now is that when the user logs into the machine using his AD credentials in his intranet environment and tries to open the application, he should be logged in directly and not be prompted for credentials again. If he is outside his intranet network, the existing login method should be followed.
While researching I found the things below, which I assume can be useful, but I am not able to reach a conclusion.
Kerberos along with Shibboleth: I went through the two references below, which somewhat matched my requirement, but I am not very sure whether I am looking at the right thing or not.
http://richardjohnson798.blogspot.in/2011/10/single-sign-on.html
http://gfivo.ncl.ac.uk/documents/UsingKerberosticketsfortrueSingleSignOn.pdf
My confusion revolves around the below things.
Is Shibboleth the right choice? If yes, what is the exact role of Shibboleth?
What needs to be set up on the Linux server (a Kerberos implementation, for example), and what changes would be needed in the client's AD environment?
Is the implementation possible on the Wildfly server? (All the references have it implemented using Tomcat.)
What are the security aspects I should be concerned about?
Help is much appreciated. Thank you.
Since you are using S3 I assume you are using AWS.
Go to IAM and add the Active Directory as a SAML provider
https://aws.amazon.com/blogs/mobile/announcing-saml-support-for-amazon-cognito/
Then use AWS Cognito Federated Identity Pool via the JavaScript SDK in the front end code you have hosted on S3.
http://docs.aws.amazon.com/cognito/latest/developerguide/using-amazon-cognito-user-identity-pools-javascript-examples.html

Is it possible to use OpenIddict and LDAP together?

I would like to authenticate users against Active Directory using LDAP. Is it possible with OpenIddict?
Currently, I have a front end (AngularJS) + back end (Web API with ASP.NET Core and OpenIddict) which works perfectly. Some users use individual user accounts and will continue to do so. Other users should use AD accounts. It is inside the internal network and I would like to use the already existing Active Directory for that.
Please suggest any solutions for that.
Thanks.
Please suggest any solutions for that.
OpenIddict is never responsible for the login/authentication part, so you can freely implement it to use LDAP with both interactive flows like the code flow and non-interactive flows like the password flow.
If your AD servers can run Active Directory Federation Services, I'd recommend using it, as it's the best way to achieve what you want.
Depending on the version you're using, you'll be able to integrate with any ASP.NET Core app quite easily (the 2016 version supports OpenID Connect while the previous one supports OAuth2: both can be used with the OAuth2/OIDC middleware developed by the ASP.NET team).
If you can't use ADFS, another option is to use Integrated Windows Authentication. It's currently only supported when hosting your application behind IIS or when using WebListener.
If none of these options work for your scenario, you can opt for the "low-level LDAP validation" route. Though it's not officially supported by .NET Core, there are a few libraries developed by the community that you can use: https://github.com/dotnet/corefx/issues/2089#issuecomment-231994908.

Use everyauth package for authorizing users to access data via REST api calls

I am developing a Google Chrome extension that needs to communicate with a Node.js server. I was wondering if it's possible to use the everyauth package to simplify authentication. For starters, I just wanted to use simple password-based authentication. But from the examples and the documentation, as well as according to my trial, it seems to me that everyauth is designed to be used for a web app and gives me errors if I don't set the getLoginPath. Also I am not sure how to configure everyauth to send the user details or errors after the user authenticates in a JSON payload rather than redirecting the user to a particular page. This is my first project with Node.js and I am looking for some advice on how to go forward with this. I am open to using some other package/library that provides such authentication.
Since you are open to using other modules, as the developer of Passport, I'd suggest you look at it: https://github.com/jaredhanson/passport
Passport is designed to be a simple and unobtrusive authentication library, which makes it easy to get up and running quickly. It's also modular and extensible, which allows it to adapt to your application's needs over time.
The examples provided, along with the local strategy ( https://github.com/jaredhanson/passport-local ) are enough to get you started with username/password authentication. Let me know if you have any feedback or questions.
I was able to accomplish a REST-only interface to everyauth by overriding its handler methods: https://gist.github.com/2938492