Sunday, February 23, 2020

Getting EXO Mobile Device Report by using RobustCloudCommand

Getting mobile device statistics out of Exchange Online must be one of the most time-consuming cmdlets there is. I once tried to generate a report in a tenant I consider large (around 60k users) and it took two weeks of calendar time, with connections expiring all the time and requests dropped due to throttling limits.

I'm currently ramping up Outlook app usage with my customers to get rid of ActiveSync. During that process, reporting all EXO-connected mobile devices is again required. I was already depressed by the fact that I had to run this sloooow and time-consuming operation again, until I remembered that @nestafo (thanks again!) once mentioned some kind of "robust framework" for running long scripts.

After googling a bit I found it: RobustCloudCommand. I thought I'd give it a go.

Using RobustCloudCommand


First you have to install it from the PowerShell Gallery. It also installs its dependencies (CloudConnect, MSOnline, AzureAD). I already had AzureADPreview installed, which exports the same cmdlet names as AzureAD, so the AllowClobber parameter was required to let the AzureAD module install alongside it.


Install-Module RobustCloudCommand -AllowClobber
Import-Module RobustCloudCommand


Basically there are only a few things to do:
- Create a credential object
- Generate a CSV containing the objects you want to process with the script
- Write a script block for a single object, i.e. whatever you want to do with one mailbox or user
- Pass all of the above to RobustCloudCommand and wait a few days

RobustCloudCommand reconnects the services automatically, adds delays to avoid throttling and even writes out an estimate of when the script will complete. Great!

Kudos to Matthew Byrd for developing the module!
Check out his latest RobustCloudCommand post on the Exchange Team Blog.

Mobile Device Statistics Report


Here's my take on an "Exchange Online Mobile Device Statistics" script using RobustCloudCommand.


# declare paths for csvs and log
$csvpath = "C:\Scripts\mbx.csv"
$reportpath = "C:\Scripts\mbx-mobiledevice-report.csv"
$logpath = "C:\Scripts\mbx-mobiledevice-report.log"

# create credentials and connect to EXO (Connect-ExchangeOnline comes from the ExchangeOnlineManagement module)
# Prompt for the password instead of hardcoding it: a plaintext secret does not belong in a script
# file, and in a double-quoted string like "pa$$w0rd" PowerShell would expand $$ to the process ID anyway.
$adminAccount = "exo.admin@tenant.onmicrosoft.com"
$cred = Get-Credential -UserName $adminAccount -Message "Exchange Online admin password"

Connect-ExchangeOnline -Credential $cred

# get list of mailboxes for processing
Get-EXOMailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Select-Object DisplayName,PrimarySmtpAddress,Identity |
    Export-Csv $csvpath -NoTypeInformation

# import mailboxes from csv
$mailboxes = Import-Csv $csvpath

# start processing: RobustCloudCommand runs the script block once per object in $mailboxes
# (the current object is available as $input) and handles reconnects and throttling for you
Start-RobustCloudCommand -Credential $cred -Recipients $mailboxes -LogFile $logpath -ScriptBlock {
    Get-MobileDeviceStatistics -Mailbox $input.PrimarySmtpAddress.ToString() -ErrorAction SilentlyContinue |
        Select-Object @{Name="PrimarySMTPAddress"; Expression={$input.PrimarySmtpAddress.ToString()}},FirstSyncTime,LastPolicyUpdateTime,LastSyncAttemptTime,LastSuccessSync,DeviceType,DeviceID,DeviceUserAgent,LastPingHeartbeat,DeviceModel,DeviceImei,DeviceFriendlyName,DeviceOS,DeviceOSLanguage,DevicePhoneNumber,DeviceEnableOutboundSMS,DeviceMobileOperator,Identity,Guid,Status,StatusNote,DeviceAccessState,DeviceAccessStateReason,DeviceAccessControlRule,DevicePolicyApplied,DevicePolicyApplicationStatus,ClientVersion,NumberOfFoldersSynced,SyncStateUpgradeTime,ClientType |
        Export-Csv $reportpath -Encoding UTF8 -NoTypeInformation -Append
}





Saturday, February 15, 2020

Hunting down accounts using Exchange Online basic authentication

Exactly 240 days to go as I write this. The world as we know it will end on Oct 13th 2020.

Microsoft claims it will shut down basic authentication for IMAP, POP, EWS, ActiveSync and remote PowerShell in Exchange Online on Oct 13th 2020. That means you'll have to use "modern authentication" (OAuth) to connect to these services in Office 365. This won't affect on-prem Exchange servers; you'd "only" need to worry about apps connecting to cloud mailboxes.

Edit: Microsoft has postponed the deprecation of Exchange Online basic authentication due to the COVID-19 situation. The new estimated deadline is around Q2/2021.


The impact is brutal. Clients using basic authentication after the deadline will fail to connect to Exchange Online. That includes all Android devices using native mail or calendar clients, iOS devices running an OS older than 12.1 with the native mail or calendar apps, and backend systems connecting to mailboxes with Exchange Web Services, POP or IMAP. All dead. Död. Kaputt.

Remediation actions recommended by Microsoft: update backend systems to use OAuth and switch to the Graph API, and instruct mobile users to use the Outlook app.

So, how can I know if my organization is using basic auth?

Short answer: investigate Azure AD sign-in logs.

Azure AD Sign-ins log

We can access AAD logs directly from Azure Active Directory - Monitoring - Sign-ins.
You can try to guess which client apps to filter on. I'd say the basic "Sign-ins" log view is only usable when investigating the connectivity of a single account or a very narrow timeframe.


Azure Active Directory Workbooks

The relatively new AAD workbooks offer a good overview of tenant sign-ins. The first graph shows the number of total sign-ins, and by clicking the bars you get the individual sign-ins for the selected protocol. From the details you can click through to the Log Analytics Workspace query window.

Using AAD workbooks requires connecting the AAD logs to a Log Analytics Workspace (or to Sentinel). Once the connection has been established and LA Workspace access granted, you can take advantage of pre-built workbooks like "Sign-ins using Legacy Authentication".



Log Analytics or Sentinel

In Azure you can do whatever you want with the AAD logs: build your own dashboards, hunting workbooks, analytics, alerts, playbooks... Here are a couple of simple queries to start with.

List of all unique accounts with successful legacy client sign-ins in the last 30 days:

SigninLogs
| where ClientAppUsed in (
"Exchange ActiveSync",
"Other clients",
"IMAP4",
"POP3")
and ResultType == "0"   // successful sign-ins only
and AppDisplayName =~ "Office 365 Exchange Online"
and TimeGenerated > ago(30d)
| distinct UserPrincipalName, ClientAppUsed, Location, IPAddress


And an overview of usage of the same set of client apps:

SigninLogs
| where ClientAppUsed in (
"Exchange ActiveSync",
"Other clients",
"IMAP4",
"POP3")
and ResultType == "0"
and AppDisplayName =~ "Office 365 Exchange Online"
and TimeGenerated > ago(30d)
| summarize dcount(UserPrincipalName) by ClientAppUsed
| sort by dcount_UserPrincipalName desc 
| render columnchart


NOTE that Microsoft changed the ClientAppUsed names for all legacy clients starting Jan 25th. If you have script- or Log Analytics-based monitoring, you should review the new app names and update your Kusto queries.

Old legacy auth ClientAppUsed values:
  • Exchange ActiveSync (supported)
  • Exchange ActiveSync (unsupported)
  • Other clients
  • Other clients; Older Office clients
  • Other clients; IMAP
  • Other clients; POP
  • Other clients; SMTP
  • Other clients; MAPI

New ones (as seen in logs from Jan 25th up to Feb 15th, the time of writing):
  • Exchange ActiveSync
  • Other clients
  • IMAP4
  • POP3
  • Authenticated SMTP

There might be others in the future. At least EWS, AutoDiscover and PowerShell are missing from the logs (they were already selectable in the AAD sign-ins filter).
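As an added example (not from the original post), here's one query that accepts both the old and the new ClientAppUsed values, so the same query keeps working on logs from before and after the Jan 25th rename. It also keeps failed sign-ins instead of filtering on ResultType == "0" only: a client that is already being rejected keeps retrying with basic auth and would be invisible to the success-only queries above. The SigninLogs table and column names are the ones used in the queries above; the 30-day window and the 20-address cap on the IP set are arbitrary choices.

```kusto
// Added example, not from the original post.
// Assumes the standard SigninLogs table fed by the AAD diagnostic setting.
let legacyApps = dynamic([
    // ClientAppUsed values from Jan 25th onwards
    "Exchange ActiveSync", "Other clients", "IMAP4", "POP3", "Authenticated SMTP",
    // ClientAppUsed values before Jan 25th
    "Exchange ActiveSync (supported)", "Exchange ActiveSync (unsupported)",
    "Other clients; Older Office clients", "Other clients; IMAP", "Other clients; POP",
    "Other clients; SMTP", "Other clients; MAPI"
]);
SigninLogs
| where TimeGenerated > ago(30d)                       // arbitrary window
| where AppDisplayName =~ "Office 365 Exchange Online"
| where ClientAppUsed in~ (legacyApps)                // case-insensitive match on either naming scheme
| extend Outcome = iff(ResultType == "0", "Success", "Failure")
| summarize
    Attempts  = count(),
    FirstSeen = min(TimeGenerated),
    LastSeen  = max(TimeGenerated),
    SourceIPs = make_set(IPAddress, 20)               // cap the set at 20 addresses per row
    by UserPrincipalName, ClientAppUsed, Outcome
| sort by UserPrincipalName asc, LastSeen desc
```

Rows with Outcome == "Failure" and a long SourceIPs list are worth a second look: that is either a misconfigured client or someone else trying the account over basic auth, and both belong on the list of things to fix before the deadline.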

Custom scripting

There's Graph API available for reading sign-in logs: https://graph.microsoft.com/beta/auditLogs/signIns

I'll be posting a separate article on that one. See you soon!