Category Archives: Microsoft

Client SMTP Email Submission & Graph API – Azure

I recently began playing with Azure DevOps Pipelines as a way to automate various aspects of my lab. As part of this I wanted to send email notifications that I could customize the content of, which I couldn’t get from the built-in notification capability.

Since the PowerShell cmdlet; Send-Mail Message is obsolete, I began investigating alternatives which is when I came across this article and decided to give it ago and share!

Overview

This solution is based on the usage of Microsoft’s Graph API (Send.Mail) and App Registrations being leveraged with PowerShell. Details of the API can be found here.

An Application or Service can call the email sending functionality by passing required data as parameters into the PowerShell script (or Function!) to provide a reusable approach to sending email.

You will need a couple of things for this to work, lets get started.

Configuration

Create a Shared mailbox

You will need a ‘From’ mailbox to use as the sending address. I will be using a Shared mailbox in O365 via my Business Basic subscription (Around £4.50 per user per month). Shared mailbox’s don’t require a license (Under 50GB), hence not costing you anything additional!

Head over to your Exchange Admin Center and select Recipients, Mailboxes, and select Add a shared mailbox.

Provide a Display Name and Email Address, as well as selecting a domain.

That’s the mailbox ready to go!

Create App Registration

Next we need to set up an App Registration in your tenancy.

In the Azure Portal, search for and select Azure Active Directory followed by App registrations.

Click New Registration…

…and provide your application a name. I have also stuck with the default single tenant option.

Once created, you will be able to see information that you will need later. Specifically the Application ID and the Tenant ID. You will need a third piece of information, a Secret Key. You can generate one by clicking client credentials.

Click Client secrets and select New client secret

Provide a meaningful name and select the duration you want the secret to be valid for.

You will then see your secret key.

You will need to take a copy of this key now and store it securely as you wont be able to get the key again without creating a new one.

We now need to provide some permissions. In this case we are wanting to be able to send an email.

Firstly, click API permissions and then Add a permission.

Select Graph API.

Select Application permissions and scroll down until you see Mail and select the Mail.Send option, and finally click Add permission at the bottom.

You will then notice that it require Admin consent. Click the Grant consent for ‘org’ option and confirm the prompt.

Things to consider!

An application that uses this will have access to send an email from any mailbox. You need to carefully consider the risks and mitigations.

You can limit which recipients can be sent to, by applying an Application Access Policy. More information here. Note for shared mailboxes, you need to add them to a mail enabled security group and reference that with the PolicyScopeGroupID parameter.

New-ApplicationAccessPolicy -AppId -PolicyScopeGroupId

The Code

There are 2 main sections, the first being the acquisition of an authorization token. Using the 3 values called out in the App Registration section earlier, we need to populate the TenantID, AppID and App Secret variables. Ideally you would want to be retrieving this from a secure location such as an Azure Key Vault (Look out of a future post on this!).

The second section is the collation of values required to send the email. Again you need to populate the variable values for the From, Recipient, Subject and Message Body which are then passed into a Invoke-RestMethod cmdlet with the URI of the API.

If you are using this as part of an automated solution, you aren’t going to be manually entering values, you are likely to be passing the values in from the rest of your code or pipeline.

#Get Authorization Token
$TenantId = ""
$AppId = ""
$AppSecret = ""

$uri = "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token"
$body = @{
    client_id     = $AppId
    scope         = "https://graph.microsoft.com/.default"
    client_secret = $AppSecret
    grant_type    = "client_credentials"
}
$tokenRequest = Invoke-WebRequest -Method Post -Uri $uri -ContentType "application/x-www-form-urlencoded" -Body $body -UseBasicParsing
$token = ($tokenRequest.Content | ConvertFrom-Json).access_token
$Headers = @{
    'Content-Type'  = "application\json"
    'Authorization' = "Bearer $Token"
}


# Create & Send Message
$From = "Azure-Pipeline-Notifications@domain.com"
$Recipient = "recipient@domain.com"
$Subject = "<Email Subject>"
$EmailBody = "<Email Body>"
$MessageSplat = @{
    "URI"         = "https://graph.microsoft.com/v1.0/users/$From/sendMail"
    "Headers"     = $Headers
    "Method"      = "POST"
    "ContentType" = 'application/json'
    "Body"        = (@{
            "message" = @{
                "subject"      = $Subject
                "body"         = @{
                    "contentType" = 'HTML'
                    "content"     = $EmailBody
                }
                "toRecipients" = @(
                    @{
                        "emailAddress" = @{"address" = $Recipient }
                    } )
            }
        }) | ConvertTo-JSON -Depth 6
}
Invoke-RestMethod $MessageSplat

Here is the result!

Example HTML Output

I have also put together a PowerShell Function that can be used as part of a larger piece of code. This way you are able to utilize it in a more efficient and reusable way.

Function Send-Email {
    <#
    .SYNOPSIS
        Send emails via O365.
    .DESCRIPTION
        Send emails via O365 using the Send.Mail Graph API.  Parameter values are expected to be variables.
    .PARAMETER TenantId
        Tenant ID found in Azure.
    .PARAMETER AppId
        ID of the App Registration.
    .PARAMETER AppSecret
        App Registration client key.
    .PARAMETER From
        Email sender address.
    .PARAMETER Recipient
        Recipient address, user, group or shared mailbox etc.
    .PARAMETER Subject
        Email Subject value.
    .PARAMETER Body
        Email body value.
    .LINK
        https://github.com/smctighevcp
    .EXAMPLE
        PS C:\> Send-Email -TenantId $value -AppId $value -AppSecret $value -From $value -Recipient $value -Subject $value -Body $value
        Takes the variable input and send a email to the specified recipients.
    .NOTES
        Author: Stephan McTighe
        Website: stephanmctighe.com
        Created: 10/03/2022

        Change history:
        Date            Author      V       Notes
        10/03/2022      SM          1.0     First release
    #>
    #Requires -Version 5.1

    [CmdletBinding()]
    param (
        [Parameter(Mandatory)]
        [string] $TenantId,
        [Parameter(Mandatory)]
        [string] $AppId,
        [Parameter(Mandatory)]
        [string] $AppSecret,
        [Parameter(Mandatory)]
        [string] $From,
        [Parameter(Mandatory)]
        [string] $Recipient,
        [Parameter(Mandatory)]
        [string] $Subject,
        [Parameter(Mandatory)]
        [string] $EmailBody
    )
    Begin {

        #
        $uri = "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token"
        $body = @{
            client_id     = $AppId
            scope         = "https://graph.microsoft.com/.default"
            client_secret = $AppSecret
            grant_type    = "client_credentials"
        }

        $tokenRequest = Invoke-WebRequest -Method Post -Uri $uri -ContentType "application/x-www-form-urlencoded" -Body $body -UseBasicParsing
        #
        $token = ($tokenRequest.Content | ConvertFrom-Json).access_token
        $Headers = @{
            'Content-Type'  = "application\json"
            'Authorization' = "Bearer $Token"
        }
    }
    Process {
        # Create & Send Message
        $MessageSplat = @{
            "URI"         = "https://graph.microsoft.com/v1.0/users/$From/sendMail"
            "Headers"     = $Headers
            "Method"      = "POST"
            "ContentType" = 'application/json'
            "Body"        = (@{
                    "message" = @{
                        "subject"      = $Subject
                        "body"         = @{
                            "contentType" = 'HTML'
                            "content"     = $EmailBody
                        }
                        "toRecipients" = @(
                            @{
                                "emailAddress" = @{"address" = $Recipient }
                            } )
                    }
                }) | ConvertTo-JSON -Depth 6
        }
        Invoke-RestMethod @MessageSplat
    }
    end {

    }
}

Keep an eye out for a future blog post on how I am using this as part of an Azure DevOps Pipeline! This will include passing in variables within the pipeline as well as retrieving secrets from an Azure Key Vault.

If you like my content, consider following me on Twitter so you don’t miss out!

https://platform.twitter.com/widgets.js

Thanks for reading!

Get, Set and Remove Perennial Reservations Using PowerShell Functions

Having recently had to do some work with RDM perennial reservations I looked into ways to make this less of a manual headache. There are plenty of examples out there for doing this, which I took as a basis to make a PowerShell function. If anything it was a great way to refresh my PowerShell skills and an opportunity to learn some new skills.

Note: Although this has been tested in my environment, please make sure you test it appropriately before running against a production environment!

Lets take a look…

Get-PerennialReservation

This function targets a vSphere cluster, gets all RDM disks that are connected to VM’s and then queries each host in the cluster to check if the disk/storage device is perennially reserved or not.

You can find the code here.

There are multiple ways to use it, whether that is by specifying the target cluster using the -Cluster parameter or by piping it from Get-Cluster. You can also specify a specific canonical name or a comma separated string of them, if you just want the status of a single/select disk(s) using the -CanonicalName parameter. There is also an Export flag to export the results to CSV, if you wish to make use of the data outside of PowerShell. You can get the full usage information by running the following command once you have loaded the function into your PowerShell session:

Get-Help Get-PerennialReservation -full

Here it is in action:

Get-PerennialReservation -Cluster smt-lab-cl-mn-01
Get-Cluster | Get-PerennialReservation
Get-PerennialReservation -Cluster smt-lab-cl-mn-01 -CanonicalName naa.60003ff44dc75adcacba077cf38ccc60
Get-PerennialReservation -Cluster smt-lab-cl-mn-01 -ExportPath C:\temp

Set-PerennialReservation

This function again targets a vSphere cluster, gets all RDM disks that are connected to VM’s and sets the IsPerenniallyReserved flag too ‘True’ on all hosts.

You can find the code here.

There are multiple ways to use it like the Get function; specifying the target cluster using the -Cluster paramater or by piping it from Get-Cluster. You can still specify a specific canonical name or a comma separated string of them, if you just want to set the flag of a single/select disk(s) using the -CanonicalName parameter. There is still an Export function that will provide you an output to CSV. You can get the full usage information by running the following command once you have loaded the function into your PowerShell session:

Get-Help Set-PerennialReservation -full

Here it is in action:

Set-PerennialReservation -Cluster smt-lab-cl-mn-01
Get-Cluster | Set-PerennialReservation
Set-PerennialReservation -Cluster smt-lab-cl-mn-01 -CanonicalName naa.60003ff44dc75adc87371e49e5b78222
Set-PerennialReservation -Cluster smt-lab-cl-mn-01 -ExportPath C:\Temp\

Remove-PerennialReservation

To complete the set there is a Remove function. This function again targets a vSphere cluster, but this time you need to pass in the canonical name you wish to set the IsPerenniallyReserved flag too ‘False’ for.

You can find the code here.

To use this one, you need to specify the target cluster using the -Cluster paramater and specify a specific canonical name or a comma separated string of them, using the -CanonicalName parameter. There is still an Export function that will provide you an output to CSV. You can get the full usage information by running the following command once you have loaded the function into your PowerShell session:

Get-Help Remove-PerennialReservation -full

Here it is in action:

Remove-PerennialReservation -Cluster smt-lab-cl-mn-01 -CanonicalName naa.60003ff44dc75adc87371e49e5b78222
Remove-PerennialReservation -Cluster smt-lab-cl-mn-01 -CanonicalName naa.60003ff44dc75adcacba077cf38ccc60, naa.60003ff44dc75adcadc3f2be374bf90a
Remove-PerennialReservation -Cluster smt-lab-cl-mn-01 -CanonicalName naa.60003ff44dc75adc87371e49e5b78222, naa.60003ff44dc75adcacba077cf38ccc60, naa.60003ff44dc75adcadc3f2be374bf90a -Exportpath C:\Temp\

I hope this is of use to folks out there. There may be some updates/improvements added in the future so keep an eye on my GitHub for any updates!

I aim to bundle these, and other functions into a module in the near future!

As always, thanks for reading!

DFS NameSpace Issues – Migrating From FSR To DFSR Following AD Upgrade

I recently assisted a friend who had an issue with DFS Namespaces following an Active Directory Upgrade from 2008R2 to 2012R2.  They were faced with not being able to access the NameSpace following the demotion of the last 2008R2 controller and promotion of the final 2012R2 controller.

Upon opening the DFS NameSpace management console, the following error was displayed when selecting the required NameSpace – “The namespace cannot be queried. Element not found.”

After looking in the FRS (File Replication Service) and DFSR (Distributed File System Replication) event logs, I came to realise that the forest was using FRS for replication! This isn’t supported after 2008R2.  Ideally, you would have completed the migration from FRS to DFSR before upgrading the domain controllers.

Note: Always make sure you have a backup, snapshot or other reliable rollback method in place before doing anything in your live environment. This worked for me, it doesn’t guarantee it will work for you!

With FRS being the likely cause, I needed to confirm this.  I ran the following command to confirm the status –

Dfsrmig /getglobalstate

It returned the following result confirming that FRS was still in fact being used.

Current DFSR global state: 'Start'
Succeeded.

Before being able to look at the DFS NameSpace issue, this needed addressing.  Luckily you can still remediate this after upgrading the domain controllers. I would still advise confirming all the prerequisites are in place BEFORE upgrading!

Now onto the migration from FRS to DFSR.

Firstly, run the following command to move the state to the second of the four states.  The four states being; Start, Prepared, Redirected and Eliminated.

Dfsrmig /setglobalstate 1

You will then want to run a directory sync to speed things up, especially if you have a large replication interval!

Run the following RepAdmin command to get things moving.

Repadmin /syncall /AdeP

You can then monitor the progress by running –

Dfsrmig /getmigrationstate

You will then see any remaining domain controllers that are yet to have synchronized the new state.  Eventually you will see that all domain controllers have migrated to the second state; Prepared.

undefined

Now time to move to the Redirected state.  Same process as the previous set but this time specifying ‘setglobalstate 2’

Dfsrmig /setglobalstate 2
Repadmin /syncall /AdeP
Dfsrmig /getmigrationstate

Again run the RepAdmin to get replication moving and monitor using the ‘getmigrationstate’ command.  As in the previous step, you will eventually see that all domain controllers have migrated to the third state; Redirected.

undefined

Last one! Same as before, but this time you want to use ‘setglobalstate 3 –

Dfsrmig /setglobalstate 3
Repadmin /syncall /AdeP
Dfsrmig /getmigrationstate

Once complete you will get confirmation that you have reached the final state; Eliminated.

undefined

You will now be able to run the ‘net share’ command to see that the SYSVOL share has been moved to ‘C:\Windows\SYSVOL_DFSR\sysvol’ and that the FRS Windows service is stopped and set to disabled.

Output of the ‘net share’ command
File Replication Service Properties (Local Computer) 
General Ing On Recovery Dependencies 
Service name 
Display name 
File Replication Service 
chronizas folders wth fila servers that use Fila 
Cation Service (FRS) instead of the newer OFS 
Path to executable 
C exe 
Startup type 
Service status 
Start 
Stopped 
Stop 
Pause 
Resume 
You can specify the start parameters that apply when you start the service 
Start parameters: 
*ppb'
File Replication Service (FRS) service

This should now give you a correctly functioning directory again! You will want to now check the Directory Services, File Replication and DFSR Logs in Windows Event Viewer to ensure you have no further errors.

Now onto repairing the NameSpace.  I read a few different blogs and guides for this, some included deleting the NameSpace via ADSI Edit others didn’t.

I found I didn’t need to delete anything, bonus.

The get the NameSpace accessible again I found that right clicking the NameSpace and removing it, followed by recreating it using the  ‘New NameSpace Wizard’ did the trick. 

OFS Management 
File Action View Window Help 
z[öl 
OFS Management 
v Namespaces 
Folder I 
Folder 2 
Folder 3 
(Domain-based in Windows Server 2008 mode) 
Namespace Namespace Servers Delegation Search 
New Folder... 
Add Namespace Server... 
Delegate Management Permissions... 
\smt- lab.IocaI\D 
New Folder... 
Replication 
Remove Namespace from Displaym 
New Window from Here 
Delete 
Refresh 
Properties 
Help 
a 
Add Namespace Server... 
Delegate Management 
Remove Namespace fr... 
New Window from Here 
Delete 
Refresh 
Properties 
Help
New Namespace Wizard 
Con 
Namespace Server 
Namespace Name and Settings 
amespace ype 
Review Settings and Create 
Namespace 
You have successfully completed the New Namespace Wizard 
Tasks Enum 
Task 
Creat 
Status 
e namespace
OFS Management 
File Action View Window Help 
zbll O d 
OFS Management 
v Namespaces 
Folder I 
Folder 2 
Folder 3 
Replication 
(Domain-based in Windows Server 2008 mode) 
Namespace Namespace Servers Delegation Search 
FSRoot 
Type 
Name 
Folder I 
Folder 2 
Folder 3 
New Folder... 
Add Namespace Server... 
Delegate Management 
Remove Namespace fr... 
New Window from Here 
Delete 
Refresh 
Properties 
Help

Upon recreating it, all of the folders reappeared and were accessible again with no additional configuration required. (these screenshots are of my lab, not the live environment as it was not appropriate)

Thanks for reading!

Exporting and Importing Active Directory OU Structures

Recently I needed to build out some test Active Directory Forests that resemble production in order to complete some testing. One of the forests contained a significant amount of OU’s that I had no intention of manually recreating.

To run the New-ADOrganizationalUnit cmdlet, you need to provide the OU name and the Path where you want to create it. However, Get-ADOrganizationalUnit doesn’t provide the path, so you need to determine it from the DistinguishedName.

After a number of google searches, I couldn’t find exactly what I needed, so I began piecing together various bits of Powershell that I found. I ended up learning a bit of Regex in the process! Powerful tool if you know how to use it.

I came up with two versions in the end, you can see both below with the differences highlighted.

$OUs=Get-ADOrganizationalUnit -Filter * | select name,DistinguishedName,@{n=’OUPath’;e={$_.distinguishedName -replace '^.+?,',''}},@{n=’OUNum’;e={([regex]::Matches($_.distinguishedName, “OU=” )).count}} | Sort OUNum | export-csv C:\<Path_to_CSV>\OUTree.csv -NoTypeInformation
$OUs=Get-ADOrganizationalUnit -Filter * | select name,DistinguishedName,@{n=’OUPath’;e={$_.distinguishedName -replace '^.+?,(CN|OU|DC.+)','$1'}},@{n=’OUNum’;e={([regex]::Matches($_.distinguishedName, “OU=” )).count}} | Sort OUNum | export-csv C:\<Path_to_CSV>\OUTree.csv -NoTypeInformation

The first one effectively takes everything up to the first ‘,’ and replaces it with nothing, effectively removing the OU Name. The second one captures everything after the first ‘,’ and replaces the whole string with what was captured. Both have produced the same result in my scenario, but it was useful to understand both methods for future use of Regex.

Both also have a property called ‘OUNum’, this property counts how many time ‘OU=’ appears in the original DistigushedName string. OU’s need to be created in order, so that the parent OU exists before the child. This orders the OU’s in ‘tiers’ before exporting them to CSV. All OU’s in the root of the directory will get a value of 1, OU’s within these will get a value of 2 and so on. Credit to ‘David Z’ for this bit!

Once you have your data, you may or may not need to modify the domain. If you are importing it into a different domain, you’ll need to. In my case it was simple enough to do a find and replace in a text editor (eg. DC=lab,DC=local to DC=lab2,DC=local). You could look at using concepts from above to achieve this before exporting the data if you so wish.

Now you have your data, you need to import it. You can run the following in the target domain.

$OUs = import-csv C:\<Path_to_CSV>\OUTree.csv
ForEach ($OU in $OUs) 
          {New-ADOrganizationalUnit -Name $OU.Name -Path $OU.OUPath}

Hope this has been useful. Thanks for reading!