Tag: powershell

Did you know … you can list the members of your MS Team?

Without any special Administrative rights, you can list the members of the Azure AD groups that are used in MS Teams. If you don’t already have the AzureAD module installed, install it. In Windows, this is:

Install-Module -Name AzureAD

In Linux,you’ll need the preview of Azure AD:

# To run on Linux, you need the preview mode of AzureAD
Register-PackageSource -Trusted -ProviderName 'PowerShellGet' -Name 'Posh Test Gallery' -Location https://www.poshtestgallery.com/api/v2/
Install-Module -Name AzureAD.Standard.Preview
 

Connect to AzureAD. There is a separate command to list the group owners (Get-AzureADGroupOwner). I’ve always found the owner(s) in the member list as well, but it’s technically possible to have entries unique to the owner list.

Connect-AzureAD
Get-AzureADGroup -SearchString "Group Name Here" | Get-AzureADGroupOwner -All $True
Get-AzureADGroup -SearchString "Group Name Here" | Get-AzureADGroupMember -All $True

Redirect the output to a file if you wish to use the results elsewhere, or stash the returned member list in a variable and use Get-AzureADUser to get additional information for the user records.

$objMembers | ForEach-Object -Process {get-azureaduser -objectid $_.ObjectID}

Powershell Credentials

I’ve only recently started using PowerShell to perform automated batch functions, and storing passwords in plain text is a huge problem. In other languages, I crypt the password with a string stored elsewhere, then use the elsewhere-stored string in conjunction with the cipher text to retrieve the password. There’s a really easy way to accomplish this in PowerShell (although it does not split the credential into two separate entities that force an attacker to obtain something from two places {i.e. reading a file on disk is good enough} but if they’re already reading my code and on my server … the attacker could easily repeat the algorithmic process of retrieving the other string … which is a long way to say the PowerShell approach may seem less secure; but, effectively, it isn’t much less secure)

The first step is to store the password into a file. Use “read-host -AsSecureString” to grab the password from user input, pipe that to convertfrom-securestring to turn it into a big ugly jumble of text, then pipe that out to a file

read-host -assecurestring | converfrom-securestring | out-file -filepath c:\temp\pass.txt

View the content of the file and you’ll see … a big long hex thing

Great, I’ve got a bunch of rubbish in a file. How do I use that in a script? Set a variable to the content of the file piped through convertto-securestring and then use that password to create a new PSCredential object

$strPassword = get-content -path c:\temp\pass.txt | convertto-securestring
$cred = new-object -typename PSCredential -argumentlist ‘UserID’,$strPassword

Voila, $cred is a credential that you can use in other commands.