
aad-app-credential-tools's Issues

Script for CVE-2021-42306 appears to be Windows only

The script (https://github.com/microsoft/aad-app-credential-tools/blob/main/azure-automation/CVE-2021-42306-AutomationAssessAndMitigate.ps1) used to determine if Automation accounts are vulnerable to CVE-2021-42306 and mitigate the issue appears to be Windows only.

Running it with PowerShell 7.2 and PowerShell Core gives the error below.

./CVE-2021-42306-AutomationAssessAndMitigate.ps1: The script 'CVE-2021-42306-AutomationAssessAndMitigate.ps1' cannot be run because it contained a "#requires" statement for PowerShell editions 'Desktop'. The edition of PowerShell that is required by the script does not match the currently running PowerShell Core edition.

Please can a cross-platform version of the script be provided?

Issue with multiple subscription tenant

Hi there,

I am working with multiple Azure tenants and trying to run this module. For the tenants without multiple subscriptions, it works great. For the tenant with the multiples it throws an error:

PS C:\WINDOWS\system32> Get-AffectedKeyCredentials -tenantID -ObjectClass application -ScanAll
WARNING: Are you sure you want to run the commandlet for all applications in your tenant? The commandlet may take a
long time to run, and requests for a large number of applications could be throttled.

Confirm
Continue with this operation?
[Y] Yes [A] Yes to All [H] Halt Command [S] Suspend [?] Help (default is "Y"): A
WARNING: This script requires the powershell module 'Az.Accounts' to installed.
WARNING: If this is not installed, you will be asked to install the module.
WARNING: Please refer: https://docs.microsoft.com/en-us/powershell/azure/install-az-ps?view=azps-6.5.0

Connecting to AAD tenant...
WARNING: TenantId '' contains more than one active subscription. First one will be
selected for further use. To select another subscription, use Set-AzContext.
Connected to

Invoke-RestMethod : The remote server returned an error: (401) Unauthorized.
At C:\Program Files\WindowsPowerShell\Modules\AffectedKeyCredentials\0.2\AffectedKeyCredentials.psm1:139 char:29
+ ... jectCount = Invoke-RestMethod -Uri $url -Headers $authHeader -Method ...
+             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-RestMethod], WebExc
      eption
    + FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeRestMethodCommand

Do you know of any issues when working with this scenario?

Support enforcing a specific AAD tenant

For users with multiple AAD-tenants the scripts are very noisy (lots of warnings when trying to iterate over stuff not in the currently authenticated tenant) or do not work properly at all. Adding a parameter to enforce using a specific tenant should mitigate this.

Unable to authenticate with CAE-enabled tenant

When authenticating to an Azure AD tenant with Continuous Access Evaluation enabled, an "InvalidAuthenticationToken" error occurs. This makes it impossible to see the affected apps.

Since I am not a native English speaker, I use a machine translation tool. I apologize if the text is difficult to understand.

AadCertRollover.ps1 syntax error - critical script breaking issue

Issue on: https://github.com/microsoft/aad-app-credential-tools/blob/main/azure-site-recovery/AadCertRollover.ps1

Line 569 reads as follows:

Import-PFXCertificate -CertStoreLocation Cert:\localmachine\My �Exportable -FilePath $newPFXCertLocation

Note that there is an unrecognized character before the Exportable parameter flag.

It should be

Import-PFXCertificate -CertStoreLocation Cert:\localmachine\My -Exportable -FilePath $newPFXCertLocation

(A dash before Exportable)

This was breaking the script code execution and hence halting the rollover process.
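
The failure reported above is a non-ASCII character sitting where a parameter dash belongs. The following check is an added example, not part of the issue or of the repository's code: it flags any such character in script text and proposes the ASCII-dash form. The function name Find-SuspectParameterDash is hypothetical, and the sample lines are constructed from the two lines quoted in the issue.

```powershell
# Added example (not from the repository): lint script lines for a non-ASCII
# character sitting where a parameter dash is expected.
function Find-SuspectParameterDash {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string[]] $Line
    )

    # Whitespace, exactly one non-ASCII character, then a parameter-like name.
    # Non-ASCII words in comments or strings can also match, so review each hit.
    $pattern = '(?<=\s)(?<char>[^\x00-\x7F])(?<name>[A-Za-z][A-Za-z0-9]*)'

    for ($i = 0; $i -lt $Line.Count; $i++) {
        foreach ($m in [regex]::Matches($Line[$i], $pattern)) {
            $codePoint = [int][char]$m.Groups['char'].Value
            [pscustomobject]@{
                LineNumber = $i + 1
                Column     = $m.Index + 1
                CodePoint  = 'U+{0:X4}' -f $codePoint
                Parameter  = $m.Groups['name'].Value
                Suggested  = $Line[$i].Remove($m.Index, 1).Insert($m.Index, '-')
            }
        }
    }
}

# Constructed sample: the two lines quoted in the issue, with U+FFFD standing in
# for the unrecognized character so this example file stays pure ASCII.
$template = 'Import-PFXCertificate -CertStoreLocation Cert:\localmachine\My {0}Exportable -FilePath $newPFXCertLocation'
$sample = @(
    ($template -f [char]0xFFFD)   # broken line
    ($template -f '-')            # corrected line
)

Find-SuspectParameterDash -Line $sample | Format-List
```

To check a file on disk, pass its lines instead of the sample, for example the output of Get-Content for a local copy of AadCertRollover.ps1. Only the first sample line is reported; the corrected line produces no output.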

Unable to loop through multiple subscriptions without getting prompted by credentials window?

Hi Team,

From this cmdlet example: https://github.com/microsoft/aad-app-credential-tools/blob/main/azuread/azuread-application-credential-assessment-powershell-guide.md#examples

I always get prompted with the 'Sign-in to your account' when I loop through the command for each of my Azure subscriptions.

Is this a bug or am I missing something here to make the code loop through multiple Azure subscriptions without a prompt?

I get "No appliances registered under Migrate project PROJECTNAME details..Aborting..." in all environments

Hello team. I have Azure Migrate running in some tenants. In all of them I get "No appliances registered under Migrate project PROJECTNAME details..Aborting..." for the mitigation script, although the assessment script shows one affected app (Azure Migrate). What should I do? I guess it is because of multiple subscriptions, where the Azure Migrate project is in a different subscription than the default one.
