Jet Mariano

Tag: Security

Pulling M365 Sign-in Locations via AzureADPreview
Excerpt

Needed a quick “where did this user sign in from?” report without swapping modules. I used AzureADPreview to export a clean CSV (timestamp, IP, country/state/city, app, client, result). All identifiers below are redacted; mailbox shown as [email protected].

Intro

Security asked for a last-30-days sign-in report. I didn’t want to migrate the host that already had AzureADPreview, so I stayed on that and exported the fields they care about. Notes are redacted and portable.

Notes from {Speaker}
- Context: Windows PowerShell 5.x (STA) + AzureADPreview.
- Avoided Microsoft Graph SDK on this box.
- Output: CSV with location + app/client details.
Perspective (direct quotes)

“Use Windows PowerShell (not PS7) so the AzureAD auth control behaves.”
“If you change the date range, re-run the query—don’t reuse the old $logs.”

Practice (today, not someday)

Use this redacted snippet; replace only the UPN line if needed.
```
# Connect (Windows PowerShell 5.x)
Import-Module AzureADPreview
Connect-AzureAD -AccountId "[me]"

$targetUpn = "[email protected]"   # user to report
$from = (Get-Date).AddDays(-30).ToString("o")   # adjust if you have longer retention
$to   = (Get-Date).ToString("o")

# Query sign-in logs (AzureADPreview)
$logs = Get-AzureADAuditSignInLogs -All $true `
  -Filter "userPrincipalName eq '$targetUpn' and createdDateTime ge $from and createdDateTime le $to"

# Shape the report
$report = $logs | Select-Object `
  createdDateTime, userPrincipalName, ipAddress,
  @{n='Country';e={$_.location.countryOrRegion}},
  @{n='State';e={$_.location.state}},
  @{n='City';e={$_.location.city}},
  appDisplayName, clientAppUsed,
  @{n='MFA';e={$_.mfaDetail.authMethod}},
  @{n='CAResult';e={$_.conditionalAccessStatus}},
  @{n='Result';e={ if ($_.status.errorCode -eq 0) { 'Success' } else { $_.status.additionalDetails } }}

# Export (redacted path example)
$dest = "C:\Reports"
if (-not (Test-Path $dest)) { New-Item -ItemType Directory -Path $dest | Out-Null }
$csv = Join-Path $dest "Janedoe_SignIns_Last30Days.csv"
$report | Export-Csv $csv -NoTypeInformation -Encoding UTF8

"$($report.Count) rows -> $csv"
```
Final Reflection

Sticking with AzureADPreview is fine when you only need sign-in logs—just remember: PowerShell 5.x, re-query after changing dates, and export only the fields the requester needs.

Pocket I’m Keeping

“Query fresh, then shape.” Most delays come from reusing an old $logs object after changing the date window.

© 2012–2025 Jet Mariano. All rights reserved.
For usage terms, please see the Legal Disclaimer.
September 30, 2025
When a “Microsoft” alert hijacks your screen after a spoofed Facebook call
Tech-support scam pop-up mimicking Microsoft Defender with a bogus support line 877-415-4519 — DO NOT CALL.

Intro

Tonight’s “video call” looked like it came from a friend. The moment you tapped Accept, your browser flipped full-screen: “Microsoft has shut down your internet. Do not turn off your computer. Call now.” That’s a classic tech-support scam—built to scare, not to help.

─────────────────────────────────────────

What’s really happening
- It’s only a web page (often opened by the call link) that abuses pop-ups, full-screen mode, and fake Windows/Defender art.
- Microsoft/Apple/your ISP never lock your device through a browser or post a phone number to call.
- If you call, they’ll try to remote in, install “fixers,” and charge you—or steal data.
─────────────────────────────────────────

Do this immediately (quick exit)
1. Do not call. Do not click.
2. Kill the browser.
  - Windows: Ctrl+W (close tab). If stuck, Alt+F4 or open Task Manager (Ctrl+Shift+Esc) and End task on the browser.
  - Mac: ⌘+W (close tab). If stuck, Force Quit with ⌥+⌘+Esc.
  - iPhone/iPad/Android: swipe up and force-close the browser app.
3. Reopen safely (prevents the bad tab from restoring):
  - Windows/Mac: hold Shift while launching the browser to block session restore.
  - iPhone Safari: Settings ▸ Safari ▸ Clear History and Website Data.
  - Chrome mobile: Chrome ▸ ⋮ ▸ History ▸ Clear browsing data (Time range: All time).
─────────────────────────────────────────

Clean up (2–5 minutes)
- Run a scan. Windows: Windows Security ▸ Virus & threat protection ▸ Quick scan (then a Full scan later). Mac/mobile: update OS; run your trusted AV if installed.
- Remove permission junk.
  - Browser Notifications/Permissions: Settings ▸ Privacy & security ▸ Site settings ▸ Notifications ▸ remove unknown sites.
  - Extensions/Add-ons: remove anything you don’t recognize.
- Messenger/Facebook safety.
  - Tell your friend their account may be compromised.
  - Facebook ▸ Settings ▸ Password & security ▸ Where you’re logged in ▸ Log out of unknown sessions; Turn on two-factor.
- If you entered info / installed software / called them:
  - Disconnect from the internet.
  - Uninstall any remote tools they had you add (AnyDesk, TeamViewer, Quick Assist sessions).
  - From a clean device, change passwords (email first).
  - Run Microsoft Defender Offline scan (Windows Security ▸ Scan options).
  - Contact your bank if you paid or shared card info.
─────────────────────────────────────────

Prevent the next one
- Treat surprise video calls as suspect. Decline and message the friend to confirm.
- Lock calling down in Messenger: Settings ▸ Privacy ▸ Message delivery / Who can call you ▸ restrict to Friends.
- Keep autosaving tabs off if you don’t need it.
- Update OS and browsers; updates close the tricks these pages use.
- Never let strangers remote into your device. Real companies don’t cold-call you for support.
─────────────────────────────────────────

Final Reflection

Scams run on panic. Breathe, quit the tab, then clean up. A browser page can’t “brick” your computer—but fear can make us hand over the keys.

─────────────────────────────────────────

What I hear now
- Close first, investigate second.
- Call no numbers that pop up on a web page.
- Verify with the friend; secure your accounts; turn on 2FA.
- Slow is smooth, and smooth is fast.
© 2012–2025 Jet Mariano. All rights reserved.
For usage terms, please see the Legal Disclaimer.
August 31, 2025
Secure Automation with PowerShell SecretManagement: Simplifying Credential Management for IT Pros
Introduction:
In enterprise environments, automation is only as secure as the credentials it uses. Hardcoding passwords into scripts is a security disaster waiting to happen. Enter PowerShell SecretManagement — a cross-platform module that allows IT professionals to store, retrieve, and manage credentials securely while keeping scripts clean, compliant, and automation-ready.

Description & Guide:
1. What is SecretManagement?
  The SecretManagement module provides a unified way to work with secrets across different vaults like Windows Credential Manager, Azure Key Vault, KeePass, or HashiCorp Vault — without locking you into a single storage provider.
2. Installing the Modules
```
Install-Module Microsoft.PowerShell.SecretManagement
Install-Module Microsoft.PowerShell.SecretStore
```
3. Registering a Vault
For a local secure store:
```
Register-SecretVault -Name LocalVault -ModuleName Microsoft.PowerShell.SecretStore -DefaultVault
```
4. Adding a Secret
```
Set-Secret -Name MySQLAdmin -Secret (Get-Credential)
```
5. Retrieving a Secret in Scripts
```
$cred = Get-Secret -Name MySQLAdmin -AsCredential
Invoke-Sqlcmd -ServerInstance "SQL01" -Username $cred.UserName -Password $cred.GetNetworkCredential().Password
```
6. Why This Matters
- Eliminates plaintext passwords in scripts
- Centralizes secret management for easier updates
- Works seamlessly with CI/CD pipelines and scheduled tasks
Conclusion:
Security and automation don’t have to be enemies. With PowerShell SecretManagement, you can protect sensitive credentials without sacrificing automation speed or flexibility. For IT pros managing hybrid environments, this module is a must-have in your PowerShell toolbox.

If you’d like to go beyond this post and see what Microsoft officially recommends, here are my go-to resources:

Microsoft Docs – SecretManagement Overview

Microsoft Docs – SecretStore vault extension

© 2012–2025 Jet Mariano. All rights reserved.
For usage terms, please see the Legal Disclaimer.
August 12, 2025
Fixing Disabled Azure AD Accounts: PowerShell vs Portal
Minutes before boarding at Salt Lake City International Airport, I received an urgent text about a disabled Azure AD account. I opened my laptop, tethered to my phone’s hotspot, connected to Cisco VPN, and got to work—resolving the issue securely without relying on public Wi-Fi

Introduction:
Last Friday, just as I was getting ready to board my flight to JFK from the Salt Lake City airport, I received a message from an end user:

“I think I’m blocked. I can’t access Outlook, Teams, or OneDrive.”

Time was limited, and I was already seated at the gate with my laptop ready. Instead of panicking, I tethered through my phone’s personal hotspot and launched Cisco AnyConnect VPN. I deliberately avoided the airport’s public Wi-Fi to reduce the risk of a security breach.

Once I authenticated and connected securely, I logged into Azure. I discovered that the user’s account in portal.azure.com was disabled. Fortunately, there are two ways to quickly resolve this kind of issue:

✅ Method 1: PowerShell (Quickest & Most Efficient)

If you have the AzureAD or Microsoft Graph PowerShell module installed and proper permissions, this method is the fastest.

Step-by-step using Microsoft Graph PowerShell:
```
# Connect to Microsoft Graph
Connect-MgGraph -Scopes "User.ReadWrite.All"

# Re-enable the disabled account
Update-MgUser -UserId [email protected] -AccountEnabled $true
```
Note: Replace [email protected] with the actual UPN or Object ID of the affected user.

Advantages:
- Fast (under 30 seconds)
- No GUI needed
- Can be scripted for multiple accounts
🧭 Method 2: Azure Portal (GUI Approach)

If you’re not ready to run PowerShell or don’t have the module available, the Azure Portal offers a visual way to fix it.

Steps:
1. Go to https://portal.azure.com
2. Navigate to Azure Active Directory
3. Click on Users
4. Search for the affected user
5. Click the Edit button at the top
6. Set Account Enabled to Yes
7. Click Save
Advantages:
- Good for admins who prefer a visual interface
- Easier to audit changes
- Helpful for one-off account fixes
🧠 Final Thoughts

Both approaches—PowerShell and the Azure portal—get the job done. However, for IT professionals constantly on the move, PowerShell is king. It’s fast, efficient, and doesn’t rely on a graphical interface.

That said, having the flexibility to switch between GUI and scripting tools is essential. Some situations demand precision and speed; others might call for a visual confirmation or audit trail.

In the end, what matters most is being prepared. Whether you’re at your desk or at an airport gate, the ability to jump in and resolve an issue on the fly is what defines a reliable IT Engineer.

© 2012–2025 Jet Mariano. All rights reserved.
For usage terms, please see the Legal Disclaimer.
July 29, 2025

error: Content is protected !!