VSCode Virtual Environments using your Browser

It’s no secret I’m a huge fan of virtual environments and PowerShell. Late last year I wrote this series on Nested Virtual PowerShell Desktop Environments on Windows 10 & Windows Server 2019 in Azure A lot of the back story for that three post series was to have virtual environments for PowerShell.

Moving forward six months and I’m at the beginning of the journey towards migrating from PowerShell Desktop to PowerShell Core. The quickest way to get started with PowerShell Core is to use the Windows 10 feature of Windows Subsystem for Linux. Of course you should also have made (or be making) the migration from PowerShell ISE to VSCode.

So what if you could have Virtual VSCode environments accessible via a browser as your IDE for building and using PowerShell Core? Well you can.

Here is VSCode running a PowerShell Core command via a browser from a Ubuntu based Windows Subsystem for Linux environment in a Windows 10 Virtual Machine running in Azure.

Powershell Core on Linux on Windows via VSCode in Browser.PNG

Prerequisites

A key component of this magic is Code Server. Code Server is an open source self-contained environment for VSCode designed to offload the IDE from lower powered environments (tablets, Chromebooks etc) and is currently supported on Linux and Mac (OSX) with Windows coming soon.

If you have an environment with either of those then all good, as you were. If you only have Windows then on Windows 10 install Windows Subsystem for Linux via the Microsoft Store App. My Windows System for Linux flavour is Ubuntu.

WSL Ubuntu.PNG

Code Server

Download Code Server from the Github Releases page here and save it to your local machine. Running Ubuntu I downloaded the Linux binary. Untar it using

tar -xf yourDownloadedversion.tar.gz

Untar Code Server

Change into the extracted directory with the code-server executable in and run code-server

./code-server

Take note of the password as you will need this when you connect to Code Server via your browser.

Start Code Server

If the host you are running Code Server is remote (as mine is, in Azure) make sure you have networking configured for the default port (8443). I had to update my NSG for the inbound port of 8443.

Note: this isn’t a normal configuration, allowing source any for incoming ports. I have this locked down to the necessary source IP’s (but I’m not going to show them here).

Inbound Security Rules.PNG

Then in your browser you can hit the your host on port 8443 and provide the password that was displayed when starting Code Server. You will then have VSCode running in essentially a Virtual Environment accessible via a browser.

VSCode running in a Browser

PowerShell Core

My Windows Subsystem for Linux Ubuntu version is currently 18.04 and I already had downloaded and installed PowerShell Core for Ubuntu 18.04

lsb_release -a

Installation Instructions are here

Ubuntu Windows Subsystem for Linux Version.PNG

Install the PowerShell VSCode Extension along with any of the other extensions you regularly use. BOOM, you now have a Virtual VSCode environment for use with PowerShell Core on (and in my case on Ubuntu under Windows 10).

PowerShell VSCode Extension

Summary

What a crazy time to be in the IT industry. Nested disparate operating systems running IDE’s in browsers executing cross-platform scripting languages. Wow.

To run multiple sessions on the same host use the -p (port) command to specify a different port for each instance.

Code Server specifying Port.PNG

Winner: Microsoft Graph Security Hackathon

Recently I entered my second Hackathon. My submission was my first ever Web Application for the Devpost / Microsoft Graph Security Hackathon. This morning (Australian time) the winners were announced and ……. I WON.

To say I’m thrilled and honoured would be an understatement as the hackathon was judged by the esteemed Ann Johnson, Scott Hanselman, Troy Hunt, Rick Howard, Mark Russinovich and Olli Vanhoja. Big thanks also have to go to Preeti Krishna from Microsoft who was super responsive on queries around the Microsoft Security Graph.

Microsoft Security Graph Hackathon Judges.PNG

My entry; Microsoft USER (User Security Evaluation Reporter) is an application that reports on any user within an Active Directory/Azure Active Directory and their associated security posture with respect to Risk Events, Enrolled MFA Methods, Password Pwned Status and Azure Password Reset Events. The UI provides a quick summary overview as shown immediately below with the ability to then drill down into each evaluation area.

User Secure Score Summary

Additional details about my submission can be found here including the architecture and technical details but here is a walk through demo of it.

 

Empowering your long running PowerShell Automation Scripts with SMS/Text Notifications

18 months ago I wrote this post that detailed integrating Push Notifications into your scripts. That still works great, but does require that you have the associated Push Bullet application installed in your browser or on your devices. More recently I wrote about using Burnt Toast for Progress Dialogs’ for long running scripts. That too is all great if you are present on the host running those scripts. But what if you want something a little more native and ubiquitous? Notifications for those autonomous or long running scripts where you aren’t active on the host running them, and you don’t want the hassle of another application specific for that purpose? How about SMS/Text notifications?

This post details how to use Twilio (a virtual telco) from your PowerShell scripts to send SMS/Text alerts from your scripts so you can receive notifications like this;

Everything is on Fire.PNG

Twilio

Twilio is a virtual telco (amongst other products), that allows you to use services such as the mobile network via your application. For their SMS/TXT service they even give you a credit to get started with their service. To send SMS/TXT messages using their service from Australia each message is AU$0.0550.

Sign-up for a Twilio trial account, enable and verify your account. Take note of the following items as you will need them for your script;

  • service mobile number (initially Trial Number)
  • Account SID
  • your Auth Token

Using these pieces of information via the Twilio API we can send SMS/Text Notifications from your PowerShell scripts (well any language, but I’m showing you how with PowerShell). You can get your Service Number, Account SID and Auth Token from the Dashboard after registering for a Trial Account.

Trial Account Dashboard.PNG

To enable SMS/TXT go to the Twilio Programmable SMS Dashboard here and create a New Messaging Service.

For my use (notifications from scripts) I selected Notifications, Outbound Only.

Create New Messaging Service.PNG

Once created you will see the following on the Programmable SMS Dashboard. That’s it, you’ve activated SMS/TXT in Trial Mode.

SMS Dashboard.PNG

The Script

Here is a Send-TextNotification PowerShell Function that takes;

  • Mobile Number to send the notification to
  • Mobile Number the message is coming from
  • Message to send
  • AuthN info (Account SID and Account Token)
  • Account SID

Line 46 sends a SMS/TXT notification using my Send-TextNotification script. Update;

  • Line 32 for your Twilio Account SID
  • Line 34 for your Twilio Account Token
  • Line 40 for the mobile number to send the message to
  • Line 42 for the authorised number you verified to send from
  • Line 44 for your notification message

Summary

Using the Twilio service, my small function and a few parameters you can quickly add SMS/TXT notifications to your PowerShell scripts. Once you have it up and running I encourage you to upgrade your account and pay the few dollars for use of the service which also removes the “Sent from your Twilio trial account” text from the messages. Twilio also has a WhatsApp Notification Service.

IMG-9658.JPG

 

Indexing a SailPoint IdentityNow Attribute in an Identity Cube for use in Correlation Rules

Joining/Matching rules in any Identity and Access Management Solution can make or break an Identity Lifecycle Management implementation. Out of the box SailPoint IdentityNow provides a number of common Identity Attributes that can be used for Correlation rules (joining/matching) from Identity Sources (connected systems).

Often though you want to add additional attributes to the list of Identity Attributes that can be used for correlation. The IdentityNow Portal does not provide this functionality, but it is possible via the IdentityNow API. However the documentation and guidance around this is a little sparse. This post details how to use the API to enable additional attributes for use with correlation rules.

NOTE: The guidance is to be pragmatic with the number of additional attributes that you add as Identity Attributes for Correlation. The guidance is a maximum of 7 additional attributes 

Prerequisites

  1. Authentication. I using the v3 method that I detail here
  2. On an Identity Profile you’ll need to map the attribute from a Source to an attribute in the Identity Profile.
    • In the IdentityNow Portal go to Admin => Identities => Identity Profiles => Your Identity Profile => Mappings => Add Attribute

Process

I’m using PowerShell, but the process can be transposed to any language that you can use to make Web Requests. The high-level process is;

  1. Get the list of Identity Attributes
  2. Locate the attribute you want to be available for Correlation rules
    • this is required as addressing the attribute to make it available is case-sensitive
  3. Update the object to make it Searchable
    • making the attribute Searchable promotes it to being available for Correlation Rules

The Script

The steps in the script below assume you are authenticated to the IdentityNow API as detailed in the prerequisites. You should only need to then update line 12 for the attribute name you want to make searchable and available for correlation rules.

The script steps (that you will want to manually step through);

  •  Get the list of Identity Attributes
    • The attribute you want to promote to be searchable should be present, as you’ve mapped it in an Identity Profile as detailed in the prerequisites
  • Get the attribute to modify
  • Modify the attribute object to make it searchable
    • modify other aspects of the Identity Attribute to allow the attribute changes to be written back to IdentityNow
  • Update the attribute in IdentityNow

Summary

As the script above shows, the process to update an attribute to make it searchable and available for correlation rules is a little more involved that just flipping an attribute value, but once you know how reasonably trivial.

Building SailPoint IdentityNow Azure AD Source Filters

When you have a large Azure AD tenant it is likely that you want to scope your SailPoint IdentityNow Source based on the different type of identities it contains. Using the Filtering and Scoping section of the Azure AD Source Configuration Guide from Compass I first started constructing queries as I normally would with Azure AD against the Microsoft Graph API.

However the queries/filters I was using against Microsoft Graph were not working for the Azure AD IdentityNow Source. On aggregation the Source Connector would throw errors such as;

….java.lang.RuntimeException – sailpoint.connector.ConnectorException: Exception occurred. Error message – Exception occurred in processReadRequest. Error – Response Code – 400 Error – Bad Request Property ‘msGraphAADAttribute’ does not exist as a declared property or extension property…..

Following some discussions with the IdentityNow Professional Services guys I learned that the IdentityNow Azure AD Source Connector uses the Azure AD v1 Graph API endpoint.

With this information I was then able to use the Azure Active Directory v1 Graph API Explorer to develop queries that would then work for ‘User Filters’.  This is extremely quick and useful. For guidance on using Azure AD Filters this Microsoft document will get you started.

Azure AD v1 Graph Filter Tester.PNG

Configuring Azure AD Source Filters

To configure Source Filters for the IdentityNow Azure AD Source I use PowerShell as per the many IdentityNow Configuration and Automation posts I’ve previous written.

SailPoint IdentityNow Authentication

The script snippets below just show the commands to create three different Azure AD Source Filters (if you need all three like me you will need to configure three separate Sources with a different filter on each). In order to utilise these you will need to be authenticated to the SailPoint IdentityNow API. This post details connecting to the SailPoint IdentityNow v3 API endpoint using PowerShell.

Below shows three snippets for scoping the Azure AD Source down to specific User Types;

  • AAD Guest Accounts (B2B)
  • AAD Hybrid Accounts (On Premise AD and Azure AD)
  • AAD Cloud Only Accounts

To update a source you send a POST request to the Update Source API where yourOrg is your Tenant Org Name and SourceNumber is the number of the Source to update (e.g. 12345). The body is the connector_userFilters attribute with the value for the filter.

https://yourOrg.api.identitynow.com/cc/api/source/update/SOURCENumber

Hybrid Accounts

The following shows the tail of the output from the returned object after updating the Source for a filter for Azure AD Hybrid Accounts;

dirSyncEnabled eq true and userType eq 'member'

Hybrid Users.PNG

Azure AD Cloud Only Accounts

The following shows the tail of the output from the returned object after updating the Source for a filter for Azure AD Cloud Only Accounts;

dirSyncEnabled eq false and userType eq 'member'

Cloud Only Users.PNG

Azure AD Guest (B2B) Accounts

The following shows the tail of the output from the returned object after updating the Source for a filter for Azure AD Cloud Only Accounts;

userType eq 'guest'

B2B Guests.PNG

Summary

Knowing the API the IdentityNow Azure AD Source is using allows us to construct filters to scope the Azure AD Source to the specific users for an implementation.

CIRCUITPY Volume not visible for an Adafruit Circuit Playground Express on Windows 10 1803

I’ve just returned from the US and whilst there I picked myself up an Adafruit Circuit Playground Express. I plugged it into my computer and by all reports it should just appear as a removable drive on Windows 10. Alas that didn’t happen for me. I could get it into BOOT mode by pressing the Reset switch, but no matter what I did I couldn’t get the expected CIRCUITPY volume to be visible in File Explorer. Here’s how I got it working along with configuring VSCode as the editor.

Prerequisites

  • Visual Studio Code
    • Python Extension (from Microsoft) for VSCode. Install through VSCode Extensions

Environment Configuration

    1. Install the Arduino IDE from the Microsoft Store
    2. Open VSCode and install the Arduino Extension (from Microsoft)
      • go to the Command Palette and open Preferences: Open User Settings
      • under Arduino: Pathadd the path to Arduino. It should be something like C:\Program Files\WindowsApps\ArduinoLLC.ArduinoIDE_1.8.21.0_x86__mdqgnx93n4wtt depending on the version you have
      • under Arduino: Additional Urlsselect edit in settings.json and add the following line and save the file
        • “https://adafruit.github.io/arduino-board-index/package_adafruit_index.json
      • Open the Command Palette and select Arduino Board Config. Select Adafruit Circuit Playground
    3. Verify that the Adafruit Circuit Playground board is showing in the VSCode system tray along with the COM port is using on your computer.
    4. Update the Bootloader
      • Currently the latest bootloader is available from here https://github.com/adafruit/uf2-samdx1/releases/latest
        • for Circuit Playground Express you are looking for the update-bootloader-circuitplay_m0-v2.0.0-adafruit.VERSION.uf2 file
      • Click the reset button (in the middle of the board) and you should see the CPLAYBOOT drive volume in your computer File Explorer
      • Drop the bootloader uf2 file onto the drive
    5. Update to the latest Circuit Python Release
      • That is available from here https://circuitpython.org/board/circuitplayground_express/
        • Currently that is v3.1.2
      • Drop the updated Circuit Python .u2f file onto the CPLAYBOOT volume
    6. Restore the Demo Python Script
      • The demo is available from here https://github.com/adafruit/Adafruit_Learning_System_Guides/raw/master/Introducing_CircuitPlaygroundExpress/CPXDemoContent.zip
      • Unzip the download and drop the demo script (main.py and *.wav files)  onto the CIRCUITPY volume
      • It will restart and go through the neopixel demo (with startup sound)
    7. Using VSCode open the main.py file from the CIRCUITPY volume
      • update the following line from False to True and save the file
        • TOUCH_PIANO =True

         

With that all done I was up and running.

Hopefully that helps someone else get quickly starting and avoid all the troubleshooting I went through to get up and running.

Changing SailPoint IdentityNow Identity Profiles Priorities using PowerShell

In SailPoint IdentityNow a single user is highly likely to be represented on multiple Sources, that in turn are likely to be authoritative for differing SailPoint IdentityNow Identity Profiles. Often the first or last Identity Profile you create isn’t the one you wish to have the highest or lowest profile and you therefore need to change an Identity Profiles precedence so that the correct Identity Profile is associated with your identities.

The priority of IdentityNow Identity Profiles cannot be changed through the Portal, but it is possible to perform the change via the API as detailed in this Compass document.

Rather than following the Postman path described in that document, knowing I’m going to need to do this irregularly but relatively quickly I’ve written a little PowerShell script to make the changes.

By default an Identity Profile when created is added to the bottom of the list and their priority increased by 10 from the last Identity Profiles’ priority. The script will by default make the Identity Profile you choose 5 higher that the Identity Profile you’re moving it above.

The following screenshot shows 5 Identity Profiles in their priority order. Let’s say we wanted to move the System Accounts Identity Profile from the bottom priority to between Cloud Identities and Badged Identities.

IdentityNow Priority List.PNG

Using the script (at the bottom of this post) we can authenticate to IdentityNow and retrieve the IdentityNow Profiles with their Priorities. It will ask which IdentityNow Profile you wish to increase the priority of. By default it defaults to the one at the lowest priority.

Identity Profile Priority Changer 1.PNG

You are then prompted for where you would like to move it. Type the name of the Identity Profile you want to move it above.

Identity Profile Priority Changer 2a.PNG

Confirm your selections by typing ‘y’. Anything else will cancel the operation.

Identity Profile Priority Changer 3.PNG

The update will be made in IdentityNow and the output will indicate the updated priority given to the Identity Profile that was moved.

Identity Profile Priority Changer 4.PNG

Checking in the IdentityNow Portal we can see that they Identity Profile was moved from the bottom to between Cloud Identities and Badged Identities.

IdentityNow Priority List Updated.PNG

The Script

Below is the script that performs the changes to Identity Profiles priorities. Update the following script for;

  • Line 2 for your Client ID
  • Line 4 for your Client Secret
  • Line 8 for your Org name
  • Line 10 for your Admin Account name
  • Line 11 for your Admin Account password

Summary

Using this script is a quick way to change the priority of Identity Profiles in SailPoint IdentityNow.

SailPoint IdentityNow Identity Profiles Mapping Report

Last year I wrote this post here that detailed using the SailPoint IdentityNow API to generate an IdentityNow Sources HTML Report using PowerShell.
In a similar vein here is a post that does a similar function, but for the IdentityNow Identity Profiles. The example script below will connect to IdentityNow and extract all the Identity Profiles and pull out the details for the Mappings and create an HTML Report with a section for each Identity Profile.

SailPoint IdentityNow Identity Profiles Report.PNG

Report Script

Update the script below for;

  • Line 2 for your v1 API ClientID
  • Line 4 for your v1 API Client Secret
  • Line 8 for your Org Name
  • Line 10 for your Admin Name
  • Line 11 for your Admin Password
  • Line 22 for an image path for the report
  • Line 27 for the output path for the report

The Report

The resulting report that will be located in the output path you specified, will let you expand each of your Identity Profiles and see the attributes mapping configuration associated with it. A snippet of an Identity Profile is shown below.

SailPoint IdentityNow Identity Profiles Report Details.PNG

Summary

The ability to report on the attribute mappings for Identity Profiles gives a quick way to document or report on the attribute mappings. If you’re so inclined the script can be easily extended to report on all other aspects of the configuration items of an IdentityNow Identity Profile.

The image I’m using in the report is from this page and sized at 240 x 82 px.

Darren’s PowerShell Snippets Volume 1

I live in PowerShell and my memory is pretty good. There are a number of common PowerShell commands and one-liners or functions that I use a lot and I can remember them. However, then there are the ones I use less regularly and I often find myself trying to recall the last time I used them in a script, in order to locate that script just to get those couple of lines. So I’m posting a bunch of them in this post, if for nothing else to help me find them quickly. Let’s consider this as my common PowerShell Snippets and Volume 1.

Unix Time

For a number of API’s I interact with I need to provide the current time in Unix format as part of the API request. This online liner around Get-Date does that.

$utime = [int][double]::Parse((Get-Date -UFormat %s))

the output looks like this

1551906706

URL Encode

Often you need to encode a URL or query. The following shows taking a query and URL encoding it.

$query = "attributes.firstname='Darren' AND attributes.lastname='Robinson'"
Add-Type -AssemblyName System.Web
$queryEncoded = [System.Web.HttpUtility]::UrlEncode($query)

The encoded query then looks like

attributes.firstname%3d%27Darren%27+AND+attributes.lastname%3d%27Robinson%27

Basic Authentication Header

The following will create a Basic Authentication Header from a ClientID and Client Secret that can then be used with Invoke-RestMethod or Invoke-WebRequest

$clientID = 'abcd1234567'
$clientSecret = 'abcd12345sdkslslfjahd'
$Bytes = [System.Text.Encoding]::utf8.GetBytes("$($clientID):$($clientSecret)")
$encodedAuth =[Convert]::ToBase64String($Bytes)
$header = @{Authorization = "Basic $($encodedAuth)" }

You then use the $header variable in your web request e.g

invoke-restmethod -method get -uri "https://webservice.com" -headers $header

Converting a String to Proper/Title Case

Sometimes you get a string that is SHOUTING at you. Or just badly formatted and you need to make it look as it should. The following will convert a string to Title Case

$Surname = (Get-Culture).textinfo.totitlecase("BaDlY-ForMAtted SurNAME".tolower())

The BaDlY-ForMAtted SurNAME will then become

Badly-Formatted Surname

TLS

I have written this up before in more detail for a slightly different scenario here. But often the quick one-liner to force PowerShell to use TLS 1.2 for web requests is

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

Splitting a Large Collection into manageable chunks

Way to regularly I have a data-set of 100k+ objects. In order to parallelise the processing of that data into multiple threads I need to break that 100k+ collection into smaller chunks.

The following takes LARGEDATASET, say a collection of 10’s or 100’s of thousands of objects and splits it into collections of 1000.

$counter = [pscustomobject] @{ Value = 0 }
$groupSize = 1000
$groups = $LARGEDATASET | Group-Object -Property { [math]::Floor($counter.Value++ / $groupSize) }

You can then determine how many it created with

$groups.Count

and then checkout each Group by incrementing through the collection array

$groups[0].Group

Parallel Processing

As an extension of splitting a large collection into smaller collections you may then want to process a collection with multiple threads (e.g in Parallel).

The following snippet leverages the Invoke-Parallel Function from Rambling Cookie Monster that I’ve mentioned previously such as here.

Change the Throttle switch for the number of threads. Change the timeout if required (if for instance you are smashing your (not someone else’s) API.

& .\PATH-TO\invoke-parallel.ps1
$result = Invoke-Parallel -InputObject $CollectionOfObjects -throttle 10 -runspaceTimeout 60 -ImportVariables -ImportModules -ScriptBlock {
   try {
        $query = Invoke-RestMethod -method Get -uri "https://api.application.com" -headers $header
      } catch {
        write-host $_
      }
   @($query)
}
$result.Count

Join Large Collections

This I mentioned previously in this post here.  This snippet is the ability to quickly join objects between two large collections. It utilises the Join-Object function again from Rambling Cookie Monster

$reportData = Join-Object -Left $collection1 -Right $collection2 -LeftJoinProperty UserPrincipalName -RightJoinProperty UserPrincipalName -Type AllInLeft

Un-escaping a JSON Document

Using ConvertTo-JSON will escape special characters as shown below.

{"description": "Australian G\u0026f Logistics Ltd"}

Using the following will unescape the JSON document (if the system you’re interfacing with doesn’t unescape on consumption).

$jsonString | ConvertTo-Json | % { [System.Text.RegularExpressions.Regex]::Unescape($_) }

The JSON document will then become

{"description": "Australian G&f Logistics Ltd"}

That’s it for Vol 1 of Darren’s PowerShell snippets. I’ll start compiling others as I search for them and don’t find them in this Vol.

Aggregating SailPoint IdentityNow Sources via API with PowerShell

Aggregating an IdentityNow Source can be achieved in a number of ways, but when you are in a development environment there will be times where you need to add additional attributes for a Source to load. If the additional attribute(s) is/are used for Correlation, it’s at this time you will need to perform a full aggregation from a Source to re-evaluate each object with the new Correlation rules and to bring in the additional attributes for each identity on the Source.

The LoadAccounts API briefly mentions this in this SailPoint IdentityNow Compass document. It also details the option that needs to be disabled disableOptimization so that each identity is imported and re-evaluated.

This post details how to call the LoadAccounts API using PowerShell and disable optimization.

Prerequisites

The LoadAccounts API is a Private API that has a different authentication process that the v2 and v3. In this post I detail accessing the v1 Private API’s using PowerShell.  That post gives some more detail around the v1 Private API’s.

The following script will aggregate a SailPoint IdentityNow Source disabling optimisation.

Update;

  • Line 2 with your API ClientID
  • Line 4 with your API Client Secret
  • Line 8 with your IdentityNow Org Name
  • Line 10 with your IdentityNow Admin Account Name
  • Line 11 with your IdentityNow Admin Account Password
  • Line 25 with the SourceID (5 digit number) for the Source to Aggregate

Line 29 contains the Web Request Post Body disableOptimization=true” that disables optimisation for the aggregation. If you just require an aggregation of a source omit the body.

Executing the script with valid credentials and a Source will result in the aggregate variable returning a summary for the trigger of the aggregation. You will notice in the attributes that optimizedAggregation is disabled.

Returned Object when initiating IdentityNow Aggregation via API with optimisation disabled.PNG

This is also reflected in the Aggregation Summary from the Portal when completed.

IdentityNow Aggregation via API with optimisation disabled.PNG

Summary

Using the above script it is possible to quickly perform a full aggregation and re-evaluation of correlation rules for an IdentityNow Source.