mastodon.world is one of the many independent Mastodon servers you can use to participate in the fediverse.
#microsoftgraph


Some Graph API fun today.

The Graph API knows `applications` (learn.microsoft.com/en-us/grap) and `servicePrincipals` (learn.microsoft.com/en-us/grap).

The Azure Portal knows `App Registrations` and `Enterprise Applications`.

App Registrations (Portal) = applications (Graph API)
Enterprise Applications (Portal) = servicePrincipals (Graph API)

Applications (App Registrations) and servicePrincipals (Enterprise Applications) each have a unique, individual `ObjectId`, but the ones that belong together hold the same `ApplicationId`, which glues them together.

Fortunately, the Graph API documentation is clear and relatively consistent on what is expected for requesting an object - either the `objectId` or the `applicationId`:

```
GET /servicePrincipals/{id}
GET /servicePrincipals(appId='{appId}')
GET /applications/{applicationObjectId}
GET /applications(appId='{appId}')
```

When searching for servicePrincipals (Enterprise Applications) in the portal, it is not that clear, since the terms are mixed up a bit.
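As an added example (not part of the original post), the following PowerShell resolves both halves of the pair from a single `appId` with the Microsoft.Graph PowerShell SDK (`Microsoft.Graph.Applications` module) and pulls out the two things a reviewer usually wants to see side by side: credentials, which live on the application object, and app role assignments, which hang off the service principal. The `Get-AppPair` function name and the all-zero GUID are placeholders invented for this example; `Connect-MgGraph -Scopes "Application.Read.All"` must already have been run.

```powershell
# Added example, not code from the original post. Assumes:
#   Install-Module Microsoft.Graph.Applications
#   Connect-MgGraph -Scopes "Application.Read.All"
# Get-AppPair is a name chosen for this example; the GUID below is a constructed placeholder.

function Get-AppPair {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $AppId
    )

    # applications = App Registrations. Filter on appId; the returned .Id is the objectId.
    $app = Get-MgApplication -Filter "appId eq '$AppId'"

    # servicePrincipals = Enterprise Applications. Same appId, a different objectId.
    $sp = Get-MgServicePrincipal -Filter "appId eq '$AppId'"

    # Equivalent alternate-key form straight against the API, as in the post:
    #   Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/v1.0/applications(appId='$AppId')"

    if (-not $app -and -not $sp) {
        throw "No application or servicePrincipal with appId $AppId exists in this tenant."
    }

    # An app registered in another tenant (multi-tenant or Microsoft first-party) has only a
    # servicePrincipal here; its application object lives in the home tenant.
    $homeTenant = if ($sp) { $sp.AppOwnerOrganizationId } else { $null }

    # Credentials are a property of the application object ...
    $passwords = if ($app) { @($app.PasswordCredentials).Count } else { 0 }
    $keys      = if ($app) { @($app.KeyCredentials).Count } else { 0 }

    # ... while granted application permissions are assignments on the servicePrincipal.
    $roleAssignments = if ($sp) {
        @(Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id).Count
    } else { 0 }

    [pscustomobject]@{
        AppId                    = $AppId
        DisplayName              = if ($sp) { $sp.DisplayName } else { $app.DisplayName }
        ApplicationObjectId      = if ($app) { $app.Id } else { $null }
        ServicePrincipalObjectId = if ($sp) { $sp.Id } else { $null }
        ServicePrincipalType     = if ($sp) { $sp.ServicePrincipalType } else { $null }
        HomeTenantId             = $homeTenant
        PasswordCredentials      = $passwords
        KeyCredentials           = $keys
        AppRoleAssignments       = $roleAssignments
    }
}

# Once you hold an objectId, use the path form; the SDK parameter names follow the Graph path segments:
#   Get-MgApplication      -ApplicationId      <ApplicationObjectId>
#   Get-MgServicePrincipal -ServicePrincipalId <ServicePrincipalObjectId>

Get-AppPair -AppId '00000000-0000-0000-0000-000000000000' | Format-List
```

The split matters when you are hunting for persistence: a secret or certificate added by an attacker shows up in `PasswordCredentials` or `KeyCredentials` on the application object, and is invisible if you only inspect the Enterprise Application blade, whereas a granted `Directory.ReadWrite.All` shows up as an app role assignment on the service principal and is invisible from the App Registration blade.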

In May 2024, Kaspersky's Global Research and Analysis Team (GReAT) uncovered a new advanced persistent threat (APT) group named CloudSorcerer. This sophisticated group has been actively targeting Russian government entities, leveraging cloud services such as Microsoft Graph, Yandex Cloud, and Dropbox for command-and-control (C2) and data exfiltration. CloudSorcerer's techniques echo the CloudWizard APT from 2023, utilizing GitHub and Mail.ru for initial communications and using encoded strings to interact with cloud services.

The malware used by CloudSorcerer is particularly notable for its ability to dynamically adapt its behaviour based on the process it runs in, highlighting its sophistication. The malware collects system information, manipulates files, executes shell commands, and creates processes using COM interfaces. These capabilities, combined with its use of cloud infrastructure for C2, underline the advanced nature of this cyber espionage toolset. Although there are similarities to CloudWizard, the distinct differences in code and functionality suggest that CloudSorcerer is a unique actor employing similar techniques but developing its tools.

Also this morning, I was able to finally update a #Microsoft365 licensing #Powershell script that we've used for user provisioning for years. I updated from the now-deprecated #MSOnline module to use the newer #MicrosoftGraph modules.

I have been banging my head against it for a while now and finally had breakthroughs in understanding that allowed it to click in my brain and get it working.

I still need to monitor it for a couple of weeks, but I think we're through the hard part.

Microsoft Graph Activity Log is Now Available in Public Preview

With Microsoft Graph Activity Logs, you can now investigate the complete picture of activity in your tenant – from token request in SignIn logs, to API request activity (reads, writes, and deletes) in Microsoft Graph Activity Logs, to ultimate resource changes in Audit logs.

techcommunity.microsoft.com/t5
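As an added example (not part of the original post or of Microsoft's announcement), the following PowerShell queries the `MicrosoftGraphActivityLogs` table in a Log Analytics workspace for write requests against `/applications` and `/servicePrincipals` that add credentials, owners, role assignments or consent grants, and joins each request to the sign-in that issued its token via `SignInActivityId` = `UniqueTokenIdentifier`. It assumes the `Az.Accounts` and `Az.OperationalInsights` modules, a completed `Connect-AzAccount`, and that the preview logs are already routed to the workspace; `Get-GraphAppWriteActivity` is a name chosen for this example, the workspace GUID is a placeholder, and the column names follow the documented preview schema and should be checked in your own workspace.

```powershell
# Added example, not code from the original post. Assumes Az.Accounts + Az.OperationalInsights,
# Connect-AzAccount already run, and MicrosoftGraphActivityLogs flowing into the workspace.
# Get-GraphAppWriteActivity is a name chosen for this example; the workspace GUID is a placeholder.

function Get-GraphAppWriteActivity {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $WorkspaceId,
        [int] $Days = 7
    )

    # Writes to app registrations / enterprise apps that commonly mean persistence:
    # new secrets or certificates, new owners, new role assignments or consent grants.
    # $left / $right are escaped so PowerShell does not expand them inside the here-string.
    $kql = @"
MicrosoftGraphActivityLogs
| where TimeGenerated > ago(${Days}d)
| where RequestMethod in ("POST", "PATCH", "PUT", "DELETE")
| where RequestUri has_any ("/applications", "/servicePrincipals")
| where RequestUri has_any ("addPassword", "addKey", "passwordCredentials", "keyCredentials",
                            "owners", "appRoleAssignments", "appRoleAssignedTo", "oauth2PermissionGrants")
| project TimeGenerated, RequestMethod, RequestUri, ResponseStatusCode,
          UserId, ServicePrincipalId, AppId, IPAddress, UserAgent, SignInActivityId
| join kind=leftouter (
    SignInLogs
    | project UniqueTokenIdentifier, UserPrincipalName, AppDisplayName, ConditionalAccessStatus
  ) on `$left.SignInActivityId == `$right.UniqueTokenIdentifier
| order by TimeGenerated desc
"@

    $response = Invoke-AzOperationalInsightsQuery -WorkspaceId $WorkspaceId -Query $kql
    $response.Results
}

Get-GraphAppWriteActivity -WorkspaceId '00000000-0000-0000-0000-000000000000' -Days 7 |
    Format-Table TimeGenerated, RequestMethod, RequestUri, ResponseStatusCode, UserPrincipalName, IPAddress
```

Two caveats when reading the output. Requests made with an app-only token have no row in `SignInLogs`; their token issuance is in `AADServicePrincipalSignInLogs` (which also carries `UniqueTokenIdentifier`), so union that table into the join if service principal activity is what you are after. And the activity log records the request as received, so a `ResponseStatusCode` of 403 is an attempt, not a change; the object that actually changed is what the `AuditLogs` table records, which is the last link in the chain the post describes.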

Another fun day with #MicrosoftGraph trying to find allowed collaboration domains. Docs say to use the AzureAD preview PowerShell module. Module doesn't work in PowerShell 7. Import the module in PowerShell 5 and receive a banner directing me to use Graph. It did provide the info in the end, but it's just such a complete mess.