Create a secure connection to EXO & MSOL and record all cmdlets / activities done by admins
Background:
You may face the question of how to secure the connection your administrators make to Exchange Online PowerShell, since Exchange Online PowerShell does not support multi-factor authentication as of this writing.
I had a similar situation, and after a lot of R&D I came up with the script below, which helped me achieve my goal.
The script does three things:
- Connects to Exchange Online with an encrypted password
- Loads the Exchange Online PowerShell commands in a secure way
- Records all the activities done by Exchange Online admins in a transcript
Please use this script in your test tenant first and move it to production as needed. In my case I put all my scripts in a central shared location on a NAS box and restricted access to the logs and scripts with Windows security, so my admins have only READ permission on the script and cannot edit or modify any of its contents.
Creating an AES key from random data and exporting it to a file:
- Open PowerShell on your server as an administrator and follow the procedure below
Command 1:
$KeyFile = "<share location UNC Path>\AES.key"
Command 2:
$Key = New-Object Byte[] 16
Command 3:
[Security.Cryptography.RNGCryptoServiceProvider]::Create().GetBytes($Key)
Command 4:
$Key | out-file $KeyFile
Creating the SecureString object (the secured password):
Open PowerShell on your server as an administrator,
then follow the steps below to create the secured password file that the PowerShell script uses.
Command 1:
$PasswordFile = "<share location UNC Path>\Password.txt"
Command 2:
$KeyFile = "<share location UNC Path>\AES.key"
Command 3:
$Key = Get-Content $KeyFile
Command 4:
$Password = "<TYPE THE PASSWORD OF SERVICE ACCOUNT HERE>" | ConvertTo-SecureString -AsPlainText -Force
Command 5:
$Password | ConvertFrom-SecureString -key $Key | Out-File $PasswordFile
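As an added example (this is not code from the original post), the two procedures above are wrapped in functions: one generates the key and the encrypted password file, prompting for the password with Read-Host -AsSecureString so the clear-text password never appears in the console history; one verifies the round trip the way the connection script will do it at run time; and one applies the read-only NTFS permissions described above with Set-Acl. The file paths and the principal names are placeholders you must replace. One caveat a practitioner should keep in mind: anyone who can read both AES.key and Password.txt (which includes every admin who runs the script) can recover the clear-text password, so the files protect the password at rest and from people without share access, not from the script's own users.

```powershell
# Added example, not part of the original post. Paths and principals are placeholders.

function New-EncryptedCredentialFile {
    param(
        [Parameter(Mandatory)][string]$KeyFile,
        [Parameter(Mandatory)][string]$PasswordFile,
        [int]$KeyLength = 32   # 32 bytes = AES-256; the post uses 16 bytes (AES-128)
    )
    # Random key, one decimal byte per line, exactly as the post's Command 4 writes it
    $Key = New-Object byte[] $KeyLength
    [System.Security.Cryptography.RNGCryptoServiceProvider]::Create().GetBytes($Key)
    $Key | Out-File -FilePath $KeyFile

    # Prompting as a SecureString keeps the password out of the console history
    $Secure = Read-Host -Prompt 'Password of the service account' -AsSecureString
    $Secure | ConvertFrom-SecureString -Key $Key | Out-File -FilePath $PasswordFile
}

function Test-EncryptedCredentialFile {
    param(
        [Parameter(Mandatory)][string]$KeyFile,
        [Parameter(Mandatory)][string]$PasswordFile,
        [Parameter(Mandatory)][string]$UserName
    )
    # Same steps the connection script performs when it builds the PSCredential
    $Key    = Get-Content -Path $KeyFile
    $Secure = Get-Content -Path $PasswordFile | ConvertTo-SecureString -Key $Key
    $Cred   = New-Object System.Management.Automation.PSCredential ($UserName, $Secure)
    # Report only the length so the check never prints the password itself
    [PSCustomObject]@{
        UserName       = $Cred.UserName
        PasswordLength = $Cred.GetNetworkCredential().Password.Length
    }
}

function Protect-CredentialFile {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string[]]$ReadOnlyPrincipal,   # e.g. 'CONTOSO\ExchangeAdmins' (placeholder)
        [string]$FullControlPrincipal = 'BUILTIN\Administrators'
    )
    $acl = Get-Acl -Path $Path
    # Stop inheriting from the share folder and drop the inherited entries
    $acl.SetAccessRuleProtection($true, $false)
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $FullControlPrincipal, 'FullControl', 'Allow')))
    foreach ($p in $ReadOnlyPrincipal) {
        # Admins who run the script need Read and nothing more
        $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
            $p, 'Read', 'Allow')))
    }
    Set-Acl -Path $Path -AclObject $acl
}

# Usage (placeholders):
# New-EncryptedCredentialFile  -KeyFile '\\nas\scripts\AES.key' -PasswordFile '\\nas\scripts\Password.txt'
# Test-EncryptedCredentialFile -KeyFile '\\nas\scripts\AES.key' -PasswordFile '\\nas\scripts\Password.txt' -UserName 'svc-exo@contoso.onmicrosoft.com'
# 'AES.key','Password.txt' | ForEach-Object { Protect-CredentialFile -Path "\\nas\scripts\$_" -ReadOnlyPrincipal 'CONTOSO\ExchangeAdmins' }
```

Run Test-EncryptedCredentialFile from the account that will later run the connection script; if it fails there, the ACL on one of the two files is too tight for that account.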
NOW THE ACTUAL SCRIPT BEGINS. Please make sure you have already generated the AES.KEY and PASSWORD.TXT files.
################################################################################################################################################################
# Script does 3 activities: one is to connect to Exchange Online with an encrypted password, second is to load the PowerShell commands in a secure way, and third is to record all the activities done by Exchange Online admins
#
# Office365Username - Mandatory - Administrator login ID for the tenant we are querying
# Office365Password - Mandatory - Encrypted password
#
################################################################################################################################################################
# Setting the PowerShell background to "Dark Blue" colour
$Host.UI.RawUI.BackgroundColor = 'DarkBlue'
Clear-Host
function Start-Trans([switch]$debug)
{
# to see debugging information: Start-Trans -debug
if($debug)
{
$DebugPreference = "Continue"
} #end if debug
# Transcript name is built from the admin's user name, the day of the week, the hour and AM/PM, e.g. jsmith_Monday_9_AM.txt
$dte = [DateTime]::Today.DayOfWeek.ToString()
Write-Debug $dte
$dte = $dte + "_" + [DateTime]::Now.Hour
$duser = [Environment]::UserName
Write-Debug $dte
# Test the hour directly; matching the string form of the date against "AM" depends on the culture's time format
if([DateTime]::Now.Hour -lt 12)
{
Write-Debug "Inside if ..."
$dte = $dte + "_AM"
Write-Debug $dte
} #end if...
else
{
Write-Debug "Inside else ..."
$dte = $dte + "_PM"
Write-Debug $dte
} #end else
Write-Debug "Starting transcript ... <UNC Path>\${duser}_$dte.txt"
# -Append keeps the record of an earlier session in the same hour instead of overwriting it
Start-Transcript -Path "<UNC PATH>\${duser}_$dte.txt" -Append | Write-Host -ForegroundColor "DarkBlue"
} #end
Start-Trans
#Start-Transcript -Path "<TRANSCRIPT PATH HERE>\$([Environment]::UserName)$(Get-Date -Format 'MMddyyyy').txt" | Write-Host -ForegroundColor "DarkBlue"
Write-Host "Connecting to <TENANT NAME HERE> Secured Exchange Online PowerShell Administration" -ForegroundColor "magenta"
# Service account used to connect to YOUR TENANT Office 365, plus the password file and AES key created earlier
$TenantUname = "<SERVICE ACCOUNT HERE>"
$TenantPass = "<PASSWORD TEXT FILE LOCATION HERE>"
$KeyFile = "<AES.KEY LOCATION HERE>"
$Key = Get-Content $KeyFile
# Rebuild the credential from the encrypted password file and the AES key
$TenantCred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $TenantUname, (Get-Content $TenantPass | ConvertTo-SecureString -Key $Key)
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $TenantCred -Authentication Basic -AllowRedirection
Import-PSSession $Session
Start-Sleep 5
Clear-Host
Write-Host "Connected to <UR TENANT NAME> secured Production Exchange Online PowerShell Administration, now connecting to MSOL service" -ForegroundColor magenta
Start-Sleep 5
Clear-Host
Import-Module MSOnline
Connect-MsolService -Credential $TenantCred
Write-Host "Connected to <TENANT NAME> secured Production Exchange Online PowerShell Administration & also MSOL PowerShell administration, unauthorized use of this box will be reported as a security violation incident" -ForegroundColor magenta
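Recording the transcripts is only half of the job; somebody has to review them. As an added example (not part of the original script), the code below parses the files Start-Transcript writes, lists every cmdlet each admin typed, and flags the ones on a small watch list of changes that commonly need a second look (mail forwarding, mailbox delegation, inbox and transport rules, directory role membership). The transcript text is constructed sample input in the format Start-Transcript produces, and the watch list is an assumption you should adjust to your own tenant.

```powershell
# Added example, not part of the original post: audit the transcripts written by Start-Trans.

# Watch list (assumption): cmdlet name -> why it is worth reviewing
$WatchList = @{
    'Set-Mailbox'           = 'mailbox forwarding changed'      # flagged only with -Forwarding* parameters, see below
    'Add-MailboxPermission' = 'mailbox delegated to another user'
    'New-InboxRule'         = 'inbox rule created'
    'New-TransportRule'     = 'transport rule created'
    'Add-MsolRoleMember'    = 'directory role membership changed'
}

function Get-TranscriptCommand {
    param([Parameter(Mandatory)][string[]]$Lines)
    $user = 'unknown'
    foreach ($line in $Lines) {
        # The transcript header records who ran the session
        if ($line -match '^Username:\s*(.+)$') { $user = $Matches[1].Trim(); continue }
        # Commands typed at the prompt appear as "PS C:\> Get-Mailbox ..."
        if ($line -match '^PS [^>]*>\s*(\S+)(.*)$') {
            [PSCustomObject]@{
                User      = $user
                Cmdlet    = $Matches[1]
                Arguments = $Matches[2].Trim()
            }
        }
    }
}

function Find-WatchedCommand {
    param([Parameter(Mandatory)][object[]]$Commands)
    foreach ($c in $Commands) {
        if (-not $WatchList.ContainsKey($c.Cmdlet)) { continue }
        # Set-Mailbox is used for everyday changes; only forwarding changes are flagged
        if ($c.Cmdlet -eq 'Set-Mailbox' -and $c.Arguments -notmatch '-Forwarding') { continue }
        [PSCustomObject]@{
            User   = $c.User
            Cmdlet = $c.Cmdlet
            Reason = $WatchList[$c.Cmdlet]
            Line   = "$($c.Cmdlet) $($c.Arguments)"
        }
    }
}

# Constructed sample transcript (not a real session)
$SampleTranscript = @'
**********************
Windows PowerShell transcript start
Start time: 20240101090000
Username: CONTOSO\jsmith
**********************
PS C:\> Get-Mailbox -Identity alice
PS C:\> Set-Mailbox -Identity alice -DisplayName "Alice Example"
PS C:\> Set-Mailbox -Identity alice -ForwardingSmtpAddress someone@example.com -DeliverToMailboxAndForward $true
PS C:\> Add-MailboxPermission -Identity finance -User jsmith -AccessRights FullAccess
PS C:\> Get-MsolUser -UserPrincipalName bob@contoso.onmicrosoft.com
**********************
Windows PowerShell transcript end
End time: 20240101091500
**********************
'@

$commands = Get-TranscriptCommand -Lines ($SampleTranscript -split "`r?`n")
"All commands in the session:"
$commands | Format-Table -AutoSize
"Commands on the watch list (expected: the forwarding change and the FullAccess grant):"
Find-WatchedCommand -Commands $commands | Format-Table -AutoSize

# Against the real transcript share instead of the sample (placeholder path):
# $real = Get-ChildItem '<UNC PATH>\*.txt' | ForEach-Object { Get-TranscriptCommand -Lines (Get-Content $_.FullName) }
# Find-WatchedCommand -Commands $real | Export-Csv '<UNC PATH>\watched-commands.csv' -NoTypeInformation
```

Because the transcript share is read-only for the admins, running this review from a separate account on a schedule and exporting the result to CSV gives a record that the admins themselves cannot alter.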