Jan 31, 2024

[PowerShell] When ExpandProperty is not good enough

The ExpandProperty parameter of the Select-Object cmdlet is useful for viewing the full value of a compound property (for example, when a property's value is an array or an object). Its limitation is also obvious: it accepts only one property, so to expand several we are forced to write a script block that processes every result, converting or expanding the properties one by one, before we can finally assemble the output.

The other way to do it is to use an inline expression (a calculated property) for each property. See below:

$targetedProperties = @(
    'samaccountname'
    @{l='membership'; e={$_.memberof}}
    @{l='allEmailAddresses'; e={$_.proxyAddresses}}
)
$uObj = Get-ADUser 'johnDoe' -Properties *
$expandedObj = $uObj | Select-Object -Property $targetedProperties

Array that includes the most meaningful AD attributes for admins:

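The contrast above, as an added example that is not code from the original post: a constructed object stands in for the output of Get-ADUser -Properties *, so it runs without the ActiveDirectory module, and the property names (membershipCsv, primarySmtp) are this example's own choices.

```powershell
# Constructed sample object standing in for: Get-ADUser 'johnDoe' -Properties *
$uObj = [pscustomobject]@{
    SamAccountName = 'johnDoe'
    MemberOf       = @(
        'CN=Domain Admins,CN=Users,DC=example,DC=test'
        'CN=Helpdesk,OU=Groups,DC=example,DC=test'
    )
    proxyAddresses = @('SMTP:john.doe@example.test', 'smtp:jdoe@example.test')
}

# -ExpandProperty takes one property and replaces the object with that property's
# value: the two group DNs come back as plain strings, SamAccountName is gone.
# (It can be combined with -Property, but then you get one object per expanded
# element, not one object per user.)
$uObj | Select-Object -ExpandProperty MemberOf

# Calculated properties keep the object and reshape as many properties as needed.
$targetedProperties = @(
    'SamAccountName'
    @{ l = 'membership';        e = { $_.MemberOf } }
    @{ l = 'allEmailAddresses'; e = { $_.proxyAddresses } }
    # Joined form: Export-Csv would otherwise write "System.Object[]" for an array.
    @{ l = 'membershipCsv';     e = { ($_.MemberOf | Sort-Object) -join ';' } }
    # The primary SMTP address is the entry whose prefix is upper-case 'SMTP:'
    # (-clike is the case-sensitive form of -like).
    @{ l = 'primarySmtp';       e = { ($_.proxyAddresses | Where-Object { $_ -clike 'SMTP:*' }) -replace '^SMTP:' } }
)
$expandedObj = $uObj | Select-Object -Property $targetedProperties
$expandedObj | Format-List
```

With the constructed object, membership and allEmailAddresses still hold their arrays, membershipCsv holds the two DNs joined with ';', and primarySmtp is john.doe@example.test.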
$meaningfulP = @(
    "AccountExpirationDate"
    #"accountExpires" # the converted AccountExpirationDate above is human-readable; blank means never
    "AccountLockoutTime"
    "AccountNotDelegated"
    "AllowReversiblePasswordEncryption"
    #"BadLogonCount" # BadLogonCount/badPasswordTime/badPwdCount are transient counters that AD resets periodically
    #"badPasswordTime"
    #"badPwdCount"
    "c"
    "CannotChangePassword"
    "CanonicalName"
    "City"
    "CN"
    "co"
    "codePage"
    "Company"
    "Country"
    "countryCode"
    "Created"
    "createTimeStamp"
    "Deleted"
    "Department"
    #"departmentNumber"
    @{l="deptNumber";e={$_.departmentNumber}}
    "Description"
    "DisplayName"
    "DistinguishedName"
    "Division"
    "EmailAddress"
    "EmployeeID"
    "EmployeeNumber"
    "employeeType"
    "Enabled"
    "extensionAttribute12"
    "extensionAttribute14"
    "extensionAttribute2"
    "extensionAttribute3"
    "extensionAttribute4"
    "extensionAttribute5"
    "extensionAttribute6"
    "extensionAttribute8"
    "extensionAttribute9"
    "Fax"
    "GivenName"
    "HomeDirectory"
    "HomedirRequired"
    "HomeDrive"
    "HomePage"
    "HomePhone"
    "Initials"
    "instanceType"
    "isDeleted"
    "l"
    "LastBadPasswordAttempt"
    "LastKnownParent"
    "LastLogonDate"
    "legacyExchangeDN"
    "LockedOut"
    "lockoutTime"
    "logonCount"
    "LogonWorkstations"
    "mail"
    "mailNickname"
    "Manager"
    #"MemberOf"
    @{l='membership';e={($_.Memberof)[0..20]}} # keep only the first 21 groups so the value stays within Excel's cell size limit
    "MNSLogonAccount"
    "MobilePhone"
    "Modified"
    "modifyTimeStamp"
    "Name"
    "ObjectCategory"
    "ObjectClass"
    "Office"
    "OfficePhone"
    "Organization"
    "OtherName"
    "PasswordExpired"
    "PasswordLastSet"
    "PasswordNeverExpires"
    "PasswordNotRequired"
    "physicalDeliveryOfficeName"
    "POBox"
    "PostalCode"
    "preferredLanguage"
    "ProfilePath"
    "ProtectedFromAccidentalDeletion"
    #"proxyAddresses"
    @{l='allEmailAddr';e={$_.proxyAddresses}}
    "SamAccountName"
    "sAMAccountType"
    "ScriptPath"
    "sDRightsEffective"
    #"ServicePrincipalNames"
    @{l='SPN';e={$_.ServicePrincipalNames}}
    "SmartcardLogonRequired"
    "sn"
    "st"
    "State"
    "StreetAddress"
    "Surname"
    "targetAddress"
    "Title"
    "TrustedForDelegation"
    "TrustedToAuthForDelegation"
    "UseDESKeyOnly"
    "userAccountControl"
    "UserPrincipalName"
    "whenChanged"
    "whenCreated"
)
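The membership entry in the array above truncates to 21 groups so the exported value fits in an Excel cell. As an added example (not code from the original post), here is a joining helper that keeps every entry that fits within Excel's 32,767-character cell limit and marks the cut-off explicitly; the Join-ForCell function, the report property names and the two sample user objects are all constructed for this example.

```powershell
# Excel's documented limit is 32,767 characters per cell.
$excelCellLimit = 32767

# Join a multi-valued attribute for CSV export; truncate with an explicit marker
# rather than silently dropping entries (constructed helper, not from the post).
function Join-ForCell {
    param([object[]]$Values, [string]$Separator = ';')
    if (-not $Values) { return '' }
    $joined = ($Values | Sort-Object) -join $Separator
    if ($joined.Length -le $excelCellLimit) { return $joined }
    $marker = "...[truncated, $($Values.Count) entries total]"
    return $joined.Substring(0, $excelCellLimit - $marker.Length) + $marker
}

# Calculated properties replacing the raw multi-valued attributes.
$reportProperties = @(
    'SamAccountName'
    'Enabled'
    'PasswordLastSet'
    @{ l = 'membership';   e = { Join-ForCell -Values $_.MemberOf } }
    @{ l = 'allEmailAddr'; e = { Join-ForCell -Values $_.proxyAddresses } }
    @{ l = 'SPN';          e = { Join-ForCell -Values $_.ServicePrincipalNames } }
)

# Constructed sample objects in place of: Get-ADUser -Filter * -Properties *
# The second user is a member of 3000 groups, far more than one cell can hold.
$users = @(
    [pscustomobject]@{
        SamAccountName = 'svc-backup'; Enabled = $true
        PasswordLastSet = (Get-Date '2021-03-01')
        MemberOf = @('CN=Backup Operators,CN=Builtin,DC=example,DC=test')
        proxyAddresses = @()
        ServicePrincipalNames = @('HOST/backup01.example.test')
    }
    [pscustomobject]@{
        SamAccountName = 'jdoe'; Enabled = $false
        PasswordLastSet = $null
        MemberOf = (1..3000 | ForEach-Object { "CN=Group$_,OU=Groups,DC=example,DC=test" })
        proxyAddresses = @('SMTP:jdoe@example.test')
        ServicePrincipalNames = @()
    }
)

$report = $users | Select-Object -Property $reportProperties
# Every membership cell is now at most 32,767 characters; jdoe's ends with the marker.
$report | ForEach-Object { '{0}: {1} chars' -f $_.SamAccountName, $_.membership.Length }
$csvPath = Join-Path ([IO.Path]::GetTempPath()) 'ad-user-report.csv'
$report | Export-Csv -Path $csvPath -NoTypeInformation -Encoding UTF8
```

The marker carries the true entry count, so a reviewer reading the spreadsheet knows the cell is incomplete and can query that one account directly instead of trusting a silently shortened list.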

Nov 22, 2023

Demo - Regex

  • Any string as is, except one particular string: ^(?!particularString$).*
  • Grouped match (returns a named group): given a host FQDN, the pattern below returns domainName   ^.*?\.(?<domainName>.*)
  • Matches a duplicated line: ^((?-s).+?)\R(?=(?s).*?^\1(?:\R|\z))
  • AD domain NETBIOS name when standalone
    [a-zA-Z0-9](?!.*[,:~!@#\$%\^'\.\(\)\{\}_ \/\\]).{0,14}\\
  • sAMAccountName
    ^(?!.*[\"\/\\\[\]:;|=,\+\*\?<>]).{1,19}$
  • AD domain NETBIOS name when followed by \userName (this also groups domain and user)
    ([a-zA-Z0-9](?![^\\]*[,:~!@#\$%\^'\.\(\)\{\}_ \/]).{0,14})\\((?!.*[\"\/\\\[\]:;|=,\+\*\?<>]).{1,19})
  • Same for a PowerShell -match (the single quote is doubled inside the single-quoted literal)
    -match '^([a-zA-Z0-9](?![^\\]*[,:~!@#\$%\^''\.\(\)\{\}_ \/]).{0,14})\\((?!.*[\"\/\\\[\]:;|=,\+\*\?<>]).{1,19})'
  • DN --> OU path (stripping the CN name)
    if ($dn -match '^((.+?),)(OU=.*|CN=.*)') { $OUPath = $matches[3] }
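The FQDN, DOMAIN\userName and DN patterns above applied with -match, as an added example that is not code from the original post. The three function names and all inputs are constructed for this example; the DOMAIN\userName pattern is anchored with a trailing $ here (the post's version has none, so it would also accept the first 19 characters of a longer user name). The duplicate-line pattern is left out because .NET regex, which PowerShell uses, does not support \R.

```powershell
# FQDN -> domain name via the named group.
function Get-DomainFromFqdn([string]$Fqdn) {
    if ($Fqdn -match '^.*?\.(?<domainName>.*)') { return $Matches['domainName'] }
}

# DOMAIN\userName -> NETBIOS domain and sAMAccountName via numbered groups.
# Group 1 forbids characters that are invalid in a NETBIOS name (up to the backslash);
# group 2 forbids characters that are invalid in a sAMAccountName.
function Split-DomainUser([string]$Account) {
    $pattern = '^([a-zA-Z0-9](?![^\\]*[,:~!@#\$%\^''\.\(\)\{\}_ \/]).{0,14})\\((?!.*[\"\/\\\[\]:;|=,\+\*\?<>]).{1,19})$'
    if ($Account -match $pattern) {
        return [pscustomobject]@{ Domain = $Matches[1]; User = $Matches[2] }
    }
}

# DN -> parent container path: the lazy (.+?) eats the leading RDN, group 3 is the rest.
function Get-ParentPath([string]$DistinguishedName) {
    if ($DistinguishedName -match '^((.+?),)(OU=.*|CN=.*)') { return $Matches[3] }
}

Get-DomainFromFqdn 'dc01.corp.example.test'      # corp.example.test
Split-DomainUser   'CORP\jdoe'                   # Domain=CORP, User=jdoe
Split-DomainUser   'bad.domain\jdoe'             # no output: '.' is not allowed in a NETBIOS name
Split-DomainUser   'CORP\jdoe<script>'           # no output: '<' and '>' are not allowed in a sAMAccountName
Get-ParentPath     'CN=John Doe,OU=Staff,OU=Users,DC=example,DC=test'   # OU=Staff,OU=Users,DC=example,DC=test
```

Because -match stops at the first failure and $Matches is only refreshed on success, each function reads $Matches inside the if block; reading it after a failed match would return the previous successful match.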

Nov 20, 2023

Azure AD: Risky User vs. Risky Sign-in

Differences between “Risky Sign-In” and “Risky User”

  • Risky sign-in: an anomaly in sign-in activity, such as an unusual location or impossible travel.
  • Risky user: an account that Microsoft believes has a high probability of having been compromised (e.g. leaked credentials).

More importantly, the difference lies in how they are dealt with:

  • Risky sign-in: require additional authentication (e.g. MFA)
  • Risky user: invalidate the old credential (e.g. reset the password)

If we are to target “Risky Users”, a Risky User Policy can be used to force a password change.

Similarly, if we are to target “Risky Sign-Ins”, we can use a “Risky Sign-in Policy” to enforce MFA.