#!/usr/bin/env pwsh
# Disables Microsoft Entra "Security Defaults" for each tenant listed below.
# For every tenant it reads the admin password from a local Postgres table,
# signs in to Microsoft Graph, and sets identitySecurityDefaultsEnforcementPolicy
# to isEnabled=false; if the Graph SDK path fails it retries over raw REST.
#
# Security review notes (the code below is unchanged; see inline comments):
#   - The database password and the tenant admin identities are hard-coded in source.
#   - Admin passwords are handled as plain strings and the lookup query is passed on
#     a psql command line.
#   - Security Defaults is the tenant-wide baseline (MFA registration/enforcement,
#     legacy authentication blocked); turning it off without replacement Conditional
#     Access policies removes that protection. Nothing here records the change
#     beyond console output.
#   - The REST fallback uses the ROPC (grant_type=password) flow against the v1
#     token endpoint, which cannot complete MFA and is commonly blocked or
#     alerted on by identity teams.

# "Continue": a failing command prints its error and the script keeps going.
# Only commands called with -ErrorAction Stop (inside the try blocks) terminate.
$ErrorActionPreference = "Continue"

# Hard-coded database credential, exported to the process environment so psql
# (and every other child process started from here) can read it. Should come
# from a secret store or a prompt; as written it is visible to anyone who can
# read this file.
$env:PGPASSWORD = "admin123"

# Install Microsoft Graph module if needed
# Installs an unpinned version from the default gallery with -Force/-AllowClobber;
# 2>$null discards install errors, so a failed install only surfaces later when
# Connect-MgGraph / Update-Mg* cannot be resolved.
if (!(Get-Module -ListAvailable Microsoft.Graph.Identity.SignIns)) {
    Write-Host "Installing Microsoft.Graph.Identity.SignIns..."
    Install-Module Microsoft.Graph.Identity.SignIns -Force -Scope CurrentUser -AllowClobber 2>$null
}

# Tenants to process: one admin UPN and the tenant it belongs to, per entry.
$tenants = @(
    @{Admin="sysadmin_5578@accoff03.onmicrosoft.com"; Tenant="accoff03.onmicrosoft.com"},
    @{Admin="sysadmin_1652@accoff05.onmicrosoft.com"; Tenant="accoff05.onmicrosoft.com"},
    @{Admin="sysadmin_8754@accoff04.onmicrosoft.com"; Tenant="accoff04.onmicrosoft.com"}
)

foreach ($t in $tenants) {
    $email = $t.Admin
    $tenant = $t.Tenant

    # Look up the admin password in the local Postgres database.
    # The SQL is built by string interpolation; $email comes from the static list
    # above, so it is not externally controlled here, but the pattern is
    # injection-prone if the list is ever sourced elsewhere (prefer psql -v
    # variables or a parameterised client). The whole query is on the psql
    # command line and therefore visible in process listings. The password comes
    # back as a plain string. If psql returns nothing, .Trim() on $null raises an
    # error outside any try block; under "Continue" the loop proceeds and $pw
    # keeps whatever value the previous iteration left in it.
    $pw = (& psql -h localhost -U admin -d adx_system -t -A -c "SELECT admin_password FROM office_accounts WHERE admin_email = '$email' LIMIT 1").Trim()

    Write-Host "`n=== $tenant ==="

    try {
        # The plaintext password is wrapped in a SecureString only for the
        # PSCredential object; $pw itself stays in memory as clear text because
        # the REST fallback below reuses it.
        $secPwd = ConvertTo-SecureString $pw -AsPlainText -Force
        $cred = New-Object System.Management.Automation.PSCredential($email, $secPwd)

        # Connect to Graph
        # NOTE(review): Connect-MgGraph in the Microsoft.Graph SDK does not appear
        # to accept -Credential (its credential parameters are
        # -ClientSecretCredential, -Certificate*, -AccessToken, -Identity); if so
        # this line always throws and the REST fallback is the path actually
        # taken — confirm against the installed SDK version.
        Connect-MgGraph -TenantId $tenant -Credential $cred -NoWelcome -ErrorAction Stop

        # Disable Security Defaults
        # This is the tenant-wide change. There is no read of the current state,
        # no confirmation prompt and no audit record other than the Write-Host
        # line; the Entra audit log is the only trace left on the tenant side.
        $body = @{
            isEnabled = $false
        } | ConvertTo-Json

        Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy -BodyParameter $body -ErrorAction Stop
        Write-Host " Security Defaults: DISABLED"

        Disconnect-MgGraph -ErrorAction SilentlyContinue
    }
    catch {
        # Only the first 100 characters of the error message are printed.
        Write-Host " Graph Error: $($_.Exception.Message.Substring(0, [Math]::Min(100, $_.Exception.Message.Length)))"

        # Fallback: try via REST API directly
        # Resource Owner Password Credentials (ROPC) against the v1 token endpoint,
        # using the well-known first-party Azure AD PowerShell public client ID.
        # ROPC sends the password itself to the token endpoint, cannot satisfy an
        # MFA requirement, is discouraged by Microsoft, and is a frequent trigger
        # for sign-in detection rules — expect it to be blocked or alerted on in
        # a monitored tenant.
        try {
            $tokenBody = @{
                grant_type = "password"
                client_id = "1b730954-1685-4b74-9bfd-dac224a7b894" # Azure AD PowerShell client ID
                resource = "https://graph.microsoft.com"
                username = $email
                password = $pw
                scope = "openid"
            }
            $tokenResp = Invoke-RestMethod -Method POST -Uri "https://login.microsoftonline.com/$tenant/oauth2/token" -Body $tokenBody -ErrorAction Stop
            # Bearer token held as a plain string for the rest of this iteration.
            $token = $tokenResp.access_token

            # Disable Security Defaults via Graph API
            $headers = @{
                Authorization = "Bearer $token"
                "Content-Type" = "application/json"
            }
            $disableBody = '{"isEnabled":false}'
            # $r is assigned but never read; the PATCH response is discarded.
            $r = Invoke-RestMethod -Method PATCH -Uri "https://graph.microsoft.com/v1.0/policies/identitySecurityDefaultsEnforcementPolicy" -Headers $headers -Body $disableBody -ErrorAction Stop
            Write-Host " Security Defaults: DISABLED (via REST)"
        }
        catch {
            # Same 100-character truncation as the Graph error above.
            Write-Host " REST Error: $($_.Exception.Message.Substring(0, [Math]::Min(100, $_.Exception.Message.Length)))"
        }
    }
}

# NOTE(review): the line below is a stray bash here-doc terminator
# (from a wrapper of the form `pwsh <<'PWSEOF' ... PWSEOF 2>&1 |`); it is not
# valid PowerShell and will fail to parse if this file is run on its own.
PWSEOF 2>&1 |