This month (November 2020) marks the two-year anniversary of my Microsoft Cloud Tech blog! This blog post contains a couple of celebration announcements that I like to share with you, but first I want to thank you all for your support during these two years! Your feedback and appreciation is what keeps me doing this! The blog has grown into something I did not expect and now I want to take this work to the next level.
PowerShell Toolbox for Microsoft 365 Security
If you have followed me for some time, then you know that I often write about Microsoft 365, zero trust implementation, Conditional Access, and similar security related topics. I’ve posted different PowerShell scripts on the blog and shared the different tools I use in my daily work. Many of you have expressed your appreciation for the scripts and I’m so glad that so many find them useful!
To make it easier for everyone to find and use the tools, from now on, everything I build with PowerShell will be included in a PowerShell module called DCToolbox. I’ve already included the latest versions of my Conditional Access automation tools and my PowerShell Graph functions in the module, but this will also be the home for all upcoming tools I’m working on! One module to rule them all π
GitHub Repository
I’m sharing the source code for the module and all included CMDlets on GitHub. If you are interested in learning how they work, or maybe you want to modify your own versions, feel free to clone the source code to do so.
https://github.com/DanielChronlund/DCToolbox
PowerShell Gallery
I’m also providing the module in the official Microsoft PowerShell Gallery. This means that you can install the module on your Windows 10 device with a single command line.
Install the module from the PowerShell Gallery by running:
Install-Module DCToolbox
If you already installed it, update to the latest version by running:
Update-Module DCToolbox
PowerShell Gallery link: https://www.powershellgallery.com/packages/DCToolbox
When you have installed it, to get started, run:
Get-DCHelp
Explore and copy script examples to your clipboard with:
Copy-DCExample
The examples includes instructions, guidance, complete scripts and snippets. You don’t need to invent the wheel again π As always, I recommend using Visual Studio Code for the best PowerShell action!
Summary
My goal is to provide a comprehensive set of PowerShell tools in a single module for your security, automation and zero trust needs. This module will be under constant development so make sure you update it on a regular basis (Update-Module DCToolbox) to receive the latest features and fixes.
Please follow me here, on LinkedIn and on Twitter!
Daniel Chronlund Cloud Tech Blog 
I love the script, and can think of a number of uses for it to keep the system healthy.
I did wonder though, what is the real use for the TOR network component? it doesnt feel like a suitable fit with all the other functions?
Thank you Ivan!
More is coming soon! I will add my different PoC attack tools to the module shortly. I use them to demonstrate the value of features like Azure AD Identity Protection, where anonymous IP is one of the threats it can protect you against. That’s where Tor comes in. Stay tuned!
Thank you for your work. I can’t wait to use it. Do you have any idea why after running the install command nothing works? It prompts for my approval to install “All” and that completes. Then the commands will not run. They give the error “Get-DCHelp : The term ‘Get-DCHelp’ is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.”
Thank you Brian! Did you run the install command as an admin? Does other modules you install through the PowerShell gallery work?
Hay Daniel, I found some issues with running the MS Graph API query. I put in a couple of issues in Github for you to look at.https://github.com/DanielChronlund/DCToolbox/issues
Thank you Ivan! Yes, I’ve had a quick look at them. Top filtering/limiting doesn’t work. I will try to resolve them in a future release.
If I am invited as a Guest to another tenant and added to the global admin role in that tenant, what do I need to do to use your toolbox to export CA policies?
There are limitations of what you can do with a guest account and PowerShell when it comes to Graph. I haven’t been able to make this work. Sorry.
I have figured out how to add a tenantID as a parameter to your code and got some of it to work
Great π Please submit a pull request in my GitHub repo and I can have a look at it.
I created app registration with relevant delegated permissions and when running “New-DCConditionalAccessAssignmentReport” with an global admin user I’m getting:
“Sorry, but weβre having trouble signing you in. AADSTS500113: No reply address is registered for the application.”
Any idea what am I doing wrong?
Please, check your redirect URI and make sure it is configured according to this article (there is a screenshot in the article):
https://danielchronlund.com/2018/11/19/fetch-data-from-microsoft-graph-with-powershell-paging-support/
Hello Daniel ..
I’m trying to use your tool and when i execute the “New-DCConditionalAccessPolicyDesignReport”
I have this error ..
VERBOSE: Generating Conditional Access policy design report…
Invoke-RestMethod : The remote server returned an error: (404) Not Found.
At C:\Program Files\WindowsPowerShell\Modules\DCToolbox\1.0.17\DCToolbox.psm1:895 char:29
+ … ryRequest = Invoke-RestMethod -Headers $HeaderParams -Uri $GraphUri – …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-RestMethod], WebException
+ FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeRestMethodCommand
Not sure if can help to see what i’m doing wrong .. π
Hello Daniel
I have this error when try to execute ”New-DCConditionalAccessPolicyDesignReport”
Any idea what i’m doing wrong
VERBOSE: Generating Conditional Access policy design report…
Invoke-RestMethod : The remote server returned an error: (404) Not Found.
At C:\Program Files\WindowsPowerShell\Modules\DCToolbox\1.0.17\DCToolbox.psm1:895 char:29
+ … ryRequest = Invoke-RestMethod -Headers $HeaderParams -Uri $GraphUri – …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-RestMethod], WebException
+ FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeRestMethodCommand
Please try to update the module with Update-Module DCToolbox. I’ve recently released a new version with some bug fixes. I hope it helps!
The ‘(404) Not Found’ error when running New-DCConditionalAccessAssignmentReport or New-DCConditionalAccessPolicyDesignReport is caused by issues with one or more Conditional Access policies. These need remediating before the scripts will complete. Edit each Conditional Access policy in turn. If any errors are found, such as deleted users being referenced, then you’ll be prompted to save the policy. You don’t need to remove the users manually – saving the policy with no changes will do this for you. Once done, the scripts should complete.
Getting the same error as bruma879
Hi Daniel,
I was able to export and import using the JSON file, I was also able to Export Conditional Access Assignment Report to Excel but, Iβm also getting the same error with New-DCConditionalAccessPolicyDesignReport even after updating the moduleβ¦ Any idea?
Here is the error referring to
VERBOSE: Connecting to Microsoft Graph…
VERBOSE: Generating Conditional Access policy design report…
Invoke-RestMethod : The remote server returned an error: (404) Not Found.
At C:\Program Files\WindowsPowerShell\Modules\DCToolbox\1.0.18\DCToolbox.psm1:895 char:29
+ … ryRequest = Invoke-RestMethod -Headers $HeaderParams -Uri $GraphUri – …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-RestMethod], WebException
+ FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeRestMethodCommand
Difficult to say. I would try troubleshooting the Graph queries with Graph Explorer to see if there are any query issues.
Hi, found your module and was eager to try it… however I get this error. What might be the reason?
New-DCConditionalAccessPolicyDesignReport @Parameters
VERBOSE: Connecting to Microsoft Graph…
VERBOSE: Generating Conditional Access policy design report…
Invoke-RestMethod : EtΓ€palvelin palautti virheen: (404) Ei lΓΆydy.
At C:\Program Files\WindowsPowerShell\Modules\DCToolbox\1.0.23\DCToolbox.psm1:1220 char:29
+ … ryRequest = Invoke-RestMethod -Headers $HeaderParams -Uri $GraphUri – …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-RestMethod], WebException
+ FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeRestMethodCommand
404 means that something doesn’t exist. Are you targeting a user that has been deleted or blocked in Azure AD maybe?
No, I am using my normal Global Admin account to generate CA report.
Difficult to say. Are you pointing any of your CAP policies to an object that does not exist in Azure AD anymore, a group or user for example?