
Sorry, this entry is only available in Italian.
Through Powershell it is possible to connect to a Microsoft 365 tenant to perform operations on users, groups and any other element of the tenant. When you use this tool, Powershell presents you with the mask for entering your account and password. You can write accounts and passwords directly in the Powershell script but it would be a serious security compromise.
An alternative is to build a software that connects directly to the Tenant through customized keys present in the Tenant itself. In other words, it is necessary to communicate to the Tenant that there is a certain application that is authorized to access the Tenant. Furthermore, for each operation that you want to perform on the Tenant it is necessary to specify the appropriate permissions. To create these applications, we recommend that you follow the excellent tutorial “.Net Core console application for calling Microsoft Graph“. This post proposes the images present in the previous tutorial only to specify how the application must be prepared on the Microsoft Tenant.
Open a browser and navigate to the Azure Portal. Login using your account. Select the resource “Azure Active Directory”. On the left side menu, select “App regitstration”. Click New registration from the current page.
On the Register an application page, specify the following values:
(*) The Redirect URI value must be unique within your domain. This value can be changed at a later time and does not need to point to a realy hosted URI.
It is now necessary to store 2 values that will be used in your application:
Click Certificates & secrets.
After the screen has updated with the newly created client secret copy the VALUE of the client secret. This secret string is never shown again, so make sure you copy it now.
Click API permissions.
Now you have to choose between the permissions to authorize your app. For example, to create an application to read alla information about Tenant’s users, in the “Select permissions” search box type “User”.Select User.Read.All from the filtered list. At the end, on the API permissions content blade, click Grant admin consent for the Tenant.
Let’s see what data your application needs to connect and operate on the Microsoft Tenant.
Documentation
Invalid option ‘option’ for /langversion. Use ‘/langversion:?’ to list supported values.
For example
Invalid option ‘6’ for /langversion; must be ISO-1, ISO-2, 3, 4, 5 or Default
Right click on your project and select “Properties” from menu.
Select Build menu and, in the bottom, click on button “Advanced”.
In the next form you don’t have any voice for the field “Language Version”
Select “default”
Done
To check the outcome of Microsoft Azure Backup execution we can take advantage of the fact that, if the backup fails, some events are generated.
Copy and paste the following code in a new file and modify it with your data (mail server, user, password, messages).
$SMTPServer = "YOUR SMTP SERVER" $SMTPPort = "25" $Username = "USERNAME TO ACCESS SERVER" $Password = "PASSWORD" $to = "Email recipient" # $cc = "cc email recipient" $subject = "Error Backup MyServer" $body = "backup failed" # $attachment = "" $message = New-Object System.Net.Mail.MailMessage $message.subject = $subject $message.body = $body $message.to.add($to) # $message.cc.add($cc) $message.from = $username # $message.attachments.add($attachment) $smtp = New-Object System.Net.Mail.SmtpClient($SMTPServer, $SMTPPort); $smtp.EnableSSL = $true $smtp.Credentials = New-Object System.Net.NetworkCredential($Username, $Password); $smtp.send($message) write-host "Mail Sent"
Save it as file with extension .ps1
<QueryList> <Query Id="0" Path="CloudBackup"> <Select Path="CloudBackup">*[System[(Level=1 or Level=2) and (EventID=5 or EventID=10 or EventID=11 or EventID=12 or EventID=13 or EventID=14 or EventID=16 or EventID=18)]]</Select> </Query> </QueryList>
From now on, an email should be sent to you when the backup fails.
AlphaVSS is a .NET class library providing a managed API for the Volume Shadow Copy Service also known as VSS
if you have error loading the library probabilly you need to install on the machine the Visual C++ 2017 Redist package.
You can find it at this link
To control shadow copy, created using alphavss library, you have to open a command prompt whith administrative priviliges and type
vssadmin
to list your shadow copy you have to type :
vssadmin list shadows
Subnet: If you use the default address space, a default subnet is created automatically.
On the Security tab, at this time, leave the default values:
So we will have this configuration (as example) :
SKU: Select the gateway SKU from the dropdown. For Openvpn you need to select VpnGw1 because
Gateway subnet address range: This field only appears if your VNet doesn’t have a gateway subnet. If possible, make the range /27 or larger (/26,/25 etc.)
In this example :
GatewaySubnet: 10.1.1.0/27
Certificates are used by Azure to authenticate clients connecting to a VNet over a Point-to-Site VPN connection. You have two options : use a root certificate that was generated with an enterprise solution (recommended), or generate a self-signed certificate.
Two steps : generate root certificate; generate client certificate.
From a computer running Windows 10 or Windows Server 2016, open a Windows PowerShell console in Admin mode.
Use the following example to create the self-signed root certificate. The following example creates a self-signed root certificate named ‘TestVPNRootCert’ that is automatically installed in ‘Certificates-Current User\Personal\Certificates’.
$cert = New-SelfSignedCertificate -Type Custom -KeySpec Signature -Subject "CN=TestVPNRootCert" -KeyExportPolicy Exportable -HashAlgorithm sha256 -KeyLength 2048 -CertStoreLocation "Cert:\CurrentUser\My" -KeyUsageProperty Sign -KeyUsage CertSign
You can view the certificate by opening certmgr.msc, or Manage User Certificates.
Each client computer that connects to a VNet using Point-to-Site must have a client certificate installed. You generate a client certificate from the self-signed root certificate.
From a computer running Windows 10 or Windows Server 2016, open a Windows PowerShell console in Admin mode. Identify the self-signed root certificate that is installed on the computer. This cmdlet returns a list of certificates that are installed on your computer.
Get-ChildItem -Path "Cert:\CurrentUser\My"
As output you will see a string and a name for every certificate installed on your machine.
For example :
AED812AD883826FF76B4D1D5A77B3C08EFA79F3F CN=MyOldVPNRootCert 7181AA8C1B4D34EEDB2F3D3BEC5839F3FE52D655 CN=TestVPNRootCert
Declare a variable for the root certificate using the string from the previous step:
$cert = Get-ChildItem -Path “Cert:\CurrentUser\My\7181AA8C1B4D34EEDB2F3D3BEC5839F3FE52D655”
Modify and run the example to generate a client certificate. The result of the following example is a client certificate named ‘TestVPNClientCert’
New-SelfSignedCertificate -Type Custom -DnsName TestVPNClientCert -KeySpec Signature -Subject "CN=TestVPNClientCert" -KeyExportPolicy Exportable -HashAlgorithm sha256 -KeyLength 2048 -CertStoreLocation "Cert:\CurrentUser\My" -Signer $cert -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.2")
The client certificate that you generate is automatically installed in ‘Certificates – Current User\Personal\Certificates’ on your computer.
To obtain a .cer file from the certificate, open Manage user certificates. Locate the self-signed root certificate, typically in ‘Certificates – Current User\Personal\Certificates’, and right-click. Click All Tasks, and then click Export. This opens the Certificate Export Wizard.
Select No, do not export the private key, and then click Next
On the Export File Format page, select Base-64 encoded X.509 (.CER)., and then click Next.
For File to Export, Browse to the location to which you want to export the certificate. For File name, name the certificate file. Then, click Next.
Click Finish to export the certificate. You’ll find a file .cer in location selected.
To export a client certificate, open Manage user certificates. The client certificates that you generated are, by default, located in ‘Certificates – Current User\Personal\Certificates’. Right-click the client certificate that you want to export, click all tasks, and then click Export to open the Certificate Export Wizard.
Select Yes, export the private key, and then click Next. IMPORTANT!!!!
On the Export File Format page, leave the defaults selected. Make sure that Include all certificates in the certification path if possible is selected
On the Security page, you must protect the private key, using a password.
On the File to Export, Browse to the location to which you want to export the certificate. For File name, name the certificate file. Then, click Next.Click Finish to export the certificate.
The client address pool is a range of private IP addresses that you specify. The clients that connect over a Point-to-Site VPN dynamically receive an IP address from this range. Use a private IP address range that does not overlap with the on-premises location that you connect from, or the VNet that you want to connect to.
Open virtual network gateway configuration page, navigate to the Settings section of the virtual network gateway page. In the Settings section, select Point-to-site configuration. Select Configure now to open the configuration page.
In the Address pool box, add the private IP address range that you want to use. VPN clients dynamically receive an IP address from the range that you specify.
For example : 172.16.0.0/24
Tunnel Type : OpenVpn
Authentication Type : Azure certificate
In root certificate section you have to put the root certificate name (in this example TestVPNRootCert).
Open the root certificate file (.cer) with a text editor, such as Notepad. Copy the text as in image and past it in “Public certificate data”
Save Point to Site Configuration.
Download vpn Client clicking on “Download vpn Client” 🙂
https://slproweb.com/products/Win32OpenSSL.html
Using OpenSSL on your machine is one way. The profileinfo.txt file contains the private key and the thumbprint for the CA and the Client certificate
openssl pkcs12 -in “C:\myfolder\clientcert_vpn_test.pfx” -nodes -out “C:\myfolder\profileinfo.txt”
Unzip the profile downloaded from virtual network point to site configuration. Next, open the vpnconfig.ovpn configuration file from the OpenVPN folder using Notepad. Open profileinfo.txt in Notepad and copy and paste in vpnconfig.ovpn the sections :
# P2S client certificate # please fill this field with a PEM formatted cert <cert> $CLIENTCERTIFICATE </cert>
# P2S client root certificate private key # please fill this field with a PEM formatted key <key> $PRIVATEKEY </key>
IMPORTANT :certificate and kay need to be insert in openvpncon with —- begin — and —-end —–