References / Links

Invalidate O365 Sessions

Revoke-AzureADUserAllRefreshToken -ObjectId <UserGuid>
  • Invalidates the refresh tokens issued to applications for a user
Revoke-SPOUserSession -User <UserSpn>
  • Invalidates a user's O365 sessions across all their devices

Use case

Invalidates a user's active O365 sessions and OAuth refresh tokens

Requirements

Azure AD Module

SharePoint Online Module

Sources

https://docs.microsoft.com/en-us/powershell/module/azuread/revoke-azureaduserallrefreshtoken

https://docs.microsoft.com/en-us/powershell/module/sharepoint-online/Revoke-SPOUserSession
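
The two revocation commands above combined into one containment script, as an added example that is not part of the original page. The parameter names `$UserPrincipalName` and `$SpoAdminUrl` are assumptions, and the final check relies on the `RefreshTokensValidFromDateTime` property of the user object returned by `Get-AzureADUser`.

```powershell
#Requires -Modules AzureAD, Microsoft.Online.SharePoint.PowerShell
# Added example: revoke one user's refresh tokens and O365 sessions, then verify.
param(
    # Sign-in name of the account being contained (hypothetical parameter name)
    [Parameter(Mandatory)] [string] $UserPrincipalName,
    # SharePoint Online admin URL, e.g. https://<tenant>-admin.sharepoint.com (assumption)
    [Parameter(Mandatory)] [string] $SpoAdminUrl
)

$ErrorActionPreference = 'Stop'

# Both modules need their own authenticated connection.
Connect-AzureAD | Out-Null
Connect-SPOService -Url $SpoAdminUrl

# Revoke-AzureADUserAllRefreshToken takes the object GUID, so resolve it from the UPN
# and record the current token validity timestamp for the later comparison.
$before = Get-AzureADUser -ObjectId $UserPrincipalName
Write-Host "Target: $($before.UserPrincipalName) ($($before.ObjectId))"
Write-Host "Refresh tokens valid from (before): $($before.RefreshTokensValidFromDateTime)"

# 1. Invalidate the refresh tokens issued to applications for the user.
Revoke-AzureADUserAllRefreshToken -ObjectId $before.ObjectId

# 2. Invalidate the user's O365 sessions across all their devices.
Revoke-SPOUserSession -User $UserPrincipalName -Confirm:$false

# Verify: the validity timestamp should have moved forward. Directory replication
# can lag, so a failed check is reported as a warning and not as a hard error.
Start-Sleep -Seconds 5
$after = Get-AzureADUser -ObjectId $before.ObjectId
Write-Host "Refresh tokens valid from (after):  $($after.RefreshTokensValidFromDateTime)"

if ($after.RefreshTokensValidFromDateTime -gt $before.RefreshTokensValidFromDateTime) {
    Write-Host 'Revocation recorded. Access tokens already issued stay usable until they expire.'
} else {
    Write-Warning 'Timestamp did not advance yet; re-run Get-AzureADUser to confirm before closing out.'
}
```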

HAWK

Designed to ease the burden on O365 administrators who are performing forensic analysis in their M365 tenant. It accelerates the gathering of data from multiple sources in the service.

Installation:

Install-Module -Name Hawk
Import-Module -Name Hawk

Getting Started:

Start-HawkTenantInvestigation
Start-HawkUserInvestigation -UserPrincipalName <UPN>

Sources

https://www.powershellgallery.com/packages/HAWK

https://github.com/Canthv0/hawk


Capturing and Visualizing Office 365 Security Logs

Uses Python 3 and the AAD reporting API to retrieve Sign-In and Audit Logs, then stores them in an S3 bucket.

https://journeyofthegeek.com/2019/01/30/capturing-and-visualizing-office-365-security-logs-part-1/

https://github.com/mattfeltonma/lambda-azureadlogs


US-CERT CISA O365 Security Observations

https://www.us-cert.gov/ncas/analysis-reports/AR19-133A


Licensing Comparison Charts

https://github.com/AaronDinnage/Licensing