AD Connect – password sync notifications

For a customer I set up AD Connect (AD Sync) with password sync. The customer wanted more visibility and an easy way to be told when a password had actually been changed in Azure AD (Office 365). Passwords are changed in on-prem Active Directory (AD), but there is a delay before password sync pushes that change to Azure AD, and the delay can be up to 2 minutes.

The scenario: when a user needs IT to change their password, IT can change it and simply tell the user "when you get an SMS, you'll be able to log on". The user can hang up without waiting any further; once the SMS arrives they can log on with the new password with confidence.

How it works: a scheduled task is triggered by event ID 656 in the Application event log on the AD Connect server, and its action runs a PowerShell script that sends an SMS text message to the admin and to the end user as soon as the password has been synced. Note that 656 is the password change request being sent to Azure AD; the result is logged separately as event 657.

To set up the scheduled task, look in the Application event log on the AD Connect server for an existing event ID 656, right-click it and choose Attach Task To This Event.


The action for the scheduled task is set up as below. In the real world you would not put the PowerShell script on the desktop: it contains API credentials, so it belongs in a folder that only administrators and the account running the task can read.
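The same task can be registered from PowerShell instead of through the event viewer's Attach Task To This Event dialog, which is handy when you have to rebuild the AD Connect server. This is an added example, not code from the original post; the folder, script name and task name are placeholders I chose for the example, and the path deliberately has no spaces so the action string needs no inner quoting.

```powershell
# Added example (not from the original post): register the event-triggered task with schtasks.exe
# and lock down the folder holding the script, because the script carries the Telstra key/secret.
# Assumed names: $ScriptDir, the script file and $TaskName are placeholders for this example.
$ScriptDir  = 'C:\Scripts\PwdSyncSms'
$ScriptPath = Join-Path $ScriptDir 'Notify-PasswordSync.ps1'
$TaskName   = 'AADConnect-PasswordSync-SMS'

# Only SYSTEM and local Administrators may read the folder (inheritance removed, explicit grants only).
New-Item -ItemType Directory -Path $ScriptDir -Force | Out-Null
& icacls.exe $ScriptDir /inheritance:r /grant:r 'SYSTEM:(OI)(CI)F' 'BUILTIN\Administrators:(OI)(CI)F' | Out-Null

# XPath filter for an Application log event with ID 656, the same filter the post's task uses.
$XPath  = '*[System[EventID=656]]'
# No spaces in $ScriptPath, so the command line needs no embedded quotes.
$Action = "powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -File $ScriptPath"

# /SC ONEVENT with /EC (channel) and /MO (XPath query) is the event-trigger form of schtasks.
# SYSTEM can read the Application log and, through the computer account, query on-prem AD.
& schtasks.exe /Create /TN $TaskName /TR $Action /SC ONEVENT /EC Application /MO $XPath /RU SYSTEM /RL HIGHEST /F
if ($LASTEXITCODE -ne 0) { throw "schtasks /Create failed with exit code $LASTEXITCODE" }

# Verify what was registered (ScheduledTasks module, Windows Server 2012 or later).
$task = Get-ScheduledTask -TaskName $TaskName
$task.Triggers[0].Subscription      # event query containing EventID=656
$task.Actions[0].Execute            # powershell.exe
$task.Actions[0].Arguments          # -NoProfile ... -File C:\Scripts\PwdSyncSms\Notify-PasswordSync.ps1
```

Run this once from an elevated PowerShell on the AD Connect server after copying the notification script to the folder; the `/F` flag overwrites an existing task of the same name, so it is safe to re-run.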


The user must have their mobile number populated in Active Directory. The script is written for Australian mobile numbers and accepts them in either the "0401234567" or the "+61401234567" format. It reads the mobile attribute from Active Directory for the user whose password was changed, and that lookup happens in real time when the event fires.


Because the script needs to read the event log on AD Connect and query Active Directory, the natural place for this scheduled task is the AD Connect (AD Sync) server itself (unless you use PowerShell remoting). That means installing the AD PowerShell module on the AD Connect server:

Install-WindowsFeature -Name RSAT-AD-PowerShell

For the SMS text messages, register an account at https://dev.telstra.com/. Once the account has been approved, create an app for sending SMS messages with the Telstra SMS API. When the Telstra site asks for a callback URI, any regular website will do; it is not used for what we are doing here.

Below is the PowerShell code that does all the work and is set as the action in the scheduled task. It is not perfect. The logic is: if exactly one user's password is changed within a single password sync cycle, it is classed as a single-user change and an SMS goes to both the user and the administrator. Remember that password sync takes roughly up to 2 minutes to run; if two individual password changes are made before a sync has had a chance to run, they sync together and are classed as a bulk change.

When more than one password syncs at once it is classed as a bulk change: the end user does not get an SMS, only the administrator. In a bulk change the administrator also only gets the details of the first user in the group whose passwords were changed, since an SMS is limited to 160 characters.


# Mobile numbers of the administrators who are notified of every change
$adminnumbers = @("0402345678", "0401234567")

# Get the latest password sync event (ID 656) once and parse it
$event = Get-EventLog -LogName Application | Where-Object {$_.EventID -eq 656} | Select-Object -First 1
# Every CN in the message is a user whose password was synced; more than one means a bulk change
$who = @($event.Message | Select-String -Pattern 'CN=(.*?),' -AllMatches |
    ForEach-Object {$_.Matches} |
    ForEach-Object {$_.Groups[1].Value})
$when = @($event.Message | Select-String -Pattern 'Change\sDate\s:\s(.*?)[\n]' -AllMatches |
    ForEach-Object {$_.Matches} |
    ForEach-Object {$_.Groups[1].Value})
# Only the first user fits in a 160 character SMS, so that is all the admin gets for a bulk change
$message = $who[0] + " password has been changed in O365: " + $when[0]

# Get Telstra API access - https://dev.telstra.com/
# The key and secret are credentials: restrict the ACL on this file to the account running the task
$app_key = "<My_Key>"
$app_secret = "<My_Secret>"
$auth_string = "https://api.telstra.com/v1/oauth/token?client_id=" + $app_key + "&client_secret=" + $app_secret + "&grant_type=client_credentials&scope=SMS"
$auth_values = Invoke-RestMethod $auth_string
$token = $auth_values.access_token
$body = $message.TrimEnd()

# Send SMS to the admins (ConvertTo-Json escapes any quote characters in the user's CN)
foreach ($adminnumber in $adminnumbers) {
    $json = @{to = $adminnumber; body = $body} | ConvertTo-Json -Compress
    $sent_message = Invoke-RestMethod "https://api.telstra.com/v1/sms/messages" -ContentType "application/json" -Headers @{"Authorization" = "Bearer $token"} -Method Post -Body $json
    $sent_message
}

# Single user change: also notify the user
if ($who.Count -eq 1) {
    # Connect to on-prem AD
    Import-Module ActiveDirectory
    $OU = 'OU=RT Users,DC=rtdc,DC=local'
    $aduserrawmob = (Get-ADUser -SearchBase $OU -Filter * -Properties mobile | Where-Object {$_.Name -eq $who[0]}).mobile
    if (-not $aduserrawmob) {
        Write-Warning "No mobile number in AD for $($who[0]); user not notified"
    } else {
        # Accept "0401234567" or "+61401234567": drop spaces and turn the +61 prefix into the leading 0
        $adusermob = ($aduserrawmob -replace '\s', '') -replace '^\+61', '0'
        # Send SMS to the user
        $json = @{to = $adusermob; body = $body} | ConvertTo-Json -Compress
        $sent_message = Invoke-RestMethod "https://api.telstra.com/v1/sms/messages" -ContentType "application/json" -Headers @{"Authorization" = "Bearer $token"} -Method Post -Body $json
        $sent_message
    }
}
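The three pieces the script above depends on, splitting the event message into users, normalising the Australian mobile number formats described earlier, and looking the user up in AD, are worth having as functions you can test without a live AD Connect server. The block below is an added example, not code from the original post: the function names are mine, the sample event text is constructed to follow the layout the script's regexes expect (a Dn and a Change Date per user), and the AD lookup resolves the user by distinguished name rather than scanning the OU for a matching Name.

```powershell
# Added example (not from the original post): reusable parsing, number normalisation and AD lookup,
# exercised against a constructed event message so it runs without the event log or AD.

function Get-PasswordSyncChange {
    # Parse every "Dn : <DN>, Change Date : <date>" pair out of an event 656 message.
    param([Parameter(Mandatory)][string]$Message)
    $pattern = 'Dn\s*:\s*(CN=.*?),\s*Change Date\s*:\s*(\S+\s+\S+)'
    foreach ($m in [regex]::Matches($Message, $pattern)) {
        $dn = $m.Groups[1].Value
        # First RDN of the DN; "\," is an escaped comma inside a CN such as "Smith\, John"
        $cn = [regex]::Match($dn, '^CN=((?:\\.|[^,])+)').Groups[1].Value -replace '\\,', ','
        [pscustomobject]@{ Dn = $dn; Cn = $cn; ChangeDate = $m.Groups[2].Value }
    }
}

function ConvertTo-AuMobile {
    # Normalise to "04xxxxxxxx". Accepts "0401234567", "+61401234567", "61401234567" and spaced or
    # hyphenated variants; returns $null for anything that is not an Australian mobile (e.g. a 02 landline)
    # or for an empty attribute, so the caller never posts a bad "to" number to the SMS API.
    param([string]$Number)
    if (-not $Number) { return $null }
    $digits = $Number -replace '[\s\-\(\)]', ''
    $digits = $digits -replace '^\+?61', '0'
    if ($digits -match '^04\d{8}$') { return $digits }
    return $null
}

function Get-UserMobileByDn {
    # A DN is unique, so look the user up directly instead of enumerating the OU and matching Name.
    param([Parameter(Mandatory)][string]$Dn)
    Import-Module ActiveDirectory
    ConvertTo-AuMobile (Get-ADUser -Identity $Dn -Properties mobile).mobile
}

# --- Demonstration on constructed data (two users in one event = a bulk change) ---
$sample = @"
Password Change Request - Anchor : aaaaaaaaaaaaaaaaaaaaaa==, Dn : CN=Jane Citizen,OU=RT Users,DC=rtdc,DC=local, Change Date : 02/09/2016 12:10:03
Password Change Request - Anchor : bbbbbbbbbbbbbbbbbbbbbb==, Dn : CN=Smith\, John,OU=RT Users,DC=rtdc,DC=local, Change Date : 02/09/2016 12:10:04
"@

$changes = @(Get-PasswordSyncChange -Message $sample)
if ($changes.Count -eq 1) {
    "Single change for $($changes[0].Cn); the user would be looked up with Get-UserMobileByDn '$($changes[0].Dn)'"
} else {
    "Bulk change ($($changes.Count) users); the admin SMS only carries: $($changes[0].Cn) $($changes[0].ChangeDate)"
}

# Number handling, including a landline and an empty attribute, neither of which should be sent to
foreach ($n in '0401234567', '+61401234567', '+61 401 234 567', '0298765432', $null) {
    "{0,-18} -> {1}" -f $n, (ConvertTo-AuMobile $n)
}
```

Get-UserMobileByDn is the only function that needs the RSAT AD module and a domain connection; the other two run anywhere, which makes it easy to test the regexes against a real 656 message copied out of the event viewer before the task goes live.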
