The Lazy Administrator

Finding ways to do the most work with the least effort possible

Automated Deployment of a Zero Trust Azure Automation Environment

December 30, 2024 Brad Wyatt Comments 0 Comment

Overview

A common and recommended security practice is only allowing access to an Azure Storage Account via a whitelisted IP address. While this is generally a good idea, a problem arises when you need an Azure Automation Account to access one of these Storage Accounts. Currently, even if you whitelist an entire Azure region, your automation runbook will fail to connect to your Storage Account. Instead, you must use an Azure Private Link to connect Azure Automation to your PaaS Azure Resources securely, but “in the current implementation of Private Link, Automation account cloud jobs cannot access Azure resources that are secured using private endpoint. For example, Azure Key Vault, Azure SQL, Azure Storage account, etc. To workaround this, use a Hybrid Runbook Worker instead. Hence, on-premises VMs are supported to run Hybrid Runbook Workers against an Automation Account with Private Link enabled.” 1

This configuration isn’t as simple as … Continue...

Automatically Detect and Prevent Secrets Leaked into Code within Azure DevOps

December 9, 2024 Brad Wyatt Comments 0 Comment

Objective

Security vulnerabilities introduced by hardcoded secrets, passwords, or tokens in your source code can significantly compromise the safety of your application and/or infrastructure. A single API key or database connection string committed to a repository can be a gateway for attackers. But how do you ensure sensitive information never enters your codebase? The answer lies in automation.

In this blog post, you’ll learn how to automate secret detection in Azure DevOps using Gitleaks. We’ll set up a pipeline that listens for pull requests (PRs), fetches the latest code changes, and scans them for leaks — failing the PR if any secrets are found.

Why Do We Need Secret Detection

According to GitGuardian’s 2024 report, “State of Secrets Sprawl”, nearly 13 million new secrets were discovered in public GitHub commits, marking a 28% increase. Out of the 1.1 billion commits scanned, more than 1 in … Continue...

Leveraging OpenAI to Enhance Pull Request Management in Azure DevOps

June 24, 2024 Brad Wyatt Comments 0 Comment

Objective

Our goal is to create an automation that significantly enhances the efficiency of our development process. A service hook is triggered when a new Pull Request is created in Azure DevOps, sending a webhook to an Azure Function. This function analyzes the request body, gets all commits in the Pull Request, and sends them to OpenAI’s API, which generates a Pull Request message detailing all of the proposed changes from the commits and writes it back to the Azure DevOps Pull Request.

The diagram below gives a high-level overview of how the automation works from start to finish.

OpenAI

Generate a new API Key

The first step is to obtain an OpenAI API key to interact with the API. To do so, go to the following website.

Once you have signed in, click + Create new secret key

Give it a descriptive name, and for permissions, in my … Continue...

Automate Azure DevOps Work Item Updates with Azure Functions and the Azure DevOps API

June 18, 2024 Brad Wyatt Comments 0 Comment

Objective

I use Azure DevOps Boards for agile project management, allowing me to plan, track, and discuss automation and DevOps tasks. I also create reporting dashboards from the data within the work items. One such metric I report on is how much time we save when implementing a new automation. To do this, I have two fields called “Estimated Manual Time (min)” and “Annual Occurrences”. The first field is how long it takes someone to do the task manually right now, and the second field is how many times per year this task is done. The last field is “Time Saved Annually (hours),” which takes the first field, multiplies it by the second field, and then divides that number by 60.

In this article, I will show you how I automated the “Time Saved Annually (hours)” value whenever a new work … Continue...

How The ConnectWise Manage API Handles Pagination with PowerShell

June 6, 2024 Brad Wyatt Comments 3 comments

If you have ever worked with the Microsoft Graph API, you may be familiar with how it handles pagination, which is returning an @odata.nextLink property in the response containing a URL to the following results page. 

I was initially confused when I started working with the ConnectWise PSA API. Although I could specify a pageSize and page parameter, there never seemed to be an indication of where to go for the next page of results. This write-up will show you several ways to do pagination within the API and how to form your headers and requests for each type.

The documentation for pagination from Connectwise can be found here.

Query Parameters

The first item to discuss is query parameters. Query parameters are key-value pairs that filter, sort, or paginate data an API returns. Below is a table of the query parameters we will use when paginating data and what … Continue...

Upload a file to Connectwise and Attach it to a Service Ticket with PowerShell

May 9, 2024 Brad Wyatt Comments 4 comments

I have recently been automating a lot within Connectwise PSA. One of the items I set out to do is to upload a file and attach it to a service ticket. This led me to the following article, but after doing some testing, I found that some file types were not properly rendering on the Connectwise side, making me believe there was something wrong with the encoding.

I could upload a .txt file without issues, but I also tried with a .docx and a .pdf, and the file would be corrupted or blank.

The process to upload a file and then link it to a service ticket is first to upload the file to the endpoint /system/documents and then, from there, link the uploaded document to an existing service ticket.

Multipart/Form-Data

The first thing to know about how Connectwise wants a document uploaded is that it uses what is … Continue...

Getting Started with GitHub Copilot in the CLI

March 22, 2024 Brad Wyatt Comments 1 comment

It was announced recently that GitHub Copilot in the CLI has reached General Availability for all Individual, Business, and Enterprise customers. In this post, I will show you how you can download and install the CLI and Copilot extension, authenticate to use Copilot, and the available commands and use cases.

Install the GitHub CLI

Windows

With Windows, we can install the GitHub CLI via the command line (Winget, Chocolatey, or Scoop) or manually from here.

Winget

With Winget, we can install the GitHub CLI using the following command:

winget install --id GitHub.cli

MacOS

With MacOS, we can install the GitHub CLI via homebrew or manually from here.

Homebrew

Using homebrew, run the following command:

brew install gh

Authenticate

Note: In order to use Copilot in the CLI, you must have an active GitHub Copilot subscription.

Once you have a valid subscription to use Copilot, run the … Continue...

View and Export your Intune Device Management Scripts Using the Microsoft Graph PowerShell SDK

March 15, 2024 Brad Wyatt Comments 0 Comment

Introduction

If you’re familiar with Intune, you’re likely aware of its capability to deploy platform or PowerShell scripts to your endpoint devices. Unfortunately, once you upload your script to the portal, there is (at the time of writing this) no easy way to view the script content or download it.

Resolution

To quickly and easily get Intune scripts, I created a function that allows me to export all the scripts from a tenant en masse and view them in the shell or terminal. Sometimes, I am auditing a new tenant and have no need to download the scripts to my local machine; I need to audit the code behind it to get an idea of what is being performed. Additionally, I added some other quality-of-life features that I did not find in other scripts online.

Features

Platform Agnostic

The function will work on PowerShell Core (pwsh) and Windows PowerShell. Allowing … Continue...

Automatically Schedule Microsoft Teams Do Not Disturb Presence Based on Outlook Calendar Events

January 3, 2024 Brad Wyatt Comments 1 comment

In this article I will be showing you how you can automatically have Microsoft Teams set its presence to Do Not Disturb, or any other presence, based on events in your Outlook Calendar. I also looked into leveraging Power Automate but it began to require premium connectors and at that cost, going the serverless automation route was much cheaper.

An overview of this automation is as follows:

  1. Run on a set schedule.
  2. Get all users within the tenant. If the user does not have a mailbox, proceed to the next user; if the user does have a mailbox, proceed to the next step.
  3. Get the user’s events that will occur within the next 1 hour (configurable value).
  4. See if there is an event that matches what we are looking for. In my instance, if an event title/subject is “DND” (not case-sensitive) then proceed to the next step, otherwise go to
… Continue...

Automated Alerts on Azure (Entra ID) Application Secret Expirations

December 16, 2023 Brad Wyatt Comments 43 comments

Monitoring Azure AD (Entra ID now) application secret expirations in an enterprise is a critical aspect of maintaining robust security and ensuring uninterrupted service. When application secrets expire without timely renewal, it can disrupt business operations by causing application failures. Proactive management of application secret expirations helps enterprises avoid last-minute issues, enabling a more secure and efficient operational environment.

During my brief research in finding an automated approach to monitoring application secret expirations, I found multiple write-ups and articles but many only showed the code on how to get the expiration property without walking through setting up the automation itself. Another issue was not converting the default UTC time to local time to get more accurate expiration datetimes, and also dealing with applications with multiple secrets that expire at different times.

This article will walk one through the code’s logic, including converting time and dealing with multiple values, and creating … Continue...
