
Azure AD Graph API will be deprecated on July 1st

Open nielsranosch opened this issue 3 years ago • 1 comment

Hello!

DSInternals uses Azure AD Graph API to read the key material from Azure AD. Microsoft has announced that Azure AD Graph API will be decommissioned on the 30th of June. This will include the endpoint graph.windows.net which is currently used by DSInternals.

In Microsoft Graph, one can obtain all (currently supported) authentication methods by calling GET /users/{id}/authentication/methods (see here and here for more info). For example, this can return the resource type windowsHelloForBusinessAuthenticationMethod, which seems to be designed to:

  • list keys for users
  • ascertain weakness/strength
  • map keys to devices (the advertised NavigationProperty device does not seem to work, but one can use ?$expand=device)
  • delete keys

Most notably, obtaining the raw key material does not seem to be supported (I didn't find a way to obtain the key material, but maybe someone else will).

Assuming Microsoft actually decommissions Azure AD Graph on the 1st of July, some functionality of this module will be lost. While most can be regained by switching to Microsoft Graph endpoints, it seems that some functionality will simply not be available there.

In any case, I just wanted to draw your attention to this. :-)

nielsranosch avatar Dec 14 '21 13:12 nielsranosch
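As an added illustration of the Microsoft Graph route described in the issue (this is example code, not part of DSInternals or of either comment), the following PowerShell inventories a tenant's Windows Hello for Business keys with the Microsoft.Graph SDK. It assumes a `Connect-MgGraph` session with `User.Read.All` and `UserAuthenticationMethod.Read.All`, and that the v1.0 `windowsHelloForBusinessMethods` collection exposes the `keyStrength` property (`normal`/`weak`/`unknown`) and honours `?$expand=device`; neither detail is stated in the issue.

```powershell
# Added example, not DSInternals code. Lists Windows Hello for Business keys per user via Microsoft Graph.
# Prerequisites: Install-Module Microsoft.Graph
#                Connect-MgGraph -Scopes 'User.Read.All','UserAuthenticationMethod.Read.All'
# Assumption: /users/{id}/authentication/windowsHelloForBusinessMethods returns keyStrength and accepts $expand=device.

function Get-WhfbKeyInventory {
    [CmdletBinding()]
    param(
        # Object IDs or UPNs of the users to inspect; defaults to every member user in the tenant.
        [string[]] $UserId
    )

    if (-not $UserId) {
        $UserId = (Get-MgUser -All -Filter "userType eq 'Member'" -Property Id).Id
    }

    foreach ($user in $UserId) {
        # Backtick escapes the $ so PowerShell does not treat $expand as a variable.
        $uri = "https://graph.microsoft.com/v1.0/users/$user/authentication/windowsHelloForBusinessMethods?`$expand=device"
        do {
            # Invoke-MgGraphRequest returns a hashtable; 'value' holds the page, '@odata.nextLink' the next page, if any.
            $page = Invoke-MgGraphRequest -Method GET -Uri $uri
            foreach ($method in $page.value) {
                [pscustomobject]@{
                    User        = $user
                    KeyId       = $method.id
                    KeyName     = $method.displayName
                    Created     = $method.createdDateTime
                    KeyStrength = $method.keyStrength
                    # device is the expanded navigation property; null when no device is linked to the key.
                    Device      = $method.device.displayName
                    DeviceId    = $method.device.deviceId
                    # Microsoft Graph does not return the public key itself, so no key material is exported.
                }
            }
            $uri = $page.'@odata.nextLink'
        } while ($uri)
    }
}

# Audit view: only the keys that Graph itself rates as weak, with the device they belong to.
Get-WhfbKeyInventory | Where-Object KeyStrength -eq 'weak' | Format-Table -AutoSize
```

Run `Get-WhfbKeyInventory` without the filter to export the full inventory (for example to `Export-Csv`) and compare it against the device list you expect.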

Thanks @nielsranosch. I am aware of the AAD Graph API deprecation. There even is a Microsoft-provided PowerShell wrapper of the new MS Graph API BETA, e.g., Get-MgUserAuthentication, although it is very poorly documented.

On the other hand, some features of the old API currently do not have any counterpart in the new API.

MichaelGrafnetter avatar Dec 14 '21 20:12 MichaelGrafnetter