SecOps on Alfred van Ster

Cloud Identity: Entra ID Stale Guest Reaper

Sun, 03 May 2026 00:00:00 +0000

The Workflow
The Implementation

External guest accounts are frequently provisioned for vendors but rarely decommissioned, creating a lingering attack surface. This script uses the Microsoft Graph API to identify and remove guest accounts that have been inactive for over 90 days.

1. The Workflow

The script performs the following steps:

Authentication: Uses App Registration credentials to silently authenticate to MS Graph.
Filtering: Queries all users where userType equals “Guest”.
Evaluation: Checks the signInActivity property against a 90-day threshold.
Purge: Identifies stale guest accounts to close the security loop.

2. The Implementation

$ThresholdDate = (Get-Date).AddDays(-90).ToString("yyyy-MM-ddTHH:mm:ssZ")
$Url = "[https://graph.microsoft.com/beta/users](https://graph.microsoft.com/beta/users)?`$filter=userType eq 'Guest'&`$select=displayName,userPrincipalName,signInActivity"
$Guests = Invoke-RestMethod -Uri $Url -Method Get -Headers $Headers

foreach ($Guest in $Guests.value) {
 if ([string]::IsNullOrEmpty($Guest.signInActivity.lastSignInDateTime) -or ($Guest.signInActivity.lastSignInDateTime -lt $ThresholdDate)) {
 Write-Host "Stale Guest Found: $($Guest.displayName)"
 }
}

Endpoint Security: BitLocker Key Escrow to IT Glue

Sun, 03 May 2026 00:00:00 +0000

The Workflow
The Implementation

Relying on manual documentation for BitLocker recovery keys often results in locked data when an endpoint fails. This script automates the escrow process, pulling the active numeric password from the local disk and pushing it directly into an IT Glue configuration record via their REST API.

1. The Workflow

The script performs the following steps:

Extraction: Queries the WMI namespace for the active, 48-digit BitLocker Numeric Password on the OS drive.
Authentication: Connects to the IT Glue API using a secure organizational API key.
Payload Delivery: Matches the local Hostname to the IT Glue Configuration ID and PATCHes the “BitLocker Key” custom field with the extracted key.

2. The Implementation

# IT Glue API Configuration
$ITGKey = "YOUR_ITGLUE_API_KEY"
$ITGBaseUrl = "[https://api.itglue.com](https://api.itglue.com)"
$Header = @{
 "x-api-key" = $ITGKey
 "Content-Type" = "application/vnd.api+json"
}

$BitLocker = Get-BitLockerVolume -MountPoint $env:SystemDrive
$RecoveryKey = ($BitLocker.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }).RecoveryPassword

$SearchUri = "$ITGBaseUrl/configurations?filter[name]=$env:COMPUTERNAME"
$ConfigRecord = Invoke-RestMethod -Uri $SearchUri -Method Get -Headers $Header

if ($ConfigRecord.data) {
 $Payload = @{
 data = @{
 type = "configurations"
 attributes = @{
 "custom-fields" = @{
 "bitlocker-recovery-key" = $RecoveryKey
 }
 }
 }
 } | ConvertTo-Json -Depth 10

 Invoke-RestMethod -Uri "$ITGBaseUrl/configurations/$($ConfigRecord.data[0].id)" -Method Patch -Headers $Header -Body $Payload
}

M365 Security: Unauthorized Mailbox Forwarding Auditor

Sun, 03 May 2026 00:00:00 +0000

The Workflow
The Implementation

A classic BEC tactic involves configuring an inbox rule to forward emails to an external address. This script audits an entire Exchange Online tenant for any mailboxes with active forwarding rules to external domains.

1. The Workflow

The script performs the following steps:

Connection: Authenticates to Exchange Online via module parameters.
Auditing: Iterates through all user mailboxes checking forwarding properties.
Evaluation: Compares the forwarding destination against the tenant’s accepted domains.
Alerting: Outputs a high-priority warning if external exfiltration is detected.

2. The Implementation

Connect-ExchangeOnline -ShowBanner:$false
$AcceptedDomains = (Get-AcceptedDomain).Name

foreach ($Mailbox in (Get-Mailbox -ResultSize Unlimited)) {
 if ($Mailbox.ForwardingSmtpAddress) {
 $ForwardDestination = $Mailbox.ForwardingSmtpAddress.Replace("smtp:","")
 if ($ForwardDestination -notmatch ($AcceptedDomains -join "|")) {
 Write-Host "⚠️ EXTERNAL FORWARD: $($Mailbox.UserPrincipalName) -> $ForwardDestination" -ForegroundColor Red
 }
 }
}