The isEncrypted with Steve Zissou

This short blog will be about a question I received on LinkedIn. The question was about Graph Explorer and why it wasn’t returning the OMA-URI values configured. It only showed some nice ****


I will divide this blog into multiple parts

  1. Replicating the Problem
  2. What’s Happening?
  3. Fixing the Problem

If we need to fix the problem, we need to experience it ourselves. To start replicating the problem, I opened Graph Explorer first.

Graph Explorer is an excellent tool when you are starting to create Graph API requests, so it can also be used when you need to check some settings.

Let’s take a look at what settings are returned when we run this query.

https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations/99b324ca-937e-4494-ac54-b06d889b04e8

As shown above, the value has some nice **** instead of the real values. So what’s happening?

When taking another good look at the screenshot above, you could also have noticed another funny setting: “IsEncrypted”: True

I guess it’s obvious what “isencrypted” means when it’s configured to 1. If not… the official documentation says the value field is encrypted.

So, Microsoft has suddenly switched the default value of isencrypted to 1 last month? I guess I missed that announcement?

But okay, no problem… Encryption is always a good thing. How are we going to decrypt it? When looking at the outcome of the query, we also noticed the “secretReferenceValueId” in it.

Okay… So we can use this “id/key” to decrypt the OMA settings value. But luckily there is no official documentation to tell us how?


Looking back at the wonderful history of GitHub commits, I noticed the “isEncrypted” and the needed “secretReferenceValueId” appeared in the commit from 14 April.


Okay, but how are we going to get back the URI we need? Fiddler to the rescue! When we need some more information about what happens when we are configuring Intune, we need to use Fiddler. If you want to know how it works, please visit this blog.

So what does the URI look like?

I guess we have everything we need now, so let’s create a PowerShell script to get the values back ourselves.

And here is the PowerShell script with all the stuff we discussed in this blog in it. Please test it out yourself, but don’t forget to change the device configuration id to your liking.

# Requires the MSAL.PS module (Get-MsalToken); the client id is the well-known Microsoft Intune PowerShell app
$authResult = Get-MsalToken -ClientId 'd1ddf0e4-d672-4dae-b554-9d5bdfd93547' -Scopes 'https://graph.microsoft.com/.default'
$headers1b = @{
    'Content-Type'  = 'application/json'
    'Authorization' = "Bearer " + $authResult.AccessToken
}

# change this to the id of the device configuration profile you want to inspect
$deviceconfigid = "99b324ca-937e-4494-ac54-b06d889b04e8"

#get the device configuration
$url = "https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations/$deviceconfigid"
$deviceconfiguration = Invoke-RestMethod -Uri $url -Headers $headers1b -Method Get

#get the secretid needed to unencrypt the data
#(the profile in this blog has one OMA setting; with several settings omaSettings is an array, so take the first encrypted one)
$secretid = ($deviceconfiguration.omaSettings | Where-Object { $_.isEncrypted } | Select-Object -First 1).secretReferenceValueId

#parsing the secretid to unencrypt it: the getOmaSettingPlainTextValue function we found with Fiddler
$plainUrl = "https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations/$deviceconfigid/getOmaSettingPlainTextValue(secretReferenceValueId='$secretid')"
$value = Invoke-RestMethod -Uri $plainUrl -Headers $headers1b -Method Get
$value | fl
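As an added example (not part of the original post), the same isEncrypted / secretReferenceValueId handling generalized to every OMA setting in a profile: settings that are not encrypted keep their value, encrypted ones are resolved through the getOmaSettingPlainTextValue function. The Graph call is injected as a scriptblock so the example runs offline against a constructed sample response; the ids and values in that sample are made up.

```powershell
# Walk the omaSettings of a device configuration and return the plain text value of each:
# directly when isEncrypted is false, via the resolver (getOmaSettingPlainTextValue) when true.
function Get-OmaSettingPlainText {
    param(
        [Parameter(Mandatory)] $DeviceConfiguration,   # object as returned by Graph
        [Parameter(Mandatory)] [scriptblock] $Resolver  # called with (configId, secretReferenceValueId)
    )
    foreach ($oma in $DeviceConfiguration.omaSettings) {
        $plain = $oma.value
        if ($oma.isEncrypted) {
            if (-not $oma.secretReferenceValueId) {
                Write-Warning "$($oma.omaUri): isEncrypted but no secretReferenceValueId, cannot resolve"
                $plain = $null
            } else {
                $plain = & $Resolver $DeviceConfiguration.id $oma.secretReferenceValueId
            }
        }
        [pscustomobject]@{
            omaUri      = $oma.omaUri
            isEncrypted = [bool]$oma.isEncrypted
            value       = $plain
        }
    }
}

# Constructed sample of what the beta endpoint returns since the 14 April change (ids are made up)
$sampleJson = @'
{
  "id": "00000000-0000-0000-0000-000000000000",
  "displayName": "Sample custom profile",
  "omaSettings": [
    { "@odata.type": "#microsoft.graph.omaSettingString", "omaUri": "./Device/Vendor/MSFT/Policy/Config/Example/Plain", "isEncrypted": false, "value": "1" },
    { "@odata.type": "#microsoft.graph.omaSettingString", "omaUri": "./Device/Vendor/MSFT/Policy/Config/Example/Masked", "isEncrypted": true, "secretReferenceValueId": "11111111-1111-1111-1111-111111111111", "value": "****" }
  ]
}
'@
$config = $sampleJson | ConvertFrom-Json

# Real resolver (needs the $headers1b from the script above):
# $graphResolver = { param($configId, $secretId)
#     (Invoke-RestMethod -Headers $headers1b -Method Get -Uri "https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations/$configId/getOmaSettingPlainTextValue(secretReferenceValueId='$secretId')").value }

# Offline resolver used here: a constructed lookup table standing in for the Graph function
$offlineSecrets = @{ '11111111-1111-1111-1111-111111111111' = 'the real plain text value' }
$offlineResolver = { param($configId, $secretId) $offlineSecrets[$secretId] }

Get-OmaSettingPlainText -DeviceConfiguration $config -Resolver $offlineResolver | Format-Table -AutoSize
```

Swap $offlineResolver for the commented $graphResolver to run it against a real profile.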

When I need to choose between spending my free evening watching some series or helping someone with a question I didn’t have the answer to (at that time)?


I guess you all know what my choice was.

Rudy Ooms, https://call4cloud.nl/
Rudy is a Modern Workplace architect, currently working for a company in the Netherlands called Deltacom Steenbergen. He has been working in IT since he was 16 years old. Within these years, he gained a lot of experience in different kinds of expertise. I guess, like most of you, he started working with Active Directory environments. In June 2021 he received the MVP status in the category Enterprise Mobility for the first time. The multi-tenant PowerShell scripted Deltacom-Cloud environment is one of his creations.
