Close Encounters of Fiddler

This blog will show you how to combine the power of Fiddler, MDM and PowerShell.

Did you ever wonder how you could automate your Microsoft 365 deployments or capture some MDM traffic? Configuring conditional access, device configurations, update settings and compliance settings by hand is a lot of work, and we haven't even talked about the risk of human error.

I am going to divide this blog into multiple parts:

  1. Capturing HTTPS traffic to automate stuff
  2. Basic Fiddler Tips
  3. Capturing MDM Traffic

1. How does it work?

First, we need Fiddler and PowerShell. Download and install Fiddler.

https://www.telerik.com/download/fiddler

Once Fiddler is installed, make sure you enable HTTPS decryption (Tools -> Options -> HTTPS -> Decrypt HTTPS traffic). Otherwise you won't see much: every request to the portal is TLS, and without decryption Fiddler only shows you CONNECT tunnels.

Now that we have everything in place, open the Intune web portal.

Go and create a conditional access rule in Intune. When you save the rule, take a good look at Fiddler: select the session that was just sent, open the Inspectors tab and switch the request view to TextView (or Raw) so you can see the exact headers and JSON body the portal sent.

Very Nice… Now you’ve got all the information you need to replicate it with PowerShell.

  1. The host address: main.iam.ad.ext.azure.com. You will be calling this REST API directly, so you also need a bearer token issued for the right resource. Remember the resource ID: 74658136-14ec-4630-ad9b-26e160ff0fc6; that is what the PowerShell script below requests a token for.
  2. The URL, i.e. the path added to the host address: https://main.iam.ad.ext.azure.com/api/policies.
  3. The JSON request body: copy/paste it into a variable.

Okay? What now? One script to rule them all!

```powershell
# Sign in with the (legacy) AzureRm module; the token cache it fills is reused below.
Login-AzureRmAccount

$context  = Get-AzureRmContext
$tenantId = $context.Tenant.Id

# Take an unexpired cached token for this tenant and use its refresh token to obtain
# an access token for the portal's internal API resource (74658136-...).
$refreshToken = @($context.TokenCache.ReadItems() |
    Where-Object { $_.TenantId -eq $tenantId -and $_.ExpiresOn -gt (Get-Date) })[0].RefreshToken

$body = "grant_type=refresh_token&refresh_token=$($refreshToken)&resource=74658136-14ec-4630-ad9b-26e160ff0fc6"
$apiToken = Invoke-RestMethod "https://login.windows.net/$tenantId/oauth2/token" -Method POST -Body $body -ContentType 'application/x-www-form-urlencoded'

# Headers copied from the captured portal request; the request/correlation ids are simply fresh GUIDs.
$header = @{
    'Authorization'          = 'Bearer ' + $apiToken.access_token
    'Content-Type'           = 'application/json'
    'X-Requested-With'       = 'XMLHttpRequest'
    'x-ms-client-request-id' = [guid]::NewGuid()
    'x-ms-correlation-id'    = [guid]::NewGuid()
}

$url = "https://main.iam.ad.ext.azure.com/api/Policies"

# Paste the JSON body you captured in Fiddler's Inspectors here.
$content = 'PUT JSON CONTENT HERE'

Invoke-RestMethod -Uri $url -Headers $header -Method Post -Body $content -ErrorAction Stop
```

Please be aware that the script still uses login.windows.net, which will be deprecated next year, so read up on migrating your scripts (to login.microsoftonline.com) when you touch them. Two more caveats: the script lifts a refresh token out of the local token cache, so treat that value like a password and keep it out of transcripts and logs; and main.iam.ad.ext.azure.com is the Azure portal's own internal API, not a documented one, so the request format you captured can change without notice.

Now take a look at your conditional access rules: that's what I call automation! Don't forget to turn the conditional access rules Off before you export them, because the exported JSON carries the rule's enabled state.

You could really lock yourself out by importing enabled conditional access rules into another tenant!
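A check I would add before replaying a captured request (my own example, not part of the original post): decode the access token's payload and confirm it was issued for the expected resource and has not expired, so a stale or wrongly scoped token fails here rather than as an opaque 401 from the portal API. It assumes the `$apiToken` object from the script above and that the `aud` claim carries the resource GUID that was requested; the function names are mine.

```powershell
# Added example, not from the original post. Decode the JWT payload (no signature check;
# we only want to read the claims) and verify audience and expiry before using the token.
function ConvertFrom-JwtPayload {
    param([Parameter(Mandatory)][string]$Jwt)
    $parts = $Jwt.Split('.')
    if ($parts.Count -lt 2) { throw 'Not a JWT: expected header.payload.signature' }
    # JWT uses base64url without padding; convert back to plain base64 before decoding.
    $payload = $parts[1].Replace('-', '+').Replace('_', '/')
    switch ($payload.Length % 4) { 2 { $payload += '==' } 3 { $payload += '=' } }
    [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload)) | ConvertFrom-Json
}

function Test-PortalToken {
    param(
        [Parameter(Mandatory)][string]$AccessToken,
        # Assumption: the aud claim equals the resource GUID requested in the token call.
        [string]$ExpectedResource = '74658136-14ec-4630-ad9b-26e160ff0fc6'
    )
    $claims  = ConvertFrom-JwtPayload -Jwt $AccessToken
    $expires = [DateTimeOffset]::FromUnixTimeSeconds([int64]$claims.exp).UtcDateTime
    $nowUtc  = (Get-Date).ToUniversalTime()
    [pscustomobject]@{
        Audience   = $claims.aud
        Tenant     = $claims.tid
        ExpiresUtc = $expires
        Valid      = ($claims.aud -eq $ExpectedResource) -and ($expires -gt $nowUtc)
    }
}

# Usage, right after $apiToken is obtained in the script above:
$check = Test-PortalToken -AccessToken $apiToken.access_token
if (-not $check.Valid) { throw "Token not usable for the portal API: $($check | Out-String)" }
```

The decode deliberately skips signature validation; the point is to read `aud`, `tid` and `exp` locally before sending the token anywhere, not to trust the token. Note that the same object also tells you which tenant the token belongs to, which is worth eyeballing before you replay a conditional access policy into the wrong tenant.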

2. Basic Fiddler Tips

First, some basic tips, before I show you how to get past the client-certificate problem in part 3:

  • Before you start decrypting HTTPS, open WinConfig and "Exempt All" immersive (AppContainer) apps. Otherwise Windows blocks those apps from sending traffic to the local proxy, so you would never see their requests.
  • When needed you can run Fiddler as SYSTEM with the help of PsExec, but normally capturing as the logged-on user is sufficient.
  • Configure automatic export of the capture every minute, so you are 100% sure you are not missing anything. You can do so via "View" -> "Tabs" -> "AutoSave".
  • Of course make sure you have enabled HTTPS decryption and accepted all the warnings. If you haven't, click "Actions" on the HTTPS options page and choose "Trust Root Certificate".

3. Capturing MDM Traffic

Now we have seen how we could capture some website traffic with fiddler, let’s take a look at how you could capture traffic from and to Intune/Endpoint Manager.

I guess everyone knows this error when you try to capture Microsoft 365 traffic with Fiddler: "The server [r.manage.microsoft.com or manage.microsoft.com] requests a client certificate." The MDM endpoints require mutual TLS, and Fiddler, sitting in the middle, has no certificate to present.

We have two options here; one makes the error go away, the other actually gets you useful logging.

1. Excluding:

Exclude manage.microsoft.com and *.manage.microsoft.com (so also r.manage.microsoft.com) from HTTPS decryption and you won't receive any errors :P... but this is not the way to go when you actually want to capture that traffic.

2. Adding the Intune Client Certificate:

A far better option is to export the Intune MDM client certificate the moment you receive it. Why? Your Intune MDM device certificate is what the device presents for trusted communication with Intune, so why not export it so Fiddler can present it too and decrypt the traffic?

Open the local computer certificate store (certlm.msc), export the certificate, give it the filename ClientCertificate.cer and place it in the %USERPROFILE%\Documents\Fiddler2 folder. Restart Fiddler afterwards and watch it log!

Please note, this trick only works when you started Fiddler as a user. When you run Fiddler as SYSTEM you can guess what's missing... the Documents folder for that account. So how do we solve this?
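The export step above, automated in PowerShell as an added example (my code, not from the original post): find the MDM device certificate in the LocalMachine store and write its public part to the location Fiddler reads, or to a fixed path for the SYSTEM case. It assumes the issuer name "Microsoft Intune MDM Device CA" identifies the device certificate, and, as the post states, that a .cer without the private key is what Fiddler needs here; the function names and the fixed path are mine.

```powershell
# Added example, not from the original post. Locate the Intune MDM device certificate and
# export it (public part only, DER .cer) to where Fiddler expects ClientCertificate.cer.
function Get-IntuneMdmCertificate {
    # Assumption: the MDM device certificate is issued by this CA.
    param([string]$IssuerPattern = 'Microsoft Intune MDM Device CA')
    $now = Get-Date
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Issuer -like "*$IssuerPattern*" -and $_.NotAfter -gt $now } |
        Sort-Object NotAfter -Descending |     # prefer the newest if the device re-enrolled
        Select-Object -First 1
}

function Export-FiddlerClientCertificate {
    param(
        # Default: the per-user Fiddler folder. When Fiddler runs as SYSTEM, pass the fixed
        # path you reference from the FiddlerScript rule instead (for example C:\test\someCert.cer).
        [string]$Destination = (Join-Path ([Environment]::GetFolderPath('MyDocuments')) 'Fiddler2\ClientCertificate.cer')
    )
    $cert = Get-IntuneMdmCertificate
    if (-not $cert) { throw 'No unexpired Intune MDM device certificate found in Cert:\LocalMachine\My' }
    New-Item -ItemType Directory -Path (Split-Path $Destination -Parent) -Force | Out-Null
    Export-Certificate -Cert $cert -FilePath $Destination -Type CERT -Force | Out-Null
    [pscustomobject]@{
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
        Path       = $Destination
    }
}

# Usage: run in an elevated PowerShell on the enrolled device, then restart Fiddler.
Export-FiddlerClientCertificate
# For a Fiddler instance started as SYSTEM via PsExec:
# Export-FiddlerClientCertificate -Destination 'C:\test\someCert.cer'
```

The function filters on `NotAfter` so an expired certificate left behind by an earlier enrollment is never picked, and it returns the thumbprint so you can compare it against the one the device actually uses (Settings -> Accounts -> Access work or school -> Info) before blaming Fiddler for a failed handshake.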

Open the Fiddler Script editor by clicking on “Rules” and “customize rules”

Add the following to the "static function OnBeforeRequest(oSession: Session)" block, pointing the path at wherever you placed the exported certificate (this is the path Fiddler uses for both Intune hosts, so it also works when Fiddler runs as SYSTEM):

```javascript
// FiddlerScript (JScript.NET), inside OnBeforeRequest: present the exported Intune MDM
// client certificate when Fiddler connects to either Intune host.
if (oSession.HostnameIs("r.manage.microsoft.com") || oSession.HostnameIs("manage.microsoft.com")) {
    oSession["https-Client-Certificate"] = "C:\\test\\someCert.cer";
}
```

Conclusion:

If you want to know how to change a Microsoft 365 setting with PowerShell, use Fiddler! Conditional access rules are just one of the many things you can automate this way. You can even capture MDM traffic with Fiddler, isn't that great?

Congratulations, you just automated the deployment of compliance settings, device configurations and Azure settings with PowerShell.
