Category: Uncategorized

Working on some security stuff over the next few weeks and decided to write up a blog post on all the Microsoft Security features.  Aka, what they are and what uses them and how you actually find them!  You will also realize that the same name is used a couple of times (“Advanced Threat Protection”) and some things aren’t really products but a marketing term for a “set of products”.  In some cases, the names have changed so Google/Bing search results are crazy!
Someone needs to manage product names with SEO in mind at Microsoft!

• Azure Key Vault
  • What is it and what does it do?
    • Allows you store keys used for encryption activities across various systems and platforms
  • What uses it?
    • Virtual Machines, Resource Manage template deployments, and Azure Disk Encryption
    • Used to store your Office 365 bring your own encryption key
  • How do you get to it?
    • https://portal.azure.com/#blade/HubsExtension/Resources/resourceType/Microsoft.KeyVault%2Fvaults
• Advanced Threat Analytics (ATA)
  • What is it and what does it do?
    • A proprietary network parsing engine that captures authentication and authorization data.
    • ATA will discover a well known set of attack types such as Pass-the-ticket,  Pass-the-hash, Overpass-the-hash, and many more!
  • What uses it?
    • It uses other systems (like a span port on a switch).
  • How do you get to it?
    • ATA is an on-premises software solution (download it here – amazingly not in the MSDN download center).  You must install it and configure it to monitor the traffic on your network.
    • ATA has to be configured to received data from your SIEM, Windows Event Forwarding and Windows Event Collectors
• Office 365 Advanced Threat Protection
  • What is it and what does it do?
    • Protects your email from various different attack vectors including “possible” zero-day protection.  Provides the following:
      • Safe LInks, Safe attachments, spoof intelligence, quarantine, anit-phishing
  • What uses it?
    • Exchange Online and if enabled, your Hybrid setup of your on-premises Exchange
  • How do you get to it?
    • You have to add a subscription that contains this feature, once enabled you will have reports in your Exchange Online portal to view all security events
• Windows Defender Advanced Threat Protection (aka Windows Defender Security Center)
  • What is it and what does it do?
    • An agent-less built in feature of Windows 10 OS that utilizes “sensors” to analyze user and app behavior to detect anomalies.
  • What uses it?
    • Windows 10 (v1703+)
  • How do you get to it?
    • Do a search for “Windows Defender Security Center” on your windows 10 device.
• Compliance Manager
  • What is it and what does it do?
    • A new tool that will be release later this year that will score your environment on its compliance abilities to common laws and regulations.
  • What uses it?
    • Office 365 services
  • How do you get to it?
    • TBD
• Azure Conditional Access
  • What is it and what does it do?
    • Allows you to prevent a user or app to login based on policies and threat analytics
  • What uses it?
    • Azure Active Directory
  • How do you get to it?
    • Open your Azure Portal
    • Find the Azure Active Directory you want to configure, select it
    • Click “Conditional Access”
• Office 365 Conditional Access
  • What is it and what does it do?
    • Allows you to drill down into the sites in SharePoint Online that you’d like to lock down based on limited policy (Modern Auth, IP)
  • What uses it?
    • SharePoint Online
  • How do you get to it?
    • Open your Office 365 Portal
    • Click “SharePoint”
    • Click  “Access Control”
• Windows Hello
  • What is it and what does it do?
    • Allows you to use Biometric based factors for authentication
  • What uses it?
    • Windows 10+
  • How do you get to it?
    • It is a part of the Windows 10 Operating System.  You can enable it with these steps:
      • Open “Settings”
      • Click “Accounts”
      • Click “Sign in options”
• Multi-Factor Authentication
  • What is it and what does it do?
    • Only using a password has become bad practice.  Enabling both a password and a token are common place (even though many people have not protected their Azure Admin account with MFA!)
  • What uses it?
    • Anything and everything that utilize authentication via Azure AD or even Hotmail\Passport
  • How do you get to it?
    • You can get there by selecting a user in your Office 365 admin page, then click “Manage multi-factor authentication or browse to Azure AD here
    • Tokens are available via the Microsoft Authenticator app (iPhone, Android)
• Cloud App Security (used to be called “Office 365 Advanced Security Management”)
  • What is it and what does it do?
    • This tool will monitor your employee application usage (including cloud based apps) and give you an idea of what rouge IT solutions may be lingering on your network.
    • A Cloud App catalog can be constructed that would allow you to trust or untrust applications.  Example, If you have chosen OneDrive as your personal file solution, then all instances of Box and DropBox should be disallowed (after migration of course).
  • What uses it?
    • It runs behind the scenes gathering data and information on the apps that are running on your users computers.  The data that is gathered is anonymous so that you abide by various new laws (such as our friends in the EU have enacted).
  • How do you get to it?
    • https://portal.cloudappsecurity.com
• Data Loss Prevention
  • What is it and what does it do?
    • Allows you to control the type of data that is being sent from your Office 365 environments
  • What uses it?
    • Exchange, SharePoint, Skype
  • How do you get to it?
    • Login to the Security and Compliance center
    • Click “Data Loss Prevention”
• Customer Lockbox
  • What is it and what does it do?
    • It prevents Microsoft engineers from accessing your content in Office 365.
  • What uses it?
    • Office 365 systems
  • How do you get to it?
    • Open your O365 admin portal
    • Expand the “SERVICE SETTINGS” node
    • Click “Customer Lockbox”
    • Toggle the switch to “On”
    • NOTE:  When a Microsoft Engineer needs to access your environment to fix an issue, be aware that the Customer Lockbox requests have a default lifetime of 12 hours, after which they expire.
• Windows Information Protection
  • What is it and what does it do?
    • An extension to the Information Rights Management (IRM) conversation.  WIP is designed to be seemless.  The idea is that data that starts on your network should stay on your network. If it needs to go somewhere else, then policy should define the rules.  WIP does this.
  • What uses it?
    • Windows 10 (v1607+) with all Microsoft Office products and Microsoft Edge. Universal Windows Apps support WIP but have to be enabled to do so (Microsoft is working with 3rd parties).
    • Azure Rights Management (cloud based IRM) will kick in if your have to share data outside your network (such as with Business Partners).
  • How do you get to it?
    • You can enable WIP by configuring a policy in your Intune portal or utilize System Center Configuration Manager (SCCM) – steps here.
• Azure Storage Service Encryption
  • What is it and what does it do?
    • Encrypts all the blobs in your storage account using an encryption key
  • What uses it?
    • Azure Storage Accounts
  • How do you get to it?
    • Go to your Azure Portal and select “Storage Accounts”
    • Select a Storage Account
    • In the properties window, select “Encryption”, click “Enabled”
      • NOTE:  If you are missing the “Encryption” node, then is could be:
        • The storage account is “classic”
        • The storage account is not “Blob Storage”
      • NOTE: You cannot utilize your own key with this services (aka, no BYOK)
      • NOTE:  If you enable after you have created an account, only new blobs are encrypted!
      • NOTE:  It is also possible that the Azure Security Center may “recommend” you enable encryption for your older storage accounts
• Device Guard
  • What is it and what does it do?
    • A group of features.  Combined they lock down a system such that only trusted applications are allowed to execute, thereby preventing malware from ever running on your computer.
  • What uses it?
    • Windows 10 and Windows Server 2016 operating systems
  • How do you get to it?
    • You have to have UEFI running in Native Mode on Windows 64bit, Second Layer Address Translation (SLAT) and Virtualziation Extensions (Intel VT or AMD v) and preferably with a Trusted Platform Module (TPM)
    • Install the “Hyper-V Hypervisor” feature
    • You have to create a Code Integrity Policy and then deploy it to the targeted systems.  This file is called SIPolicy.p7b and lives in the C:\Windows\System32\CodeIntegrity or <EFI System Partition>\Microsoft\Boot for UEFI computers
    • NOTE:  These policies can get very complex very fast, check out all the stuff you can do here
• Windows Defender Credential Guard
  • What is it and what does it do?
    • Prevents credential theft attacks such as Pass-the-Hash or Pass-the-Ticket.
    • Sets up a virtualization like approach to allow only access to the system software that should be able to get to them
    • Uses the new Virtual Secure Mode (VSM) to secure data in memory, also called Virtualization Based Security (VBS)
  • What uses it?
    • Any software that has to do NTLM or Kerberos authentication
  • How do you get to it?
    • This is a part of the operating system in Windows 10 and Server 2016
• UEFI Secure Boot
  • What is it and what does it do?
    • Ensures that all software loaded at boot time is trusted.  No “Bootkits” can be loaded.
  • What uses it?
    • Pretty much all of the latest hardware (laptops, servers) have a UEFI bios now, so you get this by default.  You can turn it off, but you would only do so if your operating system was not a part of the trusted set of software
  • How do you get to it?
    • When you computer loads, jump into the UEFI bio settings,  from there you can turn it on or off.  Unless you have a really special Linux distro (or your own) you should probably leave it on!
    • NOTE:  Secure Boot does not require a TPM
• Trusted Boot Process
  • What is it and what does it do?
    • It is the steps after the Secure Boot process ends.  It makes sure that all the Windows OS level items are secure and trusted.  No “Rootkits” can be loaded.
    • These include:
      • OS Loader, Kernel, System drivers, System Files, ELAM Driver
    • What uses it?
      • Windows 8.1+ and Server OSes
  • How do you get to it?
    • Nothing to “see” here
• Enterprise Mobility + Security
  • What is it and what does it do?
    • It is a subscription in Office 365.  It is not “technically” a product, but a set of services that will light up in your tenant if you purchase it
  • What uses it?
    • Office 365 and Azure (in terms of “lighting up” available services)
  • How do you get to it?
    • Open your Office 365 portal
    • Click “Billing”
    • Click “Subscriptions”
    • Click “Add subscription”
    • Search for “Enterprise Mobility + Security”
    • Select it, Buy It!
• MDM for Office 365
  • What is it and what does it do?
    • It allows you to do some really basic mobile device policy enforcement such as password requirements, data encryption, no jail broken phones.
    • You can also enforce things like blocking cloud backup, screen capture, app store, and bluetooth.
  • What uses it?
    • Policies are enforced by the applications you download such as Outlook for iPhone, etc
  • How do you get to it?
    • Open the Security and Compliance page
    • Expand “Data loss prevention”
    • Click “Device security policies”
• Microsoft Intune
  • What is it and what does it do?
    • Microsoft’s hard core MDM solution.  It goes waaay past the basic MDM you get with Office 365.
    • Intune adds many more features and functionality around device management such as windows updates and software push aka Mobile App Management (MAM).
  • What uses it?
    • Any registered or unregistered devices that want to access your cloud services
  • How do you get to it?
    • Open your Office 365 portal, in the “Admin Centers”, select “Intune” or just go to the Intune Portal
• Intelligent Security Graph
  • What is it and what does it do?
    • Marketing term mainly…not really a product
    • It is a network of security related systems and events that are continually analyzed to determine what attackers are trying to do against the Microsoft Cloud Infrastructure.
  • What uses it?
    • Nothing you are directly exposed too.  This is a behind the scenes system of systems that uses various algorithms to find attack patterns.
  • How do you get to it?
    • Its abstracted away from you, nothing to see here…literally.
• Azure Monitor
  • What is it and what does it do?
    • It is the log aggregator for all Azure services.  Any future products will also send their data here.
  • What uses it?
    • All Azure services are monitored by Azure Monitor
  • How do you get to it?
    • It has many entry points to gain access to the monitoring data.  Azure Portal, PowerShell, CLI, REST and a .NET SDK
• Azure Advisor
  • What is it and what does it do?
    • Evaluates your Azure subscriptions for several categories of security.  High Availability, Security, Performance, and Cost
  • What uses it?
    • Nothing technically uses this feature, but it does provide you will recommendations on how to best use Azure and its many features in an optimal manner
  • How do you get to it?
    • Go here
• Database Threat Protection
  • What is it and what does it do?
    • Protects your Azure Databases from potential internet based threats.  This can be super helpful for when you want to ensure that your developers have actually followed best practices when designing the applications that make calls into your database.
  • What uses it?
    • Azure SQL Databases, possibly other db platforms in the future
  • How do you get to it?
    • Open your Azure Portal
    • Navigate to the “” category
    • Select your SQL Database
    • Click the “Auditing and Threat Detection” node
    • Toggle the buttons to enable “Auditing” and “Threat Detection”
    • NOTE:  It costs $15/server/month
• Azure Network Monitor (aka Network Watcher, aka Network Performance Monitor)
  • What is it and what does it do?
    • Similar to the Solarwinds Traffic Analyzer and Network Performance Monitor, Azure Network Monitor allows you to setup monitors between services and servers in your Azure instance.  You can also monitor your ExpressRoute traffic if you have that setup.
  • What uses it?
    • Nothing really uses it other than you.
  • How do you get to it?
    • Go here
• Office 365 Secure Score
  • What is it and what does it do?
    • This tool will evaluate your Office 365 tenant and compare your settings and service configurations to over 364 different reference points
  • What uses it?
    • Nothing uses it, its another recommendation tool like Azure Advisor
  • How do you get to it?
    • Go here
• Operation Management Suite (OMS)
  • What is it and what does it do?
    • Its your SCOM server in the cloud, only, much cooler!  You can utilize events to fire off configuration tasks similar to how SolarWinds uses its NCM product to push configurations to Cisco devices
    • OMS is not really a single product, but a set of services, these include:
      • Log Analytics
      • Automation
      • Backup
      • Site Recovery
  • What uses it?
    • OMS uses everything else.  It can make changes to your infrastructure based on the data it is receiving.
  • How do you get to it?
    • Open your Azure Portal
    • The OMS services are under the “MONITORING + MANAGEMENT” category

Recently had a customer with an issue with accessing Office 365\SharePoint site.  They were complaining that the performance was not great.  So I needed to see what issues they might be having with their network.  Results were really interesting, they were being routed (via ATT) from SJC to CHI to NYC to DUB then back to LAX and finally to the US West data center in SJC.  Woah…that’s definitely not good!
Decided to write down all the tools I use and the script commands I execute to test a sites connectivity to Office 365.

1. Fiddler
   1. Open a site collection, sort the HTTP requests by latency\execution time
2. MeasurementLab tools
3. Ping – Network level
4. Tracert – Transport level
5. WireShark – For really tough, weird things that don’t show up in regular network tools (Session, Transport issuse)

Services to ping:

• Exchange
  • ping outlook.office365.com
    • Ensure you are getting the closest data center:
      • outlook-namcentral3.office365.com – 40.97.125.146
      • outlook-namnorthwest.office365.com – 40.97.134.178
      • outlook-apacsouth.office365.com – 40.100.17.34
      • outlook-emeawest.office365.com – 40.101.69.226
      • etc…
  •  SharePoint
    • Resolve-DnsName tenant.sharepoint.com
      • Determine DNS servers serving your requests
    • ping tenant.sharepoint.com -t
    • ping 104.146.168.28 (tenant.sharepoint.com)
      • Target latency = <100ms
    • ping 40.97.119.178 (outlook.office365.com)
      • Target latency = <50ms
•  Skype
  • ping global.tr.skype.com
  • ping 13.107.8.2 -t
    • Target latency = <20ms
• Azure
  • Find local data center – http://azurespeedtest.azurewebsites.net/
• Other IPs

Services to tracert (use the db-ip.com service to find their locations):

• tracert 13.107.8.2
• tracert 40.97.119.178

Look up each ip along the way…to see if unnecessary routing is occurring.  If it is, then ISP needs to configure route to data center or customer needs to setup ExpressRoute.
https://db-ip.com/{IPADDRESS}
Painful Example:

• 192.168.25.12 – local router (San Jose)
• 12.251.115.241 – Chicago (ATT)
• 12.122.110.58 – New York (ATT)
• 12.122.163.34 – New York (ATT)
• 12.122.158.9 – New York (ATT)
• 104.44.9.183 – Dublin (Microsoft)
• 104.44.4.105 – Los Angeles (Microsoft)
• 104.44.4.102 – Los Angeles (Microsoft)
• 104.44.9.215 – Los Angeles (Microsoft)
• 40.97.119.178 – San Jose (Microsoft)

Helpful references:

• GeoLocation DNS
• Azure ExpressRoute for Office 365
  • Locations

You may run into an issue with your Nintex Services not starting on your non-central administration servers as in this image:

You can attempt to browse the web and Nintex support pages, but they will be of little help:

• Install-ExternalPlatform does not work
• Manual install live service

It turns out that the services did not get installed as part of the solution deployment.  In otherwards, the Nintex Services are missing on your SharePoint server.

In this case, you have to install the services manually in order to start them and have your server be compliant. The three services are:

• Nintex Connector Workflow Queue Service – (C:\Program Files\Common Files\microsoft shared\Web Server Extensions\16\BIN\NintexWorkflow\Nintex.Workflow.Connector.QueueService.exe)
• Nintex External Relay Service -(C:\Program Files\Common Files\microsoft shared\Web Server Extensions\16\BIN\ExternalPlatform\Nintex.External.RelayService.exe)
• Nintex Workflow Start Service – (C:\Program Files\Common Files\microsoft shared\Web Server Extensions\16\BIN\NintexWorkflowStart\Nintex.Workflow.Start.Service.exe)

You can manually install these services to the other servers by running the .net installutil utility (Except in the case for two of them you have to use the “sc” tool).  Note that there are two versions of this tool, 32bit and 64bit.  If you use the wrong one, you will get the dreaded “System.BadImageFormatException”, and if it does successfully run, the service won’t be visible to SharePoint due to Nintex “programming practices”.  The install tool is located in:

• C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe

The series of commands in an administrator command (cmd.exe) window would be:

• sc create “Nintex Connector Workflow Queue Service” binPath=”C:\Program Files\Common Files\microsoft shared\Web Server Extensions\16\BIN\NintexWorkflow\Nintex.Workflow.Connector.QueueService.exe” DisplayName=”Nintex Connector Workflow Queue Service” start=auto
• C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe “C:\Program Files\Common Files\microsoft shared\Web Server Extensions\16\BIN\ExternalPlatform\Nintex.External.RelayService.exe”
• sc create “Nintex Workflow Start Service” binPath=”C:\Program Files\Common Files\microsoft shared\Web Server Extensions\16\BIN\NintexWorkflowStart\Nintex.Workflow.Start.Service.exe” DisplayName=”Nintex Workflow Start Service” start=auto

Why do you have to use “sc create”?  Because the internal name of the Queue Service is actually “Nintex Connector Workflow Queue Service Recycle”.  For the other, the name ends up being “NWStart”…SharePoint doesn’t like it when services don’t match what they expect!

Once you run the install commands, the services will display in your Services applet:

Once they are installed, switch back to Central Administration, click “Start” on the servers.  They should now start without error and your servers will be in “compliance”!

Enjoy!
Chris

You always wondered why, but then you were never in the healthcare industry or work at an exec level to know how the tech systems work at a typical hospital…
Here’s a quick education into the healthcare disaster! 
When you go into the hospital, a chart is written up based on your comments and the doctors evaluation and actions (draw blood, tap your knee, whatever). This chart is then translated into a series of medical codes so they know how to charge them to you or your insurance.  The charts are evaluated by a series of medical “coders”, no, they don’t know C# or Java or JavaScript, they just match the words to “codes” (ICD9/ICD10).
Each chart is “coded” to a specific set of codes.  The codes are then sent off to the billing system.  The billing system will match the codes to the patients insurance (or lack thereof) such that the base charge rate is multiplied times a discount (or again, a lack thereof) or “forced” charge amount for that particular insurance contract (Blue Cross, Medicaid, Medicare, etc).
Most insurance companies want a “discount” on your particular services\codes.  They can negotiate or force (depending how big they are) just about anything for a set of codes.
The crazy part about this is that the base rate that the hospital charges (the “charge master” database system) is pretty much a let’s run a sql query against the database and increase everything by 7%  EVERY YEAR (or some rate adjustment, possibly matching inflation or exec\board discretion).
You should be saying…”wait what”?
Yup, every year, a non-qualified individual will increase the pricing of stuff because the execs tell them too.  Remember the movie “Independence Day” when the jewish guy says something about the price of the hammer…yeah…$400 for a hammer.
Aka, $20 for a bandaid!
Why?  Because the charge master simply gets incremented by a percentage every year in a blanket fashion!
Ok…so the charge master is broken.  Yup.  That’s where the government comes in.  Obama actually kicked some serious ass with this.  He forced certain codes to be charged at a base rate that is run by the government (and you have to follow them for any ACA insurance policies).  If you send in a bill with a code that has a price over the base, REJECTED!  It forced everyone to reevaluate their charge masters (at least for government stuff).
I applaud him for that.
But…here’s the kicker.  The “coders” that “code” your chart.  Those people are instructed to interpret the words in such a way that they can set the chart to match the most expensive codes!  Even though those codes may not even really match!  It’s up to the patient and the insurance company to do a review of the worded chart to see if the codes have been applied appropriately!
This review happens very rarely.
Now that I know how this works, believe me…every time I go into the doctor’s office I ask for my chart and the codes that were sent for it.  I actually got $250 back for this last visit!
What else happens?  Oh, execs and doctors are “spiffed” for overdoses of various items.  Example, you get bit by a snake and need the anti-venom, guess what, you only need one dose…but how many do you actually get?  Anywhere from 1-5 doses!  Each dose (back in the day) can be up to $20K each.  Where does the money go?  The doc, the hospital and the execs get a kickback!   What?!?!  Yup…there is shadiness that occurs for all kinds of things.
And that is your 10 min run down of how corrupt the medical system in America is and why we don’t have universal health care, everyone has a different charge master that no one can agree to the price of anything!
Enjoy!
Chris

So I’m renewing my CISSP and will be making a push into the security space pretty hard in the next few months.   Part of that will be doing things like in this post.
I am deep into identity and auth flows and have been doing a ton with ADFS/OAuth with Intune etc.
A few days ago it hit me that a person has the ability to modify the claims that ADFS sends to O365.  That got me to thinking…
What will happen if O365 does its realm redirect where a user logs in as one person yet the claim for the UPN is different than the original?  Will it work and if so, what are the ramifications of it?
So, here’s my general thinking of what I want to do (didn’t end up being how to do…keep reading):

• Setup ADFS and a federated domain in O365 (chrisgivens.com)
• Modify the O365 ADFS claims to be someone\something other than what the actual login implied.
  • IE…I login as chris@chrisgivens.com, but the claim that is sent back is actually spoof@chrisgivens.com

• Share a site with spoof@chrisgivens.com
• See if it all works…

So…first part.  ADFS.  When you setup the O365 relay it adds in its own claims rules so that it gets what it is expecting.  The general set of claims that get sent are:

• http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
• http://schemas.xmlsoap.org/claims/UPN
• http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID

In addition to the other basic claims as seen here:

Ok, cool.  So here’s my goal.  Set it such that no matter who logs in, the identity and claims that get sent to O365 are really someone else!  That requires a bit of claim manipulation.  Here’s an example:

See what I’m doing?  I’m setting the email to be something else other than the original value from the auth’d AD user!  I do this for all the email claim fields.  The though is that Azure AD will utilize the email\UPN as its “source of truth” for who the user is.  Ok, great.  So let’s try it out!
Going to the faithful login.microsoftonline.com, I enter in a set of credentials for my federated domain, and get redirected to ADFS.  I log in to ADFS page, and the first go around, I got this error:

After removing competing claim rules and re-trying the login, this is the beauty you end up:

It worked…kinda.  Notice that id.  That is what I though was the valid ObjectGUID.  Nope, its a bit different than that.  So how the heck do I view the claims that ADFS is sending?
Well, good luck with that with the out of box logging of ADFS.  You can attempt to follow this post to turn on all the verbose logging, but its only helpful for resolving the competing claims issue or the fact I did not have the SAML Consumer setup on the replying party.
So, what do you do?  You swing over to Auth0.com and you setup your ADFS with them, then you can use all their cool debugging tools to see what is actually coming across!  Awesome…

So, after looking at the logs and seeing the original claim rule applied, I see that the ObjectGUID is base64 encoded.  So I copy it and paste it into my claim rule.
Ok, let’s try this again…I sign on, type a username and password, ADFS does its thing, I get redirected back to the site, and whala…I’m in as the other user!  Holy shizer balls, it worked…
It wasn’t what I though would happen being that I had to find the ObjectGUID and that is what Azure AD goes off of, not the email claims.
So what does this mean?  It means whoever has access to ADFS for the remote federated domain, can open up the ADSI edit tool, find the ObjectGUID for a user (or even use basic powershell such as “Get-ADUser username -Properties ObjectGUID | Select *”), paste in some rules and BAM…they are in as that user in the O365 application layer.  
They do NOT have to be a domain admin to query Active Directory for ObjectGUID, nor do you have to be a domain admin to manage ADFS.  You can simply be an ADFS Admin.
This is significant in that unlike a domain admin, when a domain admin changes a password or an AD object, the AD object changes are very likely audited and red flags thrown!
In my experience, a change to ADFS claim rules is very rarely audited and monitored and if it is, it is unlikely to throw up any major red flags.  Any ADFS admin can make a change and login at any time and bam, you can be anyone, anytime.  This leads to…log your ADFS 510 events:

Hope you trust whoever is running the target federated auth server (no matter what it is).  Or that you trust whoever you are sharing things with if they are doing federation and not Azure AD directly!
I think it would be nice to be able to set in the configuration settings that I don’t want to allow my users to share data with a domain that has federation enabled and that it must be managed by Azure AD!  Maybe even be able to set it at a very specific level such as Site/Web.

Have had this in my back pocket for a while.  I just checked to see if it still works and sure enough…it does.  You can see I tore deep into the SP App Store design with this 4 year old post.  What I didn’t show was how one can get the app packages for free and by pass paying for the apps.
This only works with Apps that have a “trial”.  Ones that you have to pay for will not be open to this hack as you would have to buy them first.  But technically once you have bought it, you can use this same hack to then go post their app package on the internet.
How does it work you ask?  If you read through the steps of the post referenced above, one of the back end abstracted parts is to download the app package such that it can be deployed to the target web.  The app package will not be put into the database and is required to be downloaded each and every time you request it.  In the App Mgmt database you will find the RawXMLEntitlementToken.

This is generated when you click through the Microsoft billing portion of the app install.  All apps (Free, Trial, Paid) have to run through this in order to get the token.  Once you have this token, you can use it to download the app package by simply pasting this into your browser window:
https://store.office.com/appinstall/unauthenticated?cmu=en-US&clienttoken=%3cr%20v%3d%221%22%3e%3ct%20aid%3d%22WA103532495%22%20pid%3d%22%7b1d39b4be%2D60e0%2D45d3%2D9084%2D186800df12e2%7d%22%20cid%3d%225B0427C7B8C9F259%22%20did%3d%22%7b4AA4B65C%2D9085%2D41B7%2DBC31%2D4553E50D3AAA%7d%22%20ts%3d%220%22%20sl%3d%22true%22%20et%3d%22Free%22%20ad%3d%222013%2D10%2D05T01%3a32%3a24Z%22%20sd%3d%222013%2D10%2D05%22%20te%3d%222018%2D05%2D31T22%3a44%3a03Z%22%20ss%3d%220%22%20%2f%3e%3cd%3e0o9KoXMWV%2bOazF2J02jVoMDkzptamrbN9%2fIZw0m09V8%3d%3c%2fd%3e%3c%2fr%3e&ret=0&build=15.0.4763.1000&av=OSU150&origin=EC101785291&corr={96ae724f-5d59-49b3-8fcd-79191c3e1728}
This will download the .cab file for the target app.  Once you have this, you don’t need to pay for the App when the trial expires.  Just install it to your app catalog or directly into the site.
Enjoy!
Chris

You may run across this in your dealings with SharePoint 2013 or 2016 when attempting to move things to the Records Center and leave a link behind.
It used to be because the file was checked out, but with all the new features of SharePoint these days, you get many components stepping on each others toes.
In this case, you will find the actual error is not bubbling up from the lower levels in the stack.  A quick search in the ULS logged will point you to this gem:
“Version of this item cannot be deleted because it is on hold”
Ah ha…remove the hold that is placed on the document (if you were testing anyway) and then you can continue the move process.  The unfortunate thing is that the document does successfully get submitted to the records center, so a resubmissions will trigger the whole versioning or _ASDSF randomness.  Such is life in SharePoint when you have end points calling other end points that live outside one another’s thread space.