DOWST.DEV

by a scope, writing them back to onpremises Active Directory, including group memberships.

Graph module) comes in two versions. The general availability version is intended for production while the preview version (AzureADPreview) contains the cmdlets from the general availability version plus some new cmdlets under development group. The current version of the AzureADPreview module is 2.0.2.105, released in July.

encourage you to try the Microsoft Graph PowerShell SDK. The Microsoft Graph PowerShell SDK is where all our current and future investments are being made.

aspect of maintaining robust security and ensuring uninterrupted service. When application secrets expire without timely renewal, it can disrupt business operations by causing application failures. Proactive management of application secret expirations helps enterprises avoid last-minute issues, enabling a more secure and efficient operational environment.

documentation with a new option to also document Azure AD Conditional Access policies.

expiration. In other words, the default lifetime of tokens issued by Azure AD is too short to allow the script to complete before the token expires. Two solutions exist. Use a token lifetime policy to prolong access token lifetimes or check in code for potential expiration and renew when necessary.

Graph and PowerShell. Whilst this is great at a user level, Azure AD Authentication Methods Summary Reports at an organization level are often requested by IT Management. And whilst they can be obtained from the Azure Portal (Azure Active Directory > Security > Authentication Methods > Activity) how can we get them programmatically? In this post l will show how to extract Azure AD Authentication Methods Summary Reports using Microsoft Graph and PowerShell.

B2C configuration settings to local .json files.

deprecation of the Azure AD and MS Online modules.

by the Azure Active Directory Product Group in conjunction with the Microsoft Detection and Response Team (DART), to assist in compromise response.

including a look at the old and a focus on the new!

lot. If you want to restrict the number of devices then you came to the right place.

helper functions to gather configuration information of your tenant e.g. logs and reports of licenses, apps (incl. expired secrets).

a hierarchy that is then created in a visual org chart using a program called GraphViz

Conditional access policies. This can give you some nice options to backup, document and restore Conditional access policies. In my opinion, the PowerShell cmdlets aren't all that intuitive, which is the reason I want to show in this post how to backup and restore Conditional Access Policies with PowerShell.

available or not. I also had to challenge this scenario while scripting for a customer. After this I thought this is something many people may need. So here is my solution with some explanation to use it in your own script.

users in AzureAD that have enabled passwordless sign-in with the Microsoft Authenticator app. Previously I usually made use of the Script for Azure MFA authentication method analysis but that script uses the MSOnline PowerShell mode where the Get-Msoluser cmdlet doesn't expose the information about these newer Authentication Methods.

virtual machines, which are ideal as I can simply dispose of them after. But you also need to cleanup the device records that were created in Azure Active Directory, Intune, the Autopilot registration service, Microsoft Endpoint Manager (if you're using it) and Active Directory in the case of Hybrid-joined devices.

images, the logos, or even help with localization. To check out all the options I suggest grabbing the documentation by Microsoft here. Remember that you need a P1 subscription or higher for branded portals.

Sign-in allows you to sign in using your M365 credentials and multifactor authentication token, or using a Azure AD Temporary Access Pass. Web-Sign in is pretty cool as users get presented with a modern authentication pop-up dialog when signing in, the same one they are used to seeing when logging into the Office suite applications.

action against user accounts. The new property is available through the Graph beta endpoint. Quite a difference can exist between the last successful sign in and the last sign in, as explored in this article.

PowerShell Module I authored named AzureADTenantID. Its sole purpose was to take a domain name (e.g., darrenjrobinson.com) and lookup return any associated Azure AD (now Entra ID) TenantID.... keep reading

a Principal Product Manager on Microsoft's Entra team. Our discussion unveiled an in-depth look at Microsoft Entra, providing listeners with tips and tricks. Merill generously shared his journey in becoming a PM, emphasizing the pivotal role of learning and sharing knowledge within our tech community. We also delved into the emerging importance of transitioning from the AzureAD module towards a more streamlined approach using Graph. Not to miss, Merill spotlighted his widely acclaimed tools such as [akasearch.net](http://akasearch.net), idPowerToys, and entra. news, and more, opening up an array of exciting possibilities for our listeners. Join us as we explore these topics and a whole lot more in yet another riveting session of the PowerShell Podcast.

module that does it for you. So now you will be able to find which FIDO2 keys are attestation compatible with Entra right from your terminal. In the very near future I will have individual functions

plays a crucial role in effectively managing user accounts, optimizing licenses, enhancing security, and meeting compliance requirements. So, let's see how to check inactive users

how to use PowerShell find accounts that have an Office365 Admin role that don’t use MFA.

After a few years, the proliferation of 'Guest' accounts usually becomes a focus, especially for larger tenants. As Azure AD has matured the meta data associated with accounts, along with Microsoft Graph improvements is making it easier to define and locate stale Azure AD B2B Guest Accounts. In this post I investigate Azure AD with Microsoft Graph API's to find stale Azure AD B2B Guest Accounts.

properly authenticate. Accounts with username and password might have Active Directory alert you when your password expires, however, what can we use...

automating. Knowing how to automate is truly one of the most versatile skills you can have as a Systems Engineer and today I'm going to share a script I wrote to be able to get azure conditional access policy changes using Powershell.

authentication methods, something very similar to this Get MFA Methods using Graph API script I wrote a while back. However, I haven't really seen a script to show me what their per-user MFA status is.

will fully be decommissioned on June 30, 2022.

access capabilities for app service. More organizations are now harnessing the security capabilities of Azure AD into the apps they create for an additional layer of authentication. This post will cover how to register an app to Azure AD via PowerShell to take advantage of this.

managing Azure resources like virtual machines.

directory. A PowerShell script does the job, even if some constraints in how Entra ID processes membership rules means that the rules can't be quite as precise as I would like them to be.

many years of working with Conditional Access deployments, baselines, and automation tools, I wanted to package all that knowledge, experience, and best-practices, in a singel fully automated PowerShell tool.

reject any additions that met specific criteria. Easy, we said, so we set to creating a script to interrogate the unified audit log to find new member events. Once that was done, it's a matter of analyzing the events to find if we should reject the addition of any of the added members.

expire over time, so it's good to review app credential expiration dates periodically. This article explains how to use the Microsoft Graph PowerShell SDK to generate a report about app credential expiration dates to allow tenant administrators to manage registered apps a little better...

you may have run across a frustrating problem: An on-premises AD user license has expired but that user can still access resources on Azure AD. As long as you're on a Windows 10 computer with the Remote Server Administration Tools and the Azure PowerShell module installed, you can remedy this security risk by finding all expired AD accounts and revoking them.

If so, you may have run across a frustrating problem - an on-prem AD user has expired but that user can still access resources protected with Azure AD.

update elements through the admin center or PowerShell. This article explains how to use the Microsoft Graph PowerShell SDK to customize the sign-in text and background image for the sign-in screen.

RunAs account because it doesn't require certificate/secret renewal. Therefore it is maintenance-free.

Keeping an eye on app permissions is important. From a PowerShell perspective, it is reasonably straightforward to retrieve details of app permissions using the Microsoft Graph PowerShell SDK. Several methods are available to do the job.

Credentials and Certificate based authentication. Also with Delegated Permissions and Device Code flow authentication. The one I haven't written a post on is performing interactive authentication to Microsoft Graph using MSAL with PowerShell and Delegated Permissions. I have for Python so this post will complete the examples for both Python and PowerShell.

product family.

profile, you can update an account's password and force actions like force the user to change their password on the next sign-in or force the user to enable multifactor authentication for the account. All done with cmdlets from the Microsoft Graph PowerShell SDK.

designed to streamline management and automation for the Microsoft Entra product family, which includes the services formerly known as Azure Active Directory.

group. Yes, the new UI in the AAD portal helps, but doesn't provide all the information. On the other side there are a ton of PowerShell modules e.g.: MSOL, AzureAD or AzureADPreview.

to March 30, 2024. The nine-month extension is there to help customers convert scripts to use the Microsoft Graph PowerShell SDK or Graph API requests. On the upside, the extra time is good as it creates space to migrate scripts. On the downside, there's still some challenges in converting from the old Azure AD modules.

now, but always in separate functions.

cloud management easy and simple. But the end for these two modules is nearby, and the direction is the Graph API. So why not start now and learn what you need to know to migrate your PowerShell [.]

are curious on changes that come with the new module version. In the world of continuous change, it is hard to keep track of these changes as new cmdlets or parameters get added to support new features, and some get removed as they become obsolete. So, how to discover what those changes are after updating to the latest module?

little more difficult . Microsoft allows per-user MFA, Security Defaults, and Conditional Access all to be used concurrently. I've created this monitoring script that returns which users seem to fall out of any Multi-factor authentication scope, and also reports what type of authentication is currently active on the tenant. Using the normal PowerShell methods you can only find if a user has per-user MFA enabled, if a user uses Conditional Access or Security Defaults it shows the per-user MFA state as disabled, which is a little annoying.

should always assume breach. The attack will come and it can strike from any direction - the Internet, on-prem, BYOD, etc. The first thing an organisation experiences after the fact is often confusion, fear, and panic. Not the best mix of feelings to have while trying to sort things out! Most organisations don't have a clear plan of what to do next.

something I've found usefull at work, so I've improved it a little bit now.

your IT Org has N different resource groups where you want to activate every day. It would be time consuming to activate them one by one. Instead, you can build a custom app using PowerShell or UI so that you can activate to all of these resource groups in one shot.

synchronize accounts from their local Active

Azure. See how you can query log data using Powershell.

Microsoft Graph PowerShell SDK. Although options exist in the Microsoft 365 admin center and Azure AD admin center to restore deleted groups, it's nice to have the option to do the same with PowerShell.

with PowerShell using Azure Rest API.

center. PowerShell does the trick, once you know how. The key thing is to find the right cmdlet to use. Once you know that, the rest is pretty easy as we explain in this article.

now available and many Purview solutions support administrative units. In this article, we explain how to use Microsoft Graph PowerShell SDK cmdlets to create a report about administrative units, role assignments for their management, and their membership.

registration occurs. Although this information changes over time and isn't updated by Azure AD, it might be of some interest and use to tenant administrators, so we show how to report it here. If you want accurate information, you'll need to use Intune.

isn't particularly difficult, if you know where to look. Our script uses the Graph SDK to check service principals, filters out the apps to check, and extracts the user and group assignments before reporting what it finds.

Graph PowerShell.

PowerShell for Graph module. It provides you everything you need to know to get started, quickly and easily.

it turns out, Microsoft would prefer if developers use the Revoke-MgUserSignInSession cmdlet instead of Invoke-MgInvalidateUserRefreshToken, but who would have known if we hadn't asked the question?

of years. Now the time has come when things happen. Cmdlets that set licenses for Azure AD accounts are now retired and will stop working on or before June 30, 2023. If you haven't already upgraded scripts, it's time to do so.

data from workloads like Exchange Online, SharePoint Online, and Teams. Some of this data is available via PowerShell cmdlets like Get-ExoMailboxStatistics and Get-SPOSite, but using the Graph is usually faster.

purposes. In this article, we explore how to use the Microsoft Graph PowerShell SDK to update extension attributes for registered devices, and even better, access the content in the extension attributes afterward.

a Daily Microsoft Entra Risk Report.

Directory App Service Principals. Really nothing spectacular but I didn't want to keep it from you.

Risky Users in your Azure Active Directory. I will also show you how to use PowerShell to connect directly to the Microsoft Graph and query the data from there. Being able to query for riskDetections, risky users, and sign-ins, allows you to automate alerts or actions whenever a user gets flagged in your risk policy.

processing, which is how the app filter for conditional access policies works. It's nice to be able to interact with data through PowerShell and the Microsoft Graph PowerShell SDK cmdlets support setting, updating, and retrieval of Azure AD custom security attributes. Everything works, but it's a pity that it's a little clunky.

management PowerShell module, in that article, I also explained how to use Graph API queries in a PowerShell script executed in a runbook.

make it easier to modify (Or more succinctly a Settings Page). This was a bit of work to think through. I am hoping someone might know of a more robust way to do what I am doing. This way I felt I could do with a bit of work. So I came up with two ways of implementing the same settings script.