Reporting User and Group Assignments for Enterprise Applications
How to Find and Document Assignments for Entra ID Enterprise Applications
A reader asked: “I am trying to execute Microsoft Graph that it can grab all my Enterprise Applications in my tenancy and...

Reasons to Pause Membership Processing for Entra ID Dynamic Groups
Pause Membership Processing to Prevent Inconsistent Changes
A year ago, I wrote about the newly-introduced ability to pause membership processing for Entra ID (then Azure AD) dynamic groups. At the...

Exclude Breakglass Accounts from Conditional Access Policies with PowerShell
Check Conditional Access Policies and Add Breakglass Accounts if Necessary
Breakglass accounts (or as Microsoft calls them, “emergency access accounts”) are intended for emergency use, such as when...

Entra ID Captures Timestamp for Last Successful Sign In for User Accounts
Big Difference Between Last Sign in and Last Successful Sign In
Yesterday, I saw a tweet from Entra ID program manager Merill Fernando announcing that the Graph signInActivity resource type (beta) now...

Entra ID Improves Registered App Security
Changes to App Instance Property Lock and Sign-In Audience
In March 2023, I wrote about a preview feature that allows application developers to lock the properties of service principal objects using...

Threat Actors Increase Misuse of OAuth Applications
OAuth Apps Used to Automate Financially-Driven Attacks
The December 12, 2023 post for the Microsoft security blog covers how “Threat actors misuse OAuth applications to automate financially driven...

Reporting Entra ID Admin Consent Requests
Use PowerShell to Find and Report Details of Admin Consent Requests
Dinesh asked “How can I generate a report of Admin Consent Requests received by Entra ID? I’m specifically looking for information...

Managing Passwords for Entra ID Accounts with PowerShell
Using Password Profiles for Entra ID Accounts
Although passwordless authentication is in the future for many Entra ID accounts, the indications are that it will take time for Microsoft 365 tenants to...

Mastering Microsoft Graph PowerShell SDK Foibles
Microsoft 365 Groups, Entra ID, and User Extension Attributes
Last year, I wrote about some of the foibles encountered by scripters as they work with the Microsoft Graph PowerShell SDK. At the time,...

How to Report Expiring Credentials for Entra ID Apps
Use the Microsoft Graph to Report App Credential Expiration Dates
A reader asks if it’s possible to notify administrators when app secrets expire or are close to expiring. App secrets (also called...

Microsoft Encourages More Performant Membership Rules for Dynamic Groups
Dynamic Group Rule Builder Blocks Contains Operators
It was interesting to read message center notification MC705357 (January 9, 2024) and learn that Microsoft implemented a change to the dynamic...

How to Update Tenant Corporate Branding for the Entra ID Sign-in Screen with...
Use Graph SDK Cmdlets to Apply Annual Updates to Corporate Branding for Entra ID Sign-in Screen
Back in 2020, I took the first opportunity to apply corporate branding to a Microsoft 365 tenant and...

Exchange Online Optimizes Online Address Book Lookups
Directory Lookups, the Address Book, and the Get-MgDomainNameReference Cmdlet
The news published in message center notification MC706449 (13 January 2024) is surprising only because people must still...

Graph User.ReadBasic.All Application Permission Available
Controlling Application Access to Entra ID User Account Information
Message center notification MC704030 (5 January 2024) brings important news for developers that the User.ReadBasic.All permission is...

New MSIdentityTools Cmdlet to Report OAuth Permissions
The Export-MsIdAppConsentGrantReport Cmdlet Makes it Easier for Tenant Administrators to Track OAuth Permissions for Apps
As readers of my articles know, I have often discussed the topic of monitoring...

Reporting App Permissions Used by Managed Identities
Managed Identity Permissions Gather Like Moss on a Tree
A side effect of running the Microsoft Graph PowerShell SDK cmdlets in interactive sessions is that the service principal for the SDK app can...

Why MFA, Conditional Access, and Sensitivity Labels can Combine to Give...
Conditional Access MFA Gives Outlook Desktop a Problem with Protected Email
I think most Microsoft 365 tenant administrators would agree that multifactor authentication (MFA) is a good thing. MFA...

Checking Out Entra Identity Secure Score
Entra Identity Secure Score Includes a Check for Expiring Application Credentials
In January, I wrote about a script to analyze the credentials (certificates and secrets) for Entra ID registered apps...

Microsoft Releases Entra ID License Utilization Insights
Entra ID Usage Insights for Premium Licenses
A February 20 Microsoft Technical Community post covering the introduction of Microsoft Entra License Utilization Insights began by saying that over...

Reporting Soft-Deleted Entra ID Objects
Contemplating the Best Way to Report Soft-Deleted Entra ID Objects
The Microsoft Technical Community article about keeping track of object deletions in Entra ID contains some interesting information....

Finding Devices Used for Multifactor Authentication
Track Down Unused Entra ID Registered Devices By Using Entra ID Sign-In Data
At the end of January, I wrote about how to use multiple sources of data to figure out which user accounts use multifactor...

How to Convert an Entra ID External Account to Internal
Use the Entra Admin Center or PowerShell to Convert to Internal User Accounts
Many Microsoft 365 tenants support a mixture of internal and external accounts. Internal accounts are member accounts that...

Maester: Microsoft Security Test Automation Framework
A Community-Driven Security Configuration Analyzer for Entra ID Tenants
The irrepressible Merill Fernando, a product manager in the Microsoft Entra ID organization, came together with Security MVPs...

Microsoft Graph Activity Logs Hit General Availability
Graph Activity Logs for Security Analysis and Threat Hunting
On April 11, 2024, Microsoft announced the general availability of Microsoft Graph activity logs, explained as: “visibility into HTTP...

Removing Licenses from Entra ID Accounts When a Replacement License Exists
License Management is All a Matter of Identifiers (GUIDs)
A reader asked how to use the Graph SDK to remove the Exchange Online Plan 2 license from 2,000 users who have been upgraded to the Microsoft...

How to Remove a Single Service Plan from User Accounts with PowerShell
Remove Service Plans with the Microsoft Graph PowerShell SDK
In 2021, I wrote about how to remove a single service plan from multiple Entra ID user accounts with PowerShell. The original script used...

Microsoft Launches Support for Entra ID External Authentication Methods
Advancing MFA with Entra ID Authentication Backed by Nine ISVs
Earlier this year, Microsoft reported that the percentage of Entra ID accounts using multifactor authentication had reached 38%. That...

Update Entra ID User Role Permissions to Secure Your Tenant
Make Your Tenant More Manageable by Tightening User Role Permissions
The ability of non-privileged user accounts to perform certain administrative tasks in an Entra ID tenant (Microsoft 365 tenant) is...

Block Device Code Authentication Requests with Conditional Access
The Device Code Authentication Flow
In late February 2024, Microsoft introduced a preview setting for Entra ID conditional access policies to block authentication flows. Although the setting covers...

Report Delegated Permission Assignments for Users and Apps
Extract and Report Delegated Permission Assignments with the Microsoft Graph PowerShell SDK
When discussing permissions used to retrieve data with Graph API requests (including cmdlets from the...

Per-User MFA State Added to Tenant Passwords and MFA Report
Per-User MFA State Available for User Accounts Through the Graph
On June 10, 2024, the Microsoft Graph changelog included some interesting additions to the beta version of the authentication resource...

Adding Details of Authentication Methods to the Tenant Passwords and MFA Report
Revealing Full Details of Authentication Methods and Why This Might Be a Privacy Issue
Soon after releasing V1.2 of the Tenant Passwords and MFA Report (to add details about per-user MFA states), I...

Reporting Entra ID Administrative Role Assignments
Look Out for Synchronized On-Premises Accounts Holding Administrative Role Assignments
An August 2 post by SpecterOps highlights the dangers for hybrid Microsoft 365 organizations of synchronizing...

Why Entra ID can Restore Some Types of Deleted Groups and Not Others
Ability to Restore Deleted Groups Depends on Graph APIs
Yesterday, I covered a gap that exists between the Purview development group and the Exchange Online development group when it comes to applying...

The New Entra ID Photo Update Settings Policy for User Profile Photos
Photo Update Settings Policy is Long-term Unified Replacement for Other Controls
Given the historical foundation of Microsoft 365 in several on-premises applications, it probably wasn’t surprising...

Adding a Custom Test to the Maester Tool
Create a Custom Maester Test with PowerShell and the Graph
I last wrote about the Maester tool in April 2024. At that time, Maester had just been released as a community-based framework for automated...

Microsoft Graph Doesn’t Support Custom Attributes for Groups
Detecting Changes in Container Management Labels
Using sensitivity labels to control the settings of Microsoft 365 groups, teams, and sites is a very powerful management tool. Since introducing the...

How to Force Users to Sign in Weekly
Revoke Access for User Accounts at a Good Time
A recent question in the Facebook Office 365 Technical Discussions group covered the situation where a conditional access policy imposes a 7-day sign-in...

How to Set Directory Synchronization Features with the Graph
UPN and sAMAccountName Updates and Entra ID Directory Synchronization Features
The other day, I received a note from an Office 365 for IT Pros reader to say that they’d perused the book to seek advice...

How to Restore the Service Plan for a Microsoft 365 Product License
Reasons Exist to Disable Service Plans and Enable Service Plans
Plenty of articles are available on the internet to explain how to disable a service plan from a Microsoft 365 license. In this respect,...

Why Are Per-User MFA Settings Available in the Entra Admin Center?
Conditional Access Still Preferred Over Per-User MFA
I was asked if the existence of an option to manage per-user MFA in the Entra admin center (Figure 1) means that Microsoft plans better support for...

Microsoft Recommends the UnifiedRoleDefinition Graph API for Role Assignment...
A New Graph API to Replace Two Existing APIs
The Graph change log update posted on October 21, 2024 contains a simple and blunt recommendation for developers to use the unifiedRoleDefinition Graph...

Manage PIM Role Assignments with the Microsoft Graph PowerShell SDK
Add Eligible and Active PIM Role Assignment Requests
I recently wrote about Microsoft’s recommendation to use the UnifiedRoleDefinition Graph API instead of the older DirectoryRole API. In that...

Use the Microsoft Graph to Report Service Principal Sign-In Activity
Gain Insight from Service Principal Sign-in Activity
Before an app can be used in an Entra ID tenant, it must be registered and have a unique identifier. Apps can be owned by the tenant or created by...

Final Days for the MSOnline and AzureAD PowerShell Modules
Time Ebbing Away Before AzureAD and MSOnline Module Retirement
On January 13, 2025, Microsoft posted what I am sure they hope will be the last notification about retirement details for the MSOnline and...

Entra ID Allows People to Update their User Principal Names
No Good Reason Why Users Can Update User Principal Names
Update 14:00 UTC: Microsoft appears to have reacted and has blocked the ability of users to update their UPNs. Here’s what the Entra admin...

Interpreting SignIn Audit Records for Service Principals
Service Principal SignIn Audit Records Available for 30 Days
In August 2022, I wrote about the experience of developing and using Azure Automation runbooks. Move forward to today and one of the topics...

Microsoft Introduces People Administrator Role
People Administrator is the 116th Entra ID Role
Message center notification MC992218 (30 January 2025) announces the arrival of the new People administrator role for Entra ID. There’s nothing...

Use Protected Actions to Stop Attackers Hard-Deleting Entra ID Accounts
Enforcing Strong MFA Through Protected Actions Might Block Bad Actors
A January 25, 2025 blog about how attackers leverage the User.DeleteRestore.All Graph permission attracted my attention. The idea...

How to Use Bulk User Operations in Entra Admin Center
Update Multiple Entra ID Accounts in a Single Action
It’s perhaps a natural assumption that administrative consoles like the Entra admin center perform actions against singular objects. However,...