Full IGA using Azure AD – Managing access using Entitlement Management

In this blog series on building a full Identity Governance and Administration solution, we have so far covered application roles extensively, and how they can be delivered to an application.

For a quick summary: this is how you can define custom application roles, here is how to send these roles using the SCIM protocol, this article shows how to transfer the roles using the OpenID Connect ID token or SAML claims, and here I show how to use PowerShell to query the Microsoft Graph for application role assignments for your users and groups.


Creating B2C users through the Microsoft Graph

The Microsoft Graph should finally have all the functionality that previously only the Azure AD Graph had, such as the ability to create and manage B2C user accounts. Earlier you had to create them through the Azure AD Graph in order to do certain things, such as setting the account type to local and managing usernames.


Today I learned that querying the Microsoft Graph for all users with a manager reference is slow

What should be a fairly straightforward select is not straightforward. Talking to the product group, this is on the horizon, but right now it must be done through slow means.


Enabling Seamless Single Sign-On when using Azure AD Connect Cloud Provisioning

Microsoft currently does not make it easy to figure out how to configure Seamless Single Sign-On when using Azure AD Connect Cloud Provisioning. Here is how!


PowerShell cmdlet to get attributes not matching between two objects

This is a very quick cmdlet for getting the attributes that do not match between two objects.

<#
.Synopsis
   Returns the names of all attributes that do not match between two objects
#>
function Get-MismatchedAttributes
{
    [CmdletBinding()]
    [OutputType([String[]])]
    Param
    (
        [Parameter(Mandatory=$true,
                    ValueFromPipelineByPropertyName=$false,
                    Position=0)]
        $ReferenceObject,

        [Parameter(Mandatory=$true,
                    ValueFromPipelineByPropertyName=$false,
                    Position=1)]
        $DifferenceObject,

        # Optional: restrict the comparison to these attribute names.
        # When omitted, every NoteProperty found on either object is compared.
        [Parameter(Mandatory=$false,
                    ValueFromPipelineByPropertyName=$false,
                    Position=2)]
        [String[]] $Attributes = $null
    )

    if ($null -eq $Attributes) {
        # Union of the property names on both objects, so an attribute that
        # exists on only one of them is still reported as a mismatch
        $Attributes = @(
            $ReferenceObject | Get-Member -MemberType NoteProperty | Select-Object -ExpandProperty Name
            $DifferenceObject | Get-Member -MemberType NoteProperty | Select-Object -ExpandProperty Name
        ) | Sort-Object -Unique
    }

    # An attribute missing on one side is read as $null and therefore differs
    # from any non-empty value on the other side
    $Attributes | Where-Object { $ReferenceObject.$_ -ne $DifferenceObject.$_ }
}
$obj1 = [PSCustomObject] @{
    Attr1 = "abc"
    Attr2 = "def"
    Attr3 = "klm"
}

$obj2 = [PSCustomObject] @{
    Attr1 = "abc"
    Attr2 = "okj"
}

Write-Host "Attributes that do not match, limited to Attr1 and Attr2" -ForegroundColor Red
Get-MismatchedAttributes $obj1 $obj2 -Attributes "Attr1","Attr2"

Write-Host "All attributes that do not match" -ForegroundColor Red
# Attr3 is also reported here: it exists only on $obj1, so it is compared against $null
Get-MismatchedAttributes $obj1 $obj2
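The cmdlet above compares each attribute with `-ne`, which is fine for single-valued attributes but not for multi-valued ones such as proxyAddresses or otherMails on directory objects: when the left-hand operand is an array, PowerShell's comparison operators act as a filter over its elements instead of comparing the two values. The following is an added example, not code from the original post, showing a set-aware variant that handles such attributes and reports both values for each mismatch. The function names Test-AttributeValueEqual and Get-MismatchedAttributesEx and the sample objects are my own constructions.

```powershell
<#
Added example (not from the original post): a variant of the attribute
comparison that also handles multi-valued attributes, which appear as arrays
on directory objects. Function names and sample data are constructed here.
#>
function Test-AttributeValueEqual {
    param($Reference, $Difference)

    # A missing attribute ($null) and an empty collection both mean "no value"
    $refEmpty = ($null -eq $Reference)  -or (@($Reference).Count  -eq 0)
    $difEmpty = ($null -eq $Difference) -or (@($Difference).Count -eq 0)
    if ($refEmpty -and $difEmpty) { return $true }
    if ($refEmpty -or  $difEmpty) { return $false }

    # Multi-valued on either side: compare as unordered sets. Strings are not
    # ICollection, so a plain string value does not take this branch.
    if (($Reference -is [System.Collections.ICollection]) -or
        ($Difference -is [System.Collections.ICollection])) {
        $delta = Compare-Object -ReferenceObject @($Reference) -DifferenceObject @($Difference)
        return ($null -eq $delta)
    }

    # Single-valued: ordinary (case-insensitive) comparison
    return ($Reference -eq $Difference)
}

function Get-MismatchedAttributesEx {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory=$true, Position=0)] $ReferenceObject,
        [Parameter(Mandatory=$true, Position=1)] $DifferenceObject,
        [Parameter(Position=2)] [string[]] $Attributes
    )

    if (-not $Attributes) {
        # Union of all property names on both objects
        $Attributes = @(
            $ReferenceObject.PSObject.Properties.Name
            $DifferenceObject.PSObject.Properties.Name
        ) | Sort-Object -Unique
    }

    foreach ($name in $Attributes) {
        if (-not (Test-AttributeValueEqual $ReferenceObject.$name $DifferenceObject.$name)) {
            # Emit a record rather than just the name so a reviewer sees both values
            [PSCustomObject]@{
                Attribute  = $name
                Reference  = $ReferenceObject.$name
                Difference = $DifferenceObject.$name
            }
        }
    }
}

# Constructed sample data: a directory object and an HR-sourced record
$directoryUser = [PSCustomObject]@{
    DisplayName    = "Sample User"
    ProxyAddresses = @("SMTP:sample.user@example.com", "smtp:suser@example.com")
    Department     = "Finance"
}
$hrRecord = [PSCustomObject]@{
    DisplayName    = "Sample User"
    ProxyAddresses = @("smtp:suser@example.com", "SMTP:sample.user@example.com")  # same set, different order
    Department     = "Sales"
}

Get-MismatchedAttributesEx $directoryUser $hrRecord | Format-Table -AutoSize
```

With the sample data, only Department is reported: ProxyAddresses holds the same addresses on both sides in a different order, which Compare-Object treats as equal, and DisplayName matches. Emitting the reference and difference values alongside the attribute name makes the output directly usable in a reconciliation report, where knowing which side drifted matters as much as knowing that it did.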