Testing out Azure AD External Identities

Azure AD External Identities is essentially a new umbrella expression for existing Azure AD features such as the ability to use Google as Identity Provider, B2B guest invitations, Terms of use, Entitlement Management etc., with the new features launched during MS Build 2020 being guest user self service sign-up through “User flows” and Facebook as Identity Provider.

In this blog post i will dive into these new things, to see what these new features can provide of value to Azure AD customers.

Continue reading “Testing out Azure AD External Identities”

Quick script to reset password of users in an Azure AD group


# Get group by name
$group = Get-AzureADGroup -SearchString 'My group'

# Get members
$members = Get-AzureADGroupMember -ObjectId $group.ObjectId -All:$true 

# Get password
$password = Read-host -AsSecureString -Prompt "Password"

$VerbosePreference = "Continue" 
$inc = 1
$members | Foreach {
    Write-Verbose "$($inc) / $($members.Count) - $($_.UserPrincipalName)"
    $inc += 1

    Set-AzureADUserPassword -ObjectId $_.ObjectId -ForceChangePasswordNextLogin:$true -Password $password

Script for generating Azure AD dynamic groups

At a customer I needed to generate quite a few Azure AD dynamic groups, in order to create groups for each department, with users having a set of job titles. This is a good method to automatically assign application roles to a set of users based on their attributes, given that the attributes are managed by a sync from HR or similar. Here is how I did it.

Continue reading “Script for generating Azure AD dynamic groups”

Script for getting Azure AD app registration secrets and certificates that expire soon

Just needed to clean up expired app registration secrets from a tenant, and figured I could just make a very quick script to find secrets and certificates that expire soon. Have fun – no explanation needed i guess.

$expiresWithinDays = 31
$expired = Get-AzureADApplication | ForEach-Object {
    $app = $_
    #$keys = Get-AzureADApplicationKeyCredential -ObjectId $_.ObjectId 
        Get-AzureADApplicationPasswordCredential -ObjectId $_.ObjectId
        Get-AzureADApplicationKeyCredential -ObjectId $_.ObjectId
    ) | Where-Object {
        $_.EndDate -lt (Get-Date).AddDays($expiresWithinDays)
    } | ForEach-Object {
        $id = "Not set"
        if($_.CustomKeyIdentifier) {
            $id = [System.Text.Encoding]::UTF8.GetString($_.CustomKeyIdentifier)
        [PSCustomObject] @{
            App = $app.DisplayName
            ObjectID = $app.ObjectId
            AppId = $app.AppId
            Type = $_.GetType().name
            KeyIdentifier = $id
            EndDate = $_.EndDate

$expired | Out-GridView