Authenticating to Azure AD as an application using certificate based client credential grant

The documentation on how to authenticate to Azure AD using a client credentials grant and certificate is decent, but it leaves a few open questions, I have experienced. Here is a quick guide on how to actually do this, properly detailed, with a simple Azure Function as an example using KeyVault.

Continue reading “Authenticating to Azure AD as an application using certificate based client credential grant”

Testing out the new API Connectors feature of Azure AD External Identities

External Identities just got a hell of a lot closer to B2C, with the API Connectors feature, allowing external API calls to happen before user creation and after signing in with an identity provider. As in my last post about the new External Identities feature, this post will be me exploring the new feature, simply blogging about my experience with it, and which awesome and not so awesome stuff I find.

Continue reading “Testing out the new API Connectors feature of Azure AD External Identities”

ARM – Getting the service principal objectid for a Logic App using managed identity

This will be my shortest blog post ever. Here is a way to get the service principal of the managed identity for a Logic App, deployed using ARM. This is everything you need to i.e. add an access policy to keyvault:

    "outputs": {
        "principalId": {
            "type": "string",
            "value": "[reference(concat(resourceId('Microsoft.Logic/workflows', parameters('name')), '/providers/Microsoft.ManagedIdentity/Identities/default'), '2018-11-30').principalId]"
        "tenantId": {
            "type": "string",
            "value": "[reference(concat(resourceId('Microsoft.Logic/workflows', parameters('name')), '/providers/Microsoft.ManagedIdentity/Identities/default'), '2018-11-30').tenantId]"

The ‘name’ variable is the name of the LogicApp, logically enough 😉

Testing out Azure AD External Identities

Azure AD External Identities is essentially a new umbrella expression for existing Azure AD features such as the ability to use Google as Identity Provider, B2B guest invitations, Terms of use, Entitlement Management etc., with the new features launched during MS Build 2020 being guest user self service sign-up through “User flows” and Facebook as Identity Provider.

In this blog post i will dive into these new things, to see what these new features can provide of value to Azure AD customers.

Continue reading “Testing out Azure AD External Identities”

Quick script to reset password of users in an Azure AD group


# Get group by name
$group = Get-AzureADGroup -SearchString 'My group'

# Get members
$members = Get-AzureADGroupMember -ObjectId $group.ObjectId -All:$true 

# Get password
$password = Read-host -AsSecureString -Prompt "Password"

$VerbosePreference = "Continue" 
$inc = 1
$members | Foreach {
    Write-Verbose "$($inc) / $($members.Count) - $($_.UserPrincipalName)"
    $inc += 1

    Set-AzureADUserPassword -ObjectId $_.ObjectId -ForceChangePasswordNextLogin:$true -Password $password

Script for generating Azure AD dynamic groups

At a customer I needed to generate quite a few Azure AD dynamic groups, in order to create groups for each department, with users having a set of job titles. This is a good method to automatically assign application roles to a set of users based on their attributes, given that the attributes are managed by a sync from HR or similar. Here is how I did it.

Continue reading “Script for generating Azure AD dynamic groups”