Customers should really start paying attention to their Azure AD application consents, which can be daunting. There are obviously tools for this, even provided by Microsoft through Cloud App Security (CAS), but you know – why not simply dump out everything in Excel and parse through it?
This blog post contains a simple PowerShell script that does exactly this.
Continue reading “Getting all Azure AD consents using PowerShell”This is a quick blog post with an example PowerShell cmdlet allowing you to find out what type of authentication and branding exists for a domain in Azure AD.
function Get-AzureADDomainInfoFromPublicApi
{
[CmdletBinding()]
[Alias()]
Param
(
# Param1 help description
[Parameter(Mandatory=$true,
ValueFromPipeline=$true,
Position=0)]
[String] $Domain
)
Begin
{
}
Process
{
$Url = "https://login.microsoftonline.com/common/userrealm/?user=someone.random@" + $Domain + "&checkForMicrosoftAccount=true&api-version=2.1"
Invoke-RestMethod $Url
}
End
{
}
}
Get-AzureADDomainInfoFromPublicApi microsoft.com
Get-AzureADDomainInfoFromPublicApi innofactor.com
For example, in the output, if “AuthURL” contains a url you’ll see that ADFS is used and if is_dsso_enabled that means the Seamless SSO is active.
This post contains a quick example on how to find users with certain attributes update the last 24 hours. The script uses the Lithnet PowerShell Module, which can be install using Install-Module LithnetRMA.
Continue reading “MIM – Finding users with certain changed attributes last 24 hours”Quick post today. Of course, when implementing Azure AD authentication, you should use the Microsoft Authentication Library. Some times, however, you have platform limitations that limits you to implement OpenID Connect “from scratch”. So one of my customers did, but we found the ID Token to be signed by a key with key identifier (kid) that we could not find in the jwks urls found in the OpenID Connect metadata. However, I found it eventually and here is how.
Continue reading “Today I found out – Azure AD ID Token signed by “unknown KID””The following contains a quick reference for how to extend the OpenID Connect ID Token that we created in this blog post with additional attributes.
Continue reading “Adding custom attributes to the Azure AD OpenID Connect ID Token”Today I quickly needed to split users into migration batches for Office 365, and with that I needed to create many buckets of 100 user objects each. The following script can help you out if you need something similar.
Continue reading “Splitting objects into buckets using PowerShell”This is a short blog post with a PowerShell cmdlet that will return you the Azure AD tenant id for a given domain.
function Get-AzureADTenantId
{
[CmdletBinding()]
[Alias()]
[OutputType([string])]
Param
(
# Param1 help description
[Parameter(Mandatory=$true,
ValueFromPipelineByPropertyName=$true,
Position=0)]
$DomainName
)
Begin
{
Load-Assembly System.Xml.Linq | Out-Null
}
Process
{
$FederationMetadata = Get-AzureADFederationMetadata -Domain $DomainName
$FederationMetadata.EntityDescriptor.entityID -split "/" | where{$_ -match "^[a-zA-Z0-9]{8}-[a-zA-Z0-9]{4}-[a-zA-Z0-9]{4}-[a-zA-Z0-9]{4}-[a-zA-Z0-9]{12}$"}
}
End
{
}
}
Get-AzureADTenantId microsoft.com
Get-AzureADTenantId microsoft.onmicrosoft.com
This post contains a quick example on how to utilize the new namedLocation Graph REST API endpoints to populate conditional access sites.
For simplicity, the script utilizes the access token from the Graph Explorer, rather than it’s own application registration. Continue reading “Populating Azure AD named and trusted locations using Graph”
In this post I will quickly demo how to use PowerShell to get app role assignments for all application using the Microsoft Graph.
You should have followed my previous post in order to have created an application, added some appRoles to the manifest and granted access to the Graph.
Continue reading “Full IGA using Azure AD – Getting app role assignments using PowerShell”
In the last post we transferred to user information and roles to the application through Azure AD outbound provisioning with SCIM. This requires the application to either have or to implement a SCIM API, which might some times be unnecessary. Also, many applications does not have an internal user database, but relies on session information when doing access control.
In this blog post I will show you how applications can get user roles through the user’s ID token, demoed with OAuth 2.0 authorization code flow.
Continue reading “Full IGA using Azure AD – App roles in OAuth ID token or SAML claim”
Good Workaround! 