The docs.microsoft.com pages contain several examples for managing Entitlement Management, however, you can never get enough examples. Also, an end to end example can be useful some times, so here you go.
Continue reading “Azure AD Entitlement Management Graph Examples”Category: Uncategorized
Testing out Azure AD External Identities
Azure AD External Identities is essentially a new umbrella expression for existing Azure AD features such as the ability to use Google as Identity Provider, B2B guest invitations, Terms of use, Entitlement Management etc., with the new features launched during MS Build 2020 being guest user self service sign-up through “User flows” and Facebook as Identity Provider.
In this blog post i will dive into these new things, to see what these new features can provide of value to Azure AD customers.
Continue reading “Testing out Azure AD External Identities”Quick script to reset password of users in an Azure AD group
Connect-AzureAD
# Get group by name
$group = Get-AzureADGroup -SearchString 'My group'
# Get members
$members = Get-AzureADGroupMember -ObjectId $group.ObjectId -All:$true
# Get password
$password = Read-host -AsSecureString -Prompt "Password"
$VerbosePreference = "Continue"
$inc = 1
$members | Foreach {
Write-Verbose "$($inc) / $($members.Count) - $($_.UserPrincipalName)"
$inc += 1
Set-AzureADUserPassword -ObjectId $_.ObjectId -ForceChangePasswordNextLogin:$true -Password $password
}
Trying out the new phone sign in feature for Azure AD
Microsoft just launched the preview for the “Text message” authentication method, for Azure AD users. Let’s try it out.
Continue reading “Trying out the new phone sign in feature for Azure AD”Birth right permissions using Azure AD Entitlement Management access packages
Currently, automatically assigning users to access packages is not a feature available. It is on the Microsoft product group’s agenda, but not on public roadmap yet.
So I built a little PowerShell workaround, which works fine.
Continue reading “Birth right permissions using Azure AD Entitlement Management access packages”Script for generating Azure AD dynamic groups
At a customer I needed to generate quite a few Azure AD dynamic groups, in order to create groups for each department, with users having a set of job titles. This is a good method to automatically assign application roles to a set of users based on their attributes, given that the attributes are managed by a sync from HR or similar. Here is how I did it.
Continue reading “Script for generating Azure AD dynamic groups”Script for getting Azure AD app registration secrets and certificates that expire soon
Just needed to clean up expired app registration secrets from a tenant, and figured I could just make a very quick script to find secrets and certificates that expire soon. Have fun – no explanation needed i guess.
Connect-AzureAD
$expiresWithinDays = 31
$expired = Get-AzureADApplication | ForEach-Object {
$app = $_
#$keys = Get-AzureADApplicationKeyCredential -ObjectId $_.ObjectId
@(
Get-AzureADApplicationPasswordCredential -ObjectId $_.ObjectId
Get-AzureADApplicationKeyCredential -ObjectId $_.ObjectId
) | Where-Object {
$_.EndDate -lt (Get-Date).AddDays($expiresWithinDays)
} | ForEach-Object {
$id = "Not set"
if($_.CustomKeyIdentifier) {
$id = [System.Text.Encoding]::UTF8.GetString($_.CustomKeyIdentifier)
}
[PSCustomObject] @{
App = $app.DisplayName
ObjectID = $app.ObjectId
AppId = $app.AppId
Type = $_.GetType().name
KeyIdentifier = $id
EndDate = $_.EndDate
}
}
}
$expired | Out-GridView
Generating report of all Access Package assignments in Azure AD Entitlement Management
Need a script to generate a report of all access package assignments in your tenants? Look no further.
Continue reading “Generating report of all Access Package assignments in Azure AD Entitlement Management”Generating demo Access Packages for AAD Entitlement Management through the Microsoft Graph
Some times it can be handy to be able to generate some demo content, and have some reference PowerShell for working with stuff. Here is my script for creating 5 access packages with different properties:
- A visible package available for any external user
- A hidden package available for any external user, requiring the user to know the url
- A package available to external users in connected organizations
- A package available for members of an internal group
- A package available to any internal user, with manager approval and self review
Script for adding back members to Azure AD group from audit log
Had an emergency at a customer today, where the IAM solution removed a few thousand users from licensing groups. In order to quickly add these back until the IAM system was operational again, the following method was used.
Continue reading “Script for adding back members to Azure AD group from audit log”