Nicola Suter

Don't let Entra ID Protection miss your next breach!

Sun, 22 Mar 2026 10:00:03 +0000

Learn how to strengthen your Entra ID tenant by leveraging Entra ID Protection, understanding risk signals, and implementing effective Conditional Access policies to prevent account breaches.

CEO impersonation with Microsoft Booking

Wed, 18 Mar 2026 20:00:03 +0000

Shared Microsoft Booking pages automatically create Exchange mailboxes with predictable email aliases, enabling attackers to impersonate executives. Learn how to detect and prevent this abuse with KQL queries and configuration options.

Defender XDR Unified Detections Meet Sentinel Data Lake

Tue, 24 Feb 2026 22:00:03 +0000

Unified Detections bring a new way to create and manage detections across Microsoft Sentinel and Defender XDR data. Combined with native Data Lake ingestion for XDR tables, this opens up cost-effective retention opportunities. Let's explore the capabilities, limitations, and migration considerations.

AI just solved a CTF for me!

Fri, 16 Jan 2026 21:00:03 +0000

I tried using AI and the new Microsoft Fabric Real-Time Intelligence to solve a CTF challenge for me, and it worked surprisingly well.

Did you hear that maester supports Intune?

Thu, 04 Dec 2025 20:00:07 +0000

The maester framework now supports Microsoft Intune checks.

Mai 2024 KQL Café Recap

Mon, 01 Jul 2024 20:07:46 +0000

In May I had the pleasure to be invited to the KQL Café which is hosted by Gianni Castaldi & Alex Verboon. Within this format they empower…

AiTM Phishing with Azure Functions

Mon, 01 Apr 2024 18:23:49 +0000

PoC for an Azure AiTM Function to phish Entra ID credentials and bypass canary token detections.

Have you heard about passkeys and AAGuids?

Fri, 01 Dec 2023 00:00:00 +0000

With the availability of passkeys the FIDO2 standards become more accessible in the form of password managers, web-browsers and (mobile) operating systems — without the need for dedicated hardware such as FIDO2 keys.

Microsoft is currently in the process of developing support for passkeys and shipping the public preview in Q1 2024:

While this is a very welcome addition to make passwordless authentication easily accessible without dedicated hardware such as FIDO2 security keys this also introduces new risks, especially for high value accounts — But why’s that?

Enriching Microsoft Sentinel tables with eligible Entra directory roles

Fri, 17 Nov 2023 00:00:00 +0000

Microsoft 365 Defender and Sentinel provide an IdentityInfo table that contains various information that is helpful for threat hunting and detections. One key piece are also the assigned Entra directory roles for a specific identity. Unfortunately only permanently assigned permissions are covered and in times of Entra Privileged Identity Management (PIM) we should have standing permissions only for non-privileged roles and break-glass accounts.

Within this blog post I want to share a few tips and tricks to answer the following questions with Sentinel and a little bit of scripting and KQL:

Maintaining Microsoft Sentinel Analytic Rules in JSON and YAML with GitHub Actions

Mon, 13 Nov 2023 00:00:00 +0000

Microsoft Sentinel Analytic Rules can be shared in both the YAML and ARM format, whereas the ARM format leverages JSON as file type. Within…

Microsoft Sentinel Analytic Rules can be shared in both the YAML and ARM format, whereas the ARM format leverages JSON as file type. Within this short post I want to demonstrate an approach that leverages a GitHub Action to automatically build and update the rules in YAML format — so you can just export and update existing rules without any manual conversion effort.

Have you heard of workload identity access token replay?

Wed, 08 Nov 2023 00:00:00 +0000

Microsoft recently made the Microsoft Graph Activity Logs available as part of the Microsoft Entra ID diagnostic settings. This means we can use the MicrosoftGraphActivityLogs Table to enrich custom detections and analytic rules.

Within this post I want to elaborate closer on an attack scenario for workload identities that leverage workload identity federation and don’t have any persistent credentials or long lived secrets. But one type of credential artefacts is still theft-able — the short lived access tokens.

Microsoft Entra Connect Sync Hardening

Sun, 24 Sep 2023 00:00:00 +0000

Microsoft Entra Connect Sync (aka Azure AD Connect) allows establishing hybrid identity scenarios by interconnecting on-premises Active Directory and Entra ID (aka Azure AD) and leveraging synchronisation features in both directions. As you might already know, this brings potential for abuse of the assigned permissions to the involved service accounts and permissions of this service.

On the internet are already some posts with subset of this information but I wanted to provide an actionable post with individual measures to implement. Of course should we do MFA for all admins and AD tiering but some of those steps involve more complex measures to implement and I will try to provide some individual building blocks you can use to harden the configuration of your Entra Connect service accounts.

Why you should use Entra Workload Identity Federation

Thu, 07 Sep 2023 00:00:00 +0000

Microsoft Entra Workload Identity Federation is a hidden gem when dealing with app registrations and service principals because it will significantly improve the security posture of your workload identities. While I already blogged about the more technical and implementation specific details in my GitHub Actions with Entra Workload Identity Federation post, I want to highlight the benefits and scenarios where you can use Workload Identity Federation to access Entra ID protected resources.

Retrieving Windows LAPS Azure AD Passwords with PowerShell

Wed, 10 May 2023 00:00:00 +0000

Did you know that for the new Windows LAPS Azure AD is also maintaining the password history? The built in PowerShell commandlet relies on the Microsoft Graph PowerShell SDK and within this post I want to show you how to work with the Get-LapsAADPassword cmdlet.

Kudos to Niklas Tinner as he brought this to my attention while working together.

Where is this command originating from?

The Get-LapsAADPassword cmdlet is part of the LAPS PowerShell module that was baked into the Windows Operating system with the April 2023 quality updates.

Let's have a tête-à-tête with the new Windows LAPS for Azure AD joined devices

Fri, 21 Apr 2023 18:56:24 +0000

Deploy the new Windows LAPS to Azure AD Joined devices with Intune. Windows LAPS provides local administrator password management.

Provoking Defender for Identity suspicious certificate usage alerts

Tue, 11 Apr 2023 00:00:00 +0000

Microsoft Defender for Identity (MDI) has announced a new capability back in February to detect suspicious certificate usage for Kerberos authentication. It is already well-known, that Active Directory Certificate Services (ADCS) is a lucrative target for adversaries to achieve persistence in Active Directory as ADCS can be easily misconfigured resulting in an easy way to exploit those misconfigurations. In this post I want to show you how easy those misconfigurations can be abused and how and when such an attempt is detected by Microsoft Defender for Identity new detection capabilities for suspicious certificate usage.

You must not touch my endpoint security settings!

Sun, 12 Mar 2023 00:00:00 +0000

Intune Endpoint Security Configuration Settings have become the way to go for configuring security features on various platforms. What did start with Microsoft Defender for Endpoint settings for Windows clients has evolved to settings for macOS, Windows Servers and is treated like a first class citizen. So it is important to guard those sensitive configurations as they control (and can potentially disable) vital security features on endpoints such as defender tamper protection, attack surface reduction rules, firewall and many more.

Optimising Microsoft Graph PowerShell scripts

Wed, 22 Feb 2023 00:00:00 +0000

We all have probably been there and developed a PowerShell script that took some fair amount of time until the execution completed, weren’t we? Of course one could argue and say that as long a script ‘works’ it is good enough but depending on the use case and environment a PowerShell script that runs 30 to 60 minutes exceeds the patience of most (IT) people and can also lead to increased costs. But what makes those kinds of scripts that awfully slow and can’t we just tweak them to run faster?

Migrating to the new Windows Store experience

Mon, 30 Jan 2023 18:56:24 +0000

The Microsoft Store for Business will be discontinued mid 2023 and Intune recently introduced the new Windows Store experience backed by…

GitHub Actions with Entra Workload Identity Federation

Mon, 23 Jan 2023 17:03:47 +0000

Workload Identity Federation (let’s just call this WIF) allows app principals not residing within Azure to request short lived access…

Inside Windows package manager (winget)

Fri, 30 Dec 2022 23:11:03 +0000

Windows Package Manager provides exciting features to install and upgrade apps on Windows devices. But how does winget actually work?

Setting up a radius server for Azure AD joined devices and 802.1x

Sun, 25 Sep 2022 00:00:00 +0000

RADIUS setup with machine certificates for Azure AD joined devices for Wi-Fi authentication with 802.1x

Android dedicated devices managed home screen and system apps

Tue, 20 Sep 2022 00:00:00 +0000

Learn how to allow android system apps in combination with the Microsoft Managed Home Screen app.

The easiest way to work with the Microsoft Graph PowerShell SDK

Fri, 09 Sep 2022 00:00:00 +0000

Kickstart your Microsoft Graph PowerShell SDK experience for various interactive automation and scripting scenarios by easily obtaining an access token from the MEM console.

Intune app protection policy report

Mon, 13 Dec 2021 00:00:00 +0000

Learn how to create a report about Intune app protection policies (also called MAM) and gain insights about the usage within your organization.

Have you considered TPM key attestation?

Sat, 28 Aug 2021 00:00:00 +0000

Key attestation uses a trusted platform module to protect your private keys and can be enabled on active directory certificate services CAs to prevent private key theft

Automatically sign your PowerShell scripts with GitHub actions

Fri, 09 Jul 2021 00:00:00 +0000

Sign PowerShell artifacts with GitHub actions workflows automatically

Securely sending emails from PowerShell scripts with modern authentication enforced

Fri, 19 Mar 2021 00:00:00 +0000

Send mails from your unattended Powershell scripts with the Microsoft Graph API and the Microsoft Graph PowerShell SDK

Dealing with Intune OMA-URI encoding and applocker rules

Tue, 16 Feb 2021 00:00:00 +0000

Resolving Intune OMA-URI UTF-8 encoding issues when editing XML contents with an automated PowerShell approach.

Microsoft Graph Access Token Acquisition with PowerShell explained in depth

Mon, 04 Jan 2021 00:00:00 +0000

Explaining different ways about obtaining access tokens for Microsoft Graph with PowerShell to support interactive and unattended automation.

Android Enterprise Enrollment: Page Not Found

Sat, 19 Dec 2020 00:00:00 +0000

Page not found when enrolling Android Enterprise Devices with Microsoft Endpoint Manager

Housekeeping for stale MEM profiles

Wed, 16 Dec 2020 00:00:00 +0000

How to do housekeeping for your stale MEM profiles including archiving with Microsoft Graph

Windows Terminal and SSH - the most beautiful SSH client?

Wed, 16 Dec 2020 00:00:00 +0000

My Windows Terminal SSH configuration and setting sync with OneDrive.

Export and import MEM Endpoint Security Profiles

Thu, 19 Nov 2020 00:00:00 +0000

Explaining the PowerShell scripts and process I used to export and import Intune endpoint security profiles

Shut up Surface Pro 7 fan noise!

Mon, 16 Nov 2020 00:00:00 +0000

Prevent Surface Pro 7 fan from going crazy by setting the max. processor power state

Build an Azure DevOps pipeline to automatically sign your PowerShell scripts

Thu, 01 Oct 2020 00:00:00 +0000

Automatically sign your PowerShell scripts with an Azure DevOps pipeline for improved security and integrity of your PowerShell scripts without handing out your code signing certificate.

Ensuring regular Defender Quick scans with Microsoft Endpoint Manager proactive remediations

Mon, 28 Sep 2020 00:00:00 +0000

Ensure Microsoft Defender for Endpoint Quick scans are running regularly with Endpoint analytics proactive remediations.

About

Tue, 22 Sep 2020 11:17:08 +0000

Thank you for visiting my blog and reading this far. You are friendly invited to leave any kind of feedback in the comment sections of my posts.

I’m mainly focusing on Microsoft Enterprise Mobility + Security and building modern workplace experiences with Microsoft 365 technology.

On this blog, I want to share technical posts and solutions from the field. I write those blog posts during my free time and don’t write posts with sponsored content.

Discover the Microsoft Graph API with the Microsoft Endpoint Manager Portal

Tue, 08 Sep 2020 00:00:00 +0000

Discover Microsoft Graph resources while browsing the MEM portal and learn how to automate portal actions

Access has been blocked by Conditional Access policies when using device code flow

Thu, 03 Sep 2020 00:00:00 +0000

Understand why device code flow doesn't always work with Azure AD Conditional Access based on your configuration.

Bulk create Intune mobile app deployment groups and assignments

Wed, 19 Aug 2020 00:00:00 +0000

Creating assignments and software deployment groups for Intune mobile apps is quite a repetitive and manual task. Because of that, I want to share a PowerShell script with you which allows you to automatically create software deployment groups in Azure AD and the assignments for various intents.

The script allows you to:

Create Azure AD groups (install uninstall purpose)
- Pick existing groups based on displayName
Assign Intune mobile apps (tested for Win32 and MSI LOB apps)

Add PowerShell modules to Azure functions

Mon, 17 Aug 2020 00:00:00 +0000

Azure functions for PowerShell natively ship without additional cmdlets or PowerShell modules. In this post, I will show you how to add both public modules from the PowerShell gallery with automatic dependency management and custom modules.

For both options, we use the Kudu tools to adjust the configuration of our function app. You can launch them from the “Advanced Tools” section of your function app:

Afterwards, launch the PowerShell debug console and navigate to the wwwroot folder of your app:

Playing around with the Office 365 Service Communications API

Mon, 10 Aug 2020 00:00:00 +0000

The Office 365 Service Communications API provides information about Microsoft 365 service status for your tenant including service messages. I built a little PowerShell module to access the API with PowerShell cmdlets. In this post I want to show you some examples which help you to use the API.

PowerShell Module

I built a PowerShell module to access Microsoft 365 service status details natively with PowerShell. The PowerShell module and documentation is available on the PowerShell Gallery and on GitHub.

Intune scope tags and role-based access control explained

Mon, 03 Aug 2020 00:00:00 +0000

For larger Intune environments a solid role-based access implementation becomes crucial to ensure a secure administration. But how does Intune role-based access control (RBAC) work in combination with scope tags and how to get started? This post gets you covered with explanations and practical examples.

Role-based access control within the Microsoft 365 ecosystem

Within the Microsoft 365 ecosystem, Microsoft provides Azure AD administrative roles to administrate services like Exchange (Exchange administrator), SharePoint (SharePoint administrator), Intune (Intune administrator) and so on.

Azure AD guest user review solution

Tue, 14 Jul 2020 00:00:00 +0000

Azure AD access review like solution to automatically approve and manage the lifecycle of your guest accounts based on Azure Logic App, Azure Functions and Key Vault.

Who invited this Azure AD guest user?

Tue, 14 Jul 2020 00:00:00 +0000

Who invited this Azure AD guest user? Examining who invited a specific a guest account can be quite a challenging question if you don’t have a log analytics workspace in place with Azure AD Audit log forwarding configured.

Kusto queries for your log analytics workspace

The following queries help you to identify who invited a guest. If you haven’t set-up Azure AD audit log forwarding it’s the right time to do it now as described in one of my previous blogs.

10 suggestions to improve your next PowerShell script

Wed, 08 Jul 2020 00:00:00 +0000

Most of the time PowerShell is my favourite choice to automate processes and tasks. In order to improve the maintainability of my scripts I usually try to focus on some standards combined with a clean scripting style. In this post I want to show you 10 suggestions to improve your next PowerShell script. I’ve tried to order the suggestions according to an actual PowerShell starting from the very first line till the last line.

Remove Azure AD direct License Assignments with PowerShell

Wed, 08 Jul 2020 00:00:00 +0000

Remove all direct assigned licenses from your Azure AD and Office 365 users with a PowerShell script to leverage on full group based licensing capabilities

How I migrated my Ghost blog to Jekyll

Sat, 27 Jun 2020 00:00:00 +0000

Sharing my experiences of migrating my techblog from Ghost on Azure to Jekyll static sites hosted on GitHub pages and with a workflow based on WSL and Visual Studio Code remoting.

Exploring the new Microsoft Graph PowerShell Module(s)

Tue, 12 May 2020 00:00:00 +0000

Microsoft is working on a new set of PowerShell modules grouped under the umbrella of Microsoft.Graph that will (hopefully) cover all the Microsoft Graph resources available. I’ve already used some of them for my Conditional Access Documentation Script and thought they have some notable features worth sharing.

Advantages and changes

The Microsoft Graph modules use the new Microsoft Authentication Library (MSAL) instead of the old Azure AD Authentication Library (ADAL). The MSAL library in the modules implements a token cache which persists the access and refresh tokens.

Validating a GUID with PowerShell

Tue, 05 May 2020 00:00:00 +0000

For some recent Microsoft Graph scripts I wanted to translate some Azure AD Object ID / GUID entries to their respective display name. The array with the GUID’s contained already some readable text. Of course I only wanted to translate the GUID entries with according Graph API requests. Otherwise the Graph requests would fail. Google offered only some fancy regex functions and helpers but I had that .NET function in my mind which looks much nicer compared to whatever regex pattern that I don’t understand.

Document Conditional Access Configuration with my Modern Workplace Concierge

Mon, 20 Apr 2020 19:22:33 +0000

Documenting things sucks. If it involves a lot of klick(edi klack klack) in portals and copying information around even more. But there’s hope. And it’s called automation. For the Intune part Thomas Kurt did already an awesome job with his IntuneDocumentation. Now the Modern Workplace Concierge is ready to help you with documenting your Conditional Access configuration. I promise you: we will get through this within under 15 minutes! Afterwards you can make an impression on your fellow Enterprise Mobility teammates.

I said Connect-AzureAD and not sign-out and re-sign-in!

Wed, 25 Mar 2020 17:21:25 +0000

If you are using the “AzureAD” PowerShell module (also applies to the AzureADPreview) you have probably noticed that the Connect-AzureAD Cmdlet ignores existing access tokens and initiates a new sign in to Azure AD even if you are already signed in.

Prompt you get when calling the "Connect-AzureAD" cmdlet

Long story short, I got annoyed every time when I accidentally recalled Connect-AzureAD (mostly when working with Scripts) until I found this amazing hint on technet and now I want to (re-)share it with you.

Generate a report about assigned Azure Active Directory roles

Thu, 19 Mar 2020 20:42:07 +0000

The Azure AD portal does not really provide an overview about all directory role assignments in your tenant. If you want to review existing Azure AD Directory roles a csv report will probably better server your needs. Therefore I created a PowerShell script to export the role assignments.

The Azure AD Portal only displays limited information about the assignments

### PowerShell Script

Find the PowerShell script in my techblog GitHub Repository.

Detect Deleted User Accounts in Azure Active Directory

Thu, 13 Feb 2020 08:30:46 +0000

An account in your Azure Active Directory got deleted and you want to examine who initiated the delete action? Sounds very simple but if you do not want to search your logs manually things become a little bit trickier.

The challenge

When a user gets deleted and you only remember it’s userPrincipalName you wont be able to to search for a match. And I doubt that you memorized the Azure AD object id of that user.

Managing the new Microsoft Edge Browser with Intune

Mon, 03 Feb 2020 15:40:58 +0000

With the availability of the new Edge browser based on chromium I gained the first experiences about configuring the browser in an enterprise environment. Of course I want to share those with you. This post hopefully helps you to roll-out and configure the new Edge Browser with Microsoft Intune.

Install the new Edge Chromium with Intune

The installation of Edge is not the main topic of this post. The Edge browser is available in Intune as built-in app type like the Office 365 suite. More information about the installation process is available here.

Prevent Intune devices from getting the Microsoft search (Bing) plugin

Fri, 24 Jan 2020 11:19:24 +0000

Microsoft recently announced to install a Bing extension on new and existing Office 365 ProPlus installations which will set Bing as the default search engine starting with the first Office 365 ProPlus release in 2020 - not appreciated Microsoft and definitely not what customers want! The extension will be shipped for new Office installations and existing clients with Office 365 ProPlus installed when they update.

Update 11.02.2020: “ The Microsoft Search in Bing browser extension will not be automatically deployed with Office 365 ProPlus.” - I will keep this post for the archives.

Deploy fonts to Intune managed Windows 10 devices

Sun, 19 Jan 2020 16:25:21 +0000

Recently a customer using Microsoft Intune requested to deploy a TrueType font required by one of their line of business apps. Because Intune does not offer a native solution to deploy fonts it was quite clear that a PowerShell script or Intune Win32 app should do the trick. Note that the mentioned PowerShell scripts can also be used for app deployments with Configuration Manager (MEMCM).

How to install a font programmatically?

There seem to be multiple options depending on the operating system version. I’ve tested this with Windows 10 1909. And broke it down to the following steps:

Connecting to foreign Intune tenants with Microsoft Graph and PowerShell

Thu, 09 Jan 2020 13:25:02 +0000

If you manage multiple Intune tenants with your Azure AD account (invited as guest in the foreign tenant) we need a way to specify the tenant id we want to connect. Otherwise you will land in your home-tenant every time. This posts shows you how to accomplish that with the Intune PowerShell SDK.

If we have a look at the default Graph settings in a PowerShell session with the Intune PowerShell SDK you will notice that all authentication requests will land on the /common endpoint.

Monitor Apple token expiration in Intune

Sat, 04 Jan 2020 14:55:00 +0000

Apple tokens for Mobile Device Management like APNS certificates, DEP and VPP tokens need a renewal every 365 days. When an APNS certificate has expired you are forced to re-enroll all of your MDM managed apple devices. To avoid any headaches I put together a few lines of PowerShell which monitor the expiration with Azure automation and send a notification to Microsoft teams or email.

Script

The script is intended to run recurring on Azure automation. And I recommend to setup a schedule which runs the script once a week. The script checks the following apple tokens and triggers the teams notification if it expires in less than the configured number of days:

Blogging year 2019 in numbers

Sat, 04 Jan 2020 14:53:14 +0000

Most of the people out there blogging have recently published numbers and figures about 2019. Starting the new decade I also want to publish some figures about 2019 and wish you a happy and successful start into 2020.

Blog

On my blog I tried to focus mainly on Enterprise Mobility + Security topics and shared some experiences and how-to’s about the modern workplace.

28 blog posts published
101'074 page visits
04:08 (mm:ss) is the average time users spent on my site

Tools

I published two open source tools in 2019, both are available on GitHub and both of them support your Microsoft 365 based workplace:

Have you already started with Intune automation and Microsoft Graph?

Thu, 19 Dec 2019 21:16:47 +0000

This post has the intention to give you an overview and starting point to automate things with the Microsoft Graph API and PowerShell. While having the focus on Intune and EM+S but the basics are also valid for other Microsoft services.

The world is changing and so are you?

When talking about automation most people only think about some PowerShell code and scheduled tasks running on whatever box in an environment. But technology regarding Microsoft services and it’s automation possibilities have definitely evolved quickly. Automation can now be done with basically any scripting or programming language because Microsoft offers us the Microsoft Graph API. Although API (application program interface) sounds more like a developer term engineers should better get used to consuming API’s. As more and more services can be consumed as SaaS API’s are mostly offered for further data processing and automation.

Application based authentication with the Intune PowerShell SDK using a certificate

Tue, 10 Dec 2019 15:43:58 +0000

As you might have noticed I have been doing quite a lot of automation stuff with Microsoft Graph for Intune and Azure AD. My preferred way to run PowerShell scripts which need to run on a regular basis is to use Azure automation. Unfortunately the official “Intune-PowerShell-SDK” does not support authentication with a client certificate. Therefore I updated the module and will show you how to use it with Azure automation.

Manage Azure AD group based licensing with PowerShell

Wed, 04 Dec 2019 14:39:00 +0000

Recently I needed to assign a lot of Microsoft licenses to different Azure AD groups. Unfortunately Microsoft does currently not offer a solution to do this (yet). Instead of giving up on this I decided to analyze what actually happens when you assign a license to a group in the Azure portal and found some actions going on within the hidden portal API. As an outcome I built a PowerShell module to manage Azure AD group based licensing assignments.

Export and import Intune and Conditional Access configuration

Tue, 03 Dec 2019 07:28:18 +0000

With Microsoft Graph we have powerful automation and configuration management capabilities. To further simplify this process I built the “Modern Workplace Concierge”. It is an ASP.NET application which uses an Azure AD multi tenant app to access the Microsoft Graph API on behalf to perform export and import tasks. The project uses the Microsoft Graph Beta API to access your tenant’s data.

Modern Workplace Concierge

The Modern Workplace Concierge allows you to:

Bulk update Windows Autopilot groupTags

Sun, 01 Dec 2019 11:21:58 +0000

Recently I needed to change a couple of groupTags on existing Windows Autopilot devices. Because Windows Autopilot profiles have been assigned based on the groupTag. Of course I could have done this with the portal (check out the devicemanagement.microsoft.com portal if not done yet!) but I am definitely an automation fan when I need to do repetitive work.

Portal view and property mapping

In the Intune portal the Group Tag field on an Autopilot device maps to the Azure AD device property “OrderID”.
Dynamic Azure AD Groups to assign Autopilot profiles to devices can be built with the following membership rule:

Conditional Access and Azure Log Analytics in Harmony

Fri, 18 Oct 2019 22:06:04 +0000

Auditing Conditional Access events and changes is crucial regarding your hygiene in Azure AD for your modern workplace. With the goal that we receive appropriate notifications and alerts if special events occur. Thanks to Azure Log Analytics (also referred to as Azure Monitor) we can easily filter and create alerts based on events. This post starts where most of the others end - giving you practical examples of KUSTO queries to search your Azure AD Audit logs with Log Analytics.

Unable to reset Windows Hello for Business PIN

Fri, 11 Oct 2019 16:12:14 +0000

Recently I have been troubleshooting a nasty Windows Hello for Business problem which prevented all users in a tenant from resetting their Windows Hello for Business PIN’s on Azure AD joined devices while getting the error CAA20004.

Issue

When clicking on “I forgot my PIN”:

After completing the account sign-in and MFA challenge the Error CAA20004 came up:

Troubleshooting

The Azure AD Portal shows us “Failure reason: other”.

Intune export uploaded PowerShell scripts

Wed, 09 Oct 2019 16:36:57 +0000

After you have uploaded a PowerShell script to the Intune portal you won’t be able to view the script or its content. Therefore things become complicated when an Intune tenant is managed by multiple admins and someone wants to update or review a script. In addition to the unknown script content things can go from bad to worse if you can’t find the script anymore. Fortunately we can recollect our PowerShell scripts directly from the Microsoft Graph API.

The Enrollment Status Page (ESP) and shared devices

Fri, 04 Oct 2019 14:44:10 +0000

If you use the Enrollment Status Page (ESP) on your (Autopilot) devices in blocking mode (Block device use until all apps and profiles are installed) things can get ugly and complicated if you sign-in with another user account on that machine. So it might be better to disable the Enrollment Status Page for all users who sign-in after the initial device enrollment.

ESP behaviour

I was not aware of the fact that only one ESP gets applied to a device and the first one applied will also remain on that device nevertheless if you configure additional ESP settings for different groups of users. In addition the ESP gets displayed for every account even if the account has no Intune license assigned and causing the ESP therefore to fail.

Windows Autopilot failed to delete device records

Sun, 29 Sep 2019 20:16:03 +0000

Recently I needed to delete a desktop machine from the Windows Autopilot service in order to use the machine in another tenant. But the problem was that the Intune and Azure AD device objects were already deleted. All attempts taken within the Microsoft 365 Device Management and Intune Portal were unsuccessful.

Issue

Usually the autopilot device shows the associated Azure AD and Intune objects but here they were shown as N/A (not available) because they were already deleted.

5 Ways to Screw Up Conditional Access

Wed, 28 Aug 2019 08:34:02 +0000

Nowadays where cloud services are available from all over the world we cannot (only) rely on trusted networks and on identities protected by usernames and passwords. Conditional access allows you to define granular controls whether an identity can access cloud applications. Based on the positive feedback for my “5 Ways to Screw up your Intune Tenant” post I felt empowered to get conditional access covered as well.

Chose your platform wisely

If you intend to use the device platform filter make sure that you cover all platforms including unknown platforms. Otherwise your might have a lack in your battleship. Also note that platform detection is based on best effort and can be exploited.

Windows Autopilot White Glove Field Notes

Wed, 14 Aug 2019 16:38:31 +0000

I’m happy to share some field notes and experiences with the Windows Autopilot White Glove feature which is available with the Windows 10 1903 release. I’ve done a lot of testing and engineering for a recent project which also included this brand new feature.

First things first (requirements)

This is probably the most important information of this post. Really make sure to verify the following prerequisites for Autopilot White Glove. Because there are additional requirements compared to Autopilot enrollments.

Windows Autopilot White Glove Error 0x81036501

Thu, 08 Aug 2019 16:58:05 +0000

While testing Autopilot White glove for a customer project my test machines always got stuck within the “Registering your device for mobile management” step and timed out after 12 minutes and returned the error “0x81036501” just before showing the White Glove Failed screen. I was doing my tests with Windows 10 1903 DE (German) with the most recent cumulative update installed, meaning OS build: 18362.267.

The Issue

As normal Autopilot enrollments were working like a charm this one had to be related to the White Glove scenario. Here’s a screen capture showing the actual behavior (unfortunately with German display language):

Intune Win32 app requirements deep dive

Mon, 05 Aug 2019 17:09:02 +0000

The Intune Win32 app requirements feature is quite underrated and often overseen in my experience. The ability to specify a custom PowerShell scripts allow us to check for specific hardware or device properties in order to determine if an app or firmware update should be installed or not. So there’s no need to build multiple and complex dynamic Azure AD groups for the assignment of your apps.

Use cases from the field

From recent projects I’ve discovered the following use cases to deploy Win32 apps only to specific hardware types:

5 Ways to Screw up your Intune Tenant

Wed, 31 Jul 2019 06:40:00 +0000

Here are 5 common recommendations based on misconfigurations I’ve came across in the field which will give your Intune tenant and devices a hard time to work smoothly. So better read this post that you not screw up your Intune tenant and maybe take advantage of the experiences others already gained.

Housekeeping

It’s important to know which devices are actually being used and usually a nice addition to understand compliance data. Stale device entries in may give you a wrong impression of your Intune tenant and it’s health. So enable the automatic device cleanup rule to remove the enrolled device from Intune. Additionally you may also remove the device entries stored in Azure Active Directory (I created a little on-demand script for this which can also run in azure automation).

Automating network drive mapping configuration with Intune

Fri, 19 Jul 2019 07:32:46 +0000

I’m thrilled to introduce the intune-drive-mapping-generator which creates PowerShell scripts to map network drives with Intune. The tool is open source and built on ASP.NET Core MVC.

The intune-drive-mapping-generator is your tool of choice to:

Generate an Intune PowerShell script to map network drives on Azure AD joined devices
Seamlessly migrate existing network drive mapping group policies
Generate a network drive mapping configuration from scratch
Use an existing Active Directory group as a filter to deploy all your drive mapping configurations within one script

This all happens without scripting effort. You receive a fully functional PowerShell script for the deployment with Intune.

Creating desktop shortcuts with Intune

Tue, 09 Jul 2019 23:22:24 +0000

Why want you to create desktop shortcuts with Intune? Business specific apps may require special shortcuts in order to launch the application with the right parameters. Or you need to create a shortcut for an application which is stored on your on premises fileserver. For this purpose I created a little solution which closes the gap between the modern cloud and on premises world. In comparison with other solutions this one works if you have redirected the users desktop with OneDrive Known Folder Move and automatically remediates missing shortcuts if they got deleted.

Bypassing Conditional Access Device Platform Policies

Tue, 02 Jul 2019 17:12:06 +0000

Recently I read a great article from the Microsoft IAM Director Sue Bohn concerning a Conditional Access Q&A. One question was about the device platform feature - which let’s you apply a policy only to a specific device platform like iOS, Android or Windows 10.

The detection of the device platform relies on the user agent string sent by the application or web browser. Because this one can be spoofed easily better configure your Conditional Access policies wisely.

Calling the Microsoft Graph API via PowerShell without a user

Mon, 17 Jun 2019 18:47:47 +0000

A colleague recently asked me how to access the Microsoft Graph API using PowerShell without specifying his user account or credentials. So here’s a little post about the required configuration to authenticate against the OAuth 2.0 endpoint of Azure AD with an app registration. This is especially useful for automation services like Azure automation.

At the end of this post you’ll find a PowerShell template.

Gather application information

Create a new client secret for your app and note down the following values:

Mastering Windows Hello for Business with your hybrid Identity

Sun, 09 Jun 2019 18:07:32 +0000

I had the honor to deploy Windows Hello for Business several times for customers transitioning to a modern workplace using Azure AD and Microsoft Intune to manage their Windows 10 devices - combined with hybrid user identities. Now I want to share the most common hurdles and my experiences with you.

Just to make sure that you have the modern mindset - here’s a little quote to reconsider your hybrid strategy (if not already done):

Onboard macOS to Microsoft Defender ATP with Microsoft Intune

Thu, 23 May 2019 14:23:57 +0000

Microsoft Defender ATP (MDATP) for macOS hit finally the public preview status. We can now protect our macOS endpoints with cloud based power. I created a little guide about the onboarding process with Microsoft Intune and the user experience.

Prerequisites

From a macOS endpoint perspective:

macOS version 10.12 (Sierra) or newer
No third party endpoint protection installed
At least 1GB of free disk space
macOS client enrolled in your Intune tenant

If you want to enable macOS enrollment for your Intune tenant - I’ve written a post about the enrollment process.

Enroll macOS devices to Microsoft Intune

Thu, 23 May 2019 14:22:05 +0000

As Microsoft starts to empower the integration for non Windows devices and also the available apps for macOS devices you might want to profit from your existing MDM solution of choice (Microsoft Intune) and enable features like conditional access or Windows Defender ATP on your macOS devices. This post covers the enrollment with the company portal app. If you want to enroll your devices with DEP (device enrollment program) you can find a great guide here.

Intune configure lid close action

Sun, 19 May 2019 19:08:00 +0000

When using your notebooks and portable devices together with a docking station your users might like to close the lid. The Windows 10 1903 release introduces additional power CSP settings. One of them allows you to configure the lid close action while on ac power - so the device doesn’t switch to hibernate mode as by default.

Policy CSP configuration

To configure this policy with Microsoft Intune use the following OMA-URI configuration within a new custom device configuration:

Introducing the OneDrive AutoMountTeamSites setting

Sun, 17 Mar 2019 16:03:09 +0000

Reviewing the latest OneDrive features I wanted to try the new AutoMountTeamSites setting which lets you preconfigure SharePoint online sites to sync automatically for defined users and devices.

Updated on 12.07.2019: Included the Intune administrative template configuration

The setting is officially described as follow:

This setting lets you specify SharePoint team site libraries to sync automatically the next time users sign in to the OneDrive sync client. (Microsoft)

If you enable this setting, the OneDrive sync client will automatically download the contents of the libraries you specified as online-only files the next time the user signs in. The user won’t be able to stop syncing the libraries. (Microsoft)

Intune map network drives and execute PowerShell script on each user logon

Fri, 11 Jan 2019 20:51:36 +0000

Recently a customer needed a drive mapping solution to access his on premise file shares during his transition phase to a cloud-only workplace. I wanted to share the solution with you because it’s a frequently asked question around a modern workplace migration. The following solution can also be extended or modified for a printer mapping or other PowerShell scripts which need to run on each user logon.

Updated 04.08.2019: I’ve developed an automated solution to generate network drive mapping configurations with an online tool which also migrates group policy network drive mappings. See: next-level-network-drive-mapping-with-intune.

Clean up stale Azure AD devices

Thu, 10 Jan 2019 22:25:00 +0000

If you are using Azure AD and the time passes you’ll have a lot of old device entries. If you enable the automatic device cleanup rule in Microsoft Intune the device is only removed within MDM and the Azure AD entry still exists.

Intune device cleanup rule

For this reason I created a tiny PowerShell snippet to create a report with all devices which didn’t contact your Azure AD tenant since the treshold date specified. If you confirm the operation you can also delete all affected devices.

Set Office 365 UsageLocation property with Azure automation

Wed, 09 Jan 2019 15:23:00 +0000

If you want to assign Microsoft licenses to your Azure AD users e.g. Microsoft 365 E3 licenses you can do this with group based licensing as described here. ~~The problem is that even with group based licensing the UsageLocation property for each user must be set individually.~~

Update: 13.01.2019: Since group based licensing is GA the tenant location is used if no UsageLocation is set on a user object. Use this guide if you want to manually assign licenses or override the tenant settings if you need to configure different UsageLocations.

SwissSkills some thoughts about this years competition

Sat, 15 Sep 2018 18:19:38 +0000

That’s it. Saturday morning, the day after my SwissSkills 2018 competition in Bern. Waiting for a call to answer even though I know that my performance was not good enough to deserve a podium spot.

Update, 16.09.2018: the rankings are now available and I made it to the fourth place. Missing third by 0.05 points (!)

My journey

Last year I had the privilege to compete at the national ICT skills after qualifying through the regional championships. I went there with no expectations I just wanted to know where I stand amongst others. In the end I was overwhelmed with the 3rd place.

Deploy OneDrive KFM with Microsoft Intune OMA-URI

Thu, 06 Sep 2018 18:37:21 +0000

OneDrive KFM (Known Folder Move) allows you to redirect common Windows folders (Desktop, Documents and Pictures) to the users personal OneDrive. OneDrive Known Folder Move is the modern replacement for the well known folder redirection group policy. The deployment with Microsoft Intune allows you to trigger or automate the OneDrive KFM configuration for your end users.

Updated on 04.08.2019: Added administrative template configuration

This post is based on a great article from Oliver Kieselbach about Deep dive ADMX ingestion to configure SilentAccountConfig with OneDrive. I used his blog to play around with the admx ingestion.

Windows 10 1803 New MDM Policy CSP Settings

Sat, 21 Apr 2018 22:11:30 +0000

Hello. Long time no see. Finally I’m back with a new post. This time I created a nice little list with Windows 10 1803 New MDM Policy CSP Settings for the next Windows 10 release. If you’re not familiar with Policy CSP Settings - that are GPO Settings configureable over an Intune OMA-Uri Policy. Here’s a great introducation to Policy CSP Settings.

My favorite policy CPS’s available with Windows 10 1803

The following CSP’s are available on Windows 10 1803 and later:

Surface Hub Miracast Connection Error

Fri, 05 Jan 2018 10:48:59 +0000

Recently I had to troubleshoot a sticky Surface Hub Miracast Connection error for a customer. They were unable to connect to the surface hub from domain joined devices but a newly installed device from a blank Windows image was working as expected. I started Troubleshooting the Surface Hub Miracast Connection Error and checked all the points mentioned in the official Troubleshoot Miracast on Surface Hub post from Microsoft.

Default Configuration

On a Windows 10 1709 device exists a default firewall rule to allow Miracast connections to wireless displays:

Windows 10 1709 Cannot Access SMB2 Share Guest Access

Thu, 19 Oct 2017 17:51:57 +0000

After Upgrading to Windows 10 1709 (Fall Creators Update) I couldn’t access my Synology NAS anymore. Therefore I started troubleshooting the Windows 10 1709 Cannot Access SMB2 Share Guest Access error:

An error occurred while reconnecting X: to \\nas\data Microsoft Windows Network: You can’t access this shared folder because your organization’s security policies block unauthenticated guest access. These policies help protect your PC from unsafe or malicious devices on the network.

PowerShell Script Test Open TCP Ports

Wed, 18 Oct 2017 13:28:12 +0000

Recently I was troubleshooting ADFS connection issues when I discovered a nice little Cmdlet called “Test-NetConnection”. With this Cmdelet you can verify TCP connectivity, in my case from a client to the ADFS server.

The Test-NetConnection cmdlet displays diagnostic information for a connection. It supports ping test, TCP test, route tracing, and route selection diagnostics. Depending on the input parameters, the output can include the DNS lookup results, a list of IP interfaces, IPsec rules, route/source address selection results, and/or confirmation of connection establishment.

Manage Local Administrator Rights Using Group Policy

Sat, 14 Oct 2017 13:37:49 +0000

If you imagine that your users or administrators have uncontrolled local administrator rights it’s a nightmare. They have (certainly) full control over their computer, and could do a lot of harm. So managing local administrator rights is definitely a must.

Manage Local Administrator Rights

The Active Directory Group Policies offer a great possibility to manage local groups on clients or servers. All the magic happens with “Restricted Groups”.

Adding a group or users to a local group

If you want to add a certain group to a built-in group add the group to the restricted groups under the “This group is a member of” sections:

PowerShell Function Validate Object Properties Using ValidateScript

Thu, 12 Oct 2017 10:25:09 +0000

Recently I was working on a PowerShell script with many custom functions. When I started to use PowerShell custom objects I wanted to be able to pass them to a function. So I faced the challenge of validating my object for all required properties and came up with this solution, using the ValidateScript block to test the object:

Customizing the ValidateScript

As you can see I use a ValidateScript for the parameter validation to test the object for the required properties. The properties can be specified in an array: $requiredProperties=@("Property1","Property2","Property3", "Property4") When we call the Function with an appropriate object:

Managing printers with PowerShell

Tue, 10 Oct 2017 17:54:54 +0000

Managing printers with PowerShell instead of VBScript? Sometimes it’s necessary to add and remove specific printers to a computer. For example during a client deployment or when a user logs on. This post covers how to manage printers with PowerShell.

The following PowerShell commands are supported with PowerShell version 4 and newer.

Installing a local network printer

Installing a local printer (without a printserver) consists of the following steps:

Add the printer driver to your system’s driverstore
Install the printer driver from the driverstore
Add a printer port to communicate with the printer
Last but not least add the printer

Add the printer driver to the driverstore

Before you can install the printer driver you need to import the printer driver to your system’s driverstore.

Disable Java Auto Update During Installation

Tue, 10 Oct 2017 17:00:01 +0000

Disable Java Auto Update without registry modification?

Recently i had to install Oracle Java on a Terminal server and was curious, if it’s possible to configure the package that the auto update feature is disabled without any registry configuration?

Custom configuration

On the Oracle website i found a great article about the possibility to pass a configuration file to the installer:

Here’s the syntax to install Java silently with a custom configuration:

Talks

Mon, 01 Jan 0001 00:00:00 +0000

I am looking forward speaking on the events listed below. Do not hesitate to contact me for your next event. Slides from past events can be downloaded as PDF.

Upcoming

Date	Event	Session
x	Your event?	For any speaking related inquiries just drop me an e-mail

Past

Date	Event	Session
08.10.2025	Workplace Ninja User Group Switzerland	Intune misconfigurations in the wild, what we see and what you should fix!
24.09.2025	Workplace Ninja Summit 2025	Various sessions
10.06.2025	Switch NetSec WG 2025	KQL Threat Hunting hands on lab
16.09.2024	Workplace Ninja Summit 2024	Various sessions
28.05.2024	KQL Café	Preventive side of ITDR with KQL
05.05.2024	MMS 2024 at MOA	Various sessions
30.10.2023	MMS 2023 Miami Beach Edition	Various sessions
27.09.2023	Workplace Ninja Summit 2023	Demystifying Defender for Endpoint Security Settings Management
19.03.2021	WPNinjaUG_CH 2103 Virtual	Automating Intune Tasks with the Microsoft Graph API
30.09.2020	Experts Live Switzerland	A safari through the Intune device management scenario jungle
29.11.2019	Geekmania	Hybrid Azure AD Join and Windows Hello for Business
04.10.2019	Configmgr Community Event (CMCE)	Classic On-Prem Services in the Cloud