Monitor Apple token expiration in Intune

Apple tokens for Mobile Device Management, such as APNS certificates and DEP and VPP tokens, need to be renewed every 365 days. When an APNS certificate has expired you are forced to re-enroll all of your MDM-managed Apple devices. To avoid any headaches I put together a few lines of PowerShell which monitor the expiration with Azure Automation and send a notification to Microsoft Teams or email. Script: The script is intended to run on a recurring schedule in Azure Automation....

January 4, 2020 · 2 min · 389 words · Nicola Suter

Blogging year 2019 in numbers

Most of the people out there blogging have recently published numbers and figures about 2019. Starting the new decade, I also want to publish some figures about 2019 and wish you a happy and successful start into 2020. Blog: On my blog I tried to focus mainly on Enterprise Mobility + Security topics and shared some experiences and how-tos about the modern workplace. 28 blog posts published; 101'074 page visits; 04:08 (mm:ss) is the average time users spent on my site. Tools: I published two open source tools in 2019, both are available on GitHub and both of them support your Microsoft 365 based workplace:...

January 4, 2020 · 2 min · 241 words · Nicola Suter

Have you already started with Intune automation and Microsoft Graph?

This post is intended to give you an overview and a starting point for automating things with the Microsoft Graph API and PowerShell. The focus is on Intune and EM+S, but the basics are also valid for other Microsoft services. The world is changing and so are you? When talking about automation most people only think about some PowerShell code and scheduled tasks running on whatever box in an environment....

December 19, 2019 · 5 min · 1011 words · Nicola Suter

Application based authentication with the Intune PowerShell SDK using a certificate

As you might have noticed, I have been doing quite a lot of automation with Microsoft Graph for Intune and Azure AD. My preferred way to run PowerShell scripts which need to run on a regular basis is Azure Automation. Unfortunately the official “Intune-PowerShell-SDK” does not support authentication with a client certificate. Therefore I updated the module and will show you how to use it with Azure Automation....

December 10, 2019 · 4 min · 678 words · Nicola Suter

Manage Azure AD group based licensing with PowerShell

Recently I needed to assign a lot of Microsoft licenses to different Azure AD groups. Unfortunately Microsoft does not currently offer a solution for this (yet). Instead of giving up, I decided to analyze what actually happens when you assign a license to a group in the Azure portal and found some actions going on within the hidden portal API. As an outcome I built a PowerShell module to manage Azure AD group-based licensing assignments....

December 4, 2019 · 2 min · 261 words · Nicola Suter

Export and import Intune and Conditional Access configuration

With Microsoft Graph we have powerful automation and configuration management capabilities. To further simplify this process I built the “Modern Workplace Concierge”. It is an ASP.NET application which uses an Azure AD multi-tenant app to access the Microsoft Graph API on the user's behalf to perform export and import tasks. The project uses the Microsoft Graph Beta API to access your tenant’s data. Modern Workplace Concierge: The Modern Workplace Concierge allows you to:...

December 3, 2019 · 1 min · 204 words · Nicola Suter

Bulk update Windows Autopilot groupTags

Recently I needed to change a couple of groupTags on existing Windows Autopilot devices, because Windows Autopilot profiles had been assigned based on the groupTag. Of course I could have done this with the portal (check out the devicemanagement.microsoft.com portal if you haven't yet!), but I am definitely an automation fan when I need to do repetitive work. Portal view and property mapping: In the Intune portal the Group Tag field on an Autopilot device maps to the Azure AD device property “OrderID”....

December 1, 2019 · 2 min · 215 words · Nicola Suter

Conditional Access and Azure Log Analytics in Harmony

Auditing Conditional Access events and changes is crucial for the hygiene of your Azure AD and your modern workplace, with the goal that we receive appropriate notifications and alerts when special events occur. Thanks to Azure Log Analytics (also referred to as Azure Monitor) we can easily filter and create alerts based on events. This post starts where most of the others end - giving you practical examples of Kusto queries to search your Azure AD audit logs with Log Analytics....

October 18, 2019 · 5 min · 951 words · Nicola Suter

Unable to reset Windows Hello for Business PIN

Recently I have been troubleshooting a nasty Windows Hello for Business problem which prevented all users in a tenant from resetting their Windows Hello for Business PINs on Azure AD joined devices, failing with the error CAA20004. Issue: When clicking on “I forgot my PIN”, after completing the account sign-in and MFA challenge, the error CAA20004 came up. Troubleshooting: The Azure AD portal shows us “Failure reason: other”. Recording all the HTTPS traffic to Microsoft's OAuth2 endpoint with Fiddler finally unveiled usable information:...

October 11, 2019 · 2 min · 302 words · Nicola Suter

Intune export uploaded PowerShell scripts

After you have uploaded a PowerShell script to the Intune portal you won’t be able to view the script or its content. Therefore things become complicated when an Intune tenant is managed by multiple admins and someone wants to update or review a script. In addition to the unknown script content, things can go from bad to worse if you can’t find the script anymore. Fortunately we can retrieve our PowerShell scripts directly from the Microsoft Graph API....

October 9, 2019 · 1 min · 149 words · Nicola Suter