Microsoft Graph Access Token Acquisition with PowerShell explained in depth
When working with the Microsoft Graph API or introducing the API to colleagues I often get asked about the steps required to obtain an access token for the A...
Posts by Year
2021
2020
Android Enterprise Enrollment: Page Not Found
While doing some Android Enterprise enrollment tests for corporate-owned devices with work profiles I stumbled over the following issue after signing-in with...
Windows Terminal and SSH - the most beautiful SSH client?
I like to have a linux machine for some lab stuff which I can access from multiple machines prefereably over SSH. Because Windows 10 ships with an integrated...
Housekeeping for stale MEM profiles
When involved in new projects I often find a bunch of old profiles in the Microsoft Endpoint Management Console. Before going ahead with a new implementation...
Export and import MEM Endpoint Security Profiles
Recently I got a DM on Twitter with a question about how to export and import Endpoint Security profiles with Microsoft Graph. Besides a technical answer whi...
Shut up Surface Pro 7 fan noise!
I recently bought a Surface Pro 7 with an Intel Core i7 and 256 GB SSD and it was a quite good deal. I’m using it primarily for my studies in computer scienc...
A better Azure AD break glass account?
We all know that we should have some kind of emergency access aka “break glass accounts” to access our Azure AD tenant if things go worse, don’t we? Today I ...
Build an Azure DevOps pipeline to automatically sign your PowerShell scripts
Too lazy to sign your PowerShell scripts? Yes of course it provides security benefits but performing the steps manually can be easily forgotten and re-signin...
Ensuring regular Defender Quick scans with Microsoft Endpoint Manager proactive remediations
While looking into the new Microsoft Defender Antivirus report available in MEM (Intune) I discovered some machines which did not report any recent Defender ...
Discover the Microsoft Graph API with the Microsoft Endpoint Manager Portal
You always wanted to automate a specific action within Intune / the Microsoft Endpoint Manager Portal (MEM) but were afraid of the complexity? The Microsoft ...
Access has been blocked by Conditional Access policies when using device code flow
When using device code authentication for PowerShell modules with conditional access you might receive prompts like: “Access has been blocked by Conditional ...
Bulk create Intune mobile app deployment groups and assignments
Creating assignments and software deployment groups for Intune mobile apps is quite a repetitive and manual task. Because of that, I want to share a PowerShe...
Add PowerShell modules to Azure functions
Azure functions for PowerShell natively ship without additional cmdlets or PowerShell modules. In this post, I will show you how to add both public modules f...
Playing around with the Office 365 Service Communications API
The Office 365 Service Communications API provides information about Microsoft 365 service status for your tenant including service messages. I built a littl...
Intune scope tags and role-based access control explained
For larger Intune environments a solid role-based access implementation becomes crucial to ensure a secure administration. But how does Intune role-based acc...
Who invited this Azure AD guest user?
Who invited this Azure AD guest user? Examining who invited a specific a guest account can be quite a challenging question if you don’t have a log analytics ...
Azure AD guest user review solution
Azure Active Directory guest users really simplify the process to collaborate with external users. Although keeping a good governance on guest accounts can b...
Remove Azure AD direct License Assignments with PowerShell
Who doesn’t love a clean and tidy environment, do you? This also applies for your license assignments in Office 365 and Azure AD. As time passess it is likel...
10 suggestions to improve your next PowerShell script
Most of the time PowerShell is my favourite choice to automate processes and tasks. In order to improve the maintainability of my scripts I usually try to fo...
How I migrated my Ghost blog to Jekyll
Another migration of my blog? After running it for almost three years I thought it’s time for another change. The Ghost platform introduced a lot of changes ...
Exploring the new Microsoft Graph PowerShell Module(s)
Microsoft is working on a new set of PowerShell modules grouped under the umbrella of Microsoft.Graph that will (hopefully) cover all the Microsoft Graph res...
Validating a GUID with PowerShell
For some recent Microsoft Graph scripts I wanted to translate some Azure AD Object ID / GUID entries to their respective display name. The array with the GUI...
Document Conditional Access Configuration with my Modern Workplace Concierge
Documenting things sucks. If it involves a lot of klick(edi klack klack) in portals and copying information around even more. But there’s hope. And it’s call...
I said Connect-AzureAD and not sign-out and re-sign-in!
If you are using the “AzureAD” PowerShell module (also applies to the AzureADPreview) you have probably noticed that the Connect-AzureAD Cmdlet ignores exist...
Generate a report about assigned Azure Active Directory roles
The Azure AD portal does not really provide an overview about all directory role assignments in your tenant. If you want to review existing Azure AD Director...
Detect Deleted User Accounts in Azure Active Directory
An account in your Azure Active Directory got deleted and you want to examine who initiated the delete action? Sounds very simple but if you do not want to s...
Managing the new Microsoft Edge Browser with Intune
With the availability of the new Edge browser based on chromium I gained the first experiences about configuring the browser in an enterprise environment. Of...
Prevent Intune devices from getting the Microsoft search (Bing) plugin
Microsoft recently announced to install a Bing extension on new and existing Office 365 ProPlus installations which will set Bing as the default search engin...
Deploy fonts to Intune managed Windows 10 devices
Recently a customer using Microsoft Intune requested to deploy a TrueType font required by one of their line of business apps. Because Intune does not offer ...
Connecting to foreign Intune tenants with Microsoft Graph and PowerShell
If you manage multiple Intune tenants with your Azure AD account (invited as guest in the foreign tenant) we need a way to specify the tenant id we want to c...
Monitor Apple token expiration in Intune
Apple tokens for Mobile Device Management like APNS certificates, DEP and VPP tokens need a renewal every 365 days. When an APNS certificate has expired you ...
Blogging year 2019 in numbers
Most of the people out there blogging have recently published numbers and figures about 2019. Starting the new decade I also want to publish some figures abo...
2019
Have you already started with Intune automation and Microsoft Graph?
This post has the intention to give you an overview and starting point to automate things with the Microsoft Graph API and PowerShell. While having the focus...
Application based authentication with the Intune PowerShell SDK using a certificate
As you might have noticed I have been doing quite a lot of automation stuff with Microsoft Graph for Intune and Azure AD. My preferred way to run PowerShell ...
Manage Azure AD group based licensing with PowerShell
Recently I needed to assign a lot of Microsoft licenses to different Azure AD groups. Unfortunately Microsoft does currently not offer a solution to do this ...
Export and import Intune and Conditional Access configuration
With Microsoft Graph we have powerful automation and configuration management capabilities. To further simplify this process I built the “Modern Workplace Co...
Bulk update Windows Autopilot groupTags
Recently I needed to change a couple of groupTags on existing Windows Autopilot devices. Because Windows Autopilot profiles have been assigned based on the g...
Conditional Access and Azure Log Analytics in Harmony
Auditing Conditional Access events and changes is crucial regarding your hygiene in Azure AD for your modern workplace. With the goal that we receive appropr...
Unable to reset Windows Hello for Business PIN
Recently I have been troubleshooting a nasty Windows Hello for Business problem which prevented all users in a tenant from resetting their Windows Hello for ...
Intune export uploaded PowerShell scripts
After you have uploaded a PowerShell script to the Intune portal you won’t be able to view the script or its content. Therefore things become complicated whe...
The Enrollment Status Page (ESP) and shared devices
If you use the Enrollment Status Page (ESP) on your (Autopilot) devices in blocking mode (Block device use until all apps and profiles are installed) things ...
Windows Autopilot failed to delete device records
Recently I needed to delete a desktop machine from the Windows Autopilot service in order to use the machine in another tenant. But the problem was that the...
5 Ways to Screw Up Conditional Access
Nowadays where cloud services are available from all over the world we cannot (only) rely on trusted networks and on identities protected by usernames and pa...
Windows Autopilot White Glove Field Notes
I’m happy to share some field notes and experiences with the Windows Autopilot White Glove feature which is available with the Windows 10 1903 release. I’ve ...
Windows Autopilot White Glove Error 0x81036501
While testing Autopilot White glove for a customer project my test machines always got stuck within the “Registering your device for mobile management” step ...
Intune Win32 app requirements deep dive
The Intune Win32 app requirements feature is quite underrated and often overseen in my experience. The ability to specify a custom PowerShell scripts allow u...
5 Ways to Screw up your Intune Tenant
Here are 5 common recommendations based on misconfigurations I’ve came across in the field which will give your Intune tenant and devices a hard time to work...
Automating network drive mapping configuration with Intune
I’m thrilled to introduce the intune-drive-mapping-generator which creates PowerShell scripts to map network drives with Intune. The tool is open source and ...
Creating desktop shortcuts with Intune
Why want you to create desktop shortcuts with Intune? Business specific apps may require special shortcuts in order to launch the application with the right ...
Bypassing Conditional Access Device Platform Policies
Recently I read a great article from the Microsoft IAM Director Sue Bohn concerning a Conditional Access Q&A. One question was about the device platform ...
Calling the Microsoft Graph API via PowerShell without a user
A colleague recently asked me how to access the Microsoft Graph API using PowerShell without specifying his user account or credentials. So here’s a little p...
Mastering Windows Hello for Business with your hybrid Identity
I had the honor to deploy Windows Hello for Business several times for customers transitioning to a modern workplace using Azure AD and Microsoft Intune to m...
Onboard macOS to Microsoft Defender ATP with Microsoft Intune
Microsoft Defender ATP (MDATP) for macOS hit finally the public preview status. We can now protect our macOS endpoints with cloud based power. I created a l...
Enroll macOS devices to Microsoft Intune
As Microsoft starts to empower the integration for non Windows devices and also the available apps for macOS devices you might want to profit from your exist...
Intune configure lid close action
When using your notebooks and portable devices together with a docking station your users might like to close the lid. The Windows 10 1903 release introduces...
Introducing the OneDrive AutoMountTeamSites setting
Reviewing the latest OneDrive features I wanted to try the new AutoMountTeamSites setting which lets you preconfigure SharePoint online sites to sync automat...
Intune map network drives and execute PowerShell script on each user logon
Recently a customer needed a drive mapping solution to access his on premise file shares during his transition phase to a cloud-only workplace. I wanted to s...
Clean up stale Azure AD devices
If you are using Azure AD and the time passes you’ll have a lot of old device entries. If you enable the automatic device cleanup rule in Microsoft Intune th...
Set Office 365 UsageLocation property with Azure automation
If you want to assign Microsoft licenses to your Azure AD users e.g. Microsoft 365 E3 licenses you can do this with group based licensing as described here. ...
2018
SwissSkills some thoughts about this years competition
That’s it. Saturday morning, the day after my SwissSkills 2018 competition in Bern. Waiting for a call to answer even though I know that my performance was n...
Deploy OneDrive KFM with Microsoft Intune OMA-URI
OneDrive KFM (Known Folder Move) allows you to redirect common Windows folders (Desktop, Documents and Pictures) to the users personal OneDrive. OneDrive Kno...
Windows 10 1803 New MDM Policy CSP Settings
Hello. Long time no see. Finally I’m back with a new post. This time I created a nice little list with Windows 10 1803 New MDM Policy CSP Settings for the ne...
Surface Hub Miracast Connection Error
Recently I had to troubleshoot a sticky Surface Hub Miracast Connection error for a customer. They were unable to connect to the surface hub from domain join...
2017
Windows 10 1709 Cannot Access SMB2 Share Guest Access
After Upgrading to Windows 10 1709 (Fall Creators Update) I couldn’t access my Synology NAS anymore. Therefore I started troubleshooting the Windows 10 1709 ...
PowerShell Script Test Open TCP Ports
Recently I was troubleshooting ADFS connection issues when I discovered a nice little Cmdlet called “Test-NetConnection”. With this Cmdelet you can verify TC...
Manage Local Administrator Rights Using Group Policy
If you imagine that your users or administrators have uncontrolled local administrator rights it’s a nightmare. They have (certainly) full control over their...
Managing printers with PowerShell
Managing printers with PowerShell instead of VBScript? Sometimes it’s necessary to add and remove specific printers to a computer. For example during a clien...
Disable Java Auto Update During Installation
Disable Java Auto Update without registry modification?