Hi, I'm Nicola 👋 on Nicola Suter

Finally native SOAR in Sentinel?

Mon, 11 May 2026 06:00:03 +0000

The Microsoft Sentinel SOAR playbook generator has mostly flown under the radar since it entered public preview, so let’s look at what it can do and whether it can replace Logic Apps with something more native. In SecOps conversations, I often hear the same view: Logic Apps are fine, but if you already script or code, they can feel like overhead rather than a productivity boost. Many MSSPs also rely on more flexible tooling such as Azure Functions or compiled code for incident automation.

The new Sentinel playbook generator feels more native for Defender XDR and Sentinel integration, and it adds AI on top. Let’s see whether that actually helps.

Playbook Generator in Action
#

You can find the playbook generator in the Unified Security Operations Platform (USOP) under the Sentinel automation blade, via the ‘Playbook Generator ✨’ option.

It opens a Visual Studio Code or GitHub Codespaces-style editor with Cline preinstalled for building Python playbooks.

Creating a playbook with natural language is straightforward. Cline uses a plan-and-act flow: you describe what you want, then it tests and builds the playbook.

For my initial tests, I used the following prompt:

Don't let Entra ID Protection miss your next breach!

Sun, 22 Mar 2026 10:00:03 +0000

All too often, my baseVISION (IR) colleagues and I find compromised cloud accounts where many security ‘signals’ were missed—both from a prevention and detection perspective. In this blog post, I want to share some motivation and tips to help you adopt Entra ID Protection risk-based Conditional Access policies to increase your tenant’s security posture, and ensure you don’t miss the next obvious account breach.

Real-world motivation
#

Anyone who has seen an AiTM campaign in the wild will probably notice the following details from the Entra ID sign-in logs of a compromised account:

ResourceDisplayName: OfficeHome
UserAgent: axios/1.13.2

The problem? Even though Entra ID Protection flagged the sign-in as ‘High’ risk, the user could still sign in because MFA automatically remediated the sign-in risk (userPassedMfaDrivenByRiskBasedPolicy).

The bummer?
#

The environment had a Conditional Access policy in place that would have blocked users with high sign-in risk, but the policy was only in report-only mode, so the user could sign in without any issues.

CEO impersonation with Microsoft Booking

Wed, 18 Mar 2026 20:00:03 +0000

Recently I observed an interesting behavior after setting up a Microsoft Booking page. After creating the booking page, I suddenly got an e-mail to an automatically created mail alias with the same name as the booking page. This made me curious and I wanted to understand the behavior behind this, and if this could be abused by attackers to impersonate users in Exchange online. In this blog post, I want to share my findings and some tips on how to detect and prevent this kind of abuse in your environment.

Microsoft Booking
#

Microsoft describes the Bookings capabilities as part of Microsoft 365:

“A simpler way to organize schedules and manage appointments.”

Booking pages can be either of type ‘personal’ or ‘shared’:

Personal booking pages provide a handy option for users to create their own booking page, which is automatically linked to their calendar and allows others to book appointments with them. This is a great feature for users who want to share their availability and allow others to easily schedule meetings.
The shared booking pages allow teams to provide a booking experience for services hosted by a team and come with a special mailbox and calendar.

Defender XDR Unified Detections Meet Sentinel Data Lake

Tue, 24 Feb 2026 22:00:03 +0000

With the Unified Security Operations Platform (USOP), Microsoft introduces Unified Detections - a single detection framework spanning both Sentinel and Defender XDR data. Pair this with native Sentinel Data Lake ingestion for XDR tables, and you have a compelling cost-optimization story. But is it ready for prime time? Let’s dive into the capabilities, current limitations, and what it means for your detection strategy.

Architecture Overview
#

Previous Detection Architecture
#

In the ‘previous’ architecture, detections were created and managed separately for Microsoft Sentinel and Microsoft Defender XDR. This often led to overhead in terms of ‘where to create the detection’. Let’s take the use-case of IoC (Indicators of Compromise) based detections. Previously, if a security team wanted to create a detection based on IoCs imported via TAXII into Sentinel and the DeviceNetworkEvents table, they would need to ingest the DeviceNetworkEvents data into Sentinel as well and create the detection rule there. Furthermore, many MSSPs leveraged this pattern to create custom detections for their customers across Defender Advanced Hunting Data.

As part of the USOP onboarding, the following effects come into play, marked with an asterisk above:

AI just solved a CTF for me!

Fri, 16 Jan 2026 21:00:03 +0000

At this year’s YellowHat conference in Almere, the Dutch security community had the chance to participate in a Capture The Flag (CTF) competition organized by one of the conference sponsors - Blu Raven. Mehmet from Blu Raven did a great job setting up a CTF with realistic scenarios and datasets, which made it a lot of fun to solve the challenges.

Foreword
#

Being a big fan of CTFs and digital forensics and incident response (DFIR) in general, I couldn’t resist the temptation to participate. After numerous attempts to solve the first challenge and an enlightening tip from a colleague, I made some progress and solved the first 12 challenges.

To avoid running out of time, I decided to try something unconventional for the remaining challenges - I used AI to help me solve them. Professor Smoke aka Henning Rauch teased the new Microsoft Fabric Real-Time Intelligence (RTI) capabilities during his talk at YellowHat¹, so I thought this would be a great opportunity to test these out in a real-world scenario. Little did I know that the outcome would be surprising!

Preconditions
#

Azure Data Explorer
#

Because the CTF data was stored in an Azure Data Explorer (ADX) cluster, the prerequisite for using the Fabric RTI MCP server was already met, because we can query data in Eventhouse and ADX. Besides that I had already set up GitHub Copilot within Visual Studio Code in agent mode from previous AI ramblings.

Did you hear that maester supports Intune?

Thu, 04 Dec 2025 20:00:07 +0000

Did you know that the maester framework now supports Microsoft Intune checks? In this blog post, I’ll give you a quick overview of the new capabilities and how to get started.

About Maester
#

Maester is an open-source security assessment framework that helps you evaluate the security posture of your Microsoft Entra ID and Microsoft 365 environments. It provides a collection of tests that can be run against your tenant to identify potential misconfigurations and security risks.

After executing the tests, maester generates a detailed report that highlights the findings and provides recommendations for remediation:

Intune Related Checks
#

The great thing about maester is that it’s highly extensible, allowing you to add custom tests and checks based on your specific requirements. To share some Intune best practices with the community, I contributed a set of Intune related checks to the maester framework.

The following Intune checks are now available in maester:

MT.1090 - Global administrator role should not be added as local administrator on the device during Microsoft Entra join
MT.1091 - Registering user should not be added as local administrator on the device during Microsoft Entra join
MT.1092 - Intune APNS certificate should be valid for more than 30 days
MT.1093 - Apple Automated Device Enrollment Tokens should be valid for more than 30 days
MT.1094 - Apple Volume Purchase Program Tokens should be valid for more than 30 days
MT.1095 - Android Enterprise account connection should be healthy
MT.1096 - Ensure at least one Intune Multi Admin Approval policy is configured
MT.1097 - Ensure all Intune Certificate Connectors are healthy and running supported versions
MT.1098 - Mobile Threat Defense Connectors should be healthy
MT.1099 - Windows Diagnostic Data Processing should be enabled
MT.1100 - Intune Diagnostic Settings should include Audit Logs
MT.1101 - Default Branding Profile should be customized
MT.1102 - Windows Feature Update Policy Settings should not reference end of support builds
MT.1103 - Ensure Intune RBAC groups are protected by Restricted Management Administrative Units or Role Assignable groups
MT.1105 - Ensure MDM Authority is set to Intune

Example
#

To run the tests you can simply run:

Mai 2024 KQL Café Recap

Mon, 01 Jul 2024 20:07:46 +0000

In May I had the pleasure to be invited to the KQL Café which is hosted by Gianni Castaldi & Alex Verboon. Within this format they empower people to work with KQL and share various tips and tricks. So this is not a usual blogpost but rather a summary and resource hub for the things I presented within the KQL Café.

Summary
#

To make the content of my talk more accessible, you can find a summary of the individual topics, including the leveraged KQL queries and further resources as part of this post. The KQL queries were mostly consuming the Entra ID Sign-In and Audit Logs. You can forward them to your Microsoft Sentinel or Log Analytics workspace.

Recording
#

You can find the full recording of the KQL Café on YoutTube.

What the heck is ITDR?!
#

Identity Threat Detection and Response (ITDR) is currently one of my favourite topics. It’s basically a combination of the disciplines Identity and Access Management (IAM) and the cyber security disciplines detection and response. Similar to other cybersecurity topics there’s a rule of thumb: The more you invest on the preventive side to increase your identity security posture — the less effort you (hopefully) have on the detection and response side 🤞🤞. Within my talk for the KQL Café I addressed various of those ITDR topics that help you on the preventive side.

AiTM Phishing with Azure Functions

Mon, 01 Apr 2024 18:23:49 +0000

Recently I stumbled over a nice post from Wesly Neelen who built an AiTM phishing toolkit based on a cloudflare worker. Although ‘prooven’ AitM phishing toolkits such as evilginx provide more capabilities in terms of flexibility and robustness I wanted to setup my own phishing toolkit that runs serverless on Azure — based on Azure Functions to phish some Entra ID credentials and cookies.

Advantages of serverless phishing toolkits
#

Serverless platform solutions such as Cloudflare workers, AWS lambda and Azure functions provide some advantages to phishing toolkits that are server-based:

No Infrastructure as a Service (IaaS) resources like virtual machines and public IP addresses are required, this allows faster deployments, easier scaling and comes with low costs
Serverless platforms often have pooled outbound IP addresses that are dynamically assigned by the cloud provider
No DNS domain name or name server entries are required as the cloud provider assigns URLs to the serverless functions
As the domain names, IP addresses and certificates are issued and managed by the cloud provider, this goes usually hand-in-hand with better reputation

Let’s do AiTM Phishing with Azure Functions
#

Demo
#

The following demo provides a quick overview about the Azure AiTM Function and the replay of the cookies in an incognito browser window:

Have you heard about passkeys and AAGuids?

Fri, 01 Dec 2023 00:00:00 +0000

With the availability of passkeys the FIDO2 standards become more accessible in the form of password managers, web-browsers and (mobile) operating systems — without the need for dedicated hardware such as FIDO2 keys.

Microsoft is currently in the process of developing support for passkeys and shipping the public preview in Q1 2024:

While this is a very welcome addition to make passwordless authentication easily accessible without dedicated hardware such as FIDO2 security keys this also introduces new risks, especially for high value accounts — But why’s that?

Let’s imagine a fictive scenario (that might become reality in the future) of a user registering a passkey with his password manager app for a Microsoft Entra account. The security of this passkey is now determined by the security measures on the password manager app.

For the Microsoft roadmap this scenario is not (yet) applicable as Entra will only support device-bound passkeys. At the end of the day it is a similar situation as the security of the passkey depends on the device with the authenticator (passkey) on it and that’s not necessarily under the umbrella of IT security measures.

Fortunately there is hope and the FIDO alliance included that critical aspect of distinguishing authenticators in their standards as we’ll find out below.

Enriching Microsoft Sentinel tables with eligible Entra directory roles

Fri, 17 Nov 2023 00:00:00 +0000

Microsoft 365 Defender and Sentinel provide an IdentityInfo table that contains various information that is helpful for threat hunting and detections. One key piece are also the assigned Entra directory roles for a specific identity. Unfortunately only permanently assigned permissions are covered and in times of Entra Privileged Identity Management (PIM) we should have standing permissions only for non-privileged roles and break-glass accounts.

Within this blog post I want to share a few tips and tricks to answer the following questions with Sentinel and a little bit of scripting and KQL:

How can we enrich the IdentityInfo table to include eligible assigned directory roles?
Which synchronized user accounts have permanent or eligible directory roles assigned? (Spoiler: this should be avoided at all cost)
Were eligible directory role assignments not used within the last couple of days and can therefore be removed?

As a bonus I also prepared an analytics rule for mass unassignment of highly privileged Entra roles, as this tactic was used for example by the LAPSUS$ group.

Gathering PIM eligible Entra Directory Roles
#

As the IdentityInfo and other available built-in data sources do not include eligible role assignments we need a way to gather the existing role assignments. Fortunately, we can query the following Microsoft Graph endpoint to get the eligible permission assignments:

Maintaining Microsoft Sentinel Analytic Rules in JSON and YAML with GitHub Actions

Mon, 13 Nov 2023 00:00:00 +0000

Microsoft Sentinel Analytic Rules can be shared in both the YAML and ARM format, whereas the ARM format leverages JSON as file type. Within…

Microsoft Sentinel Analytic Rules can be shared in both the YAML and ARM format, whereas the ARM format leverages JSON as file type. Within this short post I want to demonstrate an approach that leverages a GitHub Action to automatically build and update the rules in YAML format — so you can just export and update existing rules without any manual conversion effort.

Fabian Bader built a cool solution called SentinelARConverter that allows conversion of exported Sentinel Analctic rules from ARM/JSON to YAML (and vice-versa). To emphasize sharing of analytic rules I wanted to adopt also the YAML format without the need to always manually convert the rules. Therefore I incorporated his solution into a GitHub Action.

Building a GitHub Action
#

The automation of this task is fairly simple if you are already familiar with GitHub actions. In case you want to directly see the full pipeline, you can find it here. Otherwise keep on reading.

The GitHub action should be triggered as soon as I upload a new Export of an Analytics Rule to the repository. For that, we need to define a folder structure. I maintain the rules within a folder called AnalyticRules. Based on that we can define the triggers for the workflow and filter only for the analytic rules path. This will only run the Action, when a file within that folder get’s changed. Additionally, I added a workflow_dispatch trigger, this allows manual execution of the pipeline.

Have you heard of workload identity access token replay?

Wed, 08 Nov 2023 00:00:00 +0000

Microsoft recently made the Microsoft Graph Activity Logs available as part of the Microsoft Entra ID diagnostic settings. This means we can use the MicrosoftGraphActivityLogs Table to enrich custom detections and analytic rules.

Within this post I want to elaborate closer on an attack scenario for workload identities that leverage workload identity federation and don’t have any persistent credentials or long lived secrets. But one type of credential artefacts is still theft-able — the short lived access tokens.

Adversaries can try to exfiltrate the access token from the CI/CD environment such as a GitHub action and replay the token within another system to access Entra ID protected resources.

This tactic could also be used in scenarios with App Registrations that leverage certificates or clients secrets where adversaries don’t have access to the credentials but get possession of the access token due to exposure in cleartext such as in log files or decrypted TLS traffic.

Stealing and replaying workload identity access tokens
#

To demonstrate a scenario to steal and replay an access token of a workload identity, I prepared a demo scenario with a GitHub action that acquires access tokens for the Microsoft Graph API and the Azure Resource Manager API. The pipeline leverages federated credentials (also referred to as workload identity federation).

Microsoft Entra Connect Sync Hardening

Sun, 24 Sep 2023 00:00:00 +0000

Microsoft Entra Connect Sync (aka Azure AD Connect) allows establishing hybrid identity scenarios by interconnecting on-premises Active Directory and Entra ID (aka Azure AD) and leveraging synchronisation features in both directions. As you might already know, this brings potential for abuse of the assigned permissions to the involved service accounts and permissions of this service.

On the internet are already some posts with subset of this information but I wanted to provide an actionable post with individual measures to implement. Of course should we do MFA for all admins and AD tiering but some of those steps involve more complex measures to implement and I will try to provide some individual building blocks you can use to harden the configuration of your Entra Connect service accounts.

Understanding the scope
#

To understand the scope of hardening we need to have an overview of the inner workings of that service. Entra Connect uses three different kind of service accounts for the different systems:

Entra: For the connected Entra tenant, per each Entra Connect installation a cloud only account is created by the wizard: Sync_EIDC02_bba3d8efb72a@nicoladev.onmicrosoft.com
Active Directory: The active directory account is used to connect a forest and allows both reading and depending on the leveraged synchronisation options also modifying the objects for password reset or group write-back scenarios
Synchronisation Service: Under this principal, the actual Entra Connect service is running on the server

Each kind of service account has various interesting privileges that can be abused by attackers. While the security of the server running Entra connect is also an important aspect I want to focus more on the leveraged user accounts as they are subject to multiple well-known attack scenarios.

Why you should use Entra Workload Identity Federation

Thu, 07 Sep 2023 00:00:00 +0000

Microsoft Entra Workload Identity Federation is a hidden gem when dealing with app registrations and service principals because it will significantly improve the security posture of your workload identities. While I already blogged about the more technical and implementation specific details in my GitHub Actions with Entra Workload Identity Federation post, I want to highlight the benefits and scenarios where you can use Workload Identity Federation to access Entra ID protected resources.

Quick recap on Workload Identities
#

Should you read this post and wonder what a Workload Identity is, here a quick recap:

A workload identity (can be either a managed identity or service principal) is used to access resources protected by Entra ID (Azure AD) from a service or automation
A service principal is an instance of an app registration. To leverage a service principal authentication with either a client secret, certificate, or federated credential is required.
A managed identity is a Microsoft managed identity of a resource such as a Logic App, Automation Account or VM. Microsoft manages the credentials of those managed identities. This allows for secure access as the credentials are not exposed to other services.

Managed Identity is the recommended type for workload identities for workloads that live in the Microsoft Azure ecosystem. For services and automations outside of Azure, service principals (app registrations) are the only option. The usage and credential configuration is unfortunately not a simple process.

Retrieving Windows LAPS Azure AD Passwords with PowerShell

Wed, 10 May 2023 00:00:00 +0000

Did you know that for the new Windows LAPS Azure AD is also maintaining the password history? The built in PowerShell commandlet relies on the Microsoft Graph PowerShell SDK and within this post I want to show you how to work with the Get-LapsAADPassword cmdlet.

Kudos to Niklas Tinner as he brought this to my attention while working together.

Where is this command originating from?
#

The Get-LapsAADPassword cmdlet is part of the LAPS PowerShell module that was baked into the Windows Operating system with the April 2023 quality updates.

The module is maintained as part of the Operating System and builds the Interface to interact with Windows LAPS locally on a device. The module binaries reside within C:\Windows\system32\WindowsPowerShell\v1.0\Modules\LAPS and consist of DLLs and PowerShell files:

Let’s retrieve some passwords
#

Before we can start retrieving passwords we need to make sure, that we have the appropriate Microsoft Graph PowerShell SDK module present.

We can easily check this with the following PowerShell command:

Get-Module -Name Microsoft.Graph -ListAvailable

If you do not retrieve any output, you need to install the module with local Administrator privileges with:

Let's have a tête-à-tête with the new Windows LAPS for Azure AD joined devices

Fri, 21 Apr 2023 18:56:24 +0000

Loooooong awaited and it’s finally here - the new Windows LAPS. With the previous announcement(s) of the integration into the native Windows operating system and support for Azure AD join this was a long-awaited feature. With the recent patch Tuesday the binaries were backed and delivered natively into the current Windows client and Server OS and today they also launched the Azure AD backend that can serve as the backup source for passwords. Within this post, I want to give you a quick impression of what the deployment experience currently looks like and where I needed some adjustments to get the expected result.

Setup
#

Prerequisites
#

To deploy LAPS with Azure AD password backup and Intune you need licenses/access to those tools and Windows 10/11 devices with the latest April patches installed. A full list of prerequisites is provided by Microsoft here.

Azure AD enablement
#

Unlike the on-premises AD LAPS enablement we do not need any schema extensions and can simply enable the following toggle within our Azure AD device settings:

Provoking Defender for Identity suspicious certificate usage alerts

Tue, 11 Apr 2023 00:00:00 +0000

Microsoft Defender for Identity (MDI) has announced a new capability back in February to detect suspicious certificate usage for Kerberos authentication. It is already well-known, that Active Directory Certificate Services (ADCS) is a lucrative target for adversaries to achieve persistence in Active Directory as ADCS can be easily misconfigured resulting in an easy way to exploit those misconfigurations. In this post I want to show you how easy those misconfigurations can be abused and how and when such an attempt is detected by Microsoft Defender for Identity new detection capabilities for suspicious certificate usage.

What makes a vulnerable environment
#

To be vulnerable for the certificate abuse scenario I will demonstrate an environment needs to have the following conditions present:

ADCS Enterprise Certification Authority (CA)
CA certificate must be present in NTAuth store (default behaviour when an enterprise ADCS CA is installed)
At least one domain controller needs to have a kerberos authentication certificate enrolled
At least one vulnerable certificate template that meets one of the following criteria’s:
– “specify subject name in the request” flag enabled AND granting enroll permissions to low privileged principals like domain users or domain computers (or equivalent)
– grants modify permissions to low privileged principals like domain users or computers (or equivalent)

The first three conditions are usually present in a standard Active Directory deployment and provide key functionality for other services. Certificate templates are also a standard thing, but there it really comes down to the (mis)configuration and hardening. Specterops documents those very well and provides tools to check for potential misconfigurations¹.

You must not touch my endpoint security settings!

Sun, 12 Mar 2023 00:00:00 +0000

Intune Endpoint Security Configuration Settings have become the way to go for configuring security features on various platforms. What did start with Microsoft Defender for Endpoint settings for Windows clients has evolved to settings for macOS, Windows Servers and is treated like a first class citizen. So it is important to guard those sensitive configurations as they control (and can potentially disable) vital security features on endpoints such as defender tamper protection, attack surface reduction rules, firewall and many more.

Within this post I want to show you an approach to monitor changes to Intune Endpoint security settings with Microsoft Sentinel and watchlists that can be easily customised based on your environment and needs. My main idea is to classify the sensitive configurations in the environment and only creating incidents for those. Of course you could alert on every Intune configuration change but for most of the environments this would lead to many alerts without providing value.

Prerequisites
#

Changes to the Intune Endpoint security settings area are visible like other changes within the Intune Audit Logs.

To have the audit events within our Sentinel workspace we need to enable the forwarding for at least AuditLogs. This can be done within the Intune Tenant Administration > Diagnostic Settings blade.

Optimising Microsoft Graph PowerShell scripts

Wed, 22 Feb 2023 00:00:00 +0000

We all have probably been there and developed a PowerShell script that took some fair amount of time until the execution completed, weren’t we? Of course one could argue and say that as long a script ‘works’ it is good enough but depending on the use case and environment a PowerShell script that runs 30 to 60 minutes exceeds the patience of most (IT) people and can also lead to increased costs. But what makes those kinds of scripts that awfully slow and can’t we just tweak them to run faster?

The following examples and script will be related to PowerShell and the Microsoft Graph API but the mentioned approaches can be adapted for any kind of RESTful API and scripting language. For all interactions with the Graph API I use the Microsoft Graph PowerShell SDK which is available as a PowerShell module from the PowerShell gallery.

Reasons why your script is slow
#

I would say I have already read and (tried to) understand hundreds of PowerShell scripts out there and I often notice the following flaws which lead to poor performance:

Slow algorithms and wrong data structures
#

Slow algorithms are extricably linked to the understanding of data structures when it comes to PowerShell scripting. Here the top two cases I often observe:

Migrating to the new Windows Store experience

Mon, 30 Jan 2023 18:56:24 +0000

The Microsoft Store for Business will be discontinued mid 2023 and Intune recently introduced the new Windows Store experience backed by winget to distribute apps to your Intune managed endpoints.

To simplify the migration to the new Windows Store experience I created a PowerShell Script that migrates all currently assigned Windows Store for Business apps to the new Windows Store experience.

Kudos to Sander Rozemuller for providing detailed instructions about creating winget apps as PowerShell code samples.

Challenges
#

While scripting and extracting the existing Windows Store for Business (WSfB) apps I encountered the following issues:

Not all apps in WSfB have valid privacy and information URLs, therefore I added a check whether the URL starts with http(s).
Some apps have characters present (äöüë….) that require UTF-8 encoding. So I explicitly set the HTTP content-type header to UTF8.

Script prerequisites
#

To run the script you need to have the Microsoft Graph PowerShell SDK modules installed on your machine. You can install them with the following command:

Install-Module Microsoft.Graph.Authentication, Microsoft.Graph.Devices.CorporateManagement -Scope CurrentUser

From a permissions perspective you need an Azure AD Application Administrator for the initial OAuth permission consent and for regular execution the Intune Administrator role.

GitHub Actions with Entra Workload Identity Federation

Mon, 23 Jan 2023 17:03:47 +0000

Workload Identity Federation (let’s just call this WIF) allows app principals not residing within Azure to request short lived access tokens. This removes the need of storing client secrets or certificates within GitHub as Action secrets. One drawback ist that currently only the Azure modules support the usage of WIF.

How it works
#

WIF relies on trust. This trust is directly configured on the Azure AD app registration and scoped to an individual GitHub repository and optionally fine grained by limiting the usage to single git refs, specifically branches and tags. By trusting GitHub as external identity provider (IdP), a GitHub Action can request an identity token from the GitHub IdP and exchange this one against an access token within Azure AD.

A GitHub IdP issued token (decoded) contains the following information:

{ 
 "jti": "1a9fe224-c936-46f6-a38b-3300e76251b0", 
 "sub": "repo:nicolonsky/musical-octo-telegram:ref:refs/heads/main", 
 "aud": "api://AzureADTokenExchange", 
 "ref": "refs/heads/main", 
 "sha": "9f112c0b82547e35b10250d7f3165789bf97862f", 
 "repository": "nicolonsky/musical-octo-telegram", 
 "repository_owner": "nicolonsky", 
 "repository_owner_id": "32899754", 
 "run_id": "3986560796", 
 "run_number": "2", 
 "run_attempt": "2", 
 "repository_visibility": "private", 
 "repository_id": "592303002", 
 "actor_id": "32899754", 
 "actor": "nicolonsky", 
 "workflow": ".github/workflows/wif.yaml", 
 "head_ref": "", 
 "base_ref": "", 
 "event_name": "push", 
 "ref_type": "branch", 
 "workflow_ref": "nicolonsky/musical-octo-telegram/.github/workflows/wif.yaml@refs/heads/main", 
 "workflow_sha": "9f112c0b82547e35b10250d7f3165789bf97862f", 
 "job_workflow_ref": "nicolonsky/musical-octo-telegram/.github/workflows/wif.yaml@refs/heads/main", 
 "job_workflow_sha": "9f112c0b82547e35b10250d7f3165789bf97862f", 
 "iss": "https://token.actions.githubusercontent.com", 
 "nbf": 1674486850, 
 "exp": 1674487750, 
 "iat": 1674487450 
}

Did you recognize the matching sub attribute within the GitHub issued token and the Azure AD configuration? For a successful authentication the:

Inside Windows package manager (winget)

Fri, 30 Dec 2022 23:11:03 +0000

Windows Package Manager (winget) provides exciting features to install and upgrade apps on Windows devices. But how does winget actually work and how are new packages integrated? Within this post I want to elaborate on some questions I had when having a closer look into winget.

How does winget find sources?
#

By default, winget has the following sources configured:

msstore: Microsoft Store (public)
winget: Winget Content Delivery Network (CDN)

When searching for a particular package, e.g: winget search wireshark all configured sources are searched for a match.

lesson learned: winget can install packages from the public Microsoft store and the winget CDN.

How are winget CDN packages provided?
#

Winget CDN packages reside within a public git repository hosted on GitHub. The repository contains an alphabetic folder structure by vendor and product name holding manifests in YAML format that describe the app details.

The manifests folder within the repo is grouped by the app vendor and app name and YAML contents of a manifest look like this:

Setting up a radius server for Azure AD joined devices and 802.1x

Sun, 25 Sep 2022 00:00:00 +0000

A common pitfall in environments where Windows server is used for radius authentication is that Microsoft network policy server (NPS) does currently not support device based authentication for Azure AD joined devices. NPS always checks for the existence of a corresponding computer object in AD. For my home setup and lab I wanted to build a radius solution to enable 802.1x authentication on my Wi-Fi network.

Disclaimer
#

This post describes my setup and does not cover prerequisites like certification authority, certificate revocation and client certificate deployment via SCEP. Furthermore you should be familiar with docker, network topics, dns and Intune.

Available solutions
#

Well known commercial Network Access Control (NAC) solutions like CISCO ISE or Aruba Clearpass often ship with an integrated RADIUS server and the possibility to configure wheter LDAP lookups for computer accounts should happen. Important is, that the solution supports certificate revocation checks either via CRLs or OCSP to ensure network access is blocked when a client certificate is revoked.

For my home and lab setup I wanted to leverage a free or open source solution and decided to use freeRADIUS, probably the most popular open source radius server. freeRADIUS supports EAP-TLS for 802.1x authentication out of the box and is well documented. Additionally, I was looking for a solution that can be deployed to both locallly in my network (e.g. on a raspberry pi) and also to PaaS offerings like Azure.

Android dedicated devices managed home screen and system apps

Tue, 20 Sep 2022 00:00:00 +0000

Android enterprise dedicated devices with the Microsoft Managed Homescreen app are a conenient way to provide devices with restricted functionality and customized look and feel to end users. Because the Managed Homescreen app acts as an overlay to the underlying Android certain prompts and features are not enabled by default unless you allow-list them by deploying the corresponding Android System App and add the app to the kiosk device restrictions.

System Apps
#

System apps can be added as separate app type within MEM:

It is important to deploy the desired system apps as required to your devices and also adding them within the kiosk configuration:

List of commonly used System apps for Samsung devices
#

Based on a recent project where we had Samsung devices in place we allow-listed the following system apps within the kiosk configuration:

Description	App Bundle ID
USB File Transfer Prompt Android Version < 12	`com.samsung.android.MtpApplication`
USB File Transfer Prompt Android Version >= 12	`com.android.mtp`
Android System UI (used for a variety of prompts)	`com.android.systemui`
Service Mode App (USB prompts)	`com.sec.android.app.servicemodeapp`
Knox license prompts	`com.samsung.android.knox.pushmanager`
Samsung Android update prompts	`com.wssyncmldm`
Knox smdms	`com.sec.enterprise.knox.cloudmdm.smdms`
Knox container core	`com.samsung.android.knox.containercore`
Knox attestation	`com.sec.enterprise.knox.attestation`
Keyboard changes	`com.samsung.android.honeyboard`

An indicator to decide wheter you need to add an app to the list is always when you can see the prompts outside of the managed homescreen app after leaving the kiosk mode. {: .notice–info}

The easiest way to work with the Microsoft Graph PowerShell SDK

Fri, 09 Sep 2022 00:00:00 +0000

When you are new to RESTful APIs and want to start with Microsoft Graph to automate tasks in your Endpoint Manager tenant all the stuff about app registrations, access tokens, pagination and request headers can be quite confusing. In this post I want to show you a quick tip to kickstart your Microsoft Graph API experience.

Requirements
#

Cloud admin account with Intune Administrator role assigned
Ability to install Modules from the PowerShell gallery

JWT
#

Just because you can’t see it… doesn’t mean it isn’t there: Due to the naturality of OAuth 2.0 and OpenID connect (these are the protocols involved for authorization and authentication in a cloud environment) we can capture short lived access tokens, also called Json Web Tokens (JWTs) directly from a browser. Tokens are usually valid between 50 and 60 minutes - just what we need to get some hands on with Microsoft Graph API and MEM automation.

The cool thing is actually that we don’t need any kind of app registration or additional permissions which can be quite some blocker in certain restricted environments (or staff unfamiliar with those technologies 😉).

Intune app protection policy report

Mon, 13 Dec 2021 00:00:00 +0000

App protection (also called MAM) policies have been around for a couple of years within MEM and I already used them in various projects to protect company data on unmanaged iOS and Android devices. One of the drawbacks with this approach is that we do not have full visibility about the usage and I tried to shed some light about this with a PowerShel reporting script that pulls data from the Microsoft Graph API.

Information visible within the portal
#

In the MEM portal we can find report data about the number of users that have checked-in to any MAM policy grouped by the respective app.

If we want to perform a wipe we will also be able to see the devices a user has registered:

Of course I was curious which additional data is available on the Microsoft Graph API and found the following resource storing app protection policy check in details: /users/{ID}/managedAppRegistrations.

Script
#

The script uses the Intune PowerShell SDK (could easily be ported to MSAL.PS because I wrote it already a couple of months ago) to enumerate all internal users within the tenant and will check the above mentioned managedAppRegistrations resource. At the end you are presented a flattened CSV report containig the following details:

Have you considered TPM key attestation?

Sat, 28 Aug 2021 00:00:00 +0000

Device and user-based certificates are commonly used for secure authentication for services like: MECM in HTTPS mode, Always On VPN, 802.1x for (wireless) LAN and so on. Mostly these certificates are deployed from an internal PKI and the certificate templates are somewhat outdated because everybody is afraid of touching these settings. As with any type of credentials - credential theft is also applicable for certificates and the corresponding private keys. So let’s dive in and learn the risk and how to reduce the attack surface.

Understanding cryptography providers
#

Before we start with the actual theft we need to know how certificates and the corresponding private keys are stored on Windows devices. Microsoft operating systems implement various cryptographic providers which can be either software or hardware based. The two most important ones are:

Microsoft Software Key Storage Provider
- “Standard” provider which stores keys software based and supports CNG (Crypto-Next Generation)
Microsoft Platform Crypto Provider
- Hardware based which stores keys on a TPM (trusted platform module) and supports CNG as well

When a client is requesting a new certificate from a CA he generates a key pair consisting of a private and public key with such a crpytographic provider.

Automatically sign your PowerShell scripts with GitHub actions

Fri, 09 Jul 2021 00:00:00 +0000

Based on one of my older posts about PowerShell script signing with Azure DevOps I recently implemented a PowerShell script signing workflow with GitHub actions I wanted to share with the community.

Prerequisites
#

For this post the following prerequisites are required:

Code signing certificate in PFX format
GitHub account

Add variables to GitHub actions
#

Because GitHub variables can only be of string content we need to get the contents of the pfx file as base64 encoded string:

$pfxCertFilePath = "~\Downloads\CodeSigningCertificate.pfx"
$pfxContent = Get-Content $pfxCertFilePath -Encoding Byte
[System.Convert]::ToBase64String($pfxContent) | Set-Clipboard

GitHub action variables
#

Add two variables as actions secrets:

BASE64_PFX: Base 64 encoded string of the PFX (automatically copied into your clipboard with the above commands) PFX_PASSWORD: Password for the private key of the pfx file

GitHub action workflow
#

Place the following workflow file within your git repository: .github/workflows/SignPowerShell.yaml whereas the name of the YAML file can be freely chosen.

Securely sending emails from PowerShell scripts with modern authentication enforced

Fri, 19 Mar 2021 00:00:00 +0000

The Send-MailMessage cmdlet has been around for a couple of years and is mostly used to send email messages from PowerShell. But with the deprecation and security flaws of legacy authentication it’s time for a better option which actually supports modern authentication. For this purpose we can use the Microsoft Graph API and the Microsoft Graph PowerShell SDK. The best thing is that this solution works without any service account and does not need any exclusions from conditional access.

Microsoft Graph resource
#

To send a mail we simply specify the user account from which we want to send the email:

POST: https://graph.microsoft.com/v1.0/users/sean.connery@dev.nicolonsky.ch/sendMail

Create an app registration
#

Simply create a new app registration with the Mail.Send permissions and use a certificate for the authentication.

We need to take additional steps to limit the permissions of the app registration. Otherwise the app can send mails on behalf of any user in your tenant. To limit the permissions we leverage exchange application access policies.

Connect to Exchange Online with the ExchangeOnlineManagement PowerShell module Connect-ExchangeOnline

Dealing with Intune OMA-URI encoding and applocker rules

Tue, 16 Feb 2021 00:00:00 +0000

While fine-tuning and adjusting applocker policies for co-managed Windows 10 clients I got really annoyed by special characters commonly used in the German/Swiss language. The Intune portal seemed to use different encoding and didn’t allow me to just copy/paste the currently deployed policy and extend it with a new rule. I needed to request the original file that was uploaded to the tenant in order to adjust the rule. Instead of just accepting this I decided that it is time for an easier approach which I will share with you.

The actual issue
#

After uploading the XML with the applocker policies (in my case EXE rules), special characters like ‘ö’ or ‘ü’ have a weird encoding displayed in the portal. The next person that wants to edit the policy needs to take care to fix the unrecognized characters otherwise the publisher rule won’t work anymore.

Top: Portal view of the special characters, bottom: original file.

Fixing things
#

Save file with UTF-8 encoding
#

First, make sure that you saved an uploaded the file with UTF-8 encoding as this introduces support for most character sets. You can do this by selecting the encoding box in the right bottom of Visual Studio Code:

Microsoft Graph Access Token Acquisition with PowerShell explained in depth

Mon, 04 Jan 2021 00:00:00 +0000

When working with the Microsoft Graph API or introducing the API to colleagues I often get asked about the steps required to obtain an access token for the API with PowerShell. Out in the wild, I’ve spotted many different ways and lots of implementations still relying on the ADAL (Active Directory Authentication Library) despite the fact that this client library is superseded by MSAL (Microsoft Authentication Library). So let’s talk about acquiring access token “in stile” with the most simple method available.

Why do we need an access token?
#

When talking about the Microsoft Graph API an access token fulfills two roles, first: prove authentication (proof of identity) second prove authorization (permissions). Each request needs to submit a request-header that contains the access token.

For an API it’s crucial to validate the authentication and authorization for every request. Otherwise, requests could be made to resources the actor has no access to.

What’s inside the access token
#

You did probably stumble over the terms “bearer authentication” or “bearer token” these describe a mechanism within the OAuth 2.0 Authorization framework to authenticate requests with access tokens. Tokens are issued by the authorization server (Azure AD) and contain a server-generated string in the format of a JSON Web Token (JWT) with the following information (the list is not exhaustive and truncated to only contain the most interesting parts):

Android Enterprise Enrollment: Page Not Found

Sat, 19 Dec 2020 00:00:00 +0000

While doing some Android Enterprise enrollment tests for corporate-owned devices with work profiles I stumbled over the following issue after signing-in with the work account: “Page not found”.

The solution is fairly simple, just double check that your user does not have the device enrollment manager role assigned, which can be found under the device enrollment pane:

The docs tell us:

If you’re enrolling Android Enterprise personally-owned work profile or corporate-owned work profile devices by using a DEM account, there is a limit of 10 devices that can be enrolled per account. Microsoft Docs

In my case, I wasn’t exceeding that limit because it was the first enrollment with that account so I’m not sure if the docs are accurate.

Updated 21.12.2020:

~~I already opened an issue on GitHub about the doc contents.~~

@nicolonsky Good question. Using a DEM account isn’t available to enroll COPE devices. We fixed the article. The changes should be live later today. Thanks for bringing this to our attention.

Hope this helps.

Housekeeping for stale MEM profiles

Wed, 16 Dec 2020 00:00:00 +0000

When involved in new projects I often find a bunch of old profiles in the Microsoft Endpoint Management Console. Before going ahead with a new implementation it’s the best time to clean-up all the leftovers from past ramblings.

How to identify stale profiles
#

If one or multiple statements are met for a profile it is very likely to be a stale profile:

No assignments, assignments to a group without members
“Test” included within the profile name or description
Last modified points back in time for more than a year
No devices reported success/failure status for the given profile type

What to do with stale profiles
#

So let’s be brave and delete them. But Intune doesn’t offer any [CTRL] + [Z] or recycle bin possibilities so we might want to have some kind of archive, just in case?

Let’s agree that we:

Check the points from the list above
Ask our colleagues if they know something about the profiles and their usage
Take a backup

deleting them afterward is a reasonable action which is probably beneficial for everyone.

Windows Terminal and SSH - the most beautiful SSH client?

Wed, 16 Dec 2020 00:00:00 +0000

I like to have a linux machine for some lab stuff which I can access from multiple machines prefereably over SSH. Because Windows 10 ships with an integrated SSH client and Windows Terminal looks just awesome I wanted to use Windows Terminal to access my linux machine running on Azure over SSH. Today I’d like to show you my setup.

Generate a Key Pair
#

ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (C:\Users\NicolaSuter/.ssh/id_rsa):
Created directory 'C:\Users\NicolaSuter/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in C:\Users\NicolaSuter/.ssh/id_rsa.
Your public key has been saved in C:\Users\NicolaSuter/.ssh/id_rsa.pub.

Add SSH config file
#

C:\Users\%USERNAME%\.ssh\config

Host horus
Hostname horus.nicolonsky.ch
Port 22
User azureuser
IdentityFile ~/.ssh/id_rsa

Test the SSH connection
#

ssh horus

Windows Terminal Configuration
#

Create a new GUID with Powershell and the command: (New-Guid).Guid

{
 "guid": "{67d39a21-70ff-4bdd-af09-fd68b29c1716}",
 "name": "Horus",
 "commandline": "ssh horus",
 "hidden": false,
 "icon": "https://image.flaticon.com/icons/png/512/119/119423.png"
},

Sync Windows Terminal Settings with OneDrive
#

We can setup a symlink to use the Windows Terminal Config stored in OneDrive:

Export and import MEM Endpoint Security Profiles

Thu, 19 Nov 2020 00:00:00 +0000

Recently I got a DM on Twitter with a question about how to export and import Endpoint Security profiles with Microsoft Graph. Besides a technical answer which might be of interest for you, I’d like to show you the workflow I used to give a proper reply.

Original question:

Hi @nicolonsky, I was advised on the MS Elite Partner focus groups team (MEM Automation) to reach out to you regarding my question about export/import policies from Endpoint Security in Intune. I’ve been able to export the Disk Encryption policy (via graph explorer), but haven’t been able to find the correct format to use to upload/import it. I was hoping that you would be able to advise on how to go about achieving this.

Workflow
#

Discover request URL’s and payload
#

To discover the request URLs and payloads I used the methodology I explained in the this post a while ago. Basically, I tracked the network activity and used a filter to only include requests made to the Graph API while doing the following activities:

Shut up Surface Pro 7 fan noise!

Mon, 16 Nov 2020 00:00:00 +0000

I recently bought a Surface Pro 7 with an Intel Core i7 and 256 GB SSD and it was a quite good deal. I’m using it primarily for my studies in computer sciences which involves lots of development with Java, Python, C, Linux and so on. Furthermore, I’m using it to write blog posts for this blog.

One thing which annoyed me since day 1 was the fan going absolutely crazy when plugged to AC power. Having only OneNote open and a couple of browser tabs and maybe teams the noise was way too loud and even heard by other participants in meetings.

On Reddit I found a hint to a setting which indeed solved my solution.

We need to adjust the “max. processor power state” setting which is not visible by default on surface devices. To show the setting add this reg key with PowerShell:

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\bc5038f7-23e0-4960-96da-33abaf5935ec" -Name Attributes -Value 2

Afterwards, we can change the “max. processor power state” setting within the power settings in the control panel:

Hope this helps you as well to enjoy your Surface Pro 7 with a much quieter fan. 🐱‍💻

Build an Azure DevOps pipeline to automatically sign your PowerShell scripts

Thu, 01 Oct 2020 00:00:00 +0000

Too lazy to sign your PowerShell scripts? Yes of course it provides security benefits but performing the steps manually can be easily forgotten and re-signing needs to happen after every script change. Because I like CI/CD topics and have not found a solution on the internet I decided to build a solution based on Azure capabilities. Furthermore, I wanted a solution which does not require to hand out the code signing certificate to the respective script author which can be useful if you have a bunch of people writing PowerShell scripts.

From a personal perspective, I would also recommend signing scripts you hand over to customers to ensure the integrity of the scripts because as soon as the script gets changed the signature is invalid.

You can find more general recommendations about script signing in the PowerShell docs.

Solution overview
#

The key vault will store the code signing certificate with an access policy that allows access from the Azure DevOps pipeline.

The pipeline consists of the following steps:

Import code signing certificate
- The certificate is supplied as secret in a variable group which is linked to the key vault
- Access to the key vault is granted with a service connection (service principal)
Sign PowerShell scripts which contain a “magic token”
- All *.ps1 within the attached repository will be enumerated
- To control which scripts will be signed only those with the “magic token” get processed
- The “magic token” gets removed before signing the script
Publish signed PowerShell scripts as pipeline artifacts
- To make them available for download

Ensuring regular Defender Quick scans with Microsoft Endpoint Manager proactive remediations

Mon, 28 Sep 2020 00:00:00 +0000

While looking into the new Microsoft Defender Antivirus report available in MEM (Intune) I discovered some machines which did not report any recent Defender antimalware scans, despite configured via configuration profile. Of course, AV scans are kinda old-fashioned against rapidly evolving threats but a regular quick scan won’t hurt anyone. Instead of having a look at every single machine affected, I decided to try out the new proactive remediations feature which went globally available last week and let endpoint analytics do the detection and remediation work for me. As a reference, I used the Tutorial: Proactive remediations from Microsoft which covers the process quite well.

PowerShell scrips
#

For Endpoint analytics / Proactive remediations we need two PowerShell scripts. The first script is used as a detection script and determines whether remediation is necessary based on the exit code. Exit code 0 indicates a healthy status and exit code 1 indicates remediation necessary. Remediation occurs with a second PowerShell script.

To detect the most recent Defender scan I used the Windows Eventlog. Event ID’s are documented here.

Detection script
#

Remediation script
#

The remediation script is just about a one-liner to trigger a quick scan. You can extend this based on your requirements and respective to your Intune settings. E.g. triggering a signature update for a scan or adding additional steps.

Discover the Microsoft Graph API with the Microsoft Endpoint Manager Portal

Tue, 08 Sep 2020 00:00:00 +0000

You always wanted to automate a specific action within Intune / the Microsoft Endpoint Manager Portal (MEM) but were afraid of the complexity? The Microsoft Graph API docs deliver you more questions instead of answers? Automating tasks within the MEM portal could be very easy, couldn’t it? I promise it will be much simpler with this magician trick.

Microsoft Endpoint Manager Portal
#

The MEM Portal UI relies on the Microsoft Graph API. This means that the UI where you create new settings and policies and the Intune backend are encapsulated with different layers. Communication between the UI and the backend happens with the Microsoft Graph API. With the developer tools we can trace network traffic and discover the request URLs and request body payload which are required to interact with the API.

{: .align-center}

Example about how to capture URLs and build a PowerShell script
#

Original request body:

Access has been blocked by Conditional Access policies when using device code flow

Thu, 03 Sep 2020 00:00:00 +0000

When using device code authentication for PowerShell modules with conditional access you might receive prompts like: “Access has been blocked by Conditional Access policies. The access policy does not allow token issuance” or “AADSTS50097: Device authentication is required”. But what’s the reason for this error and is there a solution available?

Examples from the field
#

Device code flow is quite a convenient way to sign-in for an app within the web browser - at least if it works. If not you have to consider other options and that’s probably the reason why you’re reading this blog article.

Az PowerShell

Running the Az PowerShell module on PowerShell 7 uses device code flow to authenticate against your Azure tenant and might fail:

Connect-AzAccount: AADSTS50097: Device authentication is required.
Timestamp: 2020-08-17 13:36:31Z: Response status code does not indicate success: 401 (Unauthorized).

The sign-in to Azure is tied to the “Microsoft Azure Management” app that you can select within Conditional Access.

Microsoft Graph PowerShell

The same applies for the new Microsoft.Graph PowerShell modules - but here we receive a more detailed error message:

Connect-Graph: AADSTS53003: Access has been blocked by Conditional Access policies. The access policy does not allow token issuance.
Timestamp: 2020-08-17 13:37:12Z

The sign-in to the new Microsoft Graph Modules is tied to the “Microsoft Graph PowerShell (Preview)” app and some more apps I couldn’t determine.

Bulk create Intune mobile app deployment groups and assignments

Wed, 19 Aug 2020 00:00:00 +0000

Creating assignments and software deployment groups for Intune mobile apps is quite a repetitive and manual task. Because of that, I want to share a PowerShell script with you which allows you to automatically create software deployment groups in Azure AD and the assignments for various intents.

The script allows you to:

Create Azure AD groups (install uninstall purpose)
- Pick existing groups based on displayName
Assign Intune mobile apps (tested for Win32 and MSI LOB apps)

You can find the script on my techblog GitHub repository.

Because of the configurable group prefixes the script helps you to keep your Intune environment clean and implement a standard app assignment configuration.

The script uses the Microsoft Graph API and the following resources

https://graph.microsoft.com/beta/deviceAppmanagement/mobileApps
https://graph.microsoft.com/beta/deviceAppmanagement/mobileApps/{AppID}/Assignments
https://graph.microsoft.com/beta/groups

It uses the preregistered app “Microsoft Intune PowerShell” which exists by default in all tenants. If you want to run the Script with PowerShell 7 you need to create an adjust the MSAL token section with the -DeviceCode parameter.

You can bulk select the apps you want to create the assignment and AAD deployment groups:

Hope this saves you some time.

Add PowerShell modules to Azure functions

Mon, 17 Aug 2020 00:00:00 +0000

Azure functions for PowerShell natively ship without additional cmdlets or PowerShell modules. In this post, I will show you how to add both public modules from the PowerShell gallery with automatic dependency management and custom modules.

For both options, we use the Kudu tools to adjust the configuration of our function app. You can launch them from the “Advanced Tools” section of your function app:

Afterwards, launch the PowerShell debug console and navigate to the wwwroot folder of your app:

Option 1: Automatic dependency management
#

Note: Installing modules which require license acceptance (e.g. the MSAL.PS module) currently cannot be installed with automatic dependency management. You can track the issue status here and here. {: .notice–warning}

Azure function apps running PowerShell come with a nice feature called managed dependencies. You can specify the modules you want to import from the PowerShell Gallery and the function app host will automatically process the dependencies.

In the requirements.psd1 add the module details:

# This file enables modules to be automatically managed by the Functions service.
# See https://aka.ms/functionsmanageddependency for additional information.
#
@{
 # For latest supported version, go to 'https://www.powershellgallery.com/packages/Az'.
 'Az' = '4.*'
 'Microsoft.Graph.Authentication' = '0.*'
}

You can either specify an exact version available from the PowerShell Gallery or specify the major version with a wildcard. With the wildcard option it will use the latest version available.

Playing around with the Office 365 Service Communications API

Mon, 10 Aug 2020 00:00:00 +0000

The Office 365 Service Communications API provides information about Microsoft 365 service status for your tenant including service messages. I built a little PowerShell module to access the API with PowerShell cmdlets. In this post I want to show you some examples which help you to use the API.

PowerShell Module
#

I built a PowerShell module to access Microsoft 365 service status details natively with PowerShell. The PowerShell module and documentation is available on the PowerShell Gallery and on GitHub.

Before using the module an app registration is required. Setup instructions are also provided on GitHub.

CI/CD
#

By leveraging Azure DevOps I created a build and release pipeline which automatically builds the PowerShell module with Plaster.

Builds are only created if the commit on GitHub includes a version tag. This version tag gets automatically populated to the module manifest.

The build artifact gets then automatically published to the PowerShell Gallery as a new version. Furthermore, a new GitHub release including the module artifact is added to the project.

This process fully automates the publishing and build process for the module. For local development and maintenance, the module can also be built with Invoke-Build.

Intune scope tags and role-based access control explained

Mon, 03 Aug 2020 00:00:00 +0000

For larger Intune environments a solid role-based access implementation becomes crucial to ensure a secure administration. But how does Intune role-based access control (RBAC) work in combination with scope tags and how to get started? This post gets you covered with explanations and practical examples.

Role-based access control within the Microsoft 365 ecosystem
#

Within the Microsoft 365 ecosystem, Microsoft provides Azure AD administrative roles to administrate services like Exchange (Exchange administrator), SharePoint (SharePoint administrator), Intune (Intune administrator) and so on.

As you can see Azure AD provides (usually) only one role which grants full administrative access over a service. You can configure more fine-grained controls within the service itself - that’s where the RBAC controls of the respective service kick in.

To give you another example: You might have a 1^st or 2^nd level support department which needs permissions to perform remote actions on Intune managed devices. Instead of assigning them the Azure AD Intune Administrator role, it’s more convenient to assign them a fine-grained Intune RBAC role which delegates exactly the permissions needed.

As the name already indicates Intune related roles only live within the Intune tenant and cannot be managed from AAD and vice-versa:

Azure AD guest user review solution

Tue, 14 Jul 2020 00:00:00 +0000

Azure Active Directory guest users really simplify the process to collaborate with external users. Although keeping a good governance on guest accounts can become quite a challenge. The two biggest challenges I often observe are: “Who invited that guest user?” and “Does this guest user still need access to our infrastructure?”. Inspired by a recent post of Thomas Kurth regarding Azure AD Guest Account - Governance and Cleanup I also developed a solution which comes quite close to an “Azure AD Access review” like user experience.

Notable features
#

The ‘Manager’ attribute of your guest users get’s automatically populated with the identity of the inviter
All Azure AD app registration information is stored in Azure Key Vault
Almost zero touch deployment with ARM templates
You can integrate existing guest users into this solution by populating the manager attribute in Azure AD
You can configure the approval frequency for guest accounts
Approval frequency respects last approval date for each guest account

Architecture
#

The solution leverages function of:

Azure Logic App

Who invited this Azure AD guest user?

Tue, 14 Jul 2020 00:00:00 +0000

Who invited this Azure AD guest user? Examining who invited a specific a guest account can be quite a challenging question if you don’t have a log analytics workspace in place with Azure AD Audit log forwarding configured.

Kusto queries for your log analytics workspace
#

The following queries help you to identify who invited a guest. If you haven’t set-up Azure AD audit log forwarding it’s the right time to do it now as described in one of my previous blogs.

To find all guest invitations:

AuditLogs
| where OperationName == 'Invite external user' and Result == 'success'

To find all accepted invitations:

AuditLogs 
| where OperationName == 'Invite external user' and Result == 'success'
| extend InvitationId = tostring(AdditionalDetails[0].value)
| join (
 	AuditLogs
	| where OperationName in('Redeem external user invite')
	| parse kind=regex TargetResources[0].displayName with * "InvitationId: " InvitationId:string ","
)
on $left.InvitationId == $right.InvitationId

Improving your guest user governance
#

To simplify the guest user review and management process I developed a solution which fully automates this process. Additionally the solution populates the user who invited a guest as the guest’s manager which allows you to easily examine the question “Who invited this Azure AD Guest Account?”.

Azure AD guest user review solution

10 suggestions to improve your next PowerShell script

Wed, 08 Jul 2020 00:00:00 +0000

Most of the time PowerShell is my favourite choice to automate processes and tasks. In order to improve the maintainability of my scripts I usually try to focus on some standards combined with a clean scripting style. In this post I want to show you 10 suggestions to improve your next PowerShell script. I’ve tried to order the suggestions according to an actual PowerShell starting from the very first line till the last line.

1. Script prerequisites
#

Your PowerShell script might need specific modules or elevated user rights to run. The #Requires statement ensures that these prerequisites are met before the actual script get’s executed. So you don’t need to implement your own checks to verify prerequisites.

Simply use the #Requires statement at the very first line of your script. Find out more about #Requires statement.

Modules
#

Another benefit of specifying the modules within the requires statement is that scripts hosted on the PowerShell Gallery automatically install the modules mentioned in the #Requires list.

To make sure a specific module is installed use:

#Requires -module "Microsoft.Graph.Intune"

To ensure a module with a specific version is available:

Remove Azure AD direct License Assignments with PowerShell

Wed, 08 Jul 2020 00:00:00 +0000

Who doesn’t love a clean and tidy environment, do you? This also applies for your license assignments in Office 365 and Azure AD. As time passess it is likely to have users with direct license assignments or users which still have old trial licenses assigned. To get rid of those assignments I created a PowerShell script with removal and reporting functionality.

Direct link to the script.

Identify direct license assignments
#

In the Azure Portal we recognize direct license assignments on a user account by viewing the “Assignment Paths”:

With the MSOnline PowerShell module we can view the Licenses property of a user and retrieve a nested property called: GroupsAssigningLicense. The GroupsAssigningLicense property contains either:

An empty array if the license was not inherited from a group -> direct assignment
An array with objectId’s
- If the array contains the user’s objectId -> direct assignment

Example 1: User with objectId 36c9b091-fe88-4dc2-a9e1-2662020b4bab has group based license assignment and direct assignment:

AccountSkuId : nicolasuter:SPE_E5
GroupsAssigningLicense : {0a918505-d0d5-4078-9891-0e8bec67cb65, 36c9b091-fe88-4dc2-a9e1-2662020b4bab}

Example 2: User has no inherited licenses from a group:

AccountSkuId : nicolasuter:SPE_E5
GroupsAssigningLicense : {}

PowerShell Script
#

You find the PowerShell script on my techblog GitHub repository.

How I migrated my Ghost blog to Jekyll

Sat, 27 Jun 2020 00:00:00 +0000

Another migration of my blog? After running it for almost three years I thought it’s time for another change. The Ghost platform introduced a lot of changes and updates (with features that I don’t need) and caused me quite some expenses on my Azure subscription (around 50$ each month). Furthermore I wanted someting looking more clean with more focus on the writing part without a lot of fancy add-ons and functionalities. But it still had to cover features like tag summaries, yearly archive and a site search (Ghost doesn’t ship with those features out of the box). Because static sites seem to be a thing now I thought let’s hop onto the static site generator train.

I did some subjective research and decided that it will be Jekyll. I’ve chosen Jekyll because it’s quite easy to understand compared to hugo. Although hugo offers GraphQL which allows you to generate blog posts basically from any source including a REST API and Ghost has such an API in place which provides access to all posts.

To sum up the evolution of my blog:

2017 - 2018: Wordpress (hosted on a free hoster)
2018 - 2020: Ghost (hosted on Azure)
2020 - 20xx: Jekyll (hosted on GitHub Pages)

Since the beginning of my blog I had my DNS zones running on Cloudflare including CDN features. When I migrated from Wordpress to Ghost I also migrated the comments to Disqus -> so for this migration I didn’t need to change anything regarding comments.

Exploring the new Microsoft Graph PowerShell Module(s)

Tue, 12 May 2020 00:00:00 +0000

Microsoft is working on a new set of PowerShell modules grouped under the umbrella of Microsoft.Graph that will (hopefully) cover all the Microsoft Graph resources available. I’ve already used some of them for my Conditional Access Documentation Script and thought they have some notable features worth sharing.

Advantages and changes
#

The Microsoft Graph modules use the new Microsoft Authentication Library (MSAL) instead of the old Azure AD Authentication Library (ADAL). The MSAL library in the modules implements a token cache which persists the access and refresh tokens.

MSAL caches a token after it has been acquired. Application code should try to get a token silently (from the cache), first, before acquiring a token by other means. - Microsoft docs

The token cache persists system reboots and re-opening PowerShell sessions. The module allows you to obtain tokens either for authentication via client credentials (certificate only) or device code flow.

Furthermore, the new modules support a really broad spectrum of available entities on the Graph API. From an EM+S perspective this means for example: groups, users, identity protection, conditional access, and some of the Intune app management commands are also starting to appear.

Just be aware that the modules are currently published as pre-release. If you encounter any issues share them with the development team on GitHub and submit issues or even better contribute directly to the project.

Validating a GUID with PowerShell

Tue, 05 May 2020 00:00:00 +0000

For some recent Microsoft Graph scripts I wanted to translate some Azure AD Object ID / GUID entries to their respective display name. The array with the GUID’s contained already some readable text. Of course I only wanted to translate the GUID entries with according Graph API requests. Otherwise the Graph requests would fail. Google offered only some fancy regex functions and helpers but I had that .NET function in my mind which looks much nicer compared to whatever regex pattern that I don’t understand.

"applications": {
 "includeApplications": [
 "797f4846-ba00-4fd7-ba43-dac1f8f63013",
 "Office365"
 ]
}

So I needed a way to test a string for a valid GUID and only invoking the Graph calls for GUID values.

Matching a GUID with a regex
#

I found the following regex on this site:

"d815c3bc-9c49-4633-9d16-29808242d063" -match '(?im)^[{(]?[0-9A-F]{8}[-]?(?:[0-9A-F]{4}[-]?){3}[0-9A-F]{12}[)}]?$'

Matching a GUID with the .NET method
#

Instead of the complex regex we can invoke this nice .NET member method which returns true or false based on the input:

[guid]::TryParse("d815c3bc-9c49-4633-9d16-29808242d063", $([ref][guid]::Empty))

I guess that’s much more convenient.

Helper Function
#

Here’s a helper function which can be used in PowerShell scripts:

Document Conditional Access Configuration with my Modern Workplace Concierge

Mon, 20 Apr 2020 19:22:33 +0000

Documenting things sucks. If it involves a lot of klick(edi klack klack) in portals and copying information around even more. But there’s hope. And it’s called automation. For the Intune part Thomas Kurt did already an awesome job with his IntuneDocumentation. Now the Modern Workplace Concierge is ready to help you with documenting your Conditional Access configuration. I promise you: we will get through this within under 15 minutes! Afterwards you can make an impression on your fellow Enterprise Mobility teammates.

What’s inside?
#

A Conditional Access policy is returned by the Microsoft Graph API in the following JSON representation:


{
 "id": "714b5737-5f13-415e-bf96-d659f3a5928e",
 "displayName": "PROD - Admin protection - Azure management: Require MFA",
 "createdDateTime": null,
 "modifiedDateTime": null,
 "state": "enabled",
 "grantControls": {
 "operator": "OR",
 "builtInControls": [
 "mfa"
 ],
 "customAuthenticationFactors": [],
 "termsOfUse": []
 },
 "conditions": {
 "signInRiskLevels": [],
 "clientAppTypes": [],
 "platforms": null,
 "locations": null,
 "deviceStates": null,
 "applications": {
 "includeApplications": [
 "797f4846-ba00-4fd7-ba43-dac1f8f63013"
 ],
 "excludeApplications": [],
 "includeUserActions": []
 },
 "users": {
 "includeUsers": [
 "All"
 ],
 "excludeUsers": [],
 "includeGroups": [],
 "excludeGroups": [
 "04988d96-ad01-4569-9aee-a199a1cb4f8e"
 ],
 "includeRoles": [],
 "excludeRoles": []
 }
 },
 "sessionControls": null
}

That’s not really human readable. Especially the object id’s (32 character UUIDs) make it difficult to guess to which users or apps a policy is assigned. But an API has definitely other goals than showing pretty formatted reports.

I said Connect-AzureAD and not sign-out and re-sign-in!

Wed, 25 Mar 2020 17:21:25 +0000

If you are using the “AzureAD” PowerShell module (also applies to the AzureADPreview) you have probably noticed that the Connect-AzureAD Cmdlet ignores existing access tokens and initiates a new sign in to Azure AD even if you are already signed in.

Prompt you get when calling the "Connect-AzureAD" cmdlet

Long story short, I got annoyed every time when I accidentally recalled Connect-AzureAD (mostly when working with Scripts) until I found this amazing hint on technet and now I want to (re-)share it with you.

In your PowerShell scripts simply use the following snippet to connect with Azure AD / check your connection and you wont get any sign-in prompts if you are already connected!

Reusing the access token for the MsOnline module
#

The Azure AD PowerShell access token which gets stored can also be used to connect to the MsOnline resources (because certain attributes like strong authentication details are not available with the AzureAD modules):

$token = [Microsoft.Open.Azure.AD.CommonLibrary.AzureSession]::AccessTokens Connect-MsolService -AccessToken $token.AccessToken.AccessToken

Generate a report about assigned Azure Active Directory roles

Thu, 19 Mar 2020 20:42:07 +0000

The Azure AD portal does not really provide an overview about all directory role assignments in your tenant. If you want to review existing Azure AD Directory roles a csv report will probably better server your needs. Therefore I created a PowerShell script to export the role assignments.

The Azure AD Portal only displays limited information about the assignments

### PowerShell Script

Find the PowerShell script in my techblog GitHub Repository.

Make sure that you have the AzureAD PowerShell module installed before running the script. You can install it by running “Install-Module AzureAD”.

PowerShell script output

Report
#

The report contains three columns:

Role (name of the directory role)
- Note that the Global Administrator Role is represented as Company Administrator
Member
- If the role is assigned to a user its the UserPrincipalName
- If the role is assigned to a service principal its the display name with the Azure AD application ID in the brackets
ObjectType
- Indicates whether the role is assigned to user account or a service principal

CSV file containing all assigned directory roles

Comparing reports
#

You can compare two reports with the following PowerShell code:

Detect Deleted User Accounts in Azure Active Directory

Thu, 13 Feb 2020 08:30:46 +0000

An account in your Azure Active Directory got deleted and you want to examine who initiated the delete action? Sounds very simple but if you do not want to search your logs manually things become a little bit trickier.

The challenge
#

When a user gets deleted and you only remember it’s userPrincipalName you wont be able to to search for a match. And I doubt that you memorized the Azure AD object id of that user.

Here’s what the Azure AD Audit log shows us:

The userPrincipalName attribute will get the Azure AD object ID as prefix:

userPrincipalName before deletion: jane.doe@nicolonsky.ch
userPrincipalName after deletion: f5d7e17347594a658d124329b9b025abjane.doe@nicolonsky.ch

By having a closer look to the Azure Active Directory Audit logs you will notice that the filtering or search capabilities are limited in terms of searching for a specific target:

Search is case-sensitive and only supports ‘starts with’ operator

Which means we cannot search for the userPrincipalName. The only option in the Azure AD Audit Logs would be to download the logs and perform a search within a text editor which is not really feasible nor efficient.

Managing the new Microsoft Edge Browser with Intune

Mon, 03 Feb 2020 15:40:58 +0000

With the availability of the new Edge browser based on chromium I gained the first experiences about configuring the browser in an enterprise environment. Of course I want to share those with you. This post hopefully helps you to roll-out and configure the new Edge Browser with Microsoft Intune.

Install the new Edge Chromium with Intune
#

The installation of Edge is not the main topic of this post. The Edge browser is available in Intune as built-in app type like the Office 365 suite. More information about the installation process is available here.

Set Edge Chromium as default browser
#

Default applications are configured on the Windows 10 operating system level via app associations. The current app associations of a device can be exported with dism and the command:

Dism /Online /Export-DefaultAppAssociations:"appassociations.xml"

Which will produce a file containing all associations. For setting Edge as the default browser this one is sufficient:

To deploy an app associations file with Intune it needs to be base64 encoded. I used the base64encode online tool.

Intune configuration
#

To distribute the default app association configure the following OMA-URI in a custom device configuration profile:

Prevent Intune devices from getting the Microsoft search (Bing) plugin

Fri, 24 Jan 2020 11:19:24 +0000

Microsoft recently announced to install a Bing extension on new and existing Office 365 ProPlus installations which will set Bing as the default search engine starting with the first Office 365 ProPlus release in 2020 - not appreciated Microsoft and definitely not what customers want! The extension will be shipped for new Office installations and existing clients with Office 365 ProPlus installed when they update.

Update 11.02.2020: “ The Microsoft Search in Bing browser extension will not be automatically deployed with Office 365 ProPlus.” - I will keep this post for the archives.

Starting with Version 2002 of Office 365 ProPlus, an extension for Microsoft Search in Bing will be installed that makes Bing the default search engine for the Google Chrome web browser only on devices in certain locations. This extension will be installed with new installations of Office 365 ProPlus or when existing installations of Office 365 ProPlus are updated. (Reference)

As expected date the 2002 release will be rolling out in March for the monthly update channel.

More details are available under:

New Office installations
#

To avoid the plugin being installed with new office installations edit your Office 365 Configuration with the Office Customization Tool . Make sure to toggle the switch for “Set default search engine to Microsoft Search in Bing” to off:

Deploy fonts to Intune managed Windows 10 devices

Sun, 19 Jan 2020 16:25:21 +0000

Recently a customer using Microsoft Intune requested to deploy a TrueType font required by one of their line of business apps. Because Intune does not offer a native solution to deploy fonts it was quite clear that a PowerShell script or Intune Win32 app should do the trick. Note that the mentioned PowerShell scripts can also be used for app deployments with Configuration Manager (MEMCM).

How to install a font programmatically?
#

There seem to be multiple options depending on the operating system version. I’ve tested this with Windows 10 1909. And broke it down to the following steps:

Copy the font to the “C:\Windows\Fonts” folder
Create a registry key which points to the filename of the *.ttf or *.otf font copied to the Windows font path

How to install a font with Intune?
#

To get the font to Windows 10 devices I created a PowerShell script which copies the font files to the windows-fonts folder and creates the required registry key.

Deploying the PowerShell script as Intune Win32 app has the advantage that we can link the font as a dependency if any app requires a specific font. Additionally we can detect and uninstall the font if needed.

Connecting to foreign Intune tenants with Microsoft Graph and PowerShell

Thu, 09 Jan 2020 13:25:02 +0000

If you manage multiple Intune tenants with your Azure AD account (invited as guest in the foreign tenant) we need a way to specify the tenant id we want to connect. Otherwise you will land in your home-tenant every time. This posts shows you how to accomplish that with the Intune PowerShell SDK.

If we have a look at the default Graph settings in a PowerShell session with the Intune PowerShell SDK you will notice that all authentication requests will land on the /common endpoint.

Get-MSGraphEnvironment
 
 AuthUrl : https://login.microsoftonline.com/common
 ResourceId : https://graph.microsoft.com/
 GraphBaseAddress : https://graph.microsoft.com
 AppId : d1ddf0e4-d672-4dae-b554-9d5bdfd93547
 RedirectLink : urn:ietf:wg:oauth:2.0:oob
 SchemaVersion : v1.0

To connect to a specific tenant we need to update the AuthUrl to contain the tenant id or any registered domain name of the target tenant before connecting:

Update-MSGraphEnvironment -AuthUrl "https://login.microsoftonline.com/nicolonsky.ch"

Afterewards you can connect to Microsoft Graph as usual:

Connect-MSGraph
```

Happy Microsoft Graph-ing with multiple tenants.

Monitor Apple token expiration in Intune

Sat, 04 Jan 2020 14:55:00 +0000

Apple tokens for Mobile Device Management like APNS certificates, DEP and VPP tokens need a renewal every 365 days. When an APNS certificate has expired you are forced to re-enroll all of your MDM managed apple devices. To avoid any headaches I put together a few lines of PowerShell which monitor the expiration with Azure automation and send a notification to Microsoft teams or email.

Script
#

The script is intended to run recurring on Azure automation. And I recommend to setup a schedule which runs the script once a week. The script checks the following apple tokens and triggers the teams notification if it expires in less than the configured number of days:

Push Notification certificate
DEP (Device Enrollment Program) tokens
VPP (Volume Purchase Program) tokens

Hint : You can setup multiple DEP and VPP tokens in your Intune tenant.

The triggered notification is delivered to Microsoft Teams as message card with some details about the token

Prerequisites
#

In order to get the monitoring up and running you need at least:

Azure automation account (ideally with a service principal), if you need a guide to set up an automation account read follow this article
An incoming webhook for your Microsoft Teams team which will receive the notifications OR an email account to send mails
The script from my Github techblog repository

Create a Microsoft Teams Webhook
#

Navigate to your desired teams channel which should receive the notifications and add a new incoming webhook:

Blogging year 2019 in numbers

Sat, 04 Jan 2020 14:53:14 +0000

Most of the people out there blogging have recently published numbers and figures about 2019. Starting the new decade I also want to publish some figures about 2019 and wish you a happy and successful start into 2020.

Blog
#

On my blog I tried to focus mainly on Enterprise Mobility + Security topics and shared some experiences and how-to’s about the modern workplace.

28 blog posts published
101'074 page visits
04:08 (mm:ss) is the average time users spent on my site

Tools
#

I published two open source tools in 2019, both are available on GitHub and both of them support your Microsoft 365 based workplace:

The Modern Workplace Concierge is a helper tool to simplify Microsoft 365 configuration allowing bulk import and export operations. Project URL
The Intune Drive Mapping Generator creates PowerShell scripts to map your on premises file shares to Intune MDM managed devices. Project URL

More numbers
#

2 sessions on community events
254 new followers on twitter
423 commits on GitHub
802 generated network drive mapping configurations (Intune Drive Mapping Generator)

Final words
#

I really appreciate all the feedback and support I received from you and fellow readers. Also in 2020 I will try to blog as much as possible and giving the community something back while representing the message that even at a young age you can contribute to the community, share your knowledge end especially learn a lot because this is a lifelong and ongoing process.

Have you already started with Intune automation and Microsoft Graph?

Thu, 19 Dec 2019 21:16:47 +0000

This post has the intention to give you an overview and starting point to automate things with the Microsoft Graph API and PowerShell. While having the focus on Intune and EM+S but the basics are also valid for other Microsoft services.

The world is changing and so are you?
#

When talking about automation most people only think about some PowerShell code and scheduled tasks running on whatever box in an environment. But technology regarding Microsoft services and it’s automation possibilities have definitely evolved quickly. Automation can now be done with basically any scripting or programming language because Microsoft offers us the Microsoft Graph API. Although API (application program interface) sounds more like a developer term engineers should better get used to consuming API’s. As more and more services can be consumed as SaaS API’s are mostly offered for further data processing and automation.

Microsoft Graph API
#

Microsoft describes it’s own Graph API as “Microsoft Graph is the gateway to data and intelligence in Microsoft 365”. Most of the API’s out there are built according the RESTful definition. A RESTful, also called REST API should implement the following operations (HTTP methods) to work with data:

Application based authentication with the Intune PowerShell SDK using a certificate

Tue, 10 Dec 2019 15:43:58 +0000

As you might have noticed I have been doing quite a lot of automation stuff with Microsoft Graph for Intune and Azure AD. My preferred way to run PowerShell scripts which need to run on a regular basis is to use Azure automation. Unfortunately the official “Intune-PowerShell-SDK” does not support authentication with a client certificate. Therefore I updated the module and will show you how to use it with Azure automation.

Why I don’t like client secrets
#

Azure automation brings us service principals (run as accounts) which simplify the access to Azure resources by providing an Azure AD app registration and certificates to authenticate against Azure AD. This provides more security and prevents the risk from having client secrets stored as plain text in scripts. Going with a client secret when having a nice certificate based authentication solution in place feels like making a step-backwards for me. This was the main reason why I decided to “upgrade” the Intune-PowerShell-SDK to support certificate based authentication.

Why I love the Intune-PowerShell-SDK
#

This PowerShell SDK provides nice Cmdlets to do any kind of automation with Microsoft Graph, not only limited to Intune because it offers a helper cmdlets like:

Manage Azure AD group based licensing with PowerShell

Wed, 04 Dec 2019 14:39:00 +0000

Recently I needed to assign a lot of Microsoft licenses to different Azure AD groups. Unfortunately Microsoft does currently not offer a solution to do this (yet). Instead of giving up on this I decided to analyze what actually happens when you assign a license to a group in the Azure portal and found some actions going on within the hidden portal API. As an outcome I built a PowerShell module to manage Azure AD group based licensing assignments.

Full functionality for group-based licensing is available through the Azure portal, and currently PowerShell and Microsoft Graph support is limited to read-only operations.
PowerShell and Graph examples for group-based licensing in Azure AD

The PowerShell module
#

The PowerShell module uses the “main.iam.ad.ext.azure” API for the license operations and the AzureRM module to get an access token for the API. Please note that the mentioned API is not officially supported or documented. Although the API is being used by the Azure Portal for settings you configure via the portal.

Kudos to Jos Lieben for his “pioneer work” documenting on how to get an access token for the API.

Export and import Intune and Conditional Access configuration

Tue, 03 Dec 2019 07:28:18 +0000

With Microsoft Graph we have powerful automation and configuration management capabilities. To further simplify this process I built the “Modern Workplace Concierge”. It is an ASP.NET application which uses an Azure AD multi tenant app to access the Microsoft Graph API on behalf to perform export and import tasks. The project uses the Microsoft Graph Beta API to access your tenant’s data.

Modern Workplace Concierge
#

The Modern Workplace Concierge allows you to:

Import and export Intune configuration and settings
Import and export Conditional Access policies
Download OSD ready offline Autopilot profiles
Download stored PowerShell scripts in Intune (as PowerShell)

This allows you to import your existing Intune and Conditional Access configuration in new tenants or demo tenants. The files in JSON format can be used for further processing or documentation.

And this all via web browser no client side prerequisites or PowerShell code is required!

The Modern Workplace Concierge

The project and more information is available on GitHub feel free to provide feedback there.

That's how I backup my Intune configuration with the #ModernWorkplaceConcierge. Curious? Give it a try. Of course also supporting imports .https://t.co/30H8b0olLn pic.twitter.com/g5X58l1e1i
— Nicola Suter (@nicolonsky) December 3, 2019

More Information:

Bulk update Windows Autopilot groupTags

Sun, 01 Dec 2019 11:21:58 +0000

Recently I needed to change a couple of groupTags on existing Windows Autopilot devices. Because Windows Autopilot profiles have been assigned based on the groupTag. Of course I could have done this with the portal (check out the devicemanagement.microsoft.com portal if not done yet!) but I am definitely an automation fan when I need to do repetitive work.

Portal view and property mapping
#

In the Intune portal the Group Tag field on an Autopilot device maps to the Azure AD device property “OrderID”.
Dynamic Azure AD Groups to assign Autopilot profiles to devices can be built with the following membership rule:

(device.devicePhysicalIds -any _ -eq "[OrderID]:mOSD")

The “Order Identifier” field on an Autopilot device maps to the Azure AD device property “PurchaseOrderId”.
Dynamic Azure AD Groups to assign Autopilot profiles to devices can be built with the following membership rule:

(device.devicePhysicalIds -any _ -eq "[PurchaseOrderId]:1234")

PowerShell script to update groupTags
#

The following script updates the groupTag of one or multiple selected Autopilot devices. Selection is done with a PowerShell GridView.

Please note:

Conditional Access and Azure Log Analytics in Harmony

Fri, 18 Oct 2019 22:06:04 +0000

Auditing Conditional Access events and changes is crucial regarding your hygiene in Azure AD for your modern workplace. With the goal that we receive appropriate notifications and alerts if special events occur. Thanks to Azure Log Analytics (also referred to as Azure Monitor) we can easily filter and create alerts based on events. This post starts where most of the others end - giving you practical examples of KUSTO queries to search your Azure AD Audit logs with Log Analytics.

Default log retention in AAD
#

A point which get’s raised often is the default log retention in Azure Active Directory (AAD). Azure Active Directory stores all activity reports depending on your license for 7 or 30 days:

Azure AD Free and Basic: 7 days
Azure AD Premium P1 and P2: 30 days

Source, more Information.

To retain and further process Azure Active Directory Audit Logs for a longer time period (because a 30 day audit trail is likely too short for most organizations) we can:

Stream to an Azure Event Hub
Archive to Blob Storage
Forward them to Azure Log Analytics

With Log Analytics the KUSTO query language can be used to query the forwarded log entries and we can create alert rules based on custom queries.

Unable to reset Windows Hello for Business PIN

Fri, 11 Oct 2019 16:12:14 +0000

Recently I have been troubleshooting a nasty Windows Hello for Business problem which prevented all users in a tenant from resetting their Windows Hello for Business PIN’s on Azure AD joined devices while getting the error CAA20004.

Issue
#

When clicking on “I forgot my PIN”:

After completing the account sign-in and MFA challenge the Error CAA20004 came up:

Troubleshooting
#

The Azure AD Portal shows us “Failure reason: other”.

While recording all the https traffic to Microsofts oauth2 endpoint with Fiddler this finally unveils usable information:

AADSTS65001: The user or administrator has not consented to use the application with ID ’ 9115dd05-fad5-4f9c-acc7-305d08b1b04e’ named ’ Microsoft Pin Reset Client Production’. Send an interactive authorization request for this user and resource.

The error indicates that an application registration is missing in the tenant for the application “Microsoft Pin Reset Client Production”

Solution
#

After a short search I found a matching Microsoft docs article. Instead of reading through the whole article the only thing I needed to do was consenthing to the: Microsoft PIN Reset Service production application and also for the Microsoft PIN Reset Client production

Intune export uploaded PowerShell scripts

Wed, 09 Oct 2019 16:36:57 +0000

After you have uploaded a PowerShell script to the Intune portal you won’t be able to view the script or its content. Therefore things become complicated when an Intune tenant is managed by multiple admins and someone wants to update or review a script. In addition to the unknown script content things can go from bad to worse if you can’t find the script anymore. Fortunately we can recollect our PowerShell scripts directly from the Microsoft Graph API.

Taking advantage of the Intune-PowerShell-SDK
#

Install the Intune-PowerShell-SDK
Consent MS Graph App registration if not done yet (uses default Microsoft Intune PowerShell App with ID: d1ddf0e4-d672-4dae-b554-9d5bdfd93547 )
Execute the snippet below

Retrieve device configuration - PowerShell scripts
#

Final words
#

This was more a minimalistic self-serving post instead of a good explained one but it hopefully helps you if in need to export your PowerShell scripts in Intune without reinventing the wheel.

The Enrollment Status Page (ESP) and shared devices

Fri, 04 Oct 2019 14:44:10 +0000

If you use the Enrollment Status Page (ESP) on your (Autopilot) devices in blocking mode (Block device use until all apps and profiles are installed) things can get ugly and complicated if you sign-in with another user account on that machine. So it might be better to disable the Enrollment Status Page for all users who sign-in after the initial device enrollment.

ESP behaviour
#

I was not aware of the fact that only one ESP gets applied to a device and the first one applied will also remain on that device nevertheless if you configure additional ESP settings for different groups of users. In addition the ESP gets displayed for every account even if the account has no Intune license assigned and causing the ESP therefore to fail.

The Enrollment Status Page can only be targeted to a user who belongs to an assigned group and the policy is set on the device at the time of enrollment for all users that use the device. https://docs.microsoft.com/en-us/intune/windows-enrollment-status

Use cases from the field
#

I have came past the following use cases where you would want to disable the ESP after the initial enrollment:

Windows Autopilot failed to delete device records

Sun, 29 Sep 2019 20:16:03 +0000

Recently I needed to delete a desktop machine from the Windows Autopilot service in order to use the machine in another tenant. But the problem was that the Intune and Azure AD device objects were already deleted. All attempts taken within the Microsoft 365 Device Management and Intune Portal were unsuccessful.

Issue
#

Usually the autopilot device shows the associated Azure AD and Intune objects but here they were shown as N/A (not available) because they were already deleted.

Every attempt to delete the device produced the following error:

Device 8CC9082ZVE deletion failed. Please delete the associated Intune device before deleting this Autopilot device record.

Solution
#

A quick visit to the Microsoft Store for Business resolved things because there I could delete the device without any issue. Direct URL to the Microsoft Store for Business. After a sync in the Intune Autopilot Devices pane the device had also gone from the Intune portal.

Final words
#

This was a rather short post but I hope it prevents headache if you want to delete an Autopilot device with stale Azure AD / Intune records.

5 Ways to Screw Up Conditional Access

Wed, 28 Aug 2019 08:34:02 +0000

Nowadays where cloud services are available from all over the world we cannot (only) rely on trusted networks and on identities protected by usernames and passwords. Conditional access allows you to define granular controls whether an identity can access cloud applications. Based on the positive feedback for my “5 Ways to Screw up your Intune Tenant” post I felt empowered to get conditional access covered as well.

Chose your platform wisely
#

If you intend to use the device platform filter make sure that you cover all platforms including unknown platforms. Otherwise your might have a lack in your battleship. Also note that platform detection is based on best effort and can be exploited.

Long live legacy
#

Mind the client apps configuration to ensure that your conditional access policies also apply to non-modern authentication clients. If you have created your conditional access policies in the early days of the product you didn’t have this option available.

Something that has created some confusion is that conditional access policies don’t include legacy authentication clients by default, this means that if you have a conditional access policy enforcing MFA for all users and all cloud apps, it doesn’t block legacy authentication clients (or “Other clients”, as the CA UI refers to them) - Sue Bohn, Microsoft

Windows Autopilot White Glove Field Notes

Wed, 14 Aug 2019 16:38:31 +0000

I’m happy to share some field notes and experiences with the Windows Autopilot White Glove feature which is available with the Windows 10 1903 release. I’ve done a lot of testing and engineering for a recent project which also included this brand new feature.

First things first (requirements)
#

This is probably the most important information of this post. Really make sure to verify the following prerequisites for Autopilot White Glove. Because there are additional requirements compared to Autopilot enrollments.

Basic Autopilot
#

Make sure that a “classical” Autopilot Deployment is working properly without any issues.

Hardware and OS
#

Hardware with support for device Attestation (“Physical devices that support TPM 2.0 and device attestation; virtual machines are not supported.”)
Physical devices with Ethernet connectivity (WiFi connectivity is not supported!)
Windows 10, version 1903 with KB4505903 injected (equals OS Build 18362.267)

Starting the white glove adventure
#

Preparing Windows 10 1903
#

As mentioned by Michael Niehaus Windows multiple Autopilot issues were fixed by KB4505903. So we need to inject this cumulative update to the downloaded source. This was already the first hurdle to overcome because I’ve missed the fact that the Windows Setup (install.wim) actually contained multiple image indexes (yeah it’s kinda embarrassing). We achieve this by using dism offline servicing with PowerShell cmdlets.

Windows Autopilot White Glove Error 0x81036501

Thu, 08 Aug 2019 16:58:05 +0000

While testing Autopilot White glove for a customer project my test machines always got stuck within the “Registering your device for mobile management” step and timed out after 12 minutes and returned the error “0x81036501” just before showing the White Glove Failed screen. I was doing my tests with Windows 10 1903 DE (German) with the most recent cumulative update installed, meaning OS build: 18362.267.

The Issue
#

As normal Autopilot enrollments were working like a charm this one had to be related to the White Glove scenario. Here’s a screen capture showing the actual behavior (unfortunately with German display language):

By pressing [shift] + [F10] i opened a command prompt and launched the event viewer (eventvwr.msc). In the “Microsoft-Windows-ModernDeployment-Diagnostics-Provider/Autopilot” event log I found the following error popping up multiple times, including a retry attempt and limit:

Autopilot discovery failed to find a valid MDM. Confirm that the AAD tenant is properly provisioned and licensed for exactly one MDM. HRESULT = 0x81036501

AutopilotManager failed during device enrollment phase DeviceDiscovery. HRESULT = 0x81036501

On the enrollment status page the error “0x81036501” got displayed for like one second before showing the red generic Autopilot White glove error screen.

Intune Win32 app requirements deep dive

Mon, 05 Aug 2019 17:09:02 +0000

The Intune Win32 app requirements feature is quite underrated and often overseen in my experience. The ability to specify a custom PowerShell scripts allow us to check for specific hardware or device properties in order to determine if an app or firmware update should be installed or not. So there’s no need to build multiple and complex dynamic Azure AD groups for the assignment of your apps.

Use cases from the field
#

From recent projects I’ve discovered the following use cases to deploy Win32 apps only to specific hardware types:

Install specific device drivers or hardware vendor’s software which is not available within the Windows update catalog (e.g. hotkey features, firmware updates)
Install a VPN client only on notebooks and tablets (e.g. Palo Alto GlobalProtect Client)

Win32 app requirements
#

Intune Win32 app requirements are evaluated by the Intune Management Extension to check if a device fulfills defined requirements for an application installation. Requirements support both built-in and custom rules.

Built-in rules
#

Wit the built-in capabilities we can check for:

5 Ways to Screw up your Intune Tenant

Wed, 31 Jul 2019 06:40:00 +0000

Here are 5 common recommendations based on misconfigurations I’ve came across in the field which will give your Intune tenant and devices a hard time to work smoothly. So better read this post that you not screw up your Intune tenant and maybe take advantage of the experiences others already gained.

Housekeeping
#

It’s important to know which devices are actually being used and usually a nice addition to understand compliance data. Stale device entries in may give you a wrong impression of your Intune tenant and it’s health. So enable the automatic device cleanup rule to remove the enrolled device from Intune. Additionally you may also remove the device entries stored in Azure Active Directory (I created a little on-demand script for this which can also run in azure automation).

Same applies to registered Autopilot devices. E.g. if you allow your employees to buy their old devices from the company if they get a new one make sure to remove the device from the Autopilot service. Otherwise you’ll see it again popping up in your tenant very soon. Thus it also prevents the device from being registered in another tenant as autopilot device.

Automating network drive mapping configuration with Intune

Fri, 19 Jul 2019 07:32:46 +0000

I’m thrilled to introduce the intune-drive-mapping-generator which creates PowerShell scripts to map network drives with Intune. The tool is open source and built on ASP.NET Core MVC.

The intune-drive-mapping-generator is your tool of choice to:

Generate an Intune PowerShell script to map network drives on Azure AD joined devices
Seamlessly migrate existing network drive mapping group policies
Generate a network drive mapping configuration from scratch
Use an existing Active Directory group as a filter to deploy all your drive mapping configurations within one script

This all happens without scripting effort. You receive a fully functional PowerShell script for the deployment with Intune.

Architecture
#

This tool is designed to work best with the following components although it can be useful for other purposes(?) :

Azure AD Joined and Intune enrolled Windows 10 devices
Synced user account from Active Directory to Azure Active Directory (Azure AD Connect)
On-premises file servers

Howto
#

Export existing group policy
#

To convert your existing drive mapping group policy configuration, save the GPO as XML report with the group policy management console.

Creating desktop shortcuts with Intune

Tue, 09 Jul 2019 23:22:24 +0000

Why want you to create desktop shortcuts with Intune? Business specific apps may require special shortcuts in order to launch the application with the right parameters. Or you need to create a shortcut for an application which is stored on your on premises fileserver. For this purpose I created a little solution which closes the gap between the modern cloud and on premises world. In comparison with other solutions this one works if you have redirected the users desktop with OneDrive Known Folder Move and automatically remediates missing shortcuts if they got deleted.

Direct link to the GitHub repository.

Browser links: Instead of placing shortcuts to websites on the desktop I would recommend you to use managed bookmarks which can be directly provisioned within the web browser. I documented this for the new Microsoft Edge based on chromium here. {: .notice}

Features
#

This solution works when the desktop is redirected with OneDrive Known Folder Move
Everything is user based (local userprofile)
If the shortcut is missing or deleted it gets automatically (re)created
Possibility to remove shortcut via Intune Win32 app uninstall
Shortcut can point to: URL, File (UNC) or Folder (UNC)
Ability to pass shortcut arguments
Ability to specify shortcut icon (UNC/URL)
Ability to deploy shortcut together with an app using Intune Win32 app dependencies

Architecture
#

A simple PowerShell script which does all the shortcut stuff is wrapped as Intune Win32 App. This adds possibility to detect the presence of the shortcut and if required to uninstall it with Intune. In order to work with the redirected desktop to OneDrive with Known Folder Move we can take advantage of the [Environment]::GetFolderPath("Desktop") method to resolve the desktop location. Based on the Win32 app configuration the shortut get’s either created on the users personal desktop or on the allusers desktop.

Bypassing Conditional Access Device Platform Policies

Tue, 02 Jul 2019 17:12:06 +0000

Recently I read a great article from the Microsoft IAM Director Sue Bohn concerning a Conditional Access Q&A. One question was about the device platform feature - which let’s you apply a policy only to a specific device platform like iOS, Android or Windows 10.

The detection of the device platform relies on the user agent string sent by the application or web browser. Because this one can be spoofed easily better configure your Conditional Access policies wisely.

The problem
#

As soon as you enable the device platform selection there’s the chance that a user doesn’t catch any Conditional Access policy.

As a result, you should not rely on the User Agent String to be present or to be accurate. Most browsers have a function to set an arbitrary User Agent String for testing purposes. (Microsoft)

Bypass example
#

To give you an example, here’s a little walk-through:

Conditional Access Policy configured for all cloud apps
Windows 10 selected as device platform
Access control: Block

If we now try to access the azure portal with a Windows 10 app or browser we get the following result:

Calling the Microsoft Graph API via PowerShell without a user

Mon, 17 Jun 2019 18:47:47 +0000

A colleague recently asked me how to access the Microsoft Graph API using PowerShell without specifying his user account or credentials. So here’s a little post about the required configuration to authenticate against the OAuth 2.0 endpoint of Azure AD with an app registration. This is especially useful for automation services like Azure automation.

At the end of this post you’ll find a PowerShell template.

Gather application information
#

Create a new client secret for your app and note down the following values:

Client Secret
Application ID (client ID)
Directory ID (tenant ID)

Azure AD App registration

## PowerShell code

Request authentication token
#

In order to use the Graph API we need an authentication token. The information we gathered before is now sent to the Azure AD OAuth 2.0 endpoint.

https://login.microsoftonline.com/{TenantID}/oauth2/v2.0/token

In the request supply a body with the following content:

$body=@{
 client_id="8f9f420d-606c-4e13-889e-837072dbfb42"
 client_secret="BlaBlaExampleSecret" #Generated secret
 scope="https://graph.microsoft.com/.default"
 grant_type="client_credentials"
}

The scope and grant_type are required attributes. A full example looks like:

$body=@{
 client_id="8f9f420d-606c-4e13-889e-837072dbfb42"
 client_secret="BlaBlaExampleSecret"
 scope="https://graph.microsoft.com/.default"
 grant_type="client_credentials"
}

$tenantId="7955e1b3-cbad-49eb-9a84-e14aed7f3400"

Invoke-WebRequest -Uri "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token" -ContentType "application/x-www-form-urlencoded" -Body $body -Method Post

If everything works we receive an access token object as HTML 200/ok response:

Mastering Windows Hello for Business with your hybrid Identity

Sun, 09 Jun 2019 18:07:32 +0000

I had the honor to deploy Windows Hello for Business several times for customers transitioning to a modern workplace using Azure AD and Microsoft Intune to manage their Windows 10 devices - combined with hybrid user identities. Now I want to share the most common hurdles and my experiences with you.

Just to make sure that you have the modern mindset - here’s a little quote to reconsider your hybrid strategy (if not already done):

You don’t need a Hybrid Azure AD join for your Windows 10 devices. Be brave and don’t be afraid and switch to an Azure AD join. It will simplify your device management and significantly reduce the complexity.

Why additional configuration is required
#

To access on premise resources who rely on Active Directory (file shares, applications) kerberos is used as authentication protocol. If you have Azure AD connect in place and a user sign’s in with his hybrid Identity using a password to a Windows 10 device which is Azure AD joined he automatically receives the required kerberos tickets if he wants to access resources.

But if the sign-in happens with Windows Hello for Business credentials (pin, biometrics) the authentication flow get’s interrupted because whether the domain controller (if it’s not a Windows Server 2016 DC) or the client can verify the integrity of each other.

Onboard macOS to Microsoft Defender ATP with Microsoft Intune

Thu, 23 May 2019 14:23:57 +0000

Microsoft Defender ATP (MDATP) for macOS hit finally the public preview status. We can now protect our macOS endpoints with cloud based power. I created a little guide about the onboarding process with Microsoft Intune and the user experience.

Prerequisites
#

From a macOS endpoint perspective:

macOS version 10.12 (Sierra) or newer
No third party endpoint protection installed
At least 1GB of free disk space
macOS client enrolled in your Intune tenant

If you want to enable macOS enrollment for your Intune tenant - I’ve written a post about the enrollment process.

From a Microsoft 365 perspective:

Microsoft Defender ATP license (Windows 10 Enterprise E5)
Intune tenant wit macOS enrollment enabled
Access to the Microsoft Defender Security Center
Appropriate user rights to create and assign an Intune device configuration, LOB App

This post assumes that you perform the tasks and file preparation on a macOS machine.

Preparing the onboarding package and files
#

Access the Microsoft Defender Security Center and gather the installation and onboarding package:

To deploy the installation package with Microsoft Intune we need the Intune app wrapping tool for macOS which is available here.

Enroll macOS devices to Microsoft Intune

Thu, 23 May 2019 14:22:05 +0000

As Microsoft starts to empower the integration for non Windows devices and also the available apps for macOS devices you might want to profit from your existing MDM solution of choice (Microsoft Intune) and enable features like conditional access or Windows Defender ATP on your macOS devices. This post covers the enrollment with the company portal app. If you want to enroll your devices with DEP (device enrollment program) you can find a great guide here.

Mind the enrollment restrictions
#

Let’s start and check the configured enrollment restrictions to make sure that the macOS enrollment is not blocked for your tenant. You’ll find them on your Intune dashboard under: Microsoft Intune > Device enrollment - Enrollment restrictions

Intune enrollment restrictions

Get an Apple MDM push certificate
#

Without loosing into details - you need an Apple MDM push certificate (also called APNs) to manage apple devices with MDM. The push certificate allows your MDM solution to send notifications about device actions to your end devices (e.g. wipe, app installation, new policy). To request a push certificate you need a valid Apple ID.

Intune configure lid close action

Sun, 19 May 2019 19:08:00 +0000

When using your notebooks and portable devices together with a docking station your users might like to close the lid. The Windows 10 1903 release introduces additional power CSP settings. One of them allows you to configure the lid close action while on ac power - so the device doesn’t switch to hibernate mode as by default.

Policy CSP configuration
#

To configure this policy with Microsoft Intune use the following OMA-URI configuration within a new custom device configuration:

Other possible values are:

0 - Take no action
1 - Sleep
2 - System hibernate sleep state
3 - System shutdown

End user experience
#

After the next MDM policy refresh the configured policy takes effect and is visible under the power options in control panel:

Introducing the OneDrive AutoMountTeamSites setting

Sun, 17 Mar 2019 16:03:09 +0000

Reviewing the latest OneDrive features I wanted to try the new AutoMountTeamSites setting which lets you preconfigure SharePoint online sites to sync automatically for defined users and devices.

Updated on 12.07.2019: Included the Intune administrative template configuration

The setting is officially described as follow:

This setting lets you specify SharePoint team site libraries to sync automatically the next time users sign in to the OneDrive sync client. (Microsoft)

If you enable this setting, the OneDrive sync client will automatically download the contents of the libraries you specified as online-only files the next time the user signs in. The user won’t be able to stop syncing the libraries. (Microsoft)

Prerequisites
#

In order to get things up an running we need at least:

OneDrive sync client version 19.012.0121.0011 or newer
Windows 10 Version 1709 or newer
OneDrive Files On-Demand enabled (described below)

Be aware that this feature is not supported with on-premises SharePoint sites and not recommended to enable this setting for more than 1'000 devices. The device limit is related to the Windows Push Notification Service which tells the OneDrive clients when a file change occurs on a server side. When you exceed that limit clients will find themselves in a polling mode. Hans Brender explains this behavior well on his blog.

Intune map network drives and execute PowerShell script on each user logon

Fri, 11 Jan 2019 20:51:36 +0000

Recently a customer needed a drive mapping solution to access his on premise file shares during his transition phase to a cloud-only workplace. I wanted to share the solution with you because it’s a frequently asked question around a modern workplace migration. The following solution can also be extended or modified for a printer mapping or other PowerShell scripts which need to run on each user logon.

Updated 04.08.2019: I’ve developed an automated solution to generate network drive mapping configurations with an online tool which also migrates group policy network drive mappings. See: next-level-network-drive-mapping-with-intune.

Direct link to the final scripts

Lets assume we have the following scenario:

- Customer with hybrid user-identities (Azure AD Connect) - On premise ressources with legacy file shares - Devices are Azure AD joined ( **not** hybrid joined) - MDM managed with Intune - [Optional] Always on VPN for external on-premise resource access - [Optional] Windows Hello for Business deployment as described [here](https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso)

Architecture
#

With my colleague Alain Schneiter I designed the following solution:

Main PowerShell script stored on Azure blob storage which handles the drive mapping - driveletters, UNC paths and descriptions can be configured within the script
Client side script deployed with Intune which triggers the main script during logon. The main script is not stored locally which makes it easy to customize (no updates oder changes needed on client side)
Deployment is user targeted via Azure AD group and Intune

Azure blob storage configuration
#

We wanted to store the script within Azure because the customer was already using Azure blob storage. It’s also possible to store the PowerShell script on GitHub if you don’t want to use Azure.

Clean up stale Azure AD devices

Thu, 10 Jan 2019 22:25:00 +0000

If you are using Azure AD and the time passes you’ll have a lot of old device entries. If you enable the automatic device cleanup rule in Microsoft Intune the device is only removed within MDM and the Azure AD entry still exists.

Intune device cleanup rule

For this reason I created a tiny PowerShell snippet to create a report with all devices which didn’t contact your Azure AD tenant since the treshold date specified. If you confirm the operation you can also delete all affected devices.

Please be careful when running the script because when removing a device from Azure AD the stored Bitlocker recovery keys are also removed. I can recommend Roger Zander’s Azure table-based Bitlocker recovery key solution.

Set Office 365 UsageLocation property with Azure automation

Wed, 09 Jan 2019 15:23:00 +0000

If you want to assign Microsoft licenses to your Azure AD users e.g. Microsoft 365 E3 licenses you can do this with group based licensing as described here. ~~The problem is that even with group based licensing the UsageLocation property for each user must be set individually.~~

Update: 13.01.2019: Since group based licensing is GA the tenant location is used if no UsageLocation is set on a user object. Use this guide if you want to manually assign licenses or override the tenant settings if you need to configure different UsageLocations.

Possible bulk and automation solutions
#

You can achieve this with the following options:

“Manual” trough Azure or Office 365 portal
PowerShell (must be triggered manually or through scheduled task)
Azure AD Connect synchronisation (UsageLocation populated in on prem AD)
Azure automation with PowerShell runbook as in this post 🙂

Azure automation sounds expensive?
#

Fortunately Azure automation offers 500 minutes of script runtime for free. Find more details under Automation pricing. Just to give you an idea: If the executed script has an average runtime of 1 minute you could run it (500 minutes / (30 calendear days / 1 minute script runtime)) = 16x per day. Each month. For free.

SwissSkills some thoughts about this years competition

Sat, 15 Sep 2018 18:19:38 +0000

That’s it. Saturday morning, the day after my SwissSkills 2018 competition in Bern. Waiting for a call to answer even though I know that my performance was not good enough to deserve a podium spot.

Update, 16.09.2018: the rankings are now available and I made it to the fourth place. Missing third by 0.05 points (!)

My journey
#

Last year I had the privilege to compete at the national ICT skills after qualifying through the regional championships. I went there with no expectations I just wanted to know where I stand amongst others. In the end I was overwhelmed with the 3rd place.

With this achievement a few things had changed. I’ve gotten new opportunities regarding my job, had the chance to attend great events and had a confidence boost to finish my apprenticeship.

Because of my 3rd place last year I was automatically qualified to compete this year at the SwissSkills in Bern. Now I had expectations and wanted to qualify myself for the upcoming WorldSkills in Kazan.

The SwissSkills competition
#

I went to the event with a good feeling and felt confident. I had prepared myself well - even better than last year and I wanted this podium spot so badly. During the competition I was realizing that just because you want something it doesn’t have to mean that you will get it. No matter how much you want it. I gave my very best but approximately after 5 hours into the competition I had trouble to focus properly and was unable to concentrate. Of course the tasks were difficult but not at an unsolvable level.

Deploy OneDrive KFM with Microsoft Intune OMA-URI

Thu, 06 Sep 2018 18:37:21 +0000

OneDrive KFM (Known Folder Move) allows you to redirect common Windows folders (Desktop, Documents and Pictures) to the users personal OneDrive. OneDrive Known Folder Move is the modern replacement for the well known folder redirection group policy. The deployment with Microsoft Intune allows you to trigger or automate the OneDrive KFM configuration for your end users.

Updated on 04.08.2019: Added administrative template configuration

This post is based on a great article from Oliver Kieselbach about Deep dive ADMX ingestion to configure SilentAccountConfig with OneDrive. I used his blog to play around with the admx ingestion.

Prerequisites
#

To automatically deploy OneDrive Known Folder Move the following prerequisites must be met:

OneDrive sync client with build 18.111.0603.0004 or greater
Azure AD Joined or Hybrid Azure AD Joined Windows 10 Device Running Windows 10 1709 or later

Intune Configuration
#

Configure SilentAccountConfig
#

Option #1 - ADMX Templates
#

With SilentAccountConfig enabled OneDrive for Business gets automatically configured with the current user account who’s signing in to Windows.

Windows 10 1803 New MDM Policy CSP Settings

Sat, 21 Apr 2018 22:11:30 +0000

Hello. Long time no see. Finally I’m back with a new post. This time I created a nice little list with Windows 10 1803 New MDM Policy CSP Settings for the next Windows 10 release. If you’re not familiar with Policy CSP Settings - that are GPO Settings configureable over an Intune OMA-Uri Policy. Here’s a great introducation to Policy CSP Settings.

My favorite policy CPS’s available with Windows 10 1803
#

The following CSP’s are available on Windows 10 1803 and later:

ControlPolicyConflict: MDMWinsOverGP
This policy allows the IT admin to control which policy will be used whenever both the MDM policy and its equivalent Group Policy are set on the device.
Microsoft docs
LanmanWorkstation: EnableInsecureGuestLogons
This policy setting determines if the SMB client will allow insecure guest logons to an SMB server
Microsoft docs
RestrictedGroups: ConfigureGroupMembership
This security setting allows an administrator to define the members of a security-sensitive (restricted) group.
Microsoft docs

You can find the entire list (CSV) on Github.

The scripts to retrieve and compare the available Policy CSP’s for a Windows version are available on GitHub. Feel free to leave feedback or improvement changes.

Surface Hub Miracast Connection Error

Fri, 05 Jan 2018 10:48:59 +0000

Recently I had to troubleshoot a sticky Surface Hub Miracast Connection error for a customer. They were unable to connect to the surface hub from domain joined devices but a newly installed device from a blank Windows image was working as expected. I started Troubleshooting the Surface Hub Miracast Connection Error and checked all the points mentioned in the official Troubleshoot Miracast on Surface Hub post from Microsoft.

Default Configuration
#

On a Windows 10 1709 device exists a default firewall rule to allow Miracast connections to wireless displays:

But the connection attempt was still interrupted after a timeout.

Looking trough Group Policy
#

After analyzing the Windows 10 Security Baseline Group Policy configuration I came across the following settings:

Computer Configuration > Windows Settings > Security Settings > Windows Firewall with Advanced Security:

In the settings for the public profile under the “Customize” section there’s a section called “Rule merging”:

As you can see rule merging is turned of in the Windows 10 Security Baseline which means, **all locally configured firewall rules are being ignored for the public profile. **Because Miracast connections or connection attempts belong to the public profile of the Windows Firewall, the built-in local firewall rule gets always bypassed.

Windows 10 1709 Cannot Access SMB2 Share Guest Access

Thu, 19 Oct 2017 17:51:57 +0000

After Upgrading to Windows 10 1709 (Fall Creators Update) I couldn’t access my Synology NAS anymore. Therefore I started troubleshooting the Windows 10 1709 Cannot Access SMB2 Share Guest Access error:

An error occurred while reconnecting X: to \\nas\data Microsoft Windows Network: You can’t access this shared folder because your organization’s security policies block unauthenticated guest access. These policies help protect your PC from unsafe or malicious devices on the network.

Cause
#

Starting with Windows 10 1709, Windows prevents you from accessing network shares with guest access enabled. Guest access means connecting to network shares without authentication, using the built-in “guest” account.

This has no reference to the SMB1 protocol which was disabled in the latest Windows 10 release.

Resolution
#

To enable guest access again, configure the following GPO:

Computer configuration > administrative templates > network > Lanman Workstation: "Enable insecure guest logons" = Enabled

Registry Key
#

The according registry key is located under:

PowerShell Script Test Open TCP Ports

Wed, 18 Oct 2017 13:28:12 +0000

Recently I was troubleshooting ADFS connection issues when I discovered a nice little Cmdlet called “Test-NetConnection”. With this Cmdelet you can verify TCP connectivity, in my case from a client to the ADFS server.

The Test-NetConnection cmdlet displays diagnostic information for a connection. It supports ping test, TCP test, route tracing, and route selection diagnostics. Depending on the input parameters, the output can include the DNS lookup results, a list of IP interfaces, IPsec rules, route/source address selection results, and/or confirmation of connection establishment.

Find a full documentation on the Microsoft Docs Page.

About the script
#

With this Script you are able to specify server names and port numbers to check in a CSV File. The Script generates an CSV output file as a report. You can use this script for troubleshooting or engineering purposes to verify if TCP ports are opened.

Simply add the hostname and TCP port to the “CheckList.csv” and the script checks the specified servers and ports.

The script will generate an output file for the same path containing the suffix “Report_” with the test results.

CheckList.csv:
Report_CheckList.csv generated after script execution:

Manage Local Administrator Rights Using Group Policy

Sat, 14 Oct 2017 13:37:49 +0000

If you imagine that your users or administrators have uncontrolled local administrator rights it’s a nightmare. They have (certainly) full control over their computer, and could do a lot of harm. So managing local administrator rights is definitely a must.

Manage Local Administrator Rights
#

The Active Directory Group Policies offer a great possibility to manage local groups on clients or servers. All the magic happens with “Restricted Groups”.

Adding a group or users to a local group
#

If you want to add a certain group to a built-in group add the group to the restricted groups under the “This group is a member of” sections:

When the GPO is no longer applied, the restricted group is being removed from the clients.

Overwrite local group members
#

When you wan’t take full control over a local group, you can choose the “Members of this group” option. Then all group members are replaced with the specified users or groups here, except the built-in local Administrator account.

PowerShell Function Validate Object Properties Using ValidateScript

Thu, 12 Oct 2017 10:25:09 +0000

Recently I was working on a PowerShell script with many custom functions. When I started to use PowerShell custom objects I wanted to be able to pass them to a function. So I faced the challenge of validating my object for all required properties and came up with this solution, using the ValidateScript block to test the object:

Customizing the ValidateScript
#

As you can see I use a ValidateScript for the parameter validation to test the object for the required properties. The properties can be specified in an array: $requiredProperties=@("Property1","Property2","Property3", "Property4") When we call the Function with an appropriate object:

$config= [PSCUSTOMOBJECT]@{ 
 property1= "Value"; 
 property2= "Value"; 
 property3= "Value"; 
 property4= "Value"; 
}

We receive the following output:

PS H:\> New-Example -InputObject $config 
Succesfully passed ValidateScript

Result
#

If we remove one or more properties from our custom object, an error is thrown:

PS H:\> $config= [PSCUSTOMOBJECT]@{ 
 property1= "Value"; 
 property2= "Value"; 
 property3= "Value"; 
} 

New-Example -InputObject $config 

New-Example : Cannot validate argument on parameter 'InputObject'. Property: 'Property4' missing At line:10 char:26 + New-Example -InputObject $config + ~~~~~~~ + CategoryInfo : InvalidData: (:) [New-Example], ParameterBindingValidationException + FullyQualifiedErrorId : ParameterArgumentValidationError,New-Example

If you want to go a step further you could extend the ValidateScript to…

Prevent passing properties with a NULL or empty value
#

$_.PSObject.Properties | ForEach-Object { 
 if (([string]::IsNullOrEmpty($_.Value))){ 
 Throw [System.Management.Automation.ValidationMetadataException] "Property '$($_.Name)' has either a NULL or empty value" 
 } 
}

If we call our function again with the added IsNullOrEmpty validation NULL or emtpy values throw an exception:

Managing printers with PowerShell

Tue, 10 Oct 2017 17:54:54 +0000

Managing printers with PowerShell instead of VBScript? Sometimes it’s necessary to add and remove specific printers to a computer. For example during a client deployment or when a user logs on. This post covers how to manage printers with PowerShell.

The following PowerShell commands are supported with PowerShell version 4 and newer.

Installing a local network printer
#

Installing a local printer (without a printserver) consists of the following steps:

Add the printer driver to your system’s driverstore
Install the printer driver from the driverstore
Add a printer port to communicate with the printer
Last but not least add the printer

Add the printer driver to the driverstore
#

Before you can install the printer driver you need to import the printer driver to your system’s driverstore.

This can be achieved with the built in Windows “pnputil” utility.

The following code adds all drivers from the specified path to the driverstore:

Get-ChildItem %PathToYourDriverFolder% -Filter *.inf -Recurse | % {pnputil.exe /a $_.FullName}

Install the printer driver from the driverstore
#

This step is quite simple, you just need to know the name of the printer driver you want to install. For example “HP Universal Printing PCL 6”.

Disable Java Auto Update During Installation

Tue, 10 Oct 2017 17:00:01 +0000

Disable Java Auto Update without registry modification?

Recently i had to install Oracle Java on a Terminal server and was curious, if it’s possible to configure the package that the auto update feature is disabled without any registry configuration?

Custom configuration
#

On the Oracle website i found a great article about the possibility to pass a configuration file to the installer:

Here’s the syntax to install Java silently with a custom configuration:

jre-8u121-windows-x64.exe -s INSTALLCFG="C:\Install\Java\java.settings.cfg" AUTO_UPDATE=Disable EULA=Disable NOSTARTMENU=Enable SPONSORS=Disable

You can find a full reference of all configuration items here: https://docs.oracle.com/javase/8/docs/technotes/guides/install/config.html

Please be careful when using the REMOVEOUTOFDATEJRES=1 option, because when you install the same Java version in a different architecture (x86 & x64), the other architecture with the same version is being removed during the installation!

You can find more information on the About section of my blog. Stay tuned for more posts.

About

Mon, 01 Jan 0001 00:00:00 +0000

Thank you for visiting my blog and reading this far. I am passionate about Cyber Security with the Microsoft Security stack. On this blog I like to share ideas, solutions, experiences and learnings with the community. I write those blog posts during my free time and don’t write posts with sponsored content.

Please note that all posts on this blog reflect my own opinions and are provided “as is”, without warranty of any kind.

User Group
#

To further strengthen the swiss Microsoft Security Community, I’m also Organizing the Workplace & Security Ninja User Group Switzerland with my good friend Janic. The latest event and call for speakers information is available on meetup.

Offline Activities
#

Here some offline impressions:

Talks

Mon, 01 Jan 0001 00:00:00 +0000

I am looking forward speaking on the events listed below. Do not hesitate to contact me for your next event. Slides from past events can mostly be downloaded as PDF.

Upcoming
#

Date	Event	Session
x	Your event?	For any speaking related inquiries just drop me an e-mail

Past
#

Date	Event	Session
08.10.2025	Workplace Ninja User Group Switzerland	Intune misconfigurations in the wild, what we see and what you should fix!
24.09.2025	Workplace Ninja Summit 2025	Various sessions
10.06.2025	Switch NetSec WG 2025	KQL Threat Hunting hands on lab
16.09.2024	Workplace Ninja Summit 2024	Various sessions
28.05.2024	KQL Café	Preventive side of ITDR with KQL
05.05.2024	MMS 2024 at MOA	Various sessions
30.10.2023	MMS 2023 Miami Beach Edition	Various sessions
27.09.2023	Workplace Ninja Summit 2023	Demystifying Defender for Endpoint Security Settings Management
19.03.2021	WPNinjaUG_CH 2103 Virtual	Automating Intune Tasks with the Microsoft Graph API
30.09.2020	Experts Live Switzerland	A safari through the Intune device management scenario jungle
29.11.2019	Geekmania	Hybrid Azure AD Join and Windows Hello for Business
04.10.2019	Configmgr Community Event (CMCE)	Classic On-Prem Services in the Cloud

Hi, I'm Nicola 👋 on Nicola Suter

Finally native SOAR in Sentinel?

Playbook Generator in Action #

Don't let Entra ID Protection miss your next breach!

Real-world motivation #

The bummer? #

CEO impersonation with Microsoft Booking

Microsoft Booking #

Defender XDR Unified Detections Meet Sentinel Data Lake

Architecture Overview #

Previous Detection Architecture #

AI just solved a CTF for me!

Foreword #

Preconditions #

Azure Data Explorer #

Did you hear that maester supports Intune?

About Maester #

Intune Related Checks #

Example #

Mai 2024 KQL Café Recap

Summary #

Recording #

What the heck is ITDR?! #

AiTM Phishing with Azure Functions

Advantages of serverless phishing toolkits #

Let’s do AiTM Phishing with Azure Functions #

Demo #

Have you heard about passkeys and AAGuids?

Enriching Microsoft Sentinel tables with eligible Entra directory roles

Gathering PIM eligible Entra Directory Roles #

Maintaining Microsoft Sentinel Analytic Rules in JSON and YAML with GitHub Actions

Building a GitHub Action #

Have you heard of workload identity access token replay?

Stealing and replaying workload identity access tokens #

Microsoft Entra Connect Sync Hardening

Understanding the scope #

Why you should use Entra Workload Identity Federation

Quick recap on Workload Identities #

Retrieving Windows LAPS Azure AD Passwords with PowerShell

Where is this command originating from? #

Let’s retrieve some passwords #

Let's have a tête-à-tête with the new Windows LAPS for Azure AD joined devices

Setup #

Prerequisites #

Azure AD enablement #

Provoking Defender for Identity suspicious certificate usage alerts

What makes a vulnerable environment #

You must not touch my endpoint security settings!

Prerequisites #

Optimising Microsoft Graph PowerShell scripts

Reasons why your script is slow #

Slow algorithms and wrong data structures #

Migrating to the new Windows Store experience

Challenges #

Script prerequisites #

GitHub Actions with Entra Workload Identity Federation

How it works #

Inside Windows package manager (winget)

How does winget find sources? #

How are winget CDN packages provided? #

Setting up a radius server for Azure AD joined devices and 802.1x

Disclaimer #

Available solutions #

Android dedicated devices managed home screen and system apps

System Apps #

List of commonly used System apps for Samsung devices #

The easiest way to work with the Microsoft Graph PowerShell SDK

Requirements #

JWT #

Intune app protection policy report

Information visible within the portal #

Script #

Have you considered TPM key attestation?

Understanding cryptography providers #

Automatically sign your PowerShell scripts with GitHub actions

Prerequisites #

Add variables to GitHub actions #

GitHub action variables #

GitHub action workflow #

Securely sending emails from PowerShell scripts with modern authentication enforced

Playbook Generator in Action
#

Real-world motivation
#

The bummer?
#

Microsoft Booking
#

Architecture Overview
#

Previous Detection Architecture
#

Foreword
#

Preconditions
#

Azure Data Explorer
#

About Maester
#

Intune Related Checks
#

Example
#

Summary
#

Recording
#

What the heck is ITDR?!
#

Advantages of serverless phishing toolkits
#

Let’s do AiTM Phishing with Azure Functions
#

Demo
#

Gathering PIM eligible Entra Directory Roles
#

Building a GitHub Action
#

Stealing and replaying workload identity access tokens
#

Understanding the scope
#

Quick recap on Workload Identities
#

Where is this command originating from?
#

Let’s retrieve some passwords
#

Setup
#

Prerequisites
#

Azure AD enablement
#

What makes a vulnerable environment
#

Prerequisites
#

Reasons why your script is slow
#

Slow algorithms and wrong data structures
#

Challenges
#

Script prerequisites
#

How it works
#

How does winget find sources?
#

How are winget CDN packages provided?
#

Disclaimer
#

Available solutions
#

System Apps
#

List of commonly used System apps for Samsung devices
#

Requirements
#

JWT
#

Information visible within the portal
#

Script
#

Understanding cryptography providers
#

Prerequisites
#

Add variables to GitHub actions
#

GitHub action variables
#

GitHub action workflow
#

Microsoft Graph resource
#

Create an app registration
#

The actual issue
#

Fixing things
#

Save file with UTF-8 encoding
#

Why do we need an access token?
#

What’s inside the access token
#

How to identify stale profiles
#

What to do with stale profiles
#

Generate a Key Pair
#

Add SSH config file
#

Test the SSH connection
#

Windows Terminal Configuration
#

Sync Windows Terminal Settings with OneDrive
#

Workflow
#

Discover request URL’s and payload
#

Solution overview
#

PowerShell scrips
#

Detection script
#

Remediation script
#

Microsoft Endpoint Manager Portal
#

Example about how to capture URLs and build a PowerShell script
#

Examples from the field
#

Option 1: Automatic dependency management
#

PowerShell Module
#

CI/CD
#

Role-based access control within the Microsoft 365 ecosystem
#

Notable features
#

Architecture
#

Kusto queries for your log analytics workspace
#