Automation on Nicola Suter

Manage Microsoft Sentinel Table Tiers and Retention as Code with Bicep

Sun, 24 May 2026 12:00:03 +0000

Managing Microsoft Sentinel table retention and tiers is typically done through scripts or the portal, but neither approach fits well into an infrastructure-as-code workflow and it can be difficult to maintain tables at scale. While exploring the Log Analytics Bicep resource provider, I came across the Microsoft.OperationalInsights/workspaces/tables resource type¹, which makes it possible to manage table tier and retention declaratively with Bicep: version-controlled, reviewable, and reproducible across environments.

For each table we typically want to control:

Table tier: Analytics or Data Lake (Auxiliary)
Interactive retention: the hot, queryable period
Total retention: the overall retention period of the table

Typical Table Configuration Settings

Managing the total retention per table is necessary whenever you want to keep logs longer than the 90-day default to satisfy logging or compliance requirements. Since there is no workspace-level default for total retention, it has to be configured table by table, a perfect fit for a declarative approach.

Identify tables with recent ingestion
#

To identify ‘active’ tables, both a KQL- and API-based approach exist.

KQL
#

The following KQL query lists tables that have received data in the last 90 days along with their current tier, which is helpful when deciding what to put under Bicep management:

Optimising Microsoft Graph PowerShell scripts

Wed, 22 Feb 2023 00:00:00 +0000

We all have probably been there and developed a PowerShell script that took some fair amount of time until the execution completed, weren’t we? Of course one could argue and say that as long a script ‘works’ it is good enough but depending on the use case and environment a PowerShell script that runs 30 to 60 minutes exceeds the patience of most (IT) people and can also lead to increased costs. But what makes those kinds of scripts that awfully slow and can’t we just tweak them to run faster?

The following examples and script will be related to PowerShell and the Microsoft Graph API but the mentioned approaches can be adapted for any kind of RESTful API and scripting language. For all interactions with the Graph API I use the Microsoft Graph PowerShell SDK which is available as a PowerShell module from the PowerShell gallery.

Reasons why your script is slow
#

I would say I have already read and (tried to) understand hundreds of PowerShell scripts out there and I often notice the following flaws which lead to poor performance:

Slow algorithms and wrong data structures
#

Slow algorithms are extricably linked to the understanding of data structures when it comes to PowerShell scripting. Here the top two cases I often observe:

Migrating to the new Windows Store experience

Mon, 30 Jan 2023 18:56:24 +0000

The Microsoft Store for Business will be discontinued mid 2023 and Intune recently introduced the new Windows Store experience backed by winget to distribute apps to your Intune managed endpoints.

To simplify the migration to the new Windows Store experience I created a PowerShell Script that migrates all currently assigned Windows Store for Business apps to the new Windows Store experience.

Kudos to Sander Rozemuller for providing detailed instructions about creating winget apps as PowerShell code samples.

Challenges
#

While scripting and extracting the existing Windows Store for Business (WSfB) apps I encountered the following issues:

Not all apps in WSfB have valid privacy and information URLs, therefore I added a check whether the URL starts with http(s).
Some apps have characters present (äöüë….) that require UTF-8 encoding. So I explicitly set the HTTP content-type header to UTF8.

Script prerequisites
#

To run the script you need to have the Microsoft Graph PowerShell SDK modules installed on your machine. You can install them with the following command:

Install-Module Microsoft.Graph.Authentication, Microsoft.Graph.Devices.CorporateManagement -Scope CurrentUser

From a permissions perspective you need an Azure AD Application Administrator for the initial OAuth permission consent and for regular execution the Intune Administrator role.

GitHub Actions with Entra Workload Identity Federation

Mon, 23 Jan 2023 17:03:47 +0000

Workload Identity Federation (let’s just call this WIF) allows app principals not residing within Azure to request short lived access tokens. This removes the need of storing client secrets or certificates within GitHub as Action secrets. One drawback ist that currently only the Azure modules support the usage of WIF.

How it works
#

WIF relies on trust. This trust is directly configured on the Azure AD app registration and scoped to an individual GitHub repository and optionally fine grained by limiting the usage to single git refs, specifically branches and tags. By trusting GitHub as external identity provider (IdP), a GitHub Action can request an identity token from the GitHub IdP and exchange this one against an access token within Azure AD.

A GitHub IdP issued token (decoded) contains the following information:

{ 
 "jti": "1a9fe224-c936-46f6-a38b-3300e76251b0", 
 "sub": "repo:nicolonsky/musical-octo-telegram:ref:refs/heads/main", 
 "aud": "api://AzureADTokenExchange", 
 "ref": "refs/heads/main", 
 "sha": "9f112c0b82547e35b10250d7f3165789bf97862f", 
 "repository": "nicolonsky/musical-octo-telegram", 
 "repository_owner": "nicolonsky", 
 "repository_owner_id": "32899754", 
 "run_id": "3986560796", 
 "run_number": "2", 
 "run_attempt": "2", 
 "repository_visibility": "private", 
 "repository_id": "592303002", 
 "actor_id": "32899754", 
 "actor": "nicolonsky", 
 "workflow": ".github/workflows/wif.yaml", 
 "head_ref": "", 
 "base_ref": "", 
 "event_name": "push", 
 "ref_type": "branch", 
 "workflow_ref": "nicolonsky/musical-octo-telegram/.github/workflows/wif.yaml@refs/heads/main", 
 "workflow_sha": "9f112c0b82547e35b10250d7f3165789bf97862f", 
 "job_workflow_ref": "nicolonsky/musical-octo-telegram/.github/workflows/wif.yaml@refs/heads/main", 
 "job_workflow_sha": "9f112c0b82547e35b10250d7f3165789bf97862f", 
 "iss": "https://token.actions.githubusercontent.com", 
 "nbf": 1674486850, 
 "exp": 1674487750, 
 "iat": 1674487450 
}

Did you recognize the matching sub attribute within the GitHub issued token and the Azure AD configuration? For a successful authentication the:

Automatically sign your PowerShell scripts with GitHub actions

Fri, 09 Jul 2021 00:00:00 +0000

Based on one of my older posts about PowerShell script signing with Azure DevOps I recently implemented a PowerShell script signing workflow with GitHub actions I wanted to share with the community.

Prerequisites
#

For this post the following prerequisites are required:

Code signing certificate in PFX format
GitHub account

Add variables to GitHub actions
#

Because GitHub variables can only be of string content we need to get the contents of the pfx file as base64 encoded string:

$pfxCertFilePath = "~\Downloads\CodeSigningCertificate.pfx"
$pfxContent = Get-Content $pfxCertFilePath -Encoding Byte
[System.Convert]::ToBase64String($pfxContent) | Set-Clipboard

GitHub action variables
#

Add two variables as actions secrets:

BASE64_PFX: Base 64 encoded string of the PFX (automatically copied into your clipboard with the above commands) PFX_PASSWORD: Password for the private key of the pfx file

GitHub action workflow
#

Place the following workflow file within your git repository: .github/workflows/SignPowerShell.yaml whereas the name of the YAML file can be freely chosen.

Securely sending emails from PowerShell scripts with modern authentication enforced

Fri, 19 Mar 2021 00:00:00 +0000

The Send-MailMessage cmdlet has been around for a couple of years and is mostly used to send email messages from PowerShell. But with the deprecation and security flaws of legacy authentication it’s time for a better option which actually supports modern authentication. For this purpose we can use the Microsoft Graph API and the Microsoft Graph PowerShell SDK. The best thing is that this solution works without any service account and does not need any exclusions from conditional access.

Microsoft Graph resource
#

To send a mail we simply specify the user account from which we want to send the email:

POST: https://graph.microsoft.com/v1.0/users/sean.connery@dev.nicolonsky.ch/sendMail

Create an app registration
#

Simply create a new app registration with the Mail.Send permissions and use a certificate for the authentication.

We need to take additional steps to limit the permissions of the app registration. Otherwise the app can send mails on behalf of any user in your tenant. To limit the permissions we leverage exchange application access policies.

Connect to Exchange Online with the ExchangeOnlineManagement PowerShell module Connect-ExchangeOnline

Dealing with Intune OMA-URI encoding and applocker rules

Tue, 16 Feb 2021 00:00:00 +0000

While fine-tuning and adjusting applocker policies for co-managed Windows 10 clients I got really annoyed by special characters commonly used in the German/Swiss language. The Intune portal seemed to use different encoding and didn’t allow me to just copy/paste the currently deployed policy and extend it with a new rule. I needed to request the original file that was uploaded to the tenant in order to adjust the rule. Instead of just accepting this I decided that it is time for an easier approach which I will share with you.

The actual issue
#

After uploading the XML with the applocker policies (in my case EXE rules), special characters like ‘ö’ or ‘ü’ have a weird encoding displayed in the portal. The next person that wants to edit the policy needs to take care to fix the unrecognized characters otherwise the publisher rule won’t work anymore.

Top: Portal view of the special characters, bottom: original file.

Fixing things
#

Save file with UTF-8 encoding
#

First, make sure that you saved an uploaded the file with UTF-8 encoding as this introduces support for most character sets. You can do this by selecting the encoding box in the right bottom of Visual Studio Code:

Microsoft Graph Access Token Acquisition with PowerShell explained in depth

Mon, 04 Jan 2021 00:00:00 +0000

When working with the Microsoft Graph API or introducing the API to colleagues I often get asked about the steps required to obtain an access token for the API with PowerShell. Out in the wild, I’ve spotted many different ways and lots of implementations still relying on the ADAL (Active Directory Authentication Library) despite the fact that this client library is superseded by MSAL (Microsoft Authentication Library). So let’s talk about acquiring access token “in stile” with the most simple method available.

Why do we need an access token?
#

When talking about the Microsoft Graph API an access token fulfills two roles, first: prove authentication (proof of identity) second prove authorization (permissions). Each request needs to submit a request-header that contains the access token.

For an API it’s crucial to validate the authentication and authorization for every request. Otherwise, requests could be made to resources the actor has no access to.

What’s inside the access token
#

You did probably stumble over the terms “bearer authentication” or “bearer token” these describe a mechanism within the OAuth 2.0 Authorization framework to authenticate requests with access tokens. Tokens are issued by the authorization server (Azure AD) and contain a server-generated string in the format of a JSON Web Token (JWT) with the following information (the list is not exhaustive and truncated to only contain the most interesting parts):

Housekeeping for stale MEM profiles

Wed, 16 Dec 2020 00:00:00 +0000

When involved in new projects I often find a bunch of old profiles in the Microsoft Endpoint Management Console. Before going ahead with a new implementation it’s the best time to clean-up all the leftovers from past ramblings.

How to identify stale profiles
#

If one or multiple statements are met for a profile it is very likely to be a stale profile:

No assignments, assignments to a group without members
“Test” included within the profile name or description
Last modified points back in time for more than a year
No devices reported success/failure status for the given profile type

What to do with stale profiles
#

So let’s be brave and delete them. But Intune doesn’t offer any [CTRL] + [Z] or recycle bin possibilities so we might want to have some kind of archive, just in case?

Let’s agree that we:

Check the points from the list above
Ask our colleagues if they know something about the profiles and their usage
Take a backup

deleting them afterward is a reasonable action which is probably beneficial for everyone.

Export and import MEM Endpoint Security Profiles

Thu, 19 Nov 2020 00:00:00 +0000

Recently I got a DM on Twitter with a question about how to export and import Endpoint Security profiles with Microsoft Graph. Besides a technical answer which might be of interest for you, I’d like to show you the workflow I used to give a proper reply.

Original question:

Hi @nicolonsky, I was advised on the MS Elite Partner focus groups team (MEM Automation) to reach out to you regarding my question about export/import policies from Endpoint Security in Intune. I’ve been able to export the Disk Encryption policy (via graph explorer), but haven’t been able to find the correct format to use to upload/import it. I was hoping that you would be able to advise on how to go about achieving this.

Workflow
#

Discover request URL’s and payload
#

To discover the request URLs and payloads I used the methodology I explained in the this post a while ago. Basically, I tracked the network activity and used a filter to only include requests made to the Graph API while doing the following activities:

Build an Azure DevOps pipeline to automatically sign your PowerShell scripts

Thu, 01 Oct 2020 00:00:00 +0000

Too lazy to sign your PowerShell scripts? Yes of course it provides security benefits but performing the steps manually can be easily forgotten and re-signing needs to happen after every script change. Because I like CI/CD topics and have not found a solution on the internet I decided to build a solution based on Azure capabilities. Furthermore, I wanted a solution which does not require to hand out the code signing certificate to the respective script author which can be useful if you have a bunch of people writing PowerShell scripts.

From a personal perspective, I would also recommend signing scripts you hand over to customers to ensure the integrity of the scripts because as soon as the script gets changed the signature is invalid.

You can find more general recommendations about script signing in the PowerShell docs.

Solution overview
#

The key vault will store the code signing certificate with an access policy that allows access from the Azure DevOps pipeline.

The pipeline consists of the following steps:

Import code signing certificate
- The certificate is supplied as secret in a variable group which is linked to the key vault
- Access to the key vault is granted with a service connection (service principal)
Sign PowerShell scripts which contain a “magic token”
- All *.ps1 within the attached repository will be enumerated
- To control which scripts will be signed only those with the “magic token” get processed
- The “magic token” gets removed before signing the script
Publish signed PowerShell scripts as pipeline artifacts
- To make them available for download

Bulk create Intune mobile app deployment groups and assignments

Wed, 19 Aug 2020 00:00:00 +0000

Creating assignments and software deployment groups for Intune mobile apps is quite a repetitive and manual task. Because of that, I want to share a PowerShell script with you which allows you to automatically create software deployment groups in Azure AD and the assignments for various intents.

The script allows you to:

Create Azure AD groups (install uninstall purpose)
- Pick existing groups based on displayName
Assign Intune mobile apps (tested for Win32 and MSI LOB apps)

You can find the script on my techblog GitHub repository.

Because of the configurable group prefixes the script helps you to keep your Intune environment clean and implement a standard app assignment configuration.

The script uses the Microsoft Graph API and the following resources

https://graph.microsoft.com/beta/deviceAppmanagement/mobileApps
https://graph.microsoft.com/beta/deviceAppmanagement/mobileApps/{AppID}/Assignments
https://graph.microsoft.com/beta/groups

It uses the preregistered app “Microsoft Intune PowerShell” which exists by default in all tenants. If you want to run the Script with PowerShell 7 you need to create an adjust the MSAL token section with the -DeviceCode parameter.

You can bulk select the apps you want to create the assignment and AAD deployment groups:

Hope this saves you some time.

Add PowerShell modules to Azure functions

Mon, 17 Aug 2020 00:00:00 +0000

Azure functions for PowerShell natively ship without additional cmdlets or PowerShell modules. In this post, I will show you how to add both public modules from the PowerShell gallery with automatic dependency management and custom modules.

For both options, we use the Kudu tools to adjust the configuration of our function app. You can launch them from the “Advanced Tools” section of your function app:

Afterwards, launch the PowerShell debug console and navigate to the wwwroot folder of your app:

Option 1: Automatic dependency management
#

Note: Installing modules which require license acceptance (e.g. the MSAL.PS module) currently cannot be installed with automatic dependency management. You can track the issue status here and here. {: .notice–warning}

Azure function apps running PowerShell come with a nice feature called managed dependencies. You can specify the modules you want to import from the PowerShell Gallery and the function app host will automatically process the dependencies.

In the requirements.psd1 add the module details:

# This file enables modules to be automatically managed by the Functions service.
# See https://aka.ms/functionsmanageddependency for additional information.
#
@{
 # For latest supported version, go to 'https://www.powershellgallery.com/packages/Az'.
 'Az' = '4.*'
 'Microsoft.Graph.Authentication' = '0.*'
}

You can either specify an exact version available from the PowerShell Gallery or specify the major version with a wildcard. With the wildcard option it will use the latest version available.

Playing around with the Office 365 Service Communications API

Mon, 10 Aug 2020 00:00:00 +0000

The Office 365 Service Communications API provides information about Microsoft 365 service status for your tenant including service messages. I built a little PowerShell module to access the API with PowerShell cmdlets. In this post I want to show you some examples which help you to use the API.

PowerShell Module
#

I built a PowerShell module to access Microsoft 365 service status details natively with PowerShell. The PowerShell module and documentation is available on the PowerShell Gallery and on GitHub.

Before using the module an app registration is required. Setup instructions are also provided on GitHub.

CI/CD
#

By leveraging Azure DevOps I created a build and release pipeline which automatically builds the PowerShell module with Plaster.

Builds are only created if the commit on GitHub includes a version tag. This version tag gets automatically populated to the module manifest.

The build artifact gets then automatically published to the PowerShell Gallery as a new version. Furthermore, a new GitHub release including the module artifact is added to the project.

This process fully automates the publishing and build process for the module. For local development and maintenance, the module can also be built with Invoke-Build.

Azure AD guest user review solution

Tue, 14 Jul 2020 00:00:00 +0000

Azure Active Directory guest users really simplify the process to collaborate with external users. Although keeping a good governance on guest accounts can become quite a challenge. The two biggest challenges I often observe are: “Who invited that guest user?” and “Does this guest user still need access to our infrastructure?”. Inspired by a recent post of Thomas Kurth regarding Azure AD Guest Account - Governance and Cleanup I also developed a solution which comes quite close to an “Azure AD Access review” like user experience.

Notable features
#

The ‘Manager’ attribute of your guest users get’s automatically populated with the identity of the inviter
All Azure AD app registration information is stored in Azure Key Vault
Almost zero touch deployment with ARM templates
You can integrate existing guest users into this solution by populating the manager attribute in Azure AD
You can configure the approval frequency for guest accounts
Approval frequency respects last approval date for each guest account

Architecture
#

The solution leverages function of:

Azure Logic App

10 suggestions to improve your next PowerShell script

Wed, 08 Jul 2020 00:00:00 +0000

Most of the time PowerShell is my favourite choice to automate processes and tasks. In order to improve the maintainability of my scripts I usually try to focus on some standards combined with a clean scripting style. In this post I want to show you 10 suggestions to improve your next PowerShell script. I’ve tried to order the suggestions according to an actual PowerShell starting from the very first line till the last line.

1. Script prerequisites
#

Your PowerShell script might need specific modules or elevated user rights to run. The #Requires statement ensures that these prerequisites are met before the actual script get’s executed. So you don’t need to implement your own checks to verify prerequisites.

Simply use the #Requires statement at the very first line of your script. Find out more about #Requires statement.

Modules
#

Another benefit of specifying the modules within the requires statement is that scripts hosted on the PowerShell Gallery automatically install the modules mentioned in the #Requires list.

To make sure a specific module is installed use:

#Requires -module "Microsoft.Graph.Intune"

To ensure a module with a specific version is available:

Remove Azure AD direct License Assignments with PowerShell

Wed, 08 Jul 2020 00:00:00 +0000

Who doesn’t love a clean and tidy environment, do you? This also applies for your license assignments in Office 365 and Azure AD. As time passess it is likely to have users with direct license assignments or users which still have old trial licenses assigned. To get rid of those assignments I created a PowerShell script with removal and reporting functionality.

Direct link to the script.

Identify direct license assignments
#

In the Azure Portal we recognize direct license assignments on a user account by viewing the “Assignment Paths”:

With the MSOnline PowerShell module we can view the Licenses property of a user and retrieve a nested property called: GroupsAssigningLicense. The GroupsAssigningLicense property contains either:

An empty array if the license was not inherited from a group -> direct assignment
An array with objectId’s
- If the array contains the user’s objectId -> direct assignment

Example 1: User with objectId 36c9b091-fe88-4dc2-a9e1-2662020b4bab has group based license assignment and direct assignment:

AccountSkuId : nicolasuter:SPE_E5
GroupsAssigningLicense : {0a918505-d0d5-4078-9891-0e8bec67cb65, 36c9b091-fe88-4dc2-a9e1-2662020b4bab}

Example 2: User has no inherited licenses from a group:

AccountSkuId : nicolasuter:SPE_E5
GroupsAssigningLicense : {}

PowerShell Script
#

You find the PowerShell script on my techblog GitHub repository.

Document Conditional Access Configuration with my Modern Workplace Concierge

Mon, 20 Apr 2020 19:22:33 +0000

Documenting things sucks. If it involves a lot of klick(edi klack klack) in portals and copying information around even more. But there’s hope. And it’s called automation. For the Intune part Thomas Kurt did already an awesome job with his IntuneDocumentation. Now the Modern Workplace Concierge is ready to help you with documenting your Conditional Access configuration. I promise you: we will get through this within under 15 minutes! Afterwards you can make an impression on your fellow Enterprise Mobility teammates.

What’s inside?
#

A Conditional Access policy is returned by the Microsoft Graph API in the following JSON representation:


{
 "id": "714b5737-5f13-415e-bf96-d659f3a5928e",
 "displayName": "PROD - Admin protection - Azure management: Require MFA",
 "createdDateTime": null,
 "modifiedDateTime": null,
 "state": "enabled",
 "grantControls": {
 "operator": "OR",
 "builtInControls": [
 "mfa"
 ],
 "customAuthenticationFactors": [],
 "termsOfUse": []
 },
 "conditions": {
 "signInRiskLevels": [],
 "clientAppTypes": [],
 "platforms": null,
 "locations": null,
 "deviceStates": null,
 "applications": {
 "includeApplications": [
 "797f4846-ba00-4fd7-ba43-dac1f8f63013"
 ],
 "excludeApplications": [],
 "includeUserActions": []
 },
 "users": {
 "includeUsers": [
 "All"
 ],
 "excludeUsers": [],
 "includeGroups": [],
 "excludeGroups": [
 "04988d96-ad01-4569-9aee-a199a1cb4f8e"
 ],
 "includeRoles": [],
 "excludeRoles": []
 }
 },
 "sessionControls": null
}

That’s not really human readable. Especially the object id’s (32 character UUIDs) make it difficult to guess to which users or apps a policy is assigned. But an API has definitely other goals than showing pretty formatted reports.

Export and import Intune and Conditional Access configuration

Tue, 03 Dec 2019 07:28:18 +0000

With Microsoft Graph we have powerful automation and configuration management capabilities. To further simplify this process I built the “Modern Workplace Concierge”. It is an ASP.NET application which uses an Azure AD multi tenant app to access the Microsoft Graph API on behalf to perform export and import tasks. The project uses the Microsoft Graph Beta API to access your tenant’s data.

Modern Workplace Concierge
#

The Modern Workplace Concierge allows you to:

Import and export Intune configuration and settings
Import and export Conditional Access policies
Download OSD ready offline Autopilot profiles
Download stored PowerShell scripts in Intune (as PowerShell)

This allows you to import your existing Intune and Conditional Access configuration in new tenants or demo tenants. The files in JSON format can be used for further processing or documentation.

And this all via web browser no client side prerequisites or PowerShell code is required!

The Modern Workplace Concierge

The project and more information is available on GitHub feel free to provide feedback there.

That's how I backup my Intune configuration with the #ModernWorkplaceConcierge. Curious? Give it a try. Of course also supporting imports .https://t.co/30H8b0olLn pic.twitter.com/g5X58l1e1i
— Nicola Suter (@nicolonsky) December 3, 2019

More Information:

Automating network drive mapping configuration with Intune

Fri, 19 Jul 2019 07:32:46 +0000

I’m thrilled to introduce the intune-drive-mapping-generator which creates PowerShell scripts to map network drives with Intune. The tool is open source and built on ASP.NET Core MVC.

The intune-drive-mapping-generator is your tool of choice to:

Generate an Intune PowerShell script to map network drives on Azure AD joined devices
Seamlessly migrate existing network drive mapping group policies
Generate a network drive mapping configuration from scratch
Use an existing Active Directory group as a filter to deploy all your drive mapping configurations within one script

This all happens without scripting effort. You receive a fully functional PowerShell script for the deployment with Intune.

Architecture
#

This tool is designed to work best with the following components although it can be useful for other purposes(?) :

Azure AD Joined and Intune enrolled Windows 10 devices
Synced user account from Active Directory to Azure Active Directory (Azure AD Connect)
On-premises file servers

Howto
#

Export existing group policy
#

To convert your existing drive mapping group policy configuration, save the GPO as XML report with the group policy management console.

Clean up stale Azure AD devices

Thu, 10 Jan 2019 22:25:00 +0000

If you are using Azure AD and the time passes you’ll have a lot of old device entries. If you enable the automatic device cleanup rule in Microsoft Intune the device is only removed within MDM and the Azure AD entry still exists.

Intune device cleanup rule

For this reason I created a tiny PowerShell snippet to create a report with all devices which didn’t contact your Azure AD tenant since the treshold date specified. If you confirm the operation you can also delete all affected devices.

Please be careful when running the script because when removing a device from Azure AD the stored Bitlocker recovery keys are also removed. I can recommend Roger Zander’s Azure table-based Bitlocker recovery key solution.

Set Office 365 UsageLocation property with Azure automation

Wed, 09 Jan 2019 15:23:00 +0000

If you want to assign Microsoft licenses to your Azure AD users e.g. Microsoft 365 E3 licenses you can do this with group based licensing as described here. ~~The problem is that even with group based licensing the UsageLocation property for each user must be set individually.~~

Update: 13.01.2019: Since group based licensing is GA the tenant location is used if no UsageLocation is set on a user object. Use this guide if you want to manually assign licenses or override the tenant settings if you need to configure different UsageLocations.

Possible bulk and automation solutions
#

You can achieve this with the following options:

“Manual” trough Azure or Office 365 portal
PowerShell (must be triggered manually or through scheduled task)
Azure AD Connect synchronisation (UsageLocation populated in on prem AD)
Azure automation with PowerShell runbook as in this post 🙂

Azure automation sounds expensive?
#

Fortunately Azure automation offers 500 minutes of script runtime for free. Find more details under Automation pricing. Just to give you an idea: If the executed script has an average runtime of 1 minute you could run it (500 minutes / (30 calendear days / 1 minute script runtime)) = 16x per day. Each month. For free.

PowerShell Script Test Open TCP Ports

Wed, 18 Oct 2017 13:28:12 +0000

Recently I was troubleshooting ADFS connection issues when I discovered a nice little Cmdlet called “Test-NetConnection”. With this Cmdelet you can verify TCP connectivity, in my case from a client to the ADFS server.

The Test-NetConnection cmdlet displays diagnostic information for a connection. It supports ping test, TCP test, route tracing, and route selection diagnostics. Depending on the input parameters, the output can include the DNS lookup results, a list of IP interfaces, IPsec rules, route/source address selection results, and/or confirmation of connection establishment.

Find a full documentation on the Microsoft Docs Page.

About the script
#

With this Script you are able to specify server names and port numbers to check in a CSV File. The Script generates an CSV output file as a report. You can use this script for troubleshooting or engineering purposes to verify if TCP ports are opened.

Simply add the hostname and TCP port to the “CheckList.csv” and the script checks the specified servers and ports.

The script will generate an output file for the same path containing the suffix “Report_” with the test results.

CheckList.csv:
Report_CheckList.csv generated after script execution:

PowerShell Function Validate Object Properties Using ValidateScript

Thu, 12 Oct 2017 10:25:09 +0000

Recently I was working on a PowerShell script with many custom functions. When I started to use PowerShell custom objects I wanted to be able to pass them to a function. So I faced the challenge of validating my object for all required properties and came up with this solution, using the ValidateScript block to test the object:

Customizing the ValidateScript
#

As you can see I use a ValidateScript for the parameter validation to test the object for the required properties. The properties can be specified in an array: $requiredProperties=@("Property1","Property2","Property3", "Property4") When we call the Function with an appropriate object:

$config= [PSCUSTOMOBJECT]@{ 
 property1= "Value"; 
 property2= "Value"; 
 property3= "Value"; 
 property4= "Value"; 
}

We receive the following output:

PS H:\> New-Example -InputObject $config 
Succesfully passed ValidateScript

Result
#

If we remove one or more properties from our custom object, an error is thrown:

PS H:\> $config= [PSCUSTOMOBJECT]@{ 
 property1= "Value"; 
 property2= "Value"; 
 property3= "Value"; 
} 

New-Example -InputObject $config 

New-Example : Cannot validate argument on parameter 'InputObject'. Property: 'Property4' missing At line:10 char:26 + New-Example -InputObject $config + ~~~~~~~ + CategoryInfo : InvalidData: (:) [New-Example], ParameterBindingValidationException + FullyQualifiedErrorId : ParameterArgumentValidationError,New-Example

If you want to go a step further you could extend the ValidateScript to…

Prevent passing properties with a NULL or empty value
#

$_.PSObject.Properties | ForEach-Object { 
 if (([string]::IsNullOrEmpty($_.Value))){ 
 Throw [System.Management.Automation.ValidationMetadataException] "Property '$($_.Name)' has either a NULL or empty value" 
 } 
}

If we call our function again with the added IsNullOrEmpty validation NULL or emtpy values throw an exception:

Automation on Nicola Suter

Manage Microsoft Sentinel Table Tiers and Retention as Code with Bicep

Identify tables with recent ingestion #

KQL #

Optimising Microsoft Graph PowerShell scripts

Reasons why your script is slow #

Slow algorithms and wrong data structures #

Migrating to the new Windows Store experience

Challenges #

Script prerequisites #

GitHub Actions with Entra Workload Identity Federation

How it works #

Automatically sign your PowerShell scripts with GitHub actions

Prerequisites #

Add variables to GitHub actions #

GitHub action variables #

GitHub action workflow #

Securely sending emails from PowerShell scripts with modern authentication enforced

Microsoft Graph resource #

Create an app registration #

Dealing with Intune OMA-URI encoding and applocker rules

The actual issue #

Fixing things #

Save file with UTF-8 encoding #

Microsoft Graph Access Token Acquisition with PowerShell explained in depth

Why do we need an access token? #

What’s inside the access token #

Housekeeping for stale MEM profiles

How to identify stale profiles #

What to do with stale profiles #

Export and import MEM Endpoint Security Profiles

Workflow #

Discover request URL’s and payload #

Build an Azure DevOps pipeline to automatically sign your PowerShell scripts

Solution overview #

Bulk create Intune mobile app deployment groups and assignments

Add PowerShell modules to Azure functions

Option 1: Automatic dependency management #

Playing around with the Office 365 Service Communications API

PowerShell Module #

CI/CD #

Azure AD guest user review solution

Notable features #

Architecture #

10 suggestions to improve your next PowerShell script

1. Script prerequisites #

Modules #

Remove Azure AD direct License Assignments with PowerShell

Identify direct license assignments #

PowerShell Script #

Document Conditional Access Configuration with my Modern Workplace Concierge

What’s inside? #

Export and import Intune and Conditional Access configuration

Modern Workplace Concierge #

Automating network drive mapping configuration with Intune

Architecture #

Howto #

Export existing group policy #

Clean up stale Azure AD devices

Set Office 365 UsageLocation property with Azure automation

Possible bulk and automation solutions #

Azure automation sounds expensive? #

PowerShell Script Test Open TCP Ports

About the script #

PowerShell Function Validate Object Properties Using ValidateScript

Customizing the ValidateScript #

Result #

Prevent passing properties with a NULL or empty value #

Identify tables with recent ingestion
#

KQL
#

Reasons why your script is slow
#

Slow algorithms and wrong data structures
#

Challenges
#

Script prerequisites
#

How it works
#

Prerequisites
#

Add variables to GitHub actions
#

GitHub action variables
#

GitHub action workflow
#

Microsoft Graph resource
#

Create an app registration
#

The actual issue
#

Fixing things
#

Save file with UTF-8 encoding
#

Why do we need an access token?
#

What’s inside the access token
#

How to identify stale profiles
#

What to do with stale profiles
#

Workflow
#

Discover request URL’s and payload
#

Solution overview
#

Option 1: Automatic dependency management
#

PowerShell Module
#

CI/CD
#

Notable features
#

Architecture
#

1. Script prerequisites
#

Modules
#

Identify direct license assignments
#

PowerShell Script
#

What’s inside?
#

Modern Workplace Concierge
#

Architecture
#

Howto
#

Export existing group policy
#

Possible bulk and automation solutions
#

Azure automation sounds expensive?
#

About the script
#

Customizing the ValidateScript
#

Result
#

Prevent passing properties with a NULL or empty value
#