Powershell on Nicola Suter

Optimising Microsoft Graph PowerShell scripts

Wed, 22 Feb 2023 00:00:00 +0000

We all have probably been there and developed a PowerShell script that took some fair amount of time until the execution completed, weren’t we? Of course one could argue and say that as long a script ‘works’ it is good enough but depending on the use case and environment a PowerShell script that runs 30 to 60 minutes exceeds the patience of most (IT) people and can also lead to increased costs. But what makes those kinds of scripts that awfully slow and can’t we just tweak them to run faster?

The following examples and script will be related to PowerShell and the Microsoft Graph API but the mentioned approaches can be adapted for any kind of RESTful API and scripting language. For all interactions with the Graph API I use the Microsoft Graph PowerShell SDK which is available as a PowerShell module from the PowerShell gallery.

Reasons why your script is slow
#

I would say I have already read and (tried to) understand hundreds of PowerShell scripts out there and I often notice the following flaws which lead to poor performance:

Slow algorithms and wrong data structures
#

Slow algorithms are extricably linked to the understanding of data structures when it comes to PowerShell scripting. Here the top two cases I often observe:

The easiest way to work with the Microsoft Graph PowerShell SDK

Fri, 09 Sep 2022 00:00:00 +0000

When you are new to RESTful APIs and want to start with Microsoft Graph to automate tasks in your Endpoint Manager tenant all the stuff about app registrations, access tokens, pagination and request headers can be quite confusing. In this post I want to show you a quick tip to kickstart your Microsoft Graph API experience.

Requirements
#

Cloud admin account with Intune Administrator role assigned
Ability to install Modules from the PowerShell gallery

JWT
#

Just because you can’t see it… doesn’t mean it isn’t there: Due to the naturality of OAuth 2.0 and OpenID connect (these are the protocols involved for authorization and authentication in a cloud environment) we can capture short lived access tokens, also called Json Web Tokens (JWTs) directly from a browser. Tokens are usually valid between 50 and 60 minutes - just what we need to get some hands on with Microsoft Graph API and MEM automation.

The cool thing is actually that we don’t need any kind of app registration or additional permissions which can be quite some blocker in certain restricted environments (or staff unfamiliar with those technologies 😉).

Intune app protection policy report

Mon, 13 Dec 2021 00:00:00 +0000

App protection (also called MAM) policies have been around for a couple of years within MEM and I already used them in various projects to protect company data on unmanaged iOS and Android devices. One of the drawbacks with this approach is that we do not have full visibility about the usage and I tried to shed some light about this with a PowerShel reporting script that pulls data from the Microsoft Graph API.

Information visible within the portal
#

In the MEM portal we can find report data about the number of users that have checked-in to any MAM policy grouped by the respective app.

If we want to perform a wipe we will also be able to see the devices a user has registered:

Of course I was curious which additional data is available on the Microsoft Graph API and found the following resource storing app protection policy check in details: /users/{ID}/managedAppRegistrations.

Script
#

The script uses the Intune PowerShell SDK (could easily be ported to MSAL.PS because I wrote it already a couple of months ago) to enumerate all internal users within the tenant and will check the above mentioned managedAppRegistrations resource. At the end you are presented a flattened CSV report containig the following details:

Automatically sign your PowerShell scripts with GitHub actions

Fri, 09 Jul 2021 00:00:00 +0000

Based on one of my older posts about PowerShell script signing with Azure DevOps I recently implemented a PowerShell script signing workflow with GitHub actions I wanted to share with the community.

Prerequisites
#

For this post the following prerequisites are required:

Code signing certificate in PFX format
GitHub account

Add variables to GitHub actions
#

Because GitHub variables can only be of string content we need to get the contents of the pfx file as base64 encoded string:

$pfxCertFilePath = "~\Downloads\CodeSigningCertificate.pfx"
$pfxContent = Get-Content $pfxCertFilePath -Encoding Byte
[System.Convert]::ToBase64String($pfxContent) | Set-Clipboard

GitHub action variables
#

Add two variables as actions secrets:

BASE64_PFX: Base 64 encoded string of the PFX (automatically copied into your clipboard with the above commands) PFX_PASSWORD: Password for the private key of the pfx file

GitHub action workflow
#

Place the following workflow file within your git repository: .github/workflows/SignPowerShell.yaml whereas the name of the YAML file can be freely chosen.

Securely sending emails from PowerShell scripts with modern authentication enforced

Fri, 19 Mar 2021 00:00:00 +0000

The Send-MailMessage cmdlet has been around for a couple of years and is mostly used to send email messages from PowerShell. But with the deprecation and security flaws of legacy authentication it’s time for a better option which actually supports modern authentication. For this purpose we can use the Microsoft Graph API and the Microsoft Graph PowerShell SDK. The best thing is that this solution works without any service account and does not need any exclusions from conditional access.

Microsoft Graph resource
#

To send a mail we simply specify the user account from which we want to send the email:

POST: https://graph.microsoft.com/v1.0/users/sean.connery@dev.nicolonsky.ch/sendMail

Create an app registration
#

Simply create a new app registration with the Mail.Send permissions and use a certificate for the authentication.

We need to take additional steps to limit the permissions of the app registration. Otherwise the app can send mails on behalf of any user in your tenant. To limit the permissions we leverage exchange application access policies.

Connect to Exchange Online with the ExchangeOnlineManagement PowerShell module Connect-ExchangeOnline

Dealing with Intune OMA-URI encoding and applocker rules

Tue, 16 Feb 2021 00:00:00 +0000

While fine-tuning and adjusting applocker policies for co-managed Windows 10 clients I got really annoyed by special characters commonly used in the German/Swiss language. The Intune portal seemed to use different encoding and didn’t allow me to just copy/paste the currently deployed policy and extend it with a new rule. I needed to request the original file that was uploaded to the tenant in order to adjust the rule. Instead of just accepting this I decided that it is time for an easier approach which I will share with you.

The actual issue
#

After uploading the XML with the applocker policies (in my case EXE rules), special characters like ‘ö’ or ‘ü’ have a weird encoding displayed in the portal. The next person that wants to edit the policy needs to take care to fix the unrecognized characters otherwise the publisher rule won’t work anymore.

Top: Portal view of the special characters, bottom: original file.

Fixing things
#

Save file with UTF-8 encoding
#

First, make sure that you saved an uploaded the file with UTF-8 encoding as this introduces support for most character sets. You can do this by selecting the encoding box in the right bottom of Visual Studio Code:

Microsoft Graph Access Token Acquisition with PowerShell explained in depth

Mon, 04 Jan 2021 00:00:00 +0000

When working with the Microsoft Graph API or introducing the API to colleagues I often get asked about the steps required to obtain an access token for the API with PowerShell. Out in the wild, I’ve spotted many different ways and lots of implementations still relying on the ADAL (Active Directory Authentication Library) despite the fact that this client library is superseded by MSAL (Microsoft Authentication Library). So let’s talk about acquiring access token “in stile” with the most simple method available.

Why do we need an access token?
#

When talking about the Microsoft Graph API an access token fulfills two roles, first: prove authentication (proof of identity) second prove authorization (permissions). Each request needs to submit a request-header that contains the access token.

For an API it’s crucial to validate the authentication and authorization for every request. Otherwise, requests could be made to resources the actor has no access to.

What’s inside the access token
#

You did probably stumble over the terms “bearer authentication” or “bearer token” these describe a mechanism within the OAuth 2.0 Authorization framework to authenticate requests with access tokens. Tokens are issued by the authorization server (Azure AD) and contain a server-generated string in the format of a JSON Web Token (JWT) with the following information (the list is not exhaustive and truncated to only contain the most interesting parts):

Build an Azure DevOps pipeline to automatically sign your PowerShell scripts

Thu, 01 Oct 2020 00:00:00 +0000

Too lazy to sign your PowerShell scripts? Yes of course it provides security benefits but performing the steps manually can be easily forgotten and re-signing needs to happen after every script change. Because I like CI/CD topics and have not found a solution on the internet I decided to build a solution based on Azure capabilities. Furthermore, I wanted a solution which does not require to hand out the code signing certificate to the respective script author which can be useful if you have a bunch of people writing PowerShell scripts.

From a personal perspective, I would also recommend signing scripts you hand over to customers to ensure the integrity of the scripts because as soon as the script gets changed the signature is invalid.

You can find more general recommendations about script signing in the PowerShell docs.

Solution overview
#

The key vault will store the code signing certificate with an access policy that allows access from the Azure DevOps pipeline.

The pipeline consists of the following steps:

Import code signing certificate
- The certificate is supplied as secret in a variable group which is linked to the key vault
- Access to the key vault is granted with a service connection (service principal)
Sign PowerShell scripts which contain a “magic token”
- All *.ps1 within the attached repository will be enumerated
- To control which scripts will be signed only those with the “magic token” get processed
- The “magic token” gets removed before signing the script
Publish signed PowerShell scripts as pipeline artifacts
- To make them available for download

Ensuring regular Defender Quick scans with Microsoft Endpoint Manager proactive remediations

Mon, 28 Sep 2020 00:00:00 +0000

While looking into the new Microsoft Defender Antivirus report available in MEM (Intune) I discovered some machines which did not report any recent Defender antimalware scans, despite configured via configuration profile. Of course, AV scans are kinda old-fashioned against rapidly evolving threats but a regular quick scan won’t hurt anyone. Instead of having a look at every single machine affected, I decided to try out the new proactive remediations feature which went globally available last week and let endpoint analytics do the detection and remediation work for me. As a reference, I used the Tutorial: Proactive remediations from Microsoft which covers the process quite well.

PowerShell scrips
#

For Endpoint analytics / Proactive remediations we need two PowerShell scripts. The first script is used as a detection script and determines whether remediation is necessary based on the exit code. Exit code 0 indicates a healthy status and exit code 1 indicates remediation necessary. Remediation occurs with a second PowerShell script.

To detect the most recent Defender scan I used the Windows Eventlog. Event ID’s are documented here.

Detection script
#

Remediation script
#

The remediation script is just about a one-liner to trigger a quick scan. You can extend this based on your requirements and respective to your Intune settings. E.g. triggering a signature update for a scan or adding additional steps.

Discover the Microsoft Graph API with the Microsoft Endpoint Manager Portal

Tue, 08 Sep 2020 00:00:00 +0000

You always wanted to automate a specific action within Intune / the Microsoft Endpoint Manager Portal (MEM) but were afraid of the complexity? The Microsoft Graph API docs deliver you more questions instead of answers? Automating tasks within the MEM portal could be very easy, couldn’t it? I promise it will be much simpler with this magician trick.

Microsoft Endpoint Manager Portal
#

The MEM Portal UI relies on the Microsoft Graph API. This means that the UI where you create new settings and policies and the Intune backend are encapsulated with different layers. Communication between the UI and the backend happens with the Microsoft Graph API. With the developer tools we can trace network traffic and discover the request URLs and request body payload which are required to interact with the API.

{: .align-center}

Example about how to capture URLs and build a PowerShell script
#

Original request body:

Access has been blocked by Conditional Access policies when using device code flow

Thu, 03 Sep 2020 00:00:00 +0000

When using device code authentication for PowerShell modules with conditional access you might receive prompts like: “Access has been blocked by Conditional Access policies. The access policy does not allow token issuance” or “AADSTS50097: Device authentication is required”. But what’s the reason for this error and is there a solution available?

Examples from the field
#

Device code flow is quite a convenient way to sign-in for an app within the web browser - at least if it works. If not you have to consider other options and that’s probably the reason why you’re reading this blog article.

Az PowerShell

Running the Az PowerShell module on PowerShell 7 uses device code flow to authenticate against your Azure tenant and might fail:

Connect-AzAccount: AADSTS50097: Device authentication is required.
Timestamp: 2020-08-17 13:36:31Z: Response status code does not indicate success: 401 (Unauthorized).

The sign-in to Azure is tied to the “Microsoft Azure Management” app that you can select within Conditional Access.

Microsoft Graph PowerShell

The same applies for the new Microsoft.Graph PowerShell modules - but here we receive a more detailed error message:

Connect-Graph: AADSTS53003: Access has been blocked by Conditional Access policies. The access policy does not allow token issuance.
Timestamp: 2020-08-17 13:37:12Z

The sign-in to the new Microsoft Graph Modules is tied to the “Microsoft Graph PowerShell (Preview)” app and some more apps I couldn’t determine.

Bulk create Intune mobile app deployment groups and assignments

Wed, 19 Aug 2020 00:00:00 +0000

Creating assignments and software deployment groups for Intune mobile apps is quite a repetitive and manual task. Because of that, I want to share a PowerShell script with you which allows you to automatically create software deployment groups in Azure AD and the assignments for various intents.

The script allows you to:

Create Azure AD groups (install uninstall purpose)
- Pick existing groups based on displayName
Assign Intune mobile apps (tested for Win32 and MSI LOB apps)

You can find the script on my techblog GitHub repository.

Because of the configurable group prefixes the script helps you to keep your Intune environment clean and implement a standard app assignment configuration.

The script uses the Microsoft Graph API and the following resources

https://graph.microsoft.com/beta/deviceAppmanagement/mobileApps
https://graph.microsoft.com/beta/deviceAppmanagement/mobileApps/{AppID}/Assignments
https://graph.microsoft.com/beta/groups

It uses the preregistered app “Microsoft Intune PowerShell” which exists by default in all tenants. If you want to run the Script with PowerShell 7 you need to create an adjust the MSAL token section with the -DeviceCode parameter.

You can bulk select the apps you want to create the assignment and AAD deployment groups:

Hope this saves you some time.

Add PowerShell modules to Azure functions

Mon, 17 Aug 2020 00:00:00 +0000

Azure functions for PowerShell natively ship without additional cmdlets or PowerShell modules. In this post, I will show you how to add both public modules from the PowerShell gallery with automatic dependency management and custom modules.

For both options, we use the Kudu tools to adjust the configuration of our function app. You can launch them from the “Advanced Tools” section of your function app:

Afterwards, launch the PowerShell debug console and navigate to the wwwroot folder of your app:

Option 1: Automatic dependency management
#

Note: Installing modules which require license acceptance (e.g. the MSAL.PS module) currently cannot be installed with automatic dependency management. You can track the issue status here and here. {: .notice–warning}

Azure function apps running PowerShell come with a nice feature called managed dependencies. You can specify the modules you want to import from the PowerShell Gallery and the function app host will automatically process the dependencies.

In the requirements.psd1 add the module details:

# This file enables modules to be automatically managed by the Functions service.
# See https://aka.ms/functionsmanageddependency for additional information.
#
@{
 # For latest supported version, go to 'https://www.powershellgallery.com/packages/Az'.
 'Az' = '4.*'
 'Microsoft.Graph.Authentication' = '0.*'
}

You can either specify an exact version available from the PowerShell Gallery or specify the major version with a wildcard. With the wildcard option it will use the latest version available.

Playing around with the Office 365 Service Communications API

Mon, 10 Aug 2020 00:00:00 +0000

The Office 365 Service Communications API provides information about Microsoft 365 service status for your tenant including service messages. I built a little PowerShell module to access the API with PowerShell cmdlets. In this post I want to show you some examples which help you to use the API.

PowerShell Module
#

I built a PowerShell module to access Microsoft 365 service status details natively with PowerShell. The PowerShell module and documentation is available on the PowerShell Gallery and on GitHub.

Before using the module an app registration is required. Setup instructions are also provided on GitHub.

CI/CD
#

By leveraging Azure DevOps I created a build and release pipeline which automatically builds the PowerShell module with Plaster.

Builds are only created if the commit on GitHub includes a version tag. This version tag gets automatically populated to the module manifest.

The build artifact gets then automatically published to the PowerShell Gallery as a new version. Furthermore, a new GitHub release including the module artifact is added to the project.

This process fully automates the publishing and build process for the module. For local development and maintenance, the module can also be built with Invoke-Build.

Azure AD guest user review solution

Tue, 14 Jul 2020 00:00:00 +0000

Azure Active Directory guest users really simplify the process to collaborate with external users. Although keeping a good governance on guest accounts can become quite a challenge. The two biggest challenges I often observe are: “Who invited that guest user?” and “Does this guest user still need access to our infrastructure?”. Inspired by a recent post of Thomas Kurth regarding Azure AD Guest Account - Governance and Cleanup I also developed a solution which comes quite close to an “Azure AD Access review” like user experience.

Notable features
#

The ‘Manager’ attribute of your guest users get’s automatically populated with the identity of the inviter
All Azure AD app registration information is stored in Azure Key Vault
Almost zero touch deployment with ARM templates
You can integrate existing guest users into this solution by populating the manager attribute in Azure AD
You can configure the approval frequency for guest accounts
Approval frequency respects last approval date for each guest account

Architecture
#

The solution leverages function of:

Azure Logic App

10 suggestions to improve your next PowerShell script

Wed, 08 Jul 2020 00:00:00 +0000

Most of the time PowerShell is my favourite choice to automate processes and tasks. In order to improve the maintainability of my scripts I usually try to focus on some standards combined with a clean scripting style. In this post I want to show you 10 suggestions to improve your next PowerShell script. I’ve tried to order the suggestions according to an actual PowerShell starting from the very first line till the last line.

1. Script prerequisites
#

Your PowerShell script might need specific modules or elevated user rights to run. The #Requires statement ensures that these prerequisites are met before the actual script get’s executed. So you don’t need to implement your own checks to verify prerequisites.

Simply use the #Requires statement at the very first line of your script. Find out more about #Requires statement.

Modules
#

Another benefit of specifying the modules within the requires statement is that scripts hosted on the PowerShell Gallery automatically install the modules mentioned in the #Requires list.

To make sure a specific module is installed use:

#Requires -module "Microsoft.Graph.Intune"

To ensure a module with a specific version is available:

Remove Azure AD direct License Assignments with PowerShell

Wed, 08 Jul 2020 00:00:00 +0000

Who doesn’t love a clean and tidy environment, do you? This also applies for your license assignments in Office 365 and Azure AD. As time passess it is likely to have users with direct license assignments or users which still have old trial licenses assigned. To get rid of those assignments I created a PowerShell script with removal and reporting functionality.

Direct link to the script.

Identify direct license assignments
#

In the Azure Portal we recognize direct license assignments on a user account by viewing the “Assignment Paths”:

With the MSOnline PowerShell module we can view the Licenses property of a user and retrieve a nested property called: GroupsAssigningLicense. The GroupsAssigningLicense property contains either:

An empty array if the license was not inherited from a group -> direct assignment
An array with objectId’s
- If the array contains the user’s objectId -> direct assignment

Example 1: User with objectId 36c9b091-fe88-4dc2-a9e1-2662020b4bab has group based license assignment and direct assignment:

AccountSkuId : nicolasuter:SPE_E5
GroupsAssigningLicense : {0a918505-d0d5-4078-9891-0e8bec67cb65, 36c9b091-fe88-4dc2-a9e1-2662020b4bab}

Example 2: User has no inherited licenses from a group:

AccountSkuId : nicolasuter:SPE_E5
GroupsAssigningLicense : {}

PowerShell Script
#

You find the PowerShell script on my techblog GitHub repository.

Exploring the new Microsoft Graph PowerShell Module(s)

Tue, 12 May 2020 00:00:00 +0000

Microsoft is working on a new set of PowerShell modules grouped under the umbrella of Microsoft.Graph that will (hopefully) cover all the Microsoft Graph resources available. I’ve already used some of them for my Conditional Access Documentation Script and thought they have some notable features worth sharing.

Advantages and changes
#

The Microsoft Graph modules use the new Microsoft Authentication Library (MSAL) instead of the old Azure AD Authentication Library (ADAL). The MSAL library in the modules implements a token cache which persists the access and refresh tokens.

MSAL caches a token after it has been acquired. Application code should try to get a token silently (from the cache), first, before acquiring a token by other means. - Microsoft docs

The token cache persists system reboots and re-opening PowerShell sessions. The module allows you to obtain tokens either for authentication via client credentials (certificate only) or device code flow.

Furthermore, the new modules support a really broad spectrum of available entities on the Graph API. From an EM+S perspective this means for example: groups, users, identity protection, conditional access, and some of the Intune app management commands are also starting to appear.

Just be aware that the modules are currently published as pre-release. If you encounter any issues share them with the development team on GitHub and submit issues or even better contribute directly to the project.

Validating a GUID with PowerShell

Tue, 05 May 2020 00:00:00 +0000

For some recent Microsoft Graph scripts I wanted to translate some Azure AD Object ID / GUID entries to their respective display name. The array with the GUID’s contained already some readable text. Of course I only wanted to translate the GUID entries with according Graph API requests. Otherwise the Graph requests would fail. Google offered only some fancy regex functions and helpers but I had that .NET function in my mind which looks much nicer compared to whatever regex pattern that I don’t understand.

"applications": {
 "includeApplications": [
 "797f4846-ba00-4fd7-ba43-dac1f8f63013",
 "Office365"
 ]
}

So I needed a way to test a string for a valid GUID and only invoking the Graph calls for GUID values.

Matching a GUID with a regex
#

I found the following regex on this site:

"d815c3bc-9c49-4633-9d16-29808242d063" -match '(?im)^[{(]?[0-9A-F]{8}[-]?(?:[0-9A-F]{4}[-]?){3}[0-9A-F]{12}[)}]?$'

Matching a GUID with the .NET method
#

Instead of the complex regex we can invoke this nice .NET member method which returns true or false based on the input:

[guid]::TryParse("d815c3bc-9c49-4633-9d16-29808242d063", $([ref][guid]::Empty))

I guess that’s much more convenient.

Helper Function
#

Here’s a helper function which can be used in PowerShell scripts:

Creating desktop shortcuts with Intune

Tue, 09 Jul 2019 23:22:24 +0000

Why want you to create desktop shortcuts with Intune? Business specific apps may require special shortcuts in order to launch the application with the right parameters. Or you need to create a shortcut for an application which is stored on your on premises fileserver. For this purpose I created a little solution which closes the gap between the modern cloud and on premises world. In comparison with other solutions this one works if you have redirected the users desktop with OneDrive Known Folder Move and automatically remediates missing shortcuts if they got deleted.

Direct link to the GitHub repository.

Browser links: Instead of placing shortcuts to websites on the desktop I would recommend you to use managed bookmarks which can be directly provisioned within the web browser. I documented this for the new Microsoft Edge based on chromium here. {: .notice}

Features
#

This solution works when the desktop is redirected with OneDrive Known Folder Move
Everything is user based (local userprofile)
If the shortcut is missing or deleted it gets automatically (re)created
Possibility to remove shortcut via Intune Win32 app uninstall
Shortcut can point to: URL, File (UNC) or Folder (UNC)
Ability to pass shortcut arguments
Ability to specify shortcut icon (UNC/URL)
Ability to deploy shortcut together with an app using Intune Win32 app dependencies

Architecture
#

A simple PowerShell script which does all the shortcut stuff is wrapped as Intune Win32 App. This adds possibility to detect the presence of the shortcut and if required to uninstall it with Intune. In order to work with the redirected desktop to OneDrive with Known Folder Move we can take advantage of the [Environment]::GetFolderPath("Desktop") method to resolve the desktop location. Based on the Win32 app configuration the shortut get’s either created on the users personal desktop or on the allusers desktop.

Calling the Microsoft Graph API via PowerShell without a user

Mon, 17 Jun 2019 18:47:47 +0000

A colleague recently asked me how to access the Microsoft Graph API using PowerShell without specifying his user account or credentials. So here’s a little post about the required configuration to authenticate against the OAuth 2.0 endpoint of Azure AD with an app registration. This is especially useful for automation services like Azure automation.

At the end of this post you’ll find a PowerShell template.

Gather application information
#

Create a new client secret for your app and note down the following values:

Client Secret
Application ID (client ID)
Directory ID (tenant ID)

Azure AD App registration

## PowerShell code

Request authentication token
#

In order to use the Graph API we need an authentication token. The information we gathered before is now sent to the Azure AD OAuth 2.0 endpoint.

https://login.microsoftonline.com/{TenantID}/oauth2/v2.0/token

In the request supply a body with the following content:

$body=@{
 client_id="8f9f420d-606c-4e13-889e-837072dbfb42"
 client_secret="BlaBlaExampleSecret" #Generated secret
 scope="https://graph.microsoft.com/.default"
 grant_type="client_credentials"
}

The scope and grant_type are required attributes. A full example looks like:

$body=@{
 client_id="8f9f420d-606c-4e13-889e-837072dbfb42"
 client_secret="BlaBlaExampleSecret"
 scope="https://graph.microsoft.com/.default"
 grant_type="client_credentials"
}

$tenantId="7955e1b3-cbad-49eb-9a84-e14aed7f3400"

Invoke-WebRequest -Uri "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token" -ContentType "application/x-www-form-urlencoded" -Body $body -Method Post

If everything works we receive an access token object as HTML 200/ok response:

Introducing the OneDrive AutoMountTeamSites setting

Sun, 17 Mar 2019 16:03:09 +0000

Reviewing the latest OneDrive features I wanted to try the new AutoMountTeamSites setting which lets you preconfigure SharePoint online sites to sync automatically for defined users and devices.

Updated on 12.07.2019: Included the Intune administrative template configuration

The setting is officially described as follow:

This setting lets you specify SharePoint team site libraries to sync automatically the next time users sign in to the OneDrive sync client. (Microsoft)

If you enable this setting, the OneDrive sync client will automatically download the contents of the libraries you specified as online-only files the next time the user signs in. The user won’t be able to stop syncing the libraries. (Microsoft)

Prerequisites
#

In order to get things up an running we need at least:

OneDrive sync client version 19.012.0121.0011 or newer
Windows 10 Version 1709 or newer
OneDrive Files On-Demand enabled (described below)

Be aware that this feature is not supported with on-premises SharePoint sites and not recommended to enable this setting for more than 1'000 devices. The device limit is related to the Windows Push Notification Service which tells the OneDrive clients when a file change occurs on a server side. When you exceed that limit clients will find themselves in a polling mode. Hans Brender explains this behavior well on his blog.

Intune map network drives and execute PowerShell script on each user logon

Fri, 11 Jan 2019 20:51:36 +0000

Recently a customer needed a drive mapping solution to access his on premise file shares during his transition phase to a cloud-only workplace. I wanted to share the solution with you because it’s a frequently asked question around a modern workplace migration. The following solution can also be extended or modified for a printer mapping or other PowerShell scripts which need to run on each user logon.

Updated 04.08.2019: I’ve developed an automated solution to generate network drive mapping configurations with an online tool which also migrates group policy network drive mappings. See: next-level-network-drive-mapping-with-intune.

Direct link to the final scripts

Lets assume we have the following scenario:

- Customer with hybrid user-identities (Azure AD Connect) - On premise ressources with legacy file shares - Devices are Azure AD joined ( **not** hybrid joined) - MDM managed with Intune - [Optional] Always on VPN for external on-premise resource access - [Optional] Windows Hello for Business deployment as described [here](https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso)

Architecture
#

With my colleague Alain Schneiter I designed the following solution:

Main PowerShell script stored on Azure blob storage which handles the drive mapping - driveletters, UNC paths and descriptions can be configured within the script
Client side script deployed with Intune which triggers the main script during logon. The main script is not stored locally which makes it easy to customize (no updates oder changes needed on client side)
Deployment is user targeted via Azure AD group and Intune

Azure blob storage configuration
#

We wanted to store the script within Azure because the customer was already using Azure blob storage. It’s also possible to store the PowerShell script on GitHub if you don’t want to use Azure.

Clean up stale Azure AD devices

Thu, 10 Jan 2019 22:25:00 +0000

If you are using Azure AD and the time passes you’ll have a lot of old device entries. If you enable the automatic device cleanup rule in Microsoft Intune the device is only removed within MDM and the Azure AD entry still exists.

Intune device cleanup rule

For this reason I created a tiny PowerShell snippet to create a report with all devices which didn’t contact your Azure AD tenant since the treshold date specified. If you confirm the operation you can also delete all affected devices.

Please be careful when running the script because when removing a device from Azure AD the stored Bitlocker recovery keys are also removed. I can recommend Roger Zander’s Azure table-based Bitlocker recovery key solution.

Set Office 365 UsageLocation property with Azure automation

Wed, 09 Jan 2019 15:23:00 +0000

If you want to assign Microsoft licenses to your Azure AD users e.g. Microsoft 365 E3 licenses you can do this with group based licensing as described here. ~~The problem is that even with group based licensing the UsageLocation property for each user must be set individually.~~

Update: 13.01.2019: Since group based licensing is GA the tenant location is used if no UsageLocation is set on a user object. Use this guide if you want to manually assign licenses or override the tenant settings if you need to configure different UsageLocations.

Possible bulk and automation solutions
#

You can achieve this with the following options:

“Manual” trough Azure or Office 365 portal
PowerShell (must be triggered manually or through scheduled task)
Azure AD Connect synchronisation (UsageLocation populated in on prem AD)
Azure automation with PowerShell runbook as in this post 🙂

Azure automation sounds expensive?
#

Fortunately Azure automation offers 500 minutes of script runtime for free. Find more details under Automation pricing. Just to give you an idea: If the executed script has an average runtime of 1 minute you could run it (500 minutes / (30 calendear days / 1 minute script runtime)) = 16x per day. Each month. For free.

PowerShell Script Test Open TCP Ports

Wed, 18 Oct 2017 13:28:12 +0000

Recently I was troubleshooting ADFS connection issues when I discovered a nice little Cmdlet called “Test-NetConnection”. With this Cmdelet you can verify TCP connectivity, in my case from a client to the ADFS server.

The Test-NetConnection cmdlet displays diagnostic information for a connection. It supports ping test, TCP test, route tracing, and route selection diagnostics. Depending on the input parameters, the output can include the DNS lookup results, a list of IP interfaces, IPsec rules, route/source address selection results, and/or confirmation of connection establishment.

Find a full documentation on the Microsoft Docs Page.

About the script
#

With this Script you are able to specify server names and port numbers to check in a CSV File. The Script generates an CSV output file as a report. You can use this script for troubleshooting or engineering purposes to verify if TCP ports are opened.

Simply add the hostname and TCP port to the “CheckList.csv” and the script checks the specified servers and ports.

The script will generate an output file for the same path containing the suffix “Report_” with the test results.

CheckList.csv:
Report_CheckList.csv generated after script execution:

PowerShell Function Validate Object Properties Using ValidateScript

Thu, 12 Oct 2017 10:25:09 +0000

Recently I was working on a PowerShell script with many custom functions. When I started to use PowerShell custom objects I wanted to be able to pass them to a function. So I faced the challenge of validating my object for all required properties and came up with this solution, using the ValidateScript block to test the object:

Customizing the ValidateScript
#

As you can see I use a ValidateScript for the parameter validation to test the object for the required properties. The properties can be specified in an array: $requiredProperties=@("Property1","Property2","Property3", "Property4") When we call the Function with an appropriate object:

$config= [PSCUSTOMOBJECT]@{ 
 property1= "Value"; 
 property2= "Value"; 
 property3= "Value"; 
 property4= "Value"; 
}

We receive the following output:

PS H:\> New-Example -InputObject $config 
Succesfully passed ValidateScript

Result
#

If we remove one or more properties from our custom object, an error is thrown:

PS H:\> $config= [PSCUSTOMOBJECT]@{ 
 property1= "Value"; 
 property2= "Value"; 
 property3= "Value"; 
} 

New-Example -InputObject $config 

New-Example : Cannot validate argument on parameter 'InputObject'. Property: 'Property4' missing At line:10 char:26 + New-Example -InputObject $config + ~~~~~~~ + CategoryInfo : InvalidData: (:) [New-Example], ParameterBindingValidationException + FullyQualifiedErrorId : ParameterArgumentValidationError,New-Example

If you want to go a step further you could extend the ValidateScript to…

Prevent passing properties with a NULL or empty value
#

$_.PSObject.Properties | ForEach-Object { 
 if (([string]::IsNullOrEmpty($_.Value))){ 
 Throw [System.Management.Automation.ValidationMetadataException] "Property '$($_.Name)' has either a NULL or empty value" 
 } 
}

If we call our function again with the added IsNullOrEmpty validation NULL or emtpy values throw an exception:

Managing printers with PowerShell

Tue, 10 Oct 2017 17:54:54 +0000

Managing printers with PowerShell instead of VBScript? Sometimes it’s necessary to add and remove specific printers to a computer. For example during a client deployment or when a user logs on. This post covers how to manage printers with PowerShell.

The following PowerShell commands are supported with PowerShell version 4 and newer.

Installing a local network printer
#

Installing a local printer (without a printserver) consists of the following steps:

Add the printer driver to your system’s driverstore
Install the printer driver from the driverstore
Add a printer port to communicate with the printer
Last but not least add the printer

Add the printer driver to the driverstore
#

Before you can install the printer driver you need to import the printer driver to your system’s driverstore.

This can be achieved with the built in Windows “pnputil” utility.

The following code adds all drivers from the specified path to the driverstore:

Get-ChildItem %PathToYourDriverFolder% -Filter *.inf -Recurse | % {pnputil.exe /a $_.FullName}

Install the printer driver from the driverstore
#

This step is quite simple, you just need to know the name of the printer driver you want to install. For example “HP Universal Printing PCL 6”.

Powershell on Nicola Suter

Optimising Microsoft Graph PowerShell scripts

Reasons why your script is slow #

Slow algorithms and wrong data structures #

The easiest way to work with the Microsoft Graph PowerShell SDK

Requirements #

JWT #

Intune app protection policy report

Information visible within the portal #

Script #

Automatically sign your PowerShell scripts with GitHub actions

Prerequisites #

Add variables to GitHub actions #

GitHub action variables #

GitHub action workflow #

Securely sending emails from PowerShell scripts with modern authentication enforced

Microsoft Graph resource #

Create an app registration #

Dealing with Intune OMA-URI encoding and applocker rules

The actual issue #

Fixing things #

Save file with UTF-8 encoding #

Microsoft Graph Access Token Acquisition with PowerShell explained in depth

Why do we need an access token? #

What’s inside the access token #

Build an Azure DevOps pipeline to automatically sign your PowerShell scripts

Solution overview #

Ensuring regular Defender Quick scans with Microsoft Endpoint Manager proactive remediations

PowerShell scrips #

Detection script #

Remediation script #

Discover the Microsoft Graph API with the Microsoft Endpoint Manager Portal

Microsoft Endpoint Manager Portal #

Example about how to capture URLs and build a PowerShell script #

Access has been blocked by Conditional Access policies when using device code flow

Examples from the field #

Bulk create Intune mobile app deployment groups and assignments

Add PowerShell modules to Azure functions

Option 1: Automatic dependency management #

Playing around with the Office 365 Service Communications API

PowerShell Module #

CI/CD #

Azure AD guest user review solution

Notable features #

Architecture #

10 suggestions to improve your next PowerShell script

1. Script prerequisites #

Modules #

Remove Azure AD direct License Assignments with PowerShell

Identify direct license assignments #

PowerShell Script #

Exploring the new Microsoft Graph PowerShell Module(s)

Advantages and changes #

Validating a GUID with PowerShell

Matching a GUID with a regex #

Matching a GUID with the .NET method #

Helper Function #

Creating desktop shortcuts with Intune

Features #

Architecture #

Calling the Microsoft Graph API via PowerShell without a user

Gather application information #

Request authentication token #

Introducing the OneDrive AutoMountTeamSites setting

Prerequisites #

Intune map network drives and execute PowerShell script on each user logon

Architecture #

Azure blob storage configuration #

Clean up stale Azure AD devices

Set Office 365 UsageLocation property with Azure automation

Possible bulk and automation solutions #

Azure automation sounds expensive? #

PowerShell Script Test Open TCP Ports

About the script #

PowerShell Function Validate Object Properties Using ValidateScript

Customizing the ValidateScript #

Result #

Prevent passing properties with a NULL or empty value #

Managing printers with PowerShell

Installing a local network printer #

Reasons why your script is slow
#

Slow algorithms and wrong data structures
#

Requirements
#

JWT
#

Information visible within the portal
#

Script
#

Prerequisites
#

Add variables to GitHub actions
#

GitHub action variables
#

GitHub action workflow
#

Microsoft Graph resource
#

Create an app registration
#

The actual issue
#

Fixing things
#

Save file with UTF-8 encoding
#

Why do we need an access token?
#

What’s inside the access token
#

Solution overview
#

PowerShell scrips
#

Detection script
#

Remediation script
#

Microsoft Endpoint Manager Portal
#

Example about how to capture URLs and build a PowerShell script
#

Examples from the field
#

Option 1: Automatic dependency management
#

PowerShell Module
#

CI/CD
#

Notable features
#

Architecture
#

1. Script prerequisites
#

Modules
#

Identify direct license assignments
#

PowerShell Script
#

Advantages and changes
#

Matching a GUID with a regex
#

Matching a GUID with the .NET method
#

Helper Function
#

Features
#

Architecture
#

Gather application information
#

Request authentication token
#

Prerequisites
#

Architecture
#

Azure blob storage configuration
#

Possible bulk and automation solutions
#

Azure automation sounds expensive?
#

About the script
#

Customizing the ValidateScript
#

Result
#

Prevent passing properties with a NULL or empty value
#

Installing a local network printer
#

Add the printer driver to the driverstore
#

Install the printer driver from the driverstore
#