Microsoft plans to support IPv6 connectivity for Azure AD starting on March 31, 2023. The change creates specific requirements for conditional access policies that use named locations to allow or block connections. Administrators will have to add new IPv6 address ranges to named locations to allow users to continue to connect. Apart from that, it’s a matter of making sure that any reporting, analysis, or SIEM applications can deal with the new IPv6 data.
Azure AD Guest Accounts have a habit of becoming stale or obsolete as time progresses. Guest accounts created to share documents or to be a member of a long-forgotten team or group remain in Azure AD until someone comes to clean them up. This article explains how we refreshed a popular script to use cmdlets from the Microsoft Graph PowerShell SDK to report guest accounts with different degrees of staleness.
Azure AD user accounts and Exchange Online mailboxes share many properties, including some for a user’s address. When it comes to countries, Azure AD has the country property while Exchange uses the CountryOrRegion property. Sometimes the two don’t match up. Why does this happen and does it matter in practical terms? What other country or regional settings exist that need to be managed? A simple question sets off a big discussion.
Getting a new device means that some work must be done to ensure that apps work. This article explains how to add QR codes to the Microsoft Authenticator app so that the app has the credentials to respond to MFA challenges. We cover how to get QR codes for Azure AD accounts and how to do the same for guest accounts in other Microsoft 365 tenants.
Several methods exist to add new user accounts to groups automatically. Dynamic group membership is an obvious option, but other choices exist, including org-wide teams (if your organization is under 10,000 accounts) and using PowerShell to manage the automatic addition of new members to a standard distribution list or Microsoft 365 group. This article examines the various methods. Once you understand what’s possible, you can make the right choice.
A fuss erupted about the Azure AD admin center setting to control Azure AD tenant creation by users. Allowing people to have their own tenant can be a good thing, especially for developers who want to have a tenant as a sandbox to test code in. In this article, we discuss what the control is, what it does, and how to set it with PowerShell.
The automation of Azure AD account creation and password updates are straightforward using the Microsoft Graph PowerShell SDK. A little preparation always helps, but once you have all the necessary information, it’s easy to code up the necessary script to generate a new password and add the account – or set of accounts.
The Azure AD admin center now includes the option to pause processing for the membership query for an Azure AD dynamic group. This article reviews how the new feature works and what it might be used for, including a PowerShell script to report the membership processing status of all Azure AD dynamic groups.
Azure AD custom security attributes can mark user and service principal objects for special processing, which is how the app filter for conditional access policies works. It’s nice to be able to interact with data through PowerShell and the Microsoft Graph PowerShell SDK cmdlets support setting, updating, and retrieval of Azure AD custom security attributes. Everything works, but it’s a pity that it’s a little clunky.
Azure AD conditional access policies can now use an app filter based on custom security attributes to restrict access to specific apps. It’s a neat idea that should be popular in larger enterprises where the need exists to manage large numbers of apps. In other news, the Graph X-Ray tool is available in the Windows Store and a neat cmd.ms tool is available to provide shortcuts to Microsoft 365 sites.
Azure AD conditional access policies can exert fine-grained control over the type of external users who can connect and what tenants they belong to. The new capability works especially well alongside Azure B2B Collaboration (guest users) and Azure B2B Direct Connect (used by Teams shared channels). It’s yet another way to impose control over who you allow to connect to your tenant.
Microsoft has made number matching and additional context generally available for its Authenticator app. The new capabilities help users to avoid MFA fatigue. In other words, instead of being challenged with a simple request to approve a sign-in, users must respond by entering a number selected by Azure AD. At the same time, Authenticator can display additional information, such as where the sign-in originated from. It all helps to make Authenticator a more secure way of approving user sign-ins.
In most situations, it’s a good idea to enable Azure AD accounts for SSPR (self-service password reset) to avoid the need for administrators to update user accounts when things go wrong. This article explains how to report accounts that are not yet set up to use SSPR. It’s a check that should happen regularly, perhaps with the aid of Azure Automation.
A reader asked how to update user email addresses and UPNs. As it turns out, this is not a very difficult technical challenge. The problem lies in the aftermath. It’s easy to update the primary SMTP address for a mail-enabled object or assign a new user principal name to an Azure AD account. Then problems might come into view, like needing to adjust the Microsoft Authenticator app to make MFA challenges work for the new UPN.
This article explains how to use PowerShell and the Office 365 audit log to report Azure AD license assignments. The output isn’t pretty, but it works. The code works by finding two different audit events for each license assignment and combining information from both events to create a view of what happened. It’s rough and ready and can be improved, but the principal is proven and that’s what I set out to do.
This article describes how to use the Exchange.ManageAsApp permission to allow Azure AD apps to run Exchange Online PowerShell cmdlets. You can do this in the Azure AD admin center for registered apps, but when the time comes to allow Azure Automation runbooks to sign into Exchange Online with a managed identity, you must assign the permission to the automation account with PowerShell. Easy when you know how, hard when you don’t!
A new setting for Azure AD conditional access policies allows organizations to dictate the authentication strength of accepted connections. This is part of a Microsoft effort to move MFA-enabled Azure AD accounts away from the relatively insecure SMS-based challenges to methods that are less susceptible to attack.
A script written by a Microsoft program manager to remove authentication methods from an Azure AD account caused me to write a script to capture all the authentication methods used in a tenant. I have other similar scripts, but this one records some additional detail for each method. And I have a moan about why the Microsoft Graph PowerShell SDK includes so many cmdlets for interacting with authentication methods. Some consolidation would be nice.
This article describes how to adapt the Microsoft 365 licensing report script to highlight Azure AD accounts that haven’t signed in for a long time. Because Microsoft charges for licenses on a monthly basis, every month that goes by racks up cost for underused accounts. The new version of the script tells you what accounts to check to help you focus on driving down licensing costs.
Audit logs hold lots of information, including records for when Azure AD consent permission grants happen. Checking the audit data can detect illicit grants. Records are in the Azure AD audit log and are also ingested into the Office 365 (unified) audit log, so there’s two places to check. The audit data is interesting and could help administrators work out if a permission grant is illicit. But only if checks are made and people review the reports.
Azure AD registered devices have 15 extension attributes that tenants can use for their own purposes. In this article, we explore how to use the Microsoft Graph PowerShell SDK to update extension attributes for registered devices, and even better, access the content in the extension attributes afterward.
Microsoft launched an effort on September 2 to stop the creation of any more unmanaged Azure AD accounts in unmanaged tenants. A set of tools is available to help tenants to find unmanaged accounts and reset them by reissuing invitations to the affected guest members. There’s not much to complain about, but it is something to understand.
A little known fact about the Graph Explorer utility is that you can use it to sign into a tenant using a guest access. This might or might not be a good idea, but if you don’t want people to do this, it’s easy to block guest access by either disabling user access to the app (crude) or using a Conditional Access policy (much nicer).
Like all apps, the Azure AD Admin center has its own quirks and inconsistencies. In this article, we cover issues creating groups when the admin center doesn’t apply sensitivity label container management settings properly, and group-based license management, which only works if the group’s security enabled property is set correctly.
A new Yammer administrator role is available in Azure AD. Assignees of the new role become Yammer verified admins and can make changes to both native and non-native Yammer networks. It’s nice to see the new role appearing in Azure AD and no doubt it will be useful to Microsoft 365 tenants that use Yammer, but why did it take so long to happen?
Many example PowerShell scripts exist to report Azure AD accounts and their MFA status. Most of the scripts use the old MSOL module. Now we can use the Microsoft Graph PowerShell SDK and some Graph API requests to do the same job, This article explains how, including how to highlight unprotected Azure AD accounts that hold administrative roles.
Time is ebbing away and the date when the Azure AD PowerShell modules will start not to work is approaching. Microsoft wants customers to upgrade to the Microsoft Graph PowerShell SDK or Graph API requests. That’s fine, but a knowledge gap exists because most of the examples – including in Microsoft’s own documentation – for how to interact with Azure AD via PowerShell use the old modules. And then every other blog on the planet (with some notable exceptions) does the same. So we have work to do to bridge the knowledge gap and help people to make the transition.
A new preview feature supports the creation of dynamic Azure AD groups based on the membership of other groups, including dynamic groups and distribution lists (aka nested groups). It’s a nice feature that adds value, even if dynamic groups require Azure AD Premium P1 licenses.
The Azure AD PowerShell module allows guest accounts to sign into target tenants and update their account photo there. The Microsoft Graph PowerShell SDK includes a cmdlet to do the job, but it doesn’t work when connected to a target tenant. Permissions are the reason why, which is what we explain in this article.
Despite the advent of shared channels in Teams and the wonders of Azure AD Direct Connect, the chances are that Azure AD B2B Collaboration (Azure AD guest accounts) will remain the predominant method for external collaboration for the immediate future. That’s not so bad, as long as you maintain good guest hygiene!
Teams supports external access through guest account membership in teams and external sharing of shared channels. Sometimes, things go wrong and sharing can’t happen. In this article, we explore some common reasons and explain the solutions. And the need for patience!
Outlook’s Org Explorer (available in Insider builds) brings together information from multiple Microsoft 365 sources to help users understand the people they work with in an organization. It’s like an Office 365 profile card on steroids, but only for user accounts as guest accounts and other external people are ignored. In other news, roaming signatures for Outlook desktop are getting closer as OWA now supports the creation and use of multiple web signatures, all of which can be used by Outlook desktop.
The new Graph X-Ray extension available for the Chrome and Edge browsers gives developers an insight into how the Azure AD admin center uses Graph API commands to retrieve user and group objects. The insight is invaluable when teasing out some of the syntax needed to get work done with the Graph. It’s much appreciated.
A new feature for Azure AD access reviews allows Microsoft 365 tenants to check for inactive guest accounts in group memberships. It’s useful functionality if your Microsoft 365 groups are used for Teams rather than Outlook groups. Email activity is ignored by these access reviews, so all guest members are deemed to be inactive!
Teams shared channels are now in public preview, meaning that many organizations are trying them out to see how effective a means of collaboration these channels are. One of the administrative challenges of implementing shared channels for cross-tenant collaboration is knowing who uses the channels. An answer can be found in the Azure AD sign-in logs, but only after you go looking.
Assigning Azure AD roles to user accounts is the way users receive permissions to perform certain administrative actions. You can automate these assignments using cmdlets from the Microsoft Graph PowerShell SDK. That is, until the time comes to remove assignments.
The Microsoft Graph SDK for PowerShell includes cmdlets for management of Azure AD Groups. The cmdlets work, and in some places they are screamingly fast compared to Exchange Online or Azure AD cmdlets. In other places, the cmdlets are a tad bizarre and expose a little too much of their Graph underpinnings. Oh well, at least after reading this article, you’ll know where the holes lie.
With the demise of the Azure AD and MSOL PowerShell modules on the horizon, it’s time to figure out how to upgrade scripts to use cmdlets from the Microsoft Graph PowerShell SDK. This article books at basic account management and shows how to update, delete, restore, and find Azure AD accounts using SDK cmdlets.
Microsoft has announced that it will be possible to recover a deleted service principal by the end of May. This is good news because it means that an accidental deletion can’t wreak the kind of havoc it can today. Microsoft hasn’t updated the APIs to manage soft-deleted service principals yet, but we can get an insight into what’s likely to happen by investigating how to manage deleted Azure AD accounts using cmdlets from the Microsoft Graph PowerShell SDK.
It seems like it should be possible to transfer a membership rule from an Exchange dynamic distribution list to a dynamic Microsoft 365 group/team, but it’s not. Different directories, schemas, properties. and syntax conspire to stop easy conversion. It’s a pity, but that’s the way life and technology sometimes go…