Azure AD administrators should be able to assign a reserved alias to a new group. At least, that’s what the documentation says. As it turns out, this isn’t strictly true as there are places where administrative interfaces (GUI and PowerShell) block any attempt to use reserved aliases. Does this matter? Probably not, unless you like consistency… which we do!
The preview of a new app governance add-on for Microsoft Client App Security gives Office 365 administrators insight into Graph-based apps. The add-on depends on information gathered from Azure AD and MCAS to generate insights about apps and their usage, including highlighting apps which are overprivileged or highly privileged. Although you can do some of the auditing yourself, the add-on makes it easier. It’s a preview, so some glitches are present.
A preview for Sensitivity Labels show how they can use Azure AD authentication contexts and conditional access policies to protect SharePoint Online sites. Although you can link conditional access policies to sites with PowerShell, it’s a lot easier to make the connection through sensitivity labels. Any SharePoint Online site which receives a label configured with an authentication context automatically invokes the associated conditional access policy to protect its contents.
Anyone writing PowerShell code against Azure Active Directory probably uses the Azure AD module. In June 2022, Microsoft will deprecate the API underpinning the Azure AD module. Tenants who want to use PowerShell to create scripts to automate administrative processes will need to move to Graph API calls or use the Microsoft Graph PowerShell SDK. Either way, there’s a bunch of work to do to upgrade scripts.
Without warning (for security reasons), Microsoft stopped the Exchange Online Set-User cmdlet being able to update the work and mobile numbers for Azure AD accounts. We don’t know what kind of security concerns caused Microsoft to take this action, but it might be associated with administrative roles. In any case, this disappointing example of how to communicate with customers might end up with people having to update some PowerShell scripts – and no one likes unexpected work.
Azure B2B collaboration is used by Microsoft 365 Groups-based apps like Teams, Planner, and Yammer to create new guest accounts. You can update settings in the Azure AD portal to stop new accounts from specific domains or restrict guests to a list of known domains. But before you go ahead and update the settings, it’s a good idea to know where existing guest accounts come from. It’s easy to create a report with PowerShell. The next step might be to remove guests from offending domains.
Office 365 administrators can update Azure AD guest accounts with photos. Guests can do the job themselves using three PowerShell commands. Other approaches work too, but this is the easiest and quickest method to do the job, especially if you have guest accounts in multiple tenants.
Azure AD holds information about managers and their direct reports. It’s easy for that data to go out of date, so we create a report to tell us who are the managers and how many direct reports they have. Azure AD has some cmdlets to retrieve information about managers and direct reports, but as it turns out, the older Get-User cmdlet is the best way to proceed.
A new preview feature allows the resources available to an Azure AD guest account to be reassigned to another email address. It’s a nice feature, but Teams has some problems with it at present. On the upside, everything works great with SharePoint Online and Planner, and we’re sure that Microsoft will fix the problem with Teams soon.
The Office 365 audit log is packed full of information about what happens inside workloads. New events show up all the time. The question is how to understand what actions these events relate to. We outline a simple procedure to discover the presence of new audit events and dive into the investigation of an event called Consent to application, which is pretty important in the context of recent high-profile attacks.
Exchange dynamic distribution lists allow messages to be sent to sets of recipients determined by a query against the directory. A custom filter is a powerful way to find the right set of recipients. In this case, we want to find mailboxes with certain job titles whose Azure AD accounts are not blocked for sign-in. Here’s how to create the filter, make sure it works, and create the DDL.
Many Office 365 features depend on accurate user account data in Azure AD. Here’s how to use PowerShell to track down accounts with missing properties. Once you know which accounts need to be updated, it’s easy to insert the missing properties. Boring, but easy…
Over time, you might join several Office 365 tenants as a guest. Some of those Azure AD guest accounts probably won’t be needed forever and you want to clean them up. This is easy for individuals to do through their MyAccount page, which might just be a page that they never knew existed.
Security groups are often used to protect access to resources, but they can’t be used to control membership for Microsoft 365 Groups or Teams. If you want to use AAD security groups to control membership for Groups and Teams, you need to come up with a way to synchronize. PowerShell is available to do the job, and as it turns out, it’s not too difficult.