Clik here to view.
Using the Graph API to Export eDiscovery (Premium) datasets
Microsoft has steadily been adding Graph API endpoints to cover eDiscovery scenarios, albeit only targeting the “Premium” experience. Just recently, the Export operation become available, bringing full...
View ArticleClik here to view.
Scoping conditional access policies to “tagged” applications
Microsoft has been gradually expanding the reach of its Conditional Access feature, while at the same time also releasing a bunch of controls that allow us to more granularly scope CA policies....
View ArticleClik here to view.
Microsoft 365 Audit adds support for administrative unit scoping
A while back, we covered the introduction of support for scoping (some) Purview Compliance Center role groups based on membership of administrative units. At that time, only the DLP and Sensitivity...
View ArticleClik here to view.
Non-existent users show up in SignInActivity data (or how logs continue to...
One of the common questions I get nowadays is “give me a list of all users that haven’t logged in in the past XX days”, or variations of the same theme. The question is somewhat easier to answer...
View ArticleClik here to view.
Make sure Deleted items are automatically removed from Microsoft 365 mailboxes
In another “forgotten knowledge” topic, let’s discuss how to automatically clean up/remove items from the Deleted items folder in Exchange Online/Microsoft 365. Nothing has changed in this process for...
View ArticleClik here to view.
Protect your multi-tenant applications from being hijacked by admins in the...
In the beginning of 2023, Microsoft introduced the app instance property lock feature, as a response to some of the “app hijacking” techniques used by prominent attacks over the past few years. The...
View ArticleClik here to view.
We can finally report on last successful login timestamp in Entra ID
Today’s article will be a short one. In a small, but meaningful update, Microsoft has released a new addition to the signInActivity resource, which allows us to determine the last time a given user was...
View ArticleClik here to view.
Script to review and remove service principal credentials
Last week, we explored Entra ID’s app instance property lock feature. As part of the process, we examined one possible way that bad actors could take advantage of the convoluted nature of working with...
View ArticleClik here to view.
Reporting on Microsoft 365 mailbox item count and size by year via the Graph API
Happy new year! For the first article of 2024, we will cover the “give me a breakdown of items within my mailbox, by age” question that pops up semi-regularly on the forums. The usual answer I give to...
View ArticleClik here to view.
Reporting on Entra ID integrated applications (service principals) and their...
Today, we’re going to be looking at reporting for Entra-integrated third-party applications (or their local representation, service principals). Since the last time we examined this, Microsoft has...
View ArticleClik here to view.
Reporting on Entra ID application registrations
After updating the scripts to report on Entra-integrated applications (aka service principals) last week, it is time to take a look at the updated scripts to report on application registrations. While...
View ArticleClik here to view.
Reporting on BitLocker recovery keys and associated devices
Today’s article will be an odd one, as its primary goal is to address some requests from the Q&A platform. In particular, the question about getting a list of all BitLocker recovery keys, posted...
View ArticleClik here to view.
Reporting on Entra ID directory role assignments (including PIM)
While certainly interesting in nature, the recent Midnight Blizzard breach is just the same old story – unprotected account, unsecured environment, a lot of neglect and failure to adhere to the best...
View ArticleClik here to view.
Can you verify whether third-party applications adhere to the Identity...
One of the resources I used in preparation for the latest version of my Entra ID service principals and applications reporting scripts was the Identity platform best practices article. In fact, some of...
View ArticleClik here to view.
Obtaining Entra license utilization insights data via the Graph API
Yesterday, Microsoft announced the public preview of Microsoft Entra License Utilization Insights, or in other words, a set of reports that aim to give you an overview of how features that require...
View ArticleClik here to view.
Querying the Microsoft 365 Unified Audit Log datamart via the Graph API
Over the past couple of months, several announcements have been made around the Microsoft 365 Unified audit log and the methods used to access it. Some changes were good, such as the improvements made...
View ArticleSearch-Mailbox is no longer available in Exchange Online
After being away for a while (attending the Microsoft MVP Summit in Seattle and some additional traveling), I come bearing sad news. The beloved Search-Mailbox cmdlet, easily one of my favorite bits of...
View ArticleClik here to view.
How to manage email addresses for Microsoft 365 Groups
Recently, I’ve run into several discussions around how to use the Graph API to change the email address of an already provisioned Microsoft 365 Group (or Team). In all of them, a claim was made that...
View ArticleClik here to view.
Changes in Set-UnifiedGroup result in lack of proper audit trail
As part of my investigation into the Microsoft 365 Group email address management story, I run a bunch of searches against Exchange Online’s Admin audit log as well as the Microsoft 365 Unified audit...
View ArticleClik here to view.
Remove user from all Microsoft 365 groups and roles (and more) via the Graph...
The script to remove users from all groups across Microsoft 365 has been one of the more popular entries in my GitHub repo for a while now. It is also generating a lot of improvement requests, the most...
View Article
