Remove-StaleIntuneDevices using a scheduled Azure Runbook

I recently came upon a really cool post by Josh and Sarah that explains how to clean up stale devices in Intune using the Graph API.

As I want to run this from an Azure runbook, silently, I had to modify it a little so it automatically consents to azure app permissions and logs in silently. If you’d like to use it, feel free to add it from the Azure gallery (search for Lieben) or download it yourself.

Make sure you’ve also imported the AzureAD and AzureRM modules into your automation account, and configured a credential object for the script to use.

GitLab: Remove-StaleIntuneDevicesForAzureAutomation.ps1

Technet: Remove-Stale-Intune-4b07488a

How to grant OAuth2 permissions to an Azure AD Application using PowerShell unattended / silently

You may know this button:There is no native Powershell command to grant OAuth permissions to an Azure AD Application, so I wrote a function for that. Note that this is NOT a supported way to grant permissions to an application because it does not follow the proper admin consent flow that applications normally use.

The great advantage of my method is that it can be used to grant permissions silently, AND to ‘hidden’ and/or multi-tenant applications that companies like Microsoft use for backend stuff like the Intune API. (e.g. the ‘Microsoft Intune Powershell’ multi-tenant application).

The function requires AzureAD and AzureRM modules installed!


Function Grant-OAuth2PermissionsToApp{
Param(
[Parameter(Mandatory=$true)]$Username, #global administrator username
[Parameter(Mandatory=$true)]$Password, #global administrator password
[Parameter(Mandatory=$true)]$azureAppId #application ID of the azure application you wish to admin-consent to
)

Function Grant-OAuth2PermissionsToApp{
    Param(
        [Parameter(Mandatory=$true)]$Username, #global administrator username
        [Parameter(Mandatory=$true)]$Password, #global administrator password
        [Parameter(Mandatory=$true)]$azureAppId #application ID of the azure application you wish to admin-consent to
    )

    $secpasswd = ConvertTo-SecureString $Password -AsPlainText -Force
    $mycreds = New-Object System.Management.Automation.PSCredential ($Username, $secpasswd)
    $res = login-azurermaccount -Credential $mycreds
    $context = Get-AzureRmContext
    $tenantId = $context.Tenant.Id
    $refreshToken = $context.TokenCache.ReadItems().RefreshToken
    $body = "grant_type=refresh_token&refresh_token=$($refreshToken)&resource=74658136-14ec-4630-ad9b-26e160ff0fc6"
    $apiToken = Invoke-RestMethod "https://login.windows.net/$tenantId/oauth2/token" -Method POST -Body $body -ContentType 'application/x-www-form-urlencoded'
    $header = @{
    'Authorization' = 'Bearer ' + $apiToken.access_token
    'X-Requested-With'= 'XMLHttpRequest'
    'x-ms-client-request-id'= [guid]::NewGuid()
    'x-ms-correlation-id' = [guid]::NewGuid()}
    $url = "https://main.iam.ad.ext.azure.com/api/RegisteredApplications/$azureAppId/Consent?onBehalfOfAll=true"
    Invoke-RestMethod –Uri $url –Headers $header –Method POST -ErrorAction Stop
}

GITLAB: Grant-OAuth2PermissionsToApp.ps1

Connect-AzureRMAccount requires CASE SENSITIVE input for the tenantId

Just for those poor souls googling this error:

get-azurermvm : Your Azure credentials have not been set up or have expired, please run Connect-AzureRmAccount to set
up your Azure credentials.

Or any other command after Connect-AzureRMAccount with the -tenantId switch specified.

Took me over an hour to figure out that the tenant ID is actually case sensitive as the error is confusing, the log in works fine but subsequent commands fail.

Name must be unique per owning mailbox. There’s already a request with the name

While migrating some public folders to Office 365 Groups, I kept running into issues with one of the target groups:

“De gebruiker XXX heeft al een aanvraag die in behandeling is. Verwijder de bestaande aanvraag en hervat de huidige batch of start een nieuwe batch voor deze gebruiker. –> Name must be unique per owning mailbox. T”

In english you’ll probably see “Name must be unique per owning mailbox. There’s already a request with the name “.

I figured there was a moverequest hanging / not properly cleaned up; but none to be found with get-moverequest, get-migrationuser or get-migrationbatch; all clean!

In the end, it took almost 2 weeks of patience after contacting support until the Exchange Online backend team reset a hanging job on their end. So if you google above errors and come here, check if you have double jobs, if you don’t, request support and make sure they escalate to the product team immediately.

portal.microsoftonline.com down (fixed)

It seems portal.microsoftonline.com is down, this may affect OnedriveMapper users, some tenants seem to get redirected during the logon process to portal.microsoftonline.com, but many also don’t. If you’re affected, open a ticket with Microsoft.

OnedriveMapper will show this in the log: | ERROR | Error detected while following redirect, check the FAQ for help

Update: it seems only ADFS / federated tenants are affected.

Update: the RPT update command seems to have fixed the issue for most of those affected.

OnedriveMapper v3.14 released!

Version 3.14 of OneDriveMapper has been released:

  • added an ‘always reset IE cookies’ option
  • completely revamped the way you configure mappings (make sure you read the help in the code!)
  • optionally, map to Network Locations instead of Driveletters (thanks Tom!)
  • Most options are no longer mandatory
  • OnedriveMapper Cloud no longer supported (as announced last year)
  • New and greatly enhanced Folder Redirection functions, including automatic copying of source content
  • Optional client certificate selection based on certificate template name
  • Automatic certificate refresh if no client certificate is present, when using client certificates as auth mode
  • Some bugfixes and major code cleanup
  • Usage of environment variable to determine mapping driveletter removed

As always, make sure to test before deploying to production, I’ve only tested Azure AD and a single ADFS setup.

Get the new version here

set Intune MDM user scope to ALL using Powershell and hidden API

If you want to change the settings on this page (or most Azure Portal pages) programmatically:

Microsoft’ll tell you to use your browser, there is no API/PS for this yet. As I really hate the answer “no”, I used Fiddler and baked some Powershell:


login-azurermaccount
$context = Get-AzureRmContext
$tenantId = $context.Tenant.Id
$refreshToken = $context.TokenCache.ReadItems().RefreshToken
$body = "grant_type=refresh_token&refresh_token=$($refreshToken)&resource=74658136-14ec-4630-ad9b-26e160ff0fc6"
$apiToken = Invoke-RestMethod "https://login.windows.net/$tenantId/oauth2/token" -Method POST -Body $body -ContentType 'application/x-www-form-urlencoded'

$header = @{
'Authorization' = 'Bearer ' + $apiToken.access_token
'Content-Type' = 'application/json'}
$url = "https://main.iam.ad.ext.azure.com/api/MdmApplications/eab0bcaf-9b2e-4e62-b9be-2eea708422f8?mdmAppliesToChanged=true&mamAppliesToChanged=true"

$content = '{"objectId":"eab0bcaf-9b2e-4e62-b9be-2eea708422f8","appId":"0000000a-0000-0000-c000-000000000000","appDisplayName":"Microsoft Intune","appCategory":null,"logoUrl":null,"isOnPrem":false,"appData":{"mamEnrollmentUrl":null,"mamComplianceUrl":null,"mamTermsOfUseUrl":null,"enrollmentUrl":"https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc","complianceUrl":"https://portal.manage.microsoft.com/?portalAction=Compliance","termsOfUseUrl":"https://portal.manage.microsoft.com/TermsofUse.aspx"},"originalAppData":{"mamEnrollmentUrl":"https://wip.mam.manage.microsoft.com/Enroll","mamComplianceUrl":"","mamTermsOfUseUrl":"","enrollmentUrl":"https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc","complianceUrl":"https://portal.manage.microsoft.com/?portalAction=Compliance","termsOfUseUrl":"https://portal.manage.microsoft.com/TermsofUse.aspx"},"mdmAppliesTo":2,"mamAppliesTo":2,"mdmAppliesToGroups":[],"mamAppliesToGroups":[]}'
Invoke-RestMethod –Uri $url –Headers $header –Method PUT -Body $content -ErrorAction Stop

You can do almost anything using the above snippet and changing the endpoint URL and POST contents. Use Fiddler to capture, then replicate in code 🙂

Be warned and use at your own risk, obviously this method is unsupported.

Onedrive For Business Silent Deployment, Configuration and Folder Redirection through Intune MDM for Windows 10

I’ve taken information from several sources and written a single “Do It All – Onedrive For Business configuration script” for the Windows 10 Modern Management (Intune MDM Azure AD Join) scenario.

The script can be deployed through Intune to your Windows 10 MDM clients and will do the following silently:

    • check latest O4B version and update to it
    • detect O4B configuration, start auto config
    • completely silent / invisible configuration with SSO
    • optionally, enable Files On Demand
    • optionally, redirect folders to Onedrive
    • optionally, copy old content

O4BClientAutoConfig + source code.

 

Restarting a x86 Powershell Process as x64 automatically

Let’s say something (like Intune) starts your Powershell script in 32 bit and you really need commands that only 64 bit Powershell has….


#Restart self in x64
If (!([Environment]::Is64BitProcess)){ 
    if([Environment]::Is64BitOperatingSystem){
        Write-Output "Running 32 bit Powershell on 64 bit OS, restarting as 64 bit process..."
        $arguments = "-NoProfile -ExecutionPolicy ByPass -WindowStyle Hidden -File `"" + $myinvocation.mycommand.definition + "`""
        $path = (Join-Path $Env:SystemRoot -ChildPath "\sysnative\WindowsPowerShell\v1.0\powershell.exe")
        Start-Process $path -ArgumentList $arguments -wait
        Write-Output "finished x64 version of PS"
        Exit
    }else{
        Write-Output "Running 32 bit Powershell on 32 bit OS"
    }
}

With the above at the top of your script, it’ll automatically restart itself if needed 🙂