M365Permissions v1.1.5

1.1.5 brings some initial improvements to prepare for Managed Identities and fully automates creating a Service Principal (unattended/automated scanning).

That work isn’t entirely finished yet. Since my target platforms are Automation Accounts and Azure Functions, which are heavily memory-constrained, I’ve focused on reducing the module’s memory footprint and further enhancing performance. The module now uses up to 80% less memory at no cost to scan speed!

I’ve described how to first set up a service principal in a separate post.

Full changelog:

  • [Feature] Add application and policy scanning
  • [Feature] Scan Entra Users in batches
  • [Feature] Improve memory usage
  • [Feature] Use tenant specific report folder
  • [Feature] Make logLevel configurable
  • [Feature] Experimental Managed Identity support
  • [Feature] Automatically handle Sharepoint Site Locks
  • [Feature] Automatically deduplicate and diff all reports
  • [Feature] Add objectIds to reports where useful
  • [Feature] Display calculated remaining scan time
  • [Feature] Service Principal create function
  • [Feature] Improved changed detection (e.g. ignore display name changes)
  • [BugFix] Respect verbose settings in child jobs
  • [BugFix] Force English permission descriptions to avoid diff issues

Download / Use:

M365Permissions module page | Github | PSGallery

Allowing a Service Principal to Scan PowerBI

PowerBI’s admin-level APIs are not enabled at the OAuth / Entra level; they need to be enabled in the PowerBI Admin Center before you can use M365Permissions to scan all your PowerBI resources for access.

  1. Go to the Entra portal and create a security group, e.g. ‘PowerBISPNAccess’
  2. Add your service principal to the new group (you can find it under Enterprise Applications):
  3. Go to the PowerBI portal and search for ‘service principals can access’ and configure as follows:

Remediating secureboot on Lenovo devices through Intune

Sometimes someone forgets to enable SecureBoot, boo!

For Lenovo devices built after 2018, this can be remediated using PowerShell without any dependencies whatsoever.

So here’s a simple remediation solution using Intune that reads the SecureBoot status from the Lenovo_BiosSetting WMI class and then uses the Lenovo_SetBiosSetting and Lenovo_SaveBiosSettings WMI classes to enable SecureBoot as needed.

Source code:

https://github.com/jflieben/assortedFunctionsV2/tree/main/LenovoSecurebootRemediation
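As an added example (my own illustration, not the script in the linked repository), a single PowerShell file covering both halves of the Intune remediation: run without `-Remediate` it acts as the detection script, with the switch it acts as the remediation script. It assumes the BIOS setting is named `SecureBoot` with values `Enable`/`Disable` and that no BIOS supervisor password is set.

```powershell
# Added example, not the linked repository's code. Intune detection/remediation for
# Lenovo SecureBoot via the Lenovo WMI BIOS classes in root\wmi.
# Assumptions: the BIOS setting is named "SecureBoot" with values "Enable"/"Disable",
# and no supervisor password is set (SaveBiosSettings takes it as its argument if one is).
param([switch]$Remediate)   # run without the switch as the detection script

$ns = 'root\wmi'

function Get-SecureBootSetting {
    # Lenovo_BiosSetting lists every setting as "Name,Value" in CurrentSetting.
    Get-CimInstance -Namespace $ns -ClassName Lenovo_BiosSetting -ErrorAction Stop |
        Where-Object { $_.CurrentSetting -like 'SecureBoot,*' } |
        Select-Object -First 1 -ExpandProperty CurrentSetting
}

try {
    $current = Get-SecureBootSetting
} catch {
    Write-Output "Lenovo WMI BIOS interface not available: $($_.Exception.Message)"
    exit 0   # not a Lenovo device (or older firmware): nothing this script can remediate
}

if (-not $current) { Write-Output 'SecureBoot setting not exposed'; exit 0 }
$value = ($current -split ',')[1]

if ($value -eq 'Enable') { Write-Output 'SecureBoot already enabled'; exit 0 }

if (-not $Remediate) {
    Write-Output "SecureBoot is '$value', remediation required"
    exit 1   # non-zero exit tells Intune to run the remediation script
}

# Remediation: stage the new value, then commit it. Both methods report a status
# string in 'return' ("Success" when accepted); the change applies at the next reboot.
$set = Get-CimInstance -Namespace $ns -ClassName Lenovo_SetBiosSetting
$res = Invoke-CimMethod -InputObject $set -MethodName SetBiosSetting `
        -Arguments @{ parameter = 'SecureBoot,Enable' }
if ($res.return -ne 'Success') { Write-Output "SetBiosSetting failed: $($res.return)"; exit 1 }

$save = Get-CimInstance -Namespace $ns -ClassName Lenovo_SaveBiosSettings
$res  = Invoke-CimMethod -InputObject $save -MethodName SaveBiosSettings `
        -Arguments @{ parameter = '' }   # supervisor password would go here
if ($res.return -ne 'Success') { Write-Output "SaveBiosSettings failed: $($res.return)"; exit 1 }

Write-Output 'SecureBoot enabled; takes effect after reboot'
exit 0
```

Upload the file twice in Intune (once as detection, once as remediation with `-Remediate`), and run it in the system context since the Lenovo WMI classes require administrative rights.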

Example:

Simple Azure RSG to ARM template in Git backup yaml pipeline

Although this is obviously ‘quick and dirty’, it can be useful in restoring things that aren’t easily backed up such as e.g. Logic Apps, and it can aid in change detection/tracking (git change/history). It only requires Azure DevOps which is basically free in this scenario.

The result is a set of .json ARM templates, the same as you would get from the Export to Template function in the Azure Portal.

Yaml code with inline PS:

https://github.com/jflieben/assortedFunctionsV2/blob/main/backup-rsgstoarm.yml

Windows 11 default terminal remediation scripts

For those of you who want the default terminal in Windows 11 to be cmd again, I’ve created two simple files that can be used in an Intune Remediation to automatically configure the default terminal.

https://github.com/jflieben/assortedFunctionsV2/tree/main/DefaultTerminalRemediation

Run in user context!

This solves PowerShell windows staying visible even if -WindowStyle Hidden is used, e.g. from Scheduled Tasks.
