Monthly Archives: February 2025

ARM, Azure, Powershell

Simple Azure RSG to ARM template in Git backup yaml pipeline

Leave a comment

Although this is obviously ‘quick and dirty’, it can be useful in restoring things that aren’t easily backed up such as e.g. Logic Apps, and it can aid in change detection/tracking (git change/history). It only requires Azure DevOps which is basically free in this scenario.

The result is a bunch of .json arm templates, the same as would result in using the Export to Template function in the Azure Portal.

Yaml code with inline PS:

https://github.com/jflieben/assortedFunctionsV2/blob/main/backup-rsgstoarm.yml

Automation, Intune, Powershell

Windows 11 default terminal remediation scripts

Leave a comment

For those of you that want the default terminal in windows 11 to be cmd again, I’ve created two simple files that can be used in an Intune Remediation to automatically configure the default terminal.

https://github.com/jflieben/assortedFunctionsV2/tree/main/DefaultTerminalRemediation

Run in user context!

This solves PowerShell windows staying visible even if -WindowStyle Hidden is used, e.g. from Scheduled Tasks.

Automation, Exchange Online, Identity, M365Permissions, Microsoft Teams, Office 365, OneDrive for Business, PowerBI, Powershell, Security, Sharepoint Online

M365Permissions v1.1.4

9 Comments

1.1.4 finally brings unattended scanning using a service principal!

I’ve described how to first set up a service principal in a separate post.

Full changelog:

  • [Feature] Add SPN scanning
  • [Feature] Configurable connection method
  • [Feature] Scan PowerBI gateways
  • [Feature] Scan PowerBI Lakehouses and Warehouses
  • [Feature] Add view config function
  • [Feature] Client cert creation function
  • [BugFix] Fix diff scanning path issue
  • [BugFix] Exclude modified field when detecting changes

Download / Use:

M365Permissions module page | Github | PSGallery

EntraID, M365Permissions

Scanning unattended using a Service Principal

2 Comments

If you want to use the M365Permissions module in unattended (or headless) mode, e.g. from a runbook or on a server as scheduled task, you’ll need to create an app registration in Entra with sufficient permissions to scan your tenant.

Setup instructions (automated)

  1. Install the module using Install-Module -Name M365Permissions -Force
  2. Load the module using Import-Module -Name M365Permissions
  3. Create a service principal using Set-ScanPermissions -switchToSPNAuth -appName "M365Permissions (AppOnly)"
  4. Run Connect-M365 -ServicePrincipal
  5. Start a scan (e.g. using get-allM365Permissions)
  6. Scroll down if you also want to scan PowerBI

Setup instructions (manual)

  1. Go to https://portal.azure.com/#view/Microsoft_AAD_RegisteredApps/CreateApplicationBlade/quickStartType~/null/isMSAApp~/false
  2. Decide on a name and click Register
  3. Go to API permissions and enter as follows:
  1. Don’t forget to click ‘Grant admin consent’
  2. Note down the ‘Application (client) id’ and ‘Directory (tenant) id’ from the ‘Overview’ page
  3. run the new-SpnAuthCert command from the M365Permissions module, it will output a .cer file. Make sure to use the tenant ID from step 5.
  4. The PFX file has to be imported on any machine you wish to run the module on, except for the machine where you ran the new-SpnAuthCert command.
  5. Go to ‘Certificates & secrets’ and upload the .cer file
  1. Go to the Roles and Administrators in Entra and select the Global Administrator role.
  2. Add the new app registration to the global administrator role:
  1. Run set-M365PermissionsConfig -LCTenantId <tenant ID> -LCClientId <client id> with the values from step 5 to configure the module to use your new SPN to log in.
  2. Alternatively, you can configure the LCTENANTID and LCCLIENTID environment variables with above information.
  3. If you also configure the LCAUTHMODE environment variable with a value of “ServicePrincipal”, the module will log in to your tenant fully automatically the moment it is imported.
  4. If you’re running interactively, you can now use connect-M365 -ServicePrincipal before running a scan to use the SPN instead of delegated authentication

Scanning PowerBI

If you also want to include PowerBI in your scans, you’ll have to authorize the service principal.

PFX certificate location

If you want to run from an automation account, Azure function etc, for now you’ll have to retrieve the .pfx file dynamically and install it before the module loads because the module looks in the local certificate store for a certificate with your tenant ID as subject.

I will consider adding support for Managed Identities in the future to make this simpler, and possibly also add keyvault integration or direct path configuration an option.

Restrictions

When scanning as service principal, you cannot scan:

  • Graph Subscriptions
  • PowerBI Gateways

You’ll see a warning in the logs about this as they’ll automatically be excluded.

Setup instructions (automated)

to be added in a future version

Automation, Azure

The selected Hybrid Worker Group has no active workers

1 Comment

The wish

I wanted to allow certain users to only start specific azure runbooks in an automation account, so that I wouldn’t need separate automation accounts for each role.

This worked by assigning the ‘Automation Runbook Operator’ per runbook, and the ‘Automation Job Operator’ to the automation account for these users.

The issue

However, some of our runbooks actually run on premises as hybrid runbooks on our Hybrid Worker Group. And when a user tried to start one of those runbooks, they received an error:

The selected Hybrid Worked Group has no active workers. Until the worker is seen again, the job might fail to start.

The selected Hybrid Worked Group has no active workers. Until the worker is seen again, the job might fail to start.

The fix

After some experimenting, I found out that assigning the ‘Microsoft.Automation/automationAccounts/hybridRunbookWorkerGroups/hybridRunbookWorkers/read’ action (using a custom role) at the automation account scope fixed this error and allowed our users to run hybrid jobs without seeing runbooks they don’t need to see.