Category Archives: Automation

Allowing a Service Principal to Scan PowerBI

PowerBI’s admin-level APIs are not enabled at the OAuth / Entra level: they need to be enabled in the PowerBI Admin Center before you can use M365Permissions to scan all your PowerBI resources for access.

  1. Go to the Entra portal and create a security group, e.g. ‘PowerBISPNAccess’
  2. Add your service principal to the new group (you can find it under Enterprise Applications):
  3. Go to the PowerBI admin portal and search for ‘service principals can access’ and configure as follows:
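Steps 1 and 2 can be scripted with the Microsoft Graph PowerShell SDK, and once step 3 has been saved in the admin portal you will want to confirm the service principal can actually reach an admin endpoint. The script below is an added example, not part of the post or of M365Permissions; the tenant id, application id, secret and group name are placeholders, and the verification call uses the PowerBI REST admin API with a client-credentials token.

```powershell
# Added example (not from the original post): create the security group with
# Microsoft Graph PowerShell, add the service principal, then verify the SPN can
# reach a PowerBI admin endpoint. Tenant id, app id and secret are placeholders.
$tenantId     = '00000000-0000-0000-0000-000000000000'   # placeholder
$appId        = '11111111-1111-1111-1111-111111111111'   # placeholder: the SPN's application (client) id
$clientSecret = '<client-secret-from-a-secure-store>'     # placeholder, never hard-code in production
$groupName    = 'PowerBISPNAccess'

# --- Steps 1 and 2: security group + membership (requires the Microsoft.Graph module) ---
Connect-MgGraph -TenantId $tenantId -Scopes 'Group.ReadWrite.All', 'Application.Read.All'

$group = Get-MgGroup -Filter "displayName eq '$groupName'"
if (-not $group) {
    $group = New-MgGroup -DisplayName $groupName -MailEnabled:$false `
        -MailNickname $groupName -SecurityEnabled
}

# The member must be the Enterprise Application (service principal object), not the App Registration
$spn = Get-MgServicePrincipal -Filter "appId eq '$appId'"
if (-not $spn) { throw "No service principal found for appId $appId" }

$isMember = Get-MgGroupMember -GroupId $group.Id -All | Where-Object { $_.Id -eq $spn.Id }
if (-not $isMember) {
    New-MgGroupMember -GroupId $group.Id -DirectoryObjectId $spn.Id
}

# --- Step 3 is done in the PowerBI admin portal; afterwards verify it took effect ---
$tokenResponse = Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token" `
    -Body @{
        client_id     = $appId
        client_secret = $clientSecret
        grant_type    = 'client_credentials'
        scope         = 'https://analysis.windows.net/powerbi/api/.default'
    }

try {
    # Single quotes keep $top from being expanded by PowerShell
    $result = Invoke-RestMethod -Method Get `
        -Uri 'https://api.powerbi.com/v1.0/myorg/admin/groups?$top=1' `
        -Headers @{ Authorization = "Bearer $($tokenResponse.access_token)" }
    Write-Output "Admin API reachable; the tenant setting is effective ($($result.value.Count) workspace returned)."
} catch {
    # A 401 here usually means the tenant setting has not propagated yet; it can take a while
    Write-Warning "Admin API call failed: $($_.Exception.Message)"
}
```

Only the admin API check depends on the PowerBI tenant setting; the group membership is visible in Entra immediately, so a failing check after a successful group update points at step 3 (or propagation delay) rather than at the group.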

Remediating secureboot on Lenovo devices through Intune

Sometimes someone forgets to enable SecureBoot, boo!

For Lenovo devices built after 2018, this can be remediated using PowerShell without any dependencies whatsoever.

So here’s a simple remediation solution using Intune that reads the SecureBoot status from the Lenovo_BiosSetting WMI class and then uses the Lenovo_SetBiosSetting and Lenovo_SaveBiosSettings WMI classes to enable SecureBoot as needed.

Source code:

https://github.com/jflieben/assortedFunctionsV2/tree/main/LenovoSecurebootRemediation
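To show how the three WMI classes fit together in an Intune detection/remediation pair, here is an added example written for this page; it is not the script from the linked repository. It assumes the firmware exposes the setting as ‘SecureBoot’ with the values Enable/Disable (some models use ‘Secure Boot’ with Enabled/Disabled, which the code tolerates), that the WMI method parameter is named `parameter`, and that no BIOS supervisor password is set unless you pass one.

```powershell
# Added example, not the script from the linked repository. Assumptions: the
# Lenovo WMI classes expose the setting as 'SecureBoot' (or 'Secure Boot') with
# Enable/Disable (or Enabled/Disabled) values, the method argument is named
# 'parameter', and the script runs as SYSTEM in 64-bit PowerShell.
$ns = 'root\wmi'

function Get-LenovoSecureBootState {
    # Lenovo_BiosSetting.CurrentSetting rows look like "SecureBoot,Disable"
    $row = Get-CimInstance -Namespace $ns -ClassName Lenovo_BiosSetting -ErrorAction Stop |
        Where-Object { $_.CurrentSetting -match '^Secure ?Boot,' }
    if (-not $row) { throw 'SecureBoot setting not exposed by this firmware' }
    $name, $value = $row.CurrentSetting -split ',', 2
    [pscustomobject]@{ Name = $name; Value = $value }
}

function Test-LenovoSecureBoot {
    # Compliant only if the firmware setting AND the OS view of Secure Boot agree
    $state     = Get-LenovoSecureBootState
    $fwEnabled = $state.Value -match '^Enable'
    $osEnabled = try { Confirm-SecureBootUEFI } catch { $false }
    return ($fwEnabled -and $osEnabled)
}

function Enable-LenovoSecureBoot {
    param([string]$SupervisorPassword = '')   # leave empty when no BIOS password is set
    $state = Get-LenovoSecureBootState
    # Reuse the firmware's own vocabulary: "Disabled" -> "Enabled", "Disable" -> "Enable"
    $enableValue = if ($state.Value -match 'd$') { 'Enabled' } else { 'Enable' }
    $setting = "$($state.Name),$enableValue"
    if ($SupervisorPassword) { $setting += ",$SupervisorPassword,ascii,us" }

    $setter = Get-CimInstance -Namespace $ns -ClassName Lenovo_SetBiosSetting
    $r = Invoke-CimMethod -InputObject $setter -MethodName SetBiosSetting -Arguments @{ parameter = $setting }
    if ($r.return -ne 'Success') { throw "SetBiosSetting failed: $($r.return)" }

    # Nothing is persisted until SaveBiosSettings is called; the change applies at next boot
    $saver   = Get-CimInstance -Namespace $ns -ClassName Lenovo_SaveBiosSettings
    $saveArg = if ($SupervisorPassword) { "$SupervisorPassword,ascii,us" } else { '' }
    $r = Invoke-CimMethod -InputObject $saver -MethodName SaveBiosSettings -Arguments @{ parameter = $saveArg }
    if ($r.return -ne 'Success') { throw "SaveBiosSettings failed: $($r.return)" }
}

# Intune runs detection and remediation as two separate files; paste the functions
# above into both and give each its own tail:
#   detect.ps1    : if (Test-LenovoSecureBoot) { exit 0 } else { exit 1 }   # 1 = non-compliant
#   remediate.ps1 : Enable-LenovoSecureBoot; exit 0                          # takes effect after reboot
```

Two things worth checking before rolling this out: Secure Boot only reports enabled in Windows after the next reboot, so a remediation cycle that runs before the device restarts will still show non-compliant; and `SaveBiosSettings` fails silently (return value other than ‘Success’) when a supervisor password is set and not supplied, which is why the example checks the return value rather than assuming the call worked.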


Windows 11 default terminal remediation scripts

For those of you who want the default terminal in Windows 11 to be cmd again, I’ve created two simple files that can be used in an Intune Remediation to automatically configure the default terminal.

https://github.com/jflieben/assortedFunctionsV2/tree/main/DefaultTerminalRemediation

Run in user context!

This also solves PowerShell windows that stay visible even when -WindowStyle Hidden is used, e.g. from Scheduled Tasks.
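The setting lives under the current user’s registry hive, which is why the scripts have to run in user context. The detection/remediation pair below is an added example for this page, not the files in the linked repository; it assumes that the delegation CLSID the Settings app writes for ‘Windows Console Host’ is `{B23D10C0-E52E-411E-9D5B-C09FDF709C7D}` (verify this on a reference machine where you have selected it by hand).

```powershell
# Added example, not the scripts from the linked repository. Assumes the
# delegation CLSID for the Windows Console Host is the GUID below; confirm it by
# choosing 'Windows Console Host' in Settings on one device and reading the key.
$key     = 'HKCU:\Console\%%Startup'          # literal key name is %%Startup
$conhost = '{B23D10C0-E52E-411E-9D5B-C09FDF709C7D}'
$names   = 'DelegationConsole', 'DelegationTerminal'

function Test-DefaultTerminalIsConhost {
    # Both values must point at the console host; a missing key means 'Let Windows decide'
    if (-not (Test-Path $key)) { return $false }
    $props = Get-ItemProperty -Path $key
    foreach ($n in $names) {
        if ($props.$n -ne $conhost) { return $false }
    }
    return $true
}

function Set-DefaultTerminalToConhost {
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    foreach ($n in $names) {
        # -Force overwrites an existing value (e.g. the Windows Terminal CLSID)
        New-ItemProperty -Path $key -Name $n -Value $conhost -PropertyType String -Force | Out-Null
    }
}

# Intune remediation, run in USER context (HKCU is per user):
#   detect.ps1    : if (Test-DefaultTerminalIsConhost) { exit 0 } else { exit 1 }
#   remediate.ps1 : Set-DefaultTerminalToConhost; exit 0
```

Because the key is per user, running the same scripts in system context would silently configure the SYSTEM account’s hive and report success while the logged-on user keeps Windows Terminal as the default.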

M365Permissions v1.1.4

1.1.4 finally brings unattended scanning using a service principal!

I’ve described how to first set up a service principal in a separate post.

Full changelog:

  • [Feature] Add SPN scanning
  • [Feature] Configurable connection method
  • [Feature] Scan PowerBI gateways
  • [Feature] Scan PowerBI Lakehouses and Warehouses
  • [Feature] Add view config function
  • [Feature] Client cert creation function
  • [BugFix] Fix diff scanning path issue
  • [BugFix] Exclude modified field when detecting changes

Download / Use:

M365Permissions module page | Github | PSGallery

The selected Hybrid Worker Group has no active workers

The wish

I wanted to allow certain users to only start specific Azure runbooks in an automation account, so that I wouldn’t need separate automation accounts for each role.

This worked by assigning the ‘Automation Runbook Operator’ per runbook, and the ‘Automation Job Operator’ to the automation account for these users.

The issue

However, some of our runbooks actually run on-premises as hybrid runbooks on our Hybrid Worker Group. When a user tried to start one of those runbooks, they received an error:

The selected Hybrid Worked Group has no active workers. Until the worker is seen again, the job might fail to start.


The fix

After some experimenting, I found out that assigning the ‘Microsoft.Automation/automationAccounts/hybridRunbookWorkerGroups/hybridRunbookWorkers/read’ action (using a custom role) at the automation account scope fixed this error and allowed our users to run hybrid jobs without seeing runbooks they don’t need to see.
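For anyone who wants to reproduce this with the Az PowerShell module, here is an added example (not the author’s own role definition) that creates a custom role containing only that read action, assigns it at the automation account scope next to the two built-in roles described above, and lists the resulting assignments. The subscription, resource group, automation account, runbook name, group object id and the role name ‘Automation Hybrid Worker Reader’ are placeholders.

```powershell
# Added example, not the author's exact role. Placeholders: subscription,
# resource group, automation account, runbook name and operators group object id.
$sub      = '<subscription-id>'
$rg       = '<resource-group>'
$aa       = '<automation-account-name>'
$scope    = "/subscriptions/$sub/resourceGroups/$rg/providers/Microsoft.Automation/automationAccounts/$aa"
$roleName = 'Automation Hybrid Worker Reader'   # hypothetical name

# The custom role carries only the single action the post identifies as missing
$roleJson = @"
{
  "Name": "$roleName",
  "IsCustom": true,
  "Description": "Lets runbook operators see hybrid workers so hybrid jobs can start.",
  "Actions": [
    "Microsoft.Automation/automationAccounts/hybridRunbookWorkerGroups/hybridRunbookWorkers/read"
  ],
  "NotActions": [],
  "AssignableScopes": [ "$scope" ]
}
"@
$tmp = Join-Path $env:TEMP 'hybridWorkerReader.json'
Set-Content -Path $tmp -Value $roleJson -Encoding utf8

Connect-AzAccount -Subscription $sub
if (-not (Get-AzRoleDefinition -Name $roleName -ErrorAction SilentlyContinue)) {
    New-AzRoleDefinition -InputFile $tmp | Out-Null
}

# Same layering as the post: Job Operator on the account, Runbook Operator per runbook,
# plus the custom read role on the account so hybrid jobs can locate a worker.
$operators = '<object-id-of-operators-group>'
New-AzRoleAssignment -ObjectId $operators -RoleDefinitionName 'Automation Job Operator' -Scope $scope
New-AzRoleAssignment -ObjectId $operators -RoleDefinitionName $roleName -Scope $scope
New-AzRoleAssignment -ObjectId $operators -RoleDefinitionName 'Automation Runbook Operator' `
    -Scope "$scope/runbooks/<runbook-name>"

# Verify what the group actually holds at the account scope
Get-AzRoleAssignment -ObjectId $operators -Scope $scope | Select-Object RoleDefinitionName, Scope
```

Keeping the custom role down to that one read action preserves the original goal: operators can start the hybrid jobs they are entitled to without gaining list or read access to the other runbooks in the account.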