Category Archives: EntraID

EntraID, M365Permissions

Scanning unattended using a Service Principal

2 Comments

If you want to use the M365Permissions module in unattended (or headless) mode, e.g. from a runbook or on a server as scheduled task, you’ll need to create an app registration in Entra with sufficient permissions to scan your tenant.

Setup instructions (automated)

  1. Install the module using Install-Module -Name M365Permissions -Force
  2. Load the module using Import-Module -Name M365Permissions
  3. Create a service principal using Set-ScanPermissions -switchToSPNAuth -appName "M365Permissions (AppOnly)"
  4. Run Connect-M365 -ServicePrincipal
  5. Start a scan (e.g. using get-allM365Permissions)
  6. Scroll down if you also want to scan PowerBI

Setup instructions (manual)

  1. Go to https://portal.azure.com/#view/Microsoft_AAD_RegisteredApps/CreateApplicationBlade/quickStartType~/null/isMSAApp~/false
  2. Decide on a name and click Register
  3. Go to API permissions and enter as follows:
  1. Don’t forget to click ‘Grant admin consent’
  2. Note down the ‘Application (client) id’ and ‘Directory (tenant) id’ from the ‘Overview’ page
  3. run the new-SpnAuthCert command from the M365Permissions module, it will output a .cer file. Make sure to use the tenant ID from step 5.
  4. The PFX file has to be imported on any machine you wish to run the module on, except for the machine where you ran the new-SpnAuthCert command.
  5. Go to ‘Certificates & secrets’ and upload the .cer file
  1. Go to the Roles and Administrators in Entra and select the Global Administrator role.
  2. Add the new app registration to the global administrator role:
  1. Run set-M365PermissionsConfig -LCTenantId <tenant ID> -LCClientId <client id> with the values from step 5 to configure the module to use your new SPN to log in.
  2. Alternatively, you can configure the LCTENANTID and LCCLIENTID environment variables with above information.
  3. If you also configure the LCAUTHMODE environment variable with a value of “ServicePrincipal”, the module will log in to your tenant fully automatically the moment it is imported.
  4. If you’re running interactively, you can now use connect-M365 -ServicePrincipal before running a scan to use the SPN instead of delegated authentication

Scanning PowerBI

If you also want to include PowerBI in your scans, you’ll have to authorize the service principal.

PFX certificate location

If you want to run from an automation account, Azure function etc, for now you’ll have to retrieve the .pfx file dynamically and install it before the module loads because the module looks in the local certificate store for a certificate with your tenant ID as subject.

I will consider adding support for Managed Identities in the future to make this simpler, and possibly also add keyvault integration or direct path configuration an option.

Restrictions

When scanning as service principal, you cannot scan:

  • Graph Subscriptions
  • PowerBI Gateways

You’ll see a warning in the logs about this as they’ll automatically be excluded.

Setup instructions (automated)

to be added in a future version

EntraID, M365Permissions, Microsoft Teams, OneDrive for Business, Powershell, Security, Sharepoint Online

M365Permissions Module

Leave a comment

Let’s be honest, the TeamPermissions module ‘s name has quickly lost touch with what it does (already doing Sharepoint and Onedrive as well).

Adding the overwhelming number of positive reactions and rapid adoption, I want to add even more features:

  1. Scanning EntraID roles
  2. Scanning Exchange roles
  3. Scanning Mailbox permissions
  4. Change detection (between scans)
  5. Scanning Azure RM roles
  6. Scanning PowerBI roles
  7. SPN based scanning

So I’ve decided to rename it to M365Permissions!

Obviously it’ll take a lot of time/work to get above coded up and tested.

But for now I can already give you the M365Permissions PowerShell module, which includes:

  • EntraID roles (permanent and eligible)
  • Lots of bug fixes
  • Performance improvements (especially with lots of small sites)
  • Everything the TeamPermissions module did

Please give it a spin and let me know what other features you’d like to see!

Other links:

M365Permissions in the PSGallery

M365Permissions on Github

EntraID, Microsoft Teams, Powershell, Security

Get-CsTeamsMeetingPolicy: Invalid credential Provide valid credential.

Leave a comment

For those googling, above error happened for us when trying to use application-based authentication for the MS Teams PowerShell commandlets.

We followed the instructions but kept getting Invalid credential Provide valid credential whenever calling a cmdlet, while the connect-microsoftteams command worked fine with the -accesstokens param.

Turns out, when you assign application level permissions to your service principal on top of the delegated permissions, the SPN is not authorized for all subsequent cmdlet calls :O

Automation, EntraID, Logic Apps, Office 365, Sharepoint Online

Populating Sharepoint Choice Column with Entra Group Names

Leave a comment

If you want to allow users in Sharepoint to select e.g. security groups or teams from a dropdown in a List and don’t want to manually keep that list of choices up to date….this is for you!

I’ve used Power Automate Flow for this specific scenario, but Logic Apps will of course work just as well.

First, define some variables and retrieve all the groups you want to show up in the Choice column:

Then, create a string with all the group’s names using a simple loop:

Then use ‘Send an HTTP request to Sharepoint’ to retrieve current columns (fields) defined in the list if you don’t know the GUID yet. This step is optional and uses GET to the _api/web/Lists/GetById(”)/Fields method.

Finally, use another Send an HTTP request to Sharepoint to Patch the column definition of the Choice column with the new group names.

Note we’re using PATCH for the _api/Web/Lists(guid”)/Fields(guid”) method and that I’m removing the trailing comma (,) from the data we’re patching in.

Also note that if you’re not using multiple choice but single choice you’ll need to adjust the SP.FieldMultiChoice and 15 values.