With Intune’s new Bitlocker Encryption Report administrators have an effective way of seeing which of their devices have been encrypted.
But if we want to know if we can actually recover the bitlocker key of a device, we need to know if it was ever uploaded to AzureAD.
Network or local device issues can sometimes prevent the recovery key from reaching AzureAD, resulting in lost data if the device’s disk needs to be recovered for any reason. To hunt down devices that have not escrowed their recovery key to AzureAD, you can use my report function (in PowerShell as always):
Azure AD allows us to assign licenses to groups, a nifty feature that has made a host of automation scripts dealing with bulk license assignment obsolete.
A problem I’ve encountered is that when you assign users to a group, license assignments are not processed right away, especially if you didn’t have enough licenses when you assigned the user to the group (and added licenses to the tenant later).
Azure AD has a button to trigger an update manually:
But of course, this can also be automated with PowerShell!
function Invoke-AzHAPIReprocessGroupLicenses{
<#
.SYNOPSIS
reprocesses group license assignment
.NOTES
Author: Jos Lieben
.PARAMETER AzureRMToken
Use Get-azureRMToken to get a token for this parameter
.PARAMETER groupGUID
GUID of the group to reprocess licenses of
Requires:
- Global Administrator Credentials (non-CSP!)
- AzureRM Module
- supply result of get-azureRMToken function
#>
param(
[Parameter(Mandatory = $true)]$AzureRMToken,
[Parameter(Mandatory = $true)]$groupGUID
)
$header = @{
'Authorization' = 'Bearer ' + $AzureRMToken
'X-Requested-With'= 'XMLHttpRequest'
'x-ms-client-request-id'= [guid]::NewGuid()
'x-ms-correlation-id' = [guid]::NewGuid()
}
$url = "https://main.iam.ad.ext.azure.com/api/AccountSkus/Group/$groupGUID/Reprocess"
Invoke-RestMethod –Uri $url –Headers $header –Method POST -Body $Null -UseBasicParsing -ErrorAction Stop -ContentType "application/json"
}
I often need a tenant ID for a given customer, the usual method to get it is to log in to the Azure portal and find it there. But what if you want to get the tenant ID programmatically? Without actually logging in? And you only know the log in name of a user? Or just one of the customer’s domain names?
Then this’ll help you out!
function get-tenantIdFromLogin(){
<#
.SYNOPSIS
Retrieves an Office 365 / Azure AD tenant ID for a given user login name (email address)
.EXAMPLE
$tenantId = get-tenantIdFromLogin -Username you@domain.com
.PARAMETER Username
the UPN of a user
.NOTES
filename: get-tenantIdFromLogin.ps1
author: Jos Lieben
blog: www.lieben.nu
created: 8/3/2019
#>
Param(
[Parameter(Mandatory=$true)]$Username
)
$openIdInfo = Invoke-RestMethod "https://login.windows.net/$($Username.Split("@")[1])/.well-known/openid-configuration" -Method GET
return $openIdInfo.userinfo_endpoint.Split("/")[3]
}
Obviously, you can also get the tenant ID by just filling out bogus info in front of the user’s login (e.g. bogus@ogd.nl), it’ll still work as only the domain part of the login is really used.
Most solutions that describe how to deploy a font through Intune use an external source to host fonts such as Azure Blob storage.
If you want to KISS (keep it simple, stupid), you don’t want to maintain two different things (your script and externally accessible storage).
The following example shows how to embed a file in a PowerShell script, and then install it into the Fonts folder. This could, of course, be used for other purposes, but don’t forget that the script size limit in Intune is only 200kb.
On the first line, follow the instructions (e.g. paste your b64-encoded font on that line). Now save and check if the size is below 200kb, then distribute the script to your users. For Fonts, don’t forget to let the script run in system context as administrative permissions are required when installing Fonts.
This method can be used to deploy other payloads as well, happy scripting!
When working with non-US customers, users often have characters in their names like ë, ó, ç and so on. Most of the time, a ‘human process’ converts these to their simple equivalent of e, o and c for use in computerized systems.
When searching for such a mapping of special characters to ‘safe’ characters I had a hard time finding a good list or PowerShell method to automatically convert special characters to standard A-Z characters so I wrote one:
Edit: my colleague Gerbrand alerted me to a post by Grégory Schiro which solves this issue much more elegantly using native .NET functions. My slightly modified version to really ensure nothing non a-zA-Z0-9 gets past the function:
And an even easier oneliner I converted to a function by John Seerden:
function Remove-DiacriticsAndSpaces
{
Param(
[String]$inputString
)
#replace diacritics
$sb = [Text.Encoding]::ASCII.GetString([Text.Encoding]::GetEncoding("Cyrillic").GetBytes($inputString))
#remove spaces and anything the above function may have missed
return($sb -replace '[^a-zA-Z0-9]', '')
}
As my employer is a Microsoft Cloud Service Provider, we want to monitor the total storage available and the total storage used by all of the tenants we manage under CSP, including storage used by Sharepoint and Teams. This called for a script!
I slimmed down the resulting script to work for just a single tenant that you can use to generate an XLSX report of which of your sites / teams are nearing their assigned storage quota. You can either build your own alerting around this to raise site quota’s before your users upload too much data, or you can use it to buy additional storage from Microsoft before your tenant reaches the maximum quota 🙂
For a customer that is using SuccessFactors to manage their employees / contractees, I wrote a script that will update the AD accounts of any person that is updated in SuccessFactors.
I expect you’ll have working knowledge on how to configure SF PerformanceManager to export the users you wish to update to a CSV file on the sFTP server SF provides for you.
With that, you should be able to configure the script. It’ll basically map any field you export to any field in Active Directory you wish. In some cases, such as the Manager field, special logic has been added to the script to look up the user’s manager. For other special fields you may have to write your own logic.
If you wish, the script will provide you with a full report in your email, for example:
Just a quick share as I needed this for something, this function will replace values in a CSV file. It takes the desired column(s) and value(s) to search for and a new value and desired target column as required parameters.
function update-csvColumn{
Param(
[Parameter(Mandatory=$true)]$csvContents, #input original CSV file contents here (use import-csv first)
[Parameter(Mandatory=$true)][Array]$searchForColumns, #names of the columns you want to base your search on
[Parameter(Mandatory=$true)][Array]$searchForValues, #replace rows in $searchForColumn that match these values (in same order!)
[Parameter(Mandatory=$true)]$replaceColumn, #set this column to what you specified in $newValue
[Parameter(Mandatory=$true)]$newValue #the new value you wish to set $searchForColumn or $replaceColumn to
)
if($searchForColumns.Count -ne $searchForValues.Count) {Throw "You must supply an equal number of columns and values to match on"}
for($i = 0; $i -lt $csvContents.Count; $i++){
$replace = $True
for($c = 0; $c -lt $searchForColumns.Count; $c++){
if($csvContents[$i].$($searchForColumns[$c]) -ne $searchForValues[$c]){
$replace = $False
}
}
if($replace){
$csvContents[$i].$replaceColumn = $newValue
}
}
return $csvContents
}
For a customer that is using SuccessFactors to manage their employees / contractees, I wrote a script that will disable the AD accounts of any person that is disabled in SuccessFactors.
I expect you’ll have working knowledge on how to configure SF PerformanceManager to export the users you wish to disable to a CSV file on the sFTP server SF provides for you.
With that, you should be able to configure the script. If you wish, the script will provide you with a full report in your email, for example:
