So you’d like to know which applications are living in your AzureAD?
And you’d like to know which of those were added by your admins, and what permissions those applications have?
And you’d also like to know which applications your users are consenting to, and what rights those applications have on your users?
Look no further, I wrote a script to export all of that to Excel for you!
Apps an admin has consented to and the type of rights it needs
Apps a user has consented to and the type of rights it needs
Apps to user mapping, for an easy overview of which user has consented to which app
Get it at:
Credits to Doug Finke for the Excel module I’m using!
The Microsoft supplied Get-AzureRMADApplication Powershell cmdlet does not return all applications you can see in the Enterprise Applications and App registrations blades in Azure AD.
In addition, Get-AzureRmAdApplication also does not return information such as:
- Publisher Name
- enabled/disabled status
- if it is a MicrosoftFirstParty application
So, here’s a custom PS function to help you out: https://gitlab.com/Lieben/assortedFunctions/blob/master/get-azureRMADAllApplications.ps1
It requires a special token generated by my get-AzureRMtoken function to log in.
As usual when using unsupported API’s, be careful!
If you’re a Cloud Solution Provider and you supply a CSP azure subscription to that tenant, your AdminAgents will have Owner access to that subscription by default. Lets say the customer also has an existing subscription (maybe a non-profit donation?).
When you add your accounts as Owner to the existing tenant’s (non-csp) subscription, your users are added as Guest accounts in the customer’s Azure AD. This removes the delegated CSP rights on the CSP subscription because the references to foreign accounts break due to the new guest accounts having the same UPN.
So, alternatively, use
Get-AzureRmRoleAssignment -Scope "/subscriptions/<CSP SUBSCRIPTION ID>
on the CSP subscription to get the Foreign Principal ID for your own tenant. Then use
New-AzureRMRoleAssignment -ObjectId <FOREIGN PRINCIPAL ID> -Scope "/subscriptions/
<EXISTING SUBSCRIPTION ID>" -RoleDefinitionName Owner
to add the foreign principal ID to the existing customer subscription to get delegated access 🙂
I recently ran into an article by Pieter Wigleven, based on an original idea of Jan Van Meirvenne that I simply have to share, and expand upon.
When you go cloud first, and do light MDM management of your Azure AD Joined Windows 10 devices, you will likely enable a Bitlocker policy in Intune. What you’ll quickly discover, is that your policy will not automatically enforce/enable Bitlocker on non-InstantGo capable devices.
So, I expanded upon Jan and Pieter’s script to automatically enable Bitlocker on Windows 10; it has additional error handling, local logging and it will eject removable drives prior to immediately (vs reboot) encrypting your system drive. After this is started, it will register your recovery key in AzureAD. Of course all credit for the original idea goes to Jan van Meirvenne.
Powershell source file
enableBitlockerAndRegisterInAAD_v0.04.ps1 (right click, save as)
enableBitlockerAndRegisterInAAd_v0.04.msi (right click, save as)
As Intune won’t let you deploy a Powershell script, I’ve also wrapped the script in an MSI file with Advanced Installer for you. What this will do;
- Deploy the PS1 file to the machine
- Register a scheduled task to run this PS1 file at logon each time
- Kick off the scheduled task once so a first reboot isn’t required
Advanced installer package (.aip)
enableBitlockerAndRegisterInAAD.zip (right click, save as)
- Windows 10, AzureAD Joined
- TPM chip
- User should be local admin
Have you tried https://securescore.office.com yet?
You should 🙂
Office 365 and all related services have various forms of auditing options, it’s a pain to monitor and configure them all.
A while back, Microsoft unified these auditing logs into the Unified Audit Log. The Unified Audit Log for Office 365 is super easy to configure.
For all my customers I always enable this free feature, it is pretty much the only way you can have a RPO of 0 when you need to undo changes / deletes or restore data, and gives you a very nice and compliant audit log of everything your users and admins do in your environment.
In addition, it allows me to help you automatically reverse nasty CryptoLocker actions like mass file and folder renames and restore previous versions in bulk.
edit: you can also enable the audit log programatically