So you’d like to know which applications are living in your AzureAD?
And you’d like to know which of those were added by your admins, and what permissions those applications have?
And you’d also like to know which applications your users are consenting to, and what rights those applications have on your users?
Look no further, I wrote a script to export all of that to Excel for you!
Apps an admin has consented to, and the type of rights they need
Apps a user has consented to, and the type of rights they need
Apps-to-user mapping, for an easy overview of which user has consented to which app
Get it at:
Thanks to Doug Finke for the Excel module I’m using!
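As an added illustration of what the three sheets described above contain (this is example code, not the script from the post), the snippet below builds the same inventory with the supported AzureAD module and writes it to Excel with Doug Finke's ImportExcel module. It assumes both modules are installed and that the account running it can read service principals and OAuth2 permission grants; the worksheet and column names are my own choices.

```powershell
# Added example (not the post's script): inventory Azure AD app consent and export it to Excel.
# Assumes: AzureAD module (Connect-AzureAD) and ImportExcel module (Export-Excel) are installed.
Import-Module AzureAD
Import-Module ImportExcel

Connect-AzureAD | Out-Null

# Every service principal is an app living in the tenant (what the Enterprise Applications blade shows)
$spById = @{}
foreach ($sp in (Get-AzureADServicePrincipal -All $true)) { $spById[$sp.ObjectId] = $sp }

# Delegated permissions: OAuth2 permission grants. ConsentType 'AllPrincipals' is admin consent
# on behalf of every user; 'Principal' is consent by a single user (PrincipalId is that user).
$grants = Get-AzureADOAuth2PermissionGrant -All $true

$adminConsented = New-Object System.Collections.Generic.List[object]
$userConsented  = New-Object System.Collections.Generic.List[object]
$appToUser      = New-Object System.Collections.Generic.List[object]
$userCache      = @{}

foreach ($grant in $grants) {
    $client   = $spById[$grant.ClientId]
    $resource = $spById[$grant.ResourceId]
    $row = [pscustomobject]@{
        AppName      = $client.DisplayName
        AppId        = $client.AppId
        Publisher    = $client.PublisherName
        Resource     = $resource.DisplayName
        Scopes       = ($grant.Scope -as [string]).Trim()
        ConsentType  = $grant.ConsentType
        # Crude review flag (my own heuristic): scopes that touch mail, files or directory writes
        ReviewFlag   = ($grant.Scope -match 'Mail\.|Files\.|ReadWrite\.All|Directory\.')
    }
    if ($grant.ConsentType -eq 'AllPrincipals') {
        $adminConsented.Add($row)
        continue
    }
    $userConsented.Add($row)
    if (-not $userCache.ContainsKey($grant.PrincipalId)) {
        $u = Get-AzureADUser -ObjectId $grant.PrincipalId -ErrorAction SilentlyContinue
        $userCache[$grant.PrincipalId] = if ($u) { $u.UserPrincipalName } else { "<deleted user $($grant.PrincipalId)>" }
    }
    $appToUser.Add([pscustomobject]@{
        AppName = $client.DisplayName
        AppId   = $client.AppId
        User    = $userCache[$grant.PrincipalId]
        Scopes  = ($grant.Scope -as [string]).Trim()
    })
}

# Application (app-only) permissions are app role assignments on the resource service principal;
# only an admin can grant these, so they belong on the admin sheet as well.
foreach ($resource in $spById.Values | Where-Object { $_.AppRoles.Count -gt 0 }) {
    $roleNames = @{}
    foreach ($r in $resource.AppRoles) { $roleNames[$r.Id] = $r.Value }
    Get-AzureADServiceAppRoleAssignedTo -ObjectId $resource.ObjectId -All $true |
        Where-Object { $_.PrincipalType -eq 'ServicePrincipal' } |
        ForEach-Object {
            $adminConsented.Add([pscustomobject]@{
                AppName     = $_.PrincipalDisplayName
                AppId       = $spById[$_.PrincipalId].AppId
                Publisher   = $spById[$_.PrincipalId].PublisherName
                Resource    = $resource.DisplayName
                Scopes      = $roleNames[$_.Id]
                ConsentType = 'ApplicationPermission'
                ReviewFlag  = ($roleNames[$_.Id] -match 'ReadWrite\.All|Mail\.|Files\.|Directory\.')
            })
        }
}

# Three worksheets in one workbook; Export-Excel adds a sheet per distinct -WorksheetName
$outFile = Join-Path $env:USERPROFILE 'AzureAD-AppConsent.xlsx'
if (Test-Path $outFile) { Remove-Item $outFile }
$adminConsented | Export-Excel -Path $outFile -WorksheetName 'AdminConsented' -AutoSize -FreezeTopRow
$userConsented  | Export-Excel -Path $outFile -WorksheetName 'UserConsented'  -AutoSize -FreezeTopRow
$appToUser      | Export-Excel -Path $outFile -WorksheetName 'AppToUser'      -AutoSize -FreezeTopRow
Write-Host "Wrote $outFile ($($adminConsented.Count) admin grants, $($userConsented.Count) user grants)"
```

The ReviewFlag column is only a starting point for triage: sort on it to find user-consented apps that can read mail or files, which is exactly the kind of grant a tenant admin should be reviewing, and compare the Publisher column against what you expect before trusting an app.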
The Microsoft-supplied Get-AzureRmADApplication PowerShell cmdlet does not return all applications you can see in the Enterprise Applications and App registrations blades in Azure AD.
In addition, Get-AzureRmADApplication also does not return information such as:
if it is a MicrosoftFirstParty application
So, here’s a custom PS function to help you out:
It requires a special token generated by my Get-AzureRMToken function to log in.
As usual when using unsupported APIs, be careful!
If you’re a Cloud Solution Provider and you supply a CSP Azure subscription to a tenant, your AdminAgents will have Owner access to that subscription by default. Let’s say the customer also has an existing (non-CSP) subscription, maybe a non-profit donation.
When you add your accounts as Owner on the existing tenant’s non-CSP subscription, your users are added as guest accounts in the customer’s Azure AD. This removes the delegated CSP rights on the CSP subscription, because the references to the foreign accounts break when the new guest accounts carry the same UPN.
So, alternatively, run
Get-AzureRmRoleAssignment -Scope "/subscriptions/<CSP SUBSCRIPTION ID>"
against the CSP subscription to get the Foreign Principal ID for your own tenant. Then run
New-AzureRmRoleAssignment -ObjectId <FOREIGN PRINCIPAL ID> -Scope "/subscriptions/<EXISTING SUBSCRIPTION ID>" -RoleDefinitionName Owner
to add the foreign principal ID to the existing customer subscription and get delegated access 🙂
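The two commands above, put together as a script (an added example, not from the post): it looks up the foreign principal on the CSP subscription, refuses to guess if it finds none or several, skips the assignment when it already exists, and only then creates the Owner assignment on the customer's existing subscription. It assumes the AzureRM module, an account that is Owner on both subscriptions, and that the delegated CSP assignment shows up with a display name starting with "Foreign Principal" (that match is my assumption; check the raw Get-AzureRmRoleAssignment output if your tenant names it differently).

```powershell
# Added example (not from the post): copy the CSP foreign-principal Owner assignment from the
# CSP subscription to the customer's existing subscription instead of adding guest accounts.
# Assumes the AzureRM module and an account that is Owner on both subscriptions.
param(
    [Parameter(Mandatory)][string]$CspSubscriptionId,      # subscription provisioned through CSP
    [Parameter(Mandatory)][string]$ExistingSubscriptionId  # the customer's pre-existing subscription
)

Import-Module AzureRM.Resources
Connect-AzureRmAccount | Out-Null

$cspScope      = "/subscriptions/$CspSubscriptionId"
$existingScope = "/subscriptions/$ExistingSubscriptionId"

# The delegated CSP access is an Owner assignment for a principal whose ObjectId lives in the
# partner tenant. Matching on DisplayName is an assumption; adjust if your output differs.
$foreign = @(Get-AzureRmRoleAssignment -Scope $cspScope |
    Where-Object { $_.DisplayName -like 'Foreign Principal*' -and $_.RoleDefinitionName -eq 'Owner' })

if ($foreign.Count -eq 0) {
    throw "No foreign principal Owner assignment found on $cspScope"
}
if ($foreign.Count -gt 1) {
    throw "Several foreign principals found, pick one by hand: $($foreign.DisplayName -join ', ')"
}
$principal = $foreign[0]
Write-Host "Foreign principal: $($principal.DisplayName) ($($principal.ObjectId))"

# Idempotent: do nothing if the assignment already exists on the target subscription
$already = Get-AzureRmRoleAssignment -Scope $existingScope -ObjectId $principal.ObjectId `
    -RoleDefinitionName Owner -ErrorAction SilentlyContinue
if ($already) {
    Write-Host "Owner assignment already present on $existingScope, nothing to do"
    return
}

# Grant delegated access to the whole partner agent group, no guest accounts involved
New-AzureRmRoleAssignment -ObjectId $principal.ObjectId -Scope $existingScope -RoleDefinitionName Owner
Write-Host "Delegated Owner access added on $existingScope"
```

Because the assignment targets the foreign principal rather than individual partner users, nobody ends up as a guest in the customer directory, and the existing CSP delegation on the original subscription stays intact.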
Update: in recent builds of Windows the BackupToAAD-BitLockerKeyProtector PowerShell cmdlet does most of what this script used to do 🙂
I recently ran into an article by Pieter Wigleven, based on an original idea of Jan Van Meirvenne, that I simply have to share and expand upon.
When you go cloud first and do light MDM management of your Azure AD Joined Windows 10 devices, you will likely enable a BitLocker policy in Intune. What you’ll quickly discover is that your policy will not automatically enforce or enable BitLocker on devices that are not InstantGo capable.
So, I expanded upon Jan and Pieter’s script to automatically enable BitLocker on Windows 10: it has additional error handling and local logging, and it ejects removable drives before encrypting your system drive immediately (rather than after a reboot). Once encryption has started, it registers your recovery key in Azure AD. Of course, all credit for the original idea goes to Jan van Meirvenne.
PowerShell source file
enableBitlockerAndRegisterInAAD_v0.04.ps1 (right click, save as)
enableBitlockerAndRegisterInAAd_v0.04.msi (right click, save as)
As Intune won’t let you deploy a PowerShell script, I’ve also wrapped the script in an MSI file with Advanced Installer for you. What this will do:
Deploy the PS1 file to the machine
Register a scheduled task that runs this PS1 file at every logon
Kick off the scheduled task once, so a first reboot isn’t required
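The flow the post describes (eject removable drives, enable BitLocker on the system drive without a reboot, add a recovery password, back it up to Azure AD, log locally, and run again at every logon) as an added example in one file. This is my own illustration, not the v0.04 script or the MSI from the post: it assumes a Windows 10 device that is Azure AD joined with a ready TPM, that it runs as a local admin (which is why the post lists that requirement), and the task name, log path and encryption settings are my choices.

```powershell
# Added example (not the post's enableBitlockerAndRegisterInAAD script): enable BitLocker on the
# OS drive right away, back the recovery key up to Azure AD, and re-run at every logon.
# Assumes: Windows 10, Azure AD joined, TPM present, running as a local admin.
$logFile  = Join-Path $env:ProgramData 'EnableBitLocker.log'
$taskName = 'EnableBitLockerAndRegisterInAAD'   # name is my choice
$osDrive  = $env:SystemDrive
$self     = $PSCommandPath                      # full path of this script, for the scheduled task

function Write-Log([string]$Message) {
    "$(Get-Date -Format s) $Message" | Add-Content -Path $logFile
}

function Register-LogonTask {
    # Run this file at every logon as the interactive user, elevated (the post's MSI does the same)
    $action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
        -Argument "-NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File `"$self`""
    $trigger   = New-ScheduledTaskTrigger -AtLogOn
    $principal = New-ScheduledTaskPrincipal -UserId "$env:USERDOMAIN\$env:USERNAME" `
        -LogonType Interactive -RunLevel Highest
    Register-ScheduledTask -TaskName $taskName -Action $action -Trigger $trigger `
        -Principal $principal -Force | Out-Null
    Write-Log "Registered scheduled task $taskName"
}

function Dismount-RemovableDrives {
    # Eject removable media before encrypting, as the post's script does, so the TPM/hardware
    # check does not trip over a USB stick. Shell.Application namespace 17 is "This PC".
    $shell = New-Object -ComObject Shell.Application
    Get-Volume | Where-Object { $_.DriveType -eq 'Removable' -and $_.DriveLetter } | ForEach-Object {
        Write-Log "Ejecting removable drive $($_.DriveLetter):"
        $shell.Namespace(17).ParseName("$($_.DriveLetter):").InvokeVerb('Eject')
    }
}

try {
    Write-Log "Starting on $env:COMPUTERNAME"

    if (-not (Get-ScheduledTask -TaskName $taskName -ErrorAction SilentlyContinue)) {
        Register-LogonTask
    }

    if (-not (Get-Tpm).TpmReady) {
        throw 'TPM is not ready; cannot add a TPM protector'
    }

    $vol = Get-BitLockerVolume -MountPoint $osDrive
    if ($vol.VolumeStatus -eq 'FullyDecrypted') {
        Dismount-RemovableDrives
        # -SkipHardwareTest starts encryption immediately instead of after the next reboot
        Enable-BitLocker -MountPoint $osDrive -EncryptionMethod XtsAes256 -UsedSpaceOnly `
            -TpmProtector -SkipHardwareTest -ErrorAction Stop | Out-Null
        Write-Log "Encryption started on $osDrive"
    } else {
        Write-Log "$osDrive already has status $($vol.VolumeStatus); skipping Enable-BitLocker"
    }

    # A TPM protector alone gives no way to recover; add a recovery password if none exists
    $vol = Get-BitLockerVolume -MountPoint $osDrive
    if (-not ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
        Add-BitLockerKeyProtector -MountPoint $osDrive -RecoveryPasswordProtector -ErrorAction Stop | Out-Null
        Write-Log 'Added recovery password protector'
        $vol = Get-BitLockerVolume -MountPoint $osDrive
    }

    # Escrow every recovery password in Azure AD (requires the device to be Azure AD joined)
    foreach ($kp in ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
        BackupToAAD-BitLockerKeyProtector -MountPoint $osDrive -KeyProtectorId $kp.KeyProtectorId -ErrorAction Stop | Out-Null
        Write-Log "Backed up recovery key $($kp.KeyProtectorId) to Azure AD"
    }

    Write-Log 'Done'
} catch {
    Write-Log "ERROR: $($_.Exception.Message)"
    exit 1
}
```

Every step is written to be safe to repeat, which matters because the task fires at each logon: an already-encrypted drive is left alone, an existing recovery password is not duplicated, and the Azure AD backup is retried until it succeeds, so a device that was offline at first logon still gets its key escrowed later. Check the log under ProgramData when a device shows up in Azure AD without a recovery key.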
Advanced installer package (.aip)
enableBitlockerAndRegisterInAAD.zip (right click, save as)
Requirements:
Windows 10, Azure AD Joined
User should be a local admin
Have you tried
You should 🙂