access management
The final push to GA "Azure AD in new Azure Portal": We need your help!
Hello folks,

We're making our final push to the General Availability of "Azure Active Directory in the new Azure Portal", and we need your help to make sure it is great for you. As Alex Simons shared:

"Last September we shared the first preview of the new administration experience for Azure Active Directory in the new Azure portal. Since then, we've added lots of new functionality, including reporting, app management, conditional access, B2B, and licensing. Many of you are using the new experience regularly; in fact, over half a million of you are using it, from almost every country in the world, with usage increasing by about 25% each month. We appreciate all your positive feedback, and love the constructive feedback that's helped us make an even stronger product. But there are still a LOT of you using the old portal. Late last week we turned on another set of feature updates, and the new experience now has all of the features identity admins frequently use. With that update, we've entered our final push to GA the UX in the next ~60 days. And that's where we need your help: We need everyone to move over to using the new portal for production tasks so we can uncover any last minute lingering issues."

Please, do read Alex's blog post for more details and send us your feedback in the 'Admin Portal' section of our feedback forum. Let us know what you think!

Upcoming improvements to the Azure AD sign-in experience
We'd like to give you an early heads up on some visual design updates that are coming to the Azure AD sign-in experience. Customers gave us a LOT of feedback last time we updated the sign-in. It was clear that you wanted us to provide more notification, earlier in the process, with more information. We've learned, and this time we're giving you more time and info than ever before.

Our next set of changes aims to reduce clutter and make our screens look cleaner. A visually simpler UI helps users focus on the task at hand: signing in. This is solely a visual UI change with no changes to functionality. Existing company branding settings will carry forward to the updated UI. There will be no change to SSO or "Keep me signed in" functionality.

Read more about the changes at https://aka.ms/y4s53u.

Azure Active Directory Guest User Lifecycle Management (Access Reviews)!
Dear Azure Active Directory Friends,

Collaboration in today's world, with a wide variety of Microsoft cloud services, is here to stay. As with everything, advantages also come with disadvantages, for example when it comes to managing guest users in Azure Active Directory (Azure AD). Guest users can be created/invited in various services, such as SharePoint Online, Teams or Azure AD. After some time, the question arises: which guest users still need access to our organization and which do not? I answer this question with an Access Review.

Before we start creating the Access Review, we need to talk about the prerequisites. In my example, the following requirements are present:

1. Azure AD Premium P2 (was already present at the customer): https://docs.microsoft.com/en-us/azure/active-directory/governance/access-reviews-overview#license-requirements
2. For this customer all guest users are in one group.
3. You must be a Global administrator or User administrator.

Let's start now by navigating to Azure Active Directory and clicking on External Identities under "Manage". In the left side menu, navigate to "Lifecycle management" and click Access reviews. Click on "New access review".

In "Review", please select Teams + Groups and then select "Select Teams + Groups". Click on "Select group(s)"; a new blade will open. In the search box search for the group, highlight that group and click "Select" at the bottom. In "Select review scope" I select Guest users only, because in the selected group (in my example) there are only guest users. Click on Reviews.

Now select the reviewer from "Select reviewers". I will select Group owner(s) (for this there must be an owner of this group); you can of course make another selection, according to your needs. If the owner does not respond to the access review, you can select "Fallback reviewers".

In order to work with group owners, the following must be configured: in the Azure AD portal open the Identity Governance page. In the left menu, under Access reviews, click Settings. On the "Delegate who can create and manage access reviews" page, set the "(Preview) Group owners can create and manage access reviews of groups they own" setting to Yes.

Now you can determine the duration of the review. Depending on the number of days you select, not all options are available for "Review recurrence". For example, if you select 7 days, you cannot select weekly for "Review recurrence", etc. (I select 3 days and one time.) Once your settings are made, click on "Next: Settings".

Now the individual settings can be made:

1. If you want to automatically remove access for denied users, set "Auto apply results to resource" to Enable.
2. Use the "If reviewers don't respond" list to specify what happens for users that are not reviewed by the reviewer within the review period:
   - No change: leave the user's access unchanged
   - Remove access: remove the user's access
   - Approve access: approve the user's access
   - Take recommendations: take the system's recommendation on denying or approving the user's continued access
3. Use "Action to apply on denied guest users" to specify what happens to guest users if they are denied. "Remove user's membership from the resource" will remove denied users' access to the group or application being reviewed; they will still be able to sign in to the tenant. "Block user from signing-in for 30 days, then remove user from the tenant" will block the denied users from signing in to the tenant, regardless of whether they have access to other resources. If there was a mistake or if an admin decides to re-enable one's access, they can do so within 30 days after the user has been disabled. If no action is taken on the disabled users, they will be deleted from the tenant.
4. In "Enable review decision helpers" choose whether you would like your reviewer to receive recommendations during the review process.
5. In the Advanced settings section you can choose the following:
   - Set "Justification required" to Enable to require the reviewer to supply a reason for approval.
   - Set "Email notifications" to Enable to have Azure AD send email notifications to reviewers when an access review starts, and to administrators when a review completes.
   - Set "Reminders" to Enable to have Azure AD send reminders of access reviews in progress to all reviewers. Reviewers will receive the reminders halfway through the duration of the review, regardless of whether they have completed their review at that time.

At the end click on "Next: Review + Create". Give your review a name and click "Create". Now your Access Review will be listed. The owner or owners of the group (in my case, me) have now received an email. (Sorry, the last two screenshots are in German.)

The group owner can now start the review by clicking on "Start review". It starts the browser, login must be made, and then the group owner sees the details. Now the group owner can decide which guest users can still have access to the organization.

I hope this article was helpful for you. Thank you for taking the time to read this article.

Best regards, Tom Wechsler

Example of retrieving Azure AD access reviews via Microsoft Graph
The Azure AD access reviews feature now has an API in the Microsoft Graph beta endpoint. The list of API methods is at https://developer.microsoft.com/en-us/graph/docs/api-reference/beta/resources/accessreviews_root. While we are in the process of adding access reviews to Azure AD PowerShell, and examples of using access reviews from other development platforms to our documentation, the following code sample may be of interest.

Azure AD access reviews data model

The Azure AD access reviews feature adds the following resource types:

- accessReview: represents an access review. This can be a one-time review, a recurring review series, or an instance of a recurring review.
- businessFlowTemplate: the business flow template determines the type of resource on which an access review is to be performed. The identifier of a template, such as to review guest members of a group, is supplied by the caller when creating an access review. (The business flow template objects are read only; they are automatically generated when the global administrator onboards the tenant to use the access reviews feature. No additional business flow templates can be created.)
- program: represents an Azure AD access review program. A program is a container, holding program controls. A tenant can have one or more programs. Each control links an access review to a program, to make it easier to locate related access reviews. Each tenant that has onboarded Azure AD access reviews has one program, `Default program`. A global administrator can create additional programs, for example to represent compliance initiatives.
- programControl: represents a control, which links an access review to a particular program.
- programControlType: the program control type is used when associating a control to a program, to indicate the type of access review the control is for. (The program control type objects are read only; they are automatically generated when the global administrator onboards the tenant to use the access reviews feature. No additional program control types can be created.)

Understanding authorization requirements

The Azure AD access reviews API performs three checks:

First, has the tenant onboarded to the feature: Azure AD access reviews or, in the case of access reviews of Azure AD roles, Azure AD PIM. Both of these features are included in Azure AD Premium P2, and require the administrator to have used the features at least once in order to permit the APIs to be called. If you have not already used Azure AD access reviews, the section "Enable Azure AD access reviews in your tenant" below onboards the Azure AD access reviews feature so you can try out the APIs.

Second, does the application have the necessary permissions. The permissions available for these APIs are:

- AccessReview.Read.All: read access reviews
- AccessReview.ReadWrite.All: read, create, update and delete access reviews
- ProgramControl.Read.All: read programs and controls
- ProgramControl.ReadWrite.All: read, create, update and delete programs and controls

If you do not already have those permissions on an application, the section "Register an Azure AD application which can call the access reviews Graph API" below creates a new application and assigns it read permissions. (You can change the scenario to assign it read and write permission.)

Third, does the user have the necessary permissions. This is determined by the calling user's directory role. The required directory role of the user, in addition to the application permission, is:

Target resource: Access review of an Azure AD role
  Read: Global Administrator, Security Administrator, Security Reader or Privileged Role Administrator
  Create, Update or Delete: Global Administrator or Privileged Role Administrator

Target resource: Access review of a group or app
  Read: Global Administrator, Security Administrator, Security Reader or User Administrator
  Create, Update or Delete: Global Administrator or User Administrator

Target resource: Programs or controls
  Read: Global Administrator, Security Administrator, Security Reader or User Administrator
  Create, Update or Delete: Global Administrator or User Administrator

Enable Azure AD access reviews in your tenant

This example assumes you have already onboarded Azure AD access reviews in your tenant directory. If you have already done so, then skip to the next section "Register an Azure AD application which has permissions to call the access reviews API in Graph". Otherwise, continue with these steps to ensure the feature is onboarded so the APIs will return some data.

1. Log into the Azure portal as a global administrator.
2. Ensure that your organization has an Azure AD Premium P2 or EMS E5 subscription active. If not, click on https://portal.azure.com/#blade/Microsoft_AAD_IAM/TryBuyProductBlade and activate a trial of Enterprise Mobility + Security E5. Otherwise, if your organization has an active subscription, continue at the next step.
3. Navigate to the Azure AD extension, and click on "Access reviews" on the right hand side under "Other capabilities".
4. If you have not already onboarded Azure AD access reviews in your organization, onboard it now.
5. Click on "Programs" and ensure there is at least one program listed.
6. At this point you can create additional access reviews if you wish.

Register an Azure AD application which has permissions to call the access reviews API in Graph

The Graph authorization model requires that an application must be consented by a user or administrator prior to accessing an organization's data.

1. Log into the Azure portal as a global administrator.
2. Navigate to the Azure AD extension, and click on "App registrations" in the MANAGE section, to land at the page https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/RegisteredApps
3. Click on the "New application registration" button at the top of the page.
4. Provide a name for the application that is different from any other application in your tenant's directory (e.g., "graphsample"), change the Application type to Native, and provide the following as the Redirect URI: urn:ietf:wg:oauth:2.0:oob
5. Click "Create".
6. When the application is registered, copy the Application ID value, and save the value for later.
7. Click on Settings, then click on "Required permissions".
8. Click on "Add". Click on "Select an API", click on "Microsoft Graph", and then click "Select".
9. Azure AD access reviews uses the following delegated permissions: Read all access reviews that user can access, Manage all access reviews that user can access, Read all programs that user can access, and Manage all programs that user can access. This example application requires only the permissions:
   - Read all access reviews that user can access
   - Read all programs that user can access
   Put a checkbox by those two permissions, and click "Select".
10. Click "Done".

(Sample only) Ensure PowerShell and the ADAL libraries are on your computer

The Microsoft Graph requires the application calling it to have an access token. In this example, the sample code to use the API will leverage the ADAL library, which is automatically installed when using Azure AD PowerShell cmdlets.

1. Ensure that you have PowerShell 3.0 or later, and .NET Framework 4.5, installed on your computer.
2. Ensure that you have either the Azure AD PowerShell v2 General Availability or Preview modules installed on your computer. If not, more information on how to install them is at https://docs.microsoft.com/en-us/powershell/azure/active-directory/install-adv2?view=azureadps-2.0.
3. Try using Connect-AzureAD to ensure that you can authenticate to Azure AD as a global administrator.

Retrieving the token and calling the API

1. Create a file named "access-reviews-example1.ps1" whose content is the sample PowerShell from the end of this post.
2. Start PowerShell.
3. Change to the directory where the access-reviews-example1.ps1 script is located.
4. Invoke the script, providing on the command line -User with the User principal name (UPN) of a global administrator, and -ClientId with the application ID value from earlier. For example:
   .\access-reviews-example1.ps1 -User ga@contoso.onmicrosoft.com -ClientId 280d7b83-8d0a-4ee7-8f1a-064ec36d1fa1
5. When the script is run for the first time in a PowerShell session, you will be asked to authenticate. For the purposes of this example, ensure that you sign in as a global administrator.
6. After authenticating, the first time the script is run for a particular application, you will be prompted to consent to the application's use of permissions.
7. Once consented, the script will use the token to call Microsoft Graph and retrieve programs, controls, business flow templates and access reviews, and write a summary of them to the PowerShell window.

Note that the authorization is only applicable to the global administrator who consented to the application, and only for that tenant. If other users in the organization or in other applications also wish to use the application, additional steps are required for admin consent. See the article https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-devhowto-multi-tenant-overview for more information on admin consent in applications.
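Before the post's own sample below, here is one added example that covers both the guest-user review Tom Wechsler's post above builds in the portal and the programs/reviews/instances/decisions walk that this post's sample performs. It is not part of either post: it uses the Microsoft.Graph PowerShell SDK (Connect-MgGraph, Invoke-MgGraphRequest) against the v1.0 identityGovernance/accessReviews/definitions resources, which replaced the beta accessReviews, programs and businessFlowTemplates resources and the ADAL library that the samples on this page rely on. The group ID and fallback-reviewer user ID are hypothetical placeholders; the settings are the ones the portal walkthrough selects (guest users only, group owners as reviewers with a fallback, a one-time three-day review, auto-apply, "remove access" when nobody responds, and block-then-delete for denied guests).

```powershell
# Added example (not from either post): create the one-time guest-user review from the
# portal walkthrough, then walk definitions -> instances -> decisions on the v1.0 API.
# Needs the Microsoft.Graph.Authentication module; the signed-in user needs the
# AccessReview.ReadWrite.All delegated permission (Read.All suffices for the listing).
$GraphBase = 'https://graph.microsoft.com/v1.0/identityGovernance/accessReviews'

function New-GuestReviewDefinition {
    # Builds the request body. Group and fallback-reviewer IDs are supplied by the caller.
    param(
        [Parameter(Mandatory)][string]$GroupId,
        [Parameter(Mandatory)][string]$FallbackReviewerId,
        [string]$DisplayName = 'Guest user review',
        [int]$DurationInDays = 3
    )
    $start = [datetime]::UtcNow.Date
    @{
        displayName          = $DisplayName
        descriptionForAdmins = 'One-time review of guest members (added example)'
        # "Guest users only": transitive members of the group whose userType is Guest
        scope = @{
            '@odata.type' = '#microsoft.graph.accessReviewQueryScope'
            query         = "/groups/$GroupId/transitiveMembers/microsoft.graph.user/?`$filter=(userType eq 'Guest')"
            queryType     = 'MicrosoftGraph'
        }
        # "Group owner(s)" review; a named user decides if the owners do not respond
        reviewers         = @(@{ query = "/groups/$GroupId/owners";    queryType = 'MicrosoftGraph' })
        fallbackReviewers = @(@{ query = "/users/$FallbackReviewerId"; queryType = 'MicrosoftGraph' })
        settings = @{
            mailNotificationsEnabled        = $true    # Email notifications
            reminderNotificationsEnabled    = $true    # Reminders
            justificationRequiredOnApproval = $true    # Justification required
            recommendationsEnabled          = $true    # Enable review decision helpers
            autoApplyDecisionsEnabled       = $true    # Auto apply results to resource
            defaultDecisionEnabled          = $true    # If reviewers don't respond:
            defaultDecision                 = 'Deny'   #   Remove access
            instanceDurationInDays          = $DurationInDays
            # No recurrence pattern: a single instance covering the review window
            recurrence = @{
                range = @{
                    type      = 'endDate'
                    startDate = $start.ToString('yyyy-MM-dd')
                    endDate   = $start.AddDays($DurationInDays).ToString('yyyy-MM-dd')
                }
            }
            # "Block user from signing-in for 30 days, then remove user from the tenant"
            applyActions = @(@{ '@odata.type' = '#microsoft.graph.disableAndDeleteUserApplyAction' })
        }
    }
}

function Get-GraphCollection {
    # Follows @odata.nextLink so long decision lists are not silently truncated.
    param([Parameter(Mandatory)][string]$Uri)
    while ($Uri) {
        $page = Invoke-MgGraphRequest -Method GET -Uri $Uri -OutputType PSObject
        foreach ($item in $page.value) { $item }
        $Uri = $page.'@odata.nextLink'
    }
}

function Show-AccessReviewDecisions {
    # Same walk as the beta sample on this page, on v1.0, with a per-instance tally.
    # NotReviewed entries at the end of an instance are what defaultDecision acts on.
    foreach ($def in Get-GraphCollection "$GraphBase/definitions") {
        "definition {0} `"{1}`" {2}" -f $def.id, $def.displayName, $def.status
        foreach ($inst in Get-GraphCollection "$GraphBase/definitions/$($def.id)/instances") {
            "  instance {0} {1} -> {2} {3}" -f $inst.id, $inst.startDateTime, $inst.endDateTime, $inst.status
            if ($inst.status -eq 'NotStarted') { continue }
            $decisions = Get-GraphCollection "$GraphBase/definitions/$($def.id)/instances/$($inst.id)/decisions"
            $decisions | Group-Object decision | ForEach-Object { "    {0,-12} {1}" -f $_.Name, $_.Count }
            foreach ($d in $decisions | Where-Object { $_.decision -eq 'Deny' }) {
                # applyResult tells you whether auto-apply actually removed the guest
                "    deny {0} applyResult={1}" -f $d.principal.userPrincipalName, $d.applyResult
            }
        }
    }
}

# Hypothetical IDs: the group holding the guests and the admin used as fallback reviewer.
Connect-MgGraph -Scopes 'AccessReview.ReadWrite.All'
$body = New-GuestReviewDefinition -GroupId '00000000-0000-0000-0000-000000000001' `
                                  -FallbackReviewerId '00000000-0000-0000-0000-000000000002'
$created = Invoke-MgGraphRequest -Method POST -Uri "$GraphBase/definitions" `
               -Body ($body | ConvertTo-Json -Depth 10) -ContentType 'application/json' -OutputType PSObject
"created definition $($created.id)"
Show-AccessReviewDecisions
```

Dump the body with ConvertTo-Json and check the scope query before the POST: with autoApplyDecisionsEnabled and disableAndDeleteUserApplyAction, a wrong group ID creates a review that will disable and later delete real guest accounts, so start on a test group, or with removeAccessApplyAction or auto-apply off. For unattended runs (the later post in this listing uses application permissions for that), Connect-MgGraph also accepts -ClientId, -TenantId and -CertificateThumbprint, which avoids keeping a long-lived client secret.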
Sample (PowerShell)

# Example for using Azure AD access reviews in Microsoft Graph
#
# This material is provided "AS-IS" and has no warranty.
#
# Last updated August 22, 2018
#
# This example is adapted from the documentation example located at
# https://docs.microsoft.com/en-us/intune/intune-graph-apis
#
#
Param(
    [Parameter(Mandatory=$true)][string]$User,
    [Parameter(Mandatory=$true)][string]$ClientId
)

# from Intune graph API samples
function Get-GraphExampleAuthToken {
    [cmdletbinding()]
    param (
        [Parameter(Mandatory = $true)] $User,
        [Parameter(Mandatory = $true)] $ClientId,
        [Parameter()] $TenantDomain
    )

    # Derive the tenant from the UPN unless a tenant domain was given explicitly
    $userUpn = New-Object "System.Net.Mail.MailAddress" -ArgumentList $User
    $tenant = $userUpn.Host
    if ($TenantDomain -ne $null) { $tenant = $TenantDomain }

    Write-Verbose "Checking for AzureAD module..."
    $AadModule = Get-Module -Name "AzureAD" -ListAvailable
    if ($AadModule -eq $null) {
        Write-Host "AzureAD PowerShell module not found, looking for AzureADPreview"
        $AadModule = Get-Module -Name "AzureADPreview" -ListAvailable
    }
    if ($AadModule -eq $null) {
        write-host
        write-host "AzureAD Powershell module not installed..." -f Red
        write-host "Install by running 'Install-Module AzureAD' or 'Install-Module AzureADPreview' from an elevated PowerShell prompt" -f Yellow
        write-host "Script can't continue..." -f Red
        write-host
        exit
    }

    # Getting path to ActiveDirectory Assemblies
    # If the module count is greater than 1 find the latest version
    if ($AadModule.count -gt 1) {
        $Latest_Version = ($AadModule | select version | Sort-Object)[-1]
        $aadModule = $AadModule | ? { $_.version -eq $Latest_Version.version }
        $adal = Join-Path $AadModule.ModuleBase "Microsoft.IdentityModel.Clients.ActiveDirectory.dll"
        $adalforms = Join-Path $AadModule.ModuleBase "Microsoft.IdentityModel.Clients.ActiveDirectory.Platform.dll"
    } else {
        $adal = Join-Path $AadModule.ModuleBase "Microsoft.IdentityModel.Clients.ActiveDirectory.dll"
        $adalforms = Join-Path $AadModule.ModuleBase "Microsoft.IdentityModel.Clients.ActiveDirectory.Platform.dll"
    }
    [System.Reflection.Assembly]::LoadFrom($adal) | Out-Null
    [System.Reflection.Assembly]::LoadFrom($adalforms) | Out-Null

    $redirectUri = "urn:ietf:wg:oauth:2.0:oob"
    $resourceAppIdURI = "https://graph.microsoft.com"
    $authority = "https://login.microsoftonline.com/$Tenant"

    try {
        $authContext = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext" -ArgumentList $authority
        # https://msdn.microsoft.com/library/azure/microsoft.identitymodel.clients.activedirectory.promptbehavior.aspx
        # Change the prompt behaviour to force credentials each time: Auto, Always, Never, RefreshSession
        $platformParameters = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.PlatformParameters" -ArgumentList "Auto"
        $userId = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.UserIdentifier" -ArgumentList ($User, "OptionalDisplayableId")
        $authResult = $authContext.AcquireTokenAsync($resourceAppIdURI, $ClientId, $redirectUri, $platformParameters, $userId).Result

        # If the accesstoken is valid then create the authentication header
        if ($authResult.AccessToken) {
            # Creating header for Authorization token
            $authHeader = @{
                'Content-Type'  = 'application/json'
                'Authorization' = "Bearer " + $authResult.AccessToken
                'ExpiresOn'     = $authResult.ExpiresOn
            }
            return $authHeader
        } else {
            Write-Host
            Write-Host "Authorization Access Token is null, please re-run authentication..." -ForegroundColor Red
            Write-Host
            break
        }
    } catch {
        write-host $_.Exception.Message -f Red
        write-host $_.Exception.ItemName -f Red
        write-host
        break
    }
}

# start of access review specific example
function Get-GraphExampleProgramControls($authHeaders, $programId) {
    $uri1 = "https://graph.microsoft.com/beta/programs('" + $programId + "')/controls"
    Write-Host "GET $uri1"
    $resp1 = Invoke-WebRequest -UseBasicParsing -headers $authHeaders -Uri $uri1 -Method Get
    $val1 = ConvertFrom-Json $resp1.Content
    foreach ($c in $val1.Value) {
        $cid = $c.controlId
        $displayname = '"' + $c.displayName + '"'
        Write-Host "control $cid $displayname"
    }
}

function Get-GraphExamplePrograms($authHeaders) {
    $uri1 = "https://graph.microsoft.com/beta/programs"
    Write-Host "GET $uri1"
    $resp1 = Invoke-WebRequest -UseBasicParsing -headers $authHeaders -Uri $uri1 -Method Get
    $val1 = ConvertFrom-Json $resp1.Content
    foreach ($program in $val1.Value) {
        $id = $program.id
        $displayname = '"' + $program.displayName + '"'
        Write-Host "program $id $displayName"
        Get-GraphExampleProgramControls $authHeaders $id
        Write-Host ""
    }
}

function Get-GraphExampleAccessReviewDecisions($authHeaders, $arid) {
    $uri1 = 'https://graph.microsoft.com/beta/accessReviews(' + "'" + $arid + "')/decisions"
    Write-Host "GET $uri1"
    $resp1 = Invoke-WebRequest -UseBasicParsing -headers $authHeaders -Uri $uri1 -Method Get
    $val1 = ConvertFrom-Json $resp1.Content
    foreach ($ard in $val1.Value) {
        $rr = $ard.reviewResult
        $upn = $ard.userPrincipalName
        Write-Host "access review decision $upn $rr"
    }
    Write-Host ""
}

function Get-GraphExampleAccessReviewInstances($authHeaders, $arid) {
    $uri1 = 'https://graph.microsoft.com/beta/accessReviews(' + "'" + $arid + "')/instances"
    Write-Host "GET $uri1"
    $resp1 = Invoke-WebRequest -UseBasicParsing -headers $authHeaders -Uri $uri1 -Method Get
    $val1 = ConvertFrom-Json $resp1.Content
    foreach ($ard in $val1.Value) {
        $iid = $ard.id
        $start = $ard.startDateTime
        $end = $ard.endDateTime
        $status = $ard.status
        Write-Host "access review instance $start $end $status"
        # Decisions only exist once an instance has started
        if ($status -ne "NotStarted") {
            Get-GraphExampleAccessReviewDecisions $authHeaders $iid
        }
    }
    Write-Host ""
}

function Get-GraphExampleAccessReviews($authHeaders, $bftid) {
    # $filter is in single quotes so PowerShell does not expand it as a variable
    $uri1 = 'https://graph.microsoft.com/beta/accessReviews?$filter=businessFlowTemplateId%20eq%20' + "'" + $bftid + "'"
    Write-Host "GET $uri1"
    $resp1 = Invoke-WebRequest -UseBasicParsing -headers $authHeaders -Uri $uri1 -Method Get
    $val1 = ConvertFrom-Json $resp1.Content
    foreach ($ar in $val1.Value) {
        $id = $ar.id
        $displayname = '"' + $ar.displayName + '"'
        $startDateTime = $ar.startDateTime
        $status = $ar.status
        Write-Host "access review $id $displayName $startDateTime $status"
        Get-GraphExampleAccessReviewDecisions $authHeaders $id
        Get-GraphExampleAccessReviewInstances $authHeaders $id
    }
}

function Get-GraphExampleBusinessFlowTemplates($authHeaders) {
    $uri1 = "https://graph.microsoft.com/beta/businessFlowTemplates"
    Write-Host "GET $uri1"
    $resp1 = Invoke-WebRequest -UseBasicParsing -headers $authHeaders -Uri $uri1 -Method Get
    $val1 = ConvertFrom-Json $resp1.Content
    foreach ($bft in $val1.Value) {
        $id = $bft.id
        Write-Host "business flow template $id"
        Get-GraphExampleAccessReviews $authHeaders $id
        Write-Host ""
    }
}

$authHeaders = Get-GraphExampleAuthToken -User $User -ClientId $ClientId
Get-GraphExamplePrograms $authHeaders
Get-GraphExampleBusinessFlowTemplates $authHeaders

Guest Users - Clean Up
Does anyone have any experience with policies and planning for cleaning up guest users? We want to make sure that when guest users leave their company we can make sure they no longer have access to our Teams. Is there an audit process or an expiration process for guest users? Thanks!

Use Conditional Access to Restrict Microsoft Teams
Hello everyone. I wrote a new blog post about how to restrict access to Microsoft Teams using Azure AD Conditional Access. To me, this opens up a new world of possibilities and use cases with the product. Let me know your thoughts, feedback, input and comments, and if you find this valuable or useful, or would like for me to expand. Thanks so much!

https://blogs.technet.microsoft.com/skypehybridguy/2017/08/31/microsoft-teams-restrict-usage-with-azure-ad-conditional-access/

Example how to create Azure AD access reviews using Microsoft Graph app permissions with PowerShell
The Azure AD access reviews feature is part of Microsoft Graph, with a list of methods at https://docs.microsoft.com/en-us/graph/api/resources/accessreviews-root?view=graph-rest-beta. An earlier blog post included an example of how a user, such as a Security Reader, could retrieve all the programs, controls and access reviews via Microsoft Graph, in PowerShell. In this post, I'll show an example PowerShell script that uses the new application permission AccessReview.ReadWrite.Membership. Application permissions don't need the app to have a logged-in user to call Graph, so you can use this to automatically create and retrieve access reviews from scheduled jobs or as part of your existing automation.

Code Sample Prerequisite #1: Azure AD PowerShell

To set up this code sample, you'll need an Azure AD tenant where you're a global administrator. In this example, as with the previous blog post, the sample code to use the API leverages the ADAL library to retrieve an access token used by Microsoft Graph. The ADAL library is automatically installed when you install Azure AD PowerShell cmdlets. So before you begin, ensure that you have PowerShell 3.0 or later, .NET Framework 4.5 and either the Azure AD PowerShell v2 General Availability or Preview modules installed on your computer. If you don't have Azure AD PowerShell installed yet, see https://docs.microsoft.com/en-us/powershell/azure/active-directory/install-adv2?view=azureadps-2.0. Try the Connect-AzureAD command to ensure that you can authenticate to Azure AD as a global administrator. Also try Get-AzureADUser to make sure you can retrieve users, as you'll need a user ID later on.

Code Sample Prerequisite #2: Azure AD access reviews

This example assumes you have already onboarded Azure AD access reviews in your tenant directory. If you have already done so, then skip to the next section "Register an Azure AD application". Otherwise, continue with these steps to ensure the feature is onboarded so the APIs will allow access reviews to be created and return some data.

1. Log into the Azure portal as a global administrator.
2. Ensure that your organization has an Azure AD Premium P2 or EMS E5 subscription active. If not, click https://portal.azure.com/#blade/Microsoft_AAD_IAM/TryBuyProductBlade and activate a trial of Enterprise Mobility + Security E5. Otherwise, if your organization has an active subscription, continue at the next step.
3. Navigate to Azure Active Directory, and then click Identity Governance on the left hand side.
4. Click Access reviews.
5. If no one has onboarded Azure AD access reviews in your organization, onboard it now.

Register an Azure AD application

Next, you'll need to create an app registration with the new permission, to allow your application to call the access reviews API in Microsoft Graph. If you haven't created an app registration lately, the user interface in the Azure portal has changed. Here's how to create an app with the updated UI.

1. Log into the Azure portal as a global administrator.
2. In the Azure portal, go to Azure Active Directory, and then click App registrations on the left.
3. Click New registration.
4. Give your app a name, and then click Register.
5. Copy and save for later the application (client) ID that appears after the app is registered.
6. On the left, click API permissions.
7. Click Add a permission, click Microsoft Graph, and then click Application permissions.
8. In the Select permissions list, expand AccessReview and select AccessReview.ReadWrite.Membership. While here, though not required for this sample, you might want to expand Group and give the app the permission Group.Read.All, and expand User and give the app the User.Read.All permission. Click Add permissions.
9. Click Grant admin consent for <your tenant> and then click Yes. The status for each permission the app needs should change to a green checkmark, indicating consent was granted.
10. On the left, click Certificates & secrets.
11. Click New client secret and then for Expires select Never. Click Add.
12. Copy and save locally the value of the secret that appears; you won't see it again after you leave this part of the UI.

At this point, you'll have a client app ID and a client secret. In real life you'd probably want to store the secret in Azure Automation, Azure Key Vault, or similar.

Create and retrieve access reviews using Graph

Next, here's how to try out Microsoft Graph API requests when authenticated as an application, using a PowerShell script to be your application. I'll assume you have Azure AD v2 PowerShell cmdlets already installed; the script uses the Azure AD library included in those modules for authentication.

1. Save the PowerShell below to a file named sample-ar-app-permissions.psm1.
2. Open a new PowerShell window, change to the directory where the file is located and type Import-Module .\sample-ar-app-permissions.psm1
3. Type Connect-AzureADMSARSample. This obtains a token needed for the service principal to call Graph. You'll be prompted to provide the following information:
   - ClientApplicationId
   - ClientSecret
   - TenantDomain (e.g. demo….onmicrosoft.com)
4. To create a new access review, use the command New-AzureADMSARSampleAccessReview. To try out this command, you'll need to have an Azure AD group with members and owners; the owners will be the reviewers. You'll be prompted to provide the following information:
   - DisplayName: a display name for the access review
   - ReviewedEntityId: the object ID of a group whose members are to be reviewed
   - OwnerUserId: the object ID of a user such as an admin who will be listed as the owner of a review, since apps can't own access reviews
   If successful, the command will return the ID of the new access review. If you see an error about permissions, please note that app registration may take a few minutes to be set up in the directory; if the Graph calls don't work right away, try again an hour later.
Type Get-AzureADMSARSampleAccessReview to see the access review that you've created.

I expect we'll bring commands to create and query access reviews into the Azure AD PowerShell module in the future, which will remove the need for Connect-AzureADMSARSample. Please let us know about any other feedback/suggestions you have for more code samples.

Thanks,
Mark Wahl

# Example for creating and retrieving the results of an Azure AD access review via Microsoft Graph using application permissions
#
# This material is provided "AS-IS" and has no warranty.
#
# Last updated August 2019
#
# This example is adapted from the documentation example located at
# https://docs.microsoft.com/en-us/intune/intune-graph-apis
#
#
# the following functions are from Intune graph API samples, adapted for service principal authentication

function Get-GraphExampleAuthTokenServicePrincipal {
    [cmdletbinding()]
    param (
        [Parameter(Mandatory = $true)] $ClientId,
        [Parameter(Mandatory = $true)] $ClientSecret,
        [Parameter(Mandatory = $true)] $TenantDomain
    )

    $tenant = $TenantDomain

    Write-Verbose "Checking for AzureAD module..."
    $AadModule = Get-Module -Name "AzureAD" -ListAvailable
    if ($null -eq $AadModule) {
        Write-Verbose "AzureAD PowerShell module not found, looking for AzureADPreview"
        $AadModule = Get-Module -Name "AzureADPreview" -ListAvailable
    }
    if ($null -eq $AadModule) {
        # Write-Output inside a function would become part of the return value; warn and throw instead
        Write-Warning "Install by running 'Install-Module AzureAD' or 'Install-Module AzureADPreview' from an elevated PowerShell prompt"
        throw "AzureAD PowerShell module not installed. Script can't continue."
    }

    # Getting path to ActiveDirectory Assemblies
    # If the module count is greater than 1 find the latest version
    if ($AadModule.count -gt 1) {
        Write-Verbose "multiple module versions"
        $AadModule = $AadModule | Sort-Object Version -Descending | Select-Object -First 1
    } else {
        Write-Verbose "single module version"
    }
    $adal = Join-Path $AadModule.ModuleBase "Microsoft.IdentityModel.Clients.ActiveDirectory.dll"
    $adalforms = Join-Path $AadModule.ModuleBase "Microsoft.IdentityModel.Clients.ActiveDirectory.Platform.dll"

    Write-Verbose "loading $adal and $adalforms"
    [System.Reflection.Assembly]::LoadFrom($adal) | Out-Null
    [System.Reflection.Assembly]::LoadFrom($adalforms) | Out-Null
    Write-Verbose "DLLs loaded"

    # $redirectUri = "urn:ietf:wg:oauth:2.0:oob"
    $resourceAppIdURI = "https://graph.microsoft.com"
    $authority = "https://login.microsoftonline.com/$tenant"

    try {
        Write-Verbose "instantiating ADAL objects for $authority"
        $authContext = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext" -ArgumentList $authority
        # Never write the client secret to the verbose stream; transcripts and logs would capture it
        Write-Verbose "client $ClientId"
        $clientCredential = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.ClientCredential" -ArgumentList ($ClientId, $ClientSecret)

        Write-Verbose "acquiring token for $resourceAppIdURI"
        # AuthenticationResult authResult = await authContext.AcquireTokenAsync(BatchResourceUri, new ClientCredential(ClientId, ClientKey));
        # if you get an error about PowerShell not being able to find this method with 2 parameters, it means there is another version of ADAL DLL already in the process space of your PowerShell environment.
        $authResult = $authContext.AcquireTokenAsync($resourceAppIdURI, $clientCredential).Result

        # If the accesstoken is valid then create the authentication header
        if ($authResult.AccessToken) {
            Write-Verbose "acquired token"
            # Creating header for Authorization token. Only real HTTP headers belong here: the token
            # expiry (ExpiresOn) is not a header, so it is no longer sent to Graph.
            $authHeader = @{
                'Content-Type'  = 'application/json'
                'Authorization' = "Bearer " + $authResult.AccessToken
            }
            return $authHeader
        } else {
            # 'break' is not valid outside a loop; fail loudly instead
            throw "Authorization Access Token is null, please re-run authentication..."
        }
    }
    catch {
        Write-Warning $_.Exception.Message
        throw
    }
}

$_SampleInternalAuthNHeaders = @()

# exported module member
function Connect-AzureADMSARSample {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory=$true)]
        [ValidateScript({ $v = $_; try { [System.Guid]::Parse($v) | Out-Null; $true } catch { throw "$v is not a valid GUID" } })]
        [string]$ClientApplicationId,

        [Parameter(Mandatory=$true)]
        [string]$ClientSecret, # base64 client secret. Note this as a command line parameter is for testing purposes only

        [Parameter(Mandatory=$true)]
        [string]$TenantDomain # e.g., microsoft.onmicrosoft.com
    )

    $script:_SampleInternalAuthNHeaders = @()
    $authHeaders = Get-GraphExampleAuthTokenServicePrincipal -ClientId $ClientApplicationId -ClientSecret $ClientSecret -TenantDomain $TenantDomain
    $script:_SampleInternalAuthNHeaders = $authHeaders
}

function Get-InternalAuthNHeaders {
    [CmdletBinding()]
    param()

    $authResult = $script:_SampleInternalAuthNHeaders
    # comparing .Length to @() never matches; test for a missing or empty header table instead
    if ($null -eq $authResult -or $authResult.Count -eq 0) {
        throw "Connect-AzureADMSARSample must be called first"
    }
    return $authResult
}

function New-GraphExampleAccessReview($authHeaders, $displayName, $reviewedObjectId, $reviewerType, $businessFlowTemplateId, $description, $durationInDays, $ownerUserId) {

    $recurrenceSettings = @{
        recurrenceType    = "onetime";
        recurrenceEndType = "endBy";
        durationInDays    = 0;
        recurrenceCount   = 0;
    }
    $autoReviewSettings = @{
        notReviewedResult = "Approve" # also use "Deny" or "Recommendation"
    }
    $settings = @{
        mailNotificationsEnabled        = $true;
        remindersEnabled                = $true;
        justificationRequiredOnApproval = $false;
        autoReviewEnabled               = $true;
        activityDurationInDays          = 30;
        autoApplyReviewResultsEnabled   = $false;
        accessRecommendationsEnabled    = $true;
        recurrenceSettings              = $recurrenceSettings;
        autoReviewSettings              = $autoReviewSettings;
    }

    $reviewedEntity = [pscustomobject]@{ id = $reviewedObjectId }
    $owner = [pscustomobject]@{ id = $ownerUserId }

    $now = Get-Date
    $ts = Get-Date $now.ToUniversalTime() -format "s"
    $startDate = $ts + "Z"
    $ts = Get-Date $now.AddDays($durationInDays).ToUniversalTime() -format "s"
    $endDate = $ts + "Z"

    $bodyObj = [pscustomobject]@{
        displayName            = $displayName;
        startDateTime          = $startDate;
        endDateTime            = $endDate;
        reviewedEntity         = $reviewedEntity;
        reviewerType           = $reviewerType;
        businessFlowTemplateId = $businessFlowTemplateId;
        description            = $description;
        settings               = $settings;
        createdBy              = $owner;
    }

    # -Depth: the default of 2 is only just enough for settings.recurrenceSettings; set it
    # explicitly so nested objects are never silently flattened to strings
    $body = ConvertTo-Json $bodyObj -Compress -Depth 5

    # $authHeaders already contains "Content-Type" = "application/json". Content-Length is left to
    # Invoke-WebRequest: $body.Length counts characters, not bytes, and would be wrong for non-ASCII text.
    $uri1 = "https://graph.microsoft.com/beta/accessReviews"
    $resp1 = Invoke-WebRequest -UseBasicParsing -Headers $authHeaders -Uri $uri1 -Method Post -Body $body
    if ($null -eq $resp1 -or $null -eq $resp1.Content) {
        throw "error response from $uri1"
    }
    $val1 = ConvertFrom-Json $resp1.Content
    return $val1.id
}

function New-AzureADMSARSampleAccessReview {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory=$true)]
        [string]$DisplayName, # of the review to create

        [Parameter()]
        [string]$Description = "", # of the review to create

        [Parameter()]
        [int]$DurationInDays = 30,

        [Parameter(Mandatory=$true)]
        [ValidateScript({ $v = $_; try { [System.Guid]::Parse($v) | Out-Null; $true } catch { throw "$v is not a valid GUID" } })]
        [string]$ReviewedEntityId,

        [Parameter()]
        [ValidateScript({ $v = $_; try { [System.Guid]::Parse($v) | Out-Null; $true } catch { throw "$v is not a valid GUID" } })]
        [string]$BusinessFlowTemplateId = "6e4f3d20-c5c3-407f-9695-8460952bcc68", # business flow template 6e4f3d20-c5c3-407f-9695-8460952bcc68 for Access reviews of memberships of a group

        [Parameter()]
        [string]$ReviewerType = "entityOwners",

        [Parameter(Mandatory=$true)]
        [ValidateScript({ $v = $_; try { [System.Guid]::Parse($v) | Out-Null; $true } catch { throw "$v is not a valid GUID" } })]
        [string]$OwnerUserId # a user who has an email address
    )

    $authHeaders = Get-InternalAuthNHeaders
    $reviewId = New-GraphExampleAccessReview $authHeaders $DisplayName $ReviewedEntityId $ReviewerType $BusinessFlowTemplateId $Description $DurationInDays $OwnerUserId
    return $reviewId
}

function Get-GraphExampleAccessReviews($authHeaders, $businessFlowTemplateId) {
    $uri1 = 'https://graph.microsoft.com/beta/accessReviews?$filter=businessFlowTemplateId%20eq%20' + "'" + $businessFlowTemplateId + "'"
    $results = @()
    do {
        $resp1 = Invoke-WebRequest -UseBasicParsing -Headers $authHeaders -Uri $uri1 -Method Get
        if ($null -eq $resp1 -or $null -eq $resp1.Content) {
            throw "error response from $uri1"
        }
        $val1 = ConvertFrom-Json $resp1.Content
        foreach ($i in $val1.value) {
            $results += $i
        }
        $uri1 = $val1.'@odata.nextLink' # OData list may have more pages
    } while ($null -ne $uri1)
    return $results
}

function Get-GraphExampleAccessReview($authHeaders, $reviewId) {
    $uri1 = "https://graph.microsoft.com/beta/accessReviews/" + $reviewId
    $resp1 = Invoke-WebRequest -UseBasicParsing -Headers $authHeaders -Uri $uri1 -Method Get
    if ($null -eq $resp1 -or $null -eq $resp1.Content) {
        throw "error response from $uri1"
    }
    $val1 = ConvertFrom-Json $resp1.Content
    return $val1
}

function Get-AzureADMSARSampleAccessReview {
    [CmdletBinding()]
    param(
        [Parameter()]
        [ValidateScript({ $v = $_; try { [System.Guid]::Parse($v) | Out-Null; $true } catch { throw "$v is not a valid GUID" } })]
        [string]$ReviewId,

        [Parameter()]
        [ValidateScript({ $v = $_; try { [System.Guid]::Parse($v) | Out-Null; $true } catch { throw "$v is not a valid GUID" } })]
        [string]$BusinessFlowTemplateId = "6e4f3d20-c5c3-407f-9695-8460952bcc68"
    )
    # business flow template 842169fe-e1b7-4ce9-98b6-6a9db02eec6b for Access reviews of guest user memberships of a group
    # business flow template 7fbc909b-efe1-4c72-8ae6-99cb30b882de for Access reviews of guest user assignments to an application
    # business flow template 50839a84-e23c-44a7-a8cc-16e162afc656 for Access reviews of assignments to an application
    # business flow template 6e4f3d20-c5c3-407f-9695-8460952bcc68 for Access reviews of memberships of a group

    $authHeaders = Get-InternalAuthNHeaders
    if (-not [string]::IsNullOrEmpty($ReviewId)) {
        return Get-GraphExampleAccessReview $authHeaders $ReviewId
    }
    return Get-GraphExampleAccessReviews $authHeaders $BusinessFlowTemplateId
}

###
Export-ModuleMember -Function Connect-AzureADMSARSample
Export-ModuleMember -Function Get-AzureADMSARSampleAccessReview
Export-ModuleMember -Function New-AzureADMSARSampleAccessReview

GSA - Web content filtering - Custom blocked page
Hello everyone,

I have a quick question. I just tested the 'Web Content Filtering' feature of Global Secure Access. However, in Microsoft's documentation, two processes are mentioned for displaying blocked sites (related to HTTP and HTTPS). I wanted to know if it is possible to create a custom page (for example, adding the company logo, indicating the reason for blocking such as the associated web category, etc.). I tried to search, but no documentation related to this is available (or at least I couldn't find it).

Thanks in advance for the help!

(Password reset) An example of how you can use Administrative Units in Azure Active Directory!
Hi Azure / Microsoft365 friends,

This scenario is about assigning an elevated right (an administrative role) for a specific area. More precisely, to an administrative unit (you need Azure Active Directory Premium P1 for Administrative Units!). I will explain exactly what I mean by this in a moment.

I am in the Azure Active Directory. I navigate to the users. I select "Jane Ford". I click on Assigned Roles on the left. At "Select role" I choose the "Password Administrator". In your case, the view may be somewhat different. For me, Privileged Identity Management is enabled. I select Eligible for Assignment Type and select Assign. Now we see why I don't want to work with this permission assignment: the area is too "open".

Now the Administrative Units come into play. I go back to Azure Active Directory and click on Administrative Units. Click on "Add". We assign a name and click Next. Click on "Password Administrator". I search for "Jane Ford" and click "Add". Now click on "Review + create". The Administrative Unit is created.

Click on the Administrative Unit. Click on Users and "Add member". Select the users for whom Jane Ford is allowed to reset the password. The users are now listed.

We go back to the Azure Active Directory and click on "Users". I select "Jane Ford" again. Click on "Assigned Roles". You see, now Jane Ford has the role "Password Administrator", but no longer on the entire directory, only on the Administrative Unit. Mission accomplished!

But now, how exactly can Jane Ford reset the passwords for the selected users? For this we (i.e. Jane Ford) use the following URL: mystaff.microsoft.com (Jane Ford needs to sign in). Subsequently, Jane Ford sees the Administrative Unit. Now click on the Administrative Unit. The users are displayed. Now click on Jon Prime and the password can be reset!

I am absolutely aware that this was not the absolute ultimate! But I really wanted to share my experience with you.

Thank you for taking the time to read the article and I hope this article was useful.

Best regards, Tom Wechsler
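The same delegation as an added example in Microsoft Graph PowerShell; this is not part of Tom Wechsler's post, which works in the portal. It assumes the Microsoft.Graph module is installed, that the signed-in account may create administrative units and directory role assignments, and that the UPNs and the AU name are placeholders you replace with your own. It creates an active assignment; the post uses a PIM eligible assignment, which in Graph is a role eligibility schedule request and is not shown here. The final step is the check the post does by eye in "Assigned Roles": it lists Jane's assignments and warns if any of them still has the tenant-wide scope "/".

```powershell
# Added example, not from the original post. Scope "Password Administrator" to one
# administrative unit with Microsoft Graph PowerShell (Microsoft.Graph module assumed installed).
# Placeholders: the UPNs and the AU display name below are invented; replace them with yours.

Connect-MgGraph -Scopes 'AdministrativeUnit.ReadWrite.All', 'RoleManagement.ReadWrite.Directory', 'User.Read.All'

$adminUpn   = 'jane.ford@contoso.onmicrosoft.com'     # placeholder: the delegated helpdesk admin
$memberUpns = @('jon.prime@contoso.onmicrosoft.com')  # placeholders: users whose passwords she may reset

$admin = Get-MgUser -UserId $adminUpn -Property Id, DisplayName

# 1. Create the administrative unit. This is the boundary of the delegation.
$au = New-MgDirectoryAdministrativeUnit -DisplayName 'Helpdesk - Sales' `
        -Description 'Users whose passwords the sales helpdesk may reset'

# 2. Add the target users. Only members of the AU are in scope for the role below.
foreach ($upn in $memberUpns) {
    $u = Get-MgUser -UserId $upn -Property Id
    New-MgDirectoryAdministrativeUnitMemberByRef -AdministrativeUnitId $au.Id `
        -BodyParameter @{ '@odata.id' = "https://graph.microsoft.com/v1.0/users/$($u.Id)" }
}

# 3. Resolve the built-in role by name instead of hard-coding its template GUID.
$roleDef = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Password Administrator'"

# 4. Assign the role with the AU as the directory scope. A directoryScopeId of "/" would be
#    the tenant-wide assignment the post starts out with and then replaces.
New-MgRoleManagementDirectoryRoleAssignment `
    -RoleDefinitionId $roleDef.Id `
    -PrincipalId      $admin.Id `
    -DirectoryScopeId "/administrativeUnits/$($au.Id)" | Out-Null

# 5. Verify: every assignment Jane holds, and a warning if any is still tenant-wide.
$assignments = Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($admin.Id)'"
$assignments | Select-Object RoleDefinitionId, DirectoryScopeId | Format-Table -AutoSize

$tenantWide = @($assignments | Where-Object DirectoryScopeId -eq '/')
if ($tenantWide.Count -gt 0) {
    Write-Warning "$($admin.DisplayName) still holds $($tenantWide.Count) tenant-wide role assignment(s); remove them so the AU scope is the only one."
}
```

Run it once as an administrator with the listed scopes; afterwards Jane sees only the AU's members at mystaff.microsoft.com, as in the post. The directoryScopeId is what makes the difference between "Password Administrator for everyone" and "Password Administrator for this AU", so that is the field to audit when reviewing delegated roles.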