User Profile
EntilZha
Iron Contributor
Joined 8 years ago
Recent Discussions
Removing Unwanted Videos from Containers
At present, there are over 5k containers with videos that I need to transfer from Classic Stream to SharePoint Online; however, I have hundreds of containers containing over 1k videos. How can I remove unwanted videos from these containers? Also, is it possible to build custom containers with selected videos? Thank You,

SharePoint Migration - Unable to Locate SharePoint URL
At present, there are over 500,000 videos that I need to transfer from Classic SharePoint to SharePoint Online. As a test migration, I am attempting to relocate several orphaned videos to the SP site at https://xxxxxxxx.sharepoint.com/sites/StreamVideos. However, when I initiate the Migration Tools and choose the Migration option, the videos display an orange triangle with an exclamation mark. Upon accessing the video settings to edit the destination and selecting SharePoint, the "Select a SharePoint site" option fails to find my SP site, despite my being an administrator of the site. The site was created on Feb 2, 2024; I'm an admin of the site and able to access it. Any ideas on how I can resolve this issue? Thank You, -Larry

User receives a new OneDrive site address when Rehired
When a user leaves the organization and then gets rehired, during the provisioning process to Office 365 the user receives a new URL for their OneDrive that contains an org1: https://xxxxxxxxxx.org-my.sharepoint.com/personal/XXXXXX_XXXXX_org1/_layouts/15/onedrive.aspx?view=1 The old OneDrive address https://xxxxxxxxxxxxorg-my.sharepoint.com/personal/XXXXXX_XXXXX_org/_layouts/15/onedrive.aspx?view=1 is still valid; however, the user's previous manager is the owner.

Process when a user leaves the organization:
- After 10 days the email is stripped from the account (Hybrid).
- UPN changed to prevent Azure AD Connect from syncing the account to Azure AD.
- Azure AD Connect is scoped for specified domains to sync to Azure AD.

When a person is rehired:
- Their previous account is synced to Azure AD.
- Receives a basic license.
- Add remote mailbox to the user account and sync.
- On the next sync the user receives the correct licenses with all the services.

Currently this is randomly happening to rehired accounts. Any ideas why a rehired user will get a new OneDrive address (1 added) when they're rehired? Thank You -Larry

Advanced Hunting - Search for Message Header Items
In the applications I develop I add a custom header (X-test-Header) to all messages being sent that contains information. Question: Can I leverage Advanced Hunting to search for email containing my custom headers? If so, what will the query look like to achieve that result? Thank You, -Larry

Block Url Link in Message Body Before Message Delivery
Hello Everyone, I'm looking for a way to prevent a user from performing any action on a blocked URL within an email before the email is delivered to the user's mailbox. The block could be disabling the hyperlink, or clicking the link could lead to a Defender block page that doesn't display the URL. Currently we're using the Tenant block list to block URLs, but this causes the email to be sent to the Quarantine folder, and we want the link to be blocked and the email still delivered to the user. We have an A5 license and I know this gives us a lot of options; hopefully this is one scenario the A5 license will allow us to implement. Thank You, -Larry

Re: Unable to login into Win 10 Azure AD joined device after a PW Change
Here's the article that resolved my issue.

Set-ADSyncAADCompanyFeature -ForcePasswordChangeOnLogOn $true <------ This fixes the issue when the "change password at next login" box is checked in AD

https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-password-hash-synchronization

Don't have Access to Users within Endpoint Manager Admin Center
Trying to resolve an issue for a user who is having issues accessing Users within Microsoft Endpoint Manager Admin Center. When the user clicks Users from the menu, they are presented with the message "you do not have access".
- The user is a member of the built-in role "Read Only Operator".
- The user is able to access other menu options within EPM.
Any suggestion toward a resolution would be appreciated. Thank You, -Larry

Re: Add additional Header Information to Batch Payload
rbrbr Below is an extract of what I have batching my requests and the header function I use to execute the batch request. I use two self-signed certificates, one for the read-only header and the other certificate for read/write, instead of using a client secret. As to the cert location, I install the cert under the Current User store for both my account and the service account, so that Task Scheduler works with the service account. Also, within the script I check the date of the cert on each run, and the script will send an email when the cert is within 20, 10, 5, and 1 days of expiration. On expiration the script will not run until the cert is updated. Neither of these headers has "ConsistencyLevel" added to the header. The only issue I have right now is that when I have a group with over 1000 members it only reports 999. When I have time I'll look into finding the solution. Hope this information helps. -Larry

```powershell
##################HEADER FUNCTION########################
Function HeaderToken-RW {
    $TenantName = "XXXXXXXXXXXXXXXXXXXXXXXX"
    $AppId      = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
    #$Certificate = Get-Item 'Cert:\CurrentUser\My\XXXXXXXXX THUMBPRINT xxxxxxxxxxxxxxxxxxxxxxx'
    $Certificate = Get-Item "Cert:\CurrentUser\My\$Global:ThumbPrint"
    $Scope = "https://graph.microsoft.com/.default"

    # Every JWT segment must be base64url (RFC 7515): '+' -> '-', '/' -> '_', padding stripped
    $ToBase64Url = { param([byte[]]$Bytes)
        [System.Convert]::ToBase64String($Bytes) -replace '\+','-' -replace '/','_' -replace '='
    }

    # x5t: base64url SHA-1 thumbprint of the signing certificate
    $CertificateBase64Hash = & $ToBase64Url $Certificate.GetCertHash()

    # JWT timestamps are seconds since the Unix epoch (UTC)
    $StartDate = (Get-Date "1970-01-01T00:00:00Z").ToUniversalTime()
    $JWTExpirationTimeSpan = (New-TimeSpan -Start $StartDate -End (Get-Date).ToUniversalTime().AddMinutes(2)).TotalSeconds
    $JWTExpiration = [math]::Round($JWTExpirationTimeSpan,0)
    $NotBeforeExpirationTimeSpan = (New-TimeSpan -Start $StartDate -End ((Get-Date).ToUniversalTime())).TotalSeconds
    $NotBefore = [math]::Round($NotBeforeExpirationTimeSpan,0)

    # Create JWT header
    $JWTHeader = @{
        alg = "RS256"
        typ = "JWT"
        x5t = $CertificateBase64Hash
    }

    # Create JWT payload
    $JWTPayLoad = @{
        aud = "https://login.microsoftonline.com/$TenantName/oauth2/token"   # endpoint allowed to consume this assertion
        exp = $JWTExpiration                                                 # expiration timestamp
        iss = $AppId                                                         # issuer = your application
        jti = [guid]::NewGuid()                                              # JWT ID: random guid
        nbf = $NotBefore                                                     # not to be used before
        sub = $AppId                                                         # JWT subject
    }

    # base64url-encode header and payload and join them with "." (unsigned JWT so far)
    $EncodedHeader  = & $ToBase64Url ([System.Text.Encoding]::UTF8.GetBytes(($JWTHeader  | ConvertTo-Json -Compress)))
    $EncodedPayload = & $ToBase64Url ([System.Text.Encoding]::UTF8.GetBytes(($JWTPayLoad | ConvertTo-Json -Compress)))
    $JWT = $EncodedHeader + "." + $EncodedPayload

    # Sign with the certificate's private key: RSASSA-PKCS1-v1_5 over SHA-256, i.e. RS256
    $PrivateKey    = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Certificate)
    $RSAPadding    = [Security.Cryptography.RSASignaturePadding]::Pkcs1
    $HashAlgorithm = [Security.Cryptography.HashAlgorithmName]::SHA256
    $Signature = & $ToBase64Url ($PrivateKey.SignData([System.Text.Encoding]::UTF8.GetBytes($JWT), $HashAlgorithm, $RSAPadding))
    $JWT = $JWT + "." + $Signature

    # client_credentials request; the signed assertion travels in the body, so no Authorization header is needed
    $Body = @{
        client_id             = $AppId
        client_assertion      = $JWT
        client_assertion_type = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
        scope                 = $Scope
        grant_type            = "client_credentials"
    }
    $Url = "https://login.microsoftonline.com/$TenantName/oauth2/v2.0/token"

    # Splat the parameters for Invoke-RestMethod for cleaner code
    $PostSplat = @{
        ContentType = 'application/x-www-form-urlencoded'
        Method      = 'POST'
        Body        = $Body
        Uri         = $Url
    }
    $Request = Invoke-RestMethod @PostSplat
    # $Request.access_token is the bearer token for Graph
    $RWHeader = @{ Authorization = "$($Request.token_type) $($Request.access_token)" }
    Return $RWHeader
}

############### SCRIPT EXTRACTION ####################
IF($GrpInfoCreateDate -gt '2021-07-31') {
    # Three GETs bundled into one $batch call: members, owners, team settings
    $myRequest1 = @{ id = $requestID; method = "GET"; url = "/groups/$GrpInfoID/members?`$count=true" }
    $myBatchRequests += $myRequest1

    $requestID++
    $myRequest2 = @{ id = $requestID; method = "GET"; url = "/groups/$GrpInfoID/owners?`$count=true" }
    $myBatchRequests += $myRequest2

    $requestID++
    $myRequest3 = @{ id = $requestID; method = "GET"; url = "/teams/$GrpInfoID" }
    $myBatchRequests += $myRequest3

    $allBatchRequests = @{ requests = $myBatchRequests }
    $batchBody = $allBatchRequests | ConvertTo-Json
    $batchURL  = "https://graph.microsoft.com/v1.0/`$batch"

    $Header = HeaderToken-RW
    $getBatchRequests = Invoke-RestMethod -Method POST -Headers $Header -Uri $batchURL -Body $batchBody -ContentType "application/json"

    foreach ($jobRMResult in $getBatchRequests.responses) {
        $BatchJobID = $jobRMResult.id
        Write-Host "###### Batch ID: $BatchJobID ############" -ForegroundColor Magenta

        If($BatchJobID -eq 1) {
            # Members of group. Graph pages this collection (at most 999 per page) and puts an
            # @odata.nextLink in the body when more remain; only the first page is counted here.
            $MemberCount = 0
            $MemJobID = $jobRMResult.id
            Foreach($Member in $jobRMResult.body.value) {
                $MemberGUID = $Member.id
                $MemberMail = $Member.mail
                $MemberDisplayName = $Member.displayName
                $MemberCount++
                if($MemberDisplayName -eq 'Microsoft.Azure.SyncFabric'){ $MemberCount-- }
            }
            Write-Host "JobID: $MemJobID ### Member Name: $MemberDisplayName ### Grp ID: $GrpInfoID ## Member Count: $MemberCount" -ForegroundColor Cyan
        }

        If($BatchJobID -eq 2) {
            # Owner/s of group
            $OwnerCount = 0
            $OwnerJobID = $jobRMResult.id
            Foreach($Owner in $jobRMResult.body.value) {
                $OwnerGUID = $Owner.id
                $OwnerMail = $Owner.mail
                $OwnerDisplayName = $Owner.displayName
                $OwnerCount++
                if($OwnerDisplayName -eq 'Microsoft.Azure.SyncFabric'){ $OwnerCount-- }
            }
            Write-Host "JobID: $OwnerJobID ### Owner Name: $OwnerDisplayName ### Grp ID: $GrpInfoID ## Owner Count: $OwnerCount" -ForegroundColor Gray
        }

        If($BatchJobID -eq 3) {
            # Teams data
            $TeamsJobID = $jobRMResult.id
            $TeamStatus = $jobRMResult.body
            $TeamActivated   = $TeamStatus.isMembershipLimitedToOwners
            $TeamArchived    = $TeamStatus.isArchived
            $TeamDisplayName = $TeamStatus.displayName
            If($TeamActivated -eq $True){$isActive = "Not Activated"}elseif($TeamActivated -eq $False){$isActive = "Activated"}
            If($TeamArchived -eq $True){$isArchived = "Archived"}elseif($TeamArchived -eq $False){$isArchived = "Not Archived"}
            Write-Host "JobID: $TeamsJobID ### Team Name: $TeamDisplayName ### Grp ID: $GrpInfoID " -ForegroundColor Yellow
        }
    }
}
```

Azure AD group-based license management
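An added example for the "Re: Add additional Header Information to Batch Payload" reply above; it is not code from that reply. Graph returns a group's members in pages (at most 999 per page) and signals more pages with an @odata.nextLink in the response body, which is also true for a GET carried inside a $batch call. The function below walks that chain and then counts members, excluding the Microsoft.Azure.SyncFabric entry the reply skips. The $Fetch scriptblock defaults to a real Graph GET using the reply's HeaderToken-RW function (assumed to be loaded); the demo at the bottom injects a constructed two-page response so the paging logic runs offline.

```powershell
# Added example, not part of the original reply.
# Follows @odata.nextLink until every page of a Graph collection has been read.
function Get-GraphCollectionComplete {
    param(
        [Parameter(Mandatory)] $FirstPage,   # 'body' of a $batch response item, or a direct GET result
        # Assumption: HeaderToken-RW from the reply above is available in the session
        [scriptblock] $Fetch = { param($Uri) Invoke-RestMethod -Method GET -Uri $Uri -Headers (HeaderToken-RW) }
    )
    $items = @()
    $page  = $FirstPage
    while ($true) {
        $items += $page.value
        $next = $page.'@odata.nextLink'
        if (-not $next) { break }             # last page reached
        $page = & $Fetch $next                # nextLink is a complete URL; issue it as-is
    }
    return $items
}

# Counts members the way the reply does, but with -eq (a string is not a collection)
function Get-RealMemberCount {
    param([object[]] $Members)
    return @($Members | Where-Object { $_.displayName -ne 'Microsoft.Azure.SyncFabric' }).Count
}

# ---- constructed demo data: page 1 with 999 entries, page 2 with the remainder ----
$page1 = [pscustomobject]@{
    '@odata.nextLink' = 'https://graph.microsoft.com/v1.0/groups/<id>/members?$skiptoken=demo'   # placeholder
    value = @(1..999 | ForEach-Object { [pscustomobject]@{ id = "$_"; displayName = "User $_" } })
}
$page2 = [pscustomobject]@{
    value = @(
        [pscustomobject]@{ id = '1000'; displayName = 'User 1000' },
        [pscustomobject]@{ id = '1001'; displayName = 'Microsoft.Azure.SyncFabric' }
    )
}
$fakeFetch = { param($Uri) $page2 }   # stands in for Invoke-RestMethod in the offline demo

$all = Get-GraphCollectionComplete -FirstPage $page1 -Fetch $fakeFetch
"Raw entries: $($all.Count)  Real members: $(Get-RealMemberCount $all)"
```

In the reply's batch loop the call would be `Get-GraphCollectionComplete -FirstPage $jobRMResult.body` (with the default $Fetch), after which the member count comes from the complete list rather than from the first page only.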
We have a limited number of A3 licenses and unlimited A1 licenses. We want to use Group Based Licensing to assign licenses based on an expression located in a Security Group's "Dynamic Membership Expression".
- Users are added to my on-premises Active Directory using MIM.
- I have an automated PowerShell script that runs Enable-RemoteMailbox on the new user.
- Using the latest version of Azure AD Connect.

Questions:
1. Is there an advanced rule I can create that will evaluate the new user, determine whether I ran out of A3 licenses, and assign the new user an A1 license?
2. If question 1 is possible, can a rule re-evaluate the user and assign an A3 when a new A3 license becomes available?

Thank You, -Larry

Azure AD Group Base Licensing
Wanting to move to group-based licensing; however, Azure AD is having issues reading the membership from a MIM-managed mail-enabled security group. I have a MIM group with a mail nickname "GROUP_NAME" and the Dynamic Membership Rule ((user.accountEnabled -eq True) -and user.mailNickName -eq "GROUP_NAME"). It's been over a week and still no members. This MIM mail-enabled security group has four levels of nested groups; this group syncs to Azure using a version one behind the latest version of Azure AD Connect. Question: Does an Azure AD Dynamic Group using a Dynamic Membership Rule have an issue reading nested groups? Thank You, -Larry

Getting No Access when trying to access Dynamic membership rules on a Group Base License
Currently I'm testing Group Based Licensing (GBL) in my testing environment, and when I went to edit a GBL I have been using, I got "No Access" when selecting Dynamic membership rules. Based on the following Microsoft Doc, the minimum license requirement to use Group Based Licensing (GBL) is a "Paid or trial subscription for Azure AD Basic". Currently I have a paid subscription "Office 365 A1 for faculty" which includes "Azure Active Directory Basic for EDU". The rule still works: when adding users to AD, the user is assigned the correct license.

Environment: This issue is occurring in my testing environment. Once testing is completed, I'll be moving GBL to production. I had an EMS E5 license which expired Dec. 11, 2018.

Any help in this matter would be greatly appreciated. Thank You, -Larry

Using onPremisesDistinguishedName Attribute in Group Base License (GBL)
I'm trying to use the Azure AD user extension property onPremisesDistinguishedName as part of an expression in a GBL dynamic user query. I've used custom extensions like user.extension._xxxxxxxxxxxxxxx_CustomAttribute successfully within my query for GBL; however, I'm having an issue trying to add onPremisesDistinguishedName to my GBL query. Any help with adding onPremisesDistinguishedName to a Dynamic membership rule in GBL would be appreciated. Thank You, -Larry