User Profile
Qonnect
Copper Contributor
Joined 7 years ago
Recent Discussions
users/{id}/authentication/methods generates many 429 errors.

Hi,

In a large inventory script, one of the lists it generates contains all registered MFA methods for all users ("users/$UserId/authentication/methods"). My environment has 10k users; querying the resource sequentially takes over an hour, so I made it multithreaded. I use 16 of the 20 cores in my system, which brings it down to ~30 mins. Another function in the same inventory script uses multithreading too: it lists all group members of ~7500 groups using "groups/$GroupId/members", and that only takes 2 min and 15 seconds. I played around with the number of cores and barely get any 429s, but it still takes close to an hour. I tried ConsistencyLevel "Eventual" in the header, but it had no effect. Is this difference caused by an issue in the MS Graph backend, or is there something I can fix on my end to improve performance?

Cheers, Sander

(61 views, 0 likes, 0 comments)

Adding PIM enabled security group to an Access Package

Hi,

Recently a new feature has gone into preview: it's now possible to add a PIM-enabled security group to an access package, explained here: https://learn.microsoft.com/en-us/entra/id-governance/entitlement-management-access-package-eligible

I followed the instructions exactly on 2 different tenants; one tenant has the Entra ID Governance licence, the other has the Entra Suite licence. The result on both tenants was the same. When adding a PIM-enabled group to an access package, I am presented with only 2 roles (member or owner) and not with the expected 4 roles (member, owner, eligible member, eligible owner). The group I add was created for test purposes a couple of weeks ago and really is PIM-enabled (discovered ). Is this a preview that has to be activated on a tenant? (It's not in the "Entra -> Identity -> settings -> Preview features" list.) Am I missing something?

Cheers!

(63 views, 0 likes, 0 comments)

Re: servicePrincipals?$expand=appRoleAssignedTo incomplete result

I was finally able to dig a bit deeper. I added a routine to query the data directly and store the result in a table in memory, then count the entries for each app with $expand and with direct data. I found that around 10% of the $expand data is missing app role assignments, and I see that the $expand method sometimes misses the only app role assignment configured on an app. I don't think the cause is the documented app role limit. I changed my script not to use the $expand query parameter for appRoleAssignedTo data, so the data is now 100% correct, but the script is a bit slower. Thanks again VasilMichev!

(338 views, 0 likes, 0 comments)

Re: servicePrincipals?$expand=appRoleAssignedTo incomplete result

Thanks for your answer! Sorry for the double post on the other forum; I couldn't remove it there. I think this is the place for an issue like this. Back to the issue: I added a counter of assigned roles for each app to the inventory script, to see if the max I got was 20. Weirdly enough it wasn't: of 250 apps with roles assigned, 10% of them had more than 20 assignedTo entries (up to 160). The app where I first noticed some assignments were missing showed 10, but had 13 assignedTo entries in reality. The limit in the documentation isn't as hard as it is stated, it seems, and with the app with only 13 assignments still missing some, it might be a different issue. I'll dig a bit deeper to see if I can find the difference for all role assignments between $expand and direct query data. Performance is quite important to me; if I can find the lowest number of assignments that is correct, I'll trust that number, and everything above I query directly. I'll share my findings here. Or did I overlook something?

(380 views, 0 likes, 1 comment)

servicePrincipals?$expand=appRoleAssignedTo incomplete result

For an inventory script, I use servicePrincipals?$expand=appRoleAssignedTo to get all service principals including "appRoleAssignedTo" info. To make an inventory of the app role assignments, I loop through all apps (~2250); for each app I loop through the appRoles, and for each appRole I loop through the appRoleAssignedTo data. In my environment this results in ~3000 app role assignments. When I analyze the result, I estimate 5% of role assignments are missing. I do see all roles, just not all role assignments. When I look up a missing assignment in the Entra portal, I do see it. The missing role assignments aren't special; they are assigned to normal Entra ID groups like the other assigned app roles. When I rerun the script, the same assignments are missing each time. When I don't use the $expand query parameter, but query the data directly using 'servicePrincipals/{id}/appRoleAssignedTo', I do get all assignments. Did I run into a bug?

(484 views, 0 likes, 3 comments)

Re: unresolvable roledefinitionId in roleEligibilitySchedules

VasilMichev Thanks for your reply, I think I didn't explain it very well. Allow me a retry:

I wrote a script that makes an inventory of which principals are assigned to which Entra ID roles. roleEligibilitySchedules is the cross table for eligible assignments that glues roles to principals (like users and groups). For built-in roles, it works exactly as you suggest. But for custom roles it doesn't; that's my problem. Before I can resolve those IDs I query all roles. I focus on one custom role:

/roleManagement/directory/roleDefinitions/6a0fa8c8-20bb-4a87-ab9b-935f1572d1a0

I retrieve:

"id": "6a0fa8c8-20bb-4a87-ab9b-935f1572d1a0",
…
"displayName": "Bitlocker Read",
"isBuiltIn": false,
…
"templateId": "6a0fa8c8-20bb-4a87-ab9b-935f1572d1a0",
…

When I query roleManagement/directory/roleEligibilitySchedules and get all eligibility assignments, I cannot find 6a0fa8c8-20bb-4a87-ab9b-935f1572d1a0 as templateId, but I know which test user is a member of my custom "Bitlocker Read" role. So I filter on the user's principalId. This is the only roleEligibilitySchedule with my test user's principalId:

id : 0d6c6077-15fc-48e1-a055-4ce91f1a4aa2
principalId : 6f8622c4-4f60-4072-af68-6b59191680c1
roleDefinitionId : 32b1dc3c-00af-4da1-9044-6fcfbd2ba4d4
directoryScopeId : /
appScopeId :
createdUsing : 0d6c6077-15fc-48e1-a055-4ce91f1a4aa2
createdDateTime : 2022-11-18T09:46:58.217Z
modifiedDateTime : 0001-01-01T08:00:00Z
status : Provisioned
memberType : Direct
scheduleInfo : @{startDateTime=2022-11-18T09:46:58.217Z; recurrence=; expiration=}

The roleDefinitionId for this assignment (32b1dc3c-00af-4da1-9044-6fcfbd2ba4d4) does not equal the templateId (6a0fa8c8-20bb-4a87-ab9b-935f1572d1a0). For all built-in roles the roleDefinitionId does equal the templateId, and I can resolve which principal is assigned to which role. But for custom roles I can't. Am I overlooking something? Or did I find a bug 🙂

Cheers, Sem

(307 views, 0 likes, 2 comments)

unresolvable roledefinitionId in roleEligibilitySchedules

I query roleManagement/directory/roleEligibilitySchedules to make an inventory of all Entra ID roles assigned through Privileged Identity Management. Each role assignment has a property roleDefinitionId, which refers to the id of the Entra ID role (a list I got from roleManagement/directory/roleDefinitions; it includes custom roles). My problem is that a roleDefinitionId can only be found for built-in roles, not for custom roles. A custom role has a GUID that cannot be found/resolved anywhere, it seems. Is this a bug? Or am I missing something?

Cheers, Sem

(Solved; 499 views, 0 likes, 4 comments)

Re: Early preview of Microsoft Edge group policies

SeanLyndersay-MS, the feature I miss is being able to add a custom 'User Agent String' to the new Edge. We use this in IE to allow ADFS to distinguish our managed machines from "guest" machines. Our domain-joined machines get the GPO and thus the custom user agent string, which is added to the ADFS filter. This allows Windows integrated authentication for our domain-joined boxes, while other (non-domain-joined) machines get forms authentication.

(40K views, 3 likes, 0 comments)