User Profile
Compulinx
Copper Contributor
Joined 6 years ago
Recent Discussions
Entra External ID (CIAM) - creation of OIDC identity provider
I have a regular Entra tenant (described now as "workforce"?). I now also have an External ID for customers tenant. In the past, using B2C, I was able to create a custom policy that allowed a user to sign into B2C-registered applications using a federated account, where that account existed in an Entra tenant. I am trying to do the same thing with the new Entra External ID for customers solution. I can't find a way to add an Azure tenant as an OIDC provider, however. Is this possible?
Re: View and unblock users that are blocked by MFA using Powershell

https://graph.microsoft.com/v1.0/reports/getMfaDetail does not work for me. This works:

This will provide a historic list of blocked users:

# $headers holds the "Authorization: Bearer ..." header from an earlier token request
$uri = "https://graph.microsoft.com/v1.0/auditLogs/directoryAudits?`$filter=category eq 'UserManagement' and activityDisplayName eq 'Fraud reported - user is blocked for MFA'"
$res = Invoke-RestMethod -Uri $uri -Headers $headers -Method Get
$blockedUsers = $res.value.targetResources.userPrincipalName

This will provide details on who cleared the block:

$uri = "https://graph.microsoft.com/v1.0/auditLogs/directoryAudits?`$filter=category eq 'Policy'"
$res = Invoke-RestMethod -Uri $uri -Headers $headers -Method Get
# keep only the audit entries whose activity name mentions clearing
$res = $res.value | ? activityDisplayName -Match "clear"
$listofclearedusers = $res.targetResources.userPrincipalName

The two lists are subtracted:

$blockedUsers | ? { $_ -NotIn $listofclearedusers }
Re: View and unblock users that are blocked by MFA using Powershell

Yep, pretty good jvinterberg. The API call I use is:

$uri = "https://graph.microsoft.com/v1.0/auditLogs/directoryAudits?`$filter=category eq 'UserManagement' and activityDisplayName eq 'Fraud reported - user is blocked for MFA'"

Works nicely.
Azure Functions - In Powershell

Hello! Can someone please provide some guidance regarding writing Azure Functions with PowerShell? Essentially I would like to Connect-MgGraph and display a user attribute.

Basics:

1. I have a function app built.
2. The profile file looks like:

if ($env:MSI_SECRET) {
    Disable-AzContextAutosave -Scope Process | Out-Null
    Connect-AzAccount -Identity
}

3. The requirements.psd1 file looks like:

@{
    # For latest supported version, go to 'https://www.powershellgallery.com/packages/Az'.
    # To use the Az module in your function app, please uncomment the line below.
    'Az' = '9.*'
    'Microsoft.Graph.Authentication' = '1.*'
    'Microsoft.Graph.Users' = '1.*'
}

So what is the best way to connect to MgGraph?
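As an added example (not the poster's code), here is a run.ps1 for an HTTP-triggered function that builds on the profile.ps1 and requirements.psd1 above: the managed-identity Az context mints a Graph token and hands it to Connect-MgGraph, so no client secret is stored in app settings. It assumes the module versions pinned in the post (Az 9.*, Microsoft.Graph.Authentication 1.*, Microsoft.Graph.Users 1.*), under which Get-AzAccessToken returns the token as a plain string and Connect-MgGraph -AccessToken takes a string, and it assumes the function app's managed identity has already been granted the Graph application permission User.Read.All; the function and parameter names are this example's own.

```powershell
# Added example (not from the original post): run.ps1 for an HTTP-triggered PowerShell
# function. Assumes Az 9.* and Microsoft.Graph.Authentication 1.* as pinned in the post
# (string tokens), and that the managed identity already holds User.Read.All on Graph.
using namespace System.Net

param($Request, $TriggerMetadata)

function Connect-GraphWithManagedIdentity {
    # profile.ps1 has already run Connect-AzAccount -Identity when $env:MSI_SECRET is set,
    # so the Az context can mint a Graph token without any stored secret.
    $token = (Get-AzAccessToken -ResourceTypeName MSGraph).Token
    Connect-MgGraph -AccessToken $token | Out-Null
}

function Get-UserAttribute {
    param(
        [Parameter(Mandatory)][string] $UserPrincipalName,
        [string] $Attribute = 'jobTitle'   # assumed default; any Graph user property works
    )
    # Ask Graph for just the properties we need instead of the default projection.
    $user = Get-MgUser -UserId $UserPrincipalName -Property "userPrincipalName,$Attribute" -ErrorAction Stop
    return [pscustomobject]@{
        userPrincipalName = $user.UserPrincipalName
        $Attribute        = $user.$Attribute
    }
}

# --- HTTP handler -------------------------------------------------------------
$upn = $Request.Query.upn
if (-not $upn) { $upn = $Request.Body.upn }

if (-not $upn) {
    Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
        StatusCode = [HttpStatusCode]::BadRequest
        Body       = 'Pass ?upn=<userPrincipalName>'
    })
    return
}

try {
    Connect-GraphWithManagedIdentity
    $result = Get-UserAttribute -UserPrincipalName $upn
    Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
        StatusCode = [HttpStatusCode]::OK
        Body       = ($result | ConvertTo-Json)
    })
}
catch {
    # Log the exception but do not echo it to the caller; it can contain tenant details.
    Write-Error $_
    Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
        StatusCode = [HttpStatusCode]::InternalServerError
        Body       = 'Lookup failed; see function logs.'
    })
}
```

Two caveats when the pins change: with Microsoft.Graph.Authentication 2.x the -AccessToken parameter expects a SecureString and Connect-MgGraph -Identity can use the managed identity directly, so re-check the connect call when bumping the version. Grant User.Read.All to the identity's service principal as an application permission (for example with New-MgServicePrincipalAppRoleAssignment) rather than giving it a directory role; that keeps the function limited to reading user objects.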
Azure B2C - restricting admins!

Hi, hope someone can help. How would I restrict admin access in an Azure B2C tenant? Azure B2C does not have admin units. If an admin signs in, it would seem that with 'User Admin' rights they can alter accounts across the directory. Can this be restricted?
Re: Assign Users to an app using another app

Thanks for this, but just to clarify (I should have added this to the original question). I have added the Application Administrator role to TestApp3 first. So, as Global Admin:

$sp = Get-AzureADServicePrincipal -SearchString "testapp3"
Add-AzureADDirectoryRoleMember -ObjectId (Get-AzureADDirectoryRole | Where-Object { $_.DisplayName -eq "Application administrator" }).ObjectId -RefObjectId $sp.ObjectId

This allows me to connect as TestApp3 and assign users to TestApp2:

$cert = Get-ChildItem Cert:\LocalMachine\My\B*****
$tenant = "109***"
$applicationID = "afd7a2***"
Connect-AzureAD -TenantId $tenant -CertificateThumbprint $cert.Thumbprint -ApplicationId $applicationID

Once connected you can assign users to App2:

$user = Get-AzureADUser -SearchString "<email address removed for privacy reasons>"
$servicePrincipal = Get-AzureADServicePrincipal -ObjectId "6f***"   # SP of TestApp2
New-AzureADUserAppRoleAssignment -ObjectId $user.ObjectId -PrincipalId $user.ObjectId -ResourceId $servicePrincipal.ObjectId -Id ([Guid]::Empty)

Now this works, but the problem is: TestApp3 can assign that user to ANY SP (not just TestApp2). The role of Application Administrator is way too strong. I need a role that is just used to assign users. Nothing else. Hope this is clearer. Appreciate your input.
How do I use New-MgRoleManagementDirectoryRoleAssignment?

Can someone help define how I use New-MgRoleManagementDirectoryRoleAssignment? The MS doc is, well, let's say a little confusing! Essentially I want to assign the Application Administrator role to a registered application. Is this even the correct cmdlet? Thanks /A
Assign Users to an app using another app

Hello, I hope someone can help with this problem. I have a registered application (let's call it TESTApp3). I make an Azure AD connection using this application:

Connect-AzureAD -TenantId $tenant -CertificateThumbprint $thumb -ApplicationId $applicationID

And I get connected fine. What I need to do is assign users to another application (let's call it TESTApp2) using the connection made by TESTApp3. I also need it scoped to work only on TESTApp2! What commands do I use? Any help would be magnificent!! /A
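The scoping asked for in this post and in the reply above (TestApp3 should only be able to assign users to TestApp2) maps to an application-scoped role assignment: Microsoft Entra roles can be assigned at tenant scope ("/") or at the scope of a single app registration or enterprise application ("/<objectId>"), and New-MgRoleManagementDirectoryRoleAssignment from the question above is the cmdlet that creates such an assignment. The following is an added example, not code from the thread; it uses the Microsoft Graph PowerShell SDK rather than the deprecated AzureAD module, assumes the caller signs in with RoleManagement.ReadWrite.Directory and Application.Read.All, and the helper names are its own. Confirm in a test tenant that the scoped assignment is enough for the app-role assignment call you make; that is an expectation of this example, not something the thread confirms.

```powershell
# Added example (not from the original thread): scope Application Administrator to ONE
# enterprise application instead of the whole tenant. TestApp2/TestApp3 are the names used
# in the thread; scopes and helper names are assumptions of this example.

# Well-known role template ID for "Application Administrator" (identical in every tenant).
$ApplicationAdministratorTemplateId = '9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3'

function Get-ServicePrincipalByDisplayName {
    param([Parameter(Mandatory)][string] $DisplayName)
    # Exact-match filter; prefix searches can silently pick up a similarly named app.
    $sp = @(Get-MgServicePrincipal -Filter "displayName eq '$DisplayName'" -ErrorAction Stop)
    if ($sp.Count -ne 1) { throw "Expected exactly one service principal named '$DisplayName', found $($sp.Count)." }
    return $sp[0]
}

function New-AppScopedRoleAssignment {
    param(
        [Parameter(Mandatory)][string] $PrincipalObjectId,   # who receives the role (TestApp3's SP)
        [Parameter(Mandatory)][string] $TargetObjectId,      # the single app it may manage (TestApp2's SP)
        [string] $RoleDefinitionId = $ApplicationAdministratorTemplateId
    )
    # directoryScopeId "/" would be tenant-wide; "/<objectId>" limits the role to that
    # app registration or enterprise application only.
    $body = @{
        principalId      = $PrincipalObjectId
        roleDefinitionId = $RoleDefinitionId
        directoryScopeId = "/$TargetObjectId"
    }
    New-MgRoleManagementDirectoryRoleAssignment -BodyParameter $body -ErrorAction Stop
}

function Test-RoleAssignmentScope {
    param([Parameter(Mandatory)][string] $PrincipalObjectId)
    # Audit check: list every directory role the principal holds and flag tenant-wide ones.
    Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$PrincipalObjectId'" |
        ForEach-Object {
            [pscustomobject]@{
                roleDefinitionId = $_.RoleDefinitionId
                directoryScopeId = $_.DirectoryScopeId
                tenantWide       = ($_.DirectoryScopeId -eq '/')
            }
        }
}

# --- usage --------------------------------------------------------------------
Connect-MgGraph -Scopes 'RoleManagement.ReadWrite.Directory', 'Application.Read.All' | Out-Null
$caller = Get-ServicePrincipalByDisplayName -DisplayName 'TestApp3'
$target = Get-ServicePrincipalByDisplayName -DisplayName 'TestApp2'

New-AppScopedRoleAssignment -PrincipalObjectId $caller.Id -TargetObjectId $target.Id

# Remove the tenant-wide assignment created earlier with Add-AzureADDirectoryRoleMember,
# then show what is left; nothing should report tenantWide = True.
Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($caller.Id)'" |
    Where-Object { $_.RoleDefinitionId -eq $ApplicationAdministratorTemplateId -and $_.DirectoryScopeId -eq '/' } |
    ForEach-Object { Remove-MgRoleManagementDirectoryRoleAssignment -UnifiedRoleAssignmentId $_.Id }
Test-RoleAssignmentScope -PrincipalObjectId $caller.Id | Format-Table
```

Even at app scope, Application Administrator can still rotate TestApp2's credentials and change its single sign-on settings, so the certificate TestApp3 authenticates with deserves the same protection as before; the scope removes the ability to touch every other application, which is the problem the reply above describes.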
Re: View and unblock users that are blocked by MFA using Powershell

Actually, partially yes. This is the REST call to find the blocked users:

$filters = "activityDisplayName eq 'Fraud reported - user is blocked for MFA'"
# Graph takes the OData `$filter parameter (escaped so PowerShell does not expand it) and no api-version parameter
$uri = "https://graph.microsoft.com/beta/auditLogs/directoryAudits?`$filter=$filters"
Filter Azure AD Signin Logs using Graph API

Hello! I am exploring how to filter the sign-in logs using REST calls. I'll be honest, for me the syntax for this is a little confusing. Any help would be great. I am interested in filtering for sign-in status where the errorCode has a value of zero. So far, and woefully wrong!:

https://graph.microsoft.com/beta/auditLogs/signins?$filter=userDisplayName/any(s:s

Where am I going wrong? Thanks /A
View and unblock users that are blocked by MFA using Powershell

How can I view and unblock users that have become blocked using MFA in PowerShell? The following:

https://aad.portal.azure.com/#blade/Microsoft_AAD_IAM/MultifactorAuthenticationMenuBlade/BlockedUsers

provides a listing of users that have become blocked using MFA. In my case, most of the users listed are a consequence of badly managed MFA registration. But what I really need is to be able to view the listing in PowerShell, and potentially unblock the user in PowerShell. If unblocking is not possible then viewing would be a start. Perhaps a REST call to the Graph API? Anything would help.. //A
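The audit-log and sign-in queries in this thread (the blocked-minus-cleared lists in the replies above and the status/errorCode filter asked about in the sign-in logs question) share two pitfalls: a single Invoke-RestMethod call returns only one page of results, and $filter has to be escaped inside a double-quoted PowerShell string. The following is an added example, not code from the thread: it follows @odata.nextLink, keeps the activity name, 'Policy' category and "clear" match the replies used, compares the latest block against the latest clear per user instead of a plain set difference, and writes the sign-in filter as status/errorCode eq 0 (no any() lambda, because status is a single complex property rather than a collection). $Headers is assumed to carry a bearer token with AuditLog.Read.All (sign-ins additionally need Directory.Read.All and a Microsoft Entra ID P1 or P2 license); the function names are this example's own. Unblocking is not covered here, only listing.

```powershell
# Added example, not code from the thread. $Headers must hold an "Authorization: Bearer ..."
# entry obtained elsewhere; helper names are this example's own.

function Invoke-GraphGet {
    param(
        [Parameter(Mandatory)][string] $Uri,
        [Parameter(Mandatory)][hashtable] $Headers,
        [int] $MaxItems = [int]::MaxValue
    )
    # One Invoke-RestMethod call returns one page; keep following @odata.nextLink until
    # the server stops handing one back or we have enough items.
    $items = [System.Collections.Generic.List[object]]::new()
    $next = $Uri
    while ($next -and $items.Count -lt $MaxItems) {
        $page = Invoke-RestMethod -Uri $next -Headers $Headers -Method Get -ErrorAction Stop
        if ($page.value) { $items.AddRange([object[]]$page.value) }
        $next = $page.'@odata.nextLink'
    }
    return $items
}

function Get-MfaBlockedUsers {
    param([Parameter(Mandatory)][hashtable] $Headers, [int] $Days = 30)
    $since = (Get-Date).ToUniversalTime().AddDays(-$Days).ToString('yyyy-MM-ddTHH:mm:ssZ')
    $base  = 'https://graph.microsoft.com/v1.0/auditLogs/directoryAudits'

    # The back-tick escapes $filter so PowerShell does not expand it as a variable.
    $blockedUri = "${base}?`$filter=category eq 'UserManagement' and activityDisplayName eq 'Fraud reported - user is blocked for MFA' and activityDateTime ge $since"
    $clearedUri = "${base}?`$filter=category eq 'Policy' and activityDateTime ge $since"

    $blocked = @(Invoke-GraphGet -Uri $blockedUri -Headers $Headers)
    $cleared = @(Invoke-GraphGet -Uri $clearedUri -Headers $Headers |
        Where-Object { $_.activityDisplayName -match 'clear' })

    # Compare the latest block with the latest clear per user rather than a set difference:
    # a user who was blocked, cleared and then blocked again must still be reported.
    $blocked | Group-Object { $_.targetResources[0].userPrincipalName } | ForEach-Object {
        $upn = $_.Name
        $lastBlock = [datetime]($_.Group.activityDateTime | Sort-Object -Descending | Select-Object -First 1)
        $lastClear = $cleared |
            Where-Object { $_.targetResources.userPrincipalName -contains $upn } |
            ForEach-Object { [datetime]$_.activityDateTime } |
            Sort-Object -Descending | Select-Object -First 1
        if (-not $lastClear -or $lastClear -lt $lastBlock) {
            [pscustomobject]@{ userPrincipalName = $upn; blockedAt = $lastBlock; lastClearedAt = $lastClear }
        }
    }
}

function Get-SuccessfulSignIns {
    param([Parameter(Mandatory)][hashtable] $Headers, [string] $UserPrincipalName, [int] $Top = 50)
    # status is a single complex property, so its member is addressed with a slash;
    # any() applies only to collections. errorCode 0 means the sign-in succeeded.
    $filter = 'status/errorCode eq 0'
    if ($UserPrincipalName) {
        $safeUpn = $UserPrincipalName -replace "'", "''"   # OData escapes a quote by doubling it
        $filter += " and userPrincipalName eq '$safeUpn'"
    }
    # $top sets the page size; -MaxItems stops paging so a broad filter cannot pull the whole log.
    $uri = "https://graph.microsoft.com/v1.0/auditLogs/signIns?`$filter=$filter&`$top=$Top"
    Invoke-GraphGet -Uri $uri -Headers $Headers -MaxItems $Top |
        Select-Object createdDateTime, userPrincipalName, appDisplayName, ipAddress,
            @{ n = 'errorCode'; e = { $_.status.errorCode } }
}

# --- usage ----------------------------------------------------------------------
# $Headers = @{ Authorization = "Bearer $token" }   # token acquired elsewhere
# Get-MfaBlockedUsers -Headers $Headers -Days 90 | Format-Table
# Get-SuccessfulSignIns -Headers $Headers -UserPrincipalName 'alice@contoso.example' | Format-Table
```

The activityDateTime lower bound is there because directory audit retention is limited and an unbounded query pages through everything the tenant still holds; widen -Days rather than dropping the bound. The 'Policy' category and the "clear" match are carried over from the replies above; check the exact activityDisplayName of an unblock event in your own audit log before relying on that match.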