Export Last user sign-in with MGGraph PowerShell

MGGraph is a must to have in the toolbox when working with Azure AD. This can for example be used to see activity of guest accounts. Install and connect MGGraph First you need to install the PowerShell commands needed to run commands. The prerequisites are better described by Microsoft here . Start PowerShell and run: […]

SSO for Azure AD now integrated in Firefox

Mozilla Firefox has a setting now to support sign-in with Microsoft Work or School account. This is great news since it also means that we now can sign-in and get the benefits of Conditional Access Policies using Firefox browser. It will take benefit of your registered work or school account in Windows. I have tested […]

Azure AD Connect Version 2.0.X, my thoughts

Just arrived back from vacation and now it’s time to get to know our new friend AD Connect Version 2. I started with reading Microsoft documentations and want to pinpoint the differences. Requires Windows Server 2016 or later Uses LocalDB components of SQL 2019 Use TLS1.2 and is required for installation. You can use “Set-ADSyncToolsTls12” […]

Configure FIDO2 for Firstline workers with Temporary Access Pass

Finally Microsoft release the public preview of Temporary Access Pass. Why is that so important?For all Firstline workers without mobile device it´s hard to configure MFA (Multi Factor Authentication). They need assistance from an IT support to setup FIDO2 security key. With TAP (Temporary Access Pass) it´s now possible to configure a passcode for new […]

Updated Authentication Methods API in Public Preview

Microsoft is now release new features to Authentication Methods API. One of the most missing component was Application Permissions that are now in Public Preview. What mean with Application support? You can connect and change sign-in methods for all users. Before was only delegated permission an option and the you need to sign-in with each […]

Remove a User from All Teams with PowerShell in Azure Automation

I did an easy script for a case when disabled user accounts are saved during a sometime. The case was to remove this users from all membership in Microsoft Teams. An extension attribute is used for all accounts that is in this disabled state. ExtentionAttribute7 = “Sleep” To be able to run this script you […]

Password policy for hybrid identity

When setting up Azure AD Connect and synchronize identities to Azure AD we have two different password policy’s to take care of. In local Active Directory we have a policy for local accounts but if we have an user synchronize to Azure AD they still use the local password policy as default. In Azure AD […]

Block external e-mail forward in Power Automate (Flow)

I have a case where a company had issues with users started to forward e-mail with power automate even that external forwarding is blocked in Exchange. This issue can occur even if the user do not have a power automate license since they anyway can initiate the service themselves. To make this more usable we […]

Connect Azure Automation Runbook script with service principal for AzureAD

We are all working to get rid of service account without MFA. One step forward is to use service principal with permissions and then connect. In this article I will guide you how to setup this solution to connect with AzureAD PowerShell. Start PowerShell as administrator on your computer. Update the password (“pwd” in the […]

Prohibit upload sensitive data in Microsoft 365

I got many questions from customer that they want to block upload of confidential data in Microsoft 365. Is it possible to block that? The answer is yes if you have access to both (CA) Conditional Access and (MCAS) Microsoft Cloud App Security. In CA you need to enabled the “Use Conditional Access App Control” […]

Login to Teams webclient is blocked

I had an issue where it was not possible to login to Teams web client. It just generated a error that referred to contact your administrator. AADSTS7000112: Application ‘id’ (Microsoft Teams Web Client) is disabled To fix this issue we can go to and sign-in. Select Azure Active Directory -> Enterprise Apps and do […]

Remove AD Forest from AD Connect

I was going to remove an AD Forest from AD Connect and took for granted that this would be an easy operation to do from within the AD Connect wizard. I realized that it is just possible to add AD Forests. I than thought that miisclient would be the place to do this. There is […]

Enable Azure ATP and integrate to Microsoft Cloud App Security

Azure Advanced Threat Protection (ATP) is a cloud-based security solution that leverages your on-premises Active Directory signals to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions directed at your organization. With all this signals integrated in Cloud App Security it’s possible to create alerts and actions on all this signals. If […]

Export Azure AD last logon with PowerShell Graph API

In local Active Directory we have the possibility to export last logon for each user but in Azure AD we don´t had that attribute before. From now it´s available in Microsoft Graph beta. There are still limitation in graph queries to filter the data so the best recommendations is to export the data with PowerShell […]

Administrative Units get graphical interface

Finally we have a interface for Administrative Units. I have been in private preview for a time now and test this interface with customers. There are always things I will see to be better but a very good start. If you hope that you can release PowerShell for now, then the answer is no. We […]

FIDO2 security keys (passwordless) in hybrid enviroment

Everyone know that password is weak today and passwordless is around the corner for every enterprise company’s. Together with FIDO2 it is now possible to sign-in to an Windows 10 hybrid join device. We don´t need any MFA or a complex password anymore. Just a key that you bring with you. FIDO2 is based on […]

Configure Hybrid Azure AD joined with AD Connect

This method is suitable for hybrid organizations with existing on-premises AD infrastructure. This is also a requirement for other solutions like Co-Management, Passwordless sign-in etc. Start the AD Connect Configuration Wizard. Select Configure device options. Select Configure Hybrid Azure AD join. Choose Windows 10 or later if you only have that. All Windows down-level require […]

Configure SSO with Office 365

In Azure there are a lot of Single Sign-On (SSO) options. Many early adopters in cloud use ADFS based on that SSO was not a part of AD Connect at the beginning. Today we have more than one solution to choose between. Active Directory Federation Services (ADFS)This is an on-premies solution that is important if […]

When to use Security Defaults or Conditional Access?

Azure AD Security Defaults is a protection that is enabled in all new tenants. This is created to raise the security in Microsoft 365 to a better level. When security defaults is enabled you are not able to use Conditional Access. If to want better control and choose the rule by your self, the Conditional […]

Azure Automation Credentials, auto-rollover

In this blog I will describe an easy way to rollover credentials in you Azure Automation Credential key vault. This example we use a Global Admin account. When you setup service accounts you should always use “least privilege permissions”. This can be combined with Administrative Units or even a model where you use a secured […]

Update Exchange Online connection in Azure Automation to support Modern Authentication

Update your Automation runbooks running exchange online to Modern Authentication The final date for running basic authentication on Exchange Online is coming fast. Have you updated all your runbooks against Exchange Online from not using Basic authentication? If not it’s highly recommended to start the work ASAP. In this blog I will describe how easy […]

Get started with Azure AD Identity Protection

A first look at a customer can be like the picture below. A lot of risky users to take care of. Before you activate Microsoft Azure AD Identity Protection there is some necessary step that need to be configured. What settings can you configure in Identity Protection? User risk policy Sign-in risk policy MFA registration […]

Use Azure AD dynamic groups based on ServicePlanId

Azure AD Dynamic Groups is not something new. We have this in Exchange for long time but we are also able to use them even in Azure Active Directory with the Azure AD Premium 1 license. Why should we use dynamic groups instead of static groups? In this post I will give you some example […]

Look for Teams with Guests

When rolling out classifications on Teams in an existing environment it can be good to know how many Teams that already have Guest Users invited. To gather this information I put together an easy PowerShell script. Running this script requires that you install the Microsoft Teams PowerShell module. Hope this will help you in your […]

Part 3: Conditional Access block legacy authentication

Microsoft has announced that “End of support for Basic Authentication access to Exchange Online API’s for Office 365 customers” is October 13th, 2020. Basic Authentication for Exchange Active Sync (EAS), Post Office Protocol (POP), Internet Message Access Protocol (IMAP), and Remote PowerShell (RPS) in Exchange Online is affected. SMTP AUTH with basic authentication will not be affected. It´t […]

Part 2: Conditional Access Azure Monitor Log Analytics workspace

Why should we store log to an Log Analytics workspace? The answer can be more than one. I will guide you how to setup and share some benefit of the value. The picture above show the standard workbooks you can see. You can deep into each of the workbooks to investigate more information. Let´s open […]

Part 1: Conditional Access Report-only

Conditional Access is used by rules to secure users and applications against sign-ins to Azure AD. New features are released recurrent and some are still in preview. One of the feature is Report-only that is a very powerful to get started with Conditional Access in a current environment. Instead of create rules that block traffic […]

Create Azure EA Subscription with PowerShell

Create EA subscription with PowerShell First I configure Visual Studio Code to work together with Azure Cloud Shell. To begin we have 2 prerequisites. Install node.js, Install Visual Studio Code Azure Account extension from within application You can now type CTRL+SHIFT+P from within Visual Studio Code, this should present you with the option to […]

How to configue advanced settings of sensitive labelpolicy with powershell

When Microsoft moving more and more settings from Azure portal to Office 365 SCC portal then all settings is not available in the GUI anymore. We need to use PowerShell to use these settings. Not even the PowerShell, we also need the real Unified Labeling client installed on Windows. What kind of settings do we […]

Configure Domain in Office 365 and Azure with PowerShell

I often setup lab environment in an Azure subscription combined with a trial for Microsoft 365 E5 licensing. One of the most booring task is to manually configure DNS in Azure for the domain. To solve this, I put together a PowerShell to setup the domain automatically. This script requires you to install 2 PowerShell […]

Follow My Blog

Get new content delivered directly to your inbox.