Delegating LAPS password retrieval at device level

Poor man’s EPM – delegate access to the LAPS password on a device basis.
(this alternative title is inspired by Jan Bakker’s “Poor man’s IGA” blog series)

by on February 22, 2026  •  Permalink
Posted in EntraID, GraphAPI
Tagged ,
Posted by Daniel Kovacs on February 22, 2026

https://f12.hu/2026/02/22/delegating-laps-password-retrieval-at-device-level/

Entra App instance property lock vs SAML signing certificate – an uncommon way of self-sabotage

Recently I tried to set up ClaimXRay NG with the guidance of DSInternals, learned things, failed here and there and stumbled upon a totally-not-helpful error message: “There was an error in the uploading the private certificate and password. Please try again or contact support.” To cut to the chase: This message appeared when I was […]

by on January 29, 2026  •  Permalink
Posted in AzureAD, EntraID, GraphAPI
Tagged ,
Posted by Daniel Kovacs on January 29, 2026

https://f12.hu/2026/01/29/entra-app-instance-property-lock-vs-saml-signing-certificate-an-uncommon-way-of-self-sabotage/

Multitenant organization “cheat” to add group(s) to the default sync scope

Back in the days when M365 MTO was in preview, it was possible to add group(s) to the default sync scope – today, the documentation states that if you want to sync groups, “you must configure cross-tenant synchronization directly in Microsoft Entra ID”. It doesn’t say “it is impossible to add groups to the default […]

by on January 12, 2026  •  Permalink
Posted in AzureAD, EntraID, M365, PowerShell
Tagged , , ,
Posted by Daniel Kovacs on January 12, 2026

https://f12.hu/2026/01/12/multitenant-organization-cheat-to-add-groups-to-the-default-sync-scope/

Find personal Microsoft accounts with corporate email address

Personal Microsoft accounts registered with corporate email address can cause end-user confusion and probably some headaches for IT admins. Let’s find these users before they find you.

by on December 16, 2025  •  Permalink
Posted in AzureAD, PowerShell
Tagged ,
Posted by Daniel Kovacs on December 16, 2025

https://f12.hu/2025/12/16/find-personal-microsoft-accounts-with-corporate-email-address/

Disabling Entra Seamless SSO – some extra notes

Disabling Entra Seamless SSO is simple – or you can get lost in the details.

by on October 31, 2025  •  Permalink
Posted in AzureAD, Edge, GPO
Tagged ,
Posted by Daniel Kovacs on October 31, 2025

https://f12.hu/2025/10/31/disabling-entra-seamless-sso-some-extra-notes/

Quicknote: Hybrid Exchange mailbox migration account vs. modern authentication policy

Recently, I came across an uncommon issue while disabling legacy authentication in a hybrid Exchange environment. Since I did not find any exact solutions, I thought I share my story about modern authentication in on-premises Exchange server and how it affects the mailbox migration account. Spoiler: it breaks the mailbox migration TL;DR– Exchange Online uses […]

by on September 25, 2025  •  Permalink
Posted in Exchange, Exchange Online
Posted by Daniel Kovacs on September 25, 2025

https://f12.hu/2025/09/25/quicknote-hybrid-exchange-mailbox-migration-account-vs-modern-authentication-policy/

Powershell with Entra CBA – unattended access to Defender portal when Graph API or Application permission does not fit

One of my previous posts covered a “basic” way to track secure score changes using Graph API with application permissions. While I still prefer application permissions (over service accounts) for unattended access to certain resources, sometimes it is not possible – for example when you want to access resources which are behind the Defender portal’s […]

by on May 2, 2025  •  Permalink
Posted in AzureAD, Defender, GraphAPI, PowerShell
Tagged , , ,
Posted by Daniel Kovacs on May 2, 2025

https://f12.hu/2025/05/02/powershell-with-entra-cba-unattended-access-to-defender-portal-when-graph-api-or-application-permission-does-not-fit/

How much time your users are wasting with “traditional” MFA?

Recently, I came across a post on LinkedIn which demonstrated that Passkey authentication is way faster than traditional Password+MFA notification login. It made me curious: how much time does it exactly take to do MFA? TL;DR– This report uses the SignInLogs table which needs to be configured in Diagnostic settings– Unfortunately I did not manage […]

by on January 4, 2025  •  Permalink
Posted in AzureAD, Conditional Access, KQL
Tagged , , ,
Posted by Daniel Kovacs on January 4, 2025

https://f12.hu/2025/01/04/how-much-time-your-users-are-wasting-with-traditional-mfa/

Find clients authenticating from unassigned AD subnets – using Defeder for Identity

Housekeeping with Defender for Identity – finding unassinged AD subnets using the IdentityLogonEvents table

by on October 25, 2024  •  Permalink
Posted in GraphAPI, KQL, MDI, PowerShell
Posted by Daniel Kovacs on October 25, 2024

https://f12.hu/2024/10/25/find-clients-authenticating-from-unassigned-ad-subnets-using-defeder-for-identity/

Tracking Microsoft Secure Score changes

Microsoft Secure Score is a useful feature in the Defender portal, but I missed the alerting option.

No Comments
by on May 6, 2024  •  Permalink
Posted in GraphAPI, PowerShell
Posted by Daniel Kovacs on May 6, 2024

https://f12.hu/2024/05/06/tracking-microsoft-secure-score-changes/

« Older Posts