When talking about Azure AD security, we tend to put less focus on service principals/app registrations*. But when we take into consideration that these principals can have assigned API permissions and “static” credentials (certificate or password) and that these credentials in the wrong hands can cause serious damage, we may change our attitude.* While “App […]
https://f12.hu/2023/05/06/azuread-app-registrations-the-application-permission-credentials-combination-security-nightmare/
The Edge Drop is a really wonderful feature, but my inner data protection officer was bugging me to investigate if it is safe in an enterprise (or SMB) environment. There are several options to protect corporate data (labels, App Protection Policy, DLP policies, etc.) but not every business is lucky enough to afford the required […]
https://f12.hu/2023/04/06/edge-drop-vs-sharepoints-access-control-policy-for-unmanaged-devices/
Scenario: the business is now convinced that computers should be managed centrally (either with Active Directory or Azure Active Directory) instead of having WORKGROUP computers.Problem: after joining to (Azure)AD, users will have a new profile created. Gone are their settings, wallpaper, pinned icons, etc. You need to note these settings, copy the files to the […]
https://f12.hu/2023/03/30/dont-do-that-series-migrate-personal-user-profile-to-azuread-user-profile-with-win32_userprofile-changeowner-method/
The story in short: one of my customers asked me if it is possible to generate a report on all content in Office365 shared externally. Doing some searches I found the following solutions:– Run the sharing reports on each site and each OneDrive (link, link)– Run reports based on audit logs (link) While these reports […]
https://f12.hu/2023/03/13/sharepoint-online-file-sharing-report-using-graph-api-and-powershell/
This will be a short post about a recent finding: AzureAD Conditional Access policies created from template may miss from your backups if not using Graph API beta endpoint. TL;DR– When you create a Conditional Access policy using the “New policy from template (Preview)” button, the policy will not show when querying policies using the […]
https://f12.hu/2023/02/28/conditional-access-policies-do-you-backup-them-all/
It’s funny when you are planning to post about a topic, then you encounter an error and then publish about the error instead. This was the case when I was comparing the app configuration policies for Edge and Chrome and came to the ‘Expected list value’ issue when trying to set up the URLBlocklist (sidenote […]
https://f12.hu/2023/02/16/intune-app-configuration-policy-edge-chrome-urlblocklist-on-android-expected-list-value-error/
There are certain scenarios where Microsoft’s OneDrive/SharePoint solution is not an option for storing data (eg. data localization restrictions enforced by law). However, if you still want to provide your users with the file sync experience and/or other collaboration features you may have came across Owncloud or Nextcloud as an alternative. But have you considered […]
https://f12.hu/2023/02/08/nextcloud-with-azuread-application-proxy/
There are several methods for monitoring Azure AD App registration expiration (like PowerAutomate or Azure Logic Apps) but these methods require extra licences or an Azure subscription. The PowerShell way is free and it only requires a new registration in AzureAD. TL;DR The script:
https://f12.hu/2023/01/29/monitor-azuread-app-registration-expiration-with-powershell-graphapi/
AzureAD Powershell is planned for deprecation (link) so I redesigned my Conditional Access Policy Backup solution originally posted here. This v2 edition uses an AzureAD app registration for unattended access (eg. scheduled script) and the Microsoft Graph API (but not the Microsoft Graph PowerShell module). The idea and the logic is the same as in […]
https://f12.hu/2023/01/13/backup-azuread-conditional-access-policies-v2-graph-api/
When there are multiple administrators in an AzureAD tenant, it is inevitable that one may change settings in Conditional Access policies – without notifying everyone involved. To keep track of changes you could regualarly check the AzureAD audit logs, or have an automation for it. I may be a bit old-fashioned, but I prefer to […]
https://f12.hu/2022/05/31/monitor-azuread-conditional-access-policy-changes-with-powershell-scheduled-script/