All posts in category GraphAPI

Delegating LAPS password retrieval at device level

Poor man’s EPM – delegate access to the LAPS password on a device basis.
(this alternative title is inspired by Jan Bakker’s “Poor man’s IGA” blog series)

by on February 22, 2026  •  Permalink
Posted in EntraID, GraphAPI
Tagged ,
Posted by Daniel Kovacs on February 22, 2026

https://f12.hu/2026/02/22/delegating-laps-password-retrieval-at-device-level/

Entra App instance property lock vs SAML signing certificate – an uncommon way of self-sabotage

Recently I tried to set up ClaimXRay NG with the guidance of DSInternals, learned things, failed here and there and stumbled upon a totally-not-helpful error message: “There was an error in the uploading the private certificate and password. Please try again or contact support.” To cut to the chase: This message appeared when I was […]

by on January 29, 2026  •  Permalink
Posted in AzureAD, EntraID, GraphAPI
Tagged ,
Posted by Daniel Kovacs on January 29, 2026

https://f12.hu/2026/01/29/entra-app-instance-property-lock-vs-saml-signing-certificate-an-uncommon-way-of-self-sabotage/

Powershell with Entra CBA – unattended access to Defender portal when Graph API or Application permission does not fit

One of my previous posts covered a “basic” way to track secure score changes using Graph API with application permissions. While I still prefer application permissions (over service accounts) for unattended access to certain resources, sometimes it is not possible – for example when you want to access resources which are behind the Defender portal’s […]

by on May 2, 2025  •  Permalink
Posted in AzureAD, Defender, GraphAPI, PowerShell
Tagged , , ,
Posted by Daniel Kovacs on May 2, 2025

https://f12.hu/2025/05/02/powershell-with-entra-cba-unattended-access-to-defender-portal-when-graph-api-or-application-permission-does-not-fit/

Find clients authenticating from unassigned AD subnets – using Defeder for Identity

Housekeeping with Defender for Identity – finding unassinged AD subnets using the IdentityLogonEvents table

by on October 25, 2024  •  Permalink
Posted in GraphAPI, KQL, MDI, PowerShell
Posted by Daniel Kovacs on October 25, 2024

https://f12.hu/2024/10/25/find-clients-authenticating-from-unassigned-ad-subnets-using-defeder-for-identity/

Tracking Microsoft Secure Score changes

Microsoft Secure Score is a useful feature in the Defender portal, but I missed the alerting option.

No Comments
by on May 6, 2024  •  Permalink
Posted in GraphAPI, PowerShell
Posted by Daniel Kovacs on May 6, 2024

https://f12.hu/2024/05/06/tracking-microsoft-secure-score-changes/

Entra Workload Identities – Trusted Certificate Authorities (public preview)

In the November 2023 – What’s New in Microsoft Entra Identity & Security w/ Microsoft Security CxE identity episode, a public preview feature of Entra Workload ID premium license was presented (link) which was actually announced on November 9th (link). I really love the idea of restricting application key credentials to a predefined list of […]

by on December 11, 2023  •  Permalink
Posted in Entra Workload Identities, GraphAPI, PowerShell
Tagged ,
Posted by Daniel Kovacs on December 11, 2023

https://f12.hu/2023/12/11/entra-workload-identities-trusted-certificate-authorities-public-preview/

Query Windows Hello for Business registrations and usage

So recently I was planning on requiring authentication stenghts in a Conditional Access policy – more precisely requiring Windows Hello for Business – when I realized that I’m not 100% sure that every user will meet this requirement. I wanted to make sure everybody has WHfB enrollment and that it is actively in use – […]

No Comments
by on October 15, 2023  •  Permalink
Posted in AzureAD, GraphAPI, PowerShell, Windows Hello for Business
Posted by Daniel Kovacs on October 15, 2023

https://f12.hu/2023/10/15/query-windows-hello-for-business-registrations-and-usage/

Fighting AzureAD App registration client secrets – step2: limiting app password lifetime

Disclaimer: the following configurations require Microsoft Entra Workload Identities Premium licence (link) In my previous post, I highlighted the risks of using password credentials for apps and how to spot client secret usage for service principals. This post will focus on limiting password lifetime for apps (scoped to tenant or specific application level) which can […]

No Comments
by on June 18, 2023  •  Permalink
Posted in AzureAD, Entra Workload Identities, GraphAPI
Tagged , , , ,
Posted by Daniel Kovacs on June 18, 2023

https://f12.hu/2023/06/18/fighting-azuread-app-registration-client-secrets-step2-limiting-app-password-lifetime/

Fighting AzureAD App registration client secrets – step1: reviewing client secret usage

Workload identity (including service principals) security keeps bugging me, especially the password credentials (aka client secret). I’m sure there are scenarios where this is the only option, but I see environments where these are used just because it is easier to implement. And one day I woke up and realized how dangerous it can be […]

No Comments
by on June 12, 2023  •  Permalink
Posted in AzureAD, GraphAPI, PowerShell
Tagged
Posted by Daniel Kovacs on June 12, 2023

https://f12.hu/2023/06/12/fighting-azuread-app-registration-client-secrets-step1-reviewing-client-secret-usage/

AzureAD App registrations – the “application” permission + credentials combination security nightmare

When talking about Azure AD security, we tend to put less focus on service principals/app registrations*. But when we take into consideration that these principals can have assigned API permissions and “static” credentials (certificate or password) and that these credentials in the wrong hands can cause serious damage, we may change our attitude.* While “App […]

by on May 6, 2023  •  Permalink
Posted in AzureAD, GraphAPI, PowerShell
Tagged , , , , ,
Posted by Daniel Kovacs on May 6, 2023

https://f12.hu/2023/05/06/azuread-app-registrations-the-application-permission-credentials-combination-security-nightmare/

« Older Posts