Prevent disabling passkeys on Windows
I recently read an article from Dr. Emin Huseynov about the toggle in Windows settings that disables passkeys for every user. While there can be specific circumstances where an organization may intentionally disable passkey usage, I – a passkey fan – want to make sure it is enabled. I did not find any official solution to […]
https://f12.hu/2026/04/18/prevent-disabling-passkeys-on-windows/
Multitenant organization “cheat” to add group(s) to the default sync scope

Back in the days when M365 MTO was in preview, it was possible to add group(s) to the default sync scope – today, the documentation states that if you want to sync groups, “you must configure cross-tenant synchronization directly in Microsoft Entra ID”. It doesn’t say “it is impossible to add groups to the default […]
https://f12.hu/2026/01/12/multitenant-organization-cheat-to-add-groups-to-the-default-sync-scope/
PowerShell with Entra CBA – unattended access to Defender portal when Graph API or Application permission does not fit

One of my previous posts covered a “basic” way to track secure score changes using Graph API with application permissions. While I still prefer application permissions (over service accounts) for unattended access to certain resources, sometimes it is not possible – for example when you want to access resources which are behind the Defender portal’s […]
https://f12.hu/2025/05/02/powershell-with-entra-cba-unattended-access-to-defender-portal-when-graph-api-or-application-permission-does-not-fit/
Entra Workload Identities – Trusted Certificate Authorities (public preview)

In the November 2023 – What’s New in Microsoft Entra Identity & Security w/ Microsoft Security CxE identity episode, a public preview feature of Entra Workload ID premium license was presented (link) which was actually announced on November 9th (link). I really love the idea of restricting application key credentials to a predefined list of […]
https://f12.hu/2023/12/11/entra-workload-identities-trusted-certificate-authorities-public-preview/
“Don’t do that” series – migrate personal user profile to (Azure)AD user profile with Win32_UserProfile.ChangeOwner method
Scenario: the business is now convinced that computers should be managed centrally (either with Active Directory or Azure Active Directory) instead of having WORKGROUP computers. Problem: after joining to (Azure)AD, users will have a new profile created. Gone are their settings, wallpaper, pinned icons, etc. You need to note these settings, copy the files to the […]
https://f12.hu/2023/03/30/dont-do-that-series-migrate-personal-user-profile-to-azuread-user-profile-with-win32_userprofile-changeowner-method/
SharePoint Online external file sharing report using Graph API and PowerShell
The story in short: one of my customers asked me if it is possible to generate a report on all content in Office365 shared externally. Doing some searches I found the following solutions:
– Run the sharing reports on each site and each OneDrive (link, link)
– Run reports based on audit logs (link)
While these reports […]
https://f12.hu/2023/03/13/sharepoint-online-file-sharing-report-using-graph-api-and-powershell/
Conditional Access policies – do you backup them ALL?
This will be a short post about a recent finding: AzureAD Conditional Access policies created from a template may be missing from your backups if you are not using the Graph API beta endpoint. TL;DR – When you create a Conditional Access policy using the “New policy from template (Preview)” button, the policy will not show when querying policies using the […]
https://f12.hu/2023/02/28/conditional-access-policies-do-you-backup-them-all/
Monitor AzureAD App registration expiration with PowerShell (GraphAPI)
There are several methods for monitoring Azure AD App registration expiration (like PowerAutomate or Azure Logic Apps) but these methods require extra licences or an Azure subscription. The PowerShell way is free and it only requires a new registration in AzureAD. TL;DR The script:
https://f12.hu/2023/01/29/monitor-azuread-app-registration-expiration-with-powershell-graphapi/
Monitor AzureAD Conditional Access Policy changes with PowerShell (Scheduled Script)
When there are multiple administrators in an AzureAD tenant, it is inevitable that one may change settings in Conditional Access policies – without notifying everyone involved. To keep track of changes you could regularly check the AzureAD audit logs, or have an automation for it. I may be a bit old-fashioned, but I prefer to […]
https://f12.hu/2022/05/31/monitor-azuread-conditional-access-policy-changes-with-powershell-scheduled-script/

