Granular permissions for working with files, list items and lists added to the Graph API!
Vasil Michev's Blog
by Vasil Michev
2w ago
The Graph API might be great in some regards, but in others leaves a lot to be desired. One such example is the permission granularity it offers, or in other words the fact that an app running with application permissions is able to perform actions against any and all resources of a given type (i.e. Mail.Read gives you access to every single mailbox within the tenant). To address such concerns, different teams within Microsoft took different approaches, for example the Exchange PG introduced the so-called application access policies. “Native” integration within the Exchange RBAC controls follo ..read more
How to properly filter for specific enabled services via the Graph API/SDK
Vasil Michev's Blog
by Vasil Michev
3w ago
Time for another public service announcement: you might be doing filtering wrong! To be more precise, the filters you might be using in order to get a list of users with a specific service enabled, Exchange Online Plan 2 for example, might not be giving you the correct results. So in this article, we will review some common mistakes and provide you with a filter query that will return the correct set of results. First, let me be clear that I’m not pointing fingers at anyone. Filtering in the Graph API leaves a lot to be desired, and is not as user-friendly as it should be. Case in point: lambda ..read more
Less known Graph API endpoints you can use to ensure compliance with CIS benchmark
Vasil Michev's Blog
by Vasil Michev
1M ago
As I was going over the latest CIS guidelines for securing your Microsoft 365 estate, I noticed that some of the controls are marked as “manual”, even though programmatic methods to collect/remediate them do exist. Now I’m definitely no expert on the benchmark and I am not familiar with the methodology used to generate it, so I am not voicing any criticism on it. I simply wanted to publish some guidance for people that might be interested in automating some of those “manual” controls. Let’s dig into it.
Idle session timeout
Reporting on and configuring Idle session timeout for Microsoft 365 a ..read more
How to fetch data for reports Microsoft is yet to provide Graph API endpoints for
Vasil Michev's Blog
by Vasil Michev
1M ago
Even in 2024, the Microsoft 365 reporting story leaves a lot to be desired. The experience is spread across multiple interfaces and endpoints, each with its own implementation, controls and data formats. What’s worse, we still lack a uniform way to programmatically access and export the reports, with even “heavy hitters” such as Copilot not getting their Graph API report endpoint months into its worldwide release. Despite multiple requests from customers and ISVs alike, Microsoft is yet to add API support for many useful reports. In turn, this forces customers to rely on workarounds such as copyi ..read more
Some ramblings around Continuous access evaluation, support for Graph and service principals
Vasil Michev's Blog
by Vasil Michev
2M ago
Before we start, a fair warning – this article mostly summarizes my recent experiments around Continuous access evaluation, there’s probably nothing of value to be found in it. Just another example of “I blog so I don’t forget”. To set the stage, I was doing some random tests with the Graph explorer tool, when I noticed that the access token it uses seems to have an extended validity of 24h or so. Of course, I was aware of the Continuous access evaluation feature and the fact that using it results in issuing such “long-lived” tokens. What I was not aware of was the fact that the Graph as reso ..read more
How to manage Entra ID delegate permissions for specific users
Vasil Michev's Blog
by Vasil Michev
2M ago
A somewhat common question I run across in the different communities I frequent is the possibility to add or remove user consent (delegate permissions) for a specific Entra ID integrated application (service principal). Annoyingly, some people seem to be convinced that such operations are only possible via the UI or not at all. I suppose we can blame this on the fact that the relevant Graph API documentation articles are a bit harder to find, or whatever. So let’s bring some visibility to this, shall we?
Setting the stage
First things first, let’s set the stage. We’re talking about delegate(d) p ..read more
Changes in Set-UnifiedGroup result in lack of proper audit trail
Vasil Michev's Blog
by Vasil Michev
3M ago
As part of my investigation into the Microsoft 365 Group email address management story, I ran a bunch of searches against Exchange Online’s Admin audit log as well as the Microsoft 365 Unified audit log. Some interesting observations arose from these, which hint that Microsoft might have changed the way some cmdlets work, or even the dual-write model itself. Read on for the details.
Setting the stage
First, a reminder that Microsoft is planning to remove access to Exchange Online’s Admin audit log by the end of this month (April 2024). In theory, not much should change for us customers, as ev ..read more
How to manage email addresses for Microsoft 365 Groups
Vasil Michev's Blog
by Vasil Michev
3M ago
Recently, I’ve run into several discussions around how to use the Graph API to change the email address of an already provisioned Microsoft 365 Group (or Team). In all of them, a claim was made that this is possible by changing the mailNickname (“alias”) property of the group, after which supposedly some process would kick in and update the primary SMTP address of the group. Spoiler alert, it doesn’t, and you cannot use the Graph API for such operations. Since I had to run a few tests to confirm this behavior, you will now suffer through another one of my articles, detailing the issue and the tr ..read more
Search-Mailbox is no longer available in Exchange Online
Vasil Michev's Blog
by Vasil Michev
4M ago
After being away for a while (attending the Microsoft MVP Summit in Seattle and some additional traveling), I come bearing sad news. The beloved Search-Mailbox cmdlet, easily one of my favorite bits of code in Exchange, is no longer available in any of my Microsoft 365 tenants. A sad day. Microsoft did warn us about this. A few times, actually, though the community managed to change their mind when they initially tried to remove the cmdlet a few years back. In a Message Center post dated Jan 4th, another announcement was made, with end of March 2024 being positioned as the deadline. As with any pr ..read more
Querying the Microsoft 365 Unified Audit Log datamart via the Graph API
Vasil Michev's Blog
by Vasil Michev
5M ago
Over the past couple of months, several announcements have been made around the Microsoft 365 Unified audit log and the methods used to access it. Some changes were good, such as the improvements made on the UI side, where we finally got some more meaningful filters. Others fall under the expected (but still concerning) category, such as the recently announced deprecation of the Exchange Online audit log cmdlets and their replacement with the UAL. Some were simply puzzling, such as the reduced number of results returned when using the Search-UnifiedAuditLog cmdlet and the now mandatory –Sessio ..read more