Changes in Set-UnifiedGroup result in lack of proper audit trail
Vasil Michev's Blog
by Vasil Michev
2w ago
As part of my investigation into the Microsoft 365 Group email address management story, I ran a bunch of searches against Exchange Online’s Admin audit log as well as the Microsoft 365 Unified audit log. Some interesting observations arose from these, which hint that Microsoft might have changed the way some cmdlets work, or even the dual-write model itself. Read on for the details. Setting the stage First, a reminder that Microsoft is planning to remove access to Exchange Online’s Admin audit log by the end of this month (April 2024). In theory, not much should change for us customers, as ev…
How to manage email addresses for Microsoft 365 Groups
Vasil Michev's Blog
by Vasil Michev
2w ago
Recently, I’ve run into several discussions around how to use the Graph API to change the email address of an already provisioned Microsoft 365 Group (or Team). In all of them, a claim was made that this is possible by changing the mailNickname (“alias”) property of the group, after which supposedly some process would kick in and update the primary SMTP address of the group. Spoiler alert, it doesn’t, and you cannot use the Graph API for such operations. Since I had to run a few tests to confirm this behavior, you will now suffer through another one of my articles, detailing the issue and the tr…
Search-Mailbox is no longer available in Exchange Online
Vasil Michev's Blog
by Vasil Michev
1M ago
After being away for a while (attending the Microsoft MVP Summit in Seattle and some additional traveling), I come bearing sad news. The beloved Search-Mailbox cmdlet, easily one of my favorite bits of code in Exchange, is no longer available in any of my Microsoft 365 tenants. A sad day. Microsoft did warn us about this. A few times actually, though the community managed to change their mind when they initially tried to remove the cmdlet a few years back. In a Message Center post dated Jan 4th, another announcement was made, with end of March 2024 being positioned as the deadline. As with any pr…
Querying the Microsoft 365 Unified Audit Log datamart via the Graph API
Vasil Michev's Blog
by Vasil Michev
2M ago
Over the past couple of months, several announcements have been made around the Microsoft 365 Unified audit log and the methods used to access it. Some changes were good, such as the improvements made on the UI side, where we finally got some more meaningful filters. Others fall under the expected (but still concerning) category, such as the recently announced deprecation of the Exchange Online audit log cmdlets and their replacement with the UAL. Some were simply puzzling, such as the reduced number of results returned when using the Search-UnifiedAuditLog cmdlet and the now mandatory –Sessio…
Obtaining Entra license utilization insights data via the Graph API
Vasil Michev's Blog
by Vasil Michev
2M ago
Yesterday, Microsoft announced the public preview of Microsoft Entra License Utilization Insights, or in other words, a set of reports that aim to give you an overview of how features that require “Premium” Entra ID licenses are being leveraged within your organization. For the time being, these Insights only cover a handful of such features, namely Conditional Access policies (for the corresponding Entra Premium P1 license requirement) and the risk-based Conditional Access policies (for Entra Premium P2). Not much, but it’s a start. The feature itself is simple enough to use – all you need to…
Can you verify whether third-party applications adhere to the Identity platform best practices?
Vasil Michev's Blog
by Vasil Michev
2M ago
One of the resources I used in preparation for the latest version of my Entra ID service principals and applications reporting scripts was the Identity platform best practices article. In fact, some of the changes to the scripts are directly influenced by recommendations in said article, such as the inclusion of ReplyURIs and the various checks performed against them (which “calculates” the value of the HasBadURIs column). Others, I already had included in previous versions, such as the column to “detect” the use of insecure OAuth flows, or in general the recommendation to use certificates ins…
Reporting on Entra ID directory role assignments (including PIM)
Vasil Michev's Blog
by Vasil Michev
2M ago
While certainly interesting in nature, the recent Midnight Blizzard breach is just the same old story – unprotected account, unsecured environment, a lot of neglect and failure to adhere to the best practices and Microsoft’s own security guidance. If anything, it is another reminder of just how important covering your basics is. Which is exactly what we will do in this article, with an updated version of the script(s) to generate a report of all Entra ID directory role assignments within your organization, including the ones managed via Privileged Identity Management. Last time we did this exer…
Reporting on BitLocker recovery keys and associated devices
Vasil Michev's Blog
by Vasil Michev
3M ago
Today’s article will be an odd one, as its primary goal is to address some requests from the Q&A platform. In particular, the question about getting a list of all BitLocker recovery keys, posted back in June and subsequent requests on the same topic. The original query is easy enough to address – it’s a single cmdlet when using the Graph SDK for PowerShell: `Connect-MgGraph -Scopes BitLockerKey.Read.All` followed by `Get-MgInformationProtectionBitlockerRecoveryKey -All`. Things get a little more complicated if you want to include the actual key values within the output, as you will have to iterate over e…
Reporting on Entra ID application registrations
Vasil Michev's Blog
by Vasil Michev
3M ago
After updating the scripts to report on Entra-integrated applications (aka service principals) last week, it is time to take a look at the updated scripts to report on application registrations. While one can argue that this scenario is less important, due to its primarily internal focus, it should not be overlooked. More and more administrative or even pure business tasks nowadays require additional application registrations, especially when you want to combat “consent creep”. For ISVs, securing access and ensuring your applications are not overly permissioned is an important scenario. An eve…
Reporting on Entra ID integrated applications (service principals) and their permissions
Vasil Michev's Blog
by Vasil Michev
3M ago
Today, we’re going to be looking at reporting for Entra-integrated third-party applications (or their local representation, service principals). Since the last time we examined this, Microsoft has released some additional reporting and analytics, added support for Custom security attributes, thus allowing us to target “tagged” service principals within Conditional Access policies, and introduced the Microsoft 365 App certification program. We’ve also seen the increase in attacks that specifically target applications and service principals, such as the one outlined in this article. With the abo…