Nathan McNulty
May 25, 2021, 21 tweets
Let's learn about Users in Azure AD :)

In this thread, I'm covering the Azure Portal and the PowerShell modules. We'll look at the Graph API later (setup required).

If you haven't already signed up for an M365 dev account, check the thread below and follow along!
whoami

I've been managing AAD/O365 for almost a decade, and I absolutely can (and will) be wrong

Please correct me, nerd snipe, whatever your style is, if you see something wrong or have suggestions

I want value here for beginners and veterans alike, but we start with basics
So, let's get started by logging into portal.azure.com with the Global Admin (GA) account for our developer tenant

In the middle of the dashboard, you'll see a link to View Azure Active Directory. Go ahead and click on that ;)

On the left, click Users, then click New User
Something that will make these threads a little more unique is that I will cover less known topics, like break glass accounts

Use the Create user option to create 2 break glass accounts and give them the Global Administrator (GA) role (see pictures)

Best practices (learn for prod):
docs.microsoft.com/en-us/azure/ac…
I will cover Conditional Access/MFA in a different thread, but if this were prod, we'd be all over those policies right now :p

In a prod environment, you will want to spend time designing good CA policies for these accounts. Emergency access vs security is a tricky balance.
Next, let's look at Bulk operations.

And by look at, I mean I'll mention it's there, but good luck getting it to work.

This has always been a pain and doesn't really scale. Honestly, just skip this and use PowerShell.

Import-Csv is your friend:
docs.microsoft.com/en-us/powershe…
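As an added example (not the thread's code and not from the repo), here is what the Import-Csv approach looks like end to end with the MSOnline module: read rows, skip accounts that already exist so a re-run is safe, give each new user a random temporary password that must be changed at first sign-in, and report per-row results instead of stopping at the first error. The CSV content is constructed inline so the script is self-contained; in practice you would use Import-Csv on a real file. It assumes Install-Module MSOnline and Connect-MsolService have already been run, and the UPNs are placeholders.

```powershell
# Added example: bulk user creation from CSV with the MSOnline module.
# Constructed sample data; replace with: $users = Import-Csv -Path .\users.csv
$csv = @"
UserPrincipalName,DisplayName,FirstName,LastName,UsageLocation
tuser4@domain.onmicrosoft.com,Test User 4,Test,User 4,US
tuser5@domain.onmicrosoft.com,Test User 5,Test,User 5,US
"@
$users = $csv | ConvertFrom-Csv

function New-TempPassword {
    # 16 characters from a crypto RNG. Ambiguous glyphs (0/O, 1/l/I) are left out
    # because someone will read this over the phone. The modulo introduces a tiny
    # bias that does not matter for a one-time password that must be changed at logon.
    $chars = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!@#$%^&*'
    $bytes = New-Object byte[] 16
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    -join ($bytes | ForEach-Object { $chars[$_ % $chars.Length] })
}

$results = foreach ($u in $users) {
    # Get-MsolUser writes a non-terminating "user not found" error; silence it and test for output
    if (Get-MsolUser -UserPrincipalName $u.UserPrincipalName -ErrorAction SilentlyContinue) {
        [pscustomobject]@{ UPN = $u.UserPrincipalName; Status = 'Exists'; TempPassword = $null }
        continue
    }
    try {
        $pw = New-TempPassword
        # New-MsolUser takes the password as a plain string (not a SecureString)
        New-MsolUser -UserPrincipalName $u.UserPrincipalName -DisplayName $u.DisplayName `
            -FirstName $u.FirstName -LastName $u.LastName -UsageLocation $u.UsageLocation `
            -Password $pw -ForceChangePassword $true -StrongPasswordRequired $true `
            -ErrorAction Stop | Out-Null
        [pscustomobject]@{ UPN = $u.UserPrincipalName; Status = 'Created'; TempPassword = $pw }
    } catch {
        [pscustomobject]@{ UPN = $u.UserPrincipalName; Status = "Failed: $($_.Exception.Message)"; TempPassword = $null }
    }
}

# Temporary passwords go to the user out of band; don't Export-Csv this table to a share.
$results | Format-Table -AutoSize
```

The existence check is what makes the script idempotent: a CSV that is half-imported because the session timed out can simply be run again. -ErrorAction Stop on New-MsolUser is needed so the catch block actually sees failures (quota, duplicate proxy address, invalid UsageLocation), since MSOnline errors are non-terminating by default.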
In the Portal, if you click on a User, you can view the details about them.

This view can be extremely helpful for help desk/support staff, and it is much nicer than AD Users and Computers.

You'll notice the ability to edit, reset password, kill sessions, and delete at the top.
I created a GitHub repo for these M365 threads, and I will continue to add to it as I go.

The install commands seen in the images can be found there, and I've also included links to the Docs for each module.

Commands and scripts (later) will go here too

github.com/nathanmcnulty/…
To get up and running quickly, here's what I did. For best security, you should totally check the docs if you aren't sure if this is safe ;)

Install-Module -Name Az -Scope CurrentUser -Repository PSGallery -Force

Install-Module AzureADPreview

Install-Module MSOnline
It will not hurt anything to have all three of these modules installed alongside one another; they use different cmdlet prefixes (Az*, AzureAD*, Msol*), so nothing collides.

Having managed over 45K users in Google Workspace, I can definitively say Microsoft is the only large productivity suite provider that cares about IT admins by providing good tooling ;)
Let's create a user with the Azure Az Powershell module.

First, we need to connect:

Connect-AzAccount

Then we can create:

New-AzADUser -DisplayName "Test User 1" -UserPrincipalName "tuser1@domain.onmicrosoft.com" -Password (Read-Host -AsSecureString) -MailNickname "tuser1"
Now, let's create a user with the Azure AD module

Connect:

Connect-AzureAD

Create a password profile:

$PasswordProfile = New-Object -TypeName Microsoft.Open.AzureAD.Model.PasswordProfile
$PasswordProfile.Password = "Haha, nice try!"

What what? Oh yeah, hang on.
The New-AzureADUser cmdlet requires an object to be passed into the -PasswordProfile parameter, so we have to create that first.

It's in the docs :p

docs.microsoft.com/en-us/powershe…

The rest of the command is too big for Twitter, so check my repo here:

github.com/nathanmcnulty/…
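Since the full New-AzureADUser command lives in the repo, here is an added example of it (my own, not the thread's or the repo's code) that also does in PowerShell what the break glass step did in the portal earlier: create the account, then add it to the Global Administrator directory role. It assumes Connect-AzureAD has been run with a GA account; the display name, UPN and mail nickname are placeholders. The Global Administrator role is looked up by its well-known role template ID rather than by display name, because the display name has changed over time while the template ID has not.

```powershell
# Added example: full New-AzureADUser call plus Global Administrator role assignment (AzureAD module).
# Assumes Connect-AzureAD; names and UPN below are placeholders.

$PasswordProfile = New-Object -TypeName Microsoft.Open.AzureAD.Model.PasswordProfile
# Read-Host -AsSecureString keeps the password off the screen and out of history;
# NetworkCredential is the standard way to get the plain string the profile needs.
$PasswordProfile.Password = [System.Net.NetworkCredential]::new('', (Read-Host -AsSecureString 'Password')).Password
$PasswordProfile.ForceChangePasswordNextLogin = $false   # break glass: nobody should be forced through a reset mid-incident
$PasswordProfile.EnforceChangePasswordPolicy = $false    # and the password must not silently expire

$user = New-AzureADUser -AccountEnabled $true `
    -DisplayName 'Break Glass 1' `
    -UserPrincipalName 'bg1@domain.onmicrosoft.com' `
    -MailNickName 'bg1' `
    -UsageLocation 'US' `
    -PasswordProfile $PasswordProfile

# Well-known role template ID for Global Administrator (stable across the rename from Company Administrator)
$gaTemplateId = '62e90394-69f5-4237-9190-012177145e10'

# A directory role only shows up in Get-AzureADDirectoryRole once it has been activated in the tenant.
# GA always is, but handling the template case makes this reusable for other roles.
$role = Get-AzureADDirectoryRole | Where-Object { $_.RoleTemplateId -eq $gaTemplateId }
if (-not $role) {
    $role = Enable-AzureADDirectoryRole -RoleTemplateId $gaTemplateId
}

Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $user.ObjectId

# Verify the assignment rather than trusting the absence of an error
Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId |
    Where-Object { $_.ObjectId -eq $user.ObjectId } |
    Select-Object DisplayName, UserPrincipalName
```

The verification step at the end is worth keeping in any script that touches privileged roles: Add-AzureADDirectoryRoleMember returns nothing on success, so listing the members is the only cheap confirmation that the account really is GA before you rely on it as a break glass credential.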
Last, let's create a user with the MSOnline module :)

Connect:

Connect-MsolService

Create:

# New-MsolUser takes -Password as a plain string, so a SecureString from Read-Host has to be unwrapped first
$pw = [System.Net.NetworkCredential]::new('', (Read-Host -AsSecureString 'Password')).Password
New-MsolUser -UserPrincipalName "tuser3@domain.onmicrosoft.com" -DisplayName "Test User 3" -FirstName "Test" -LastName "User 3" -UsageLocation "US" -Password $pw
Now let's look at how to get user details in each module.

My three primary uses for Get commands are to view user details (usually troubleshooting), search users and filter (Get-* | Where-Object ...), and get an object to pipe into another command (Get-* | Where-Object {...} | Set-*).
Az module:
Get-AzADUser -UserPrincipalName tuser1@domain.onmicrosoft.com

AzureAD module:
Get-AzureADUser -SearchString "tuser2"

MSOnline module:
Get-MsolUser -SearchString "tuser3"

More details can be found in the repo:
github.com/nathanmcnulty/…
Now let's talk about modifying users. This is where you'll spend a lot of time if you develop automation scripts.

Each module is a little different, so check the docs for the list of attributes.

If you are syncing from on-prem, many attributes cannot be modified in the cloud, because the source of authority for a synced user stays in on-prem AD :(
To save some time, I've put all of the Set-* commands in the repo:

github.com/nathanmcnulty/…

Update-AzADUser is limited compared to the other two. That's why I'd suggest comparing all three and seeing which is the right tool for the job.

Keep an eye on the Az modules; they change fast.
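As an added example (mine, not the thread's or the repo's), here is the Get | Where | Set pattern from above as a script that also respects the on-prem sync caveat: it filters server-side, skips any user whose attributes are mastered in on-prem AD, and then reads the result back through two modules so you can compare what each one shows. It assumes Connect-AzureAD and Connect-MsolService have been run; the display-name prefix, UPN and attribute values are placeholders.

```powershell
# Added example: modify cloud-mastered users only, using the AzureAD module.
# Assumes Connect-AzureAD and Connect-MsolService; values below are placeholders.

# -Filter is an OData expression evaluated by the service, so only matching users come back.
# -All $true is needed or the cmdlet silently stops at the first page of results.
$candidates = Get-AzureADUser -All $true -Filter "startswith(displayName,'Test User')"

$changed = foreach ($u in $candidates) {
    if ($u.DirSyncEnabled) {
        # Source of authority is on-prem AD: the write would fail, so say why and move on
        Write-Warning "$($u.UserPrincipalName) is synced from on-prem; change it in AD and let AAD Connect sync it"
        continue
    }
    Set-AzureADUser -ObjectId $u.ObjectId -UsageLocation 'US' -Department 'Lab'
    $u.UserPrincipalName
}

# Read back through two modules; note the different property names for the same facts
foreach ($upn in $changed) {
    Get-AzureADUser -ObjectId $upn |
        Select-Object UserPrincipalName, UsageLocation, Department, DirSyncEnabled
    Get-MsolUser -UserPrincipalName $upn |
        Select-Object UserPrincipalName, UsageLocation, Department, LastDirSyncTime
}
```

Get-AzureADUser -ObjectId accepts a UPN as well as a GUID, which is handy when a script is driven by a list of addresses. DirSyncEnabled is $null rather than $false for cloud-only users in the AzureAD module, which is why the check is written as a truthiness test instead of -eq $true.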
Not sure if anyone will notice, but as I was playing with the modules, I tabbed through the options for UserType and discovered something I've never seen before.

Anyone know what a "viral" user type is?

Whatever it is, it doesn't sound good, and I changed Test User Three to it
The last main function that I'll cover is deleting users.

Again, the commands are too long for Twitter, but you can find them all over on the repo:

github.com/nathanmcnulty/…

These 4 building blocks (New, Get, Set, and Remove) can help us automate user lifecycle in Azure AD.
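To round off the four building blocks, here is an added example (not from the thread or the repo) of the Remove step done the way a lifecycle script should do it: disable the account and revoke its refresh tokens first so existing sessions stop working now rather than when the tokens expire, then soft-delete, and finally show the restore path for when the deletion was a mistake. It assumes Connect-AzureAD and Connect-MsolService have been run; the UPN is a placeholder.

```powershell
# Added example: offboarding-style delete with restore, AzureAD module first, MSOnline equivalents after.
# Assumes Connect-AzureAD and Connect-MsolService; UPN is a placeholder.
$upn  = 'tuser3@domain.onmicrosoft.com'
$user = Get-AzureADUser -ObjectId $upn

# 1. Disable, then revoke refresh tokens. Deleting alone leaves already-issued tokens usable
#    until they expire, which is exactly the window an offboarding script is meant to close.
Set-AzureADUser -ObjectId $user.ObjectId -AccountEnabled $false
Revoke-AzureADUserAllRefreshToken -ObjectId $user.ObjectId

# 2. Soft delete: the object goes to the recycle bin and can be restored for 30 days
Remove-AzureADUser -ObjectId $user.ObjectId

# 3. Prove it is recoverable, then restore it (the same ObjectId survives the round trip)
Get-AzureADMSDeletedDirectoryObject -Id $user.ObjectId | Select-Object Id, DeletionTimestamp
Restore-AzureADMSDeletedDirectoryObject -Id $user.ObjectId

# MSOnline equivalents of steps 2 and 3 (run sequentially, this deletes and restores again)
Remove-MsolUser -UserPrincipalName $upn -Force
Get-MsolUser -ReturnDeletedUsers -UserPrincipalName $upn | Select-Object UserPrincipalName, SoftDeletionTimestamp
Restore-MsolUser -UserPrincipalName $upn

# Re-enable once you are sure the account should be back
Set-AzureADUser -ObjectId $user.ObjectId -AccountEnabled $true
```

The order of the first two steps matters: disabling the account blocks new sign-ins, and revoking refresh tokens forces clients to come back to Azure AD, where the disabled state is enforced. Access tokens already in hand keep working until their own lifetime runs out, which is one of the reasons Conditional Access and session controls get their own thread.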
Now that we have a handle on users, the next thread will be building groups. With that, we can do licensing, apps, and other fun stuff.

Hopefully you can see how you might be able to write scripts to build a lightweight IAM, and later, we'll talk AAD Connect and MS Graph :)
