Nathan McNulty
Apr 21, 2022 · 13 tweets
I'm a huge fan of Azure Automation. If you're an #AzureAD / #M365 Admin and haven't used it before, then this thread is for you

You will need an Azure subscription, but the first 500 minutes/month are free!

Here's an example of how to automate Azure AD device cleanup :)
First, we're going to log into the Azure portal: portal.azure.com

Search for Automation and click on Automation Accounts

Then we'll click Create, pick the sub and resource group (or create one), give it a descriptive name, select a location, and hit Review + Create
If you haven't heard, the MSOnline and AzureAD PowerShell modules are going away at the end of the year

Instead, we are going to use the new Graph SDK PowerShell modules

So let's go under Modules, click Add a Module, browse the gallery, and add Microsoft.Graph.Authentication
Now, the Graph SDK PowerShell modules are a bit... different

There are modules for every scope rather than one large module like we used to have. So we just did the one required for Authentication, and we also need to add the Microsoft.Graph.Identity.DirectoryManagement module
Now, we need to create a Run as account since Automation's Managed Identities only work for Azure resources (AFAIK - please correct me!)

Next up, we need to grant Graph API permissions to managed devices to the Service Principal that was just created by our Automation Account
So let's head over to App registrations and search for the name of our Automation Account

Select the account, then go to API permissions, and click Add a permission

In the Request API permissions dialog, click Microsoft Graph, then select Application permissions
In the filter, we'll search for Device.ReadWrite.All

Expand Device, check the box for Device.ReadWrite.All, then click Add permission

Now click Grant admin consent for the Service Principal to be authorized for your tenant and confirm
The final step is to create our Runbook

Go back to your Automation account, click Runbooks under Process Automation, and then click Create a runbook

Give it a name, select PowerShell for type, and the runtime needs to match modules, so 5.1 if following the images so far
Here's the code to paste in:

github.com/nathanmcnulty/…

You can test code in the Test pane (add -WhatIf), but first... Apparently Graph is different than AzureADPreview, so we will need one additional step - adding the Service Principal to the Cloud Device Administrator role
Whoops, don't forget to Publish!

Now go to Azure AD - Roles and Administrators, search for Cloud Device Administrator, click Add assignments, then search for the Service Principal for your Automation Account, and add it.

You should now be able to run with proper permissions!
If we go back to our Automation Account and look at the Runbook we just created, we can manually run this script by clicking Start. This will take us to the job where we can see output.

We can also see the history under Jobs for our Automation Account.

But let's schedule this!
Open your runbook, then click the Link to Schedule button

We want to link a schedule to our runbook, then add a schedule, and then configure it how we want :)
Here's an example of running daily at midnight

And that's really all there is to it!

You are now automating disabling of devices that haven't talked to AAD in 90 days :D
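The GitHub link above is truncated, so here is an added example of what such a runbook looks like; it is not the author's script. It assumes the default Run As connection name `AzureRunAsConnection`, the two Graph modules named in the thread on the 5.1 runtime, and the `Device.ReadWrite.All` permission plus Cloud Device Administrator role already granted; `-WhatIf` on the runbook flows down to `Update-MgDevice` so the Test pane can preview without disabling anything.

```powershell
# Added example runbook (not the author's script from the truncated GitHub link).
# Assumes: a Run As account connection named "AzureRunAsConnection" (the default
# name Azure Automation creates), the Microsoft.Graph.Authentication and
# Microsoft.Graph.Identity.DirectoryManagement modules imported, runtime 5.1,
# Device.ReadWrite.All application permission, and the Cloud Device Administrator role.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Devices with no sign-in for this many days are disabled (the thread uses 90)
    [int]$InactiveDays = 90
)

Import-Module Microsoft.Graph.Authentication
Import-Module Microsoft.Graph.Identity.DirectoryManagement

# Authenticate with the Run As account's certificate (app-only, no user context)
$conn = Get-AutomationConnection -Name 'AzureRunAsConnection'
Connect-MgGraph -TenantId $conn.TenantId `
                -ClientId $conn.ApplicationId `
                -CertificateThumbprint $conn.CertificateThumbprint | Out-Null

$cutoff = (Get-Date).ToUniversalTime().AddDays(-$InactiveDays)
Write-Output "Disabling devices not seen since $($cutoff.ToString('u'))"

# Pull only the properties we need; filter client-side so the logic stays explicit
$devices = Get-MgDevice -All -Property Id,DisplayName,AccountEnabled,ApproximateLastSignInDateTime

$stale = $devices | Where-Object {
    $_.AccountEnabled -eq $true -and                 # skip already-disabled devices
    $null -ne $_.ApproximateLastSignInDateTime -and  # skip devices that never reported a sign-in
    $_.ApproximateLastSignInDateTime -lt $cutoff
}

Write-Output "$($devices.Count) devices total, $($stale.Count) stale"

foreach ($d in $stale) {
    # -WhatIf on the runbook propagates here via ShouldProcess, so the Test pane
    # can preview the change set without modifying anything
    if ($PSCmdlet.ShouldProcess("$($d.DisplayName) ($($d.Id))", 'Disable device')) {
        # -DeviceId takes the directory object id, not the hardware deviceId property
        Update-MgDevice -DeviceId $d.Id -AccountEnabled:$false
        Write-Output "Disabled $($d.DisplayName) (last seen $($d.ApproximateLastSignInDateTime))"
    }
}

Disconnect-MgGraph | Out-Null
```

The job output lists every device touched, which gives you an audit trail under Jobs and a way to spot a bad threshold before the schedule runs it for real.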
