Nathan McNulty
Apr 21, 13 tweets, 10 min read
I'm a huge fan of Azure Automation. If you're an #AzureAD / #M365 Admin and haven't used it before, then this thread is for you

You will need an Azure subscription, but the first 500 minutes/month are free!

Here's an example of how to automate Azure AD device cleanup :)

First, we're going to log into the Azure portal: portal.azure.com

Search for Automation and click on Automation Accounts

Then we'll click Create, pick the sub and resource group (or create one), give it a descriptive name, select a location, and hit Review + Create

If you haven't heard, the MSOnline and AzureAD PowerShell modules are going away at the end of the year

Instead, we are going to use the new Graph SDK PowerShell modules

So let's go under Modules, click Add a Module, browse the gallery, and add Microsoft.Graph.Authentication

Now, the Graph SDK PowerShell modules are a bit... different

There are modules for every scope rather than one large module like we used to have. So we just did the one required for Authentication, and we also need to add the Microsoft.Graph.Identity.DirectoryManagement module

Now, we need to create a Run as account since Automation's Managed Identities only work for Azure resources (AFAIK - please correct me!)

Next up, we need to grant Graph API permissions for managing devices to the Service Principal that was just created by our Automation Account

So let's head over to App registrations and search for the name of our Automation Account

Select the account, then go to API permissions, and click Add a permission

In the Request API permissions dialog, click Microsoft Graph, then select Application permissions

In the filter, we'll search for Device.ReadWrite.All

Expand Device, check the box for Device.ReadWrite.All, then click Add permission

Now click Grant admin consent for the Service Principal to be authorized for your tenant and confirm

The final step is to create our Runbook

Go back to your Automation account, click Runbooks under Process Automation, and then click Create a runbook

Give it a name, select PowerShell for type, and the runtime needs to match the modules, so 5.1 if following the images so far

Here's the code to paste in:

github.com/nathanmcnulty/…

You can test code in the Test pane (add -WhatIf), but first... Apparently Graph is different than AzureADPreview, so we will need one additional step - adding the Service Principal to the Cloud Device Administrator role

Whoops, don't forget to Publish!

Now go to Azure AD - Roles and Administrators, search for Cloud Device Administrator, click Add assignments, then search for the Service Principal for your Automation Account, and add it.

You should now be able to run with proper permissions!
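The runbook below is an added example of the cleanup this thread describes, not the script behind the truncated GitHub link above. It assumes the Run As connection and certificate carry the default names Azure Automation creates (AzureRunAsConnection and AzureRunAsCertificate), that Connect-MgGraph accepts the certificate object via -Certificate, and that the Device.ReadWrite.All application permission and the Cloud Device Administrator role have been granted as described.

```powershell
# Added example runbook (not the thread's linked script). Assumes the Run As account,
# Device.ReadWrite.All application permission and Cloud Device Administrator role
# set up earlier, plus Microsoft.Graph.Authentication and
# Microsoft.Graph.Identity.DirectoryManagement imported into the Automation account.
[CmdletBinding(SupportsShouldProcess)]
param(
    # Devices with no Azure AD sign-in for this many days are disabled (90, as in the thread)
    [int]$InactiveDays = 90
)

# Azure Automation exposes the Run As connection and its certificate to the runbook
# under these default names (assumed here).
$conn = Get-AutomationConnection -Name 'AzureRunAsConnection'
$cert = Get-AutomationCertificate -Name 'AzureRunAsCertificate'

# App-only (certificate) authentication; the rights come from the Service Principal's
# application grants, not from any signed-in user.
Connect-MgGraph -ClientId $conn.ApplicationId -TenantId $conn.TenantId -Certificate $cert | Out-Null

$cutoff = (Get-Date).ToUniversalTime().AddDays(-$InactiveDays)

# Fetch every device once and filter client-side (no ConsistencyLevel header needed).
$devices = Get-MgDevice -All -Property Id,DisplayName,AccountEnabled,ApproximateLastSignInDateTime

# A null last sign-in means Azure AD never recorded one; those are reported but not
# touched, so the job output shows them instead of silently disabling them.
$neverSignedIn = @($devices | Where-Object { $_.AccountEnabled -and $null -eq $_.ApproximateLastSignInDateTime })
$stale = @($devices | Where-Object {
    $_.AccountEnabled -and $null -ne $_.ApproximateLastSignInDateTime -and
    $_.ApproximateLastSignInDateTime -lt $cutoff
})

Write-Output "Enabled devices with no recorded sign-in (skipped): $($neverSignedIn.Count)"
Write-Output "Enabled devices inactive for more than $InactiveDays days: $($stale.Count)"

foreach ($device in $stale) {
    # With -WhatIf (e.g. from the Test pane) ShouldProcess only prints the action.
    if ($PSCmdlet.ShouldProcess("$($device.DisplayName) [$($device.Id)]", 'Disable device')) {
        Update-MgDevice -DeviceId $device.Id -AccountEnabled:$false
        Write-Output "Disabled $($device.DisplayName); last sign-in $($device.ApproximateLastSignInDateTime)"
    }
}

Disconnect-MgGraph | Out-Null
```

Run it from the Test pane with -WhatIf first: ShouldProcess lists the devices that would be disabled without calling Update-MgDevice, and the job output also counts enabled devices that never recorded a sign-in so you can decide about those separately.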
If we go back to our Automation Account and look at the Runbook we just created, we can manually run this script by clicking Start. This will take us to the job where we can see output.

We can also see the history under Jobs for our Automation Account.

But let's schedule this!

Open your runbook, then click the Link to Schedule button

We want to link a schedule to our runbook, then add a schedule, and then configure it how we want :)

Here's an example of running daily at midnight

And that's really all there is to it!

You are now automating disabling of devices that haven't talked to AAD in 90 days :D

More from @NathanMcNulty

Nov 10, 2021
Lots of good patches today. Doing a quick thread on them as some of these have Event IDs that should be collected.

Domain controller impersonation using sAMAccountName spoofing

After applying KB5008102, collect System Log Event IDs 16990-16991 on DCs

support.microsoft.com/en-us/topic/kb…
To discover non-compliant sAMAccountNames:

Get-ADComputer -LDAPFilter "(samAccountName=*)" | ? SamAccountName -NotLike "*$" | select DNSHostName, Name, SamAccountName

Non-compliant UserAccountControl:

Get-ADComputer -LDAPFilter "(UserAccountControl:1.2.840.113556.1.4.803:=512)"
Next up, Arbitrary modification of security sensitive computer object attributes

AD allows anyone to join devices to the domain by default, so make sure you are locking this down regardless of patching status

Read 9 tweets
Nov 2, 2021
So you don't enforce MFA on all Azure admin roles? Not really sure where to start?

Looks like Microsoft has added a nice doc (and script in the doc) to help discover and assess your privileged users so you can minimize potential impacts ;)

docs.microsoft.com/en-us/azure/ac…
I think it's great they are pushing more and more content to make the message clear - all admins should be covered by strong authentication / conditional access policies

I am really curious about this though.. Anyone know what this refers to?
By the way, the docs here should be updated with a link to the Azure MFA Wizard (the docs folks are so awesome!)

Read 4 tweets
Sep 23, 2021
DMARC: Domain-based Message Authentication, Reporting and Conformance

Phew, that's a mouthful. Let's simplify this a bit.

DMARC lets you tell other mail servers what to do about email sent from your domains - apply policy and report

If you haven't done SPF/DKIM, do that first:
If you're using O365 and don't have DMARC reports going somewhere useful, you can now set this up for free:

microsoft.com/security/blog/…

Now, I'm not a big fan of how they handle DNS... but it's free? I've always used @dmarcian and really prefer the way they do it.

But let's test!
@dmarcian Cool, well, let's sign up:
use.valimail.com/Brand-Reputati…

Once you submit the form, you'll get a confirmation email with a link to activate your account

Following the link will take you to a page to set up your password. Heads up though, the password requirements are terrible... 😫
Read 11 tweets
Sep 18, 2021
Let's walk through setting up email in Office 365 :D

If you haven't added a custom domain or signed up for a free M365 Developer account, check the QT thread

To get started, let's sign into the M365 admin center (admin.microsoft.com) and sign into the DNS for your domain :)
While doing this setup through the M365 admin center is not required, it sure makes life easier if you don't know the DNS records off the top of your head

So we go under Settings - Domains, and you should see something like the picture below

Check your domain and continue setup
Now I'm going to warn you ahead of time, Microsoft has made some really dumb choices here...

I know it's to make life easier on people, but, well, you'll see :(

OK, so they tell you to add DNS records, and I'm going to hit Advanced Options and get the AAD/Intune records too
Read 16 tweets
Aug 15, 2021
I'd like to talk about #windows for a minute

I know it's hard to do something that will last 20+ years, and maybe design choices from the 90's weren't the best ideas...

There are foundational issues that need to be addressed. A clean install of windows ruined by its foundation.
The amount of failures I'm seeing are just unacceptable. We can all agree who is mostly to blame, but that won't help fix the years of rot we're looking at.

I do believe this can be fixed, but it's going to require removing old, vulnerable crap and rebuilding with a better base
The bandaid fix approach used over the last 20 years has obviously failed the test of time

It may look OK on the outside, but it's lipstick on a pig. Eventually someone pays for the underlying issues.

I just wish that didn't have to be us
Read 4 tweets
Jul 16, 2021
It's finally time to learn about Groups in Azure AD :)

Groups are foundational components for granting access to resources, email delivery, and even assigning licenses within Azure AD.

But first, you need users, so if you haven't yet, go create some :)

In Azure AD, we have a few different types of groups

The main group types are security and Microsoft 365 groups, but in Exchange we also have distribution lists which are mail enabled groups with no security context

Each group also has an assigned and dynamic membership type
Now, before we start creating groups, I need to warn you that Microsoft stupidly believes any user should be able to create groups, both security and M365 types

What you should know is that they can select any email address they want 😱

Let's start here: portal.azure.com/#blade/Microso…
Read 20 tweets