Nathan McNulty
Aug 8
In this thread, I will provide Graph PowerShell commands to find synced users with admin privileges

Microsoft has been very vocal about not granting privileges to synced accounts for about 4 years now

Read this post by @Alex_T_Weinert: techcommunity.microsoft.com/t5/microsoft-e…

Then check the commands below.
For those with PIM, these two scopes will get us what we need:

Connect-MgGraph -Scopes 'RoleAssignmentSchedule.Read.Directory','RoleEligibilitySchedule.Read.Directory'

If you don't use PIM, I believe you only need: RoleManagement.Read.Directory
First, we can get a list of all synced users who have an active assignment:

# Get active assignments (beta PIM API; cmdlet lives in Microsoft.Graph.Beta.Identity.Governance)
Get-MgBetaRoleManagementDirectoryRoleAssignmentSchedule -ExpandProperty RoleDefinition,Principal,DirectoryScope -All | ForEach-Object {
    $roleName  = $_.RoleDefinition.DisplayName
    $principal = $_.Principal.AdditionalProperties
    # Direct assignment to a synced user (the beta $expand returns onPremisesSyncEnabled on the principal;
    # -eq $true matters: false means "was synced, no longer is", null means never synced)
    if ($principal.'@odata.type' -eq '#microsoft.graph.user' -and $principal.onPremisesSyncEnabled -eq $true) {
        Write-Output "$roleName,$($principal.userPrincipalName)"
    }
    # Assignment to a role-assignable group: report its synced user members.
    # Casting members to users lets us select onPremisesSyncEnabled; -All pages past the default 100 members.
    if ($principal.'@odata.type' -eq '#microsoft.graph.group') {
        Get-MgGroupMemberAsUser -GroupId $_.PrincipalId -All -Property Id,UserPrincipalName,OnPremisesSyncEnabled |
            Where-Object { $_.OnPremisesSyncEnabled -eq $true } |
            ForEach-Object { Write-Output "$roleName,$($_.UserPrincipalName)" }
    }
    # Uncomment to include service principals (never synced, so no sync filter applies)
    #if ($principal.'@odata.type' -eq '#microsoft.graph.servicePrincipal') {
    #    Write-Output "$roleName,$($principal.appId)"
    #}
}
And here's the one for eligible assignments:

# Get eligible assignments (same shape as the active query, different schedule endpoint)
Get-MgBetaRoleManagementDirectoryRoleEligibilitySchedule -ExpandProperty RoleDefinition,Principal,DirectoryScope -All | ForEach-Object {
    $roleName  = $_.RoleDefinition.DisplayName
    $principal = $_.Principal.AdditionalProperties
    # Synced user eligible for the role directly
    if ($principal.'@odata.type' -eq '#microsoft.graph.user' -and $principal.onPremisesSyncEnabled -eq $true) {
        Write-Output "$roleName,$($principal.userPrincipalName)"
    }
    # Group eligible for the role: every synced user member can activate it
    if ($principal.'@odata.type' -eq '#microsoft.graph.group') {
        Get-MgGroupMemberAsUser -GroupId $_.PrincipalId -All -Property Id,UserPrincipalName,OnPremisesSyncEnabled |
            Where-Object { $_.OnPremisesSyncEnabled -eq $true } |
            ForEach-Object { Write-Output "$roleName,$($_.UserPrincipalName)" }
    }
    # Uncomment to include service principals
    #if ($principal.'@odata.type' -eq '#microsoft.graph.servicePrincipal') {
    #    Write-Output "$roleName,$($principal.appId)"
    #}
}
This should enumerate direct user assignments and users who are members of a role-assigned group

I also left the code in there for those who were curious about service principals and maybe just wanted to trim the synced part and generate a full report

LMK if you find issues!
Oh, and here's the one for those who don't have PIM:

Get-MgDirectoryRole -All | ForEach-Object {
    $roleName = $_.DisplayName
    # -All pages past the default 100 members; members can be users, groups or service principals.
    # No UPN-based prefilter: a synced user can carry an onmicrosoft.com UPN, so rely on onPremisesSyncEnabled only.
    Get-MgDirectoryRoleMember -DirectoryRoleId $_.Id -All | ForEach-Object {
        switch ($_.AdditionalProperties.'@odata.type') {
            '#microsoft.graph.user' {
                # v1.0 member objects omit onPremisesSyncEnabled, so fetch it once per user.
                # -eq $true: false means "was synced, no longer is", null means never synced
                $user = Get-MgUser -UserId $_.Id -Property UserPrincipalName,OnPremisesSyncEnabled
                if ($user.OnPremisesSyncEnabled -eq $true) { Write-Output "$roleName,$($user.UserPrincipalName)" }
            }
            '#microsoft.graph.group' {
                # Role-assignable group: report its synced user members too
                Get-MgGroupMemberAsUser -GroupId $_.Id -All -Property Id,UserPrincipalName,OnPremisesSyncEnabled |
                    Where-Object { $_.OnPremisesSyncEnabled -eq $true } |
                    ForEach-Object { Write-Output "$roleName,$($_.UserPrincipalName)" }
            }
        }
    }
}
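The thread mentions trimming the synced filter to produce a full report. As an added example that is not part of the thread, the script below consolidates the three queries above (PIM active, PIM eligible, classic directoryRoles membership) into one object-per-principal report where Synced is a column rather than a filter, and rows coming through a group carry the group name. The Microsoft.Graph and Microsoft.Graph.Beta cmdlet names are the real ones used above; the function names New-PrivilegedRow, Expand-GroupRows and Get-PrivilegedPrincipalReport, and the sample principal at the end, are mine. Reading group members and a user's sync state needs Directory.Read.All (or Group.Read.All plus User.Read.All) in addition to the role scopes from the thread.

```powershell
# Added example (not from the thread): consolidated privileged-principal report.
# Helper names below are hypothetical; Get-Mg* / Get-MgBeta* cmdlets are the real SDK ones.

function New-PrivilegedRow {
    # Flatten one principal into a row. $Principal is any dictionary/object exposing
    # '@odata.type', userPrincipalName, displayName, appId and onPremisesSyncEnabled.
    param($Role, $AssignmentType, $Principal, $ViaGroup = $null)
    $odataType = [string]$Principal.'@odata.type'
    $type = switch -Wildcard ($odataType) {
        '*.user'             { 'User' }
        '*.group'            { 'Group' }
        '*.servicePrincipal' { 'ServicePrincipal' }
        default              { 'Unknown' }
    }
    $name = if ($type -eq 'ServicePrincipal') { $Principal.appId }
            elseif ($Principal.userPrincipalName) { $Principal.userPrincipalName }
            else { $Principal.displayName }
    [pscustomobject]@{
        Role           = $Role
        AssignmentType = $AssignmentType                                  # Active | Eligible | DirectoryRole
        PrincipalType  = $type
        Principal      = $name
        Synced         = ($Principal.onPremisesSyncEnabled -eq $true)     # false and null both mean "not synced now"
        ViaGroup       = $ViaGroup                                        # group name when the role came via a group
    }
}

function Expand-GroupRows {
    # One row per user member of a role-assignable group. Casting members to users lets us
    # select onPremisesSyncEnabled, which the plain v1.0 member listing does not return.
    param($Role, $AssignmentType, $GroupId, $GroupName)
    Get-MgGroupMemberAsUser -GroupId $GroupId -All -Property Id,UserPrincipalName,OnPremisesSyncEnabled |
        ForEach-Object {
            New-PrivilegedRow -Role $Role -AssignmentType $AssignmentType -ViaGroup $GroupName -Principal @{
                '@odata.type'         = '#microsoft.graph.user'
                userPrincipalName     = $_.UserPrincipalName
                onPremisesSyncEnabled = $_.OnPremisesSyncEnabled
            }
        }
}

function Get-PrivilegedPrincipalReport {
    # -IncludePim adds the beta PIM schedules (RoleAssignmentSchedule.Read.Directory and
    # RoleEligibilitySchedule.Read.Directory scopes); directoryRoles needs RoleManagement.Read.Directory.
    param([switch]$IncludePim)
    $rows = [System.Collections.Generic.List[object]]::new()

    if ($IncludePim) {
        $pimSources = @(
            @{ Type = 'Active';   Items = Get-MgBetaRoleManagementDirectoryRoleAssignmentSchedule -ExpandProperty RoleDefinition,Principal -All }
            @{ Type = 'Eligible'; Items = Get-MgBetaRoleManagementDirectoryRoleEligibilitySchedule -ExpandProperty RoleDefinition,Principal -All }
        )
        foreach ($src in $pimSources) {
            foreach ($s in $src.Items) {
                $p    = $s.Principal.AdditionalProperties    # beta $expand already includes onPremisesSyncEnabled
                $role = $s.RoleDefinition.DisplayName
                $rows.Add((New-PrivilegedRow -Role $role -AssignmentType $src.Type -Principal $p))
                if ($p.'@odata.type' -eq '#microsoft.graph.group') {
                    Expand-GroupRows -Role $role -AssignmentType $src.Type -GroupId $s.PrincipalId -GroupName $p.displayName |
                        ForEach-Object { $rows.Add($_) }
                }
            }
        }
    }

    # Classic directoryRoles: works without PIM and reflects what is active right now
    foreach ($role in Get-MgDirectoryRole -All) {
        foreach ($m in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
            $p = [hashtable]::new($m.AdditionalProperties)
            if ($p.'@odata.type' -eq '#microsoft.graph.user') {
                # v1.0 member objects omit onPremisesSyncEnabled, so look it up per user
                $p.onPremisesSyncEnabled = (Get-MgUser -UserId $m.Id -Property OnPremisesSyncEnabled).OnPremisesSyncEnabled
            }
            $rows.Add((New-PrivilegedRow -Role $role.DisplayName -AssignmentType 'DirectoryRole' -Principal $p))
            if ($p.'@odata.type' -eq '#microsoft.graph.group') {
                Expand-GroupRows -Role $role.DisplayName -AssignmentType 'DirectoryRole' -GroupId $m.Id -GroupName $p.displayName |
                    ForEach-Object { $rows.Add($_) }
            }
        }
    }
    $rows
}

# Offline check of the row shape with a constructed principal (not real tenant data):
New-PrivilegedRow -Role 'Global Administrator' -AssignmentType 'Active' -Principal @{
    '@odata.type' = '#microsoft.graph.user'; userPrincipalName = 'alice@contoso.example'; onPremisesSyncEnabled = $true
}

# Real run, after Connect-MgGraph with the scopes above:
# Get-PrivilegedPrincipalReport -IncludePim | Where-Object Synced | Export-Csv .\synced-admins.csv -NoTypeInformation
```

Keeping Synced as a column means the same run answers both questions: drop the Where-Object for the full privileged inventory (service principals included), keep it for the synced-only list the thread is after. Because the directoryRoles pass is always included, a principal that is both permanently assigned and visible through PIM will appear twice, once per source, which is intentional so you can see where each assignment comes from.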
