Revoke Admin Consent for a delegated permission on a Service Principal with the MS Graph PowerShell SDK

Scenario: You use the Microsoft Graph Explorer tool to test a query. It requires you to consent to a permission so you use your admin account to do this. However, you click the check box to consent for the entire organization… woops! You did not mean to give everyone permissions for “AuditLog.Read.All” so now you need to revoke this permission. The easiest way to revoke consent is to just delete…

Read More

Microsoft Graph PowerShell SDK – Use Client Secret instead of Certificate for Service Principal login

The AAD Graph PowerShell SDK allowed you to use a client secret for the Application only ( Service Principal ) login flow – also known as the client_credentials grant flow. The documentation for the new Microsoft Graph PowerShell SDK does not tell you how to use a client secret but instead, uses the more secure certificate method for the flow: Use app-only authentication with the Microsoft Graph PowerShell SDK |…

Read More

Retrieve Schema Extension Values for Devices from PowerShell

You can create complex schema extension properties for devices and then retrieve those specific properties from PowerShell. This blog post will walk you through how to do this. I created an app registration in my tenant to be the owner of my device schema extension following these instructions but for devices: Add custom data to groups using schema extensions – Microsoft Graph | Microsoft Docs One thing to point out…

Read More

How to get and update Directory Schema Extension Attributes with the Microsoft Graph .Net SDK

Microsoft Graph Directory Schema Extensions are a convenient way to store additional data on certain objects such as users or groups. You can read about them here. This blog post is assuming you have already registered an extension and now you’re looking to be able to retrieve the extension and values for a user ( I will use a user object as an example ) or update the value using…

Read More

Use the Microsoft.Graph PowerShell SDK to get a list of Devices that do not have BitLocker Recovery Keys

As you may be aware, the AzureAD powershell module is being deprecated at the end of the year along with the AD Graph endpoint. As a result, all customers need to migrate their code to the Microsoft Graph endpoint. This blog post will show you how to use the Microsoft.Graph PowerShell module to get a list of devices that do not have a BitLocker Recovery key in Azure. This would…

Read More

Python Scripts may be detected as web-crawler when making Microsoft Graph requests.

Sometimes, a python script that is making Microsoft Graph requests may be detected by the gateway as a web-crawler if you are using a pool manager and block the request. The error will look similar to this: {‘error’: {‘code’: ‘UnknownError’, ‘message’: ‘\r\n403 Forbidden\r\n\r\n 403 Forbidden \r\n Microsoft-Azure-Application-Gateway/v2 \r\n\r\n\r\n’, ‘innerError’: {‘date’: ‘{UTC Date/Time}’, ‘request-id’: ‘{guid}’, ‘client-request-id’: ‘{guid}’}}} To overcome this issue the easiest way is to use the MS Graph SDK…

Read More

Download the user signInActivity from the beta endpoint using Microsoft Graph Powershell module.

You can use the Microsoft Graph Powershell module to download last sign in date / time for users from the Beta endpoint ( the signInActivity is currently not available in v1.0 ) and save the list to a .csv file. You must have the Microsoft Graph powershell module installed. This document will help you get started. My powershell script:

Read More

Users unable to lookup other users in the MS Graph Users endpoint

The Microsoft Graph endpoint is how you can interact programmatically with your tenant data. One of the most common scenarios is a MS Graph request to look up a user or users in the tenant. If you’re using delegated permissions in your access token, for a user to look up another user, the access token will need the delegated permission of User.Read.All However, there are ways to prevent users from…

Read More

Using the Application.ReadWrite.OwnedBy API permission

You have an application, when authenticated, and you want to be able to update its own properties such as the Client Secret or Certificate. The Application.ReadWrite.OwnedBy allows the application to manage applications in which it is a owner of. Otherwise meaning if you want to update its own properties, it would be have to an owner of itself. You can do this using the Microsoft Graph API: For more information…

Read More

Why do I sometimes get a 404 when trying to update an Azure Directory object after I just created it?

Azure AD is a distributed computing system which means, all of the data must be duplicated to the various data centers. You can read about the architecture of Azure here. We occasionally see a case where a customer is using Microsoft Graph to programmatically create a user, group, application, etc. and getting the object id back from that request and then using that id to do some kind of management…

Read More