Auditing Azure AD Registered Applications

Azure AD Registered Applications are the Azure AD version of Active Directory Service Accounts. Over time, the number of them grow and grow, each having permissions to consume information from Azure AD and or Microsoft Graph. As an Administrator of Azure AD there is maintenance associated with these Registered Applications, namely credential validity and more important application validity.

Credential expiration associated with Azure AD Registered Applications is quickly visible via the Azure Portal. We can quickly see Current, Expired and Expiring Soon credentials as shown in the screenshot below.… [Keep reading] “Auditing Azure AD Registered Applications”

ChatOps for Azure Active Directory

Last year I wrote Lithnet Microsoft Identity Manager plug-ins for PoshBot. After publishing those I developed the majority of a PoshBot plugin to enable ChatOps for Azure Active Directory. Finally with a little more bandwidth at the start of 2020 I’ve been able to put the finishing touches on the module and release it. ChatOps for Azure Active Directory using PoshBot is available from the PowerShell Gallery here and the source in GitHub here.… [Keep reading] “ChatOps for Azure Active Directory”

Sending and Querying Custom Log Data to Azure Monitor Logs

Recently for a customer engagement we had the requirement to take log data from a 3rd party application and ingest it into Azure Log Analytics to make the data available in Azure Monitor. Sending Custom Log Data to Azure Monitor Logs is currently in Public Preview. This Microsoft article provides an overview of the capability.

In addition to the standard tiers of an application, you may need to monitor other resources that have telemetry that can’t be collected with the other data sources.[Keep reading] “Sending and Querying Custom Log Data to Azure Monitor Logs”

Zero-Touch BitLocker with PowerShell

The majority of IT engineers and architects traverse various forms of security on a daily basis ranging from our complex alphanumeric corporate logon passwords to the increasingly common MFA prompts on our mobiles. You could say that we have become experts in navigating modern security measures required to stay protected. But perhaps you’re not familiar in planning and rolling out that same security, at scale, to your organisation’s Windows laptops in the form of disk encryption.[Keep reading] “Zero-Touch BitLocker with PowerShell”

x.509 Details – A PowerShell Module for decoding x.509 Certificates with time to certificate expiry

I’ve just published my X509Details PowerShell Module to the PowerShell Gallery. The x.509 Details PowerShell Module contains the Get-X509Details cmdlet that decodes a base64 encoded PEM/CER format x.509 Certificate and converts it to a PowerShell Object. But wait, there’s more. The reason I created the x.509 Details PowerShell Module is because through automation I need to know what is the ‘Expiry Date’ for a certificate. The returned PowerShell Object from my Get-X509Details cmdlet in the X509Details Module also includes the expiry date-time in PowerShell DateTime format as ‘timeToExpiry‘.… [Keep reading] “x.509 Details – A PowerShell Module for decoding x.509 Certificates with time to certificate expiry”

Azure Backup PowerShell removal of backup protection of a Azure VM

Originally posted on Lucian.Blog. Follow Lucian on Twitter: @LucianFrango.

I’ve been looking at Azure Backup and migrating some Windows VM’s from one Recovery Services Vault to another. This is mainly because I’ve taken a look at some production deployed VM’s and found they were aligned to the reference architecture Disaster Recovery and Backup policies. Long story short, 6 VM’s needed to be moved to maintain consistency.

Things get interesting in that my previous level of access at a customer has changed and I’m time poor, so I thought I’d use PowerShell to achieve this faster.… [Keep reading] “Azure Backup PowerShell removal of backup protection of a Azure VM”

Microsoft Graph using MSAL with PowerShell

Microsoft Authentication Libraries (MSAL) became Generally Available in May 2019 after a very long preview cycle whilst the libraries evolved to reach parity with its predecessor the Azure Active Directory Authentication Libraries (ADAL). I’ve previously used and written posts on leveraging ADAL libraries with PowerShell for Azure AD/Microsoft Graph integration using PowerShell. With some upcoming projects it’s time for me to start integrating with Microsoft Graph using MSAL with PowerShell. This post details how I transitioned from ADAL to MSAL and reduced my scripts by 60-300 lines depending on the integration.… [Keep reading] “Microsoft Graph using MSAL with PowerShell”

Generate SailPoint IdentityNow v2 & v3 API Credentials

This post details how to generate SailPoint IdentityNow v2 and v3 API credentials. This method is valid as of Oct 2019 whereby v3 Credentials are now able to be generated via the SailPoint IdentityNow Portal and v2 Credentials can be generated via the IdentityNow API. v2 credentials are useful for some legacy API’s and API calls that are long running tasks (which thereby use Digest Auth) over using the v3 JWT method. These credentials can then be leveraged by the  SailPoint IdentityNow PowerShell Module for IdentityNow orchestration tasks.… [Keep reading] “Generate SailPoint IdentityNow v2 & v3 API Credentials”

SailPoint IdentityNow PowerShell Module

I’ve just published v1 of my SailPoint IdentityNow PowerShell Module.

NOTE: This is not an official SailPoint IdentityNow PowerShell Module.


  • Easy command-line use, after setting default configuration options and securely saving them to the current user’s profile.
  • Get an IdentityNow Organisation and Get / Update an Organisation Configuration
  • Search IdentityNow Users
  • Search IdentityNow Users Profiles
  • Search IdentityNow Entitlements
  • Create / Get / Update / Remove IdentityNow Access Profiles
  • Create / Get / Start IdentityNow Certification Campaigns
  • Get IdentityNow Certification Campaign Reports (output to file or return as PSObject)
  • Create / Get / Update / Remove IdentityNow Governance Groups
  • Create / Get / Update / Remove IdentityNow Roles
  • Get / IdentityNow Sources
  • Get Accounts from an IdentityNow Source
  • Create / Update / Remove IdentityNow Source Account (Flat File / Delimited Sources)
  • Get / Complete IdentityNow Tasks
  • Get IdentityNow Virtual Appliance Clusters (and clients (VA’s))
  • Get / Update IdentityNow Applications
  • ….
[Keep reading] “SailPoint IdentityNow PowerShell Module”

Multi-Threading Granfeldt PowerShell Management Agent Imports

As I’m sure you are familiar (with my many posts on the topic), the Granfeldt PowerShell Management Agent is extremely flexible. When used to integrate Microsoft Identity Manager with modern REST API’s it is easy to retrieve pages of results from a REST API and process the objects through the Management Agent. However sometimes you need to integrate Microsoft Identity Manager with an API (e.g. a SOAP WebService) that doesn’t provide functionality to page results.… [Keep reading] “Multi-Threading Granfeldt PowerShell Management Agent Imports”