<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Microsoft Graph on dp666</title><link>https://dp666.net/tags/microsoft-graph/</link><description>Recent content in Microsoft Graph on dp666</description><generator>Hugo -- gohugo.io</generator><language>en-US</language><copyright>© 2026 Daniel Petri</copyright><lastBuildDate>Mon, 15 Dec 2025 10:00:00 +0100</lastBuildDate><atom:link href="https://dp666.net/tags/microsoft-graph/index.xml" rel="self" type="application/rss+xml"/><item><title>Conditional Access Policy Report: Export Everything to Get an Overview</title><link>https://dp666.net/blog/conditional-access-policy-report/</link><pubDate>Mon, 15 Dec 2025 10:00:00 +0100</pubDate><guid>https://dp666.net/blog/conditional-access-policy-report/</guid><description>The Problem # You have 40 Conditional Access policies. Some target users, some target groups, some target roles. Some include locations, some exclude them. Some enforce MFA, some enforce compliant devices, some do both with different operators. And you need to answer the question: “What is our current CA posture?”
The Entra ID portal shows one policy at a time. There is no native export. There is no overview that lets you see all policies side by side with all their conditions and controls. So you end up with a shared spreadsheet that someone manually maintains and that is always out of date.</description><media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://dp666.net/blog/conditional-access-policy-report/cover.png"/></item><item><title>Get a Complete Intune Assignment Report with PowerShell</title><link>https://dp666.net/blog/complete-intune-assignment-report/</link><pubDate>Sat, 22 Nov 2025 10:00:00 +0100</pubDate><guid>https://dp666.net/blog/complete-intune-assignment-report/</guid><description>The Problem # “Which group is this policy assigned to?” is a question you can answer in the portal. “Which policies are assigned to this group?” is harder. “Show me every assignment in the entire tenant” is impossible without scripting.
Intune scatters assignments across device configurations, compliance policies, Settings Catalog, endpoint security, app protection policies, app configurations, scripts, update rings, Autopilot profiles, and applications. There is no single view. When you are troubleshooting why a device is getting a specific policy, or auditing your entire assignment model, you need everything in one place.</description><media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://dp666.net/blog/complete-intune-assignment-report/cover.png"/></item><item><title>Automated Guest Account Lifecycle Management in Entra ID</title><link>https://dp666.net/blog/guest-account-lifecycle-management/</link><pubDate>Sun, 12 Oct 2025 10:00:00 +0100</pubDate><guid>https://dp666.net/blog/guest-account-lifecycle-management/</guid><description>The Problem # Every B2B collaboration, vendor engagement, and external consultant invitation creates a guest account in your Entra ID tenant. Over time, these accumulate. People leave partner organizations, projects end, contracts expire – but the guest accounts persist. They retain whatever access they were granted, their tokens remain valid, and nobody reviews them.
Access reviews help if someone’s running them. Usually, nobody is.</description><media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://dp666.net/blog/guest-account-lifecycle-management/cover.png"/></item><item><title>Setting Managed Identity Permissions via PowerShell (No Portal Needed)</title><link>https://dp666.net/blog/managed-identity-permissions-powershell/</link><pubDate>Fri, 26 Sep 2025 10:00:00 +0100</pubDate><guid>https://dp666.net/blog/managed-identity-permissions-powershell/</guid><description>The Problem # Managed Identities are the recommended way to authenticate Azure resources – Azure Functions, Logic Apps, Automation Accounts – to Microsoft Graph. No secrets. No certificates. No credential rotation. The identity is managed by the platform.
The problem comes when you need to assign Graph API permissions to that identity. Microsoft added basic portal support for this in late 2023 via Enterprise Applications, but it is click-heavy, not scriptable, and gives you no audit trail. If you’re deploying infrastructure as code, managing multiple identities, or need to know what every managed identity in your tenant can do – you need PowerShell.</description><media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://dp666.net/blog/managed-identity-permissions-powershell/cover.png"/></item><item><title>Audit MFA Methods Across Your Tenant via Graph API</title><link>https://dp666.net/blog/audit-mfa-methods-via-graph-api/</link><pubDate>Sat, 12 Jul 2025 10:00:00 +0100</pubDate><guid>https://dp666.net/blog/audit-mfa-methods-via-graph-api/</guid><description>The Problem # You can see which MFA methods users have registered. Entra ID tells you that. What it doesn’t tell you at a glance is which methods they’re actually using day-to-day. A user might have registered a FIDO2 key, a phone, and Microsoft Authenticator – but if they’re approving every sign-in with SMS, their registered FIDO2 key is security theater.</description><media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://dp666.net/blog/audit-mfa-methods-via-graph-api/cover.png"/></item><item><title>Find Unassigned Intune Groups Before They Pile Up</title><link>https://dp666.net/blog/find-unassigned-intune-groups/</link><pubDate>Mon, 03 Mar 2025 10:00:00 +0100</pubDate><guid>https://dp666.net/blog/find-unassigned-intune-groups/</guid><description>The Problem # Every Intune environment I’ve worked in has the same disease: groups that were created for a purpose, assigned to something, and then forgotten when the policy was deleted or reassigned. Over time, you end up with dozens – sometimes hundreds – of groups prefixed with “Intune” that are not assigned to anything. 
They clutter your group list, confuse new team members, and make it difficult to tell which groups are load-bearing and which are dead weight.</description><media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://dp666.net/blog/find-unassigned-intune-groups/cover.png"/></item><item><title>Bulk Autopilot Device Properties with the Graph API</title><link>https://dp666.net/blog/automate-autopilot-naming-group-tags/</link><pubDate>Tue, 22 Oct 2024 10:00:00 +0100</pubDate><guid>https://dp666.net/blog/automate-autopilot-naming-group-tags/</guid><description>The Problem # Windows Autopilot group tags are how you tell Autopilot which profile to use. The profile drives the entire enrollment experience – what gets installed, how the device is configured, whether it even prompts for credentials. Get the group tag wrong and you get the wrong profile, which means devices enroll wrong, which means someone re-images them manually or explains to the help desk why 50 new kiosk machines went through OOBE like standard user deployments.</description><media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://dp666.net/blog/automate-autopilot-naming-group-tags/cover.png"/></item><item><title>Dynamic User and Device Enumeration on steroids</title><link>https://dp666.net/blog/dynamic-user-and-device-enumeration-on-steroids/</link><pubDate>Tue, 11 Jul 2023 12:00:00 +0100</pubDate><guid>https://dp666.net/blog/dynamic-user-and-device-enumeration-on-steroids/</guid><description>DUDE is evolving! A lot has happened since the beginning of DUDE.
Let me share the initial purpose of the DUDE solution to refresh your memories:
The purpose of this solution is to have dynamic user groups based on any attribute supported in Azure AD groups and a corresponding assigned device group. The script will then check who’s in the user group, grab all the users’ devices from Intune and add them to the corresponding device group. If a user is removed from the user group, their device will also automatically be removed from the device group.</description><media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://dp666.net/blog/dynamic-user-and-device-enumeration-on-steroids/cover.png"/></item><item><title>Dynamic Device Scope Tags with Azure Functions and Teams</title><link>https://dp666.net/blog/dynamic-device-scope-tags-with-azure-functions-and-teams/</link><pubDate>Fri, 28 Oct 2022 12:00:00 +0100</pubDate><guid>https://dp666.net/blog/dynamic-device-scope-tags-with-azure-functions-and-teams/</guid><description>So it’s finally time for a new version of DUDE! If you are reading about DUDE for the first time, I’ll tell you it stands for Dynamic User and Device Enumeration. The purpose of this solution is to have dynamic user groups based on any attribute supported in Azure AD groups and a corresponding assigned device group. The script will then check who’s in the user group, grab all the users’ devices from Intune and add them to the desired group.
If a user is removed from the user group, their device will also automatically be removed from the device group.</description><media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://dp666.net/blog/dynamic-device-scope-tags-with-azure-functions-and-teams/cover.png"/></item><item><title>Dynamic Device Scope Tags with Azure Functions</title><link>https://dp666.net/blog/dynamic-device-scope-tags-with-azure-functions/</link><pubDate>Thu, 09 Dec 2021 12:00:00 +0100</pubDate><guid>https://dp666.net/blog/dynamic-device-scope-tags-with-azure-functions/</guid><description>In this previous blog post I showed you how to set dynamic device scope tags with Azure Automation. This time we will be using Azure Functions, which will suit larger environments better. Based on my experience I would say that if you have 10k devices or less, go with the Azure Automation solution. If you have 10k devices or more, go with the Azure Functions solution.
I will explain how you could set this up by creating dynamic user groups, for example for the HR department, and then have Azure Functions gather all the HR users’ devices and add them to the correct device group automatically. If the user attribute changes, for example if a user leaves the HR department, their devices will be removed from the device group automatically.</description><media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://dp666.net/blog/dynamic-device-scope-tags-with-azure-functions/cover.png"/></item><item><title>Dynamic Device Scope Tags with Azure Automation</title><link>https://dp666.net/blog/dynamic-device-scope-tags-with-azure-automation/</link><pubDate>Sat, 09 Oct 2021 12:00:00 +0100</pubDate><guid>https://dp666.net/blog/dynamic-device-scope-tags-with-azure-automation/</guid><description>It feels like eventually all customers end up in this situation where they need to tag devices for administration, invoicing or something else. So the purpose of this post is to help you automate this process with the help of a PowerShell runbook in Azure Automation.
Updated 2021-10-10 — Thanks to Michael Mardahl for pointing out that managed identity should be used instead of client secrets.
I will explain how you could set this up by creating dynamic user groups, for example for the HR department, and then have the Runbook gather all the HR users’ devices from Intune and add them to the correct device group automatically. If the user attribute changes, for example if a user leaves the HR department, their devices will be removed from the device group automatically.</description><media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://dp666.net/blog/dynamic-device-scope-tags-with-azure-automation/cover.png"/></item></channel></rss>