Using Dev Proxy to Identify Excessive Microsoft Graph Permissions in Your PowerShell Scripts

Using Dev Proxy to Identify Excessive Microsoft Graph Permissions in Your PowerShell Scripts

Comments 0 Comment

Objective

The goal of this article is to show how Microsoft Dev Proxy can be used to audit Microsoft Graph permissions in PowerShell scripts and detect unnecessary scopes. Instead of manually mapping Graph endpoints to permissions, you’ll learn how to automate least-privilege analysis, uncover permission creep, and integrate these checks into your development workflow.

With Microsoft’s Dev Proxy you can use the GraphMinimalPermissionsGuidance plugin to compare the permissions in the JWT that is sent to Microsoft Graph against the permissions needed for each request.

Resolution

Install Dev Proxy

First, we need to install Microsoft Dev Proxy. Microsoft has some great documentation for installing it on Windows, macOS and Linux in an automated fashion or manually. Since I am on macOS I am going to install it using homebrew:

brew tap dotnet/dev-proxy
brew install dev-proxy

Start Dev Proxy

Once you have it installed, run … Continue...

Stop Configuration Drift in Microsoft 365 Using the new Configuration Management API’s – A Deep Dive

Stop Configuration Drift in Microsoft 365 Using the new Configuration Management API’s – A Deep Dive

Comments 0 Comment

Overview

Microsoft has released into public preview a new set of APIs that enable administrators to monitor and alert on configuration changes across one or more tenants, spanning multiple Microsoft 365 workloads, including:

  • Microsoft Entra
  • Exchange Online
  • Microsoft Intune
  • Microsoft Defender
  • Microsoft Purview
  • Microsoft Teams

This product is currently in Public Preview. Features and functionality may change or experience issues, so please refer to Microsoft’s documentation for the most up-to-date information.

Current Limitations

At the time of this blog post, the limitations can be found below. You can check the latest limitations here.

Tenant Monitoring

  • 30 configurationMonitor objects per tenant
  • Each configurationMonitor runs at a fixed interval of 6 hours.
  • Can monitor up to 800 configuration resources per day per tenant, across all monitors.
    • Administrators have full control over how this quota is consumed, whether through a single monitor or multiple monitors. For example, if a monitor’s baseline includes 20
Continue...
How I Automated the Tracking of the Holiday Metra Train

How I Automated the Tracking of the Holiday Metra Train

Comments 0 Comment
source: https://www.facebook.com/MetraRail/posts/all-aboard-the-holiday-train-tickets-for-our-holiday-train-go-on-sale-monday-nov/865445549331428/

Objective

This post is a bit different from my usual content, as it may only be of interest to people living in the Chicagoland area. Chicago’s regional commuter rail is called the Metra, and during the holidays they have several trains that are decked out in holiday lights and the inside is decorated with lights, ornaments, and other holiday decor.

Note: This is not to be confused with the Metra holiday train where you ride it and meet Santa, while they may use the same trains, Metra will also use the holiday trains for regularly scheduled trains in and out of the city.

As a father with a kid who loves everything about trains, I looked to see if Metra published a schedule or if there was a way I could track the holiday trains so we could get on it. The only thing I found was the following websiteContinue...

Using PowerShell to Block GitLab Merges with Unchecked Issue Checkboxes

Using PowerShell to Block GitLab Merges with Unchecked Issue Checkboxes

Comments 0 Comment

Objective

This blog post demonstrates how to enforce acceptance criteria in GitLab merge requests using PowerShell pipelines. By validating that all checkboxes in linked issues are completed before a merge is allowed, development teams can ensure higher quality and consistency in their codebase. The solution leverages GitLab’s API to automatically check issue descriptions, report any unchecked items, and post comments on the merge request. This approach helps maintain accountability, reduces errors, and streamlines the review process for collaborative software projects.

Prerequisites

Resolution

Gitlab

Create an Access Token

First, we need to go to Personal access tokens to create a new PAT in Gitlab. Click the “Add new token” button. Give your token a name, description (optional) and expiration date. In the Scope section, select api. You can review the scope permissions here.

Next, when it shows you your token, copy it down for … Continue...

Notify Requesters When GitLab Issues Move Through the Development Pipeline

Notify Requesters When GitLab Issues Move Through the Development Pipeline

Comments 0 Comment

Objective

I use GitLab’s Customer Relationship Management (CRM) feature to track who requested each item. From there, I wanted a way for requesters to be automatically notified as their item moved through the development pipeline, from Backlog to In Progress, Testing/Review, and finally Done. GitLab supports webhooks that trigger on issue events such as creation, updates, closures, and openings. Using this capability, I built a PowerShell Azure function that receives the webhook payload, identifies when a status label changes, retrieves the CRM contact linked to the issue, and sends them an email notification.

Prerequisites

  • Gitlab Account for an access token and to create the webhook
  • Gitlab status as scoped Labels (ex: Status::In Progress)
    • You can change the logic within the Azure Function but by default is will be looking for the status scoped label to determine old and current status of an item.
  • Contacts filled out in Gitlab’s CRM (Plan
Continue...
Documentation as Code: Using YAML, GitHub Actions, and Azure to Power a Living Catalog

Documentation as Code: Using YAML, GitHub Actions, and Azure to Power a Living Catalog

Comments 0 Comment

Objective

More and more companies are moving into the world of DevOps and automation. As this grows, you begin to face a scaling problem. You now have dozens of automations interacting with different systems, each using its own API keys or managed identities. With so many moving pieces, you need a way to keep track of everything. After spending time looking through different products to help with this problem, I realized that we could lean into automation itself to help with a solution. When creating the product I kept several goals in mind:

  1. Be able to manage, update and deploy using Git. Leveraging CI/CD to update the front end for me.
  2. Automation project structure should be simple, I don’t want engineers or managers spending a lot of time adding or editing projects.
  3. The site should be easily customizable to fit different needs.
  4. Ability to track time saved and cost saved
Continue...
Building Event-Driven Automations in Microsoft 365 Using Graph Subscriptions

Building Event-Driven Automations in Microsoft 365 Using Graph Subscriptions

Comments 0 Comment

Objective

This post demonstrates how to use Microsoft Graph Subscriptions to create event-driven automation in Microsoft 365. Graph Subscriptions allow applications to receive real-time notifications when specific changes occur within Microsoft 365 resources such as users, groups, or mailboxes, without the need for constant polling. By subscribing to these change events, we can build responsive workflows that automatically react to updates like group membership changes and trigger downstream actions in Azure Functions or Automation Accounts.

In this article, I will create a Microsoft Graph Subscription that listens for changes to a specific group’s membership. When a user is added or removed, it triggers an Azure Function that identifies the user, looks them up in Microsoft 365, and then adds or removes them from the Proofpoint portal accordingly.

A subscription lifespan is dependent on the resource with some as short as 1 hour. Refer to the subscription lifetime documentation for more

Continue...
Auto Deploy Progressive Web Applications (PWA) using Intune or PowerShell

Auto Deploy Progressive Web Applications (PWA) using Intune or PowerShell

Comments 3 comments

Objective

In this article I will walk you through installing progressive web app’s, or PWA’s to endpoint machines using either PowerShell or Microsoft Intune. You may want to do this for users with frontline licenses that grant them web apps but not full desktop application’s.

What are Progressive Web Applications?

Progressive Web Apps (PWAs) are web applications that use modern web technologies to deliver an app-like experience to users, but without requiring them to install a traditional app from an app store. Think of them as a blend between websites and mobile/desktop apps.

Resolution

Below, I will walk you through installing PWA’s on end user machines silently, without user interaction.

Intune

The intune configuration policy follows the WebAppInstallForceList. You can currently define default_launch_container, create_desktop_shortcut, fallback_app_name, custom_name, custom_icon and install_as_shortcut. The site goes into detail what each setting configures.

Note: Currently there are … Continue...

Detect Modified SharePoint List Items and Retrieve Old Values in Sharepoint Using Logic Apps

Detect Modified SharePoint List Items and Retrieve Old Values in Sharepoint Using Logic Apps

Comments 0 Comment

Overview

I currently have a SharePoint list with an identity (person or group) column called “Owners,” where I can search for employees and add them to a list item. I then want to e-mail newly added people that they have been added to a list item so they can go and review the details of it.

While SharePoint does have an ‘automate’ feature where you can detect a list item’s column is modified, the only option is to send an email to all the people that are currently in that column. So, if you add a new person, it will re-email everyone who is already there. The other issue is that the e-mail says (below) is non-descript, so your users will be confused about why they are getting it.

Logic Apps does have a trigger that is “When an item is modified,” but its output is the current … Continue...

Automating Code Compliance: AI-Driven Code Style Enforcement for Pull Requests

Automating Code Compliance: AI-Driven Code Style Enforcement for Pull Requests

Comments 0 Comment

Overview

As teams increasingly rely on automation for code quality and compliance, ensuring consistent coding standards can be challenging during the pull request (PR) process. In this article, we explore how to build an AI-powered style enforcement pipeline using modern tools like GPT-4 and CI/CD workflows.

You’ll learn how to:

  • Enforce best practices and team-specific coding guidelines without manual intervention.
  • Integrate automated code reviews into your PR pipelines.
  • Leverage AI to detect style violations, generate actionable reports, and even suggest fixes.

With this in place, you can lower the amount of time code reviews take your engineers, and even have the Pull Request be rejected until the resolutions are addressed and marked as complete.

How It Works

  • We will set up a Pipeline that will be triggered upon a new Pull Request in the repository.
  • If there are modified PowerShell files (ex: .ps1, .psm1, .psd1)
  • Then, import
Continue...