Author

Brad Wyatt

My name is Bradley Wyatt; I am a Microsoft Most Valuable Professional and I am currently a Cloud Solutions Architect at PSM Partners in the Chicagoland area.

Posts by Brad Wyatt

Microsoft Graph API Endpoint Adds Last Successful Sign-In Date Time

Microsoft Graph API Endpoint Adds Last Successful Sign-In Date Time

Comments 0 Comment

Previously, if you wanted to find a user’s last successful sign-in to your Microsoft 365 tenant using the Microsoft Graph REST API, you would have to iterate through Entra ID sign-in logs. With new recent additions to the Microsoft Graph API Beta Endpoint, you can now return the UTC value just by parsing the user details and properties. The Microsoft documentation regarding the signInActivity resource type can be found here.

LastSignInDateTime vs LastSuccessfulSignInDateTime

The difference between lastSignInDateTime and lastSuccessfulSignInDateTime property is:

  • lastSignInDateTime: The last interactive sign-in date and time for a specific user. You can use this field to calculate the last time a user attempted to sign into the directory the directory with an interactive authentication method. This field can be used to build reports, such as inactive users. The timestamp represents date and time information using ISO 8601 format and is always in UTC time. For
Continue...
Getting Started with the IntuneCLI, an Automated Intune Management Solution

Getting Started with the IntuneCLI, an Automated Intune Management Solution

Comments 1 comment

Disclaimer: The IntuneAssistant is an ongoing project that is in development. The document below may be outdated in newer versions. The developer is very active on GitHub if you run into any issues. You should reference the GitHub Project: https://github.com/srozemuller/IntuneAssistant

I would also recommend checking out their blog at: Sander Rozemuller | All about Identity, AVD, Automation, DevOps, Monitoring, Intune and Security

Obtaining the IntuneAssistant

Manual

The first thing we need to do, is to download the CLI binary which can be found here. In my case, I am running a M1 Pro Mac so I will grab the MacOS ARM binary. I then placed it in a folder called “Dev” in the root of my Home directory.

Make the Binary Executable

The next step in the process is to make the binary executable. This is something that you do not have to do on a Windows machine, … Continue...

Centrally Manage Company Contacts and Deploy to Built-In Contacts App Using Intune, SharePoint, PowerShell and Graph API.

Centrally Manage Company Contacts and Deploy to Built-In Contacts App Using Intune, SharePoint, PowerShell and Graph API.

Comments 9 comments

I recently met with a company that was looking for a better way to get contacts to their employee’s work phones. Currently, they are sending a .vcf file and then having the employees manually save the contacts. While this works, the problem is if you need to send a new contact, you now need to send a new .vcf file to every employee and instruct them on how to save it. Similarly, if you ever need to remove a contact, you need to instruct your employees to manually delete that contact.

One of the first things I thought about, is creating an App Configuration Policy to force Outlook to sync contacts to native apps. Most of the contacts I need to sync to the phone were employees of the company so I figured it would sync from the Global Address List and then maybe I could create contacts in … Continue...

Windows LAPS Management, Configuration and Troubleshooting Using Microsoft Intune

Windows LAPS Management, Configuration and Troubleshooting Using Microsoft Intune

Comments 32 comments

Windows Local Administrator Password Solution (Windows LAPS) is a Windows Feature that allows IT Administrators to secure and protect local administrator passwords. This includes automatic rotation of passwords as well as backing up the passwords to Azure Active Directory or Active Directory. You can configure Windows LAPS on your Windows endpoints using Microsoft Intune.

Pre-requisites

To use Windows LAPS in Intune, ensure you’re using a supported Windows platform:

You might also have to enable Azure AD Local Administrator Password Solution (LAPS) within your Azure Tenant.

  • Azure Active Directory > Devices > Device Settings > Azure AD Local Administrator Password Solution (LAPS)
    Note: You may not have to do this once the product is
Continue...
Modern Active Directory – An update to PSHTML-AD-Report

Modern Active Directory – An update to PSHTML-AD-Report

Comments 13 comments

This is a guest blog by Mehdi Dakhama, you can check out his blog here. He has transformed and improved upon PSHTML AD Report.

About

This document presents the Modern Active Directory project, which aims to bring a more modern view on your Active Directory, whether to view key indicators or to perform advanced searches in a simple way.

With this PowerShell module that accesses your Active Directory in read-only mode, you can view and query your directory from a Web page. This directory status is generated on demand by executing a command or automatically so that you receive a daily report by e-mail.

Current Reporting and Limitations

Default console limits

By default, two consoles (DSA and DSAC) are proposed to administer the DA. These consoles have not evolved for several years and they are limited in terms of functionality. Moreover, the installation of these consoles requires administrator … Continue...

Set-ADUser: Dealing with Null Values when Importing a CSV; Working with Parameters and Properties that don’t Accept Empty Strings

Set-ADUser: Dealing with Null Values when Importing a CSV; Working with Parameters and Properties that don’t Accept Empty Strings

Comments 3 comments

Recently, I set out on populating a test Active Directory environment from a production environment. This included populating Active Directory Users and Computers with my users from production. I figured I could quickly export my users from production to a CSV file, include any properties I wanted to import over to the test environment, and then create the new users based on the CSV file using New-ADUser and Set-ADUser respectably. Quickly, I realized that I had a problem. I couldn’t just import the CSV file and have it iterate through each user because some parameters do not accept null values, meaning if I am calling the parameter, it wants a value, no exceptions. This is the same for LDAP properties as well that use the Replace parameter.

The Instance Parameter

The first possible fix I found, was the use of the Instance parameter. The Instance parameter will change properties of … Continue...

Migrate your Runbooks in Azure Automation to Managed Identities

Migrate your Runbooks in Azure Automation to Managed Identities

Comments 2 comments

Microsoft has recently announced that on September 30th, 2023, Azure Automation RunAs accounts, including Classic Run As accounts, will be retired so you will need to migrate your runbooks to managed identities for authentication. Managed Identities provide the same functionality as a RunAs accounts, plus:

  • Secure authentication to any Azure service that supports Azure Active Directory (Azure AD) authentication.
  • Minimized management overhead with easy access to resources.
  • Simplified runbooks with no requirement to use multi-line code.

Review your Automation Accounts

The first item that must be done, is to review your Automation Accounts within Azure to see which one, if any, are using RunAs or Classic RunAs Accounts. In Azure go to Automation Accounts. In the screenshot below we can see that I have a total of four (4) different automation accounts that span three (3) resource groups, and two (2) Azure subscriptions.

If I click an Automation Account and … Continue...

Enable Firefox Windows Single Sign-On using Intune

Enable Firefox Windows Single Sign-On using Intune

Comments 0 Comment

One reason you may want to enable Windows SSO within Firefox, is so that your users on Azure AD or Hybrid joined machines can log into Microosft 365 services, such as Outlook, without having to re-authenticate. In this post, I will show you how to leverage Intune and custom configuration profiles to configure Firefox to enable Windows SSO.

Prerequisites

  • Firefox ADMX file located here
  • Intune
  • Mozilla Firefox version 91 or newer
  • Intune Administrator
  • Test Machine with a valid Intune License

Create the Policy

  1. Navigate to the Intune admin portal
  2. Go to Devices > Windows > Configuration profiles > + Create profile
  3. Under ‘Platform‘ select Windows 10 and later. For ‘Profile type‘ select Templates, and then select a Custom template.
  4. Give you new configuration policy a good name and description so other administrators will understand what it does without having to view the configuration
Continue...
Allow Non-Admin Users to Manage Their Desktop Icons Using Intune

Allow Non-Admin Users to Manage Their Desktop Icons Using Intune

Comments 0 Comment

Many IT organizations do not allow their end users to be local administrators on company endpoints, and for good reason. But one issue I have ran across is that some applications install an icon on the public desktop (C:\Users\Public\Desktop) and the end user is unable to delete the icon as it requires administrative rights. Using PowerShell, we can modify the ACL of the public desktop folder and allow our non-admin users to delete these shortcuts.

Copy the PowerShell script below and save it somewhere we can reference it later. This script modifies the permissions for the folder ‘C:\Users\Public\Desktop’ and adds the ‘authenticated users‘ entity to it with the ‘modify’ permission.

$folderPath = "C:\Users\Public\Desktop"
$acl = Get-Acl $folderPath
$user = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-11')
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule ($user,"Modify", "ContainerInherit,ObjectInherit", "None", "Allow")
$acl.SetAccessRule($rule)
Set-ACL $folderPath $acl

Open a web browser and navigate to Intune.Microsoft.com > Devices > Scripts and Add a … Continue...

Fix Issue with Connecting Managed Google Play to Intune (We couldn’t connect to that service)

Fix Issue with Connecting Managed Google Play to Intune (We couldn’t connect to that service)

Comments 1 comment

Recently, I was connecting Google Play to Intune and ran across an issue that I did not see documented anywhere. I spent a great deal of time pulling my hair out trying to figure out where the disconnect was. I was at the intune portal (intune.microsoft.com) and went to Devices > Android > Android enrollment and clicked Managed Google Play to connect Google Play to Intune.

The Google Play window would pop up and I would sign into my account. In the top right corner you can see my account is signed in. I would click the Re-Enroll button (of if its your first time you would click Enroll or Sign-In)

I would get a redirection window that would hang for 15-20 seconds.

Until it ultimately failed with the following error:

Try that again using a different browser
We couldn’t connect to that service, likely because of settings put in
Continue...