Going Loopy rotating Entra ID App Certificates with PowerShell

While working on my appeal against Application.ReadWrite.All, I stumbled upon a potential way to rotate an application’s authentication certificate without Graph API permissions. After some experimentation, I was unable to get it running in PowerShell, so I set it aside for the time being to finish the article. However, the topic continued to intrigue me,...

You (probably) don’t need Application.ReadWrite.All

When Microsoft first disclosed the January Midnight Blizzard attack and posted their subsequent deeper analysis, I followed the resulting content with great interest – risks posed by Enterprise Applications are a topic near and dear to me. I will try to keep this article standalone, but it might be a good idea to skim the...

Theatre Against Overprivilege: PAM Edition – Proof of Concept

This article is the practical part of the Theory – for the answer to the question "What’s the purpose of all this?", please refer to that Article. To ensure I’m not seen as someone who says "someone should" and then does nothing, here follows a (by my standards) "quick" proof of concept on how password...

Connect-MgGraph with Username and Password

In my work on the practical implementation of Password Rotation without Privileged Authentication Administrator, I stumbled upon a somewhat extensive challenge. When trying to use PowerShell to sign in to the Graph API using username + password, I couldn’t find a combination in the PowerShell SDK. The only method would be ClientID + Secret –...

How do I (re)set Entra ID Passwords with PowerShell? (2023)

The Legacy Problem: When this question is asked, the most common answers online unfortunately still use old PowerShell modules (Azure AD, Azure AD Preview, MSOL), which are being deprecated. To try and help remedy this, I have collected some solutions using the PowerShell Graph SDK. Note: Necessary permissions are best found using Find-MgGraphCommand "<CmdLet>". Change...

Working with Entra ID Directory Extensions

Entra ID Directory Extensions: Have you ever wanted to save information in Entra ID, but couldn’t find an appropriate attribute to store your data? For example, storing someone's nickname in a usable fashion? Or you need a specific attribute from your HR Software for Single Sign-On or authorization? Or for Dynamic Groups? If you have...