
The road to Microsoft MVP and beyond

Today, a slightly different post. I think it’s time to step away from the technical stuff for a moment and tell you more about my experiences in the Microsoft tech community so far. On July 5th, 2022, I was re-awarded for the first time, entering my second year as an MVP. It seemed like a good moment to look back. I will also share some tips and lessons learned. How it started Back in 2017, I was working as a… 

Automate issuing Temporary Access Pass for joiners with LifeCycle Workflows

On September 30th, 2022, Pim Jacobs and I did a session on the brand new Lifecycle Workflows feature in Azure AD Identity Governance. During that session, I did a demo showing the integration with Logic Apps. Using this extension, I could use the Graph API to create a new Temporary Access Pass for a new hire, 7 days before the first workday. This post will describe the steps to build the solution. Introduction to LifeCycle Workflows First, let us quickly… 

KB – Write requests (excluding DELETE) must contain the Content-Type header declaration.

This is a knowledgebase item. I hope it helps you out someday. The issue When using the HTTP action in Power Automate or Logic Apps in combination with Graph API, you get the following error: Write requests (excluding DELETE) must contain the Content-Type header declaration. Despite having the header included, you still get prompted with this error message. Cause In my case, this happened when the API required a body that I did not provide. I used it to create… 

Take control of your guests with the External Identities Policy

  • Azure AD
  • 5 min read

Today we take a look at the brand new External Identities Policy in Azure AD. This new policy controls whether external users can leave the guest Azure AD tenant via self-service controls. By default, guests in Azure AD can leave your organization whenever they want, using the MyAccount portal. If you want to prevent this, a new policy is here that allows you to take control. It’s a tenant-wide setting, which will apply to all guest users. Setting the policy… 

Block users from viewing their BitLocker keys

This post is mainly focused on a new tenant setting, where you can prevent your end-users from viewing their BitLocker keys. By design, your users can see BitLocker keys for devices they own from the MyAccount portal. My Account (microsoft.com) For some (large) enterprise organizations, this is an unwanted feature. Changing the setting Using PowerShell or Graph API, you can now disable this feature. This will apply to the entire tenant so that users without proper permissions will no longer… 

How to set up Evilginx to phish Office 365 credentials

Disclaimer Evilginx can be used for nasty stuff. It is the defender’s responsibility to take such attacks into consideration and find ways to protect their users against this type of phishing attack. Evilginx should be used only in legitimate penetration testing assignments with written permission from the to-be-phished parties, or for educational purposes. That being said: on with the show. Today a step-by-step tutorial on how to set up Evilginx and how to use it to phish for Office 365… 

How to deal with orphaned objects in Azure AD (Connect)

We have done hybrid identity for a couple of years now, and it looks like the vast majority is not going to change that soon. Over the past years, we had different tools to facilitate hybrid identity. When we started this journey, there was no Azure AD Connect. We used tools like Dirsync or FIM/MIM, and that was not always easy. Still today, proper management of Azure AD Connect can be quite complex. What’s the issue? Today we are going… 

Use a FIDO2 security key as Azure MFA verification method

This news seems to be kept under the radar a little bit, but I wanted to point out a new feature in Azure AD that might help out some organizations with their Azure MFA implementations. Take a look at this list of supported authentication methods, and notice that passwordless methods can also be used as a form of verification for Azure AD Multi-Factor Authentication: Microsoft Authenticator app Windows Hello for Business FIDO2 security key OATH hardware token (preview) OATH software… 

Get alerts on Azure resource assignments made outside PIM

Microsoft released a new public preview where admins can be alerted when assignments to Azure resources are made outside of Privileged Identity Management. This was already possible in combination with Azure AD roles, but the new preview now applies to Azure resources as well. Where alerts on Azure AD roles are enabled by default, alerts for Azure resources need to be enabled by an administrator first. This feature is extremely valuable when you want to govern your Privileged Access implementation,… 

Dynamic Administrative Units using on-prem Organizational Units

  • Azure AD
  • 4 min read

Gone are the days when I could start a workshop, session, or training with: “Do you know the big difference between Active Directory and Azure Active Directory? Azure AD is flat, where AD is not.” Well…… If there is one thing I’ve learned over the last few years: it’s hard to do Zero Trust in a flat landscape. Lucky for us, we have Administrative Units nowadays. I really love Administrative Units (AUs) as they bring scoping to Azure AD. Until recently,…