Skip to content

Azure AD

Multi-stage approval for privileged roles using Azure AD Identity Governance

Privileged Identity Management is a great feature within Azure AD to provide just-in-time access to your admin roles and Azure resources. But some roles may require an extra level of security, for the simple fact the role is highly privileged, and (hopefully) rarely used. With the current capabilities, you are able to activate an approval step, but that is only limited to one approver. In this article, I will show you how you can use Azure AD Identity Governance to create… 

Read More »Multi-stage approval for privileged roles using Azure AD Identity Governance

KB – mobile phone number not in sync Azure AD Connect

This is a knowledgebase item. Hope it helps you out someday. The issue Some users reported that the mobile phone number in Azure Active Directory / Office 365 was different from the number in on-prem Active Directory. Even though these users were synced with Azure AD Connect, the mobile phone attribute was no longer in sync. Cause After some investigation, it seemed that the affected accounts were previously edited with the Set-MsolUser cmdlet from the MSOnline PowerShell module. To make… 

Read More »KB – mobile phone number not in sync Azure AD Connect

Download Intune PowerShell scripts with Graph Explorer

This quick post will show an easy method to fetch your PowerShell scripts after you have uploaded them using the Intune management portal. Unfortunately, the portal does not provide a UI to download the script content as soon as you hit that save button. Graph Explorer to the rescue There are multiple ways to do this using PowerShell scripts. If you want to bulk download all the scripts in your tenant, I recommend using this method, created by Oliver Kieselbach.… 

Read More »Download Intune PowerShell scripts with Graph Explorer

10 tips to secure your identities in Microsoft 365

I was recently invited by the Dutch Virtual Desktop User Group to present a session about Identity Security. Now, because this was in Dutch (my native language), I decided to do a ‘short’ write-up in English, so everybody can benefit from this. I shared 10 tips on how to secure your identities, but not before I showed how easy it is to phish Office 365 credentials, even if they are protected with MFA. You can also check the recording in… 

Read More »10 tips to secure your identities in Microsoft 365

Get started with multi-stage access reviews in Azure AD

  • Azure AD
  • 6 min read

Access reviews, part of the Azure AD Identity Governance module, is a great feature to reduce the risk associated with stale access assignments. Administrators can use Azure Active Directory (Azure AD) to create access reviews for group members or application access. Reviews can be delegated to group owners, managers, or specific users, but there is also the self-review option where users can review their own access. By default, this is a single-stage process. Now in preview, there is the option… 

Read More »Get started with multi-stage access reviews in Azure AD

Access reviews for Azure AD directory roles

This blog post is for all those organizations out there with stale, overprivileged accounts having standing access to Azure AD roles, that nobody knows about, far away from the HR systems and on/offboarding processes. This is often a huge problem and the elephant in the (security) room. Now, what can we do about it? I assume you are already aware of Azure AD Privileged Identity Management, and the great features that it brings. In short: with PIM you can reduce… 

Read More »Access reviews for Azure AD directory roles

Microsoft 365 self-service using Power Apps

This article was originally posted on the Microsoft 365 PnP Blog. I was inspired by this post from Loryan Strant, that used Microsoft Forms to add users to an Azure AD group so that they were upgraded to Windows 11. With that in mind, I created a mock-up and posted it on Twitter. Based on the reactions, I added this idea to my ToDo list. Fellow MVP Albert-Jan Schot also replied, and I asked him if he would like to… 

Read More »Microsoft 365 self-service using Power Apps

Act on group membership changes in Azure Active Directory

Did you ever want to act on a change in group membership in Azure AD, for example, when a user is added to or removed from a specific group? I have found an easy way to do this with the use of Power Automate. You can use this for a lot of use-cases. What do we need? For this solution, we use the Office 365 Groups connector in Power Automate that holds the trigger: ‘When a group member is added… 

Read More »Act on group membership changes in Azure Active Directory

Onboard FIDO2 keys using Temporary Access Pass in Azure AD

One of the requirements to use FIDO2 security keys with your Microsoft 365 or Azure Active Directory account is multi-factor authentication. So if the user has not added an authentication method, they need to do that first, in order to add the FIDO2 security key to the account. That is sort of a chicken and egg situation. To work around that, we can use Azure Active Directory’s Temporary Access Pass (TAP) to onboard the user. Using this method, TAP will… 

Read More »Onboard FIDO2 keys using Temporary Access Pass in Azure AD

Use Registration campaign to promote Microsoft Authenticator App

With all the new improvements to the Microsoft Authenticator App, this seems a good time to highlight a new capability in Azure AD: Registration Campain, also known as the nudge feature. Also, organizations should move away from phone transports for authentication. If your users use text (SMS) for second-factor authentication, they have very little context, and therefore might be confusing. On top of that, attackers use SIM jacking techniques to bypass those phone methods. By far the most secure way… 

Read More »Use Registration campaign to promote Microsoft Authenticator App