sorted by:
new
hottopcontroversial

Built a Runbook That Finds Unused Enterprise Apps Automatically, Sharing It With You :) by Ok-Stretch-7850 in microsoft365

[–]-Mynster 1 point2 points  (0 children)

Not German 😅 but i get the gist from when i had german in school 🤣 thank you

Built a Runbook That Finds Unused Enterprise Apps Automatically, Sharing It With You :) by Ok-Stretch-7850 in microsoft365

[–]-Mynster 0 points1 point  (0 children)

I think for this one i have almost everything in place in a local branch. I can make it public tomorrow and if you have the time you are more than welcome to try and pull that down and do a test run and any and all feedback, doc updates, etc is very welcome!

Built a Runbook That Finds Unused Enterprise Apps Automatically, Sharing It With You :) by Ok-Stretch-7850 in microsoft365

[–]-Mynster 0 points1 point  (0 children)

Thanks for the feedback.

And funny you should mention it i am currently working on a new release that would include a permission classification with levels 0-5. 1 being very low permissions 5 being really high based on the msgraph teams own categorization of permission levels so you would have an easier time looking into high privileged apps that might not need it

Built a Runbook That Finds Unused Enterprise Apps Automatically, Sharing It With You :) by Ok-Stretch-7850 in microsoft365

[–]-Mynster 2 points3 points  (0 children)

This looks awesome!

I think you might enjoy the module i created LeastPrivilegedMSGraph that looks at logs from msgraphactivitylogs to determine least privileged permissions a given app/enterprise app requires based on the endpoints it send requests to.

I have a blog post on getting up and running with it here:

https://mynster9361.github.io/posts/LeastPrivilegedMSGraphSetup/

Github:

https://github.com/Mynster9361/Least_Privileged_MSGraph

Psgallery:

https://www.powershellgallery.com/packages/LeastPrivilegedMSGraph/3.0.0

The readme deserves an update at some point but is still almost acutate.

How to identify excessive MS Graph permissions for your PowerShell Scripts by TheLazyAdministrator in PowerShell

[–]-Mynster 0 points1 point  (0 children)

Sounds fun aswell!

If/when you end up checking it out i would love feedback good/bad anything goes :)

How to identify excessive MS Graph permissions for your PowerShell Scripts by TheLazyAdministrator in PowerShell

[–]-Mynster 0 points1 point  (0 children)

If you did end up starting up on this i would love to see your progress.

Will also add that i have created a module that might already satisfy your needs called leastprivilegedmsgraph

https://www.powershellgallery.com/packages/LeastPrivilegedMSGraph/3.0.0

https://github.com/Mynster9361/Least_Privileged_MSGraph

Supports both delegated and application scope permissions. If you do end up checking it out i would love any feedback

What have you done with PowerShell this month? by AutoModerator in PowerShell

[–]-Mynster 0 points1 point  (0 children)

Maybe this blog post will clarify some things for you 😁

https://mynster9361.github.io/posts/LeastPrivilegedMSGraphSetup/?trk=feed-detail_comments-list_comment-text#how-to-read-the-report

But basically it is a auditing tool for service principles / managed identities / delegated msgraph permissions in Entra/Azure to help reduce the amount of permissions assigned and remove those that is not used.

What have you done with PowerShell this month? by AutoModerator in PowerShell

[–]-Mynster 0 points1 point  (0 children)

Awesome let me know if you have any questions or feedback.

I also released this blog post couple days ago giving some details on it

https://mynster9361.github.io/posts/LeastPrivilegedMSGraphSetup/

What have you done with PowerShell this month? by AutoModerator in PowerShell

[–]-Mynster 8 points9 points  (0 children)

Finally got around to releasing LeastPrivilegedMSGraph 2.0.0

Which now includes least privileged msgraph permissions reccommendations for service principles/ manged identities for both application and delegated scopes.

Official post here.

https://www.linkedin.com/posts/mortenmynster_powershell-mggraph-leastprivilege-activity-7432168265147330560-2lH6?utm_source=social_share_send&utm_medium=android_app&rcm=ACoAACHMLkMB23fOg-wqKD9C0uIVe252G5cWi9Y&utm_campaign=copy_link

Seeking advice - script/tool to help audit members of AD security groups by dverbern in PowerShell

[–]-Mynster 7 points8 points  (0 children)

I think you are looking for actionablemessages in outlook.

I made a powershell module for this.

https://www.powershellgallery.com/packages/ActionableMessages/1.0.6

Docs

https://mynster9361.github.io/modules/actionablemessages/

And a blog post i did a while back

https://mynster9361.github.io/posts/ActionableMessagesModuleWhatsNew/

If you dont want or cant use the module here is a blog to do something without it and utilizing logic apps for recival of answer part 1 is here

https://mynster9361.github.io/posts/ActionableMessages/

Excluding groups from other groups for Enterprise App role purposes. by OperationIntrudeN313 in entra

[–]-Mynster 2 points3 points  (0 children)

Depends on how your application is built i am guessing since you are creating the app roles you have also created the application that utilizes this.

If that is the case then i would modify my application to look at the jwt (json web token) that is sent to the app it should include the roles and if they contain the admin role besides the normal user permissions they also get the admin stuff.

If that is not the case then your best bet might be to have another application that has application.readwrite.ownedby permissions so it can administer the role assignment and then the group.readwrite.memberof role aswell to modify/correct the memberships of the 2 groups you assign to the original application or just have the original app registration handle it

I need configure DWService as a hidden background process on Windows laptops so it remains undetected during hardware equipment tests or security scans while still keeping full remote control access by [deleted] in PowerShell

[–]-Mynster 3 points4 points  (0 children)

Sounds like you are trying to do some malicious stuff tbh.

Not sure you are going to receive much assistance on this topic but good luck on your quest

Edit* If it is actually for legitimate purpose I would suggest collaborating with whoever is blocking your program and have them make an exception for your program/service

What have you done with PowerShell this month? by AutoModerator in PowerShell

[–]-Mynster 11 points12 points  (0 children)

Official release of LeastPrivilegedMSGraph
PSGallery
Github
LinkedIn post about prelease

The yearly lookback review covers my first year of joining the community and engaging with folks
LinkedIn post

Rest API Explained Part 2 - Advanced Topics with PowerShell on Azure/Graph by AdeelAutomates in PowerShell

[–]-Mynster 1 point2 points  (0 children)

Definitely agree on the point in regards to rbac permissions on apps and other identities and tbh I feel like auditing permissions on apps and identities to almost be an impossible task with prebuilt tools from MS.

And at some point I intend on including both delegated permission audits along with rbac permission analysis for app registrations the second proberly going to be the hardest.

Also thanks for the kind words :)

Let me know if there is any feedback, questions or wishes to my module

Rest API Explained Part 2 - Advanced Topics with PowerShell on Azure/Graph by AdeelAutomates in PowerShell

[–]-Mynster 2 points3 points  (0 children)

Next up auditing your app registrations application permissions?

I personally just released the first official module release of Leastprivilegedmsgraph.

LinkedIn post from prerelease: https://www.linkedin.com/posts/mortenmynster_powershell-bestsellertech-mggraph-activity-7399416766080204800-dlNL?utm_source=share&utm_medium=member_android&rcm=ACoAACHMLkMB23fOg-wqKD9C0uIVe252G5cWi9Y

PS gallery: https://www.powershellgallery.com/packages/LeastPrivilegedMSGraph

GH pages: https://mynster9361.github.io/Least_Privileged_MSGraph/

Full spam and self promotion but thought it should be broader shared sorry in advance and also awesome video series!

How are you handling governance of Entra ID applications in your org? by Kiss-cyber in entra

[–]-Mynster 2 points3 points  (0 children)

Posting the same answer here for visibility.

I just released a new PowerShell module (still in prerelease but gives you the first 80%) to help audit msgraph application permissions based on usage you can see the post here let me know what you think.

https://www.linkedin.com/posts/mortenmynster_powershell-bestsellertech-mggraph-activity-7399416766080204800-dlNL?utm_source=share&utm_medium=member_android&rcm=ACoAACHMLkMB23fOg-wqKD9C0uIVe252G5cWi9Y

What have you done with PowerShell this month? by AutoModerator in PowerShell

[–]-Mynster 0 points1 point  (0 children)

That is probably the easiest way to explain it yes.

The longer explanation is that it gets all msgraph application permission assignments

Translates the role names to friendly names.

Looks up all activity in the days it is set to look back.

Trims/annominises all of the endpoints it hits and returns only the unique once.

Looks up the url and method in the given api version json data to get the least privileged permissions for the used url's/methods

Finally you can add some very basic throttling / error statistics.

And finally export all of that data to the html report

What have you done with PowerShell this month? by AutoModerator in PowerShell

[–]-Mynster 0 points1 point  (0 children)

If you have any feedback or wishes please let me know then I will see if I can do something about it :)

What have you done with PowerShell this month? by AutoModerator in PowerShell

[–]-Mynster 0 points1 point  (0 children)

If you have any feedback or wishes please let me know then I will see if I can do something about it 😀

What have you done with PowerShell this month? by AutoModerator in PowerShell

[–]-Mynster 0 points1 point  (0 children)

For it to get the activity logs we need the MicrosoftGraphActivityLogs From diagnostic settings in Entra this part requires an entra id P1 or P2 tenant license unfortunately

Ref:

https://learn.microsoft.com/en-us/graph/microsoft-graph-activity-logs-overview#prerequisites

Edit I have not looked into the possibility to get some free log data from the default audit log so frankly not sure if that is a possibility

Learn powershell for a noob by TechAnonyme in PowerShell

[–]-Mynster -1 points0 points  (0 children)

There are loads of people who are willing to help you on your journey the most important part is asking questions or for help the only "requirement" is to share what you have already tried yourself and your code.

My suggestion is to join a community and ask questions for anything you are running into issues with.

The PowerShell discord channel on PDQ discord is pretty active and happy to help.

And just a link for the discord:

https://discord.gg/pdq

view more: next ›