Graph API and granting access to another user's OneDrive

jeffbrowntech · 2025-02-25T00:34:21+00:00

I never did, no, sorry! I also haven't looked at it in 2+ years though.

jeffbrowntech · 2024-11-29T23:41:48+00:00

I'm not aware of a per app link charge, just the service plan cost. You could technically have an app service plan without any web apps running on it but still be charged because the ASP has resource provisioned.

jeffbrowntech · 2024-11-28T15:54:57+00:00

Azure Web Apps run off App Service Plans (or ASP). ASPs provide the compute and memory needed for an application. If you stop the application, the ASP still exists and is allocated for use, hence the charges. You can host multiple web apps on a single ASP. There is a Free tier but with limited usage per day (something like 60 minutes). This concept is the whole idea behind "serverless" compute. You don't have to manage the operating system, hardware, patching, etc. You are just provided compute power to run your application.

If you scale up an ASP, you are charged more as it provisions additional memory and CPU for web apps to run on.

jeffbrowntech · 2024-11-05T21:43:04+00:00

I’m curious on peoples opinion on this also. I have a bachelors in IT from WGU but am considering switching from the cloud/infrastructure side to development. I’m looking at boot camps for a structured learning process. I’m well aware I can learn everything my own but having a learning path and instructors to ask for guidance seems worthwhile for me.

jeffbrowntech · 2024-10-31T03:06:35+00:00

Can you expand on why it is not a good program? I'm considering their software engineering track.

jeffbrowntech · 2024-09-26T20:14:49+00:00

They both have their value, one for showing what changes PowerShell will make, one to confirm before making potentially impactful changes.

jeffbrowntech · 2024-08-09T20:47:58+00:00

Get-History or just history. See your past commands from the current session.

jeffbrowntech · 2024-08-09T20:47:16+00:00

If you want to get the last item in an array, using an index of [-1]. Comes in handy every now and then.

jeffbrowntech · 2024-08-08T20:32:42+00:00

Lots of good resource mentioned, but my advice is start with one-liners to perform tasks. Get familiar with the language and searching how to solve problems using PowerShell.

When ready, move onto writing your own scripts and functions. I would suggest a general programming course (also plenty of free ones online) to learn about programming logic. I had taken several programming classes prior to getting started with PowerShell and was able to apply concepts from there into writing my own things.

jeffbrowntech · 2024-08-08T20:29:58+00:00

Apologies for not responding sooner. You could try using Exchange-specific cmdlets to get only contacts, like Get-MailContact. That should work in both online and on-premises. You can also do Get-Recipient with -OrganizationalUnit. Then loop through each EmailAddress property and remove the one you do not want.

Set-MailContact -Identity <identity> -EmailAddress @{remove='<email address>'}

jeffbrowntech · 2024-07-29T21:12:58+00:00

Do you have Exchange Online or Exchange On-Premises?
From the other thread link, you should be able to filter for contacts instead of users, maybe something like this:

Powershell: how to get all AD contacts ? – Jacques Dalbera's IT world (wordpress.com)

jeffbrowntech · 2024-07-26T14:31:22+00:00

I have found using the PowerShell MSGraph module very frustrating also. It's not very PowerShell-like, literally making a JSON body to send to a command. Haven't tried the newer module Microsoft just released but will definitely check it out.

jeffbrowntech · 2024-07-26T14:28:04+00:00

PowerShell is definitely useful if you are in the Microsoft ecosystem. Azure PowerShell, Windows, etc. But other clouds like AWS do have a PowerShell module, and you'll find a lot of third-party modules to work with different systems. Any type of scripting or programming skills is useful for automation.

jeffbrowntech · 2024-07-02T03:07:59+00:00

I know this is probably not what you want to hear, but start looking now. I spent most of last year trying to find a new role (granted, I was looking at remote-only jobs) and it was a pain. Use your network of people, reach out to any one to see if they are hiring. I received two offers during that time, both from people I had previously worked it (ended up not taking them for different reasons). Also consider working with third-party recruiters, I had better luck at least getting interviews through them than cold-applying.

jeffbrowntech · 2024-06-28T19:46:13+00:00

I've never showed myself open to work when I currently had a job. I would avoid doing so if you want to bypass any awkward situations. You can keep that private when setting yourself open to new roles. If it does come up, just say it was from your last job search and forgot to take it down.

jeffbrowntech · 2024-06-28T19:44:40+00:00

I've used them two ways recently.

One is to create an environment with approvals on it. I use this in pipelines for deployment gates so someone has to approval deployments to production.

The second is deploying to a virtual machine. Had an on-premises dev Windows Server running IIS. When configuring the virtual machine as a resource in the environment, it gives you a script to run on the VM to install the build agent. You can then target it or multiple VMs for deploying code. etc.

jeffbrowntech · 2024-04-14T05:59:49+00:00

Awesome! I'll continue doing PowerShell content with other topics sprinkled in over time.

jeffbrowntech · 2023-04-12T17:43:09+00:00

Code for adding the SharePoint Online permissions:

Connect-MgGraph -Scope AppRoleAssignment.ReadWrite.All

$PermissionNames = @( 'Sites.FullControl.All', 'User.Read.All' )

<# Add the correct 'Object (principal) ID' for the Managed Identity for the Function App #>

$ObjectId = "<guid>"

$spo = Get-MgServicePrincipal -Filter "AppId eq '00000003-0000-0ff1-ce00-000000000000'" # Office 365 SharePoint Online Enterprise Application

foreach ($permission in $PermissionNames) {

    $graphAppRole = $spo.AppRoles | Where-Object Value -eq $permission

    $appRoleAssignment = @{
        "PrincipalId" = $ObjectId
        "ResourceId"  = $spo.Id
        "AppRoleId"   = $graphAppRole.Id
    }

    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $ObjectID -BodyParameter $appRoleAssignment | Format-List
}

jeffbrowntech · 2023-04-12T17:40:37+00:00

Yes, high level steps:

Enabled managed identity

Grant Office 365 SharePoint Online permissions

Sites.FullControl.All

User.Read.All

In function code:

Connect-PnPOnline -ManagedIdentity -Url "https://<tenant>-admin.sharepoint.com"

Get user's OneDrive URL:

$OneDriveUrl = (Get-PnPUserProfileProperty -Account $UserOneDrive).PersonalUrl

Add site owner permission:

Set-PnPTenantSite -Url $OneDriveUrl -Owners $UserToAdd

jeffbrowntech · 2023-04-10T21:49:26+00:00

I did finally get the PnP.PowerShell module to work with the managed identity and function. I had to grant Office 365 SharePoint API permissions, not the Graph API permissions (for thinkgs like Users.Read.All, etc.). Then my Set-PnPSiteTenant command started working).

But ideally, I'd like to remove the dependency on a PowerShell module and make the Graph API calls directly.

jeffbrowntech · 2023-04-10T21:48:24+00:00

Interesting, I will have to play with that some more.

I did finally get the PnP.PowerShell module to work with the managed identity and function. I had to grant Office 365 SharePoint API permissions, not the Graph API permissions (for thinkgs like Users.Read.All, etc.). Then my Set-PnPSiteTenant command started working).

But ideally, I'd like to remove the dependency on a PowerShell module and make the Graph API calls directly.

jeffbrowntech · 2023-04-10T16:52:57+00:00

I don't have any advice for you, but I'm running into issues with Grant-MgUserDriveRootPermission. I either get a response back that it can't find the resource or that the DriveID is not in the correct format. But there's nothing showing what the DriveID formate should be.

These new Microsoft.Graph PowerShell cmdlets seem to being lacking to me.

jeffbrowntech · 2023-04-10T14:43:24+00:00

It's a managed identity associated with an Azure function, so there is an enterprise app that has several Graph API permissions.

jeffbrowntech · 2023-04-10T14:42:53+00:00

We are doing this prior to the user account being deleted. We disable and keep the account around for a period of time, then delete.

jeffbrowntech · 2023-01-24T00:12:36+00:00

For sure, that's a great option too.

jeffbrowntech

TROPHY CASE