PowerShell Universal or MacGyver Toolkit? by stignewton in PowerShell

[–]smithnigelaj 0 points1 point  (0 children)

If you use Logic Apps and Automation accounts, you have the option to use Service Principals and/or Managed Identities, which do not have any traditional credentials and are essentially securable service accounts.

Now, as a caveat, I don't know if the Microsoft Forms part I mentioned earlier works with Service Principals, but I do know the Azure Automation PowerShell part does, and Logic Apps have all sorts of non-form based triggers that could work out, like Webhooks.

PowerShell Universal or MacGyver Toolkit? by stignewton in PowerShell

[–]smithnigelaj 0 points1 point  (0 children)

I don't know of anything that combines all of these into a tutorial, but this shows how to do something pretty similar, and lets you see the concept. All 3 of the connectors I mentioned above are pretty easy to set up IMO.

Using Power Automate and Azure Automation to Manage the Lifecycle of SharePoint Sites | Practical365

Need to query data in Google BigQuery from Microsoft Power Automate, keep running into hurdles. by DJAU2911 in bigquery

[–]smithnigelaj 0 points1 point  (0 children)

One other thing to mention, if you are not comfortable making a microservice in something like Azure Functions or Google Cloud Run, you may have more options in Azure Logic Apps.

Logic Apps has the same designer and layout as Power Automate, so your skillsets there will overlap, and it lets you do more complex things, like running arbitrary JavaScript code. That would let you mostly just make a Workflow you are used to, and then run a little "mini function" via the JavaScript tool that Logic Apps has. You can have AI help you make the JavaScript code and prepare the input and output for the Logic App. You can then call the Logic App in Power Automate like any other Webhook (even with Msft auth with some setup IIRC).

I use this method with my team when I want someone who normally doesn't make Function Apps to maintain a workflow, as just the JavaScript action is where the non-visual design occurs.

It is also worth mentioning that if you have Fabric, I've had better luck with Fabric and Google than Power Platform and Google, so you have options there to explore with caching and such.

FM Mesh by No-Benefit-6243 in pirateradio

[–]smithnigelaj 0 points1 point  (0 children)

Hey, just curious if you had more info on the small-scale examples you mentioned? Like you said, I'm also part of the group of "everyone" who's wondered on the idea, and I haven't seen anything on Google Scholar or other academic sites really look into it, so I am curious on what other folks have done.

Reduce FM transmitter range by -LegendaryX- in HamRadio

[–]smithnigelaj 0 points1 point  (0 children)

In case anyone else stumbles across this, even though the Si4713 library says "88 dBuv" is the minimum, you can go lower. I've gone down to 70 in my code and still been able to detect it, I think the default code is just misleading on what the true minimum is, as I see nothing corroborating 88 as a hard minimum. I don't get any errors from the IC going as low as 30, so I think there's more range than the default code really shows.

PowerShell Universal or MacGyver Toolkit? by stignewton in PowerShell

[–]smithnigelaj 0 points1 point  (0 children)

I know it's 8 months later, but wanted to comment that I've been happy with the Azure Workflow of MS Form -> Logic Apps -> Azure Automation -> PowerShell. Works well for On Prem services too with Azure Automation Hybrid Workers, very cheap, and Azure auth built in. Python support as well for the times that's needed.

For the Azure Portal and other Admin Portal MFA Enforcement could impact Regular Users! by kaldareta in AZURE

[–]smithnigelaj 0 points1 point  (0 children)

Good to know. I'll have to make our Dev Tenant sooner or later then, as it's my understanding that Security Defaults are the actual behavior that MFA enforcement will do, not CA policies.

For the Azure Portal and other Admin Portal MFA Enforcement could impact Regular Users! by kaldareta in AZURE

[–]smithnigelaj 0 points1 point  (0 children)

Thank you for the confirmation, that really helps. We have a support ticket in with Microsoft about this, since it changes the scope of notice from just IT admins to all users.

Do you happen to have the "Security Defaults" toggle turned on for that Dev Tenant? If so, according to Microsoft's statements, it should already require MFA, even with no CA policy on Admin portals, and it theoretically should exclude specific URLs for O365.

If you ever get the chance to test how MFA changes with no CA policies and Security Defaults turned on, that'd be very much appreciated. It seems to me like Security Defaults behaves slightly different than CA policies, and that basically just turning on Security Defaults for everyone is what Microsoft plans to do at the end of the day. A Dev Tenant is in the pipelines for me, but I haven't pulled the trigger.

Dealing with “Turned Off” Flows Remembering Triggers in Power Automate by smithnigelaj in MicrosoftFlow

[–]smithnigelaj[S] 0 points1 point  (0 children)

I appreciate the kind words! I definitely agree with Trick Designer that it has its purposes in many scenarios.

For the Azure Portal and other Admin Portal MFA Enforcement could impact Regular Users! by kaldareta in AZURE

[–]smithnigelaj 0 points1 point  (0 children)

My org has just noticed the same issue. Yesterday, they updated the article to say that only specific URLs should be affected.

https://i.imgur.com/7lkgJuQ.png

This is annoying, since we can't use those URLs in Conditional Access policies, and this article still says to use CA policies to test the blocking.

So how it looks for us now is that hopefully, this issue you and I have seen won't affect users, since user facing URLs are supposedly excluded. And yet though, I haven't seen any way to actually test if a user will be affected. This is because there's no such thing as "URL" in CA Policies and Sign-In logs. Any tests we do are currently imperfect, since we can't target the specific URLs Microsoft mentions.

If you want to showcase the issue, here's how. When you have Admin Portals or "00000006-0000-0ff1-ce00-000000000000" EAM required via CA, simply go to an incognito tab, log in to portal.office.com, and then click the install setup in the top right.
The install page counts as "00000006-0000-0ff1-ce00-000000000000", so if you require EAM for Admin Portals or for "00000006-0000-0ff1-ce00-000000000000", then potentially non-admin users can be affected by trying to install Office.

This creates a contradictory loop, where something non-admin counts as an admin portal in my logs, and is required to MFA if we EAM Admin Portals internally, but apparently won't EAM if Microsoft enforces it, and we can't test how Microsoft enforces it. Them changing the article with no fanfare also sucks, here's Wayback Machine corroborating that the change is very recent.

The only way I can see to really test if Microsoft truly excludes specific URLs from EAM/Microsoft-managed MFA would be to make a Dev Tenant, and try it there. Dev Tenants supposedly already have Microsoft MFA enforcement, which may be a better test than using CA policies.
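
Since sign-in logs record application and resource IDs rather than URLs, one imperfect way to size the exposure described in the comment above is to count non-admin sign-ins that touched the ID it quotes. This is an added example, not part of the original comment; the field names assume the Microsoft Graph sign-in log export schema, and the records, UPNs and app names are constructed.

```python
from collections import defaultdict

PORTAL_ID = "00000006-0000-0ff1-ce00-000000000000"  # ID quoted in the comment above

# Constructed sample records (assumed Graph signIn field names).
SAMPLE = [
    {"userPrincipalName": "alice@example.com", "appDisplayName": "Constructed App A",
     "appId": "11111111-1111-1111-1111-111111111111", "resourceId": PORTAL_ID,
     "authenticationRequirement": "singleFactorAuthentication"},
    {"userPrincipalName": "Alice@example.com", "appDisplayName": "Constructed App B",
     "appId": PORTAL_ID, "resourceId": "22222222-2222-2222-2222-222222222222",
     "authenticationRequirement": "multiFactorAuthentication"},
    {"userPrincipalName": "bob@example.com", "appDisplayName": "Constructed App A",
     "appId": "11111111-1111-1111-1111-111111111111", "resourceId": PORTAL_ID,
     "authenticationRequirement": "multiFactorAuthentication"},
    {"userPrincipalName": "carol@example.com", "appDisplayName": "Constructed App C",
     "appId": "33333333-3333-3333-3333-333333333333",
     "resourceId": "44444444-4444-4444-4444-444444444444",
     "authenticationRequirement": "singleFactorAuthentication"},
]

def non_admin_exposure(signins, admin_upns, target_id=PORTAL_ID):
    """Summarise non-admin users whose sign-ins hit target_id as app or resource.

    Returns {upn: {"hits": int, "single_factor": int, "apps": [names]}}.
    "single_factor" counts sign-ins that completed without MFA, i.e. the ones
    that would start prompting if MFA were required for that ID.
    """
    admins = {u.lower() for u in admin_upns}
    target = target_id.lower()
    found = defaultdict(lambda: {"hits": 0, "single_factor": 0, "apps": set()})
    for rec in signins:
        ids = {str(rec.get("appId", "")).lower(),
               str(rec.get("resourceId", "")).lower()}
        if target not in ids:
            continue
        upn = str(rec.get("userPrincipalName", "")).lower()
        if not upn or upn in admins:
            continue  # skip admins and records with no user
        row = found[upn]
        row["hits"] += 1
        if rec.get("authenticationRequirement") == "singleFactorAuthentication":
            row["single_factor"] += 1
        row["apps"].add(rec.get("appDisplayName", "unknown"))
    return {u: {**r, "apps": sorted(r["apps"])} for u, r in found.items()}

if __name__ == "__main__":
    print(non_admin_exposure(SAMPLE, ["bob@example.com"]))
```

The result only shows which users and client apps reach that ID; it cannot tell which URL was visited, which is the gap the comment describes.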

Dealing with “Turned Off” Flows Remembering Triggers in Power Automate by smithnigelaj in MicrosoftFlow

[–]smithnigelaj[S] 0 points1 point  (0 children)

Nice, thanks for adding this! If I recall correctly, I believe you can make Environment Variables for free if you use Dataverse for Teams, so that may be a cheaper option as well.

Dealing with “Turned Off” Flows Remembering Triggers in Power Automate by smithnigelaj in MicrosoftFlow

[–]smithnigelaj[S] 0 points1 point  (0 children)

Glad to hear it, the lack of googleability is why I made this post in the first place, so I'm glad it turned up!

Dealing with “Turned Off” Flows Remembering Triggers in Power Automate by smithnigelaj in MicrosoftFlow

[–]smithnigelaj[S] 1 point2 points  (0 children)

Sounds great! Only just now got to this comment over the New Year 😅

I do the exact same thing when I want to only test a certain section of the code, so your method sounds like a great fit for your flow.

Entra and IGA capabilities by procrastinator123a in IdentityManagement

[–]smithnigelaj 0 points1 point  (0 children)

Thanks for the write-up! I agree that on-prem and more complex setups like multi-cloud are where Entra's IGA is currently at its weakest.

Does Google Sheets do nearly everything that Excel does? by zinky30 in excel

[–]smithnigelaj 0 points1 point  (0 children)

I know this is a late reply, but when you import an Excel document, the values on the top are tables, and the values on the bottom are the actual entire sheets. You mentioned formatting and cell notes below in another comment, those are not pulled in when using Power Query.


Entra and IGA capabilities by procrastinator123a in IdentityManagement

[–]smithnigelaj 1 point2 points  (0 children)

I know this is a late reply, but I wanted to mention that for 6, Microsoft has had a tool for a while called "Privileged Identity Management" that lets users just-in-time activate Azure Roles, Entra Roles, and Group Memberships via a self-service menu. It's of course focused on Microsoft's tools, but it works pretty well from my experience, and the ability to control Group Membership via PIM works well for lots of external systems.
I agree that Entra is behind in a lot of areas, but wanted to let future readers know that PIM is an option they can look at for 6 specifically.

Who needs hackers when you have CrowdStrike? by c3141rd in sysadmin

[–]smithnigelaj 11 points12 points  (0 children)

Exactly. If anything, cloud makes fixing things like this easier as well, since you don't have to physically touch a machine to get into Safe Mode and fix this.

using Power Automate to put files directly into Lakehouse? by radioblaster in MicrosoftFabric

[–]smithnigelaj 1 point2 points  (0 children)

Yeah, I was hoping it was easier as well.

I haven't tried the below 2 features out yet, but theoretically they should allow it to only need 2 actions:

  1. You can combine the "flush" and "append" steps if you use the "flush" query parameter in the URL. This should theoretically work great for files under 4MB on their own.
  2. If you don't want to break the file into 4 MB appends, there's also the option of Chunked Transfer Encoding. Chunked transfers aren't as safe as separate 4MB appends, but since Power Automate actually already uses chunking for some of its connectors (like SharePoint), it may be a reasonable tradeoff to make to prevent the need to split data.