This week, I have another real-time use case: auditing all Azure AD app registrations and notifying when an application credential (secret key or certificate) is near expiration. Registering an application in Azure AD establishes a trust relationship between your app and the Microsoft identity platform. The application registration can be used to authenticate on behalf of a user and request access to resource applications. I was asked to build a mechanism that monitors the Azure AD app registrations and notifies the app owner (if one exists) when the secret key or certificate expiration is nearby (x days). When I…
Author: Eswar Koneti
Conditional Access in Azure Active Directory needs no introduction. To read more about Conditional Access, please refer to https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview. In my recent assignment, there was a request to back up the Conditional Access policies every day and also to notify by email with a list of the Conditional Access policies that were created or modified in the last 24 hours. I know that there are many blog posts out there on monitoring the Conditional Access policies programmatically, by enabling the diagnostic settings (exporting the audit logs), creating Logic Apps, Power Automate flows and other tools, and alerting instantly, but that…
It has been a while since Microsoft released the combined security registration feature, which lets users register once for both MFA and SSPR if the methods in the Azure AD Multi-Factor Authentication and SSPR policies are enabled. For more information about combined security information registration, please read https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-registration-mfa-sspr-combined. One very common challenge organizations had was how to restrict the security registration process to a trusted location and secure it from bad actors. To allow the security registration process from a trusted location only and block it from any other, we can make use…
I was recently looking for a solution to add a device to an SCCM collection using a task sequence. During the search, I found that Trevor has a blog post on this. Before I use the code in the task sequence, I plan to test it on a client device. The full code is given below; you will have to change the placeholders (SCCMSERVERFQDN, SITECODE and COLLECTIONID) where needed. The command runs PowerShell remotely on the site server, imports the ConfigMgr module, looks up the current computer as a CM device and, if it is found, adds a direct membership rule for it to the collection.

cmd /c powershell.exe -Command "&{$Me = $Env:COMPUTERNAME; Invoke-Command -ComputerName 'SCCMSERVERFQDN' -ArgumentList $Me -ScriptBlock {param($Me) Import-Module ConfigurationManager; cd SITECODE:; $Computer = Get-CMDevice -Name $Me; if ($Computer) {Add-CMDeviceCollectionDirectMembershipRule -CollectionID 'COLLECTIONID' -ResourceId $Computer.ResourceID}}}"

Query to add device to collection. Log in to a client computer that doesn't have…
Managing software updates and creating custom reports in ConfigMgr is an ocean: you have so much data to visualize based on your needs. One of the very common requirements or reports is to find the missing/required updates for a device that is managed by SCCM. If you have not moved your device management, especially Windows updates, to Microsoft Intune and you are still with ConfigMgr, then this post is for you. I have written a couple of blog posts on finding the missing/required updates for a specific device in SCCM; they are listed below for your reference.
http://eskonr.com/2016/08/sccm-configmgr-sql-query-to-find-top-x-missing-updates-for-specific-collection-for-specific-update-group/
http://eskonr.com/2015/12/sccm-configmgr-ssrs-report-get-list-of-missing-updates-for-pc-from-specific-software-update-group/
Likewise,…
Intune has a co-management eligibility report (currently in preview) which provides an eligibility evaluation for devices that can be co-managed. For devices to become co-managed, they must be running Windows 10 and be enrolled in Azure Active Directory. For the full set of Intune reports, please refer to https://docs.microsoft.com/en-us/mem/intune/fundamentals/reports. The other day, I was looking into the cloud-attached devices (preview) in Endpoint Manager for the co-management eligibility report. For more information about the co-management eligibility report, see https://docs.microsoft.com/en-us/mem/intune/fundamentals/reports#co-management-eligibility-report-organizational. In the report's dropdown list, I am interested in viewing only the devices that need AAD join. Generating the report reveals that…
Microsoft has released version 2111 for Configuration Manager (Current Branch), which is now available as an in-console update, currently via the opt-in script. You can apply this update on sites that run version 2006 or later. If you are running an older version of Configuration Manager, you will need to update the site to a supported version (which you can see in the console) and then update to 2111. For a list of new features and improvements in Configuration Manager 2111, please read https://docs.microsoft.com/mem/configmgr/core/plan-design/changes/whats-new-in-version-2111. Just like any other Configuration Manager build release, this build has some new features, enhancements,…
Microsoft has released update 2107 for Configuration Manager (Current Branch), which is now available as an in-console update; you don't need to run the opt-in script. You can apply this update on sites that run version 2002 or later. If you are running an older version of Configuration Manager, you will need to update the site to a supported version (which you can see in the console) and then update to 2107. For a list of new features and improvements in Configuration Manager 2107, please read https://docs.microsoft.com/en-us/mem/configmgr/core/plan-design/changes/whats-new-in-version-2107. Just like any other Configuration Manager update release, I always try to look and see what…