Entra ID – AppReg Manager 2024 – v01

During my work as an IT Consultant, I frequently use PowerShell scripts to connect to Azure, Microsoft 365 or Microsoft Graph. When these scripts run unattended on servers or in Azure Automation, I often use certificates for authentication. Creating these App Registrations in the Entra ID portal is not very convenient.

I have used scripts before to create these App Regs. You might have seen them in my PSRoomSigning solution.

This script is a very complete App Reg Manager.

Features:

  • Create a new App Registration in Microsoft Entra ID with a new self-signed certificate.
  • Delete App Registrations in Microsoft Entra ID (multi-select supported).
  • Report App Registrations with certificates/secrets that are expired or about to expire (export to CSV).
  • Report API permissions or role permissions on App Registrations (export to CSV).
  • Create a new self-signed certificate and add it to an existing App Registration (one whose certificate is about to expire).
  • Choose how long the certificate is valid, in days.
  • After creation, the certificate is exported to a PFX file.
  • After creation, sample PowerShell code for using the new App Registration in PowerShell is exported.
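The expiry report above, as an added example that is not part of the AppReg Manager script: it lists every certificate (KeyCredential) and client secret (PasswordCredential) on each App Registration that is expired or expires within a chosen number of days and exports the result to CSV. It assumes the Microsoft.Graph module is installed and that the signed-in account can consent to Application.Read.All; the parameter names and CSV path are my own choices.

```powershell
# Added example: report App Registration certificates/secrets that are expired or expiring.
# Assumes Microsoft.Graph is installed and Application.Read.All can be consented (read-only).
param(
    [int]$DaysAhead = 30,                              # report window in days (assumed default)
    [string]$CsvPath = ".\AppRegCredentialExpiry.csv"  # output file (assumed path)
)

Import-Module Microsoft.Graph.Applications
Connect-MgGraph -Scopes "Application.Read.All" -NoWelcome

$now    = (Get-Date).ToUniversalTime()
$cutoff = $now.AddDays($DaysAhead)

$rows = @(foreach ($app in Get-MgApplication -All -Property Id,AppId,DisplayName,KeyCredentials,PasswordCredentials) {
    # Certificates and secrets expose the same KeyId/EndDateTime fields, so tag them and treat alike.
    $creds = @($app.KeyCredentials      | ForEach-Object { [pscustomobject]@{ Type = 'Certificate'; Cred = $_ } }) +
             @($app.PasswordCredentials | ForEach-Object { [pscustomobject]@{ Type = 'Secret';      Cred = $_ } })
    foreach ($c in $creds) {
        $end = $c.Cred.EndDateTime
        if ($null -eq $end -or $end -gt $cutoff) { continue }   # still valid beyond the window
        [pscustomobject]@{
            DisplayName  = $app.DisplayName
            AppId        = $app.AppId   # the client ID, not the object ID (the 2024_v02 fix)
            ObjectId     = $app.Id
            Type         = $c.Type
            CredentialId = $c.Cred.KeyId
            EndDateTime  = $end
            DaysLeft     = [math]::Floor(($end - $now).TotalDays)   # negative when already expired
            Status       = $(if ($end -lt $now) { 'Expired' } else { 'Expiring' })
        }
    }
})

$rows | Sort-Object EndDateTime | Export-Csv -Path $CsvPath -NoTypeInformation
"$($rows.Count) credential(s) expired or expiring within $DaysAhead days written to $CsvPath"
```

Run it on a schedule and alert on any row with Status = Expired; an App Registration that still has an expired secret listed is usually a sign nobody owns it any more.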

Requirements

  • Runs on PowerShell (only tested on Windows)
  • Uses Microsoft Graph PowerShell module (https://learn.microsoft.com/en-us/powershell/microsoftgraph/installation?view=graph-powershell-1.0)
  • Needs a Global Admin account or (….)

Installation:

  • Install the required PowerShell module: Install-Module -Name Microsoft.Graph
  • Extract the ZIP file to a scripts folder, e.g. “c:\scripts\appregmgr”
  • Execute the script.

You can download the second (v2) version here.

.REVISIONS
2024_v02 – Fix: the Object ID was exported instead of the App ID.
2024_v01 – first release

Azure Snapshot Manager

Microsoft Azure is a great platform to host Virtual Machines. What native Azure doesn’t have is a good snapshot/checkpoint manager like Hyper-V does. For some time now you can create disk snapshots, but only per disk. If a Virtual Machine has multiple disks you have to create a snapshot for every disk, and for every disk it asks what you want to name it. Putting the snapshot back into the VM is another story entirely.

That is where Azure Snapshot Manager comes in. This PowerShell based tool makes it a lot easier to create snapshots of all disks of a VM in one run. It also lets you apply a snapshot to any existing VM in the same region, or create a new VM based on the selected snapshot. I have developed this script in a few iterations and I believe this version is ready to go into the wild.
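The first feature, snapshotting every disk of a VM in one run, as an added example that is not the Azure Snapshot Manager script itself: it enumerates the OS disk and data disks of one VM and creates a consistently named, tagged snapshot of each managed disk. It assumes the Az module is installed, Connect-AzAccount has been run, and the VM uses managed disks; the naming scheme and tag names are my own.

```powershell
# Added example: snapshot the OS disk and every data disk of one VM in a single run.
# Assumes Az.Compute is installed and Connect-AzAccount has already been run.
param(
    [Parameter(Mandatory)][string]$ResourceGroupName,
    [Parameter(Mandatory)][string]$VMName,
    [string]$Tag = (Get-Date -Format 'yyyyMMdd-HHmm')   # suffix shared by all snapshots of this run
)

$vm = Get-AzVM -ResourceGroupName $ResourceGroupName -Name $VMName

# OS disk first, then data disks in LUN order, so the set can be restored in the same order later.
$disks = @($vm.StorageProfile.OsDisk) + @($vm.StorageProfile.DataDisks | Sort-Object Lun)

foreach ($d in $disks) {
    if (-not $d.ManagedDisk) {
        Write-Warning "Skipping '$($d.Name)': only managed disks can be snapshotted this way"
        continue
    }
    # Snapshot name: <vm>-<disk>-<run tag>; Azure limits snapshot names to 80 characters.
    $snapName = "$VMName-$($d.Name)-$Tag"
    if ($snapName.Length -gt 80) { throw "Snapshot name '$snapName' exceeds 80 characters" }

    # Tags record where the snapshot came from, so a restore can map it back to the right LUN.
    $cfg = New-AzSnapshotConfig -SourceUri $d.ManagedDisk.Id -Location $vm.Location -CreateOption Copy `
                                -Tag @{ SourceVM = $VMName; SourceDisk = $d.Name; Lun = "$($d.Lun)"; Run = $Tag }
    $snap = New-AzSnapshot -ResourceGroupName $ResourceGroupName -SnapshotName $snapName -Snapshot $cfg

    [pscustomobject]@{ Disk = $d.Name; Lun = $d.Lun; Snapshot = $snap.Name; SizeGB = $snap.DiskSizeGB }
}
```

The OS disk has no LUN, so its Lun column is empty; that is how a restore step can tell it apart from the data disks.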

If you have any suggestions or questions please check the About button on the site and let me know!

DISCLAIMER

Use of this script is at your own risk and responsibility. This script creates disk snapshots and attaches and detaches disks to new or existing VMs. No disks are deleted. Creating new Azure resources can increase the costs on your Azure bill. Please take this into account.

DOWNLOAD

Download the script here: AzVMSnapshotMgr_v3.zip

Start the script and connect to Azure.

Continue reading Azure Snapshot Manager

PS RoomSigning 2022.02.05 (New Version)

Introduction

PSRoomSigning 2022 is a completely new version of the PowerShell based solution for RoomSigning. The solution has been reinvented because of issues with the 2021 version. If you installed the 2021 version and occasionally see “server error 500”, please remove the old version and install this one.

RoomSigning 2022 displays the meetings in the meeting rooms of your environment. If you have an information display in your company restaurant or foyer you can show this information there. Only today’s meetings are displayed, and meetings that have already passed are removed from the screen, keeping it nice and clean.


Example of RoomSigning

How does it work?

The PowerShell script is designed to run as a scheduled task or as a scheduled Azure Automation Runbook. The script needs a Service Principal Name in Azure AD with ‘Calendar.Read’ and ‘User.Read’ permissions. If your target is an Azure Web App Service, the SPN also needs Contributor permissions on the App Service.

When the script runs it reads the configured Exchange Online Room mailboxes and renders an HTML file in a configured target location. This HTML file is the visual representation of the Exchange Rooms. The HTML location must be reachable by your display device: a webserver running locally or in Azure, a local folder, or a shared folder on a file share. If your client can access it, it will work.

Revision History:

2022 – Second release
• Reinvented the solution with an extra jQuery script and split the HTML into two files.
• Added a jQuery script for refreshing the page, making it more robust and stable.
• Requires a webserver; no longer works from a local folder.
• Fixed the PSRoomsigning_CreateResources.ps1 script; it now works.

2021 – First release

Download the PSRoomSigning 2022 solution here.

PS RoomSigning

Introduction

PSRoomSigning is a PowerShell based solution for RoomSigning. You can run this script on your Windows based display device or webserver, or run it natively in Azure. RoomSigning shows the meetings in the meeting rooms of your environment. If you have an information display in your company restaurant or foyer you can show this information there. Only today’s meetings are displayed, and meetings that have already passed are removed from the screen.


Example of RoomSigning

How does it work?

The PowerShell script is designed to run as a scheduled task or as a scheduled Azure Automation Runbook. The script needs a Service Principal Name in Azure AD with ‘Calendar.Read’ and ‘Directory.Read’ permissions. If your target is an Azure Web App Service, the SPN also needs Contributor permissions on the App Service.

When the script runs it reads the configured Exchange Online Room mailboxes and renders an HTML file in a configured target location. This HTML file is the visual representation of the Exchange Rooms. The HTML location must be reachable by your display device: a webserver running locally or in Azure, a local folder, or a shared folder on a file share. If your client can access it, it will work.

The generated HTML file contains a 30-second auto-refresh setting, so when the script writes a new version the display picks it up automatically.

Download the PSRoomSigning script here.

Azure VPN – Point to Site – Part 2/2

Welcome to part 2 of the Azure VPN blog; you can find part 1 here. This part explains how to configure Azure VPN with Always On and Azure Active Directory authentication with MFA. This allows Modern Managed, Azure AD Joined Windows 10 workplaces to connect securely to the Azure network and, if you have a route back to on-premises, to the on-premises network as well.

Continue reading Azure VPN – Point to Site – Part 2/2

Azure VPN – Part 1/2

This new Azure related blog describes how to extend your on-premises network to the Azure datacenter. The blog explains how to create an Azure Virtual Network, create a VPN gateway, and connect it to your on-premises environment. In part 2 we expand this solution with Point-to-Site VPN using Always On Azure VPN, allowing Modern Managed clients to connect via VPN to the Azure Virtual Network and, if required, to your on-premises network.


This picture shows the setup we are going to create in this BLOG.

The blog assumes you have basic knowledge of networking and of how the Azure portal works. The region I usually work in is West Europe; please adjust the region to your preferred Azure region.

Part 1: Site-to-Site VPN

  1. Create Azure VNET
  2. Create Azure Virtual Network Gateway
  3. Create Virtual Machine in Azure
  4. Create Site-2-Site between Azure and Sophos XG
    1. Configure Azure
    2. Configure Sophos XG
    3. Proof of the pudding

Coming Soon: Part 2: Azure VPN (Point-to-Site)

Continue reading Azure VPN – Part 1/2

Azure AD – Directory Roles – Where are you?

Today I noticed something strange. I am scripting with AzureAD PowerShell against Azure AD. I have created a script that will create a Service Principal Name with Directory Reader role. This worked perfectly in my old trial/demo tenant and in customer tenants.

Last week I had to recreate my test lab environment because the licenses expired (I use 1 year demo tenants). Today I tried to create the SPN with the previously created PowerShell script and add the Directory Reader Role.

That script errored out at the line:
Add-AzureADDirectoryRoleMember -ObjectId (Get-AzureADDirectoryRole | Where-Object {$_.DisplayName -eq "Directory Readers"}).ObjectId -RefObjectId $sp.ObjectId

I tried logging in with Connect-AzureAD to the tenant in a new PowerShell window with my Global Admin account to the same tenant. After that I tried this command: Get-AzureADDirectoryRole


According to this PowerShell command there are only two Directory Roles.
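The reason is a property of the AzureAD module rather than a missing role: Get-AzureADDirectoryRole returns only roles that have been activated in the tenant, and a freshly created tenant has activated just a couple of them. The helper below is an added example, not code from the post: it activates the role from its template when it is not listed yet, then adds the service principal only if it is not already a member. It assumes Connect-AzureAD has been run by an account allowed to manage roles and that $sp holds the service principal object from the author’s script.

```powershell
# Added example: activate a directory role from its template when it is not yet listed,
# then add a service principal to it. Assumes Connect-AzureAD was run and $sp is the SPN object.
function Get-OrEnableDirectoryRole {
    param([Parameter(Mandatory)][string]$RoleName)

    # Only activated roles are returned here; in a fresh tenant this list is short.
    $role = Get-AzureADDirectoryRole | Where-Object { $_.DisplayName -eq $RoleName }
    if ($null -eq $role) {
        # Role templates exist for every built-in role whether or not it is activated.
        $template = Get-AzureADDirectoryRoleTemplate | Where-Object { $_.DisplayName -eq $RoleName }
        if ($null -eq $template) { throw "No directory role template named '$RoleName' exists in this tenant" }
        $role = Enable-AzureADDirectoryRole -RoleTemplateId $template.ObjectId
    }
    return $role
}

# Directory Readers is a read-only role, which is all the PSRoomSigning-style scripts need.
$role = Get-OrEnableDirectoryRole -RoleName "Directory Readers"

# Idempotent: re-running the script must not fail because the SPN is already a member.
$memberIds = @(Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId | ForEach-Object { $_.ObjectId })
if ($memberIds -notcontains $sp.ObjectId) {
    Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $sp.ObjectId
}
```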

Continue reading Azure AD – Directory Roles – Where are you?

Windows Virtual Desktop – Dutch Language pack

Windows Virtual Desktop – Windows 10 Multisession – comes in only one language: English. My native language is Dutch, and I work for a lot of Dutch clients who want their WVD in Dutch as well.

Adding a different language manually on a Windows 10 laptop is not so hard: just go to the settings, language, add the language … well, you know the drill. When building your WVD image for W10 Multisession you need to add the language pack to the image. There are many ways to do so. Microsoft has documented this on this DOCS page: https://docs.microsoft.com/en-us/azure/virtual-desktop/language-packs

This BLOG post explains how to add the language pack to your image or to running Session Hosts, and how to create a GPO that changes the language for your users. Because my native language is Dutch, I will explain how to create the GPO for the Dutch language; it should work for all languages.

Disclaimer:
Some GPO settings are registry values, most of them reverse engineered by me. I changed the settings on a lab machine from English to Dutch and monitored which registry values changed. I also verified those registry values against a regular Windows 10 Pro Dutch version installed from an ISO file. Those settings were used in my GPOs. Use this BLOG at your own risk. See my disclaimer.

Inspiration:

My setup:

  • Windows Server 2019 Domain Controller with AAD Connect running on a B2S in Azure
  • Windows 10 Multi Session 20H2 without M365 Apps for Enterprise

Continue reading Windows Virtual Desktop – Dutch Language pack

MDT in a Box – Additional Scripts

Scripts

In an earlier blog post I explained how to install Microsoft Deployment Toolkit on a Windows Server running in Azure. This “MDT in a Box” allows you to create OS images for many purposes. To make the process easier I have developed some PowerShell scripts. The scripts were discussed in the online meetup of the Dutch Windows Virtual Desktop User Group live session on December 7th. This meetup was recorded and can be viewed here. (not available yet)

Three of them are listed here.

  • MDT_Deployment_v2.ps1
  • LTImdtimageversion.ps1
  • Tosysprep.ps1

These scripts work very well with the MDT in a Box machine I created (see this page for instructions on how to create it). For instructions on how to install these scripts in your MDT environment, check the section below!

Continue reading MDT in a Box – Additional Scripts