Entra ID – AppReg Manager 2024 – v01

During my work as an IT Consultant, I frequently use PowerShell scripts to connect to Azure, Microsoft 365 or Microsoft Graph. When these scripts run unattended on servers or in Azure Automation, I usually use certificates for authentication. Creating these App Registrations in the Entra ID portal is not very convenient.

I have used scripts before to create these App Regs. You might have seen one in my PSRoomSigning solution.

This script is a very complete App Reg Manager.

Features:

  • Create a new App Registration in Microsoft Entra ID with a new self-signed certificate.
  • Delete App Registrations in Microsoft Entra ID (multi select supported).
  • Report App Registrations with certificates/secrets that are expired or about to expire (export to CSV).
  • Report API permissions or role permissions on App Registrations (export to CSV).
  • Create a new self-signed certificate and add it to an existing App Registration (for example one whose certificate is about to expire).
  • The certificate validity period is configurable in days.
  • After creation it exports the certificate to a PFX file.
  • After creation it exports sample PowerShell code that uses the new App Registration.
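As an added illustration of the expiry report feature (this is not the AppReg Manager script itself), the snippet below lists every certificate and secret on all App Registrations that is expired or expires within a chosen number of days, and exports the result to CSV. It assumes the Microsoft.Graph module is installed and the signed-in account has Application.Read.All; the threshold and output path are assumed values.

```powershell
# Added example, not part of AppReg Manager: report expired / soon-expiring credentials.
param(
    [int]$DaysAhead = 30,                                              # assumed threshold
    [string]$CsvPath = "C:\scripts\appregmgr\ExpiringCredentials.csv"  # assumed output path
)

# Read-only scope is enough for reporting; no write permission is requested.
Connect-MgGraph -Scopes "Application.Read.All" -NoWelcome

$now    = Get-Date
$cutoff = $now.AddDays($DaysAhead)

$report = foreach ($app in Get-MgApplication -All -Property Id,AppId,DisplayName,KeyCredentials,PasswordCredentials) {
    # Certificates (KeyCredentials) and client secrets (PasswordCredentials) are checked the same way.
    $creds = @()
    $creds += $app.KeyCredentials      | ForEach-Object { [pscustomobject]@{ Type = 'Certificate'; Cred = $_ } }
    $creds += $app.PasswordCredentials | ForEach-Object { [pscustomobject]@{ Type = 'Secret';      Cred = $_ } }

    foreach ($c in $creds) {
        $end = $c.Cred.EndDateTime
        if ($null -eq $end) { continue }
        $status = if ($end -lt $now) { 'Expired' } elseif ($end -lt $cutoff) { 'ExpiringSoon' } else { 'OK' }
        if ($status -eq 'OK') { continue }

        [pscustomobject]@{
            DisplayName = $app.DisplayName
            AppId       = $app.AppId   # client ID; distinct from the object ID below
            ObjectId    = $app.Id
            CredType    = $c.Type
            CredName    = $c.Cred.DisplayName
            KeyId       = $c.Cred.KeyId
            EndDateTime = $end
            DaysLeft    = [math]::Floor(($end - $now).TotalDays)   # negative when already expired
            Status      = $status
        }
    }
}

$report | Sort-Object EndDateTime | Export-Csv -Path $CsvPath -NoTypeInformation
$report | Format-Table DisplayName, CredType, Status, DaysLeft, EndDateTime -AutoSize
```

Run it on a schedule and alert on any row with Status 'Expired' or 'ExpiringSoon' so an automation account never silently loses its credential.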

Requirements

  • Runs on PowerShell (only tested on Windows).
  • Uses the Microsoft Graph PowerShell module (https://learn.microsoft.com/en-us/powershell/microsoftgraph/installation?view=graph-powershell-1.0).
  • Needs a Global Admin account or (….)

Installation:

  • Install the required PowerShell module: Install-Module -Name Microsoft.Graph
  • Extract the ZIP file to a scripts folder, e.g. “c:\scripts\appregmgr”.
  • Execute the script.

You can download the second (v2) version here.

.REVISIONS
2024_v02 – Update: the Object ID was exported instead of the AppID. Fixed.
2024_v01 – First release.

Azure VPN – Point to Site – Part 2/2

Welcome to part 2 of the Azure VPN blog; you can find part 1 here. This part explains how to configure Azure VPN with Always On, Azure Active Directory authentication and MFA. This lets a modern managed, Azure AD joined Windows 10 workplace connect securely to the Azure network and, if required and a route back to on-premises exists, to the on-premises network as well.


Azure AD – Directory Roles – Where are you?

Today I noticed something strange. I am scripting with the AzureAD PowerShell module against Azure AD. I have created a script that creates a Service Principal (SPN) with the Directory Readers role. This worked perfectly in my old trial/demo tenant and in customer tenants.

Last week I had to recreate my test lab environment because the licenses expired (I use 1-year demo tenants). Today I tried to create the SPN with the previously created PowerShell script and add the Directory Readers role.

The script errored out at this line:
Add-AzureADDirectoryRoleMember -ObjectId (Get-AzureADDirectoryRole | Where-Object {$_.DisplayName -eq "Directory Readers"}).ObjectId -RefObjectId $sp.ObjectId

I then opened a new PowerShell window, signed in to the same tenant with Connect-AzureAD using my Global Admin account, and ran: Get-AzureADDirectoryRole

According to this command there are only two directory roles in the tenant.
