Some ramblings around Continuous access evaluation, support for Graph and service principals

Does the Graph resource support Continuous Access Evaluation? How exactly are long-lived CAE tokens issued, and is it worth it to accept some additional risk as a tradeoff? But most importantly, beware of scenarios where CAE-capable service principal is compromised, as the advertised support for revocation seems to be a bit shady! …

Continue readingSome ramblings around Continuous access evaluation, support for Graph and service principals

How to manage Entra ID delegate permissions for specific users

In this article, we will detail how to manage delegate permissions (OAuth2PermissionGrant) for any Entra ID integrated application on a per-user basis via the Graph API or the Graph SDK for PowerShell. With this knowledge at hand, you should never have to add tenant-wide consents again! …

Continue readingHow to manage Entra ID delegate permissions for specific users

Remove user from all Microsoft 365 groups and roles (and more) via the Graph API (non-interactive)

A PowerShell script to remove user, or a set of users, from all groups they are a member of by using the Graph API methods. You can leverage the additional parameters of the script in order to also remove any directory role assignments, ownership assignments and delegate permission grants. The script supports Microsoft 365 Groups, Entra Security Groups, Exchange Distribution Groups and Mail-Enabled security groups. …

Continue readingRemove user from all Microsoft 365 groups and roles (and more) via the Graph API (non-interactive)