Reporting on Entra ID integrated applications (service principals) and their permissions

In this article, we are presenting you with an update version of the PowerShell script to report on Entra ID service principal objects and their properties and permissions. In addition, a version of the script running on the Graph SDK for PowerShell is also provided, for usage with delegate permissions. …

Continue readingReporting on Entra ID integrated applications (service principals) and their permissions

Script to review and remove service principal credentials

Last week, we explored Entra ID’s app instance property lock feature. As part of the process, we examined one possible way that bad actors could take advantage of the convoluted nature of working with multi-tenant applications within Microsoft 365 and their in-tenant representation, the service principal. As the app instance …

Continue readingScript to review and remove service principal credentials

We can finally report on last successful login timestamp in Entra ID

Today’s article will be a short one. In a small, but meaningful update, Microsoft has released a new addition to the signInActivity resource, which allows us to determine the last time a given user was able to sign in successfully to the service (“last successful login timestamp”). Until recently, we …

Continue readingWe can finally report on last successful login timestamp in Entra ID

Protect your multi-tenant applications from being hijacked by admins in the customer tenant

In this article, we demonstrate a somewhat convoluted method used by bad actors to obtain persistence and execute operations in the context of Entra ID multi-tenant applications, as well as the steps Microsoft is taking to address the issue. As the solution only covers part of the story, a follow up article and a PowerShell script will be needed to address it. …

Continue readingProtect your multi-tenant applications from being hijacked by admins in the customer tenant

Non-existent users show up in SignInActivity data (or how logs continue to disappoint)

Spotting some strange entries in the output of a Graph SDK cmdlet leads us down the rabbit hole of troubleshooting “missing” GUIDs in Entra ID. Or how SignInActivity data for users’ access to other tenants is collected …

Continue readingNon-existent users show up in SignInActivity data (or how logs continue to disappoint)