Automating a Monthly Azure Update Compliance Report with Logic Apps + Azure Resource Graph

Most patching dashboards are great for interactive views—but what if your stakeholders want a scheduled email that shows the current patch compliance for only a scoped set of servers (for example, those tagged for patch governance)? That’s where a small, reliable custom report shines.

In this post I’ll walk through the exact solution I built: a Logic App that queries Azure Update Manager data via Azure Resource Graph (ARG), filters to VMs tagged Monthly_Patch : yes, formats the results into a clean HTML email, and sends it on a monthly cadence.

Why a custom report?

  • No native email report: Azure Update Manager provides blades and workbooks, but not a ready-to-send, nicely formatted email.
  • Audience-specific scoping: We only want to report on VMs with a specific business tag (Monthly_Patch : yes).
  • Consistent sorting & formatting: Stakeholders wanted alphabetical order, readable timestamps, color-coded rows, and centered table content.
  • Lightweight & fast: With ARG we can query Update Manager resources directly—no Log Analytics workspace required for this report.

Creating a Self-Signed Certificate for Azure

When it comes to configuring applications or services that require SSL/TLS communication, having a self-signed certificate for testing or development purposes becomes almost indispensable. This is even more relevant when you’re dealing with services on Azure, where security is paramount.

Today, I’ll walk you through a PowerShell script that not only creates a self-signed certificate but also exports it in both .pfx and .cer formats.

Setting the Scene

Let’s start by defining some custom variables:

$friendlyName = "Azure SelfSigned Cert Name"
$subjectName = "CertificateName"
$certStorePath = "cert:\LocalMachine\My"
$exportPath = "C:\Temp\"
# Placeholder only: do not leave a real password in the script file
$passwordPlainText = "YourPasswordHere"

Here, $friendlyName is a descriptor for your certificate. $subjectName will serve as the Common Name (CN) for the certificate, and $certStorePath specifies the certificate store location in your system. Finally, $exportPath indicates where you want to save your certificate, and $passwordPlainText will be the password for your .pfx file.
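
One way a script built on these variables can create and export the certificate, shown as an added example that is not the original post's script. The key size, hash algorithm, one-year validity and the Read-Host prompt that stands in for $passwordPlainText are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example. The four values below mirror the post's variables; the rest is assumed.
$friendlyName  = "Azure SelfSigned Cert Name"
$subjectName   = "CertificateName"
$certStorePath = "cert:\LocalMachine\My"
$exportPath    = "C:\Temp\"

# Prompt for the .pfx password so it never sits in the script as plain text.
$pfxPassword = Read-Host -Prompt "Password for the .pfx file" -AsSecureString

# Create the certificate in the chosen store (assumed: RSA 2048, SHA-256, 1 year).
$cert = New-SelfSignedCertificate `
    -Subject "CN=$subjectName" `
    -FriendlyName $friendlyName `
    -CertStoreLocation $certStorePath `
    -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
    -KeyExportPolicy Exportable `
    -NotAfter (Get-Date).AddYears(1)

if (-not (Test-Path $exportPath)) {
    New-Item -ItemType Directory -Path $exportPath | Out-Null
}
$pfxFile = Join-Path $exportPath "$subjectName.pfx"
$cerFile = Join-Path $exportPath "$subjectName.cer"

# .pfx = certificate plus private key, protected by the password.
Export-PfxCertificate -Cert $cert -FilePath $pfxFile -Password $pfxPassword | Out-Null
# .cer = public certificate only, with no private key material.
Export-Certificate -Cert $cert -FilePath $cerFile | Out-Null

"Thumbprint: $($cert.Thumbprint)"
"Exported:   $pfxFile, $cerFile"
```

The .pfx file carries the private key, so it needs the same handling as any other secret; the .cer file can be shared freely.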

Streamlining Role Management in Azure AD with PowerShell and Microsoft Graph

In today’s rapidly evolving IT ecosystem, effective role management is key. This is especially true for large organisations where managing roles for individual users can quickly become overwhelming. For businesses that leverage Microsoft Azure, there are robust tools at hand that can dramatically simplify and automate these intricate tasks. Among these tools, PowerShell in conjunction with Microsoft Graph stands out for its administrative efficiency.

In this blog post, we’re going to guide you through the process of crafting a PowerShell script that utilises Microsoft Graph to identify a specific Azure AD group and remove all roles assigned directly to all group members. Let’s get started!

Preparations

Before we dive in, there are a few prerequisites to note. Firstly, ensure that you have the Microsoft Graph PowerShell SDK installed. If not, use the Install-Module -Name Microsoft.Graph command in your PowerShell to add it.

Next, establish a connection to Microsoft Graph by using the Connect-MgGraph cmdlet.

Finally, remember to tread carefully when modifying user permissions. Scripts that implement bulk changes can be particularly powerful, but also potentially disruptive if not properly managed. It’s always wise to run tests with a small number of users before applying changes across an entire group.
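
A sketch of the approach described above, written as an added example rather than the original post's script. The group name and the -Apply switch are hypothetical, the requested scopes are an assumption, and only active directory role assignments made directly to user members are covered (PIM-eligible assignments are not).

```powershell
# Added example, not the original post's script. Assumes Microsoft.Graph is installed.
param(
    [string]$GroupName = "Example-Group",   # hypothetical group display name
    [switch]$Apply                          # without -Apply nothing is removed
)

Connect-MgGraph -Scopes "Group.Read.All", "RoleManagement.ReadWrite.Directory"

# Refuse to continue unless the name resolves to exactly one group.
$group = @(Get-MgGroup -Filter "displayName eq '$GroupName'")
if ($group.Count -ne 1) {
    throw "Expected exactly one group named '$GroupName', found $($group.Count)."
}

# Only user members; nested groups and service principals are skipped.
$users = Get-MgGroupMember -GroupId $group[0].Id -All |
    Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user' }

foreach ($user in $users) {
    # Assignments whose principal is the user itself, i.e. direct assignments.
    $assignments = Get-MgRoleManagementDirectoryRoleAssignment `
        -Filter "principalId eq '$($user.Id)'" -All
    foreach ($a in $assignments) {
        $role = Get-MgRoleManagementDirectoryRoleDefinition `
            -UnifiedRoleDefinitionId $a.RoleDefinitionId
        $line = "{0}  role={1}  scope={2}" -f `
            $user.AdditionalProperties['userPrincipalName'], $role.DisplayName, $a.DirectoryScopeId
        if ($Apply) {
            Remove-MgRoleManagementDirectoryRoleAssignment -UnifiedRoleAssignmentId $a.Id
            "REMOVED       $line"
        } else {
            "WOULD REMOVE  $line"
        }
    }
}
```

Run it without -Apply first and keep the output: it is both the review list for the change and the record needed to restore an assignment afterwards.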

Azure Function TimerTrigger1 failed due to timeout exception

Hello guys,

Today I’d like to share one of the issues that I had in Azure at one of the customers of the company I work for.

The customer has a script that turns VMs ON/OFF based on the time stated on the VM’s tag. For example, a VM has the tags “StartTime: 06:00” and “StopTime: 23:00”. This Azure Function runs every hour and compares the current time with the time stated on the VM’s tag; if the time matches, the VM is turned ON/OFF.

Everything was working very well, but when the customer decided to increase the number of tagged VMs, the Azure Function started returning a timeout error. We initially thought it was the “Consumption plan”, which by default has a timeout of 5 minutes. We changed the plan, which allowed unlimited timeout (1 hour recommended by MS). And yet the function continued to give the timeout error.

We decided to split the VMs with a trigger for each subscription (the initial Azure Function went through all subscriptions looking for the tag and comparing the time); it didn’t work either.

We raised a ticket with MS; it took several days of troubleshooting and nothing was found on the root cause of the problem. Then I decided to look deeper into the function code and realized that every time the function was executed and the script turned a VM ON/OFF, the function had a significant pause in between turning VMs ON/OFF.

So I decided to add -NoWait to the code, and guess what? It worked!! The timeout stopped happening and the function started to be executed in less than 2 minutes, even with several VMs being tagged.

Initial code: Start-AzVM -Name $vm.Name -ResourceGroupName $vm.ResourceGroupName

Final code: Start-AzVM -Name $vm.Name -ResourceGroupName $vm.ResourceGroupName -NoWait

P.S. I don’t want to share the whole code, as I took it from the customer environment.

Apparently the function worker was waiting for a return from the previous command (Stop or Start the tagged VM), but in some cases the return wasn’t happening and the function was getting stuck.

The moment I added the command to ignore the return (-NoWait), the function started working perfectly again.

That’s all for today guys, see you later!

Joao Costa
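
The pattern the post describes, as an added example that is not the customer's code. The tag names come from the post; the Get-VmAction helper, the match-on-the-hour rule and the time-zone handling are assumptions.

```powershell
# Added example, not the customer's code. Tag names follow the post; the rest is assumed.
function Get-VmAction {
    param([System.Collections.IDictionary]$Tags, [datetime]$Now)
    if (-not $Tags) { return $null }
    # Assumption: tags hold "HH:mm" and the function runs hourly, so match on the hour.
    $hour  = $Now.ToString('HH')
    $start = $Tags['StartTime']
    $stop  = $Tags['StopTime']
    if ($start -match '^\d{2}:\d{2}$' -and $start.Substring(0, 2) -eq $hour) { return 'Start' }
    if ($stop  -match '^\d{2}:\d{2}$' -and $stop.Substring(0, 2)  -eq $hour) { return 'Stop' }
    return $null
}

# Constructed sample: the decision logic can be checked without touching Azure.
$sample = @{ StartTime = '06:00'; StopTime = '23:00' }
if ((Get-VmAction -Tags $sample -Now ([datetime]'2024-01-01 06:10')) -ne 'Start') { throw 'self-check failed' }
if ((Get-VmAction -Tags $sample -Now ([datetime]'2024-01-01 23:05')) -ne 'Stop')  { throw 'self-check failed' }
if ($null -ne (Get-VmAction -Tags $sample -Now ([datetime]'2024-01-01 12:00')))   { throw 'self-check failed' }

$now = Get-Date   # assumption: tag times are in the Function App's time zone
foreach ($vm in Get-AzVM) {
    $rg = $vm.ResourceGroupName
    switch (Get-VmAction -Tags $vm.Tags -Now $now) {
        # -NoWait submits the operation and returns at once instead of blocking
        # the worker until each VM has finished starting or deallocating.
        'Start' {
            Start-AzVM -Name $vm.Name -ResourceGroupName $rg -NoWait | Out-Null
            "Start requested: $($vm.Name)"
        }
        'Stop' {
            Stop-AzVM -Name $vm.Name -ResourceGroupName $rg -Force -NoWait | Out-Null
            "Stop requested: $($vm.Name)"
        }
    }
}
```

With -NoWait the function only learns that Azure accepted the request, so a start or stop that fails later goes unreported; checking the power state with Get-AzVM -Status on a later run closes that gap.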