Microsoft Graph – Get Practical

Designing Safe Azure App Registration Secret Rotation (With Guardrails)

Automating Azure App Registration secret rotation is often discussed as a best practice, but implementing it safely is where the real challenge begins.

In many Azure environments, client secrets are stored in Azure Key Vault, expiry alerts are configured, and operational processes are defined. From a governance perspective, everything appears under control.

But monitoring secret expiration is not the same as designing a safe, deterministic rotation model.

Recently, I worked with a customer who had a mature Azure environment.

They had:

Azure Key Vault properly configured
Monitoring in place for secret expiry
Clear ownership of application registrations
Good operational discipline

So this wasn’t a “wild west” environment.

The problem was different.

Continue reading “Designing Safe Azure App Registration Secret Rotation (With Guardrails)”

Extracting the Last Sign-In Date in Azure (Entra ID) with Microsoft Graph PowerShell

As a Cloud Engineer, I’m always looking for ways to automate processes and streamline the management of our Azure environment. Recently, a customer approached me with a challenge: they needed to extract the last sign-in date for every user in their tenant. Although the Entra ID portal provides this information, the customer required it in a CSV format so that their security team could review the data, collaborate with user managers, and determine if certain accounts were still needed.

The Challenge

The customer needed a consolidated CSV report that contained each user’s:

Display Name
User Principal Name
Email Address
Last Sign-In Date
Manager Information (which includes the manager’s display name and email)

Although the Entra ID portal displays sign-in data, it has its limitations:

Data Extraction vs. Portal View

While the Entra ID portal provides sign-in data, having it in CSV format enables deeper analysis and easier sharing among teams. This approach consolidates all the required information into one single report. Currently, the portal doesn’t allow you to add a manager column in the view, meaning that extracting manager details would otherwise be an extremely manual process.

Continue reading “Extracting the Last Sign-In Date in Azure (Entra ID) with Microsoft Graph PowerShell”

Setting Up Custom Security Attributes with Microsoft Graph in Azure

So, you’ve probably heard about custom security attributes in Azure AD, right? If not, let me break it down for you. Azure AD lets the cool tech folks (like you and me) craft our own attributes in the directory. Think of it as putting a custom sticker or label on certain users. Maybe you’ve got people working in specific departments or on particular projects? These custom attributes are like those name tags at networking events but way less awkward. And the best part? These can be a game-changer when you’re setting up stuff like conditional access policies.

Before diving deep, you’ll need the Microsoft.Graph module. It’s your gateway to all things Microsoft Graph when you’re in the PowerShell realm.

Alright, setting up a custom attribute. Graph isn’t going to hand-deliver this one, but here’s a workaround:

# First things first, connect to Graph
Connect-MgGraph

# Details for our new attribute
$attributeDetails = @{
     id = “customExtension_DepartmentCode”
     dataType = “String”
     targetObjects = [“User”]
} | ConvertTo-Json

# Now, make it real
Invoke-MgGraphRequest -Method POST -Uri “https://graph.microsoft.com/v1.0/schemaExtensions” -Body $attributeDetails

Continue reading “Setting Up Custom Security Attributes with Microsoft Graph in Azure”