Skip to content

Enterprise Mobility + Security


Howdy folks!

Happy Friday to all of you! Just got back from an awesome RSA Conference. Thanks to all of you who stopped by our booth to chat!

Today Mark and team have whipped up an Azure AD Mailbag that answers some of the most frequent PowerShell questions Azure AD Admins have.

Have a great weekend,

Alex Simons (Twitter: @Alex_A_Simons)

Director of Program Management

Microsoft Identity Products and Services

—————————————-

Hey y’all,

Mark Morowczynski here with our Friday mailbag. It’s been an exciting week and we thought we’d cap it off with some more quick PowerShell tips and tricks. We’ve also added GraphAPI as well. If you haven’t started to learn that yet you really should. As always if there are topics and areas you’d like us to cover let us know on Twitter at @AzureAD, @MarkMorow and @Alex_A_Simons. On to the questions.

Question: In your PowerShell tips and trick post (http://blogs.technet.com/b/ad/archive/2016/01/08/azure-ad-mailbag-powershell-tips-and-tricks.aspx) you showed how to find “Guest” user in the directory using PowerShell. Can I do this via the GraphAPI?

Answer: Yes! You’ll want to change the userType attribute to “Guest” see more at https://msdn.microsoft.com/en-us/Library/Azure/Ad/Graph/api/entity-and-complex-type-reference#EntityreferenceUserEntity

Question: Is there a way in PowerShell to get the GUID of my Azure AD Tenant?

Answer: You’ll want to use the Get-MSOLCompanyInformation | select objectID. For more info https://msdn.microsoft.com/en-us/library/dn194126.aspx

Question: Is there a way in the GraphAPI to see what users and groups are assigned to a specific application?

Answer: Yes you’ll want to check out the AppRoleAssignment entity. https://msdn.microsoft.com/Library/Azure/Ad/Graph/api/entity-and-complex-type-reference#AppRoleAssignmentEntity

Question: Is there a way via PowerShell to get a report of what users have Azure AD Premium or EMS licenses assigned?

Answer: Yes. It’s all inside Get-MsolUser. This should help.

Get-MsolUser -All | where {$_.isLicensed -eq $True} | Select-Object -Property UserPrincipalName -ExpandProperty Licenses | ft UserPrincipalName,AccountSKUId

Question: I’ve recently attended one of the Azure AD Webinars on MFA and the speaker talked about turning on MFA for administrative accounts. How can I require my Global Admins to require MFA and still use PowerShell to do administration?

Answer: Yep, you’ll want to try the latest version of PowerShell we talked about at

https://blogs.technet.microsoft.com/ad/2015/10/20/azure-ad-powershell-public-preview-of-support-for-azure-mfa-new-device-management-commands/. To see all release history, see http://social.technet.microsoft.com/wiki/contents/articles/28552.microsoft-azure-active-directory-powershell-module-version-release-history.aspx

We hope you’ve found this post and this series to be helpful. For any questions you can reach us at
AskAzureADBlog@microsoft.com, the Microsoft Forums and on Twitter @AzureAD, @MarkMorow and @Alex_A_Simons

-Mark Morowczynski and Shane Oatman