Introduction

A shared mailbox allows multiple users to send and receive emails from a common address, making collaboration easier for teams. This guide walks you through creating a shared mailbox, assigning permissions, and verifying settings using PowerShell.

Using PowerShell provides faster and more efficient management, especially when handling multiple mailboxes.

---

🔹 Step 1: Connect to Microsoft 365 PowerShell

Before creating the shared mailbox, connect to Exchange Online.

Run the following command:

powershellCopyEditConnect-ExchangeOnline -UserPrincipalName [email protected]

📌 Replace [email protected] with your admin account email.

---

🔹 Step 2: Create the Shared Mailbox

Use this PowerShell command to create a shared mailbox:

powershellCopyEditNew-Mailbox -Shared -Name "TeamMailbox" -DisplayName "Team Shared Mailbox" -PrimarySmtpAddress "[email protected]"

📌 Replace "TeamMailbox" and "[email protected]" with your preferred mailbox name and email address.

---

🔹 Step 3: Assign Permissions

Once the mailbox is created, grant access to specific users.

Grant Full Access (Allows users to manage the mailbox)

powershellCopyEditAdd-MailboxPermission -Identity "[email protected]" -User "[email protected]" -AccessRights FullAccess -InheritanceType All

Grant Send As Permission (Allows users to send emails from the shared mailbox)

powershellCopyEditAdd-RecipientPermission -Identity "[email protected]" -Trustee "[email protected]" -AccessRights SendAs -Confirm:$false

📌 Replace "[email protected]" with the email of the user who needs access.

---

🔹 Step 4: Verify the Shared Mailbox and Permissions

Once configured, verify that the mailbox exists and has the correct settings.

Check Mailbox Details

powershellCopyEditGet-Mailbox -Identity "[email protected]" | Format-List DisplayName,PrimarySmtpAddress,RecipientTypeDetails

List Users with Full Access

powershellCopyEditGet-MailboxPermission -Identity "[email protected]" | Where-Object { $_.AccessRights -eq "FullAccess" -and $_.User -notlike "NT AUTHORITY\SELF" } | Select-Object User,AccessRights

List Users with Send As Permission

powershellCopyEditGet-RecipientPermission -Identity "[email protected]" | Where-Object { $_.AccessRights -eq "SendAs" } | Select-Object Trustee,AccessRights

---

🔹 Step 5: Confirm the Shared Mailbox in Microsoft 365

You can also check the mailbox in Microsoft 365 Admin Center:

1️⃣ Sign in to Microsoft Admin Center.
2️⃣ Go to Exchange Admin Center → Recipients → Shared.
3️⃣ Locate the mailbox and confirm the settings.

---

🚀 Conclusion

By following these steps, you can create, manage, and verify a shared mailbox using PowerShell.

✔ No license required
✔ Centralized team email management
✔ Easier collaboration

💬 How do you manage shared mailboxes in your organization? Share your best practices in the comments below! ⬇️

© 2012–2025 Jet Mariano. All rights reserved.
For usage terms, please see the Legal Disclaimer.

Introduction VMware PowerCLI is a powerful tool that allows administrators to manage VMware environments using PowerShell. Whether you need to create virtual machines, check resource usage, or troubleshoot storage capacity, PowerCLI provides a streamlined approach to VMware management. Below is a guide to setting up PowerCLI and using essential commands for day-to-day VMware administration.

---

Step 1: Install and Import VMware PowerCLI

Before running VMware-related PowerShell commands, ensure that VMware PowerCLI is installed on your system.

Install-Module -Name VMware.PowerCLI -Scope CurrentUser -Force

After installation, import the module:

Import-Module VMware.PowerCLI

If you encounter SSL/TLS certificate warnings while connecting, configure PowerCLI to ignore invalid certificates:

Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -Confirm:$false

---

Step 2: Connect to vCenter Server

To manage your VMware environment, you need to authenticate with vCenter:

Connect-VIServer -Server <Your-VCenter-Server> -User <Your-Admin-User> -Password '<Your-Password>'

Once connected, you can retrieve information about your virtual infrastructure.

---

Step 3: List VMware Hosts

To view all available VMware hosts:

Get-VMHost

This provides a list of all ESXi hosts, their connection status, and available resources.

---

Step 4: Retrieve Virtual Machines

To get a list of all VMs in the environment:

Get-VM

For details of a specific VM:

Get-VM -Name <VM-Name>

---

Step 5: Checking vSAN Datastore Usage

One common challenge in VMware environments is monitoring vSAN datastore usage. To check storage space:

Get-VsanSpaceUsage -Cluster <Your-Cluster-Name>

To calculate the percentage of used space, run:

$vsanUsage = Get-VsanSpaceUsage -Cluster <Your-Cluster-Name>
$usedPercentage = 100 - (($vsanUsage.FreeSpaceGB / $vsanUsage.CapacityGB) * 100)
"vSAN Datastore is currently {0:N2}% full" -f $usedPercentage

---

Step 6: Creating a New Virtual Machine

If you need to create a new VM:

New-VM -Name <VM-Name> -VMHost <Host-Name> -Datastore <Datastore-Name> -DiskGB 50 -MemoryGB 4 -NumCPU 2

This command creates a VM with 50GB disk, 4GB RAM, and 2 CPUs.

---

Step 7: Cloning an Existing Virtual Machine

To create a clone of an existing VM:

New-VM -Name <New-VM-Name> -VM <Source-VM-Name> -Datastore <Datastore-Name> -VMHost <Target-Host>

---

Step 8: Managing VM Power States

To power on a VM:

Start-VM -VM <VM-Name>

To shut down a VM:

Stop-VM -VM <VM-Name> -Confirm:$false

To restart a VM:

Restart-VM -VM <VM-Name> -Confirm:$false

---

Step 9: Deleting a Virtual Machine

If a VM is no longer needed, you can remove it permanently:

Remove-VM -VM <VM-Name> -DeletePermanently -Confirm:$false

---

Step 10: Checking for Leftover Files in vSAN

Even after deleting a VM, some files may remain in the datastore. You can check for orphaned files:

Get-Datastore -Name <Datastore-Name> | Get-ChildItem -Recurse | Where-Object { $_.Name -like "*<VM-Name>*" }

To manually remove leftover files:

Remove-Item -Path "vmstore:\<Datastore-Name>\FolderName\<VM-Name>.vmdk" -Confirm:$false

---

Final Thoughts

Using PowerCLI to manage VMware environments improves efficiency and automation. Whether you need to monitor vSAN usage, create new VMs, or automate backups, PowerCLI provides a flexible solution. Keep this guide handy for reference as you work with VMware environments.

Have any useful PowerCLI commands that you frequently use? Share them in the comments below! 🚀

© 2012–2025 Jet Mariano. All rights reserved.
For usage terms, please see the Legal Disclaimer.

Introduction

Phishing attacks are one of the most common cybersecurity threats that IT administrators face. A single click on a malicious email link can lead to credential theft, data exfiltration, or malware infections.

This guide provides a step-by-step approach to investigating and securing a potentially compromised account in Microsoft 365 using PowerShell and the Microsoft Security Portal.

---

🔹 Immediate Response: Disconnect & Secure the Affected Computer

Before investigating, act fast to prevent further damage:

1️⃣ Shut down the compromised computer immediately.
2️⃣ Disconnect from the network (unplug Ethernet, disable Wi-Fi).
3️⃣ Reset the password for the affected user.
4️⃣ Revoke all active sessions to log out any potential attacker.

PowerShell Command to Revoke Sessions:

powershellCopyEditRevoke-AzureADUserAllRefreshToken -ObjectId "[email protected]"

Reset MFA to Prevent Unauthorized Re-Login:

powershellCopyEditReset-MsolStrongAuthenticationMethodByUpn -UserPrincipalName "[email protected]"

---

🔹 Step 1: Check for Unauthorized Sign-ins in Azure AD

Use Azure AD Sign-in Logs to check for suspicious login attempts.

PowerShell Command to Retrieve Sign-in Logs:

powershellCopyEditConnect-AzureAD
Get-AzureADAuditSignInLogs -Filter "status/errorCode ne '0'"

✅ Alternative:

• Go to Microsoft Security Portal
• Navigate to: Azure AD Sign-in Logs

🔍 Red Flags:

🚩 Logins from unexpected locations or devices
🚩 Multiple failed MFA attempts
🚩 Impossible travel scenarios (e.g., two logins from different continents within minutes)

---

🔹 Step 2: Investigate Phishing Emails Across the Organization

If an attacker sent phishing emails to multiple employees, run a Compliance Search to identify all affected mailboxes.

PowerShell Command to Search All Mailboxes for Suspicious Emails:

powershellCopyEditNew-ComplianceSearch -Name "CompanyPhishingScan" -ExchangeLocation All -ContentMatchQuery 'has:attachment OR has:link'
Start-ComplianceSearch -Identity "CompanyPhishingScan"

Check Results:

powershellCopyEditGet-ComplianceSearch -Name "CompanyPhishingScan" | Select Name, Status, Items

If Phishing Emails Are Found, Remove Them:

powershellCopyEditNew-ComplianceSearchAction -SearchName "CompanyPhishingScan" -Purge -PurgeType SoftDelete

🚨 Use HardDelete only if emails must be permanently removed.

---

🔹 Step 3: Check & Remove Hidden Forwarding Rules

Attackers often set up automatic forwarding to steal emails.

Check for Forwarding Rules:

powershellCopyEditGet-Mailbox -Identity "[email protected]" | Select ForwardingAddress, ForwardingSmtpAddress

Disable Auto-Forwarding if Found:

powershellCopyEditSet-Mailbox -Identity "[email protected]" -ForwardingAddress $null -ForwardingSmtpAddress $null

---

🔹 Step 4: Scan the Compromised Computer Before Reconnecting

Since a phishing link was clicked, scan the system for malware before reconnecting to the network.

Offline Windows Defender Scan:

powershellCopyEditStart-MpScan -ScanType FullScan

If Threats Are Found, Remove Them:

powershellCopyEditRemove-MpThreat -AllThreats

For a Deep Rootkit Scan, Use Windows Defender Offline:

powershellCopyEditStart-MpWDOScan

✅ This will restart the system and scan before Windows boots.

---

🔹 Step 5: Implement Long-Term Protection Measures

✅ Enable Safe Links & Safe Attachments in Microsoft Defender

• Safe Links: Blocks phishing links before users click them.
• Safe Attachments: Scans email attachments for malware before delivery.

Enable Safe Links Policy:

powershellCopyEditSet-SafeLinksPolicy -Identity "Default" -EnableSafeLinks $true -TrackClicks $true

Enable Safe Attachments Policy:

powershellCopyEditSet-MalwareFilterPolicy -Identity "Default" -EnableSafeAttachmentsForMail $true

---

✅ Educate Users on Phishing Awareness

🔹 Enable the “Report Message” button in Outlook so employees can easily flag suspicious emails.
🔹 Train employees to recognize phishing emails:
✔ Unexpected links
✔ Urgent language
✔ Sender impersonation

---

🚀 Final Wrap-Up: Is the Account and System Secure?

✔ Account fully secured: No unauthorized logins, MFA reset, all active sessions revoked.
✔ Email threats removed: No phishing emails remain in any mailbox.
✔ PC scanned and clean: No malware detected before reconnecting.
✔ Long-term protections enabled: Safe Links, Safe Attachments, user education.

✅ By following these steps, IT admins can quickly contain and prevent phishing incidents in Microsoft 365! 🚀

---

💬 What’s Next?

How does your organization handle phishing attacks? Share your best practices in the comments below! ⬇️

© 2012–2025 Jet Mariano. All rights reserved.
For usage terms, please see the Legal Disclaimer.

If you’re an IT professional or cloud enthusiast, you’ve likely used PowerShell to manage Azure resources. But did you know there’s a better way? Azure Cloud Shell offers a streamlined, cloud-based command-line experience that makes managing Azure easier than ever.

---

🚀 What is Azure Cloud Shell?

Azure Cloud Shell is a browser-based command-line tool that lets you manage Azure resources without the need to install or configure anything on your local machine. It supports both PowerShell and Bash, giving you flexibility depending on your workflow.

---

🔥 Why Use Azure Cloud Shell Over Local PowerShell?

✅ Pre-installed Azure Modules – No need to manually install or update Az PowerShell modules. ✅ Persistent Environment – Your session and files persist across devices. ✅ Works on Any OS – Since it’s browser-based, you can use it on Windows, Mac, or Linux. ✅ Built-in Authentication – No need to repeatedly sign in to Azure. ✅ Seamless Access to Azure Resources – Direct integration with your Azure subscriptions. ✅ Supports Both Bash & PowerShell – Choose the scripting environment that works best for you.

---

🔎 How to Access Azure Cloud Shell

1. Go to the Azure Portal: Open portal.azure.com.
2. Locate the Cloud Shell Icon: Look for the PowerShell logo (or the Bash icon) at the top-right of the screen.
3. Click to Launch: This will open a terminal at the bottom of the Azure Portal.
4. Sign In with Your Credentials: If prompted, sign in to Azure.
5. Authenticate: If needed, go to Microsoft Device Login and enter the code displayed.

---

🔧 Basic Azure Cloud Shell Commands to Get Started

🔹 Check Your Active Subscription

Get-AzContext  # Displays your current subscription

🔹 List All Azure Subscriptions

Get-AzSubscription  # Shows all available subscriptions

🔹 List All Resource Groups

Get-AzResourceGroup  # Displays all resource groups in your active subscription

🔹 List All Virtual Machines

Get-AzVM  # Lists all VMs in your subscription

🔹 Check Azure AD Users

Get-AzADUser -First 10  # Retrieves the first 10 users in Azure AD

🔹 Manage Storage Accounts

Get-AzStorageAccount  # Lists all storage accounts in your subscription

---

⚡ Why IT Admins Love Azure Cloud Shell

Azure Cloud Shell makes it easier to manage Azure environments without worrying about PowerShell version mismatches or module updates. It’s accessible from anywhere, even on a mobile device, making it a go-to tool for IT admins who need quick access to their cloud resources.

---

💡 Final Thoughts

If you’re still using local PowerShell to manage Azure, it’s time to upgrade your workflow. Azure Cloud Shell offers convenience, security, and efficiency—all without the hassle of local configurations.

Try it today and take your Azure management to the next level! 🚀

Windows updates can sometimes cause issues, especially when they force restarts or interfere with applications. This guide will show you how to remove pending updates to prevent Windows from installing them. These steps apply to both Windows 10 and Windows 11.

Step 1: Stop Windows Update Services

Before removing pending updates, you need to stop the Windows Update service.

Open Command Prompt (Admin) and run:

net stop wuauserv
net stop bits
net stop cryptsvc

Step 2: Delete Pending Updates

Once the services are stopped, delete the update files stored in SoftwareDistribution and WinSxS.

Command Prompt Method:

del /f /s /q C:\Windows\SoftwareDistribution\DataStore\* 
del /f /s /q C:\Windows\SoftwareDistribution\Download\* 
del /f /s /q C:\Windows\WinSxS\pending.xml

PowerShell Method:

Remove-Item -Path "C:\Windows\SoftwareDistribution\DataStore\*" -Force -Recurse
Remove-Item -Path "C:\Windows\SoftwareDistribution\Download\*" -Force -Recurse
Remove-Item -Path "C:\Windows\WinSxS\pending.xml" -Force

If access is denied to pending.xml, take ownership and modify permissions first:

takeown /f C:\Windows\WinSxS\pending.xml /A
icacls C:\Windows\WinSxS\pending.xml /grant Administrators:F

Then, retry deleting the file.

Step 3: Restart Windows Update Services

Once files are deleted, restart the Windows Update services:

net start wuauserv
net start bits
net start cryptsvc

Windows 11 Extra Step

On Windows 11, Tamper Protection in Windows Security may prevent modification of update files. If you encounter issues:

1. Open Windows Security
2. Navigate to Virus & Threat Protection > Manage Settings
3. Disable Tamper Protection temporarily
4. Follow the steps above and re-enable it after removal.

Conclusion

By following these steps, you can effectively remove pending Windows updates, preventing them from being installed. This is particularly useful for IT professionals managing production-critical systems.

Introduction In IT administration, managing Remote Desktop Protocol (RDP) sessions is essential to maintain system security and performance. Whether you need to log off a disconnected session or forcefully remove an active session, using Command Prompt (CMD) or PowerShell can streamline the process. This guide will walk you through the methods to list, disconnect, and remove RDP sessions.

---

Step 1: List Active RDP Sessions Before removing a session, you need to check which users are currently logged in. Run the following command in CMD:

query session /server:localhost

This will display all active and disconnected sessions along with their IDs.

Alternatively, in PowerShell, use:

qwinsta /server:localhost

Both commands provide the session ID required to log off a user.

---

Step 2: Log Off an RDP Session Once you have the session ID, you can log off a user session using CMD:

logoff <SessionID> /server:localhost

Example:

logoff 2 /server:localhost

This will terminate session ID 2.

In PowerShell, use:

rwinsta <SessionID>

Example:

rwinsta 2

This will remove session ID 2 from the system.

---

Step 3: Forcefully Remove a Stuck RDP Session If a session does not close properly, use this CMD command:

taskkill /F /IM mstsc.exe

This will forcefully terminate all remote desktop connections.

In PowerShell, use:

Stop-Process -Name mstsc -Force

This achieves the same result.

---

Conclusion Managing RDP sessions efficiently helps prevent resource exhaustion and unauthorized access. By using CMD or PowerShell, IT admins can quickly remove inactive or unresponsive RDP sessions, ensuring smooth operations. Bookmark these commands for future reference!

Introduction

Passing the AZ-104: Microsoft Azure Administrator exam requires hands-on experience with Azure services. This guide provides essential labs, PowerShell/CLI commands, and explanations of tricky concepts to help you prepare efficiently.

---

1️⃣ Compute (Virtual Machines & Availability)

Lab: Deploy a VM using PowerShell

New-AzVM -ResourceGroupName "TestRG" -Name "JetVM" -Location "EastUS" -Size "Standard_B2s" -Credential (Get-Credential)

✅ Key Concepts:

• VM Backup & Disaster Recovery → Use Azure Backup Vault.
• High Availability → Deploy VMs in Availability Zones.

---

2️⃣ Networking (VNETs, NSGs, VPNs, Peering)

Lab: Create a Virtual Network with Subnets and an NSG

New-AzVirtualNetwork -ResourceGroupName "TestRG" -Name "JetVNet" -Location "EastUS" -AddressPrefix "10.1.0.0/16"

✅ Key Concepts:

• VNet Peering vs VPN Gateway:
  • VNet Peering → Low latency, same region.
  • VPN Gateway → Cross-region, IPSec tunnels.

---

3️⃣ Storage (Blob, Files, Disks, Backups)

Lab: Create a Storage Account

New-AzStorageAccount -ResourceGroupName "TestRG" -Name "jetstorage01" -SkuName "Standard_LRS" -Location "EastUS"

✅ Key Concepts:

• Storage Tiers:
  • Hot → Frequent access
  • Cool → Infrequent access
  • Archive → Long-term storage, lowest cost

---

4️⃣ Identity & Access Management (IAM, RBAC, MFA)

Lab: Assign RBAC Role to a User

New-AzRoleAssignment -SignInName "<user-email>" -RoleDefinitionName "Reader" -Scope "/subscriptions/your-subscription-id"

✅ Key Concepts:

• RBAC vs Conditional Access:
  • RBAC → Controls Azure resources.
  • Conditional Access → Controls sign-in policies (MFA, device compliance).

---

5️⃣ Monitoring & Security (Azure Monitor, Defender for Cloud)

Lab: Set Up Alerts for High CPU Usage

New-AzMetricAlertRule -ResourceGroup "TestRG" -Name "CPUAlert" -TargetResourceId "/subscriptions/your-subscription-id/resourceGroups/TestRG/providers/Microsoft.Compute/virtualMachines/JetVM" -MetricName "Percentage CPU" -Threshold 80 -Operator GreaterThan -WindowSize 5m -EvaluationFrequency 1m

✅ Key Concepts:

• Azure Monitor vs Log Analytics:
  • Azure Monitor → Collects logs + metrics.
  • Log Analytics → Queries & analyzes logs.

---

🚀 Final Exam Prep Tips

✅ Hands-on practice in Azure Free Tier + Pluralsight Labs. ✅ Take full-length practice tests (MeasureUp, Tutorials Dojo). ✅ Master PowerShell/CLI for automation scenarios. ✅ Simulate exam conditions (time yourself, no distractions).

---

📌 Conclusion

By following these structured labs and understanding key concepts, you’ll be well-prepared to ace AZ-104. Keep practicing, and best of luck on your certification journey! 🚀

📝 Want more Azure tips? Follow my blog for more deep dives into Microsoft certifications and cloud solutions!

In modern IT environments, Cross-Tenant Synchronization (CTS) is essential for organizations managing multiple tenants in Microsoft Entra ID. It simplifies user provisioning, automates updates, and enhances collaboration across different organizations. However, one common challenge in CTS setups is the creation of multiple Microsoft Teams profiles instead of maintaining a single unified identity.

This issue occurs when organizations sync users between two or more tenants, but instead of retaining one Teams profile, users end up with duplicate profiles—causing confusion and workflow disruptions.

---

Why Do Users Get Multiple Teams Profiles?

There are several reasons why users might experience duplicate Teams profiles in a CTS environment. Below are the most common causes and recommended solutions.

---

1. B2B Collaboration vs. B2B Direct Connect

🔹 B2B Collaboration (traditional guest access) creates separate identities in each tenant, resulting in multiple Teams profiles.

🔹 B2B Direct Connect, on the other hand, allows seamless collaboration without generating separate guest accounts, helping to unify user identities across tenants.

✅ Solution: Enable B2B Direct Connect instead of B2B Collaboration to consolidate Teams profiles.

📌 Reference: B2B Direct Connect Overview

---

2. UPN and Email Address Mismatch

🔹 If a user’s User Principal Name (UPN) and email address don’t match across tenants, Teams may create a duplicate profile instead of linking the user’s existing profile.

🔹 Microsoft recommends matching UPNs with the primary SMTP address to ensure identity consistency across Entra ID and Teams.

✅ Solution: Align UPNs and primary email addresses across all tenants to avoid duplicate profiles.

📌 Reference: Plan and Troubleshoot UPN Changes in Microsoft Entra ID

---

3. Guest vs. Member Role in CTS

🔹 When users are synced into another tenant, they can be assigned as either Members or Guests.

🔹 If users are created as Guests, Teams may treat them as external users, resulting in a separate Teams profile.

✅ Solution: Configure Cross-Tenant Sync to assign synced users as Members instead of Guests to ensure a unified profile.

📌 Reference: Cross-Tenant Synchronization Overview

---

4. Microsoft Teams Cache Issues

🔹 In some cases, duplicate profiles persist due to cached credentials in Microsoft Teams.

✅ Solution: Clearing the Teams cache can force Teams to refresh user profiles, which may help resolve this issue.

📌 How to Clear Microsoft Teams Cache:

1. Windows:
   • Close Microsoft Teams.
   • Open Run (Win + R), type %appdata%\Microsoft\Teams, and hit Enter.
   • Delete all files inside the Teams folder.
   • Restart Teams.
2. Mac:
   • Quit Teams.
   • Open Finder > Go > Go to Folder and type ~/Library/Application Support/Microsoft/Teams.
   • Delete all contents in the Teams folder.
   • Restart Teams.
3. Mobile (iOS/Android):
   • Go to Settings > Apps > Microsoft Teams and clear cache/storage.

---

Final Thoughts

The multiple Teams profiles issue in Cross-Tenant Synchronization setups is primarily caused by B2B configuration settings, UPN mismatches, and role assignments.

By implementing:
✅ B2B Direct Connect,
✅ UPN and email address alignment,
✅ Assigning synced users as Members instead of Guests,
✅ Clearing Microsoft Teams cache when needed,

Organizations can reduce duplicate profiles in Microsoft Teams and create a seamless collaboration experience across tenants.

As Cross-Tenant Sync evolves, IT administrators should proactively monitor user identity behavior across tenants and leverage Microsoft Entra ID best practices to ensure a smooth and unified user experience.

Introduction

With the rise of remote work and cloud-based applications, organizations need secure and efficient ways to provide access to internal applications. Azure Application Proxy is a lightweight, cloud-based solution that allows users to access on-premises applications securely from anywhere without a VPN.

This blog will cover:
✅ What is Azure App Proxy?
✅ How it works
✅ Prerequisites for deployment
✅ Step-by-step setup using Azure Portal & PowerShell
✅ Best practices for security & performance

---

🔹 What is Azure Application Proxy?

Azure Application Proxy is a cloud-based service in Microsoft Entra ID (formerly Azure AD) that provides secure remote access to on-premises web applications.
✔ No VPN required – Reduces complexity & costs
✔ Single Sign-On (SSO) – Seamless authentication via Entra ID
✔ Secure & Scalable – Uses reverse proxy architecture
✔ Conditional Access Support – Controls access based on risk level

💡 Common Use Cases

🔹 Access legacy web apps from any device
🔹 Provide secure extranet access for partners
🔹 Replace traditional VPNs for application access
🔹 Enable remote access to intranet apps

---

🔹 How Does Azure App Proxy Work?

Azure App Proxy consists of two main components:

1. Application Proxy Service (Cloud-based)
   • Runs in Azure
   • Authenticates users via Entra ID
   • Sends requests to the on-premises connector
2. Application Proxy Connector (On-Premises Agent)
   • Installed inside the corporate network
   • Forwards authenticated requests to internal applications
   • Uses outbound traffic only (no firewall holes needed)

📌 Architecture Flow

1️⃣ User accesses app-protected URL
2️⃣ Azure App Proxy authenticates the user via Entra ID
3️⃣ Request is forwarded to the on-premises App Proxy Connector
4️⃣ Connector retrieves the response & sends it back via Azure Proxy

---

🔹 Prerequisites

Before deploying Azure App Proxy, ensure:
✅ Microsoft Entra ID (Azure AD) P1 or P2 license
✅ An on-premises Windows Server (2016+) to install the connector
✅ Outbound internet access on the connector server
✅ Domain-joined or cloud-hybrid environment (if using SSO)
✅ App must use HTTP/HTTPS (No TCP/UDP apps)

---

🛠️ Deploying Azure App Proxy

🔹 Step 1: Install Application Proxy Connector

📌 Run the following PowerShell command on your Windows Server:

powershellCopyEditInvoke-WebRequest -Uri https://aka.ms/aadappproxy -OutFile "AADAppProxyInstaller.exe"
Start-Process "AADAppProxyInstaller.exe" -ArgumentList "/quiet" -Wait

👉 Sign in with Global Admin credentials to register the connector.

Verify that the connector is running:

powershellCopyEditGet-Service | Where-Object { $_.DisplayName -match "Application Proxy Connector" }

---

🔹 Step 2: Register the Application in Azure

1️⃣ Sign into the Azure Portal
2️⃣ Go to Microsoft Entra ID → Enterprise Applications
3️⃣ Click New Application → On-premises Application
4️⃣ Set External URL (e.g., https://app.jetmariano.us)
5️⃣ Set Internal URL (e.g., http://internal-app-server.local)
6️⃣ Choose Pre-authentication method:
✔ Azure AD (Recommended) – Uses SSO & Conditional Access
✔ Passthrough – No authentication (use only if required)

---

🔹 Step 3: Configure Single Sign-On (SSO) (Optional)

If using SSO with Kerberos, configure:

powershellCopyEditSet-WebApplicationProxyApplication -Name "InternalApp" -BackendApplicationUrl "http://internal-app.local" -ExternalApplicationUrl "https://app.jetmariano.us" -ConnectorGroupID "ConnectorGroup1" -SSOType "KerberosConstrainedDelegation"

✅ This allows seamless authentication without repeated login prompts.

---

🔹 Step 4: Test & Secure the Application

🔹 Access your external URL and verify that it works.
🔹 Enable Conditional Access for added security.
🔹 Restrict access based on device compliance, location, MFA, etc.

---

🔒 Best Practices for Azure App Proxy

✔ Use Azure AD Pre-authentication – Avoid exposing internal apps
✔ Enable Conditional Access – Enforce MFA & compliance policies
✔ Monitor access logs – Track login attempts & potential threats
✔ Use HTTPS for internal apps – Encrypt traffic end-to-end
✔ Scale with multiple connectors – Ensure redundancy & load balancing

---

✅ Conclusion

Azure Application Proxy modernizes remote access by eliminating VPN dependencies and enhancing security with Azure AD SSO & Conditional Access.

🚀 Next Steps:
🔹 Explore Hybrid Azure AD Join for better identity management
🔹 Implement Privileged Access Management (PAM) for sensitive apps
🔹 Set up Azure AD Identity Protection to detect risk-based sign-ins

🔹 Have you implemented Azure App Proxy? Share your experience below! 💬

Introduction

Multi-Factor Authentication (MFA) is a crucial security measure in Microsoft Entra ID (formerly Azure AD) to protect against unauthorized access. However, users and administrators often encounter MFA lockout issues, preventing legitimate users from accessing their accounts. This can be due to device loss, incorrect configurations, or a lack of backup authentication methods.

In this blog, we will cover: ✅ Why MFA lockout happens
✅ How to reset MFA for users
✅ Bypass methods for emergency access
✅ Best practices to prevent future issues

---

🔍 Why Does MFA Lockout Happen?

MFA lockouts typically occur due to:

• Device Change – User loses access to their phone or resets their device
• Authenticator App Issues – User gets a new phone and doesn’t migrate the Authenticator app
• Phone Number Change – SMS authentication fails due to a new phone number
• Policy Restrictions – Conditional Access or legacy MFA settings prevent login
• MFA Throttling – Too many failed attempts lock out the user

---

🛠️ How to Reset MFA for a User

If a user is locked out, an Azure AD admin can reset their MFA settings. Here’s how:

🔹 Reset MFA via Microsoft Entra Admin Center

1. Sign in to Microsoft Entra Admin Center as an administrator.
2. Navigate to Users > All users
3. Search for the affected user and select them
4. Click Authentication methods > Require Re-register MFA
5. Have the user sign in again and set up MFA from scratch

---

🔹 Reset MFA Using PowerShell

Admins can reset MFA via PowerShell with Microsoft Graph PowerShell.

1️⃣ Connect to Microsoft Graph

powershellCopyEditConnect-MgGraph -Scopes "User.ReadWrite.All"

2️⃣ Find the user needing an MFA reset

powershellCopyEditGet-MgUser -UserId [email protected] | Select-Object DisplayName,UserPrincipalName,Id

3️⃣ Reset MFA settings for the user

powershellCopyEditRevoke-MgUserAuthenticationMethod -UserId [email protected]

4️⃣ Confirm the user is cleared of previous MFA methods

powershellCopyEditGet-MgUserAuthenticationMethod -UserId [email protected]

The user will now be prompted to re-enroll in MFA at their next login.

---

🚨 Emergency MFA Bypass Methods

In cases where users are locked out and immediate access is required, temporary workarounds can help.

1️⃣ Use a Temporary Access Pass (TAP)

A Temporary Access Pass (TAP) allows a user to log in without MFA for a limited time.

Enable TAP:

1. Go to Microsoft Entra Admin Center
2. Navigate to Users > Authentication Methods
3. Enable Temporary Access Pass policy

Issue a TAP for the user:

powershellCopyEditNew-MgUserAuthenticationTemporaryAccessPassMethod -UserId [email protected] -LifetimeInMinutes 30 -IsUsableOnce $true

The user can now sign in using the TAP and reset their MFA.

---

2️⃣ Add a Backup Authentication Method

If a user still has access to another sign-in method, add an additional MFA option.

Via Admin Portal:

1. Go to Users in Entra Admin Center
2. Select the user > Authentication methods
3. Click Add method and enter an alternate phone number or security key

Via PowerShell:

powershellCopyEditNew-MgUserAuthenticationPhoneMethod -UserId [email protected] -PhoneNumber "+1234567890" -PhoneType Mobile -SmsSignInState Enabled

Now, the user can verify via SMS instead.

---

3️⃣ Disable MFA Temporarily

⚠ Warning: This is a security risk and should only be used as a last resort.

Disable MFA for a user via PowerShell

powershellCopyEditSet-MsolUser -UserPrincipalName [email protected] -StrongAuthenticationRequirements @()

OR disable MFA for an entire tenant (not recommended):

powershellCopyEditSet-MsolCompanySettings -PreventPerUserMFA $true

Re-enable MFA as soon as possible.

---

✅ Best Practices to Prevent MFA Lockouts

🔹 Enable Multiple Authentication Methods – Users should register both phone and Authenticator app.
🔹 Use Temporary Access Passes (TAP) – Helps in cases of device loss.
🔹 Educate Users on MFA Backup Codes – Encourage users to save backup codes.
🔹 Enable Admin Recovery Options – Allow trusted admins to reset MFA.
🔹 Monitor MFA Logs – Use Azure Sign-In Logs to track MFA failures:

powershellCopyEditGet-MgAuditLogSignIn -Filter "status/errorCode eq 500121"

---

📌 Conclusion

MFA is essential for securing accounts, but lockouts can frustrate users and disrupt productivity. By using TAP, PowerShell resets, and backup methods, admins can quickly restore access while keeping security intact.

🚀 What’s next? Consider automating MFA resets with Microsoft Graph API or setting up self-service MFA reset policies for users.

🔹 Have you experienced MFA lockout issues? What solutions worked best for you? Let’s discuss in the comments! 💬

Introduction to Azure SSO

Azure Single Sign-On (SSO) is an identity authentication mechanism that allows users to log in once and gain access to multiple applications without needing to re-enter credentials. It integrates with Azure Active Directory (Azure AD) and supports modern authentication protocols like SAML, OpenID Connect (OIDC), and OAuth 2.0.

Organizations use Azure SSO to improve security, user experience, and IT efficiency while reducing password fatigue and helpdesk requests for password resets.

---

🔹 Why Use Azure SSO?

✅ Improves Security – Reduces password-based attacks by enforcing authentication policies.
✅ Enhances User Experience – Eliminates the need for multiple logins across cloud apps.
✅ Reduces IT Workload – Minimizes helpdesk tickets for password resets.
✅ Centralized Access Control – Manages authentication and access policies in one place.
✅ Supports Hybrid Environments – Works with cloud and on-premises apps.

---

🔹 How Azure SSO Works

Azure SSO uses Azure AD as the identity provider (IdP) to authenticate users. The authentication flow varies based on the authentication protocol used:

1️⃣ SAML-based SSO – Azure AD sends a SAML token to authenticate the user.
2️⃣ OAuth 2.0 / OpenID Connect (OIDC) – The user is authenticated via an authorization token.
3️⃣ Password-based SSO – Azure AD stores credentials and auto-fills login fields for legacy apps.
4️⃣ Linked-based SSO – Redirects users to a third-party identity provider for authentication.

---

🔹 Implementing Azure SSO Using PowerShell

Step 1: Prerequisites

Before configuring SSO, ensure:
✅ You have Global Admin or Application Administrator role in Azure AD.
✅ The application supports SAML, OAuth, or OIDC.
✅ Azure AD Premium P1/P2 is available for Conditional Access policies (optional).
✅ You have PowerShell with AzureAD Module installed.

To install the AzureAD module, run:

powershellCopyEditInstall-Module AzureAD -Force -AllowClobber

Connect to Azure AD:

powershellCopyEditConnect-AzureAD

---

Step 2: Register an Application in Azure AD

To enable SSO, register the app in Azure AD.

Using PowerShell

1️⃣ Create the App Registration:

powershellCopyEdit$AppName = "MyAzureSSOApp"
$App = New-AzureADApplication -DisplayName $AppName
$AppId = $App.AppId

2️⃣ Create a Service Principal for the App:

powershellCopyEditNew-AzureADServicePrincipal -AppId $AppId

3️⃣ Assign Required Permissions (Example: Graph API)

powershellCopyEdit$Permission = "User.Read.All"
$AppRole = Get-AzureADServicePrincipal -Filter "AppId eq '$AppId'"
New-AzureADServiceAppRoleAssignment -ObjectId $AppRole.ObjectId -PrincipalId $AppRole.ObjectId -ResourceId $AppRole.ObjectId -Id $Permission

---

Step 3: Configure SSO for a SAML-based App

1️⃣ Enable SAML SSO

• Go to Azure AD > Enterprise Applications > Select App > Single sign-on
• Choose SAML
• Set Identifier (Entity ID) and Reply URL (Assertion Consumer Service URL) provided by the app.
• Download Azure AD Federation Metadata XML and provide it to the app vendor.

2️⃣ Configure User Attributes & Claims

powershellCopyEditSet-AzureADServicePrincipal -ObjectId $AppRole.ObjectId -Saml2TokenIssuerName "https://login.microsoftonline.com/{tenant_id}/v2.0"

3️⃣ Assign Users or Groups to the App

powershellCopyEdit$User = Get-AzureADUser -ObjectId "[email protected]"
Add-AzureADUserAppRoleAssignment -ObjectId $User.ObjectId -PrincipalId $AppRole.ObjectId -ResourceId $AppRole.ObjectId

---

🔹 Best Practices for Azure SSO

✔ Use Conditional Access Policies – Require MFA for risky sign-ins.
✔ Enforce Role-Based Access Control (RBAC) – Assign least privilege access.
✔ Use Azure AD Identity Protection – Detect and mitigate suspicious activities.
✔ Regularly Review Application Permissions – Ensure only necessary apps have access.
✔ Enable SSO Logging and Monitoring – Track authentication attempts in Azure AD Sign-in Logs.

---

🔹 Testing & Troubleshooting SSO

After setup, test SSO via MyApps (https://myapps.microsoft.com) or direct application login.

Common Fixes:

🔹 Incorrect Reply URL? Ensure the correct Assertion Consumer Service (ACS) URL is set.
🔹 User Not Assigned? Assign users or groups to the application.
🔹 Invalid SAML Assertion? Check SAML response in Azure AD Sign-in Logs.
🔹 SSO Failing for On-Prem Apps? Ensure Azure AD Connect is properly configured.

---

🔹 Conclusion

Azure SSO simplifies authentication, enhances security, and streamlines user access to applications. With Azure AD and PowerShell, you can automate SSO setup, manage user permissions, and enforce security best practices.

🚀 Next Steps:
✅ Test your SSO setup and monitor sign-in logs.
✅ Apply Conditional Access policies for better security.
✅ Integrate more apps to provide a seamless user experience.

For Azure AD, use Microsoft Graph PowerShell.

Step 1: Install & Connect to Azure AD

powershellCopyEditInstall-Module -Name Microsoft.Graph -Scope CurrentUser -Force
Connect-MgGraph -Scopes "User.Read.All"

Step 2: Retrieve Enabled Users from Azure AD

powershellCopyEdit$AzureEnabledUsers = Get-MgUser -Filter "accountEnabled eq true" | 
    Select-Object DisplayName, UserPrincipalName, Mail, Id 

$AzureEnabledUsers | Format-Table -AutoSize

✅ Filters only enabled accounts
✅ Displays key details (Display Name, UPN, Email, Object ID)

---

🔹 Step 3: Export Azure AD Enabled Users to CSV

powershellCopyEdit$AzureEnabledUsers | Export-Csv -Path "C:\Reports\AzureEnabledUsers.csv" -NoTypeInformation -Encoding UTF8

📌 Use this report for license management, compliance checks, and security audits.

---

🔹 Automating the Process (Scheduled Task)

To automate this script daily or weekly, set up a PowerShell scheduled task:

1️⃣ Save the script as EnabledUsersReport.ps1
2️⃣ Open Task Scheduler → Create Basic Task
3️⃣ Set Trigger (Daily, Weekly, etc.)
4️⃣ Set Action → Start a Program → powershell.exe -File C:\Scripts\EnabledUsersReport.ps1
5️⃣ Save & Run

✅ Now, you will get automated reports without manual effort! 🚀

---

🔹 Summary

✅ Enabled accounts must be regularly audited to maintain security & compliance.
✅ PowerShell simplifies the process of retrieving and exporting enabled accounts.
✅ On-Prem AD & Azure AD scripts ensure comprehensive user monitoring.
✅ Automating via scheduled tasks ensures continuous and hands-free monitoring.

By implementing this automation, IT administrators can proactively identify security risks, optimize licensing, and ensure compliance.

Automating the Disabling of Inactive Accounts in Active Directory & Azure AD Using PowerShell

Introduction

Inactive user accounts pose a serious security risk to any IT environment. Accounts that remain enabled but unused can be exploited by attackers, leading to potential data breaches, unauthorized access, and compliance violations.

By automating the identification and disabling of inactive accounts in Active Directory (AD) and Azure AD, organizations can enhance security and reduce attack surfaces.

This blog provides step-by-step PowerShell scripts to:
✅ Identify inactive accounts
✅ Disable inactive users automatically
✅ Export the results for auditing
✅ Schedule the task for continuous security

---

🔹 Why Disable Inactive Accounts?

📌 Security – Reduce the risk of unauthorized access.
📌 Compliance – Align with industry regulations (ISO 27001, NIST, GDPR, HIPAA).
📌 License Optimization – Free up unused Microsoft 365 & Azure AD licenses.
📌 Operational Efficiency – Keep Active Directory clean and organized.

Let’s automate this process using PowerShell. 🚀

---

🔹 Identifying & Disabling Inactive Accounts in On-Prem Active Directory

In Active Directory, a user is considered inactive if they haven’t logged in for a specific period (e.g., 90 days).

Step 1: Install & Import the Active Directory Module

Ensure the AD module is installed before running the script:

powershellCopyEditInstall-WindowsFeature -Name RSAT-AD-PowerShell
Import-Module ActiveDirectory

Step 2: Find Inactive Users (No Login for 90 Days)

powershellCopyEdit$InactiveUsers = Get-ADUser -Filter {Enabled -eq $true} -Properties LastLogonDate | 
    Where-Object { $_.LastLogonDate -lt (Get-Date).AddDays(-90) } | 
    Select-Object DisplayName, SamAccountName, LastLogonDate, Enabled

$InactiveUsers | Format-Table -AutoSize

✅ Retrieves all enabled users
✅ Filters users who haven’t logged in for 90+ days
✅ Displays Name, Username, Last Login Date

---

🔹 Step 3: Disable Inactive Users

powershellCopyEdit$InactiveUsers | ForEach-Object {
    Disable-ADUser -Identity $_.SamAccountName -Confirm:$false
}
Write-Host "Inactive accounts disabled successfully!" -ForegroundColor Green

📌 The accounts remain in AD but are disabled 🛑

---

🔹 Step 4: Export Disabled Users for Auditing

powershellCopyEdit$InactiveUsers | Export-Csv -Path "C:\Reports\DisabledUsers.csv" -NoTypeInformation -Encoding UTF8

📌 Keeps a record of disabled accounts for auditing & rollback if needed

---

🔹 Identifying & Disabling Inactive Users in Azure AD

For Azure AD, user inactivity is determined based on the LastSignInDateTime attribute.

Step 1: Install & Connect to Azure AD

powershellCopyEditInstall-Module -Name Microsoft.Graph -Scope CurrentUser -Force
Connect-MgGraph -Scopes "User.ReadWrite.All"

Step 2: Find Inactive Azure AD Users (90 Days of Inactivity)

powershellCopyEdit$AzureInactiveUsers = Get-MgUser -Filter "accountEnabled eq true" -Property DisplayName,UserPrincipalName,SignInActivity | 
    Where-Object { $_.SignInActivity.LastSignInDateTime -lt (Get-Date).AddDays(-90) } | 
    Select-Object DisplayName, UserPrincipalName, SignInActivity.LastSignInDateTime

$AzureInactiveUsers | Format-Table -AutoSize

✅ Retrieves all enabled users
✅ Filters users who haven’t signed in for 90+ days
✅ Displays Name, UPN, Last Sign-In Date

---

🔹 Step 3: Disable Inactive Azure AD Users

powershellCopyEdit$AzureInactiveUsers | ForEach-Object {
    Update-MgUser -UserId $_.UserPrincipalName -AccountEnabled:$false
}
Write-Host "Inactive Azure AD accounts disabled successfully!" -ForegroundColor Green

📌 Azure AD users are now disabled 🛑

---

🔹 Step 4: Export Disabled Azure AD Users for Auditing

powershellCopyEdit$AzureInactiveUsers | Export-Csv -Path "C:\Reports\DisabledAzureUsers.csv" -NoTypeInformation -Encoding UTF8

📌 Retains a record for compliance and rollback purposes

---

🔹 Automating the Process (Scheduled Task)

To automate the process, create a PowerShell script and schedule it to run periodically.

1️⃣ Save the script as DisableInactiveUsers.ps1
2️⃣ Open Task Scheduler → Create Basic Task
3️⃣ Set Trigger (e.g., Weekly, Monthly)
4️⃣ Set Action → Start a Program → powershell.exe -File C:\Scripts\DisableInactiveUsers.ps1
5️⃣ Save & Run

📌 Now, the script will run automatically, disabling inactive users on schedule.

---

🔹 Summary

✅ Inactive accounts are a security risk—automate their disabling.
✅ PowerShell simplifies managing on-prem AD & Azure AD users.
✅ Exporting logs ensures compliance and rollback safety.
✅ Automating with Task Scheduler keeps environments secure without manual work.

By implementing this automated approach, IT teams can enhance security, ensure compliance, and reduce risk—all with PowerShell! 🚀

Re-Enabling Disabled Users in Azure AD

For Azure AD, we need to use Microsoft Graph PowerShell.

Step 1: Install & Connect to Azure AD

powershellCopyEditInstall-Module -Name Microsoft.Graph -Scope CurrentUser -Force
Connect-MgGraph -Scopes "User.ReadWrite.All"

Step 2: Find Disabled Users in Azure AD

powershellCopyEdit$DisabledAzureUsers = Get-MgUser -Filter "accountEnabled eq false" -Property DisplayName, UserPrincipalName | 
    Select-Object DisplayName, UserPrincipalName

$DisabledAzureUsers | Format-Table -AutoSize

✅ Lists all disabled users in Azure AD

---

🔹 Step 3: Re-Enable Disabled Azure AD Users

powershellCopyEdit$DisabledAzureUsers | ForEach-Object {
    Update-MgUser -UserId $_.UserPrincipalName -AccountEnabled:$true
}
Write-Host "All disabled Azure AD users have been re-enabled!" -ForegroundColor Green

📌 Azure AD users are now restored and can log in again 🔄

---

🔹 Step 4: Export Re-Enabled Azure AD Users for Auditing

powershellCopyEdit$DisabledAzureUsers | Export-Csv -Path "C:\Reports\ReEnabledAzureUsers.csv" -NoTypeInformation -Encoding UTF8

📌 Keeps an audit log of re-enabled accounts

---

🔹 Automating the Re-Enablement Process (Scheduled Task)

To automate the process, create a PowerShell script and schedule it to run periodically.

1️⃣ Save the script as ReEnableUsers.ps1
2️⃣ Open Task Scheduler → Create Basic Task
3️⃣ Set Trigger (e.g., Weekly, Monthly)
4️⃣ Set Action → Start a Program → powershell.exe -File C:\Scripts\ReEnableUsers.ps1
5️⃣ Save & Run

📌 Now, the script will run automatically, checking for and re-enabling disabled users.

---

🔹 Summary

✅ Automating re-enablement helps streamline IT operations.
✅ PowerShell makes it easy to manage AD & Azure AD accounts.
✅ Exporting logs ensures accountability for security compliance.
✅ Task Scheduler keeps everything automated.

By implementing this automated approach, IT teams can quickly restore access when needed, without manual work. 🚀

Automating User Notifications for Account Disablement & Re-Enablement Using PowerShell

🔹 Introduction

Managing user accounts effectively requires clear communication between IT and employees. When a user’s account is disabled or re-enabled, notifying them (or their manager) reduces confusion and improves security compliance.

This blog provides PowerShell scripts to:
✅ Automatically notify users when their account is disabled
✅ Send alerts when accounts are re-enabled
✅ Email managers about account status changes
✅ Export logs for auditing

---

🔹 Why Automate Account Status Notifications?

📌 Security Awareness – Notifies users when access is revoked or restored.
📌 Compliance – Ensures logs are maintained for security audits.
📌 Operational Efficiency – Eliminates manual notifications from IT.
📌 User Experience – Keeps employees informed about their account status.

---

🔹 Prerequisites

🔹 SMTP Server or Microsoft 365 Exchange Online (for sending emails)
🔹 PowerShell module installed for Active Directory and Microsoft Graph

🔹 Step 1: Configure Email Settings

Define email settings for notifications:

powershellCopyEdit$SMTPServer = "smtp.office365.com"
$SMTPPort = 587
$FromEmail = "[email protected]"
$Credential = Get-Credential  # Enter email credentials for authentication

---

🔹 Notifying Users When Their Account is Disabled

Step 2: Identify Recently Disabled Users

powershellCopyEdit$DisabledUsers = Get-ADUser -Filter {Enabled -eq $false} -Properties DisplayName, EmailAddress, Manager | 
    Select-Object DisplayName, EmailAddress, Manager

✅ Finds all recently disabled users

---

Step 3: Send Email Notifications

powershellCopyEditforeach ($User in $DisabledUsers) {
    $Subject = "Your Account Has Been Disabled"
    $Body = @"
Hello $($User.DisplayName),

Your account has been disabled due to security policies or organizational requirements. 
If you need further assistance, please contact IT Support.

Best regards,  
IT Support Team
"@

    Send-MailMessage -To $User.EmailAddress -From $FromEmail -Subject $Subject -Body $Body -SmtpServer $SMTPServer -Port $SMTPPort -UseSsl -Credential $Credential
}

📌 Notifies users that their access has been disabled.

---

Step 4: Notify Their Manager (Optional)

If users have managers assigned in Active Directory, notify them too:

powershellCopyEditforeach ($User in $DisabledUsers) {
    $Manager = Get-ADUser -Identity $User.Manager -Properties EmailAddress
    if ($Manager.EmailAddress) {
        $ManagerSubject = "Account Disabled Notification - $($User.DisplayName)"
        $ManagerBody = @"
Hello,

The account for $($User.DisplayName) has been disabled. 
Please reach out to IT if further actions are required.

Best regards,  
IT Support Team
"@
        Send-MailMessage -To $Manager.EmailAddress -From $FromEmail -Subject $ManagerSubject -Body $ManagerBody -SmtpServer $SMTPServer -Port $SMTPPort -UseSsl -Credential $Credential
    }
}

📌 Managers are informed about user account deactivation.

---

🔹 Notifying Users When Their Account is Re-Enabled

Step 5: Identify Recently Re-Enabled Users

powershellCopyEdit$ReEnabledUsers = Get-ADUser -Filter {Enabled -eq $true} -Properties DisplayName, EmailAddress | 
    Select-Object DisplayName, EmailAddress

✅ Finds all users who were just re-enabled

---

Step 6: Send Account Re-Enablement Notifications

powershellCopyEditforeach ($User in $ReEnabledUsers) {
    $Subject = "Your Account Has Been Re-Enabled"
    $Body = @"
Hello $($User.DisplayName),

Your account has been re-enabled, and you can now log in as usual.  
If you experience any issues, please contact IT Support.

Best regards,  
IT Support Team
"@

    Send-MailMessage -To $User.EmailAddress -From $FromEmail -Subject $Subject -Body $Body -SmtpServer $SMTPServer -Port $SMTPPort -UseSsl -Credential $Credential
}

📌 Notifies users that their access has been restored.

---

🔹 Automating Notifications for Azure AD Users

If managing Azure AD, use Microsoft Graph PowerShell.

Step 7: Install & Connect to Azure AD

powershellCopyEditInstall-Module -Name Microsoft.Graph -Scope CurrentUser -Force
Connect-MgGraph -Scopes "User.ReadWrite.All", "Mail.Send"

Step 8: Identify Disabled Users in Azure AD

powershellCopyEdit$DisabledAzureUsers = Get-MgUser -Filter "accountEnabled eq false" -Property DisplayName, Mail | 
    Select-Object DisplayName, Mail

Step 9: Send Notification to Disabled Azure AD Users

powershellCopyEditforeach ($User in $DisabledAzureUsers) {
    $Subject = "Your Account Has Been Disabled"
    $Body = "Hello $($User.DisplayName),`n`nYour account has been disabled. Contact IT for assistance."
    
    Send-MgUserMail -UserId $User.Mail -Message @{
        Subject = $Subject
        Body = @{ Content = $Body; ContentType = "Text" }
    }
}

📌 Azure AD users will receive an email alerting them about their account status.

---

🔹 Automating the Process with Task Scheduler

To automate the notifications:

1️⃣ Save the script as AccountNotifications.ps1
2️⃣ Open Task Scheduler → Create Basic Task
3️⃣ Set Trigger (e.g., Daily at 8 AM)
4️⃣ Set Action → Start a Program → powershell.exe -File C:\Scripts\AccountNotifications.ps1
5️⃣ Save & Run

📌 Now, account status changes will trigger email notifications automatically.

---

🔹 Summary

✅ Users receive notifications when their account is disabled/re-enabled.
✅ Managers get alerts about changes to their team’s access.
✅ Automation ensures no manual emails are needed.
✅ Works for both Active Directory & Azure AD.
✅ Logs can be exported for security compliance.

By implementing this automated notification system, IT teams can streamline account management, improve communication, and enhance security awareness. 🚀

Enforcing MFA Before Re-Enabling User Accounts – PowerShell Automation

🔹 Introduction

Multi-Factor Authentication (MFA) is a crucial security layer that helps prevent unauthorized access, especially after a user account is disabled and later re-enabled. Before restoring access, it’s best practice to enforce MFA enrollment to enhance security and prevent potential account compromise.

This blog provides a PowerShell script to:
✅ Automatically check MFA status before re-enabling accounts
✅ Require MFA enrollment before re-enabling
✅ Send notifications to users and IT teams

---

🔹 Why Enforce MFA Before Re-Enabling Accounts?

📌 Security Enhancement – Prevents unauthorized access after re-enablement.
📌 Compliance Requirements – Many security frameworks require MFA enforcement.
📌 Risk Mitigation – Reduces the risk of compromised credentials being reused.
📌 Automation Efficiency – Ensures a seamless security-first workflow.

---

🔹 Prerequisites

🔹 Azure AD Module installed (Install-Module AzureAD)
🔹 PowerShell with Admin Rights
🔹 Global Administrator or Privileged Authentication Admin Role

---

🔹 Step 1: Connect to Microsoft Entra ID (Azure AD)

powershellCopyEditInstall-Module -Name AzureAD -Force
Import-Module AzureAD
Connect-AzureAD

📌 This will prompt for admin credentials to authenticate.

---

🔹 Step 2: Identify Recently Disabled Users

powershellCopyEdit$DisabledUsers = Get-AzureADUser -All $true | Where-Object { $_.AccountEnabled -eq $false } |
    Select-Object DisplayName, UserPrincipalName, ObjectId

📌 Finds all disabled user accounts.

---

🔹 Step 3: Check MFA Enrollment Status

powershellCopyEditforeach ($User in $DisabledUsers) {
    $MFAStatus = Get-MsolUser -UserPrincipalName $User.UserPrincipalName | Select-Object -ExpandProperty StrongAuthenticationMethods
    if ($MFAStatus -eq $null) {
        Write-Host "MFA not enabled for $($User.DisplayName). Enforcing MFA before re-enabling..." -ForegroundColor Yellow
        # Proceed to enforce MFA
    } else {
        Write-Host "MFA already enabled for $($User.DisplayName). Ready to re-enable." -ForegroundColor Green
    }
}

📌 This script checks if MFA is enabled before proceeding.

---

🔹 Step 4: Enforce MFA Enrollment for Users Without MFA

powershellCopyEditforeach ($User in $DisabledUsers) {
    $MFAStatus = Get-MsolUser -UserPrincipalName $User.UserPrincipalName | Select-Object -ExpandProperty StrongAuthenticationMethods
    if ($MFAStatus -eq $null) {
        Write-Host "Forcing MFA registration for $($User.DisplayName)..."
        Set-MsolUser -UserPrincipalName $User.UserPrincipalName -StrongAuthenticationRequirements @(@{State="Enabled"; })
        
        # Send notification email to user
        $Subject = "MFA Enrollment Required Before Account Re-Enablement"
        $Body = "Hello $($User.DisplayName),`n`nYour account is being re-enabled, but MFA is required before accessing your account. Please complete MFA enrollment immediately."
        Send-MailMessage -To $User.UserPrincipalName -From "[email protected]" -Subject $Subject -Body $Body -SmtpServer "smtp.office365.com" -Credential (Get-Credential)
        
        Write-Host "MFA enforced and email notification sent to $($User.DisplayName)." -ForegroundColor Cyan
    }
}

📌 This forces MFA enrollment and notifies the user via email.

---

🔹 Step 5: Re-Enable the User Account

powershellCopyEditforeach ($User in $DisabledUsers) {
    $MFAStatus = Get-MsolUser -UserPrincipalName $User.UserPrincipalName | Select-Object -ExpandProperty StrongAuthenticationMethods
    if ($MFAStatus -ne $null) {
        Write-Host "Re-enabling account for $($User.DisplayName)..." -ForegroundColor Green
        Set-AzureADUser -ObjectId $User.ObjectId -AccountEnabled $true

        # Notify the user
        $Subject = "Your Account Has Been Re-Enabled"
        $Body = "Hello $($User.DisplayName),`n`nYour account has been successfully re-enabled. You may now log in using MFA."
        Send-MailMessage -To $User.UserPrincipalName -From "[email protected]" -Subject $Subject -Body $Body -SmtpServer "smtp.office365.com" -Credential (Get-Credential)

        Write-Host "Account re-enabled and email sent to $($User.DisplayName)." -ForegroundColor Cyan
    }
}

📌 Only users who have completed MFA enrollment will be re-enabled.

---

🔹 Automating the Process

To automate MFA enforcement before re-enabling accounts:

1️⃣ Save the script as Enforce-MFA-AccountReenable.ps1
2️⃣ Open Task Scheduler → Create Basic Task
3️⃣ Set Trigger (e.g., Daily at 8 AM)
4️⃣ Set Action → Start a Program → powershell.exe -File C:\Scripts\Enforce-MFA-AccountReenable.ps1
5️⃣ Save & Run

📌 Now, all disabled accounts must complete MFA before being re-enabled!

---

🔹 Summary

✅ Users cannot log in until MFA is configured
✅ Automated enforcement ensures security compliance
✅ Users and IT teams are notified via email
✅ Script works for both Active Directory & Azure AD
✅ Scheduled automation eliminates manual work

With this automation, IT teams can enforce MFA before restoring user access, ensuring security-first policies and preventing unauthorized logins. 🚀