Author: jetnmariano

  • 10 Essential PowerShell Commands for IT Administrators

    💻 PowerShell is an IT Admin’s best friend—whether you’re managing Active Directory, troubleshooting network issues, or automating daily tasks. These essential commands will help you work smarter, not harder.


    🔹 1. Find All Locked-Out Users in Active Directory

    🛑 Identify locked-out accounts instantly.

    Search-ADAccount -LockedOut | Select-Object Name, SamAccountName, LockedOut
    

    Use Case: Quickly locate and assist locked-out users.


    🔹 2. Unlock a User’s Account in Active Directory

    🔓 Unlock a user’s account without using the GUI.

    Unlock-ADAccount -Identity jdoe
    

    Use Case: Enables IT admins to resolve lockouts in seconds.


    🔹 3. Force a Password Reset for a User

    🔄 Require a user to change their password at next login.

    Set-ADUser -Identity jdoe -PasswordNeverExpires $false -ChangePasswordAtLogon $true
    

    Use Case: Ensures security compliance without manual resets.


    🔹 4. Retrieve System Boot Time

    🖥️ Check how long a system has been running.

    (Get-Date) - (gcim Win32_OperatingSystem).LastBootUpTime
    

    Use Case: Displays uptime in days, hours, and minutes.


    🔹 5. List Running Services with “Stopped” Status

    🚀 Check which services aren’t running.

    Get-Service | Where-Object { $_.Status -eq 'Stopped' } | Select-Object Name, DisplayName
    

    Use Case: Helps identify critical services that need restarting.


    🔹 6. Test Internet Connectivity

    🌐 Check if a machine has an active internet connection.

    Test-NetConnection -ComputerName google.com -InformationLevel Detailed
    

    Use Case: Quick and easy network diagnostics.


    🔹 7. Find the Last 10 Failed Login Attempts

    🚫 Track failed login attempts for security auditing.

    Get-EventLog -LogName Security -InstanceId 4625 -Newest 10
    

    Use Case: Detects brute-force attacks and failed password attempts.
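    The one-liner above shows the ten newest failures; to actually spot a brute-force or password-spray pattern you need to group them by source. This is an added example (not from the original post) that pulls named fields out of each 4625 event's XML and summarises failures per source address. It assumes an elevated session on the machine holding the Security log; the threshold is a constructed starting point to tune locally.

```powershell
# Added example: summarise recent 4625 (failed logon) events by source address and
# target account so a burst of failures from one source stands out. Get-WinEvent is
# used instead of Get-EventLog because it exposes the event XML, which lets us read
# fields by name rather than by position.
# Assumptions (not from the post): run elevated; Threshold is a constructed default.

function Get-FailedLogonSummary {
    param(
        [int]$MaxEvents = 1000,   # how many 4625 events to read at most
        [int]$Threshold = 10,     # flag a source with at least this many failures
        [int]$Hours     = 24      # only consider events newer than this
    )

    $since  = (Get-Date).AddHours(-$Hours)
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4625
        StartTime = $since
    } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

    if (-not $events) {
        Write-Host "No 4625 events in the last $Hours hour(s)." -ForegroundColor Green
        return
    }

    # Flatten each event's <EventData> into a name -> value table
    $rows = foreach ($e in $events) {
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [PSCustomObject]@{
            Time        = $e.TimeCreated
            Account     = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
            SourceIP    = $data['IpAddress']
            Workstation = $data['WorkstationName']
            LogonType   = $data['LogonType']   # 3 = network, 10 = RDP, 2 = interactive
            SubStatus   = $data['SubStatus']   # 0xC000006A bad password, 0xC0000064 no such user
        }
    }

    # Group by source: a brute force is many failures against one account, a spray is
    # a few failures each against many accounts, both from the same source
    $rows | Group-Object SourceIP | ForEach-Object {
        [PSCustomObject]@{
            SourceIP   = $_.Name
            Failures   = $_.Count
            Accounts   = @($_.Group.Account | Select-Object -Unique).Count
            FirstSeen  = ($_.Group.Time | Measure-Object -Minimum).Minimum
            LastSeen   = ($_.Group.Time | Measure-Object -Maximum).Maximum
            Suspicious = $_.Count -ge $Threshold
        }
    } | Sort-Object Failures -Descending
}

Get-FailedLogonSummary | Format-Table -AutoSize
```

    A row with a high Failures count and a high Accounts count is the spray signature; high Failures against one account is the classic brute force.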


    🔹 8. Get a List of Users with Expired Passwords

    🔑 Find all users with expired passwords in Active Directory.

    Search-ADAccount -PasswordExpired | Select-Object Name, SamAccountName
    

    Use Case: Prevents user lockouts and ensures password updates.


    🔹 9. Get Disk Space Usage on a Server

    💾 Check available disk space across all drives.

    Get-PSDrive | Where-Object {$_.Provider -like "Microsoft.PowerShell.Core\FileSystem"} | 
    Select-Object Name, Used, Free
    

    Use Case: Helps avoid storage-related downtime before it happens.


    🔹 10. List & Stop Running Processes

    View active processes and terminate any misbehaving ones.

    Get-Process | Select-Object ProcessName, Id, CPU | Format-Table -AutoSize
    Stop-Process -Name "notepad" -Force
    

    Use Case: Quickly terminate resource-hogging processes without Task Manager.


    🚀 Conclusion: Work Smarter, Automate More!

    💡 PowerShell is a game-changer for IT admins, allowing faster troubleshooting, better automation, and enhanced security monitoring. Whether you’re managing user accounts, securing systems, or optimizing network performance, these commands will save time and effort.

    🖥️ Next Steps?
    📌 Bookmark this page and check back for more advanced PowerShell scripts!
    🔗 Need more automation tips? Visit the PowerShell Hub for deeper insights.

    © 2012–2025 Jet Mariano. All rights reserved.
    For usage terms, please see the Legal Disclaimer.

  • 10 Must-Have PowerShell Scripts for IT Troubleshooting

    PowerShell is a powerful tool for IT professionals, allowing automation, troubleshooting, and system management.
    Whether you’re handling system cleanup, retrieving Wi-Fi passwords, or managing processes, these PowerShell commands can be lifesavers.
    Here are five must-know PowerShell scripts to add to your IT arsenal.


    1. Extract All Installed Applications (For Inventory & Troubleshooting)

    Need to check what software is installed on a system? This script pulls a list of all installed applications along with their version, publisher, and installation date.

    Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* |
    Select-Object DisplayName, DisplayVersion, Publisher, InstallDate |
    Sort-Object DisplayName |
    Format-Table -AutoSize

    🔹 Bonus: Export the list to a CSV file for documentation:

    Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* |
    Select-Object DisplayName, DisplayVersion, Publisher, InstallDate |
    Export-Csv -Path "C:\InstalledApps.csv" -NoTypeInformation

    2. Find and Kill Stubborn Processes

    Have an unresponsive application? Use this script to forcefully close any running process by name.

    $processName = "Teams" # Change this to the process you want to kill
    Get-Process -Name $processName -ErrorAction SilentlyContinue | Stop-Process -Force

    🔹 Bonus: Convert it into a user-friendly GUI:

    # Microsoft.VisualBasic (for InputBox) and System.Windows.Forms must be referenced explicitly, or Add-Type fails to compile
    Add-Type -TypeDefinition @"
    using System;
    using System.Windows.Forms;
    public class KillProcess {
        public static void Main() {
            string processName = Microsoft.VisualBasic.Interaction.InputBox("Enter process name to kill:", "Kill Process", "Teams");
            if (!string.IsNullOrEmpty(processName)) {
                System.Diagnostics.Process[] procs = System.Diagnostics.Process.GetProcessesByName(processName);
                foreach (var proc in procs) {
                    proc.Kill();
                }
            }
        }
    }
    "@ -Language CSharp -ReferencedAssemblies 'System.Windows.Forms', 'Microsoft.VisualBasic'
    
    [KillProcess]::Main()

    3. Automate System Cleanup (Cache, Temp Files, Event Logs)

    Over time, systems accumulate temporary files that can slow them down. This command clears temporary files, cache, and event logs. Note that clearing the Security log discards the machine's audit trail, so leave it out of the list on any system you may later need to investigate:

    Write-Host "Clearing Temp Files, Cache, and Event Logs..." -ForegroundColor Green
    Remove-Item -Path "$env:TEMP\*" -Recurse -Force -ErrorAction SilentlyContinue
    Remove-Item -Path "C:\Windows\Temp\*" -Recurse -Force -ErrorAction SilentlyContinue
    Clear-EventLog -LogName Application, System, Security
    Write-Host "Cleanup Completed!" -ForegroundColor Cyan

    🔹 Bonus: Automate this cleanup by scheduling it in Task Scheduler.


    4. Retrieve Wi-Fi Passwords Saved on a PC

    Need to recover a saved Wi-Fi password? This script extracts the stored credentials for all previously connected networks:

    (netsh wlan show profile) | Select-String "\:(.+)$" | ForEach-Object { 
        $network = $_.Matches.Groups[1].Value.Trim()
        $password = (netsh wlan show profile name="$network" key=clear) | Select-String "Key Content\W+\:(.+)$"
        if ($password) { 
            Write-Host "Wi-Fi: $network | Password: $($password.Matches.Groups[1].Value.Trim())" -ForegroundColor Green 
        }
    }

    🔹 Use Case: If you’re connected to a Wi-Fi network but forgot the password, this script retrieves it instantly.


    5. Scan for Suspicious File Modifications (Forensic Command)

    This script performs a recursive scan on a target machine to find recently modified files with specific extensions and flag any that contain high-risk keywords. Ideal for forensic scenarios.

    $target = "RemoteComputerName"  # Replace with computer name or IP
    $extensions = @("*.ps1", "*.sql", "*.dll", "*.cs", "*.sln", "*.vbproj")
    $keywords = 'drop', 'truncate', 'remove', 'shutdown'
    
    $session = New-PSSession -ComputerName $target -ErrorAction SilentlyContinue
    if ($session) {
        Invoke-Command -Session $session -ScriptBlock {
            param($exts, $keywords)
            Get-ChildItem -Path "C:\" -Recurse -Include $exts -ErrorAction SilentlyContinue |
            Where-Object {
                $_.LastWriteTime -gt (Get-Date).AddDays(-90) -and
                # Pass the keywords as an array: joining them with '|' under -SimpleMatch would search for the literal string "drop|truncate|..."
                ($_ | Select-String -Pattern $keywords -SimpleMatch -Quiet)
            } |
            Select-Object FullName, LastWriteTime, Length
        } -ArgumentList $extensions, $keywords | Export-Csv -Path "$env:USERPROFILE\Desktop\forensic-scan.csv" -NoTypeInformation
    
        Remove-PSSession $session
    } else {
        Write-Host "Unable to connect to $target"
    }
    

    Why it matters: This script was used during a forensic investigation while I was serving on a local government IT forensic team. Its purpose was to detect whether sensitive scripts or source code had been created, modified, or concealed on a colleague’s machine. By targeting specific file types and high-risk keywords (e.g., drop, truncate, remove, shutdown), the script helps identify signs of unauthorized automation, code tampering, or mismanagement of critical systems. It supported an internal review when key files were missing and operational stability was in question.


    6. Quick System Resource Snapshot

    # Display top 10 processes by CPU usage
    Get-Process | Sort CPU -Descending | Select -First 10
    
    # Show current CPU usage
    Get-Counter '\Processor(_Total)\% Processor Time'
    
    # Show available memory
    Get-Counter '\Memory\Available MBytes'
    
    # Summarize total, free, and used memory
    Get-WmiObject -Class Win32_OperatingSystem |
    Select-Object TotalVisibleMemorySize, FreePhysicalMemory |
    ForEach-Object {
        [PSCustomObject]@{
            'TotalMemoryMB' = [math]::Round($_.TotalVisibleMemorySize / 1024, 2)
            'FreeMemoryMB'  = [math]::Round($_.FreePhysicalMemory / 1024, 2)
            'UsedMemoryMB'  = [math]::Round(($_.TotalVisibleMemorySize - $_.FreePhysicalMemory) / 1024, 2)
        }
    }
    

    Why it matters: This comprehensive snapshot is a go-to tool for on-the-fly diagnostics. Whether you’re troubleshooting performance issues, memory leaks, or high CPU usage, this command instantly reveals which processes are draining resources—without launching Task Manager or Performance Monitor. Ideal for quick triage during server slowdowns or SQL bottlenecks.

    7. Check System Uptime

    $uptime = (Get-Date) - (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
    Write-Host "System Uptime: $($uptime.Days) Days, $($uptime.Hours) Hours, $($uptime.Minutes) Minutes" -ForegroundColor Cyan
    

    Why it matters: Quickly see how long the system has been running—helpful in determining recent reboots or crashes.

    8. Check Disk Space

    Get-PSDrive -PSProvider FileSystem | Select-Object Name, Used, Free, @{Name="Free(GB)";Expression={"{0:N2}" -f ($_.Free / 1GB)}}
    

    Why it matters: Instantly assess available drive space and avoid unexpected application or SQL failures due to low disk capacity.

    9. Review Event Logs (System Errors Only)

    Get-EventLog -LogName System -EntryType Error -Newest 20 | Format-Table TimeGenerated, Source, EventID, Message -AutoSize
    

    Why it matters: Check for hardware, driver, or system errors logged in the last events—critical when troubleshooting.

    10. Forensic Script Scan – Local Machine Analysis

    This script performs a forensic scan of the local machine, identifying recently modified files with common scripting and development extensions. It’s ideal for monitoring changes or performing audits.

    $targetPath = "C:\"
    $extensions = '*.ps1', '*.php', '*.sql', '*.bat', '*.cmd', '*.vbs', '*.js', '*.dll', '*.config', '*.json'
    $outputPath = "C:\Temp\ScriptAuditReport.csv"
    
    Get-ChildItem -Path $targetPath -Include $extensions -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-90) } |
    Sort-Object LastWriteTime -Descending |
    Select-Object FullName, LastWriteTime |
    Export-Csv $outputPath -NoTypeInformation
    
    

    Why it matters: Use this script when you suspect undocumented code changes, malicious automation, or hidden activity on a machine. It pinpoints recently altered files with extensions commonly used for scripting or system manipulation. Ideal for incident response or auditing newly repurposed systems.
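    Both forensic scans above (items 5 and 10) rely on LastWriteTime, which a tampered file can have reset and which a deleted file never shows at all. The added example below (not from the original post) records a hash baseline of the same file types and, on later runs, reports files that are new, changed, or missing since the baseline. Paths, the extension list and the baseline file name are my assumptions.

```powershell
# Added example: baseline-and-compare audit of script/source files. Run
# New-ScriptBaseline once on a known-good machine, then Compare-ScriptBaseline
# during a review; it reports New, Modified and Missing files, and flags a content
# change whose timestamp did not move (a reset mtime is itself a signal).
# Assumptions (not from the post): paths, extensions and the CSV locations.

$defaultExts = @('*.ps1', '*.sql', '*.bat', '*.cmd', '*.vbs', '*.js', '*.dll')

function New-ScriptBaseline {
    param(
        [string]$Path = 'C:\',
        [string[]]$Extensions = $defaultExts,
        [string]$BaselinePath = "$env:USERPROFILE\Desktop\script-baseline.csv"
    )
    Get-ChildItem -Path $Path -Include $Extensions -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            [PSCustomObject]@{
                FullName      = $_.FullName
                Length        = $_.Length
                LastWriteTime = $_.LastWriteTime.ToString('o')   # round-trip format, compares exactly
                SHA256        = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            }
        } | Export-Csv -Path $BaselinePath -NoTypeInformation
    Write-Host "Baseline written to $BaselinePath"
}

function Compare-ScriptBaseline {
    param(
        [string]$Path = 'C:\',
        [string[]]$Extensions = $defaultExts,
        [string]$BaselinePath = "$env:USERPROFILE\Desktop\script-baseline.csv",
        [string]$ReportPath   = "$env:USERPROFILE\Desktop\script-changes.csv"
    )
    # Index the baseline by path so each lookup is a hashtable hit, not a scan
    $baseline = @{}
    Import-Csv -Path $BaselinePath | ForEach-Object { $baseline[$_.FullName] = $_ }

    $changes = [System.Collections.Generic.List[object]]::new()
    $seen    = @{}

    Get-ChildItem -Path $Path -Include $Extensions -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $seen[$_.FullName] = $true
            $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            $old  = $baseline[$_.FullName]
            if (-not $old) {
                $status = 'New'
            } elseif ($old.SHA256 -ne $hash) {
                $status = if ($old.LastWriteTime -eq $_.LastWriteTime.ToString('o')) { 'Modified-SameTimestamp' } else { 'Modified' }
            } else {
                return   # unchanged: nothing to report, move to the next file
            }
            $changes.Add([PSCustomObject]@{ Status = $status; FullName = $_.FullName; LastWriteTime = $_.LastWriteTime; SHA256 = $hash })
        }

    # Anything in the baseline that was not seen this run has been deleted or moved
    foreach ($entry in $baseline.Values) {
        if (-not $seen.ContainsKey($entry.FullName)) {
            $changes.Add([PSCustomObject]@{ Status = 'Missing'; FullName = $entry.FullName; LastWriteTime = $entry.LastWriteTime; SHA256 = $entry.SHA256 })
        }
    }

    $changes | Sort-Object Status, FullName | Export-Csv -Path $ReportPath -NoTypeInformation
    $changes | Group-Object Status | Select-Object Name, Count   # quick summary for the console
}

# First run: New-ScriptBaseline ; later runs: Compare-ScriptBaseline
Compare-ScriptBaseline
```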

    Final Thoughts

    PowerShell is a must-have tool for IT professionals. These scripts help automate tasks, troubleshoot issues, and improve system efficiency. Which of these commands do you find most useful? Let me know in the comments!

    🚀 Stay tuned for more PowerShell tips and tricks!


  • How to Create and Manage a Shared Mailbox in Microsoft 365 Using PowerShell

    Introduction

    A shared mailbox allows multiple users to send and receive emails from a common address, making collaboration easier for teams. This guide walks you through creating a shared mailbox, assigning permissions, and verifying settings using PowerShell.

    Using PowerShell provides faster and more efficient management, especially when handling multiple mailboxes.


    🔹 Step 1: Connect to Microsoft 365 PowerShell

    Before creating the shared mailbox, connect to Exchange Online.

    Run the following command:

    Connect-ExchangeOnline -UserPrincipalName [email protected]
    

    📌 Replace [email protected] with your admin account email.


    🔹 Step 2: Create the Shared Mailbox

    Use this PowerShell command to create a shared mailbox:

    New-Mailbox -Shared -Name "TeamMailbox" -DisplayName "Team Shared Mailbox" -PrimarySmtpAddress "[email protected]"
    

    📌 Replace "TeamMailbox" and "[email protected]" with your preferred mailbox name and email address.


    🔹 Step 3: Assign Permissions

    Once the mailbox is created, grant access to specific users.

    Grant Full Access (Allows users to manage the mailbox)

    Add-MailboxPermission -Identity "[email protected]" -User "[email protected]" -AccessRights FullAccess -InheritanceType All
    

    Grant Send As Permission (Allows users to send emails from the shared mailbox)

    Add-RecipientPermission -Identity "[email protected]" -Trustee "[email protected]" -AccessRights SendAs -Confirm:$false
    

    📌 Replace "[email protected]" with the email of the user who needs access.


    🔹 Step 4: Verify the Shared Mailbox and Permissions

    Once configured, verify that the mailbox exists and has the correct settings.

    Check Mailbox Details

    Get-Mailbox -Identity "[email protected]" | Format-List DisplayName,PrimarySmtpAddress,RecipientTypeDetails
    

    List Users with Full Access

    Get-MailboxPermission -Identity "[email protected]" | Where-Object { $_.AccessRights -eq "FullAccess" -and $_.User -notlike "NT AUTHORITY\SELF" } | Select-Object User,AccessRights
    

    List Users with Send As Permission

    Get-RecipientPermission -Identity "[email protected]" | Where-Object { $_.AccessRights -eq "SendAs" } | Select-Object Trustee,AccessRights
    
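    Steps 2 to 4 wrapped into one re-runnable function, as an added example that is not part of the original post: it creates the mailbox only if it is missing, grants Full Access and Send As to a list of users while skipping grants that already exist, and returns the verified permissions. It assumes you have already run Connect-ExchangeOnline; the mailbox and user addresses are placeholders.

```powershell
# Added example: idempotent shared-mailbox provisioning (create, grant, verify).
# Assumes an active Connect-ExchangeOnline session. Addresses are placeholders.

function New-TeamSharedMailbox {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$DisplayName,
        [Parameter(Mandatory)][string]$PrimarySmtpAddress,
        [string[]]$Members = @()
    )

    # Step 2: create only if missing; refuse to touch a non-shared mailbox with the same address
    $mbx = Get-Mailbox -Identity $PrimarySmtpAddress -ErrorAction SilentlyContinue
    if (-not $mbx) {
        $mbx = New-Mailbox -Shared -Name $Name -DisplayName $DisplayName -PrimarySmtpAddress $PrimarySmtpAddress
        Write-Host "Created shared mailbox $PrimarySmtpAddress"
    } elseif ($mbx.RecipientTypeDetails -ne 'SharedMailbox') {
        throw "$PrimarySmtpAddress exists but is a $($mbx.RecipientTypeDetails), not a shared mailbox"
    }

    # Step 3: read current grants first so re-running does not add duplicate ACEs
    $existingFull = Get-MailboxPermission -Identity $PrimarySmtpAddress |
        Where-Object { $_.AccessRights -contains 'FullAccess' -and $_.User -notlike 'NT AUTHORITY\SELF' } |
        ForEach-Object { $_.User.ToString() }
    $existingSendAs = Get-RecipientPermission -Identity $PrimarySmtpAddress |
        Where-Object { $_.AccessRights -contains 'SendAs' } |
        ForEach-Object { $_.Trustee.ToString() }

    foreach ($user in $Members) {
        if ($existingFull -notcontains $user) {
            Add-MailboxPermission -Identity $PrimarySmtpAddress -User $user -AccessRights FullAccess -InheritanceType All | Out-Null
        }
        if ($existingSendAs -notcontains $user) {
            Add-RecipientPermission -Identity $PrimarySmtpAddress -Trustee $user -AccessRights SendAs -Confirm:$false | Out-Null
        }
    }

    # Step 4: return who can do what, so the result is checked in the same run
    $full = Get-MailboxPermission -Identity $PrimarySmtpAddress |
        Where-Object { $_.AccessRights -contains 'FullAccess' -and $_.User -notlike 'NT AUTHORITY\SELF' }
    $sendAs = Get-RecipientPermission -Identity $PrimarySmtpAddress |
        Where-Object { $_.AccessRights -contains 'SendAs' }

    [PSCustomObject]@{
        Mailbox    = $PrimarySmtpAddress
        FullAccess = @($full.User)
        SendAs     = @($sendAs.Trustee)
    }
}

# Placeholder values: replace with your own mailbox and users
New-TeamSharedMailbox -Name 'TeamMailbox' -DisplayName 'Team Shared Mailbox' `
    -PrimarySmtpAddress 'teammailbox@example.com' `
    -Members 'user1@example.com', 'user2@example.com'
```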

    🔹 Step 5: Confirm the Shared Mailbox in Microsoft 365

    You can also check the mailbox in Microsoft 365 Admin Center:

    1️⃣ Sign in to Microsoft Admin Center.
    2️⃣ Go to Exchange Admin Center → Recipients → Shared.
    3️⃣ Locate the mailbox and confirm the settings.


    🚀 Conclusion

    By following these steps, you can create, manage, and verify a shared mailbox using PowerShell.

    No license required
    Centralized team email management
    Easier collaboration

    💬 How do you manage shared mailboxes in your organization? Share your best practices in the comments below! ⬇️


  • Managing VMware with PowerCLI: Essential PowerShell Commands

    Introduction VMware PowerCLI is a powerful tool that allows administrators to manage VMware environments using PowerShell. Whether you need to create virtual machines, check resource usage, or troubleshoot storage capacity, PowerCLI provides a streamlined approach to VMware management. Below is a guide to setting up PowerCLI and using essential commands for day-to-day VMware administration.


    Step 1: Install and Import VMware PowerCLI

    Before running VMware-related PowerShell commands, ensure that VMware PowerCLI is installed on your system.

    Install-Module -Name VMware.PowerCLI -Scope CurrentUser -Force

    After installation, import the module:

    Import-Module VMware.PowerCLI

    If you encounter SSL/TLS certificate warnings while connecting, configure PowerCLI to ignore invalid certificates:

    Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -Confirm:$false

    Step 2: Connect to vCenter Server

    To manage your VMware environment, you need to authenticate with vCenter:

    Connect-VIServer -Server <Your-VCenter-Server> -User <Your-Admin-User> -Password '<Your-Password>'

    Once connected, you can retrieve information about your virtual infrastructure.


    Step 3: List VMware Hosts

    To view all available VMware hosts:

    Get-VMHost

    This provides a list of all ESXi hosts, their connection status, and available resources.


    Step 4: Retrieve Virtual Machines

    To get a list of all VMs in the environment:

    Get-VM

    For details of a specific VM:

    Get-VM -Name <VM-Name>

    Step 5: Checking vSAN Datastore Usage

    One common challenge in VMware environments is monitoring vSAN datastore usage. To check storage space:

    Get-VsanSpaceUsage -Cluster <Your-Cluster-Name>

    To calculate the percentage of used space, run:

    $vsanUsage = Get-VsanSpaceUsage -Cluster <Your-Cluster-Name>
    $usedPercentage = 100 - (($vsanUsage.FreeSpaceGB / $vsanUsage.CapacityGB) * 100)
    "vSAN Datastore is currently {0:N2}% full" -f $usedPercentage

    Step 6: Creating a New Virtual Machine

    If you need to create a new VM:

    New-VM -Name <VM-Name> -VMHost <Host-Name> -Datastore <Datastore-Name> -DiskGB 50 -MemoryGB 4 -NumCPU 2

    This command creates a VM with 50GB disk, 4GB RAM, and 2 CPUs.


    Step 7: Cloning an Existing Virtual Machine

    To create a clone of an existing VM:

    New-VM -Name <New-VM-Name> -VM <Source-VM-Name> -Datastore <Datastore-Name> -VMHost <Target-Host>

    Step 8: Managing VM Power States

    To power on a VM:

    Start-VM -VM <VM-Name>

    To shut down a VM:

    Stop-VM -VM <VM-Name> -Confirm:$false

    To restart a VM:

    Restart-VM -VM <VM-Name> -Confirm:$false

    Step 9: Deleting a Virtual Machine

    If a VM is no longer needed, you can remove it permanently:

    Remove-VM -VM <VM-Name> -DeletePermanently -Confirm:$false

    Step 10: Checking for Leftover Files in vSAN

    Even after deleting a VM, some files may remain in the datastore. You can check for orphaned files:

    $ds = Get-Datastore -Name <Datastore-Name>
    # Browse through PowerCLI's vmstores: provider; piping the datastore object straight into Get-ChildItem does not work
    Get-ChildItem -Path $ds.DatastoreBrowserPath -Recurse | Where-Object { $_.Name -like "*<VM-Name>*" }

    To manually remove leftover files:

    # The vmstore: drive is organised as <Datacenter>\<Datastore>\<folder>\<file>
    Remove-Item -Path "vmstore:\<Datacenter-Name>\<Datastore-Name>\FolderName\<VM-Name>.vmdk" -Confirm:$false
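    Two read-only checks built on the commands from Steps 5 and 10, as an added example that is not part of the original guide: the first computes the used percentage for every vSAN-enabled cluster and flags those over a threshold, the second lists top-level datastore folders that no registered VM's .vmx file lives in, which is what Remove-VM typically leaves behind. It assumes an active Connect-VIServer session and the DatastoreBrowserPath and DatastoreFullPath properties PowerCLI exposes; the 80% threshold is my choice.

```powershell
# Added example: vSAN usage report across clusters, plus orphaned-folder detection.
# Assumes an active Connect-VIServer session. Nothing here deletes anything:
# review the output, then remove leftovers by hand as shown in Step 10.

function Get-VsanUsageReport {
    param([int]$WarnPercent = 80)   # assumed threshold, adjust to your capacity policy
    foreach ($cluster in Get-Cluster | Where-Object { $_.VsanEnabled }) {
        $usage   = Get-VsanSpaceUsage -Cluster $cluster
        $usedPct = 100 - (($usage.FreeSpaceGB / $usage.CapacityGB) * 100)
        [PSCustomObject]@{
            Cluster     = $cluster.Name
            CapacityGB  = [math]::Round($usage.CapacityGB, 1)
            FreeGB      = [math]::Round($usage.FreeSpaceGB, 1)
            UsedPercent = [math]::Round($usedPct, 2)
            Warning     = $usedPct -ge $WarnPercent
        }
    }
}

function Get-OrphanedVmFolders {
    param([Parameter(Mandatory)][string]$DatastoreName)
    $ds = Get-Datastore -Name $DatastoreName

    # Folder each registered VM's .vmx lives in: "[vsanDatastore] web01/web01.vmx" -> "web01"
    $inUse = @{}
    foreach ($vm in Get-VM -Datastore $ds) {
        $vmx = $vm.ExtensionData.Config.Files.VmPathName
        if ($vmx -match '^\[[^\]]+\]\s*([^/]+)/') { $inUse[$Matches[1]] = $vm.Name }
    }

    # Every top-level folder on the datastore (hidden dot-folders are vSAN/ESXi housekeeping)
    Get-ChildItem -Path $ds.DatastoreBrowserPath |
        Where-Object { $_.PSIsContainer -and -not $_.Name.StartsWith('.') -and -not $inUse.ContainsKey($_.Name) } |
        ForEach-Object {
            $bytes = (Get-ChildItem -Path $_.DatastoreFullPath -Recurse | Measure-Object -Property Length -Sum).Sum
            [PSCustomObject]@{
                Datastore = $ds.Name
                Folder    = $_.Name
                SizeMB    = [math]::Round(($bytes / 1MB), 1)
                Path      = $_.DatastoreFullPath
            }
        }
}

Get-VsanUsageReport | Format-Table -AutoSize
Get-OrphanedVmFolders -DatastoreName '<Datastore-Name>' | Format-Table -AutoSize
```

    A folder listed here can still belong to an unregistered VM or a template kept outside inventory, so confirm before removing it.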

    Final Thoughts

    Using PowerCLI to manage VMware environments improves efficiency and automation. Whether you need to monitor vSAN usage, create new VMs, or automate backups, PowerCLI provides a flexible solution. Keep this guide handy for reference as you work with VMware environments.

    Have any useful PowerCLI commands that you frequently use? Share them in the comments below! 🚀


  • How to Investigate and Secure a Compromised Microsoft 365 Account After a Phishing Attack

    Introduction

    Phishing attacks are one of the most common cybersecurity threats that IT administrators face. A single click on a malicious email link can lead to credential theft, data exfiltration, or malware infections.

    This guide provides a step-by-step approach to investigating and securing a potentially compromised account in Microsoft 365 using PowerShell and the Microsoft Security Portal.


    🔹 Immediate Response: Disconnect & Secure the Affected Computer

    Before investigating, act fast to prevent further damage:

    1️⃣ Shut down the compromised computer immediately.
    2️⃣ Disconnect from the network (unplug Ethernet, disable Wi-Fi).
    3️⃣ Reset the password for the affected user.
    4️⃣ Revoke all active sessions to log out any potential attacker.

    PowerShell Command to Revoke Sessions:

    Revoke-AzureADUserAllRefreshToken -ObjectId "[email protected]"
    

    Reset MFA to Prevent Unauthorized Re-Login:

    Reset-MsolStrongAuthenticationMethodByUpn -UserPrincipalName "[email protected]"
    

    🔹 Step 1: Check for Unauthorized Sign-ins in Azure AD

    Use Azure AD Sign-in Logs to check for suspicious login attempts.

    PowerShell Command to Retrieve Sign-in Logs:

    Connect-AzureAD
    Get-AzureADAuditSignInLogs -Filter "status/errorCode ne '0'"
    

    Alternative:

    🔍 Red Flags:

    🚩 Logins from unexpected locations or devices
    🚩 Multiple failed MFA attempts
    🚩 Impossible travel scenarios (e.g., two logins from different continents within minutes)


    🔹 Step 2: Investigate Phishing Emails Across the Organization

    If an attacker sent phishing emails to multiple employees, run a Compliance Search to identify all affected mailboxes. Narrow the ContentMatchQuery to the actual phishing message (sender, subject, or URL) before you purge anything; the query below matches every message with an attachment or link and is only a starting point.

    PowerShell Command to Search All Mailboxes for Suspicious Emails:

    New-ComplianceSearch -Name "CompanyPhishingScan" -ExchangeLocation All -ContentMatchQuery 'has:attachment OR has:link'
    Start-ComplianceSearch -Identity "CompanyPhishingScan"
    

    Check Results:

    Get-ComplianceSearch -Name "CompanyPhishingScan" | Select Name, Status, Items
    

    If Phishing Emails Are Found, Remove Them:

    New-ComplianceSearchAction -SearchName "CompanyPhishingScan" -Purge -PurgeType SoftDelete
    

    🚨 Use HardDelete only if emails must be permanently removed.


    🔹 Step 3: Check & Remove Hidden Forwarding Rules

    Attackers often set up automatic forwarding to steal emails.

    Check for Forwarding Rules:

    Get-Mailbox -Identity "[email protected]" | Select ForwardingAddress, ForwardingSmtpAddress
    

    Disable Auto-Forwarding if Found:

    Set-Mailbox -Identity "[email protected]" -ForwardingAddress $null -ForwardingSmtpAddress $null
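    Mailbox-level forwarding is only one of the places an attacker can hide a forward; inbox rules are the usual hiding spot. The added example below (not from the original guide) audits the compromised user's mailbox forwarding and inbox rules, then sweeps the tenant for any other mailbox that forwards. It only reports; it assumes an active Connect-ExchangeOnline session and uses a placeholder address.

```powershell
# Added example: forwarding audit for Step 3. Reports, does not change anything;
# disable findings with Disable-InboxRule / Remove-InboxRule and Set-Mailbox.
# Assumes an active Connect-ExchangeOnline session; the user address is a placeholder.

function Get-MailboxForwardingAudit {
    param([Parameter(Mandatory)][string]$Mailbox)

    $mbx      = Get-Mailbox -Identity $Mailbox
    $findings = [System.Collections.Generic.List[object]]::new()

    # 1. Mailbox-level forwarding (what the Get-Mailbox command above checks)
    if ($mbx.ForwardingAddress -or $mbx.ForwardingSmtpAddress) {
        $findings.Add([PSCustomObject]@{
            Where  = 'Mailbox'
            Name   = 'Forwarding'
            Target = "$($mbx.ForwardingAddress) $($mbx.ForwardingSmtpAddress)".Trim()
            Detail = "DeliverToMailboxAndForward=$($mbx.DeliverToMailboxAndForward)"
        })
    }

    # 2. Inbox rules that forward, redirect, delete, or bury mail in a folder nobody reads
    foreach ($rule in Get-InboxRule -Mailbox $Mailbox) {
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) | Where-Object { $_ }
        $suspicious = $targets.Count -gt 0 -or $rule.DeleteMessage -or ($rule.MoveToFolder -match 'RSS|Archive|Junk')
        if ($suspicious) {
            $findings.Add([PSCustomObject]@{
                Where  = 'InboxRule'
                Name   = $rule.Name
                Target = ($targets -join '; ')
                Detail = "Enabled=$($rule.Enabled); DeleteMessage=$($rule.DeleteMessage); MoveToFolder=$($rule.MoveToFolder)"
            })
        }
    }

    $findings
}

function Get-TenantForwardingSweep {
    # Every mailbox with a forward set; external SMTP forwarding is the usual exfiltration path
    Get-Mailbox -ResultSize Unlimited |
        Where-Object { $_.ForwardingAddress -or $_.ForwardingSmtpAddress } |
        Select-Object PrimarySmtpAddress, ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward
}

Get-MailboxForwardingAudit -Mailbox 'user@example.com' | Format-Table -AutoSize
Get-TenantForwardingSweep | Format-Table -AutoSize
```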
    

    🔹 Step 4: Scan the Compromised Computer Before Reconnecting

    Since a phishing link was clicked, scan the system for malware before reconnecting to the network.

    Offline Windows Defender Scan:

    Start-MpScan -ScanType FullScan
    

    If Threats Are Found, Remove Them:

    Remove-MpThreat   # removes all active threats; the cmdlet takes no -AllThreats switch
    

    For a Deep Rootkit Scan, Use Windows Defender Offline:

    Start-MpWDOScan
    

    ✅ This will restart the system and scan before Windows boots.


    🔹 Step 5: Implement Long-Term Protection Measures

    Enable Safe Links & Safe Attachments in Microsoft Defender

    • Safe Links: Blocks phishing links before users click them.
    • Safe Attachments: Scans email attachments for malware before delivery.

    Enable Safe Links Policy:

    Set-SafeLinksPolicy -Identity "Default" -EnableSafeLinks $true -TrackClicks $true
    

    Enable Safe Attachments Policy:

    # Safe Attachments is configured with Set-SafeAttachmentPolicy, not the malware filter policy
    Set-SafeAttachmentPolicy -Identity "Default" -Enable $true
    

    ✅ Educate Users on Phishing Awareness

    🔹 Enable the “Report Message” button in Outlook so employees can easily flag suspicious emails.
    🔹 Train employees to recognize phishing emails:
    ✔ Unexpected links
    ✔ Urgent language
    ✔ Sender impersonation


    🚀 Final Wrap-Up: Is the Account and System Secure?

    Account fully secured: No unauthorized logins, MFA reset, all active sessions revoked.
    Email threats removed: No phishing emails remain in any mailbox.
    PC scanned and clean: No malware detected before reconnecting.
    Long-term protections enabled: Safe Links, Safe Attachments, user education.

    By following these steps, IT admins can quickly contain and prevent phishing incidents in Microsoft 365! 🚀


    💬 What’s Next?

    How does your organization handle phishing attacks? Share your best practices in the comments below! ⬇️


  • How to Prevent Windows 10 Updates and Manage Remote Sessions Without Rebooting

    Introduction
    In many enterprise environments, automatic Windows 10 updates can disrupt critical applications. This guide provides step-by-step instructions on preventing updates, forcefully logging off users without rebooting, and managing remote machines efficiently using PowerShell, Command Prompt, and PsExec.


    Step 1: Prevent Windows 10 from Installing Updates

    Option 1: Disable Windows Update Service (Quick & Easy)

    1. Open Run (Win + R), type services.msc, and press Enter.
    2. Locate Windows Update in the list.
    3. Right-click and select Properties.
    4. Set Startup type to Disabled.
    5. Click Stop, then Apply and OK.

    💡 This prevents Windows from automatically downloading and installing updates.

    Option 2: Use Group Policy to Block Updates

    1. Open Run (Win + R), type gpedit.msc, and press Enter.
    2. Navigate to: Computer Configuration → Administrative Templates → Windows Components → Windows Update
    3. Double-click Configure Automatic Updates.
    4. Select Disabled, then click Apply and OK.

    Option 3: Delete Pending Updates Using PowerShell

    If Windows updates are already downloaded and pending installation:

    Stop-Service wuauserv -Force
    Stop-Service bits -Force
    Remove-Item -Path "C:\Windows\SoftwareDistribution\Download\*" -Recurse -Force
    Start-Service wuauserv
    Start-Service bits

    💡 This clears pending updates, preventing them from being installed.


    Step 2: Completely Cancel Pending Updates and Remove Notification

    Option 1: Clear the Update Queue from Windows Update

    If stopping services alone doesn’t remove pending updates, run this in PowerShell:

    Remove-Item -Path "C:\Windows\WinSxS\pending.xml" -Force -ErrorAction SilentlyContinue
    Remove-Item -Path "C:\Windows\SoftwareDistribution\*" -Recurse -Force

    💡 This removes Windows’ record of pending updates.

    Option 2: Flush Update Status from Windows Registry

    If the notification persists, remove any registry traces of pending updates:

    Remove-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update" -Name "RebootRequired" -ErrorAction SilentlyContinue
    Remove-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Services\Pending" -ErrorAction SilentlyContinue

    💡 This tells Windows that no updates are waiting for a reboot.

    Option 3: Reset Windows Update Components

    Run the following commands in CMD (Admin):

    net stop wuauserv
    net stop cryptsvc
    net stop bits
    net stop msiserver
    ren C:\Windows\SoftwareDistribution SoftwareDistribution.old
    ren C:\Windows\System32\catroot2 Catroot2.old
    net start wuauserv
    net start cryptsvc
    net start bits
    net start msiserver

    💡 This resets Windows Update components so the system forgets pending updates.

    Force Windows to Acknowledge No Updates Are Pending

    Run:

    wuauclt.exe /resetauthorization /detectnow

    or

    gpupdate /force

    💡 This forces Windows to recheck update policies and clear any pending update flags.

    Reboot Without Installing Updates

    To make sure Windows doesn’t install the update after a reboot, run:

    shutdown /r /t 0

    💡 This reboots without triggering pending updates.
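    Before and after the cleanup in Steps 1 and 2 it helps to confirm whether Windows still thinks an update or reboot is pending, instead of waiting for the next notification. This added example (not from the original guide) reads the same registry keys and files the steps above clear, plus the two other well-known pending-reboot markers, and changes nothing.

```powershell
# Added example: read-only check of the pending-update / pending-reboot markers.
# Paths are the standard Windows locations; nothing here modifies the system.

function Test-PendingUpdateState {
    $checks = @(
        @{ Name = 'WU RebootRequired key'
           Test = { Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired' } }
        @{ Name = 'CBS RebootPending key'
           Test = { Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending' } }
        @{ Name = 'WinSxS pending.xml'
           Test = { Test-Path "$env:windir\WinSxS\pending.xml" } }
        @{ Name = 'PendingFileRenameOperations'
           Test = { $null -ne (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' -ErrorAction SilentlyContinue).PendingFileRenameOperations } }
        @{ Name = 'Downloaded update payloads'
           Test = { (Get-ChildItem "$env:windir\SoftwareDistribution\Download" -ErrorAction SilentlyContinue | Measure-Object).Count -gt 0 } }
    )

    $results = foreach ($c in $checks) {
        [PSCustomObject]@{
            Check   = $c.Name
            Pending = [bool](& $c.Test)
        }
    }

    # Service state matters too: if wuauserv is running again, cleared updates will simply be re-downloaded
    $wu = Get-Service wuauserv
    $results += [PSCustomObject]@{
        Check   = "wuauserv service ($($wu.StartType))"
        Pending = ($wu.Status -eq 'Running')
    }
    $results
}

$state = Test-PendingUpdateState
$state | Format-Table -AutoSize
if ($state.Pending -contains $true) {
    Write-Host 'Windows still has pending update or reboot flags set.' -ForegroundColor Yellow
} else {
    Write-Host 'No pending update or reboot flags found.' -ForegroundColor Green
}
```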


    Step 3: Remotely Log Off a User Without Rebooting

    Option 1: Using PowerShell (Requires Admin Privileges)

    1. Open PowerShell as Administrator.
    2. Run: query user /server:RemotePCName
    3. Identify the Session ID of the user you want to log off.
    4. Log them off with: logoff <SessionID> /server:RemotePCName

    💡 This logs off the user without shutting down the VM.

    Option 2: Using PsExec (If PowerShell Remoting is Blocked)

    1. Download PsExec.
    2. Extract it to C:\PSEXEC.
    3. Open Command Prompt as Administrator.
    4. Navigate to the PsExec folder: cd C:\PSEXEC
    5. Check who is logged in: psexec \\RemotePCName -u Administrator -p YourPassword query session
    6. Log off the user: psexec \\RemotePCName -u Administrator -p YourPassword logoff <SessionID>

    💡 This method works even if WinRM and RPC are blocked.

    Option 3: Using Command Prompt (WMI-Based Logoff)

    If PsExec fails, try using WMI:

    wmic /node:RemotePCName /user:Administrator /password:YourPassword os where primary=true call Win32Shutdown 4
    
    (Win32Shutdown is a method of Win32_OperatingSystem, the wmic "os" alias, not of "computersystem"; flag 4 is a forced logoff.)

    💡 This forces all logged-in users to log off without rebooting! 🚀
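    The query user / logoff pair from Option 1 becomes safer when you log off a named user rather than a session ID read off the screen. This added example (not from the original guide) parses query user's fixed-width output, shows the sessions it found, and only calls logoff when exactly one session matches; -WhatIf previews without logging anyone off. It assumes RemotePCName is reachable over RPC as in the steps above.

```powershell
# Added example: wrapper around "query user" and "logoff" that targets a user name.
# Assumes RPC access to the remote machine, as in Option 1. Names are placeholders.

function Get-RemoteUserSession {
    param([Parameter(Mandatory)][string]$ComputerName)
    $lines = query user /server:$ComputerName 2>$null
    if (-not $lines) { return }
    # Skip the header row. A leading ">" marks the caller's own session. Columns are separated by
    # two or more spaces; disconnected sessions leave SESSIONNAME blank, so detect the ID column.
    foreach ($line in ($lines | Select-Object -Skip 1)) {
        $parts = ($line -replace '^\s*>', ' ') -split '\s{2,}' | Where-Object { $_ -ne '' }
        if ($parts.Count -ge 4 -and $parts[2] -match '^\d+$') {
            [PSCustomObject]@{ UserName = $parts[0]; SessionName = $parts[1]; Id = [int]$parts[2]; State = $parts[3] }
        } elseif ($parts.Count -ge 3 -and $parts[1] -match '^\d+$') {
            [PSCustomObject]@{ UserName = $parts[0]; SessionName = ''; Id = [int]$parts[1]; State = $parts[2] }
        }
    }
}

function Disconnect-RemoteUser {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][string]$UserName
    )
    $sessions = @(Get-RemoteUserSession -ComputerName $ComputerName | Where-Object { $_.UserName -eq $UserName })
    if ($sessions.Count -eq 0) { Write-Warning "No session for $UserName on $ComputerName"; return }
    if ($sessions.Count -gt 1) {
        Write-Warning "Multiple sessions for $UserName; pick the ID manually:"
        $sessions | Format-Table -AutoSize
        return
    }
    $s = $sessions[0]
    if ($PSCmdlet.ShouldProcess("$ComputerName session $($s.Id) ($($s.UserName), $($s.State))", 'logoff')) {
        logoff $s.Id /server:$ComputerName
        Write-Host "Logged off $UserName (session $($s.Id)) on $ComputerName without rebooting."
    }
}

# Placeholder names: replace with the real computer and user
Get-RemoteUserSession -ComputerName RemotePCName | Format-Table -AutoSize
Disconnect-RemoteUser -ComputerName RemotePCName -UserName jdoe -WhatIf
```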


    Step 4: Ensure Remote Management Works for Future Use

    Once you regain access, run this on the remote VM to prevent future lockouts:

    Enable-PSRemoting -Force
    Set-Service -Name RemoteRegistry -StartupType Automatic
    New-NetFirewallRule -DisplayName "Allow RDP and RPC" -Direction Inbound -Protocol TCP -LocalPort 135,3389 -Action Allow

    💡 This allows future remote PowerShell and PsExec commands to execute successfully. Scope the firewall rule to your management subnet with -RemoteAddress rather than leaving ports 135 and 3389 open to every source.


    Conclusion

    By following this guide, you can prevent Windows 10 from automatically updating, remotely log off users without rebooting, and ensure seamless remote access to your systems. This is critical for IT environments where stability is a priority.

    Let me know if you need additional troubleshooting steps!


  • Why Azure Cloud Shell is Better?

    If you’re an IT professional or cloud enthusiast, you’ve likely used PowerShell to manage Azure resources. But did you know there’s a better way? Azure Cloud Shell offers a streamlined, cloud-based command-line experience that makes managing Azure easier than ever.


    🚀 What is Azure Cloud Shell?

    Azure Cloud Shell is a browser-based command-line tool that lets you manage Azure resources without the need to install or configure anything on your local machine. It supports both PowerShell and Bash, giving you flexibility depending on your workflow.


    🔥 Why Use Azure Cloud Shell Over Local PowerShell?

    ✅ Pre-installed Azure Modules – No need to manually install or update Az PowerShell modules.
    ✅ Persistent Environment – Your session and files persist across devices.
    ✅ Works on Any OS – Since it’s browser-based, you can use it on Windows, Mac, or Linux.
    ✅ Built-in Authentication – No need to repeatedly sign in to Azure.
    ✅ Seamless Access to Azure Resources – Direct integration with your Azure subscriptions.
    ✅ Supports Both Bash & PowerShell – Choose the scripting environment that works best for you.


    🔎 How to Access Azure Cloud Shell

    1. Go to the Azure Portal: Open portal.azure.com.
    2. Locate the Cloud Shell Icon: Look for the PowerShell logo (or the Bash icon) at the top-right of the screen.
    3. Click to Launch: This will open a terminal at the bottom of the Azure Portal.
    4. Sign In with Your Credentials: If prompted, sign in to Azure.
    5. Authenticate: If needed, go to Microsoft Device Login and enter the code displayed.

    🔧 Basic Azure Cloud Shell Commands to Get Started

    🔹 Check Your Active Subscription

    Get-AzContext  # Displays your current subscription

    🔹 List All Azure Subscriptions

    Get-AzSubscription  # Shows all available subscriptions

    🔹 List All Resource Groups

    Get-AzResourceGroup  # Displays all resource groups in your active subscription

    🔹 List All Virtual Machines

    Get-AzVM  # Lists all VMs in your subscription

    🔹 Check Azure AD Users

    Get-AzADUser -First 10  # Retrieves the first 10 users in Azure AD

    🔹 Manage Storage Accounts

    Get-AzStorageAccount  # Lists all storage accounts in your subscription

    Why IT Admins Love Azure Cloud Shell

    Azure Cloud Shell makes it easier to manage Azure environments without worrying about PowerShell version mismatches or module updates. It’s accessible from anywhere, even on a mobile device, making it a go-to tool for IT admins who need quick access to their cloud resources.


    💡 Final Thoughts

    If you’re still using local PowerShell to manage Azure, it’s time to upgrade your workflow. Azure Cloud Shell offers convenience, security, and efficiency—all without the hassle of local configurations.

    Try it today and take your Azure management to the next level! 🚀

  • Removing Pending Updates on Windows 10 and Windows 11

    Windows updates can sometimes cause issues, especially when they force restarts or interfere with applications. This guide will show you how to remove pending updates to prevent Windows from installing them. These steps apply to both Windows 10 and Windows 11.

    Step 1: Stop Windows Update Services

    Before removing pending updates, you need to stop the Windows Update service.

    Open Command Prompt (Admin) and run:

    net stop wuauserv
    net stop bits
    net stop cryptsvc

    Step 2: Delete Pending Updates

    Once the services are stopped, delete the update files stored in SoftwareDistribution and WinSxS.

    Command Prompt Method:

    del /f /s /q C:\Windows\SoftwareDistribution\DataStore\*
    del /f /s /q C:\Windows\SoftwareDistribution\Download\*
    del /f /s /q C:\Windows\WinSxS\pending.xml

    PowerShell Method:

    Remove-Item -Path "C:\Windows\SoftwareDistribution\DataStore\*" -Force -Recurse
    Remove-Item -Path "C:\Windows\SoftwareDistribution\Download\*" -Force -Recurse
    Remove-Item -Path "C:\Windows\WinSxS\pending.xml" -Force

    If access is denied to pending.xml, take ownership and modify permissions first:

    takeown /f C:\Windows\WinSxS\pending.xml /A
    icacls C:\Windows\WinSxS\pending.xml /grant Administrators:F

    Then, retry deleting the file.

    Step 3: Restart Windows Update Services

    Once files are deleted, restart the Windows Update services:

    net start wuauserv
    net start bits
    net start cryptsvc
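    The three steps above as a single PowerShell script, added here as an example rather than code from the original post. It stops the services, copies everything it is about to delete into a timestamped backup folder (so the change can be reversed if servicing misbehaves), falls back to the takeown/icacls sequence when a delete is denied, and restarts the services even if a delete fails. The backup location under ProgramData is my choice; it assumes an elevated PowerShell session on Windows 10 or 11.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post): Steps 1-3 as one script with a
# backup of the deleted files and the takeown/icacls fallback from the post.
# Assumes an elevated PowerShell session on Windows 10/11.

$services  = 'wuauserv', 'bits', 'cryptsvc'
$targets   = @(
    "$env:SystemRoot\SoftwareDistribution\DataStore\*",
    "$env:SystemRoot\SoftwareDistribution\Download\*",
    "$env:SystemRoot\WinSxS\pending.xml"
)
# Backup folder is an assumption of this example, not something the post specifies.
$backupDir = Join-Path $env:ProgramData ('PendingUpdateBackup-' + (Get-Date -Format 'yyyyMMdd-HHmmss'))

function Stop-UpdateServices {
    # Step 1: stop the update stack so the files are not locked while we delete them.
    foreach ($name in $services) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if ($svc -and $svc.Status -ne 'Stopped') {
            Stop-Service -Name $name -Force -ErrorAction Stop
            $svc.WaitForStatus('Stopped', [TimeSpan]::FromSeconds(30))
        }
    }
}

function Remove-PendingUpdateFiles {
    # Step 2: delete the staged update data, keeping a copy of each item first.
    New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
    foreach ($pattern in $targets) {
        foreach ($item in Get-ChildItem -Path $pattern -Force -ErrorAction SilentlyContinue) {
            Copy-Item -Path $item.FullName -Destination $backupDir -Recurse -Force -ErrorAction SilentlyContinue
            try {
                Remove-Item -Path $item.FullName -Recurse -Force -ErrorAction Stop
            } catch {
                # Access denied (typically pending.xml): same fallback as the post, then retry once.
                takeown /f $item.FullName /A | Out-Null
                icacls $item.FullName /grant Administrators:F | Out-Null
                Remove-Item -Path $item.FullName -Recurse -Force
            }
        }
    }
}

function Start-UpdateServices {
    # Step 3: bring the services back in the same order the post uses.
    foreach ($name in $services) { Start-Service -Name $name -ErrorAction Continue }
}

Stop-UpdateServices
try     { Remove-PendingUpdateFiles }
finally { Start-UpdateServices }   # services come back even if a delete throws
Write-Host "Pending update files removed. Backup copies are in: $backupDir"
```

    The Download folder can hold several gigabytes, so check free space on the system drive before running; delete the backup folder once you are satisfied the machine services updates normally.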

    Windows 11 Extra Step

    On Windows 11, Tamper Protection in Windows Security may prevent modification of update files. If you encounter issues:

    1. Open Windows Security
    2. Navigate to Virus & Threat Protection > Manage Settings
    3. Disable Tamper Protection temporarily
    4. Follow the steps above and re-enable it after removal.

    Conclusion

    By following these steps, you can effectively remove pending Windows updates, preventing them from being installed. This is particularly useful for IT professionals managing production-critical systems.

  • How to Remove RDP Sessions Using CMD and PowerShell

    Introduction

    In IT administration, managing Remote Desktop Protocol (RDP) sessions is essential to maintain system security and performance. Whether you need to log off a disconnected session or forcefully remove an active session, using Command Prompt (CMD) or PowerShell can streamline the process. This guide will walk you through the methods to list, disconnect, and remove RDP sessions.


    Step 1: List Active RDP Sessions

    Before removing a session, you need to check which users are currently logged in. Run the following command in CMD:

    query session /server:localhost

    This will display all active and disconnected sessions along with their IDs.

    Alternatively, in PowerShell, use:

    qwinsta /server:localhost

    Both commands provide the session ID required to log off a user.


    Step 2: Log Off an RDP Session

    Once you have the session ID, you can log off a user session using CMD:

    logoff <SessionID> /server:localhost

    Example:

    logoff 2 /server:localhost

    This will terminate session ID 2.

    In PowerShell, use:

    rwinsta <SessionID>

    Example:

    rwinsta 2

    This will remove session ID 2 from the system.


    Step 3: Forcefully Remove a Stuck RDP Session

    If a session does not close properly, use this CMD command:

    taskkill /F /IM mstsc.exe

    This forcefully ends every Remote Desktop client (mstsc.exe) process on the machine.

    In PowerShell, use:

    Stop-Process -Name mstsc -Force

    This achieves the same result.
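    Steps 1 and 2 lend themselves to a script that reads the session table and logs off only what should be logged off. The following is an added example, not code from the original post: it parses the fixed-width output of `query session` into objects (splitting on whitespace breaks because SESSIONNAME and USERNAME can both be blank), then logs off disconnected sessions that belong to a user, skipping the system "services" session and the listener, which are also reported as Disc/Listen. The sample output is constructed; the live function assumes an elevated session on the RDP host.

```powershell
# Added example (not from the original post): parse "query session" output and
# log off only disconnected user sessions. Sample text below is constructed.

function ConvertFrom-QuerySession {
    param([Parameter(Mandatory)][string[]]$Lines)
    # Columns are fixed-width, so take offsets from the header line.
    $header     = $Lines[0]
    $userStart  = $header.IndexOf('USERNAME')
    $stateStart = $header.IndexOf('STATE')
    foreach ($line in ($Lines | Select-Object -Skip 1)) {
        if (-not $line.Trim()) { continue }
        $row = $line.PadRight($header.Length)
        # Between USERNAME and STATE sits "<user>   <id>", either part possibly blank.
        $mid = $row.Substring($userStart, $stateStart - $userStart)
        $m   = [regex]::Match($mid, '^(?<user>\S*)\s*(?<id>\d+)\s*$')
        if (-not $m.Success) { continue }
        [pscustomobject]@{
            SessionName = $row.Substring(0, $userStart).Trim().TrimStart('>')  # ">" marks your own session
            UserName    = $m.Groups['user'].Value
            Id          = [int]$m.Groups['id'].Value
            State       = ($row.Substring($stateStart).Trim() -split '\s+')[0]
        }
    }
}

function Disconnect-StaleRdpSession {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$Server = 'localhost')
    $sessions = ConvertFrom-QuerySession -Lines (query session /server:$Server)
    # "services" (ID 0) is reported as Disc too but has no user and must not be logged off.
    foreach ($s in $sessions | Where-Object { $_.State -eq 'Disc' -and $_.UserName }) {
        if ($PSCmdlet.ShouldProcess("$($s.UserName) (session $($s.Id)) on $Server", 'logoff')) {
            logoff $s.Id /server:$Server
        }
    }
}

# Constructed sample of "query session" output to exercise the parser offline.
$sample = @(
    ' SESSIONNAME       USERNAME                 ID  STATE   TYPE        DEVICE',
    ' services                                    0  Disc',
    '>console           jdoe                      1  Active',
    ' rdp-tcp#3         asmith                    2  Active  rdpwd',
    '                   bjones                    3  Disc',
    ' rdp-tcp                                 65536  Listen'
)
ConvertFrom-QuerySession -Lines $sample | Format-Table -AutoSize
# On the sample, only bjones (ID 3) qualifies for logoff. Dry-run on a real host first:
# Disconnect-StaleRdpSession -WhatIf
```

    Run with `-WhatIf` first; it prints exactly which user and session ID would be logged off without touching anything.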


    Conclusion

    Managing RDP sessions efficiently helps prevent resource exhaustion and unauthorized access. By using CMD or PowerShell, IT admins can quickly remove inactive or unresponsive RDP sessions, ensuring smooth operations. Bookmark these commands for future reference!

  • Mastering AZ-104: Essential Labs, PowerShell, and Tricky Concepts

    Introduction

    Passing the AZ-104: Microsoft Azure Administrator exam requires hands-on experience with Azure services. This guide provides essential labs, PowerShell/CLI commands, and explanations of tricky concepts to help you prepare efficiently.


    1️⃣ Compute (Virtual Machines & Availability)

    Lab: Deploy a VM using PowerShell

    New-AzVM -ResourceGroupName "TestRG" -Name "JetVM" -Location "EastUS" -Size "Standard_B2s" -Credential (Get-Credential)

    Key Concepts:

    • VM Backup & Disaster Recovery → Use Azure Backup Vault.
    • High Availability → Deploy VMs in Availability Zones.

    2️⃣ Networking (VNETs, NSGs, VPNs, Peering)

    Lab: Create a Virtual Network with Subnets and an NSG

    New-AzVirtualNetwork -ResourceGroupName "TestRG" -Name "JetVNet" -Location "EastUS" -AddressPrefix "10.1.0.0/16"

    Key Concepts:

    • VNet Peering vs VPN Gateway:
      • VNet Peering → Low latency, same region.
      • VPN Gateway → Cross-region, IPSec tunnels.
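    The lab title promises subnets and an NSG, but the one-liner above only creates the VNet. Here is the full lab as an added example (not code from the original post): two subnets carved from 10.1.0.0/16, an NSG whose rules allow RDP only from a VPN range and explicitly deny it from the Internet service tag, and a verification step. The resource names and the 172.16.104.0/24 VPN range are assumptions for the lab; it assumes `Connect-AzAccount` has already been run against the TestRG subscription.

```powershell
# Added example (not from the original post): VNet + two subnets + NSG.
# Names and the VPN range are assumptions; assumes Connect-AzAccount was run.

$rg  = 'TestRG'
$loc = 'EastUS'
$vpn = '172.16.104.0/24'   # assumed VPN client range

# Lower priority number is evaluated first: allow from the VPN range, then deny Internet.
$allowRdpVpn = New-AzNetworkSecurityRuleConfig -Name 'Allow-RDP-From-VPN' -Direction Inbound `
    -Priority 100 -Access Allow -Protocol Tcp -SourceAddressPrefix $vpn -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange 3389

$denyRdpInet = New-AzNetworkSecurityRuleConfig -Name 'Deny-RDP-From-Internet' -Direction Inbound `
    -Priority 200 -Access Deny -Protocol Tcp -SourceAddressPrefix 'Internet' -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange 3389

$nsg = New-AzNetworkSecurityGroup -ResourceGroupName $rg -Location $loc -Name 'JetNSG' `
    -SecurityRules $allowRdpVpn, $denyRdpInet

# Subnets inside the VNet's 10.1.0.0/16, each associated with the NSG at creation time.
$web  = New-AzVirtualNetworkSubnetConfig -Name 'web'  -AddressPrefix '10.1.1.0/24' -NetworkSecurityGroup $nsg
$data = New-AzVirtualNetworkSubnetConfig -Name 'data' -AddressPrefix '10.1.2.0/24' -NetworkSecurityGroup $nsg

$vnet = New-AzVirtualNetwork -ResourceGroupName $rg -Name 'JetVNet' -Location $loc `
    -AddressPrefix '10.1.0.0/16' -Subnet $web, $data

# Verify: every subnet should list JetNSG, and the NSG should show both custom rules.
$vnet.Subnets | Select-Object Name,
    @{ n = 'Prefix'; e = { $_.AddressPrefix -join ',' } },
    @{ n = 'NSG';    e = { ($_.NetworkSecurityGroup.Id -split '/')[-1] } }

Get-AzNetworkSecurityGroup -ResourceGroupName $rg -Name 'JetNSG' |
    Select-Object -ExpandProperty SecurityRules |
    Select-Object Name, Priority, Access, SourceAddressPrefix, DestinationPortRange
```

    The explicit deny is not strictly needed because the default NSG rules already block inbound Internet traffic, but writing it out makes the intent visible to whoever reviews the rule set later.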

    3️⃣ Storage (Blob, Files, Disks, Backups)

    Lab: Create a Storage Account

    New-AzStorageAccount -ResourceGroupName "TestRG" -Name "jetstorage01" -SkuName "Standard_LRS" -Location "EastUS"

    Key Concepts:

    • Storage Tiers:
      • Hot → Frequent access
      • Cool → Infrequent access
      • Archive → Long-term storage, lowest cost

    4️⃣ Identity & Access Management (IAM, RBAC, MFA)

    Lab: Assign RBAC Role to a User

    New-AzRoleAssignment -SignInName "<user-email>" -RoleDefinitionName "Reader" -Scope "/subscriptions/your-subscription-id"

    Key Concepts:

    • RBAC vs Conditional Access:
      • RBAC → Controls Azure resources.
      • Conditional Access → Controls sign-in policies (MFA, device compliance).

    5️⃣ Monitoring & Security (Azure Monitor, Defender for Cloud)

    Lab: Set Up Alerts for High CPU Usage

    New-AzMetricAlertRule -ResourceGroup "TestRG" -Name "CPUAlert" -TargetResourceId "/subscriptions/your-subscription-id/resourceGroups/TestRG/providers/Microsoft.Compute/virtualMachines/JetVM" -MetricName "Percentage CPU" -Threshold 80 -Operator GreaterThan -WindowSize 5m -EvaluationFrequency 1m

    Key Concepts:

    • Azure Monitor vs Log Analytics:
      • Azure Monitor → Collects logs + metrics.
      • Log Analytics → Queries & analyzes logs.

    🚀 Final Exam Prep Tips

    ✅ Hands-on practice in Azure Free Tier + Pluralsight Labs.
    ✅ Take full-length practice tests (MeasureUp, Tutorials Dojo).
    ✅ Master PowerShell/CLI for automation scenarios.
    ✅ Simulate exam conditions (time yourself, no distractions).


    📌 Conclusion

    By following these structured labs and understanding key concepts, you’ll be well-prepared to ace AZ-104. Keep practicing, and best of luck on your certification journey! 🚀

    📝 Want more Azure tips? Follow my blog for more deep dives into Microsoft certifications and cloud solutions!

  • Securing Remote Work: How to Protect Your Computer When Using VPN and RDP

    With the rise of remote work and hybrid environments, many IT professionals access their work machines using VPN and RDP (Remote Desktop Protocol). While this setup provides flexibility, it also presents security risks—especially when working in a cross-domain network or dealing with multiple IT teams.

    As an IT professional with experience in Citrix VDI for banking and enterprise security, I’ve implemented best practices to ensure my remote work setup is secure against unauthorized access. Here’s how you can do the same.


    🔍 Understanding the Security Risks of VPN + RDP

    A typical work-from-home setup involves:
    ✅ Connecting to a corporate VPN (e.g., Cisco AnyConnect, Fortinet, or Palo Alto GlobalProtect)
    ✅ Using RDP (Remote Desktop Protocol) to access your work machine

    However, if not properly secured, this configuration could expose your computer to:
    • Unwanted access from other IT personnel within the VPN network
    • Brute-force RDP attacks if port 3389 is open
    • Drive redirection vulnerabilities, where attackers can view or copy your files
    • Misconfigured VPN routes, allowing unauthorized users to connect to your machine

    To prevent these risks, I follow a strict security protocol when using VPN and RDP.


    🛡️ Step-by-Step Guide: How to Secure Your Work Computer When Using VPN + RDP

    1️⃣ Enforce Network Level Authentication (NLA) for RDP

    Network Level Authentication (NLA) ensures that only authenticated users can initiate RDP sessions, blocking unauthorized login attempts.

    How to enable NLA:

    1. Open System Properties (sysdm.cpl)
    2. Go to the Remote tab
    3. Check “Allow connections only from computers running Remote Desktop with Network Level Authentication”
    4. Click Apply > OK

    🔹 Why it matters? Without NLA, an attacker can initiate an RDP connection and attempt brute-force attacks before authentication.


    2️⃣ Restrict RDP Access to VPN-Only IP Ranges

    By default, Windows allows RDP connections from any network. To prevent unauthorized access, restrict RDP connections only to your VPN subnet.

    How to block all external RDP access except your VPN subnet:

    1. Open Windows Defender Firewall
    2. Navigate to Advanced Settings > Inbound Rules
    3. Find Remote Desktop – User Mode (TCP-In)
    4. Right-click > Properties > Scope
    5. Under Remote IP Address, choose These IP addresses
    6. Add only your VPN subnet (e.g., 172.16.104.0/24)
    7. Click Apply > OK

    🔹 Why it matters? Even if someone inside your network tries to RDP into your machine, their connection will be blocked unless they are in the allowed VPN range.


    3️⃣ Disable Drive Redirection in RDP

    RDP allows drive redirection by default, which means that if an attacker gains access, they can browse and copy files from your local machine.

    How to disable RDP drive redirection:

    1. Open Group Policy Editor (gpedit.msc)
    2. Navigate to: Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Device and Resource Redirection
    3. Find “Do not allow drive redirection”
    4. Set it to Enabled
    5. Click Apply > OK

    🔹 Why it matters? This prevents your local drives from being exposed during RDP sessions.


    4️⃣ Monitor RDP Access Logs for Unauthorized Connections

    Since you’re the only one RDPing into your machine, it’s important to monitor login attempts to detect any suspicious activity.

    How to check RDP login logs in Event Viewer:

    1. Open Event Viewer (eventvwr.msc)
    2. Navigate to: Windows Logs > Security
    3. Look for:
      • Event ID 4624 (successful logins)
      • Event ID 4625 (failed logins)

    🔹 Why it matters? If you see failed logins from unknown IPs, someone may be trying to brute-force your RDP connection.


    5️⃣ Disable Remote Access for Unauthorized Users

    IT admins in your network may have elevated privileges, allowing them to remotely manage your system. To block unauthorized admin access, you can disable remote administration tools.

    How to remove unauthorized administrators:

    1. Open PowerShell as Administrator
    2. Run the following command to list local administrators: net localgroup Administrators
    3. If you see any unauthorized users, remove them: net localgroup Administrators "DOMAIN\Username" /delete

    🔹 Why it matters? Even with VPN access, they won’t be able to take control of your system.
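    Steps 1 to 5 above are all GUI clicks; the same settings can be applied and checked from PowerShell, which is handy when you have more than one machine to harden. The script below is an added example, not code from the original post. It sets the registry value behind the NLA checkbox, scopes the built-in Remote Desktop firewall rules to the VPN range, sets the policy value behind "Do not allow drive redirection", summarizes failed logons (Event ID 4625) by source IP, and lists the local Administrators group. It assumes Windows 10 or 11 with the built-in "Remote Desktop" firewall rule group and an elevated session; the VPN range is the post's example value and should be replaced with your own.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post): Steps 1-5 from PowerShell.
# Assumes Windows 10/11 and the built-in "Remote Desktop" firewall rule group.

$VpnSubnet = '172.16.104.0/24'   # the post's example range; replace with yours

function Enable-RdpNla {
    # Step 1: the value behind "Allow connections only from computers running
    # Remote Desktop with Network Level Authentication" (1 = required).
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    Set-ItemProperty -Path $key -Name 'UserAuthentication' -Value 1 -Type DWord
}

function Set-RdpFirewallScope {
    param([Parameter(Mandatory)][string]$Subnet)
    # Step 2: scope every inbound Remote Desktop rule (TCP and UDP) to the VPN range.
    Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
        Set-NetFirewallRule -RemoteAddress $Subnet
}

function Disable-RdpDriveRedirection {
    # Step 3: the registry policy that "Do not allow drive redirection" writes.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name 'fDisableCdm' -Value 1 -Type DWord
}

function Get-FailedRdpLogon {
    param([int]$Hours = 24)
    # Step 4: Security 4625 events grouped by source IP. Logon type 10 is
    # RemoteInteractive; with NLA enabled, failed RDP pre-auth shows up as type 3.
    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            User      = $data['TargetUserName']
            IpAddress = $data['IpAddress']
            LogonType = $data['LogonType']
        }
    } | Where-Object { $_.LogonType -in '3', '10' } |
      Group-Object IpAddress | Sort-Object Count -Descending |
      Select-Object @{ n = 'IpAddress'; e = { $_.Name } }, Count
}

function Get-LocalAdminMember {
    # Step 5: review membership; remove an unexpected entry with
    # Remove-LocalGroupMember -Group Administrators -Member 'DOMAIN\Username'.
    Get-LocalGroupMember -Group 'Administrators' | Select-Object Name, ObjectClass, PrincipalSource
}

Enable-RdpNla
Set-RdpFirewallScope -Subnet $VpnSubnet
Disable-RdpDriveRedirection
Get-FailedRdpLogon -Hours 24 | Format-Table -AutoSize
Get-LocalAdminMember      | Format-Table -AutoSize
```

    Any source IP in the 4625 summary that is outside your VPN range should not exist once the firewall scope is in place, so a non-empty result after Step 2 is worth investigating rather than ignoring.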


    💡 Alternative: Using Citrix VDI Instead of RDP for Secure Access

    Since I’ve worked with Citrix Virtual Desktop Infrastructure (VDI) for banks, I know that virtual desktops eliminate most RDP risks. Instead of exposing RDP ports, a Citrix setup allows users to access their workstations securely via a web portal.

    Why Citrix VDI is better than RDP over VPN:
    🚀 No direct RDP connection – Reduces attack surface
    🚀 User sessions are isolated – Prevents unauthorized access
    🚀 Secured with multi-factor authentication (MFA) – Extra security

    If your organization supports it, using Citrix or Windows Remote Desktop Web Access (RD Web) is a safer alternative.


    🔎 Final Thoughts

    Working remotely via VPN + RDP is convenient, but it must be properly secured to prevent unauthorized access and IT snooping. By implementing:
    • Network Level Authentication (NLA)
    • Restricting RDP to VPN-only IP ranges
    • Disabling drive redirection
    • Monitoring login logs
    • Removing unauthorized admin users

    You can ensure that your remote work environment remains private and secure.

    🔹 If you’re managing an enterprise network, consider moving to Citrix VDI or Windows RD Web for an extra layer of security.

    💡 Have questions about securing your remote access? Drop a comment below!

  • Cross-Tenant Sync and Multiple Teams Profiles: Why It Happens & How to Fix It

    In modern IT environments, Cross-Tenant Synchronization (CTS) is essential for organizations managing multiple tenants in Microsoft Entra ID. It simplifies user provisioning, automates updates, and enhances collaboration across different organizations. However, one common challenge in CTS setups is the creation of multiple Microsoft Teams profiles instead of maintaining a single unified identity.

    This issue occurs when organizations sync users between two or more tenants, but instead of retaining one Teams profile, users end up with duplicate profiles—causing confusion and workflow disruptions.


    Why Do Users Get Multiple Teams Profiles?

    There are several reasons why users might experience duplicate Teams profiles in a CTS environment. Below are the most common causes and recommended solutions.


    1. B2B Collaboration vs. B2B Direct Connect

    🔹 B2B Collaboration (traditional guest access) creates separate identities in each tenant, resulting in multiple Teams profiles.

    🔹 B2B Direct Connect, on the other hand, allows seamless collaboration without generating separate guest accounts, helping to unify user identities across tenants.

    Solution: Enable B2B Direct Connect instead of B2B Collaboration to consolidate Teams profiles.

    📌 Reference: B2B Direct Connect Overview


    2. UPN and Email Address Mismatch

    🔹 If a user’s User Principal Name (UPN) and email address don’t match across tenants, Teams may create a duplicate profile instead of linking the user’s existing profile.

    🔹 Microsoft recommends matching UPNs with the primary SMTP address to ensure identity consistency across Entra ID and Teams.

    Solution: Align UPNs and primary email addresses across all tenants to avoid duplicate profiles.

    📌 Reference: Plan and Troubleshoot UPN Changes in Microsoft Entra ID


    3. Guest vs. Member Role in CTS

    🔹 When users are synced into another tenant, they can be assigned as either Members or Guests.

    🔹 If users are created as Guests, Teams may treat them as external users, resulting in a separate Teams profile.

    Solution: Configure Cross-Tenant Sync to assign synced users as Members instead of Guests to ensure a unified profile.

    📌 Reference: Cross-Tenant Synchronization Overview
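    Causes 2 and 3 are both visible on the user object, so they can be reported in one pass before anyone files a Teams ticket. The following is an added example, not code from the original post: it flags users whose UPN differs from their primary SMTP address (the uppercase `SMTP:` entry in proxyAddresses) and users who were provisioned as Guests in the target tenant. The sample users are constructed and contoso.com/fabrikam.com are placeholder domains; the commented live query assumes `Connect-MgGraph -Scopes 'User.Read.All'` has been run.

```powershell
# Added example (not from the original post): report UPN/primary-SMTP mismatches
# (cause 2) and Guest-provisioned users (cause 3). Sample users are constructed.

function Find-TeamsProfileRisk {
    param([Parameter(Mandatory, ValueFromPipeline)][object]$User)
    process {
        # proxyAddresses marks the primary address with uppercase "SMTP:"; the
        # lowercase "smtp:" entries are aliases. Fall back to Mail if none is set.
        $primary = ($User.ProxyAddresses | Where-Object { $_ -cmatch '^SMTP:' } |
                    Select-Object -First 1) -replace '^SMTP:', ''
        if (-not $primary) { $primary = $User.Mail }

        $issues = @()
        # -ne is case-insensitive in PowerShell, which is what we want for addresses.
        if ($primary -and $primary -ne $User.UserPrincipalName) { $issues += 'UPN differs from primary SMTP' }
        if ($User.UserType -eq 'Guest') { $issues += 'Provisioned as Guest (treated as external by Teams)' }

        if ($issues) {
            [pscustomobject]@{
                UserPrincipalName = $User.UserPrincipalName
                PrimarySmtp       = $primary
                UserType          = $User.UserType
                Issue             = $issues -join '; '
            }
        }
    }
}

# Constructed sample: one clean member, one guest, one member with a mismatched UPN.
$sample = @(
    [pscustomobject]@{
        UserPrincipalName = 'alice@contoso.com'
        Mail              = 'alice@contoso.com'
        ProxyAddresses    = 'SMTP:alice@contoso.com', 'smtp:alice@contoso.onmicrosoft.com'
        UserType          = 'Member'
    },
    [pscustomobject]@{
        UserPrincipalName = 'bob_fabrikam.com#EXT#@contoso.onmicrosoft.com'
        Mail              = 'bob@fabrikam.com'
        ProxyAddresses    = @('SMTP:bob@fabrikam.com')
        UserType          = 'Guest'
    },
    [pscustomobject]@{
        UserPrincipalName = 'carol@contoso.com'
        Mail              = 'carol.smith@contoso.com'
        ProxyAddresses    = @('SMTP:carol.smith@contoso.com')
        UserType          = 'Member'
    }
)
$sample | Find-TeamsProfileRisk | Format-Table -AutoSize
# Live run against the target tenant (Guests show both issues, since #EXT# UPNs never match):
# Get-MgUser -All -Property UserPrincipalName, Mail, ProxyAddresses, UserType | Find-TeamsProfileRisk
```

    On the sample, alice produces no row, bob is flagged for both issues, and carol is flagged for the UPN mismatch only.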


    4. Microsoft Teams Cache Issues

    🔹 In some cases, duplicate profiles persist due to cached credentials in Microsoft Teams.

    Solution: Clearing the Teams cache can force Teams to refresh user profiles, which may help resolve this issue.

    📌 How to Clear Microsoft Teams Cache:

    1. Windows:
      • Close Microsoft Teams.
      • Open Run (Win + R), type %appdata%\Microsoft\Teams, and hit Enter.
      • Delete all files inside the Teams folder.
      • Restart Teams.
    2. Mac:
      • Quit Teams.
      • Open Finder > Go > Go to Folder and type ~/Library/Application Support/Microsoft/Teams.
      • Delete all contents in the Teams folder.
      • Restart Teams.
    3. Mobile (iOS/Android):
      • Go to Settings > Apps > Microsoft Teams and clear cache/storage.

    Final Thoughts

    The multiple Teams profiles issue in Cross-Tenant Synchronization setups is primarily caused by B2B configuration settings, UPN mismatches, and role assignments.

    By implementing:
    • B2B Direct Connect,
    • UPN and email address alignment,
    • Assigning synced users as Members instead of Guests,
    • Clearing Microsoft Teams cache when needed,

    Organizations can reduce duplicate profiles in Microsoft Teams and create a seamless collaboration experience across tenants.

    As Cross-Tenant Sync evolves, IT administrators should proactively monitor user identity behavior across tenants and leverage Microsoft Entra ID best practices to ensure a smooth and unified user experience.

  • Tesla & EV Blog

    Why I Love My Tesla: A Perfect Match for an IT Pro

    As an IT professional, I value efficiency, innovation, and seamless automation—qualities that define both my work and my Tesla. Owning a Tesla isn’t just about having an electric vehicle; it’s about experiencing a car that evolves over time, adapts to my needs, and offers a tech-driven lifestyle that aligns perfectly with my mindset.

    Tesla’s 2025.8 Update: My Hands-On Experience & Favorite Features

    One of the things I love about owning a Tesla Model 3 is that it keeps evolving—just like an IT professional like me. Thanks to over-the-air (OTA) updates, my car doesn’t just stay relevant; it keeps getting better.

    With the March 2025 update (2025.8), I had the chance to test out some of the newest features, and let me tell you—Tesla keeps pushing boundaries. Here are my personal thoughts after experiencing this update firsthand.

    🚘 Adaptive Headlights: Better Visibility at Night

    One of the first things I noticed was the new adaptive headlight system. The high beams now automatically adjust based on road conditions, improving nighttime driving. It feels smoother, smarter, and makes night driving less stressful—especially on dark Utah highways.

    🧠 Grok Smart Assistant: Tesla’s AI Just Got Smarter

    Tesla’s new AI assistant, Grok 3, is finally here. It feels more intuitive than before—answering questions faster and handling more complex voice commands. I tested it while adjusting settings on the go, and it’s definitely a step up from previous versions. I can already see this being a game-changer as Tesla continues refining it.

    ⛷️ Cybertruck Upgrades: Better Suspension & Cold-Weather Performance

    Although I drive a Model 3, I had the chance to check out the Cybertruck’s new adjustable suspension settings at a local Tesla meetup. Owners can now fine-tune ride height for different terrains, which is great for off-roading or heavy loads. Tesla also tweaked the cold-weather performance, improving regenerative braking and battery preconditioning—huge for anyone dealing with winter conditions.

    👀 In-Cabin Radar: Smarter Passenger Detection

    Tesla has finally enabled the in-cabin radar system in older Model Y vehicles, replacing the old seat sensors. It’s more precise and reliable, detecting passengers without any lag.

    🛣️ Navigation Just Got Smarter

    This is one of my favorite updates—Tesla added new navigation preferences! Now, I can choose from:
    ✅ Least Congestion (Great for avoiding traffic)
    ✅ Prefer Highways (For long-distance trips)
    ✅ Lowest Tolls (Because who likes paying extra fees?)

    I tested these settings on a drive across town, and Tesla’s routing was definitely more optimized than before. This is a must-use feature for road trips.

    🚛 Trailer Profiles: A Smart Addition for Haulers

    Trailer Profiles were first introduced on the Cybertruck, but now they’re coming to Model S, X, and Y. I don’t tow anything with my Model 3, but I can see this being a big deal for Tesla owners who do. Being able to save trailer settings will make it easier to track mileage and get more accurate energy usage estimates.

    🎨 Custom Wraps: Personalizing the Virtual Model

    I love that Tesla added custom wrap visualizations for Model 3. Now, I can match my on-screen car to its real look—just a small touch that makes a big difference for personalization.

    FSD and Autopilot: A Glimpse into the Future

    I love both Full Self-Driving (FSD) and Autopilot. Whether I’m commuting or on long road trips, Tesla’s driver-assist technology makes driving more relaxing.

    🚗 FSD v12 and Earlier:
    While I still keep my hands on the wheel, the car can:
    ✅ Steer, accelerate, and brake automatically
    ✅ Navigate highways with ease
    ✅ Change lanes intelligently
    ✅ Recognize traffic lights and stop signs

    🔥 FSD v13 and Beyond:
    Tesla’s latest updates are pushing the boundaries further. There’s growing excitement about FSD v13 potentially enabling more hands-free operation, bringing it closer to full autonomy. While regulatory approval and driver supervision are still required, Tesla continues to refine the tech to make it safer and more capable.


    Final Thoughts: Tesla Keeps Innovating

    After testing the March 2025 Tesla Update (2025.8), I can confidently say that Tesla isn’t slowing down. The combination of smarter AI, better lighting, enhanced navigation, and personalization features makes this a solid upgrade.

    I’m always excited for what’s next because with Tesla, my car keeps evolving just like my IT career—always adapting, always improving.

    🚀 What’s your favorite feature from this update? Drop a comment below!

    No More Gas and Maintenance Hassles

    One of the biggest advantages of driving a Tesla is never having to stop at a gas station. With home charging, my car is always ready to go when I wake up. Plus, long road trips are effortless with Tesla’s Supercharger network, which continues to expand.

    Beyond gas savings, Tesla eliminates the hassle of oil changes, transmission failures, and countless other maintenance headaches that come with traditional cars. The simplicity of an electric motor means fewer moving parts, fewer breakdowns, and more time spent enjoying the drive rather than worrying about repairs.

    A Car That Evolves: The Power of Over-the-Air Updates

    My Tesla isn’t just a car—it’s a software-driven machine. Unlike traditional vehicles that become outdated over time, my Tesla gets better with every update.

    Right now, I’m running Tesla’s 2025.2.8 software update, which I received over-the-air without ever visiting a service center. These updates continuously improve the car’s performance, battery efficiency, entertainment features, and driver-assist technology. It feels like waking up to a brand-new car every few months.

    FSD and Autopilot: A Glimpse into the Future

    I love both Full Self-Driving (FSD) and Autopilot. Whether I’m commuting or on long road trips, Tesla’s driver-assist technology makes the experience more relaxing. While I still keep my hands on the wheel, the car can:
    ✅ Steer, accelerate, and brake automatically
    ✅ Navigate highways with ease
    ✅ Change lanes intelligently
    ✅ Recognize traffic lights and stop signs

    With every update, Tesla pushes the boundaries of what’s possible, making FSD smarter and safer.

    Minimalist Design: Simplicity Meets Functionality

    Inside my Tesla, I enjoy a clean, distraction-free cabin. There are no unnecessary buttons—just a sleek 15-inch touchscreen that controls everything seamlessly. The interface is intuitive, responsive, and regularly updated for a smoother experience.

    Plus, with wireless phone charging, premium sound, and an expansive glass roof, Tesla blends technology with comfort in a way that makes driving enjoyable every day.

    Convenience at Its Best: Keyless Entry and Smart Features

    One of my favorite features is the hands-free trunk opening. When I’m carrying groceries in both hands, I don’t need to fumble for keys—the trunk automatically opens as long as I have my Apple Watch with me.

    Tesla’s keyless entry means I never have to take out a key fob—my phone or watch acts as the key, unlocking the car the moment I approach. It’s small details like this that make Tesla stand out.

    Fast, Smooth, and Silent

    Tesla’s acceleration is nothing short of thrilling. With instant torque, there’s no lag—just pure, smooth power. Whether I need to merge onto the freeway or pass a slow-moving vehicle, my Tesla responds immediately.

    And let’s not forget the quiet ride. With no engine noise, every drive is peaceful, making road trips feel effortless.

    Conclusion: A Perfect Match for an IT Pro

    My Tesla isn’t just a car—it’s a technology powerhouse that perfectly complements my profession as an IT expert. From over-the-air updates to intelligent automation, Tesla embodies everything I love about cutting-edge innovation.

    It’s efficient, fast, futuristic, and—most importantly—it makes every drive something to look forward to.

    🚗⚡ Once you drive a Tesla, there’s no going back.

  • Azure Application Proxy: A Secure Remote Access Solution

    Introduction

    With the rise of remote work and cloud-based applications, organizations need secure and efficient ways to provide access to internal applications. Azure Application Proxy is a lightweight, cloud-based solution that allows users to access on-premises applications securely from anywhere without a VPN.

    This blog will cover:
    • What is Azure App Proxy?
    • How it works
    • Prerequisites for deployment
    • Step-by-step setup using Azure Portal & PowerShell
    • Best practices for security & performance


    🔹 What is Azure Application Proxy?

    Azure Application Proxy is a cloud-based service in Microsoft Entra ID (formerly Azure AD) that provides secure remote access to on-premises web applications.
    • No VPN required – Reduces complexity & costs
    • Single Sign-On (SSO) – Seamless authentication via Entra ID
    • Secure & Scalable – Uses reverse proxy architecture
    • Conditional Access Support – Controls access based on risk level

    💡 Common Use Cases

    🔹 Access legacy web apps from any device
    🔹 Provide secure extranet access for partners
    🔹 Replace traditional VPNs for application access
    🔹 Enable remote access to intranet apps


    🔹 How Does Azure App Proxy Work?

    Azure App Proxy consists of two main components:

    1. Application Proxy Service (Cloud-based)
      • Runs in Azure
      • Authenticates users via Entra ID
      • Sends requests to the on-premises connector
    2. Application Proxy Connector (On-Premises Agent)
      • Installed inside the corporate network
      • Forwards authenticated requests to internal applications
      • Uses outbound traffic only (no firewall holes needed)

    📌 Architecture Flow

    1️⃣ User accesses app-protected URL
    2️⃣ Azure App Proxy authenticates the user via Entra ID
    3️⃣ Request is forwarded to the on-premises App Proxy Connector
    4️⃣ Connector retrieves the response & sends it back via Azure Proxy


    🔹 Prerequisites

    Before deploying Azure App Proxy, ensure:
    • Microsoft Entra ID (Azure AD) P1 or P2 license
    • An on-premises Windows Server (2016+) to install the connector
    • Outbound internet access on the connector server
    • Domain-joined or cloud-hybrid environment (if using SSO)
    • App must use HTTP/HTTPS (No TCP/UDP apps)


    🛠️ Deploying Azure App Proxy

    🔹 Step 1: Install Application Proxy Connector

    📌 Run the following PowerShell command on your Windows Server:

    Invoke-WebRequest -Uri https://aka.ms/aadappproxy -OutFile "AADAppProxyInstaller.exe"
    Start-Process "AADAppProxyInstaller.exe" -ArgumentList "/quiet" -Wait

    👉 Sign in with Global Admin credentials to register the connector.

    Verify that the connector is running:

    Get-Service | Where-Object { $_.DisplayName -match "Application Proxy Connector" }

    🔹 Step 2: Register the Application in Azure

    1️⃣ Sign into the Azure Portal
    2️⃣ Go to Microsoft Entra ID > Enterprise Applications
    3️⃣ Click New Application > On-premises Application
    4️⃣ Set External URL (e.g., https://app.jetmariano.us)
    5️⃣ Set Internal URL (e.g., http://internal-app-server.local)
    6️⃣ Choose Pre-authentication method:
      • Azure AD (Recommended) – Uses SSO & Conditional Access
      • Passthrough – No authentication (use only if required)


    🔹 Step 3: Configure Single Sign-On (SSO) (Optional)

    If using SSO with Kerberos, configure:

    Set-WebApplicationProxyApplication -Name "InternalApp" -BackendApplicationUrl "http://internal-app.local" -ExternalApplicationUrl "https://app.jetmariano.us" -ConnectorGroupID "ConnectorGroup1" -SSOType "KerberosConstrainedDelegation"

    ✅ This allows seamless authentication without repeated login prompts.


    🔹 Step 4: Test & Secure the Application

    🔹 Access your external URL and verify that it works.
    🔹 Enable Conditional Access for added security.
    🔹 Restrict access based on device compliance, location, MFA, etc.


    🔒 Best Practices for Azure App Proxy

    • Use Azure AD Pre-authentication – Avoid exposing internal apps
    • Enable Conditional Access – Enforce MFA & compliance policies
    • Monitor access logs – Track login attempts & potential threats
    • Use HTTPS for internal apps – Encrypt traffic end-to-end
    • Scale with multiple connectors – Ensure redundancy & load balancing


    ✅ Conclusion

    Azure Application Proxy modernizes remote access by eliminating VPN dependencies and enhancing security with Azure AD SSO & Conditional Access.

    🚀 Next Steps:
    🔹 Explore Hybrid Azure AD Join for better identity management
    🔹 Implement Privileged Access Management (PAM) for sensitive apps
    🔹 Set up Azure AD Identity Protection to detect risk-based sign-ins

    🔹 Have you implemented Azure App Proxy? Share your experience below! 💬

  • Fixing MFA Lockout Issues & Bypass Methods in Azure AD

    Introduction

    Multi-Factor Authentication (MFA) is a crucial security measure in Microsoft Entra ID (formerly Azure AD) to protect against unauthorized access. However, users and administrators often encounter MFA lockout issues, preventing legitimate users from accessing their accounts. This can be due to device loss, incorrect configurations, or a lack of backup authentication methods.

    In this blog, we will cover:
    ✅ Why MFA lockout happens
    ✅ How to reset MFA for users
    ✅ Bypass methods for emergency access
    ✅ Best practices to prevent future issues


    🔍 Why Does MFA Lockout Happen?

    MFA lockouts typically occur due to:

    • Device Change – User loses access to their phone or resets their device
    • Authenticator App Issues – User gets a new phone and doesn’t migrate the Authenticator app
    • Phone Number Change – SMS authentication fails due to a new phone number
    • Policy Restrictions – Conditional Access or legacy MFA settings prevent login
    • MFA Throttling – Too many failed attempts lock out the user

    🛠️ How to Reset MFA for a User

    If a user is locked out, an Azure AD admin can reset their MFA settings. Here’s how:

    🔹 Reset MFA via Microsoft Entra Admin Center

    1. Sign in to Microsoft Entra Admin Center as an administrator.
    2. Navigate to Users > All users
    3. Search for the affected user and select them
    4. Click Authentication methods > Require Re-register MFA
    5. Have the user sign in again and set up MFA from scratch

    🔹 Reset MFA Using PowerShell

    Admins can reset MFA via PowerShell with Microsoft Graph PowerShell.

    1️⃣ Connect to Microsoft Graph

    # Listing and removing a user's methods needs UserAuthenticationMethod.ReadWrite.All in addition to User.ReadWrite.All
    Connect-MgGraph -Scopes "User.ReadWrite.All", "UserAuthenticationMethod.ReadWrite.All"
    

    2️⃣ Find the user needing an MFA reset

    Get-MgUser -UserId "[email protected]" | Select-Object DisplayName,UserPrincipalName,Id
    

    3️⃣ Reset MFA settings for the user

    # Graph has no revoke-all cmdlet: list the user's methods, then remove each one with the matching Remove-MgUserAuthentication<Type>Method cmdlet (phone, Microsoft Authenticator, FIDO2, software OATH, TAP); the password method cannot be removed
    Get-MgUserAuthenticationMethod -UserId "[email protected]" | Select-Object Id, @{ Name = 'Type'; Expression = { $_.AdditionalProperties['@odata.type'] } }
    

    4️⃣ Confirm the user is cleared of previous MFA methods

    Get-MgUserAuthenticationMethod -UserId "[email protected]"
    

    The user will now be prompted to re-enroll in MFA at their next login.
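    The following is an added example, not code from the original post: a reset function that enumerates a user's registered methods and removes each with the cmdlet for its type, since Microsoft Graph exposes per-type removal cmdlets rather than a single revoke-all call. It assumes the Microsoft.Graph module and a session opened with the UserAuthenticationMethod.ReadWrite.All scope; the user and report path in the usage lines are placeholders.

    ```powershell
    # Added example (not from the original post). Microsoft Graph has no single "revoke all
    # methods" call: each registered method is removed with the cmdlet for its type, and the
    # password method is never removable. Assumes Microsoft.Graph is installed and the session
    # was opened with Connect-MgGraph -Scopes "UserAuthenticationMethod.ReadWrite.All".
    function Reset-MgUserMfaMethods {
        [CmdletBinding(SupportsShouldProcess = $true)]
        param([Parameter(Mandatory)] [string] $UserId)   # UPN or object id

        # @odata.type of each removable method -> the cmdlet and id parameter that removes it
        $Removers = @{
            '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod'  = @{ Cmd = 'Remove-MgUserAuthenticationMicrosoftAuthenticatorMethod';  IdParam = 'MicrosoftAuthenticatorAuthenticationMethodId' }
            '#microsoft.graph.phoneAuthenticationMethod'                   = @{ Cmd = 'Remove-MgUserAuthenticationPhoneMethod';                   IdParam = 'PhoneAuthenticationMethodId' }
            '#microsoft.graph.fido2AuthenticationMethod'                   = @{ Cmd = 'Remove-MgUserAuthenticationFido2Method';                   IdParam = 'Fido2AuthenticationMethodId' }
            '#microsoft.graph.softwareOathAuthenticationMethod'            = @{ Cmd = 'Remove-MgUserAuthenticationSoftwareOathMethod';            IdParam = 'SoftwareOathAuthenticationMethodId' }
            '#microsoft.graph.emailAuthenticationMethod'                   = @{ Cmd = 'Remove-MgUserAuthenticationEmailMethod';                   IdParam = 'EmailAuthenticationMethodId' }
            '#microsoft.graph.temporaryAccessPassAuthenticationMethod'     = @{ Cmd = 'Remove-MgUserAuthenticationTemporaryAccessPassMethod';     IdParam = 'TemporaryAccessPassAuthenticationMethodId' }
            '#microsoft.graph.windowsHelloForBusinessAuthenticationMethod' = @{ Cmd = 'Remove-MgUserAuthenticationWindowsHelloForBusinessMethod'; IdParam = 'WindowsHelloForBusinessAuthenticationMethodId' }
        }

        $Removed = @()
        foreach ($Method in Get-MgUserAuthenticationMethod -UserId $UserId) {
            $Type = $Method.AdditionalProperties['@odata.type']
            if (-not $Removers.ContainsKey($Type)) { continue }   # password, or a type this script does not know: leave it alone
            $R = $Removers[$Type]
            if ($PSCmdlet.ShouldProcess("$UserId ($Type, id $($Method.Id))", 'Remove authentication method')) {
                $Splat = @{ UserId = $UserId }
                $Splat[$R.IdParam] = $Method.Id
                & $R.Cmd @Splat
                $Removed += [pscustomobject]@{ UserId = $UserId; Type = $Type; MethodId = $Method.Id; When = (Get-Date).ToString('o') }
            }
        }
        return $Removed
    }

    # Dry run first, then the real reset; keep the returned objects as the audit record of what was removed.
    # Reset-MgUserMfaMethods -UserId "user@contoso.com" -WhatIf
    # Reset-MgUserMfaMethods -UserId "user@contoso.com" | Export-Csv "C:\Reports\MfaReset.csv" -NoTypeInformation -Append
    ```

    Running with -WhatIf prints each method that would be removed without touching the account, which is the step to take before resetting a privileged user; the returned objects give you the audit trail the help desk ticket needs.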


    🚨 Emergency MFA Bypass Methods

    In cases where users are locked out and immediate access is required, temporary workarounds can help.

    1️⃣ Use a Temporary Access Pass (TAP)

    A Temporary Access Pass (TAP) allows a user to log in without MFA for a limited time.

    Enable TAP:

    1. Go to Microsoft Entra Admin Center
    2. Navigate to Users > Authentication Methods
    3. Enable Temporary Access Pass policy

    Issue a TAP for the user:

    $Tap = New-MgUserAuthenticationTemporaryAccessPassMethod -UserId "[email protected]" -LifetimeInMinutes 30 -IsUsableOnce
    $Tap.TemporaryAccessPass   # the one-time code to hand to the user out of band; it is returned only once
    

    The user can now sign in using the TAP and reset their MFA.


    2️⃣ Add a Backup Authentication Method

    If a user still has access to another sign-in method, add an additional MFA option.

    Via Admin Portal:

    1. Go to Users in Entra Admin Center
    2. Select the user > Authentication methods
    3. Click Add method and enter an alternate phone number or security key

    Via PowerShell:

    # phoneType is mobile / alternateMobile / office and Graph expects "+<country code> <number>"; the SMS sign-in state is read-only and is not set here
    New-MgUserAuthenticationPhoneMethod -UserId "[email protected]" -PhoneNumber "+1 2345678901" -PhoneType "mobile"
    

    Now, the user can verify via SMS instead.


    3️⃣ Disable MFA Temporarily

    Warning: This is a security risk and should only be used as a last resort.

    Disable MFA for a user via PowerShell

    Set-MsolUser -UserPrincipalName "[email protected]" -StrongAuthenticationRequirements @()
    

    OR disable MFA for an entire tenant (not recommended):

    Set-MsolCompanySettings -PreventPerUserMFA $true
    

    Re-enable MFA as soon as possible.


    ✅ Best Practices to Prevent MFA Lockouts

    🔹 Enable Multiple Authentication Methods – Users should register both phone and Authenticator app.
    🔹 Use Temporary Access Passes (TAP) – Helps in cases of device loss.
    🔹 Educate Users on MFA Backup Codes – Encourage users to save backup codes.
    🔹 Enable Admin Recovery Options – Allow trusted admins to reset MFA.
    🔹 Monitor MFA Logs – Use Azure Sign-In Logs to track MFA failures:

    Get-MgAuditLogSignIn -Filter "status/errorCode eq 500121"
    
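    As an added example that is not part of the original post, here is detection logic to run over the sign-in records returned by Get-MgAuditLogSignIn: it flags any user with a burst of error-500121 failures inside a short window, the pattern produced by repeated MFA prompts the user keeps rejecting. The $SampleSignIns objects are constructed to match the shape of the real records (UserPrincipalName, CreatedDateTime, IPAddress, Status.ErrorCode); reading real logs needs the AuditLog.Read.All scope.

    ```powershell
    # Added example (not from the original post): flag users with a burst of MFA failures
    # (error 500121) inside a short window. Feed it the objects returned by
    # Get-MgAuditLogSignIn; the $SampleSignIns below are constructed, not real log data.
    function Find-MfaFailureBursts {
        param(
            [Parameter(Mandatory)] [object[]] $SignIns,
            [int] $Threshold = 5,          # failures needed to raise a finding
            [int] $WindowMinutes = 10      # sliding window length
        )
        $Findings = @()
        $Failures = $SignIns | Where-Object { $_.Status.ErrorCode -eq 500121 }
        foreach ($Group in ($Failures | Group-Object UserPrincipalName)) {
            $Events = @($Group.Group | Sort-Object CreatedDateTime)
            for ($i = 0; $i -lt $Events.Count; $i++) {
                # Count failures from event i forward that fall inside the window
                $WindowEnd = $Events[$i].CreatedDateTime.AddMinutes($WindowMinutes)
                $InWindow  = @($Events[$i..($Events.Count - 1)] | Where-Object { $_.CreatedDateTime -le $WindowEnd })
                if ($InWindow.Count -ge $Threshold) {
                    $Findings += [pscustomobject]@{
                        User      = $Group.Name
                        Failures  = $InWindow.Count
                        FirstSeen = $Events[$i].CreatedDateTime
                        LastSeen  = $InWindow[-1].CreatedDateTime
                        SourceIPs = (@($InWindow.IPAddress) | Sort-Object -Unique) -join ','
                    }
                    break   # one finding per user is enough for triage
                }
            }
        }
        return $Findings
    }

    # Constructed sample in the shape of Get-MgAuditLogSignIn output (not real log data):
    # five rejected prompts for one user in four minutes, one success, and a lone failure for another user
    $Base = Get-Date "2025-01-15T08:00:00Z"
    $SampleSignIns = @(
        0, 1, 2, 3, 4 | ForEach-Object { [pscustomobject]@{ UserPrincipalName = 'alice@example.com'; CreatedDateTime = $Base.AddMinutes($_); IPAddress = '203.0.113.10'; Status = @{ ErrorCode = 500121 } } }
        [pscustomobject]@{ UserPrincipalName = 'alice@example.com'; CreatedDateTime = $Base.AddMinutes(6); IPAddress = '203.0.113.10'; Status = @{ ErrorCode = 0 } }
        [pscustomobject]@{ UserPrincipalName = 'bob@example.com';   CreatedDateTime = $Base.AddHours(1);   IPAddress = '198.51.100.7'; Status = @{ ErrorCode = 500121 } }
    )
    Find-MfaFailureBursts -SignIns $SampleSignIns | Format-Table -AutoSize

    # Against the tenant: Get-MgAuditLogSignIn -All -Filter "createdDateTime ge 2025-01-15T00:00:00Z" | Find-MfaFailureBursts -SignIns { $input }
    ```

    Tune the threshold and window to your tenant's baseline; a finding whose SourceIPs column lists an address the user never signs in from is the one to escalate, and the same record set also tells you whether Conditional Access blocked the attempts.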

    📌 Conclusion

    MFA is essential for securing accounts, but lockouts can frustrate users and disrupt productivity. By using TAP, PowerShell resets, and backup methods, admins can quickly restore access while keeping security intact.

    🚀 What’s next? Consider automating MFA resets with Microsoft Graph API or setting up self-service MFA reset policies for users.

    🔹 Have you experienced MFA lockout issues? What solutions worked best for you? Let’s discuss in the comments! 💬

  • Azure Single Sign-On (SSO): What It Is and How to Implement It

    Introduction to Azure SSO

    Azure Single Sign-On (SSO) is an identity authentication mechanism that allows users to log in once and gain access to multiple applications without needing to re-enter credentials. It integrates with Azure Active Directory (Azure AD) and supports modern authentication protocols like SAML, OpenID Connect (OIDC), and OAuth 2.0.

    Organizations use Azure SSO to improve security, user experience, and IT efficiency while reducing password fatigue and helpdesk requests for password resets.


    🔹 Why Use Azure SSO?

    Improves Security – Reduces password-based attacks by enforcing authentication policies.
    Enhances User Experience – Eliminates the need for multiple logins across cloud apps.
    Reduces IT Workload – Minimizes helpdesk tickets for password resets.
    Centralized Access Control – Manages authentication and access policies in one place.
    Supports Hybrid Environments – Works with cloud and on-premises apps.


    🔹 How Azure SSO Works

    Azure SSO uses Azure AD as the identity provider (IdP) to authenticate users. The authentication flow varies based on the authentication protocol used:

    1️⃣ SAML-based SSO – Azure AD issues a signed SAML assertion that the application validates to authenticate the user.
    2️⃣ OAuth 2.0 / OpenID Connect (OIDC) – The user is authenticated with an ID token and the application is authorized with an access token.
    3️⃣ Password-based SSO – Azure AD stores credentials and auto-fills login fields for legacy apps.
    4️⃣ Linked SSO – Redirects users to a third-party identity provider for authentication.


    🔹 Implementing Azure SSO Using PowerShell

    Step 1: Prerequisites

    Before configuring SSO, ensure:
    ✅ You have Global Admin or Application Administrator role in Azure AD.
    ✅ The application supports SAML, OAuth, or OIDC.
    ✅ Azure AD Premium P1/P2 is available for Conditional Access policies (optional).
    ✅ You have PowerShell with AzureAD Module installed.

    To install the AzureAD module, run:

    Install-Module AzureAD -Force -AllowClobber
    

    Connect to Azure AD:

    Connect-AzureAD
    

    Step 2: Register an Application in Azure AD

    To enable SSO, register the app in Azure AD.

    Using PowerShell

    1️⃣ Create the App Registration:

    $AppName = "MyAzureSSOApp"
    $App = New-AzureADApplication -DisplayName $AppName
    $AppId = $App.AppId
    

    2️⃣ Create a Service Principal for the App:

    New-AzureADServicePrincipal -AppId $AppId
    

    3️⃣ Assign Required Permissions (Example: Graph API)

    $Permission = "User.Read.All"
    $AppRole = Get-AzureADServicePrincipal -Filter "AppId eq '$AppId'"
    # The role id must come from the resource's AppRoles list, and the resource is Microsoft Graph (well-known AppId below), not the app itself
    $GraphSP = Get-AzureADServicePrincipal -Filter "AppId eq '00000003-0000-0000-c000-000000000000'"
    $Role = $GraphSP.AppRoles | Where-Object { $_.Value -eq $Permission -and $_.AllowedMemberTypes -contains "Application" }
    New-AzureADServiceAppRoleAssignment -ObjectId $AppRole.ObjectId -PrincipalId $AppRole.ObjectId -ResourceId $GraphSP.ObjectId -Id $Role.Id
    

    Step 3: Configure SSO for a SAML-based App

    1️⃣ Enable SAML SSO

    • Go to Azure AD > Enterprise Applications > Select App > Single sign-on
    • Choose SAML
    • Set Identifier (Entity ID) and Reply URL (Assertion Consumer Service URL) provided by the app.
    • Download Azure AD Federation Metadata XML and provide it to the app vendor.

    2️⃣ Configure User Attributes & Claims

    Set-AzureADServicePrincipal -ObjectId $AppRole.ObjectId -Saml2TokenIssuerName "https://login.microsoftonline.com/{tenant_id}/v2.0"
    

    3️⃣ Assign Users or Groups to the App

    $User = Get-AzureADUser -ObjectId "[email protected]"
    # PrincipalId is the user being assigned; Id is the app role, or the empty GUID for an app that defines no roles (default access)
    Add-AzureADUserAppRoleAssignment -ObjectId $User.ObjectId -PrincipalId $User.ObjectId -ResourceId $AppRole.ObjectId -Id ([Guid]::Empty)
    

    🔹 Best Practices for Azure SSO

    Use Conditional Access Policies – Require MFA for risky sign-ins.
    Enforce Role-Based Access Control (RBAC) – Assign least privilege access.
    Use Azure AD Identity Protection – Detect and mitigate suspicious activities.
    Regularly Review Application Permissions – Ensure only necessary apps have access.
    Enable SSO Logging and Monitoring – Track authentication attempts in Azure AD Sign-in Logs.


    🔹 Testing & Troubleshooting SSO

    After setup, test SSO via MyApps (https://myapps.microsoft.com) or direct application login.

    Common Fixes:

    🔹 Incorrect Reply URL? Ensure the correct Assertion Consumer Service (ACS) URL is set.
    🔹 User Not Assigned? Assign users or groups to the application.
    🔹 Invalid SAML Assertion? Check SAML response in Azure AD Sign-in Logs.
    🔹 SSO Failing for On-Prem Apps? Ensure Azure AD Connect is properly configured.


    🔹 Conclusion

    Azure SSO simplifies authentication, enhances security, and streamlines user access to applications. With Azure AD and PowerShell, you can automate SSO setup, manage user permissions, and enforce security best practices.

    🚀 Next Steps:
    Test your SSO setup and monitor sign-in logs.
    Apply Conditional Access policies for better security.
    Integrate more apps to provide a seamless user experience.

  • Identifying Enabled Accounts in Azure Active Directory

    For Azure AD, use Microsoft Graph PowerShell.

    Step 1: Install & Connect to Azure AD

    Install-Module -Name Microsoft.Graph -Scope CurrentUser -Force
    Connect-MgGraph -Scopes "User.Read.All"
    

    Step 2: Retrieve Enabled Users from Azure AD

    # -All follows paging; without it Graph returns only the first 100 users
    $AzureEnabledUsers = Get-MgUser -All -Filter "accountEnabled eq true" -Property DisplayName, UserPrincipalName, Mail, Id | 
        Select-Object DisplayName, UserPrincipalName, Mail, Id 
    
    $AzureEnabledUsers | Format-Table -AutoSize
    

    Filters only enabled accounts
    Displays key details (Display Name, UPN, Email, Object ID)


    🔹 Step 3: Export Azure AD Enabled Users to CSV

    $AzureEnabledUsers | Export-Csv -Path "C:\Reports\AzureEnabledUsers.csv" -NoTypeInformation -Encoding UTF8
    

    📌 Use this report for license management, compliance checks, and security audits.


    🔹 Automating the Process (Scheduled Task)

    To automate this script daily or weekly, set up a PowerShell scheduled task:

    1️⃣ Save the script as EnabledUsersReport.ps1
    2️⃣ Open Task Scheduler → Create Basic Task
    3️⃣ Set Trigger (Daily, Weekly, etc.)
    4️⃣ Set Action → Start a Program → powershell.exe -File C:\Scripts\EnabledUsersReport.ps1
    5️⃣ Save & Run

    ✅ Now, you will get automated reports without manual effort! 🚀


    🔹 Summary

    Enabled accounts must be regularly audited to maintain security & compliance.
    PowerShell simplifies the process of retrieving and exporting enabled accounts.
    On-Prem AD & Azure AD scripts ensure comprehensive user monitoring.
    Automating via scheduled tasks ensures continuous and hands-free monitoring.

    By implementing this automation, IT administrators can proactively identify security risks, optimize licensing, and ensure compliance.

    Automating the Disabling of Inactive Accounts in Active Directory & Azure AD Using PowerShell

    Introduction

    Inactive user accounts pose a serious security risk to any IT environment. Accounts that remain enabled but unused can be exploited by attackers, leading to potential data breaches, unauthorized access, and compliance violations.

    By automating the identification and disabling of inactive accounts in Active Directory (AD) and Azure AD, organizations can enhance security and reduce attack surfaces.

    This blog provides step-by-step PowerShell scripts to:
    ✅ Identify inactive accounts
    ✅ Disable inactive users automatically
    ✅ Export the results for auditing
    ✅ Schedule the task for continuous security


    🔹 Why Disable Inactive Accounts?

    📌 Security – Reduce the risk of unauthorized access.
    📌 Compliance – Align with industry regulations (ISO 27001, NIST, GDPR, HIPAA).
    📌 License Optimization – Free up unused Microsoft 365 & Azure AD licenses.
    📌 Operational Efficiency – Keep Active Directory clean and organized.

    Let’s automate this process using PowerShell. 🚀


    🔹 Identifying & Disabling Inactive Accounts in On-Prem Active Directory

    In Active Directory, a user is considered inactive if they haven’t logged in for a specific period (e.g., 90 days).

    Step 1: Install & Import the Active Directory Module

    Ensure the AD module is installed before running the script:

    Install-WindowsFeature -Name RSAT-AD-PowerShell
    Import-Module ActiveDirectory
    

    Step 2: Find Inactive Users (No Login for 90 Days)

    $Cutoff = (Get-Date).AddDays(-90)
    # LastLogonDate is the replicated lastLogonTimestamp (up to about 14 days stale); DisplayName is not a default property;
    # whenCreated keeps new accounts that have never signed in from being treated as inactive
    $InactiveUsers = Get-ADUser -Filter {Enabled -eq $true} -Properties DisplayName, LastLogonDate, whenCreated | 
        Where-Object { $_.whenCreated -lt $Cutoff -and ($null -eq $_.LastLogonDate -or $_.LastLogonDate -lt $Cutoff) } | 
        Select-Object DisplayName, SamAccountName, LastLogonDate, Enabled
    
    $InactiveUsers | Format-Table -AutoSize
    

    Retrieves all enabled users
    Filters users who haven’t logged in for 90+ days
    Displays Name, Username, Last Login Date


    🔹 Step 3: Disable Inactive Users

    $InactiveUsers | ForEach-Object {
        Disable-ADAccount -Identity $_.SamAccountName -Confirm:$false   # the cmdlet is Disable-ADAccount; there is no Disable-ADUser
    }
    Write-Host "Inactive accounts disabled successfully!" -ForegroundColor Green
    

    📌 The accounts remain in AD but are disabled 🛑


    🔹 Step 4: Export Disabled Users for Auditing

    $InactiveUsers | Export-Csv -Path "C:\Reports\DisabledUsers.csv" -NoTypeInformation -Encoding UTF8
    

    📌 Keeps a record of disabled accounts for auditing & rollback if needed


    🔹 Identifying & Disabling Inactive Users in Azure AD

    For Azure AD, user inactivity is determined based on the LastSignInDateTime attribute.

    Step 1: Install & Connect to Azure AD

    Install-Module -Name Microsoft.Graph -Scope CurrentUser -Force
    # signInActivity is only returned when the session also holds AuditLog.Read.All
    Connect-MgGraph -Scopes "User.ReadWrite.All", "AuditLog.Read.All"
    

    Step 2: Find Inactive Azure AD Users (90 Days of Inactivity)

    $Cutoff = (Get-Date).ToUniversalTime().AddDays(-90)
    # Users who never signed in have no LastSignInDateTime, so gate on CreatedDateTime as well; a nested property needs a calculated Select-Object property
    $AzureInactiveUsers = Get-MgUser -All -Filter "accountEnabled eq true" -Property DisplayName,UserPrincipalName,CreatedDateTime,SignInActivity | 
        Where-Object { $_.CreatedDateTime -lt $Cutoff -and ($null -eq $_.SignInActivity.LastSignInDateTime -or $_.SignInActivity.LastSignInDateTime -lt $Cutoff) } | 
        Select-Object DisplayName, UserPrincipalName, @{ Name = 'LastSignInDateTime'; Expression = { $_.SignInActivity.LastSignInDateTime } }
    
    $AzureInactiveUsers | Format-Table -AutoSize
    

    Retrieves all enabled users
    Filters users who haven’t signed in for 90+ days
    Displays Name, UPN, Last Sign-In Date


    🔹 Step 3: Disable Inactive Azure AD Users

    $AzureInactiveUsers | ForEach-Object {
        Update-MgUser -UserId $_.UserPrincipalName -AccountEnabled:$false
    }
    Write-Host "Inactive Azure AD accounts disabled successfully!" -ForegroundColor Green
    

    📌 Azure AD users are now disabled 🛑


    🔹 Step 4: Export Disabled Azure AD Users for Auditing

    $AzureInactiveUsers | Export-Csv -Path "C:\Reports\DisabledAzureUsers.csv" -NoTypeInformation -Encoding UTF8
    

    📌 Retains a record for compliance and rollback purposes
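    As an added example (not the post's own script), the Azure AD steps above folded into one function with the safeguards an automated disable job needs: a -WhatIf dry run, an exclusion list for break-glass and service accounts, a minimum account age, and an appended audit CSV. It assumes a Connect-MgGraph session holding User.ReadWrite.All, AuditLog.Read.All and GroupMember.Read.All; the exclusion group, UPN and paths are placeholders.

    ```powershell
    # Added example (not from the original post): the Azure AD disable step as a function with a
    # dry-run mode, an exclusion list for break-glass and service accounts, and an audit CSV.
    # Assumes Connect-MgGraph with User.ReadWrite.All, AuditLog.Read.All and GroupMember.Read.All.
    function Disable-InactiveMgUsers {
        [CmdletBinding(SupportsShouldProcess = $true)]
        param(
            [int]      $InactiveDays = 90,
            [string[]] $ExcludeUpn = @(),                          # break-glass accounts: never touched
            [string]   $ExcludeGroupId,                            # members of this group (service/shared accounts) are skipped
            [string]   $AuditCsv = "C:\Reports\DisabledAzureUsers.csv"
        )
        $Cutoff = (Get-Date).ToUniversalTime().AddDays(-$InactiveDays)

        # Build the exclusion set from the explicit list plus the members of the exclusion group
        $Excluded = [System.Collections.Generic.HashSet[string]]::new([StringComparer]::OrdinalIgnoreCase)
        $ExcludeUpn | ForEach-Object { [void]$Excluded.Add($_) }
        if ($ExcludeGroupId) {
            Get-MgGroupMember -GroupId $ExcludeGroupId -All | ForEach-Object {
                $Upn = $_.AdditionalProperties['userPrincipalName']
                if ($Upn) { [void]$Excluded.Add($Upn) }
            }
        }

        $Users = Get-MgUser -All -Filter "accountEnabled eq true" -Property Id,DisplayName,UserPrincipalName,CreatedDateTime,SignInActivity
        $Actions = foreach ($U in $Users) {
            if ($Excluded.Contains($U.UserPrincipalName)) { continue }
            if ($U.CreatedDateTime -ge $Cutoff) { continue }                  # too new to judge
            $Last = $U.SignInActivity.LastSignInDateTime
            if ($Last -and $Last -ge $Cutoff) { continue }                    # active within the window
            $Reason = if ($Last) { "last sign-in $Last" } else { "no recorded sign-in" }
            if ($PSCmdlet.ShouldProcess($U.UserPrincipalName, "Disable ($Reason)")) {
                Update-MgUser -UserId $U.Id -AccountEnabled:$false
                [pscustomobject]@{ When = (Get-Date).ToString('o'); UserPrincipalName = $U.UserPrincipalName; DisplayName = $U.DisplayName; LastSignIn = $Last; Reason = $Reason }
            }
        }
        if ($Actions) { $Actions | Export-Csv -Path $AuditCsv -NoTypeInformation -Encoding UTF8 -Append }
        return $Actions
    }

    # Always review the -WhatIf output before letting the job write:
    # Disable-InactiveMgUsers -ExcludeUpn 'breakglass@contoso.com' -ExcludeGroupId '<service-accounts group id>' -WhatIf
    ```

    The CreatedDateTime gate matters as much as the exclusion list: a freshly provisioned account has no sign-in activity at all and would otherwise be disabled on the first run. Appending to the audit CSV rather than overwriting it keeps the history that the re-enablement post relies on.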


    🔹 Automating the Process (Scheduled Task)

    To automate the process, create a PowerShell script and schedule it to run periodically.

    1️⃣ Save the script as DisableInactiveUsers.ps1
    2️⃣ Open Task Scheduler → Create Basic Task
    3️⃣ Set Trigger (e.g., Weekly, Monthly)
    4️⃣ Set Action → Start a Program → powershell.exe -File C:\Scripts\DisableInactiveUsers.ps1
    5️⃣ Save & Run

    📌 Now, the script will run automatically, disabling inactive users on schedule.


    🔹 Summary

    Inactive accounts are a security risk—automate their disabling.
    PowerShell simplifies managing on-prem AD & Azure AD users.
    Exporting logs ensures compliance and rollback safety.
    Automating with Task Scheduler keeps environments secure without manual work.

    By implementing this automated approach, IT teams can enhance security, ensure compliance, and reduce risk, all with PowerShell! 🚀

    Re-Enabling Disabled Users in Azure AD

    For Azure AD, we need to use Microsoft Graph PowerShell.

    Step 1: Install & Connect to Azure AD

    Install-Module -Name Microsoft.Graph -Scope CurrentUser -Force
    Connect-MgGraph -Scopes "User.ReadWrite.All"
    

    Step 2: Find Disabled Users in Azure AD

    $DisabledAzureUsers = Get-MgUser -All -Filter "accountEnabled eq false" -Property DisplayName, UserPrincipalName | 
        Select-Object DisplayName, UserPrincipalName
    
    $DisabledAzureUsers | Format-Table -AutoSize
    

    Lists all disabled users in Azure AD


    🔹 Step 3: Re-Enable Disabled Azure AD Users

    $DisabledAzureUsers | ForEach-Object {
        Update-MgUser -UserId $_.UserPrincipalName -AccountEnabled:$true
    }
    Write-Host "All disabled Azure AD users have been re-enabled!" -ForegroundColor Green
    

    📌 Azure AD users are now restored and can log in again 🔄


    🔹 Step 4: Export Re-Enabled Azure AD Users for Auditing

    $DisabledAzureUsers | Export-Csv -Path "C:\Reports\ReEnabledAzureUsers.csv" -NoTypeInformation -Encoding UTF8
    

    📌 Keeps an audit log of re-enabled accounts
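    The script above re-enables every disabled account in the tenant, which also restores offboarded staff and accounts disabled by a security investigation. As an added example (not the post's own code), here is a scoped version: it re-enables only accounts that appear in the audit CSV written by the inactive-account job, optionally narrowed to approved UPNs, and records a ticket reference. It assumes a Connect-MgGraph session with User.ReadWrite.All; the ticket parameter and the usage values are placeholders, and the paths are the ones used in these posts.

    ```powershell
    # Added example (not from the original post): re-enable only the accounts that the disable job
    # itself exported, never "every disabled user". Reads the CSV from the inactive-account post.
    # Assumes Connect-MgGraph with User.ReadWrite.All; -Ticket is only recorded in the audit trail.
    function Restore-DisabledMgUsers {
        [CmdletBinding(SupportsShouldProcess = $true)]
        param(
            [string]   $SourceCsv = "C:\Reports\DisabledAzureUsers.csv",
            [string[]] $Only = @(),                                   # restrict to these UPNs (approved requests)
            [string]   $Ticket = "",                                  # change/ticket reference for the audit log
            [string]   $AuditCsv = "C:\Reports\ReEnabledAzureUsers.csv"
        )
        if (-not (Test-Path $SourceCsv)) { throw "No disable audit file at $SourceCsv; refusing to guess which accounts to restore." }
        $Candidates = @(Import-Csv $SourceCsv | Select-Object -ExpandProperty UserPrincipalName -Unique)
        if ($Only.Count -gt 0) { $Candidates = @($Candidates | Where-Object { $Only -contains $_ }) }

        $Restored = foreach ($Upn in $Candidates) {
            $U = Get-MgUser -UserId $Upn -Property Id,DisplayName,UserPrincipalName,AccountEnabled -ErrorAction SilentlyContinue
            if (-not $U) { Write-Warning "$Upn no longer exists; skipping"; continue }
            if ($U.AccountEnabled) { continue }                          # already enabled, nothing to do
            if ($PSCmdlet.ShouldProcess($Upn, "Re-enable (ticket '$Ticket')")) {
                Update-MgUser -UserId $U.Id -AccountEnabled:$true
                [pscustomobject]@{ When = (Get-Date).ToString('o'); UserPrincipalName = $Upn; DisplayName = $U.DisplayName; Ticket = $Ticket }
            }
        }
        if ($Restored) { $Restored | Export-Csv -Path $AuditCsv -NoTypeInformation -Encoding UTF8 -Append }
        return $Restored
    }

    # Restore-DisabledMgUsers -Only 'jdoe@contoso.com' -Ticket 'INC-0001' -WhatIf
    ```

    Throwing when the source CSV is missing is deliberate: without the record of what the automation disabled, the safe default is to do nothing rather than to re-enable the whole disabled population.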


    🔹 Automating the Re-Enablement Process (Scheduled Task)

    To automate the process, create a PowerShell script and schedule it to run periodically.

    1️⃣ Save the script as ReEnableUsers.ps1
    2️⃣ Open Task Scheduler → Create Basic Task
    3️⃣ Set Trigger (e.g., Weekly, Monthly)
    4️⃣ Set Action → Start a Program → powershell.exe -File C:\Scripts\ReEnableUsers.ps1
    5️⃣ Save & Run

    📌 Now, the script will run automatically, checking for and re-enabling disabled users.


    🔹 Summary

    Automating re-enablement helps streamline IT operations.
    PowerShell makes it easy to manage AD & Azure AD accounts.
    Exporting logs ensures accountability for security compliance.
    Task Scheduler keeps everything automated.

    By implementing this automated approach, IT teams can quickly restore access when needed, without manual work. 🚀

    Automating User Notifications for Account Disablement & Re-Enablement Using PowerShell

    🔹 Introduction

    Managing user accounts effectively requires clear communication between IT and employees. When a user’s account is disabled or re-enabled, notifying them (or their manager) reduces confusion and improves security compliance.

    This blog provides PowerShell scripts to:
    Automatically notify users when their account is disabled
    Send alerts when accounts are re-enabled
    Email managers about account status changes
    Export logs for auditing


    🔹 Why Automate Account Status Notifications?

    📌 Security Awareness – Notifies users when access is revoked or restored.
    📌 Compliance – Ensures logs are maintained for security audits.
    📌 Operational Efficiency – Eliminates manual notifications from IT.
    📌 User Experience – Keeps employees informed about their account status.


    🔹 Prerequisites

    🔹 SMTP Server or Microsoft 365 Exchange Online (for sending emails)
    🔹 PowerShell module installed for Active Directory and Microsoft Graph

    🔹 Step 1: Configure Email Settings

    Define email settings for notifications:

    $SMTPServer = "smtp.office365.com"
    $SMTPPort = 587
    $FromEmail = "[email protected]"
    $Credential = Get-Credential  # Enter email credentials for authentication
    

    🔹 Notifying Users When Their Account is Disabled

    Step 2: Identify Recently Disabled Users

    $Since = (Get-Date).AddDays(-1)   # only accounts modified since the last run; whenChanged covers any change, so pair this with the disable job's export for exact scoping
    $DisabledUsers = Get-ADUser -Filter {Enabled -eq $false -and whenChanged -ge $Since} -Properties DisplayName, EmailAddress, Manager | 
        Select-Object DisplayName, EmailAddress, Manager
    

    Finds all recently disabled users


    Step 3: Send Email Notifications

    foreach ($User in $DisabledUsers) {
        if (-not $User.EmailAddress) { continue }   # no address on the object; Send-MailMessage fails on an empty -To
        $Subject = "Your Account Has Been Disabled"
        $Body = @"
    Hello $($User.DisplayName),
    
    Your account has been disabled due to security policies or organizational requirements. 
    If you need further assistance, please contact IT Support.
    
    Best regards,  
    IT Support Team
    "@
    
        Send-MailMessage -To $User.EmailAddress -From $FromEmail -Subject $Subject -Body $Body -SmtpServer $SMTPServer -Port $SMTPPort -UseSsl -Credential $Credential
    }
    

    📌 Notifies users that their access has been disabled.


    Step 4: Notify Their Manager (Optional)

    If users have managers assigned in Active Directory, notify them too:

    foreach ($User in $DisabledUsers) {
        if (-not $User.Manager) { continue }   # no manager set; Get-ADUser -Identity $null would throw
        $Manager = Get-ADUser -Identity $User.Manager -Properties EmailAddress
        if ($Manager.EmailAddress) {
            $ManagerSubject = "Account Disabled Notification - $($User.DisplayName)"
            $ManagerBody = @"
    Hello,
    
    The account for $($User.DisplayName) has been disabled. 
    Please reach out to IT if further actions are required.
    
    Best regards,  
    IT Support Team
    "@
            Send-MailMessage -To $Manager.EmailAddress -From $FromEmail -Subject $ManagerSubject -Body $ManagerBody -SmtpServer $SMTPServer -Port $SMTPPort -UseSsl -Credential $Credential
        }
    }
    

    📌 Managers are informed about user account deactivation.


    🔹 Notifying Users When Their Account is Re-Enabled

    Step 5: Identify Recently Re-Enabled Users

    $Since = (Get-Date).AddDays(-1)   # scope to accounts modified since the last run; a bare Enabled -eq $true would mail every user in the directory
    $ReEnabledUsers = Get-ADUser -Filter {Enabled -eq $true -and whenChanged -ge $Since} -Properties DisplayName, EmailAddress | 
        Select-Object DisplayName, EmailAddress
    

    Finds all users who were just re-enabled


    Step 6: Send Account Re-Enablement Notifications

    foreach ($User in $ReEnabledUsers) {
        if (-not $User.EmailAddress) { continue }   # skip objects without a mail address
        $Subject = "Your Account Has Been Re-Enabled"
        $Body = @"
    Hello $($User.DisplayName),
    
    Your account has been re-enabled, and you can now log in as usual.  
    If you experience any issues, please contact IT Support.
    
    Best regards,  
    IT Support Team
    "@
    
        Send-MailMessage -To $User.EmailAddress -From $FromEmail -Subject $Subject -Body $Body -SmtpServer $SMTPServer -Port $SMTPPort -UseSsl -Credential $Credential
    }
    

    📌 Notifies users that their access has been restored.


    🔹 Automating Notifications for Azure AD Users

    If managing Azure AD, use Microsoft Graph PowerShell.

    Step 7: Install & Connect to Azure AD

    Install-Module -Name Microsoft.Graph -Scope CurrentUser -Force
    Connect-MgGraph -Scopes "User.ReadWrite.All", "Mail.Send"
    

    Step 8: Identify Disabled Users in Azure AD

    $DisabledAzureUsers = Get-MgUser -All -Filter "accountEnabled eq false" -Property DisplayName, Mail | 
        Select-Object DisplayName, Mail
    

    Step 9: Send Notification to Disabled Azure AD Users

    foreach ($User in $DisabledAzureUsers) {
        if (-not $User.Mail) { continue }   # no mailbox address, nothing to send
        $Subject = "Your Account Has Been Disabled"
        $Body = "Hello $($User.DisplayName),`n`nYour account has been disabled. Contact IT for assistance."
        
        # Send-MgUserMail sends *as* the account in -UserId: with the delegated Mail.Send scope that is the signed-in
        # admin mailbox, and the disabled user goes in ToRecipients rather than in -UserId
        Send-MgUserMail -UserId (Get-MgContext).Account -Message @{
            Subject      = $Subject
            Body         = @{ Content = $Body; ContentType = "Text" }
            ToRecipients = @(@{ EmailAddress = @{ Address = $User.Mail } })
        } -SaveToSentItems:$false
    }
    

    📌 Azure AD users will receive an email alerting them about their account status.
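    Every script in this post mails whoever is currently disabled (or enabled) on each run, so a daily task re-sends the same message every day. As an added example that is not part of the original post, here is the notification logic made idempotent: it keeps the last known enabled state per account in a JSON file and sends mail only on a transition, and it takes the transport as a script block so the same function can be wired to Send-MailMessage for on-prem AD or Send-MgUserMail for Azure AD. The state path, the in-memory transport and the two sample accounts are constructed for the demonstration.

    ```powershell
    # Added example (not from the original post): notify only on a *change* of account state.
    # Last known state per account is kept in a JSON file, which makes repeated runs idempotent.
    # $SendMail is invoked as: & $SendMail -To <address> -Subject <text> -Body <text>
    function Send-AccountStateChangeNotifications {
        param(
            [Parameter(Mandatory)] [object[]]    $Accounts,      # objects with UserPrincipalName, DisplayName, Mail, Enabled
            [Parameter(Mandatory)] [scriptblock] $SendMail,      # transport: Send-MailMessage, Send-MgUserMail, or a test double
            [string] $StatePath = "C:\Reports\AccountState.json"
        )
        $Previous = @{}
        if (Test-Path $StatePath) {
            (Get-Content $StatePath -Raw | ConvertFrom-Json).PSObject.Properties | ForEach-Object { $Previous[$_.Name] = [bool]$_.Value }
        }
        $Current = @{}
        $Sent = @()
        foreach ($A in $Accounts) {
            $Current[$A.UserPrincipalName] = [bool]$A.Enabled
            # An account seen for the first time is recorded silently; only real transitions trigger mail
            if (-not $Previous.ContainsKey($A.UserPrincipalName)) { continue }
            if ($Previous[$A.UserPrincipalName] -eq [bool]$A.Enabled) { continue }
            if (-not $A.Mail) { Write-Warning "$($A.UserPrincipalName) changed state but has no mail address"; continue }
            $Change  = if ($A.Enabled) { 're-enabled' } else { 'disabled' }
            $Subject = "Your account has been $Change"
            $Body    = "Hello $($A.DisplayName),`n`nYour account has been $Change. Contact IT Support with any questions."
            & $SendMail -To $A.Mail -Subject $Subject -Body $Body
            $Sent += [pscustomobject]@{ When = (Get-Date).ToString('o'); UserPrincipalName = $A.UserPrincipalName; NowEnabled = [bool]$A.Enabled }
        }
        $Current | ConvertTo-Json | Set-Content -Path $StatePath -Encoding UTF8
        return $Sent
    }

    # Constructed demo: an in-memory transport and a temporary state file. In production pass e.g.
    # { param($To, $Subject, $Body) Send-MailMessage -To $To -From $FromEmail -Subject $Subject -Body $Body -SmtpServer $SMTPServer -Port $SMTPPort -UseSsl -Credential $Credential }
    $Outbox = [System.Collections.ArrayList]::new()
    $Record = { param($To, $Subject, $Body) [void]$Outbox.Add([pscustomobject]@{ To = $To; Subject = $Subject }) }
    $State  = Join-Path $env:TEMP 'AccountState-demo.json'
    if (Test-Path $State) { Remove-Item $State }

    $Run1 = @(
        [pscustomobject]@{ UserPrincipalName = 'alice@example.com'; DisplayName = 'Alice'; Mail = 'alice@example.com'; Enabled = $true }
        [pscustomobject]@{ UserPrincipalName = 'bob@example.com';   DisplayName = 'Bob';   Mail = 'bob@example.com';   Enabled = $true }
    )
    Send-AccountStateChangeNotifications -Accounts $Run1 -SendMail $Record -StatePath $State | Out-Null   # baseline run, no mail

    # Second run: Bob has been disabled since the baseline, so only Bob is notified
    $Run2 = $Run1 | ForEach-Object { if ($_.UserPrincipalName -eq 'bob@example.com') { $_.Enabled = $false }; $_ }
    Send-AccountStateChangeNotifications -Accounts $Run2 -SendMail $Record -StatePath $State | Format-Table -AutoSize
    $Outbox | Format-Table -AutoSize
    ```

    Feed the function the AD or Azure AD user list on every run, not only the disabled subset; seeing both states is what lets it detect re-enablement as well as disablement from the same state file.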


    🔹 Automating the Process with Task Scheduler

    To automate the notifications:

    1️⃣ Save the script as AccountNotifications.ps1
    2️⃣ Open Task Scheduler → Create Basic Task
    3️⃣ Set Trigger (e.g., Daily at 8 AM)
    4️⃣ Set Action → Start a Program → powershell.exe -File C:\Scripts\AccountNotifications.ps1
    5️⃣ Save & Run

    📌 Now, account status changes will trigger email notifications automatically.


    🔹 Summary

    Users receive notifications when their account is disabled/re-enabled.
    Managers get alerts about changes to their team’s access.
    Automation ensures no manual emails are needed.
    Works for both Active Directory & Azure AD.
    Logs can be exported for security compliance.

    By implementing this automated notification system, IT teams can streamline account management, improve communication, and enhance security awareness. 🚀

    Enforcing MFA Before Re-Enabling User Accounts – PowerShell Automation

    🔹 Introduction

    Multi-Factor Authentication (MFA) is a crucial security layer that helps prevent unauthorized access, especially after a user account is disabled and later re-enabled. Before restoring access, it’s best practice to enforce MFA enrollment to enhance security and prevent potential account compromise.

    This blog provides a PowerShell script to:
    Automatically check MFA status before re-enabling accounts
    Require MFA enrollment before re-enabling
    Send notifications to users and IT teams


    🔹 Why Enforce MFA Before Re-Enabling Accounts?

    📌 Security Enhancement – Prevents unauthorized access after re-enablement.
    📌 Compliance Requirements – Many security frameworks require MFA enforcement.
    📌 Risk Mitigation – Reduces the risk of compromised credentials being reused.
    📌 Automation Efficiency – Ensures a seamless security-first workflow.


    🔹 Prerequisites

    🔹 Azure AD and MSOnline modules installed (Install-Module AzureAD; Install-Module MSOnline) – the MFA checks below use Get-MsolUser / Set-MsolUser
    🔹 PowerShell with Admin Rights
    🔹 Global Administrator or Privileged Authentication Admin Role


    🔹 Step 1: Connect to Microsoft Entra ID (Azure AD)

    Install-Module -Name AzureAD -Force
    Install-Module -Name MSOnline -Force   # Get-MsolUser / Set-MsolUser in the later steps come from this module
    Import-Module AzureAD
    Connect-AzureAD
    Connect-MsolService   # separate sign-in for the MSOnline cmdlets
    

    📌 This will prompt for admin credentials to authenticate.


    🔹 Step 2: Identify Recently Disabled Users

    $DisabledUsers = Get-AzureADUser -All $true | Where-Object { $_.AccountEnabled -eq $false } |
        Select-Object DisplayName, UserPrincipalName, ObjectId
    

    📌 Finds all disabled user accounts.


    🔹 Step 3: Check MFA Enrollment Status

    foreach ($User in $DisabledUsers) {
        $MFAStatus = Get-MsolUser -UserPrincipalName $User.UserPrincipalName | Select-Object -ExpandProperty StrongAuthenticationMethods
        if ($null -eq $MFAStatus) {
            Write-Host "MFA not enabled for $($User.DisplayName). Enforcing MFA before re-enabling..." -ForegroundColor Yellow
            # Proceed to enforce MFA
        } else {
            Write-Host "MFA already enabled for $($User.DisplayName). Ready to re-enable." -ForegroundColor Green
        }
    }
    

    📌 This script checks if MFA is enabled before proceeding.


    🔹 Step 4: Enforce MFA Enrollment for Users Without MFA

    $MailCred = Get-Credential   # prompt once, outside the loop
    foreach ($User in $DisabledUsers) {
        $MFAStatus = Get-MsolUser -UserPrincipalName $User.UserPrincipalName | Select-Object -ExpandProperty StrongAuthenticationMethods
        if ($null -eq $MFAStatus) {
            Write-Host "Forcing MFA registration for $($User.DisplayName)..."
            # StrongAuthenticationRequirements takes StrongAuthenticationRequirement objects, not hashtables
            $Req = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
            $Req.RelyingParty = "*"
            $Req.State = "Enabled"
            Set-MsolUser -UserPrincipalName $User.UserPrincipalName -StrongAuthenticationRequirements @($Req)
            
            # Send notification email to user
            $Subject = "MFA Enrollment Required Before Account Re-Enablement"
            $Body = "Hello $($User.DisplayName),`n`nYour account is being re-enabled, but MFA is required before accessing your account. Please complete MFA enrollment immediately."
            Send-MailMessage -To $User.UserPrincipalName -From "[email protected]" -Subject $Subject -Body $Body -SmtpServer "smtp.office365.com" -Port 587 -UseSsl -Credential $MailCred
            
            Write-Host "MFA enforced and email notification sent to $($User.DisplayName)." -ForegroundColor Cyan
        }
    }
    

    📌 This forces MFA enrollment and notifies the user via email.


    🔹 Step 5: Re-Enable the User Account

    $MailCred = Get-Credential   # prompt once, outside the loop
    foreach ($User in $DisabledUsers) {
        $MFAStatus = Get-MsolUser -UserPrincipalName $User.UserPrincipalName | Select-Object -ExpandProperty StrongAuthenticationMethods
        if ($null -ne $MFAStatus) {
            Write-Host "Re-enabling account for $($User.DisplayName)..." -ForegroundColor Green
            Set-AzureADUser -ObjectId $User.ObjectId -AccountEnabled $true
    
            # Notify the user
            $Subject = "Your Account Has Been Re-Enabled"
            $Body = "Hello $($User.DisplayName),`n`nYour account has been successfully re-enabled. You may now log in using MFA."
            Send-MailMessage -To $User.UserPrincipalName -From "[email protected]" -Subject $Subject -Body $Body -SmtpServer "smtp.office365.com" -Port 587 -UseSsl -Credential $MailCred
    
            Write-Host "Account re-enabled and email sent to $($User.DisplayName)." -ForegroundColor Cyan
        }
    }
    

    📌 Only users who have completed MFA enrollment will be re-enabled.
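    As an added example that is not the post's own script, the same MFA gate from steps 3 to 5 on Microsoft Graph instead of the retired MSOnline module. An account counts as MFA-registered when it has at least one method other than the password (and other than the e-mail method, which serves only self-service password reset); only such accounts are re-enabled, and each decision is returned as an audit record. It assumes a Connect-MgGraph session with User.ReadWrite.All and UserAuthenticationMethod.Read.All.

    ```powershell
    # Added example (not from the original post): the MFA-before-re-enable gate on Microsoft Graph.
    # Assumes Connect-MgGraph -Scopes "User.ReadWrite.All", "UserAuthenticationMethod.Read.All".
    function Get-MgUserMfaRegistration {
        param([Parameter(Mandatory)] [string] $UserId)
        # Password is always present and is not a second factor; the e-mail method is SSPR-only
        $NotMfa = @('passwordAuthenticationMethod', 'emailAuthenticationMethod')
        $Types = @(Get-MgUserAuthenticationMethod -UserId $UserId |
            ForEach-Object { $_.AdditionalProperties['@odata.type'] -replace '^#microsoft\.graph\.', '' } |
            Where-Object { $NotMfa -notcontains $_ })
        [pscustomobject]@{ UserId = $UserId; Registered = ($Types.Count -gt 0); Methods = $Types }
    }

    function Enable-MgUserIfMfaRegistered {
        [CmdletBinding(SupportsShouldProcess = $true)]
        param([Parameter(Mandatory)] [string] $UserId)
        $Mfa = Get-MgUserMfaRegistration -UserId $UserId
        if (-not $Mfa.Registered) {
            # Not ready: stays disabled; the help desk hands out a Temporary Access Pass so the user can register first
            return [pscustomobject]@{ UserId = $UserId; Enabled = $false; Reason = 'no MFA method registered' }
        }
        $Done = $false
        if ($PSCmdlet.ShouldProcess($UserId, "Re-enable (methods: $($Mfa.Methods -join ','))")) {
            Update-MgUser -UserId $UserId -AccountEnabled:$true
            $Done = $true
        }
        [pscustomobject]@{ UserId = $UserId; Enabled = $Done; Reason = "MFA registered: $($Mfa.Methods -join ',')" }
    }

    # Gate every disabled account and keep the decisions as the audit record (drop -WhatIf to apply):
    # Get-MgUser -All -Filter "accountEnabled eq false" -Property UserPrincipalName |
    #     ForEach-Object { Enable-MgUserIfMfaRegistered -UserId $_.UserPrincipalName -WhatIf } |
    #     Export-Csv "C:\Reports\MfaGateDecisions.csv" -NoTypeInformation -Append
    ```

    Returning a decision object for the accounts that stay disabled is the useful part: it gives the help desk the list of people who need a Temporary Access Pass before their access can be restored.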


    🔹 Automating the Process

    To automate MFA enforcement before re-enabling accounts:

    1️⃣ Save the script as Enforce-MFA-AccountReenable.ps1
    2️⃣ Open Task Scheduler → Create Basic Task
    3️⃣ Set Trigger (e.g., Daily at 8 AM)
    4️⃣ Set Action → Start a Program → powershell.exe -File C:\Scripts\Enforce-MFA-AccountReenable.ps1
    5️⃣ Save & Run
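    The Task Scheduler steps in this post, and the identical ones in the enabled-accounts, inactive-accounts, re-enablement and notification posts, as code: an added example that is not from the original posts, using the ScheduledTasks module that ships with Windows 8 / Server 2012 and later. A task has no interactive session, so the script it runs cannot call Get-Credential or an interactive Connect-MgGraph; the comment at the end shows the certificate-based app-only sign-in to use instead. Task name, script path, app id, tenant id and thumbprint are placeholders.

    ```powershell
    # Added example (not from the original posts): the Task Scheduler steps as code, using the
    # ScheduledTasks module (Windows 8 / Server 2012 and later). Task name and script path are placeholders.
    function Register-AdAutomationTask {
        param(
            [Parameter(Mandatory)] [string] $TaskName,
            [Parameter(Mandatory)] [string] $ScriptPath,     # e.g. C:\Scripts\DisableInactiveUsers.ps1
            [string] $RunAsUser = "NT AUTHORITY\SYSTEM",    # or a dedicated least-privilege service account / gMSA
            [string] $DailyAt = "08:00"
        )
        if (-not (Test-Path $ScriptPath)) { throw "Script $ScriptPath not found" }
        # -NonInteractive makes any stray credential prompt fail fast instead of hanging the task forever.
        # Keep the script folder writable by administrators only: a SYSTEM task that runs a script other
        # users can edit is a privilege-escalation path.
        $Action    = New-ScheduledTaskAction -Execute "powershell.exe" -Argument "-NoProfile -NonInteractive -File `"$ScriptPath`""
        $Trigger   = New-ScheduledTaskTrigger -Daily -At $DailyAt
        $Principal = New-ScheduledTaskPrincipal -UserId $RunAsUser -LogonType ServiceAccount -RunLevel Highest
        $Settings  = New-ScheduledTaskSettingsSet -ExecutionTimeLimit (New-TimeSpan -Hours 1) -StartWhenAvailable -MultipleInstances IgnoreNew
        Register-ScheduledTask -TaskName $TaskName -Action $Action -Trigger $Trigger -Principal $Principal -Settings $Settings -Force
    }

    # Register-AdAutomationTask -TaskName "Disable Inactive Users" -ScriptPath "C:\Scripts\DisableInactiveUsers.ps1"

    # Header for the scheduled script itself: app-only Graph sign-in with a certificate in the machine store
    # (readable by the task's account), granting the app registration only the application permissions the script uses.
    # Connect-MgGraph -ClientId "<app id>" -TenantId "<tenant id>" -CertificateThumbprint "<thumbprint>"
    ```

    Registering the task from code rather than the wizard also makes the run-as principal, time limit and overlap policy reviewable in version control, which is where the reviewer will look when the job disables something it should not have.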

    📌 Now, all disabled accounts must complete MFA before being re-enabled!


    🔹 Summary

    Users cannot log in until MFA is configured
    Automated enforcement ensures security compliance
    Users and IT teams are notified via email
    Script works for both Active Directory & Azure AD
    Scheduled automation eliminates manual work

    With this automation, IT teams can enforce MFA before restoring user access, ensuring security-first policies and preventing unauthorized logins. 🚀

  • What is SAML and How to Configure It?

    Introduction to SAML

    Security Assertion Markup Language (SAML) is an XML-based authentication standard used for Single Sign-On (SSO). It allows users to log in once and access multiple applications without entering credentials repeatedly.

    Why Use SAML?

    • Enhanced Security: SAML enables authentication via an identity provider (IdP) rather than storing credentials in multiple applications.
    • SSO Capabilities: Users only log in once to access different apps.
    • Interoperability: Works across various identity providers and service providers.

    How SAML Works

    1. User Requests Access: The user tries to access an application (Service Provider – SP).
    2. Redirect to Identity Provider (IdP): The user is redirected to the IdP for authentication.
    3. Authentication & Assertion: The IdP verifies credentials and sends a SAML assertion (authentication token) back.
    4. User Gains Access: The SP validates the assertion and grants access.
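    Step 4 is where the service provider decides whether to trust what it received, and it is also the step behind the "Invalid SAML Assertion?" and "Incorrect Reply URL?" items in the Azure SSO troubleshooting list earlier on this page. As an added example that is not part of either post, here is the set of checks an SP makes on the response before granting access: status, exactly one assertion, trusted issuer, validity window with clock skew, audience, recipient and InResponseTo. A real SP must additionally verify the XML signature against the IdP certificate from the federation metadata, which this example does not show. The response is a constructed, unsigned sample; the tenant id and request id in it are placeholders, and the Entity ID and Reply URL are the ones from the configuration steps below.

    ```powershell
    # Added example (not from the original post): the checks a service provider runs on a SAML
    # response in step 4 before trusting it. Signature verification is NOT included here; a real
    # SP must verify the assertion signature against the IdP certificate from its metadata.
    # The sample response below is constructed and unsigned; ids are placeholders.
    function Test-SamlAssertion {
        param(
            [Parameter(Mandatory)] [string] $ResponseXml,
            [Parameter(Mandatory)] [string] $ExpectedIssuer,      # IdP entity id from its metadata
            [Parameter(Mandatory)] [string] $ExpectedAudience,    # this SP's Identifier (Entity ID)
            [Parameter(Mandatory)] [string] $ExpectedRecipient,   # this SP's Reply URL (ACS URL)
            [string]   $ExpectedInResponseTo,                     # id of the AuthnRequest we sent; empty for IdP-initiated
            [datetime] $Now = [datetime]::UtcNow,
            [int]      $ClockSkewSeconds = 120
        )
        $Problems = @()
        $Doc = [xml]$ResponseXml
        $Ns  = New-Object System.Xml.XmlNamespaceManager($Doc.NameTable)
        $Ns.AddNamespace('samlp', 'urn:oasis:names:tc:SAML:2.0:protocol')
        $Ns.AddNamespace('saml',  'urn:oasis:names:tc:SAML:2.0:assertion')
        $ToUtc = { param($s) [datetime]::Parse($s).ToUniversalTime() }

        $Status = $Doc.SelectSingleNode('/samlp:Response/samlp:Status/samlp:StatusCode', $Ns)
        if (-not $Status -or $Status.GetAttribute('Value') -ne 'urn:oasis:names:tc:SAML:2.0:status:Success') { $Problems += 'status is not Success' }

        $Assertions = $Doc.SelectNodes('/samlp:Response/saml:Assertion', $Ns)
        if ($Assertions.Count -ne 1) { $Problems += "expected exactly one Assertion, found $($Assertions.Count)" }
        $A = if ($Assertions.Count -ge 1) { $Assertions[0] } else { $null }
        $NameId = $null
        if ($A) {
            $Issuer = $A.SelectSingleNode('saml:Issuer', $Ns).InnerText
            if ($Issuer -ne $ExpectedIssuer) { $Problems += "issuer '$Issuer' is not the trusted IdP" }

            # Validity window, with a small tolerance for clock drift between IdP and SP
            $Cond = $A.SelectSingleNode('saml:Conditions', $Ns)
            $NotBefore    = & $ToUtc ($Cond.GetAttribute('NotBefore'))
            $NotOnOrAfter = & $ToUtc ($Cond.GetAttribute('NotOnOrAfter'))
            if ($Now -lt $NotBefore.AddSeconds(-$ClockSkewSeconds)) { $Problems += "assertion not yet valid (NotBefore $NotBefore)" }
            if ($Now -ge $NotOnOrAfter.AddSeconds($ClockSkewSeconds)) { $Problems += "assertion expired (NotOnOrAfter $NotOnOrAfter)" }

            # Audience: an assertion minted for another SP must not be accepted here
            $Audiences = @($Cond.SelectNodes('saml:AudienceRestriction/saml:Audience', $Ns) | ForEach-Object { $_.InnerText })
            if ($Audiences -notcontains $ExpectedAudience) { $Problems += "audience [$($Audiences -join ',')] does not include $ExpectedAudience" }

            # Bearer confirmation: recipient must be our ACS URL and, for SP-initiated flows, must answer our request
            $ScData = $A.SelectSingleNode('saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData', $Ns)
            if (-not $ScData) {
                $Problems += 'missing SubjectConfirmationData'
            } else {
                if ($ScData.GetAttribute('Recipient') -ne $ExpectedRecipient) { $Problems += "recipient $($ScData.GetAttribute('Recipient')) is not our ACS URL" }
                if ($ScData.HasAttribute('NotOnOrAfter') -and $Now -ge (& $ToUtc ($ScData.GetAttribute('NotOnOrAfter'))).AddSeconds($ClockSkewSeconds)) { $Problems += 'subject confirmation expired' }
                if ($ExpectedInResponseTo -and $ScData.GetAttribute('InResponseTo') -ne $ExpectedInResponseTo) { $Problems += 'InResponseTo does not match the request we sent' }
            }
            $NameId = $A.SelectSingleNode('saml:Subject/saml:NameID', $Ns).InnerText
        }
        [pscustomobject]@{ Valid = ($Problems.Count -eq 0); NameId = $NameId; Problems = $Problems }
    }

    # Constructed sample response (unsigned, for illustration only); tenant and request ids are placeholders
    $SampleResponse = @'
    <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0" IssueInstant="2025-01-15T08:00:00Z">
      <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
      <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2025-01-15T08:00:00Z">
        <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
        <saml:Subject>
          <saml:NameID>user@example.com</saml:NameID>
          <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
            <saml:SubjectConfirmationData InResponseTo="_req1" Recipient="https://yourapp.com/sso/callback" NotOnOrAfter="2025-01-15T08:05:00Z"/>
          </saml:SubjectConfirmation>
        </saml:Subject>
        <saml:Conditions NotBefore="2025-01-15T07:55:00Z" NotOnOrAfter="2025-01-15T09:00:00Z">
          <saml:AudienceRestriction><saml:Audience>https://yourapp.com</saml:Audience></saml:AudienceRestriction>
        </saml:Conditions>
      </saml:Assertion>
    </samlp:Response>
    '@

    # Evaluate as if received at 08:01Z; move -Now past 08:05Z or change -ExpectedAudience to watch individual checks fail
    Test-SamlAssertion -ResponseXml $SampleResponse -ExpectedIssuer 'https://sts.windows.net/00000000-0000-0000-0000-000000000000/' -ExpectedAudience 'https://yourapp.com' -ExpectedRecipient 'https://yourapp.com/sso/callback' -ExpectedInResponseTo '_req1' -Now ([datetime]::Parse('2025-01-15T08:01:00Z').ToUniversalTime())
    ```

    Each Problems entry maps to one of the troubleshooting items: a recipient mismatch is the "Incorrect Reply URL" case, an audience or issuer mismatch is what the Azure AD sign-in log reports as an invalid assertion. Collecting every failure rather than stopping at the first one is what makes the function usable for diagnosis rather than only for the accept/reject decision.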

    How to Configure SAML Authentication in Entra ID

    To set up SAML-based authentication in Entra ID, follow these steps:

    Step 1: Register an Enterprise Application

    1. Go to Microsoft Entra ID in the Azure Portal.
    2. Navigate to Enterprise Applications > New Application.
    3. Select Non-gallery application and provide a name for your app.
    4. Click Create.

    Step 2: Configure Single Sign-On (SSO)

    1. In the newly created app, go to Single sign-on.
    2. Choose SAML as the authentication method.
    3. Configure the Basic SAML Configuration:
      • Identifier (Entity ID): https://yourapp.com
      • Reply URL (Assertion Consumer Service URL): https://yourapp.com/sso/callback
      • Sign-on URL: https://yourapp.com/login
    4. Click Save.

    Step 3: Download & Share SAML Metadata

    • Download the Federation Metadata XML from the SAML Signing Certificate section.
    • Provide this XML file to the Service Provider (SP) to complete the integration.

    Step 4: Assign Users to the Application

    1. Go to Users and Groups in the Enterprise Application.
    2. Assign users who should have access to the app.

    Step 5: Test SSO

    1. Click on Test SSO in the SAML settings.
    2. Ensure authentication is successful and users can log in.

    Configuring SAML in Entra ID Using PowerShell

    You can automate the setup using PowerShell with the Microsoft Graph API.

    Step 1: Connect to Microsoft Graph
    Connect-MgGraph -Scopes "Application.ReadWrite.All", "AppRoleAssignment.ReadWrite.All"
    
    Step 2: Register an Enterprise Application
    powershellCopyEdit$enterpriseApp = New-MgServicePrincipal -AppId "00000003-0000-0000-c000-000000000000"
    
    Step 3: Configure SAML SSO
    powershellCopyEdit$sp = Get-MgServicePrincipal -Filter "DisplayName eq 'YourAppName'"
    
    # Set SAML properties
    Update-MgServicePrincipal -ServicePrincipalId $sp.Id -PreferredTokenSigningKeyThumbprint "YourThumbprint"
    
    Step 4: Assign Users
    powershellCopyEdit$user = Get-MgUser -UserPrincipalName "[email protected]"
    New-MgUserAppRoleAssignment -UserId $user.Id -ResourceId $sp.Id -AppRoleId "Role ID"
    

    Conclusion

    SAML authentication provides a secure and efficient way for users to authenticate with multiple applications using a single sign-on (SSO) process. Configuring SAML in Microsoft Entra ID enhances security, simplifies user access, and integrates seamlessly with cloud-based applications.

    Entra ID App Registration – Introduction, Purpose, and PowerShell Guide

    Introduction

    Microsoft Entra ID (formerly known as Azure AD) is Microsoft's cloud identity and access management (IAM) service. Registering an app gives it an identity in Entra ID so that it can sign users in and call APIs with the permissions it has been granted; without a registration, Entra ID has nothing to issue tokens to.

    Purpose of Entra ID App Registration

    Entra ID App Registration allows developers and IT admins to:

    • Enable secure authentication for applications.
    • Configure permissions for Microsoft Graph and other APIs.
    • Use OAuth 2.0 and OpenID Connect for secure authentication.
    • Enable multi-tenant access for applications.

    By registering an app, you establish its identity with Entra ID, allowing it to authenticate users and access resources.


    Creating an Entra ID App Registration Using PowerShell

    To create an app registration in Entra ID using PowerShell, follow these steps:

    Prerequisites

    • You must have the Microsoft.Graph PowerShell module installed (the older AzureAD and MSOnline modules are deprecated and are not used here).
    • You need the Global Administrator or Application Administrator role. Granting admin consent to Microsoft Graph application permissions (Step 4) additionally requires Global Administrator or Privileged Role Administrator.

    Steps to Create an App Registration Using PowerShell

    Step 1: Install and Connect to Microsoft Graph PowerShell
    # Install the Microsoft Graph PowerShell module if not installed
    Install-Module Microsoft.Graph -Scope CurrentUser
    
    # Connect to Entra ID with the required permissions
    Connect-MgGraph -Scopes "Application.ReadWrite.All", "AppRoleAssignment.ReadWrite.All"
    
    Step 2: Create the App Registration
    # Define the application name
    $appName = "MyEntraApp"
    
    # Register the application
    $app = New-MgApplication -DisplayName $appName
    
    # Output the app details
    $app
    
    Step 3: Create a Service Principal for the App
    # Create a service principal (the enterprise application) so the app can be granted permissions and sign in
    $sp = New-MgServicePrincipal -AppId $app.AppId
    
    # Output the service principal details
    $sp
    
    Step 4: Assign API Permissions
    # Look up the Microsoft Graph service principal and the app role (application permission) by name.
    # User.Read.All is an example value; pick the least privilege the app actually needs.
    $graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
    $perm = $graphSp.AppRoles | Where-Object { $_.Value -eq "User.Read.All" }
    
    # Declare the permission on the app registration (what the portal shows under API permissions)
    $graphPermission = @{
        ResourceAppId  = $graphSp.AppId
        ResourceAccess = @(@{ Id = $perm.Id; Type = "Role" })  # Type "Role" = application permission, "Scope" = delegated
    }
    Update-MgApplication -ApplicationId $app.Id -RequiredResourceAccess @($graphPermission)
    
    # Declaring is not consenting: grant admin consent by assigning the role to the app's own service principal
    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -PrincipalId $sp.Id -ResourceId $graphSp.Id -AppRoleId $perm.Id
    
    Step 5: Generate a Client Secret
    # Create a client secret with a short lifetime (the portal default is much longer than most apps need).
    # Entra ID returns SecretText only in this response and never again.
    $clientSecret = Add-MgApplicationPassword -ApplicationId $app.Id -PasswordCredential @{
        DisplayName = "MySecret"
        EndDateTime = (Get-Date).AddMonths(6)
    }
    
    # Output client secret details
    $clientSecret
    
    Step 6: Retrieve the App Details
    Write-Host "Application ID: $($app.AppId)"
    Write-Host "Service Principal ID: $($sp.Id)"
    # The secret is shown once and is not retrievable later. Put it straight into a vault (for example Azure Key Vault),
    # never into a script, ticket or chat; for production workloads prefer a certificate credential or a managed identity.
    Write-Host "Client Secret: $($clientSecret.SecretText) (Copy this now, it won't be retrievable again!)"
    
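Before handing the registration over, prove it works and holds nothing more than intended. The following added example (not from the original post) requests an app-only token with the client credentials grant and decodes the token's roles claim, which lists only the application permissions that have actually been admin-consented. The tenant ID is an assumed placeholder; the client ID and secret are the values from the steps above, and the permission list is the example value used in Step 4.

```powershell
# Added example: verify the new registration with a client-credentials token (not the post's own code).
$tenantId     = "<tenant-id>"               # assumption: replace with your tenant GUID or verified domain
$clientId     = $app.AppId                  # from Step 6
$clientSecret = $clientSecret.SecretText    # from Step 5; in a real script read this from a vault, never hard-code it

function Get-AppOnlyToken {
    param([string]$TenantId, [string]$ClientId, [string]$ClientSecret)
    $body = @{
        client_id     = $ClientId
        client_secret = $ClientSecret
        scope         = "https://graph.microsoft.com/.default"   # .default = every consented permission for this resource
        grant_type    = "client_credentials"
    }
    $resp = Invoke-RestMethod -Method Post -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" `
                              -Body $body -ContentType "application/x-www-form-urlencoded"
    return $resp.access_token
}

function ConvertFrom-JwtPayload {
    # Decode the payload (second base64url segment) for inspection only. This does not verify the token;
    # the resource (Graph) verifies it, the client never needs to.
    param([string]$Jwt)
    $payload = $Jwt.Split('.')[1].Replace('-', '+').Replace('_', '/')
    switch ($payload.Length % 4) { 2 { $payload += '==' } 3 { $payload += '=' } }
    return [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload)) | ConvertFrom-Json
}

$token  = Get-AppOnlyToken -TenantId $tenantId -ClientId $clientId -ClientSecret $clientSecret
$claims = ConvertFrom-JwtPayload -Jwt $token

"App ID (appid): $($claims.appid)"
"Expires (exp):  $([DateTimeOffset]::FromUnixTimeSeconds($claims.exp).UtcDateTime)"
"Roles granted:  $($claims.roles -join ', ')"

# Least-privilege check: the token carries exactly the permission the app was designed for.
# A missing roles claim means consent was never granted; extra roles mean someone widened the app's rights.
$expected = @("User.Read.All")
$extra = $claims.roles | Where-Object { $_ -notin $expected }
if (-not $claims.roles) { Write-Warning "No roles claim: admin consent has not been granted." }
elseif ($extra)         { Write-Warning "Over-privileged: unexpected roles $($extra -join ', ')" }
else                    { "Least-privilege check passed." }
```

Run this again after any change to the registration; a token that suddenly carries more roles than `$expected` is the quickest signal that an app has been quietly over-privileged.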

    Conclusion

    By following these steps, you have successfully registered an application in Microsoft Entra ID using PowerShell. This setup allows your app to authenticate users, request API permissions, and securely interact with cloud resources.

  • Why Automating User MFA Reporting in Entra ID is Essential for Your Organization

    In today’s rapidly evolving cybersecurity landscape, Multi-Factor Authentication (MFA) plays a pivotal role in securing user access to critical systems and data. While Azure Active Directory (now Entra ID) provides a robust and comprehensive MFA solution, ensuring that users are using the right authentication methods and tracking that data can be time-consuming without proper automation.

    In this blog, we’ll explore what it means to identify users with phone-based MFA in Entra ID, why it’s important to automate this process, and how using PowerShell can significantly streamline the task.


    Understanding Phone-based MFA in Entra ID

    Phone-based MFA refers to authentication methods that rely on the user's mobile phone, chiefly the Microsoft Authenticator app. In the legacy MSOnline naming, the two methods are:

    • Phone App Notification (PhoneAppNotification): the Authenticator app receives a push notification and the user approves or denies the sign-in; with number matching enforced, the user must also enter the number shown on the sign-in screen.
    • Phone App OTP (PhoneAppOTP): the Authenticator app generates a time-based one-time code locally, which the user types in to complete the sign-in. No notification or network connection on the phone is needed.

    SMS and voice-call methods also use a phone number but are the weakest of the phone-based options, since codes sent over the telephone network can be intercepted or redirected by SIM swapping.

    While these are robust forms of authentication, not every user within an organization will necessarily have phone-based MFA set up. Additionally, some users may be using alternate authentication methods, such as hardware tokens or biometrics, while others may have not configured any form of MFA at all.

    Based on my experience, phone-based MFA can cause issues with cross-tenant synchronization. Specifically, users who have phone-based MFA set up may face challenges in being provisioned to other tenants. The “NotInScope” and “NotEffectivelyEntitled” errors are often encountered during cross-tenant sync, preventing the proper provisioning of these users. This can cause delays and disrupt workflows, highlighting the importance of understanding and monitoring the MFA configurations of users across tenants.

    Why Track Active Users with Phone-based MFA?

    Ensuring that the right users are utilizing MFA, especially phone-based methods, is a key component of maintaining a secure environment. Here are a few reasons why tracking active users with phone-based MFA is crucial for your organization:

    1. Enhanced Security: With the rise of phishing attacks and data breaches, enforcing MFA provides an additional layer of security, so a compromised password alone does not grant access. Authenticator push and OTP are far stronger than SMS or voice codes, but they are not phishing-resistant: a real-time proxy phishing kit can relay the one-time code, and push approval can be worn down by repeated prompts (MFA fatigue) unless number matching is enforced. FIDO2 security keys, passkeys and Windows Hello for Business are the phishing-resistant tier, and tracking who is still on phone-based methods tells you who to move.
    2. Compliance: Many organizations are bound by regulatory requirements or frameworks (for example HIPAA, PCI DSS or cyber-insurance terms) that require strong authentication for access to sensitive data. Knowing which active users have MFA registered, and which methods, is the evidence an auditor asks for.
    3. User Experience: Simplified user access can lead to fewer friction points in daily workflows. With phone-based MFA, users can easily authenticate themselves without needing complicated hardware setups. Tracking and reporting on these users ensures that your organization stays on top of who’s set up and using MFA.
    4. Auditing and Reporting: Having visibility into the MFA status of your users is important for security auditing. Automated reporting ensures you’re not missing any critical configurations, and it can highlight any gaps that need addressing.
    5. Efficiency: Manual checks for MFA statuses and configurations can be tedious, especially for larger organizations with hundreds or thousands of users. By automating this process, you free up time for other essential tasks.

    Automating the MFA Reporting Process in Entra ID

    Manual auditing of MFA configurations can be error-prone, especially when done across large environments with multiple users. Automating the process not only improves accuracy but also ensures that the task is completed consistently.

    PowerShell provides a simple yet powerful solution for automating the reporting of active users who have phone-based MFA enabled in Entra ID. Here is how you can automate this process using PowerShell:

    Using the Microsoft Graph Module:

    The AzureAD module has no cmdlet that returns a user's MFA methods (there is no Get-AzureADUserMFA), and AzureAD itself is deprecated, so the report is built with the Microsoft Graph PowerShell SDK instead. In Graph, the Authenticator push method registers as a Microsoft Authenticator authentication method and the app's one-time code as a software OATH method.

    # Connect to Microsoft Graph with read access to users and their authentication methods
    Connect-MgGraph -Scopes "User.Read.All", "UserAuthenticationMethod.Read.All"
    
    # Graph @odata.type values that correspond to PhoneAppNotification and PhoneAppOTP
    $phoneMethodTypes = @(
        "#microsoft.graph.microsoftAuthenticatorAuthenticationMethod",   # push notification
        "#microsoft.graph.softwareOathAuthenticationMethod"              # app one-time code
    )
    
    # Get the list of active users with phone-based MFA registered (one Graph call per user)
    $usersWithPhoneMFA = Get-MgUser -All -Filter "accountEnabled eq true" -Property Id,DisplayName,UserPrincipalName |
        Where-Object {
            $methods = Get-MgUserAuthenticationMethod -UserId $_.Id
            $methods | Where-Object { $_.AdditionalProperties.'@odata.type' -in $phoneMethodTypes }
        }
    
    # Display the users
    $usersWithPhoneMFA | Select-Object DisplayName, UserPrincipalName
    

    Using the MSOnline Module:

    MSOnline is also deprecated, but its StrongAuthenticationMethods property is where the PhoneAppNotification and PhoneAppOTP names above come from, and it still works in tenants where the module has not yet been blocked:

    # Connect to MSOnline
    Connect-MsolService
    
    # Get the list of active users with phone-based MFA enabled
    $usersWithPhoneMFA = Get-MsolUser -All |
        Where-Object {
            $_.BlockCredential -eq $false -and
            (
                $_.StrongAuthenticationMethods.MethodType -contains "PhoneAppNotification" -or
                $_.StrongAuthenticationMethods.MethodType -contains "PhoneAppOTP"
            )
        }
    
    # Display the users
    $usersWithPhoneMFA | Select-Object DisplayName, UserPrincipalName
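The per-user queries above answer one question. For a recurring report a practitioner usually wants the whole tenant in one call, ranked by how strong each user's best method is. The following added example (not from the original post) does that with the Graph authentication-method registration report; the tier grouping of Graph method names is my own classification, and the module names, scopes and output path are assumptions.

```powershell
# Added example: tenant-wide MFA registration report with a strength tier per user (not the post's own code).
# Assumes Microsoft.Graph.Reports and Microsoft.Graph.Users are installed and the scopes below are consented.
Connect-MgGraph -Scopes "AuditLog.Read.All", "UserAuthenticationMethod.Read.All", "User.Read.All"

# Graph methodsRegistered names grouped from strongest to weakest (assumed classification)
$tiers = [ordered]@{
    PhishingResistant = @("fido2SecurityKey", "passKeyDeviceBound", "windowsHelloForBusiness", "macOsSecureEnclaveKey")
    AuthenticatorPush = @("microsoftAuthenticatorPush", "microsoftAuthenticatorPasswordless")   # PhoneAppNotification in MSOnline terms
    OneTimePasscode   = @("softwareOneTimePasscode", "hardwareOneTimePasscode")                 # PhoneAppOTP in MSOnline terms
    SmsOrVoice        = @("mobilePhone", "alternateMobilePhone", "officePhone")
}

function Get-StrongestTier {
    param([string[]]$Methods)
    foreach ($tier in $tiers.Keys) {
        if ($Methods | Where-Object { $_ -in $tiers[$tier] }) { return $tier }
    }
    return "None"
}

# The registration report does not carry accountEnabled, so fetch the enabled-user set separately
$enabled = @{}
Get-MgUser -All -Filter "accountEnabled eq true" -Property Id | ForEach-Object { $enabled[$_.Id] = $true }

$report = Get-MgReportAuthenticationMethodUserRegistrationDetail -All |
    Where-Object { $enabled.ContainsKey($_.Id) } |
    ForEach-Object {
        [pscustomobject]@{
            UserPrincipalName = $_.UserPrincipalName
            DisplayName       = $_.UserDisplayName
            IsAdmin           = $_.IsAdmin
            MfaRegistered     = $_.IsMfaRegistered
            DefaultMethod     = $_.DefaultMfaMethod
            StrongestTier     = Get-StrongestTier -Methods $_.MethodsRegistered
            Methods           = ($_.MethodsRegistered -join ";")
        }
    }

# Summary by tier, then the two lists a security reviewer acts on first
$report | Group-Object StrongestTier | Select-Object Name, Count | Format-Table -AutoSize
"Active users with no MFA registered:"
$report | Where-Object { -not $_.MfaRegistered } | Format-Table UserPrincipalName, DisplayName -AutoSize
"Admins without a phishing-resistant method:"
$report | Where-Object { $_.IsAdmin -and $_.StrongestTier -ne "PhishingResistant" } |
    Format-Table UserPrincipalName, StrongestTier, Methods -AutoSize

$report | Export-Csv -Path ".\MfaRegistrationReport.csv" -NoTypeInformation
```

Scheduling this and diffing successive CSVs is what turns a one-off audit into the ongoing visibility the next section argues for.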


    Why Automate This Process?

    Automating the reporting of active users with phone-based MFA brings a multitude of benefits:

    • Time-Saving: Automation allows you to quickly run reports and receive accurate information, which can otherwise take hours when done manually.
    • Real-Time Visibility: With automation, you get updated data at any time, helping you respond to potential security risks in real-time.
    • Scalability: Whether you have 10 or 10,000 users, automation ensures that the process scales to match your organization’s size without increasing the workload.
    • Accuracy: The automation removes the risk of human error, ensuring that the right users are being reported and that configurations are accurate.

    Conclusion

    Tracking active users with phone-based MFA is essential to maintaining security and compliance within your organization. By automating this process with PowerShell, you can save valuable time, improve reporting accuracy, and make better, data-driven decisions regarding your organization’s security posture.

    Automating these tasks also prepares your organization to scale efficiently and ensures that all users are adhering to the security standards you’ve set.

    If you haven’t yet automated your MFA reporting process, consider implementing a PowerShell solution and integrate it into your IT operations today. It’s a small investment that will yield significant improvements in both security and efficiency.

  • Provisioning a User in Azure with Email, MFA, and E3 License

    Introduction

    Provisioning users in Entra ID (formerly Azure AD) consistently is a security control in itself: every new account should start with a unique, expiring initial password, an MFA requirement and only the licenses it needs. This guide walks through setting up a new user with M365 E3 licensing using PowerShell.

    Prerequisites

    ✔ PowerShell installed
    ✔ AzureAD and MSOnline modules installed (Install-Module AzureAD; Install-Module MSOnline). Both modules are deprecated; they are kept here because the legacy per-user MFA setting is only exposed through MSOnline, but new automation should target the Microsoft Graph PowerShell SDK.
    ✔ Global Administrator or User Administrator role in Entra ID (User Administrator covers the user and license steps)

    PowerShell Script

    # Connect to Azure AD (user creation and licensing) and MSOnline (legacy per-user MFA state)
    Connect-AzureAD
    Connect-MsolService
    
    $upn = "[email protected]"
    
    # Create a new user with a random initial password that must be changed at first sign-in.
    # Never hard-code a shared starter password in a provisioning script.
    $PasswordProfile = New-Object -TypeName Microsoft.Open.AzureAD.Model.PasswordProfile
    $PasswordProfile.Password = -join ((48..57) + (65..90) + (97..122) + (33..47) | Get-Random -Count 20 | ForEach-Object { [char]$_ })
    $PasswordProfile.ForceChangePasswordNextLogin = $true
    
    $user = New-AzureADUser -UserPrincipalName $upn `
                            -DisplayName "New User" `
                            -PasswordProfile $PasswordProfile `
                            -MailNickName "newuser" `
                            -AccountEnabled $true `
                            -UsageLocation "US"   # license assignment fails without a usage location
    
    # Assign Microsoft 365 E3 License (SkuPartNumber SPE_E3; ENTERPRISEPACK is Office 365 E3, a different SKU)
    $sku = Get-AzureADSubscribedSku | Where-Object { $_.SkuPartNumber -eq "SPE_E3" }
    $license = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicense
    $license.SkuId = $sku.SkuId
    $licenses = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicenses
    $licenses.AddLicenses = $license
    Set-AzureADUserLicense -ObjectId $user.ObjectId -AssignedLicenses $licenses
    
    # Enable legacy per-user MFA (Set-MsolUser needs the MSOnline type, not the AzureAD one).
    # "Enabled" prompts the user to register at next sign-in. Conditional Access or security defaults
    # is the recommended replacement for per-user MFA in new tenants.
    $StrongAuthRequirement = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
    $StrongAuthRequirement.RelyingParty = "*"
    $StrongAuthRequirement.State = "Enabled"
    Set-MsolUser -UserPrincipalName $upn -StrongAuthenticationRequirements @($StrongAuthRequirement)
    
    Write-Host "User provisioned successfully with MFA and E3 license."
    

    Done! Your new user is now provisioned with an E3 license and MFA enforced.
