Articles, views, and insights about the practical application of the Microsoft Graph APIs (including the Microsoft Graph PowerShell SDK) from Practical365.com
In this article, we guide you through the process of using the Graph Activity Log and Kusto Query Language (KQL) to hunt for common indicators of mailbox compromise, with useful tips along the way.
App management audit events are captured when changes are made to Entra registered and enterprise apps. Critical app management audit events should be closely monitored to ensure that permissions are used properly and attackers haven't attempted to penetrate the tenant to extract data. This article explains how to find and analyze audit data for some critical app management audit events and run the code as an Azure Automation runbook.
A new Set-MgDriveItemSensitivityLabel cmdlet makes it easier to assign sensitivity labels in PowerShell scripts. However, the cmdlet does not get around the restriction imposed by Microsoft on using metered APIs. Apps still must be registered as Azure resources before scripts can run the cmdlet. It's easy to understand why, even if it seems strange at first.
In this episode of Practical Protection, we dive into the basics of Threat Hunting, tools you can use, and even some DIY hunting advice.
In the first installment of Securing Microsoft 365 with Graph Activity Logs, Mezba Uddin dives into the essentials of the Microsoft Graph Activity Log, what it does, its importance for visibility, and how to get it running to start seeing it's data.
Everyone learns from experience. This article covers five important building blocks for writing great Graph PowerShell scripts, the product of hard-won experience and many mistakes. Filtering, properties, permissions, and pagination all make the list.
App secrets are used to authenticate registered apps with Entra ID. App secrets (or passwords) are convenient and easy to use, but they're relatively insecure. The default app management policy for the tenant can block app secrets while custom app management policies can allow selective apps to use app secrets for testing or other well-defined purposes. All explained here.
In the second part of this series on Controlling Access to Microsoft 365 Entra ID Apps, Ingo dives into the process of creating custom Role-Based Access Control (RBAC) to Improve Security in your tenant.
In this article, Mezba Uddin reviews using Audit Logs and the Graph API to perform six specific investigation actions in Exchange Online to help keep your email environment safe.
After a year or so of using the AuditLog Query Graph API, we have enough experience to be able to explain how to take advantage of the API and when it could be used to run audit searches instead of the Search-UnifiedAuditLog cmdlet. There's lots of PowerShell code in this article to give anyone who wants to experiment with the API a good start to finding audit events.
This article describes how to create a report about group-based licensing assignments and any errors that might have occurred. The code uses the Microsoft Graph PowerShell SDK to fetch information about the groups used for licensing assignments, interpret the assignments, find users with assignment errors, and send email to inform administrators about what's been found.
The need to restore deleted user accounts sometimes arises. The process is well understood and options are available to do the job in the Entra and Microsoft 365 admin centers. But if you need to restore a deleted user account and change its user principal name, that operation can only be done with PowerShell. This article explores why updating a user principal name during a restore might be necessary and the code to restore accounts.
