
Friday, August 25, 2023

Using Microsoft Graph to Find Inactive Guest Users in Azure Active Directory

Description:

You have been using Azure Active Directory for a while and now notice several "external - guest" users listed among your Azure AD users. You need to gather a list of the inactive guest user accounts.

Resolution:

We can try to get the list of inactive users by using Microsoft Graph.

Connect-MgGraph -Scopes "User.Read.All","AuditLog.Read.All"

# Log on using a Global Admin account

# -All pages through every guest instead of stopping at the first page of results
$guestUsers = Get-MgUser -All -Filter "userType eq 'Guest' and accountEnabled eq true" -Property DisplayName, UserPrincipalName, SignInActivity, CreatedDateTime

# Inactive = no sign-in in the last 90 days, or no sign-in recorded at all
$inactiveGuestUsers = $guestUsers | Where-Object {($_.SignInActivity.LastSignInDateTime -lt (Get-Date).AddDays(-90)) -or ($null -eq $_.SignInActivity.LastSignInDateTime)}

# Display the list of inactive guest users

$inactiveGuestUsers | Select-Object DisplayName, UserPrincipalName, @{Name="LastSignInDateTime"; Expression={$_.SignInActivity.LastSignInDateTime}}, CreatedDateTime
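
An added example (not code from the original post) that goes a step beyond the query above: it uses the newer of the interactive and non-interactive sign-in timestamps and separates guests created inside the 90-day window from older guests that never signed in. The function name Get-GuestActivityReport, its parameters and the sample accounts are assumptions constructed for illustration.

```powershell
# Added example: classify guest accounts by their most recent recorded activity.
# Get-GuestActivityReport and its parameters are hypothetical names.
function Get-GuestActivityReport {
    param(
        [Parameter(Mandatory)] [object[]] $User,
        [int] $InactiveDays = 90,
        [datetime] $Now = (Get-Date)
    )
    $cutoff = $Now.AddDays(-$InactiveDays)
    foreach ($u in $User) {
        # Newest of the interactive and non-interactive sign-in timestamps, if any.
        $last = @($u.SignInActivity.LastSignInDateTime,
                  $u.SignInActivity.LastNonInteractiveSignInDateTime) |
            Where-Object { $null -ne $_ } | Sort-Object -Descending | Select-Object -First 1
        $status = if ($null -ne $last) {
            if ($last -lt $cutoff) { 'Inactive' } else { 'Active' }
        } elseif ($u.CreatedDateTime -lt $cutoff) {
            'NeverSignedIn'      # older than the window with no recorded sign-in
        } else {
            'RecentlyInvited'    # created inside the window, no sign-in yet
        }
        [pscustomobject]@{
            UserPrincipalName = $u.UserPrincipalName
            CreatedDateTime   = $u.CreatedDateTime
            LastActivity      = $last
            Status            = $status
        }
    }
}

# Constructed sample objects with the same property shape as Get-MgUser output.
$now = [datetime]'2023-08-25'
$sample = @(
    [pscustomobject]@{ UserPrincipalName = 'alice_example.com#EXT#@contoso.onmicrosoft.com'; CreatedDateTime = [datetime]'2022-01-10'
        SignInActivity = [pscustomobject]@{ LastSignInDateTime = [datetime]'2023-01-05'; LastNonInteractiveSignInDateTime = [datetime]'2023-08-20' } }
    [pscustomobject]@{ UserPrincipalName = 'bob_example.com#EXT#@contoso.onmicrosoft.com'; CreatedDateTime = [datetime]'2022-03-02'
        SignInActivity = [pscustomobject]@{ LastSignInDateTime = [datetime]'2023-02-01'; LastNonInteractiveSignInDateTime = $null } }
    [pscustomobject]@{ UserPrincipalName = 'carol_example.com#EXT#@contoso.onmicrosoft.com'; CreatedDateTime = [datetime]'2022-06-15'
        SignInActivity = $null }
    [pscustomobject]@{ UserPrincipalName = 'dave_example.com#EXT#@contoso.onmicrosoft.com'; CreatedDateTime = [datetime]'2023-08-01'
        SignInActivity = $null }
)
Get-GuestActivityReport -User $sample -Now $now | Format-Table
```

Against a tenant, pass the $guestUsers collection from the query above as -User; the SignInActivity property it already requests carries both timestamps.
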

Sunday, March 5, 2023

Multiple Prompts when creating Azure AD Kerberos Server object

Description:

You want to deploy Windows Hello for Business with the Hybrid Cloud Kerberos type in your environment.
You have met all the required prerequisites. However, when trying to create the Azure AD Kerberos Server object using the PowerShell commands below, you encounter multiple prompts asking for Azure AD credentials.

# Specify the on-premises Active Directory domain. A new Azure AD
# Kerberos Server object will be created in this Active Directory domain.
$domain = $env:USERDNSDOMAIN
# Enter an Azure Active Directory global administrator username and password.
$cloudCred = Get-Credential -Message 'An Active Directory user who is a member of the Global Administrators group for Azure AD.'
# Enter a domain administrator username and password.
$domainCred = Get-Credential -Message 'An Active Directory user who is a member of the Domain Admins group.'
# Create the new Azure AD Kerberos Server object in Active Directory
# and then publish it to Azure Active Directory.
Set-AzureADKerberosServer -Domain $domain -CloudCredential $cloudCred -DomainCredential $domainCred

Resolution:

Make sure the Azure AD Global Administrator account that you are using during configuration is not included in any Azure AD Conditional Access rules. You may also need to close the previous PowerShell session and try again.

Wednesday, May 12, 2021

How to connect to RDP with Azure AD account?

Description:
You have an Azure AD joined machine on the network. You want to use Azure AD credentials to connect to that machine over Remote Desktop.
You enter the Azure AD username and password when prompted, but the login always fails.

Resolution:
1. Open Control Panel and go to System, then open Remote settings.
2. Uncheck "Allow connections only from computers running Remote Desktop with Network Level Authentication".
3. Edit the RDP connection file in Notepad.
4. Add a line to the file and type "enablecredsspsupport:i:0". Save the file.
5. Use the RDP connection file to connect to the Azure AD joined machine.

Thursday, February 11, 2021

Azure AD Connect - AD DS Connector Account

To find the specifics of the service account for the Active Directory connector(s), use the following two lines of Windows PowerShell:

Import-Module "C:\Program Files\Microsoft Azure Active Directory Connect\AdSyncConfig\AdSyncConfig.psm1"

Get-ADSyncADConnectorAccount
