
A blog about cloud stuff - by Stian A. Strysse

Granting workload identities least-privilege mailbox access via Microsoft Graph

Workload identities (apps, managed identities and other service principals) can be granted tenant-wide application access to every mailbox in the tenant via Microsoft Graph. Learn how to scope those permissions down to specific mailboxes.

Forget about POP3, IMAP, Exchange Web Services (EWS) and other legacy protocols for accessing mailbox resources programmatically. These protocols are being deprecated by Microsoft, and rightly so. See my blog post on blocking legacy authentication for more details.
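As an added example (not code from the post above), the usual way to scope a Graph app's mailbox permissions is an Exchange Online application access policy: with RestrictAccess, the app's Mail.*, MailboxSettings.*, Calendars.* and Contacts.* application permissions only work against mailboxes of members of one mail-enabled security group. The app ID, group address and mailbox addresses below are placeholders.

```powershell
# Added example, not the blog's own code. Requires the ExchangeOnlineManagement module
# and an Exchange admin; the app ID, group and mailbox addresses are placeholders.
Connect-ExchangeOnline

$appId      = "00000000-0000-0000-0000-000000000000"   # client ID of the workload identity (placeholder)
$scopeGroup = "graph-mailbox-allowlist@contoso.com"    # mail-enabled security group (placeholder)

# RestrictAccess: the app may only reach mailboxes of members of $scopeGroup.
# Everything it holds tenant-wide in Azure AD (e.g. Mail.Read) is fenced in by this policy.
New-ApplicationAccessPolicy -AppId $appId `
    -PolicyScopeGroupId $scopeGroup `
    -AccessRight RestrictAccess `
    -Description "Limit workload identity $appId to allow-listed mailboxes"

# Verify the evaluation for a mailbox inside and one outside the group:
# AccessCheckResult should be Granted for the first and Denied for the second.
Test-ApplicationAccessPolicy -Identity "alice@contoso.com" -AppId $appId |
    Select-Object Mailbox, AccessCheckResult
Test-ApplicationAccessPolicy -Identity "bob@contoso.com" -AppId $appId |
    Select-Object Mailbox, AccessCheckResult

# Review every policy in the tenant so stray or missing RestrictAccess entries are visible.
Get-ApplicationAccessPolicy | Format-Table AppId, ScopeName, AccessRight, Description
```

The policy takes a while to propagate (Microsoft documents up to 30 minutes), so run the Test-ApplicationAccessPolicy checks again after a pause before trusting the result. The policy constrains application (app-only) permissions; it does not change what the app can do with delegated permissions on behalf of a signed-in user.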

Connecting to SharePoint Online using Managed Identity with granular access permissions

Microsoft Graph and SharePoint Online support granular access permissions through the Sites.Selected application scope in Graph, paired with app access role permissions on individual site collections. It even works with Managed Identities.

The Sites.Selected application scope was introduced in Microsoft Graph some time ago to support granular app access permissions in SharePoint Online. With this scope, an application can be granted access to specific SharePoint Online site collections instead of every site collection in the tenant, and this is very...
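As an added example (not code from the post above), here is the grant step that Sites.Selected needs: the scope itself gives an app access to nothing until a site-level permission is created for it. This uses the Microsoft Graph PowerShell SDK's generic Invoke-MgGraphRequest cmdlet; the site hostname and path, the app ID and the display name are placeholders, and the identity running it must be allowed to manage site permissions (historically Sites.FullControl.All).

```powershell
# Added example, not the blog's own code. Needs the Microsoft.Graph PowerShell SDK.
# Site hostname/path, app ID and display name are placeholders.
Connect-MgGraph -Scopes "Sites.FullControl.All"

$siteHost = "contoso.sharepoint.com"
$sitePath = "/sites/finance"
# For a managed identity, use its application (client) ID, not the object ID.
$appId    = "00000000-0000-0000-0000-000000000000"   # the Sites.Selected app (placeholder)

# Resolve the site collection ID from hostname and server-relative path.
$site   = Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/v1.0/sites/${siteHost}:${sitePath}"
$siteId = $site.id

# Grant the app 'read' on this one site collection (use 'write' if it must change content).
$body = @{
    roles = @("read")
    grantedToIdentities = @(
        @{ application = @{ id = $appId; displayName = "Finance reporting job" } }
    )
}
$grant = Invoke-MgGraphRequest -Method POST -Uri "https://graph.microsoft.com/v1.0/sites/$siteId/permissions" -Body $body
"Created permission $($grant.id) with roles $($grant.roles -join ',')"

# List the site's application permissions to confirm the grant and spot over-broad roles.
$perms = Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/v1.0/sites/$siteId/permissions"
$perms.value | ForEach-Object {
    [pscustomobject]@{
        Id    = $_.id
        Roles = ($_.roles -join ",")
        App   = $_.grantedToIdentities.application.displayName
    }
} | Format-Table
```

Because the grant lives on the site, not on the app registration, the per-site listing at the end is the place to audit who can reach a site collection; an app with only Sites.Selected and no such entry gets 403 on that site.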

Stop using client secrets and certificates, start using Managed Identities

Managed Identities can replace app client secrets and certificates when Azure resources authenticate to Azure AD. Let's look at what a Managed Identity is and how to use it.

Whenever an Azure resource needs to authenticate to Azure AD, the resource must be given an identity. Historically, this meant creating an App registration with a Service Principal and adding an app credential, either a client secret (a password string) or a certificate. Then providing the app credential...

Control access to Azure Storage Blobs with Attribute-based Access Control conditions

Let's look at how to configure access to Azure Storage Blobs using Attribute-based Access Control (ABAC) paired with Custom Security Attributes.

Last week I published a blog post describing the basics of Custom Security Attributes, and how they can be utilized paired with ABAC. Now I will dive further into this topic and describe how to get a working configuration with ABAC conditions using Custom Security Attributes for Azure Blob Storage....

Block legacy authentication protocols using Azure AD Conditional Access policy

Let's look at blocking legacy authentication protocols in a global company's Azure AD with full control and ease of mind

I recently worked with a global company to help them tighten the security in their Azure AD tenant, including blocking legacy authentication protocols with Conditional Access policies. Now, blocking legacy authentication isn't anything new, and there is official Microsoft documentation, guides and blog posts covering this topic, but none the...

Getting started with Custom Security Attributes in Azure AD

This blogpost explores the new Custom Security Attributes public preview feature in Azure AD.

Azure AD has a schema with common attributes for resources like users, e.g. displayName, userPrincipalName, companyName, department and so on. You can also add custom extension attributes via an Application object to extend the schema. However, these attributes are readable by all Azure AD users in the organization and should...

Getting started with Microsoft Graph

Let's go from zero to somewhat hero by getting familiar with topics like REST APIs, JSON, HTTP methods, access tokens, permission scopes, Graph Explorer, the PowerShell SDK and more in this blogpost series covering Microsoft Graph.

Intended for, but not limited to, IT Pros and developers who are familiar with PowerShell or other scripting and code languages, who work with Microsoft cloud services, but still haven't started to look into Microsoft Graph. The goal of this blogpost series is to understand what Microsoft Graph...