Microsoft – MattiasVdl

Export Last Sign-in data for all users

GitHub

mattiasvdlbe/Azure Active Directory/ExportLastSigninAllUsers

Why?

We wanted to do a clean-up of our Microsoft tenant.
All accounts which where inactive for a long time needed to be removed.
We noticed there was no way to make a quick export of the “Last sign-in” date of all users.
You can visualise these dates in the Microsoft Entra user page, but if you create an export of the users, this data is missing.

Microsoft Entra admin center – Last (non-)interactive sign-in time

What?

Script which creates a .csv export containing the Last interactive and non-interactive sign-in for all users on the tenant.
The data in this export can be successful or unsuccessful.

How we got here?

After some searching, I found a way to export this data using PowerShell and the AADPreview module.
However, on further inspection, I noticed the export was limited to only 1000 records.
This was by far insufficient, as it only covered a couple of days of activity on our tenant.

The search continued.
In the end, I arrived at the Microsoft Graph as the easiest way to create an export of the list Sign-in data from the users in our tenant.

While exploring what I could export from the Graph, I found the correct data but noticed the data was paged, as it the number of records was to big.
You couldn’t view all records in one go.
Also the data was in .json format which wasn’t ideal.

While searching for a way to export all records to 1 .csv file, I came across this great response of “JanardhanaVedham-MSFT” on a post on the Microsoft Learn website.
The script he posted was exactly what I was looking for and worked perfectly fine.

Below I’ll explain in a bit more detail how exactly I got it to work.

How it works

Create an Azure App Registration

Specify a name for this app registration.
All other settings are set correctly.

Microsoft Entra admin center – App Registration

Specify the API permissions for this app.
You can delete the default “User.Read.All” permission with Type “User”.
Then add the following 2 “Application permissions”:
– AuditLog.Read.All
– User.Read.All

After adding these permissions you’ll have to Grant admin consent for MSFT.
For this you’ll need a Global Administrator.

Microsoft Entra admin center – App Registration – API permissions

Copy the “Application (client) ID” and “Directory (tenant) ID” to the PowerShell script you can download on my GitHub.

Microsoft Entra admin center – App Registration – App ID & Tenant ID

Finally, we need to create the App Secret.
Go to “Cetificates & secrets” and create a new “Client secret”
You can chose description and the time the secret will be valid.

Microsoft Entra admin center – App Registration – Create Client Secret

After creating the Client secret, you can copy the “Value” to the Powershell script, and afterwards, the script should be working.

Microsoft Entra admin center – App Registration – Client Secret Value

Make sure to copy the Client Secret immediately, as it will be hidden automatically after the admin logs off, and possibly after some time.
It’s not possible to retrieve this secret afterwards.

Microsoft Entra admin center – App Registration – Client Secret Value Hidden

In case you forgot to copy the secret value, and it’s hidden, you’ll have to create a new one.
Also remember this secret is only valid for the specified period.
You will need to create a new secret after this period if you want to keep using the script.

Run the script now you’ve filled in the necessary Azure App Registration details.

You’ll find the export here:

C:\Temp\ReportUserSignin.csv

All set to open the report in Excel, or any other application you want to use to analyse or work with the .csv file.

Get this data through Postman

You can also access this data through Postman.
Below I’ll go through the steps to set Postman up and get this same export.

First, Install Postman on your pc.
Postman API Platform
You can also use it in your browser, but you’ll need to perform an extra step then. This is explained well in the video Jeremy Thake made (Getting started with Microsoft Graph Postman workspace (youtube.com).
I’ll cover how I got it to work in the desktop version.
Once you’ve got Postman installed, it will ask you to create an account.
Do this and once your signed in, and got Postman open on your pc, you can continue.
Go to https://aka.ms/graphpostmanwkspc and create a fork of this workspace.

Postman – Create a fork of Microsoft Graph workspace

Open de desktop app of Postman and add your “Environment”.

Change the name of the environment to something you’ll recognise.
In my case I’ve used my tenant name “MattiasVdl”.
Then add the 3 variables we’ll need:
– ClientID
– ClientSecret (I’ve made the Type “Secret” as I prefer the secret to be hidden after it’s entered)
– TenantID

The values you need to fill in here need to be created by creating an new App Registration for Postman.

Create a new App registration in Microsoft Entra.
Give it a name, and don’t forget to set the “Redirect URI” to “Web” and https://oauth.pstmn.io/v1/browser-callback

This is also described in the “Get Started part in the Graph Workspace you just forked.

Microsoft Graph workspace – Get started – Step 2: Create an Azure AD application

Copy the “Application (client) ID” and paste it under “ClientID” in the Environment you created.
Do the same for the “Directory (tenant) ID” which needs to be pasted under “TenantID” in the Environment.

Postman – Environment – ClientID & TenantID

After adding these permissions you’ll have to Grant admin consent for MSFT.
For this you’ll need a Global Administrator.

Now we’re only missing the “Client Secret”.
For this we’ll need to create a new “Client secret” for the App registration we made.

Copy the “Value” of the client secret you created, and paste it under “ClientSecret” in your newly created environment in Postman.

Make sure to copy the Client Secret immediately, as it will be hidden automatically after the admin logs off, and possibly after some time.
It’s not possible to retrieve this secret afterwards.
In case you forgot to copy the secret value, and it’s hidden, you’ll have to create a new one.
Also remember this secret is only valid for the specified period.
You will need to create a new secret after this period if you want to keep using the script.

Don’t forget to Save the configuration of your Environment

Make sure you have your Environment selected on the top right in Postman, then go to the “Application” folder in the fork you created and go to the tab “Authorization”.
This is where we’ll have to request our token to be allowed to make the calls to the Graph.

Postman – Microsoft Graph workspace – Application – Authorization

When you hover over the text in red, you’ll notice the values of your environment are being used.

Postman – Microsoft Graph workspace – Application – Authorization – Hover over variables

Scroll all the way down and click on “Get New Access Token”
You should receive this notification.

Postman – Microsoft Graph workspace – Application – Authorization – Authentication complete

Click on “Proceed”, and you’ll see the token.
Click on “Use Token”

Postman – Microsoft Graph workspace – Application – Authorization – Use Token

Now you should see the token is saved in the application

Postman – Microsoft Graph workspace – Application – Authorization – Token loaded

Everything is set up now to make the request for the data through Postman.
First I create a new folder under “Application” in my fork of the Microsoft Graph.
In this folder I’ll save my own requests.
Here you’ve got an example of the request I created and executed in Postman.

Postman – Microsoft Graph workspace – Application – New Request created and called

The results we get back from Postman are in .json format, so you’ll have to convert it in case you want it in another format.
Also, this method does not load all row, but limits it to the top 999 in this case.
Exporting many more than 1000 records is not recommended.
Instead you should use paging, which will then add “@odata.nextlink” to the export, to link you through to the request which will give you the data for the next x-number of records.
Example below:

Postman – Microsoft Graph workspace – Application – New Request – First response with nextlink

Postman – Microsoft Graph workspace – Application – New Request – Response from nextlink

Sources

Graph Explorer | Try Microsoft Graph APIs – Microsoft Graph
- Response of “JanardhanaVedham-MSFT” on this post on the Microsoft Learn site.
  https://learn.microsoft.com/en-us/answers/questions/658043/export-of-graph-query-results
  - Use Postman with the Microsoft Graph API – Microsoft Graph | Microsoft Learn
  - Use query parameters to customize responses – Microsoft Graph | Microsoft Learn

Manage window location using a script

GitHub

mattiasvdlbe/Windows/ManageAppLocation

Why?

We where asked to help with setting up the work desk of the operator of a new line which was being installed.
After talking to the people involved in the project, the operators and analysing what there exact requirements, we ended up suggesting 2 big 43″ 4k displays connected to 1 pc.

This made sure we had enough screen real estate to display all of the tools and applications which they need to do there job, but the default Windows window snapping system is insufficient.
The operator has more than 8 different windows, and some need to be shown bigger than others.

We could use FancyZones, which is part of Power Toys to customize where and how the different windows can be snapped in place.
However, if the user needs to snap all the different windows in place every time the pc is restarted, this would get really annoying.

We decided to check if we couldn’t achieve this with just a hotkey on the keyboard which calls a script.

After doing some research, I found the best and easiest way to achieve this currently is using a command line utility called NirCmd from NirSoft.

I would have preferred not having to use a 3rd party utility to achieve this, but this didn’t seem to be possible yet, or wasn’t as user friendly.
In the near future, we might be able to use the upcoming API exposed by the Windows UIAutomation platform, but this is only available at the moment if the Windows Insider Preview SDK is installed.

What?

Script in which we specify the size of specific windows, and where they need to be positioned on the screen.

Change the language of the users mailbox

A new employee started at the company I work for.
He speaks German, and our environment is set up in Dutch.

After creating and setting up his account, we noticed his mailbox remained in Dutch, even though we set the language everywhere we could in the GUI and AD to German (de-DE).
This included the changes I wrote about in this post:
https://www.mattiasvdl.be/display-language-in-hybrid-environment/

Outlook – Foldernames in Dutch while everything else in German

As everything is in German (web browser, Windows, Microsoft 365, …) except for his mailbox which was displayed in Dutch, I decided to user the Exchange Powershell module in order to check if I can find any language or regional settings which might be hidden in the UI.

And what do you know! That’s exactly what I found. A hidden setting in Exchange online which specifies the language of the mailbox.

Powershell ExchangeOnline module – MailboxRegionalConfiguration shows the hidden language setting

After changing the language here, you can force the folder names to be reset by starting Outlook using the “/resetfoldernames” argument.

The foldernames should now be displayed in the language you specified using Powershell.

Below you can find the code I used:

# Install the ExchangeOnline module incase you haven't got the module yet:
Import-Module ExchangeOnlineManagement

# Connect to ExchangeOnline:
Connect-ExchangeOnline -UserPrincipalName %YourAdminUPN%

# Check what language is currently set for the user:
Get-MailboxRegionalConfiguration -Identity %UPNOfTheUserMailbox%

# Change the language for this mailbox:
Set-MailboxRegionalConfiguration -Identity %UPNOfTheUserMailbox% -Language %LanguageCode%

# Disconnect from ExchangeOnline:
Disconnect-ExchangeOnline

The language codes you can use can be found here:
[MS-OE376]: Part 4 Section 7.6.2.39, LCID (Locale ID) | Microsoft Learn

Outlook – Teams Meeting – Change language of invite

Without meeting policy

By default, most users have the Office Display Language set to their native language.
When sending out a Teams meeting request in Outlook, you will notice this meeting request will use the Office Display Language.

If you prefer the meeting request to be sent out in a different language, you’ll have to adjust your Office Display Language to the language you prefer for the meeting requests.

Outlook – Change Office display language

After changing the Office display language, restart Microsoft Outlook and restart Outlook.

Note: After restarting Outlook, you’ll notice the first Teams meeting invite you try to create will still be in the language that was previously set.
Just close this meeting request and create a new one.
This one should be in your new Office display language.

Using a policy to set default meeting request language

In an Organisation environment, it might be more interesting if this can be managed by the system administrators.

It is possible to pin the language used for the meeting invites down by using a Teams Policy.
The option which needs to be set is sadly enough not visible in the Teams Admin Center, so we’ll have to adjust this setting through Powershell.
For this we’ll need to use the MicrosoftTeams Module.

Below you’ll find the PowerShell commands which I used to add the Teams Meeting invite in 2 languages when you click on the Teams Meeting button in Outlook.

Outlook – Example 2 languages in meeting request

As this is a policy change, you will need to have a policy group to which you want to assign it.
I’ve created a new Meeting Policy (MattiasVdlTestGroup) just for testing functionality:

In case you haven’t installed the MicrosoftTeams module yet in PowerShell, execute the following code:

Install-Module -Name MicrosoftTeams -Scope CurrentUser

When you’ve got the module installed, connect to your tenant using the command:

Connect-MicrosoftTeams

A pop-up window will appear in which you will have to select the account which has Teams admin rights.

First I want to check to make sure the custom Meeting Policy I created can be found and what settings can be set for it.
For this I used the following command:

Get-CsTeamsMeetingPolicy

This gave me this result:

Next we want to the languages for the meeting requests.
In my case, I’ve set the language “en-GB” and “it-IT”.
This is done with the following code:

Set-CsTeamsMeetingPolicy -Identity "MattiasVdlTestGroup" -MeetingInviteLanguages "en-GB,it-IT"

Language codes can be found here:
[MS-OE376]: Part 4 Section 7.6.2.39, LCID (Locale ID) | Microsoft Learn

Finally I wanted to assign this Meeting Policy to a custom security group I created in Azure Active Directory.
This is done in the Teams Admin Center:

Teams Admin Center – Group policy assignment

The policy with the lowest number has the highest priority.
More information about this:
Assign policies to users and groups – Microsoft Teams | Microsoft Learn

Source:

Teams Meeting Invitation Language Set by Meeting Policy (office365itpros.com)

Package and Upload Intune Win32 app using .ps1 script

GitHub

mattiasvdlbe/MS Endpoint Manager/Apps/PackageAndUploadIntuneWin32AppUsingPs1Script

Why?

A couple of months ago, I needed to create a lot of Win32 apps.
As I knew these apps would have to be updated and repackaged quite a few times in the future, I decided it would be worth the effort to automate this process using a script.

The purpose of these apps was to create a shortcut under the Start Menu of the end user which points to a script placed under %PROGRAMDATA%.
When executing this script, a check was done to see if the end user is working in the office or remote.
If the end user works remotely, then the application is started in an RDS environment. Otherwise, the app gets started locally on his device.

This post is focussed on the deployment of Intune Win32 apps using a Powershell script, and as such doesn’t contain the code I mentioned above.

What?

PackageAndUploadIntuneWin32App.ps1
This Powershell script contains all of the code to generate the 3 needed Powershell scripts, package the application and upload it to Intune.

The 3 Powershell scripts which need to be generated:
– App_MattiasVdl_Setup.ps1
This script is used to create the shortcut under the start menu, and copy the script, which is executed by the shortcut, to the correct location.
– App_MattiasVdl.ps1
This is the script which gets executed when a user clicks on the shortcut which was created under the Start Menu.
All logic which was in this script has been removed, and all it does now is display a message box.
– App_MattiasVdl_Detection.ps1
This script is used by Intune to detect whether or not the application has been correctly installed on the device.

To start off with, a lot of variables are declared which are later used in the application.

We specify an array which contains the different types of scripts which need to be created.

The script makes use of “template” scripts, in which there are strings of text that get replace by the correct values.
The location of these template scripts is defined in the variables.

We also specify in these variables what the name of the application needs to be, what icon to use and the log which should be used in Intune.

We use a foreach loop to generate the necessary scripts.

First we load the script into a variable, and save the output URL to a variable so we can use it later.

Next we modify the script which we loaded into a variable.
We replace all instanced of the variables we placed in the template (using the “{}” as a way to easily be able to replace the strings without replacing things which shouldn’t be replaced.

Then the modified script gets saved to the output URL which we saved to a variable earlier.

The script copies the icon over from the original location to the folder which will be be packaged and uploaded to InTune.

All necessary preparations have now been done and we’re ready to package the application.
This is done using the IntuneWinAppUtil.exe, which is also available on my Repository, but I recommend you download the latest version of this app from the original creator (microsoft/Microsoft-Win32-Content-Prep-Tool).

Now it’s time to upload the application to InTune.
First we set some of the variables which will be used.
Change the TenantID in line 106 “Connect-MSIntuneGraph” to your own TenantID.

In my example script I’m not setting any dependencies, supersedence or assignments.
These can all be added automatically, but in my case, I prefer to manually check up on the applications which are uploaded and assign them to the relevant groups manually.

App_Link_Application_Setup.ps1

This script contains the base code, which is edited by the main script, and is used to install the application script and shortcuts on the end-user device.

Note:
There are multiple ways of adding folders and files to your Start Menu.
Only for 1 user: %APPDATA%\Microsoft\Windows\Start Menu\Programs
For all users: %PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs

Also keep in mind that the name of the shortcut can’t be the same of the name of the folder. If the name of the folder is identical to the name of the shortcut, then the folder will not be shown!

App_Link_Application.ps1

This is the script which will get executed when the end-user presses the shortcut which has been added in there Start Menu.

App_Link_Application_Detection.ps1

This is the detection script which reports back to Intune whether or not the applications has been installed correctly.

Note:
In order for a detection script to work properly, it needs to both exit with code 0 AND write something to STDOUT

Sources

Display language in Hybrid environment

In a cloud environment, you can change your display language on Microsoft 365 (https://www.office.com) when you click on the gear icon on the top right of the page, and then selecting “Change your language”.

For users in a Hybrid environment, the possibility to chose the display language is greyed out.

Office.com – Change display language greyed out

In order to change the Display language, the user needs to contact the administrator of his organisation, which can then change the language to the preferred language in Active Directory.

The administrator needs to change the attribute “preferredLanguage” to the preferred language code under the users properties (Attribute Editor), in Active Directory Users and Computers.

Active Directory Users and Computers – User properties – Attribute Editor

After setting this value to the prefered value, it will take some time before this value is synced to Azure Active Directory, and take effect for the user in Office.com.

To speed up this proces, you can trigger a Delta sync from the server which contains the “Azure AD Connect” application.

Open a elevated Powershell Prompt on that machine, and type in the following code:

Start-ADSyncSyncCycle -PolicyType Delta

Once the sync is completed, you should see the same value as you set under “preferedLanguage” in the properties of the user in Active Directory, appear in the Azure Active Directory admin center in “Overview” – “Properties”:

Azure Active Directory admin center – Preferred language

Next time the user in question logs in on Office.com, the language should be changed to the set value.

Update User Data

GitHub

mattiasvdlbe/Azure Active Directory/UpdateUserData

Why?

After updating the user data of a big list of users in Active Directory, we noticed the Usage Location was not updated in Azure Active Directory.
For this I created another script which goes over the same .csv file as the script did which updated the AD information.

What?

See my post about the script which I created to update the Active Directory User data.

This script loads in the same .csv file and loops over all users in the file and updates the necessary fields.

Update User Data

GitHub

mattiasvdlbe/Active Directory/UpdateUserData

Why?

I had to make a bulk update of data for a list of users, and instead of opening each user profile one by one and changing the values, I decided to write a script which could do this in bulk for me. It saved me a lot of time and avoided typing and other user errors.
I only needed to make sure the input csv was set up correctly.

What?

I started of with an export of all necessary fields from the Active directory, made this a bit more readable for the people responsible for determining the data which needs to be updated, and provided the file to them for correction of the data.
When I received the file back, I made sure all necessary data was filled in, generated the necessary codes for the countries, and generate the .csv file this script needs to make the updates.

This script loads in the .csv file and loops over all users in the file and updates the necessary fields.

More information

The titles in the .csv file are the names used in AD.
You can look these up in the “Attribute Editor” tab.
For the Country details:
- “c” = 2-character ISO-3166 country code (ex.: BE)
- “co” = the name of the country as a text string (ex.: Belgium)
- “countryCode” = the country code for the user’s language of choice (ex.: 56)

List of ISO 3166 country codes – Wikipedia

In this script I only changed a couple of fields, as more where not required in this case.
I also just cleared some attributes, without replacing them.
You should be able to edit the code based on this example in case you need to edit more attributes.

Enable PrtScr Snipping Tool

GitHub

mattiasvdlbe/MS Endpoint Manager/Proactive Remediations/PR_U_EnablePrtScrSnippingTool

Why?

The Windows Snipping tool is a very useful tool to quickly make print screen of specific parts of your screen.

The ability to start the application by clicking on the print screen button on your keyboard instead of having to open the program manually can save you time and is just a big convenience.

In the windows settings, you can manually enable this setting, but I’ve created a script so this functionality can be pushed to the devices of the end users without manual action.
This saves me or the end user having to remember to turn this setting on after they start using a newly rolled out device.

What?

This script checks if this function is enabled.
In the settings of Windows, you can find this setting here:

Set Print screen button to open Screen Snipping Tool

In case this option isn’t enabled yet, the remediation is triggered which will enable this function.

It also creates a log with some text outputs which are specified in the script.
For this, it uses an implemented function called “Write-Log()”
If you want to use this script, don’t forget to change the log output path.

Time And Date Correction

GitHub

mattiasvdlbe/MS Endpoint Manager/Proactive Remediations/PR_S_TimeAndDateCorrection

Why?

Some time ago, we had some devices which were no longer running on the correct time.
On the devices in question the users didn’t have administrator permissions, so they couldn’t change the time and date themselves.

As the end users needed to be able to continue their work as soon as possible, and the issue wasn’t widespread, we decided to just create a small script to fix the issue.
The script shared in this post, is more advanced, and has more options.

If you want to use it, check if all things checked and set in this script are relevant in your case.

What?

This script does some checks to make sure the end user device is using the correct date and time.

Things the proactive remediation checks:

StartupType of the Windows Time Service is set to “Manual” (which is the default setting)
Windows Time Service is running
“Set the time automatically” is activated
Location use is allowed (Privacy setting).
Location use needs to be allowed if you want to allow the system to automatically detect what time zone your currently in.
“Set the time zone automatically” is enabled
Compare NtpServer time and the local computer time.
If there’s a difference of more than 15 seconds either way (ahead or behind)

In case any of these checks fails, the remediation gets triggered, which then puts the system back to our desired configuration.

Other functions which are implemented:

Get-CurrentNtpServer()
Get-NtpTime()
All credits to Tim Curwick for this function.
https://madwithpowershell.blogspot.com/2016/06/getting-current-time-from-ntp-service.html

I’ve only added a While loop to retry retrieving the NtpTime in case it fails the first time around. In case of failure, it retries again after 30 seconds. It can retry at most 2 times.