Nathan McNulty
@nathanmcnulty.com
Loves Jesus, loves others | Husband, father of 4, security solutions architect, love to learn and teach | Microsoft MVP | @TribeOfHackers | 🐘infosec.exchange@nathanmcnulty
Nice! Not dumb, just sometimes the way they store the data doesn't make any sense when viewed from outside of whatever their internal design/architecture is.
Sometimes there's a good reason for why they did things a certain way, sometimes nobody knows, lol
November 10, 2025 at 6:05 PM
I'll have to look later when I can get some time on my laptop, but look for the Service Principal AppID for Entitlement management: ec245c98-4a90-40c2-955a-88b727d97151
I bet we see this in Audit Logs, but not sure about stored in Graph on the assignments...
November 10, 2025 at 5:51 PM
I bet you would have to use /beta for this
There's a bunch of stuff in here where you have to use both APIs to do things...
Like expiration is only in /beta but you can't do Verified ID in /beta...... So you have to hit /v1.0/ then patch/put /beta/ :-/
November 10, 2025 at 5:48 PM
I don't think it differentiates between Active assignment through PIM vs Entra roles
If you are looking only for assignments through Access Packages, I would have to do a lot of digging - those APIs are a mess with inaccurate documentation... :-/
November 10, 2025 at 5:42 PM
Like this?
# Get active assignments
Get-MgBetaRoleManagementDirectoryRoleAssignmentSchedule -ExpandProperty RoleDefinition,Principal,DirectoryScope -All
# Get eligible assignments
Get-MgBetaRoleManagementDirectoryRoleEligibilitySchedule -ExpandProperty RoleDefinition,Principal,DirectoryScope -All
November 10, 2025 at 5:41 PM
Every time I see stuff like this, my reaction is always the same
[GIF: a man with a beard and mustache is laughing with his mouth open]
November 3, 2025 at 11:04 PM
Unix be like let's just shorten that up a bit - "jek" sounds good 🙃
November 3, 2025 at 12:18 AM
It's crazy the amount of effort that can go into building enough resiliency :p
October 31, 2025 at 4:43 AM
lol, Bejing Mike cracked me up so much, pointed it out in one of my conference sessions recently :p
October 26, 2025 at 8:46 PM
Hehe, neither is really better or worse imo, just an order to ensure no conflicts
October 26, 2025 at 8:45 PM
This is why a consultant's answer is always "it depends"
Are Cross Tenant Access Settings included in Entra Free? Well, it depends™️
There are many controls where All/None is in the Free tier, but Some/Targeted requires P1 btw
Sure would be nice to have a list somewhere... 😡
October 21, 2025 at 4:58 AM
Sign-in frequency of every time? 🙃 😂
October 19, 2025 at 2:58 AM
🤣
I was updating internal documentation for our auditors and was like, "crap, I missed this update last year, better correct it" and then the auditors said the item didn't exist.
Sure enough, the rename never hit this wonderfully buried page in Entra, lol
The docs are good though :)
October 19, 2025 at 2:57 AM
Thanks Simon! Really appreciate having some pictures too :)
October 14, 2025 at 8:21 PM