Browsed by
Author: Steven Hosking

Microsoft Graph and Client ID’s

Microsoft Graph and Client ID’s

Recently I have been working in PowerShell to access Microsoft Graph, primarily to interact with Intune. My starting point has been the Samples provided by Microsoft here:¬†https://github.com/microsoftgraph/powershell-intune-samples while extending the samples to modify the AAD user objects I started getting Access Denied even with a Global Admin account, really weird right, well it comes down to the $clientid variable in the samples which are for the “Microsoft Intune PowerShell” Service¬†Principal, I needed to use the “Microsoft Azure PowerShell” Service Principal.

Sounds easy enough right? After spending a little time scouring the internet I couldn’t find the “ClientID” for Azure Active Directory, in the end I got around it by finding the GUID on another blog (Don’t recall the Blog).

Which got me thinking, this information should be stored somewhere on the Tenant, and after much investigation I’ve fond the Service Principal’s via using the AzureAD PowerShell module with the “Get-AzureADServicePrincipal” command, if your tenant is look mine you will have a flash of objects fly by we have over 300+ objects in ours, luckily I have demo Tenant which I can run Get-AzureADServicePrincipal to obtain the full list of ClientID’s which are there by default, with Intune enabled we have 21 objects, in this solution we are only looking for the 2 ClientID’s for Microsoft Azure PowerShell and Microsoft Azure PowerShell, which are (The full connection scripts for PowerShell to Microsoft Graph have a look in the samples in the above link):

AAD ClientID = “1950a258-227b-4e31-a9cf-717495945fc2”

Intune ClientID = “d1ddf0e4-d672-4dae-b554-9d5bdfd93547”

To note when you return the full list of the Service Principal’s with PowerShell the ClientID is named AppID.

Depending upon how the Service Principal’s have been configured you might not be able to use the AppID in PowerShell to invoke commands on Microsoft Graph.

Good Luck

Steve.

Create a Device Collection based on a User Collection

Create a Device Collection based on a User Collection

I had an interesting discussion with a past colleague the other day where he was asking around to find out if it was possible to create a Device Collection based off a User Collection using the Primary Device option. After a bit of back and forth and him providing the query he was using for the user collection we started playing around with SubSelect queries to see if we can even reference User objects in the device collection.

So to start off we create the simple user query of get user x when in domain y like so:

select *

from SMS_R_User

where SMS_R_User.UserPrincipalName Like ‘%hosking%’

and SMS_R_USER.WindowsNTDomain like ‘%domain%’

Which will return my user account into a User Collection let’s call “Steves User Account” with a collection ID of “P0100024” from here we will move over to the device collection area of the console and create a collection called “Steve Primary Computers” and for this collection we will use the following query:

select *

from SMS_R_System

where SMS_R_System.resourceID in

(select SMS_UserMachineRelationship.resourceID

from SMS_R_User

join SMS_UserMachineRelationship on SMS_UserMachineRelationship.UniqueUserName = SMS_R_User.UniqueUserName

where SMS_R_User.UserPrincipalName Like ‘%hosking%’

and SMS_R_USER.WindowsNTDomain like ‘%domain%’)

So what we are doing here is using the SMS_UserMachineRelationship table which holds the information for Primary Computers for each user, and limiting the search for my username and Domain, which we then return the ResourceID, and finally we then return the SMS_R_system Resources which are in the query into the Device collection.

So this works great, but it does mean that I now have the same query in 2 different locations so if I want to change the query in the User Collection, I will then need to update the query in the Computer Collection.

So we looked at just including the User Collection itself in the query, this information is actually captured in a table accessible via WMI in tables that share this type of naming convention: SMS_CM_RES_COLL_<CollectionID> so from here we wrote this query:

select sms_r_system.name

from SMS_R_System

where SMS_R_System.resourceID in

(select SMS_UserMachineRelationship.resourceID

from SMS_CM_RES_COLL_P0100024

join SMS_UserMachineRelationship on SMS_UserMachineRelationship.UniqueUserName = SMS_CM_RES_COLL_P0100024.SMSID)

This query is even easy then the middle one as all we are doing using the UniqueUserName field from the SMS_UserMachineRelationship table and joining it with the SMSID from the collection table and returning the ResourceID like we did in the previous query.

Good Luck

Steve