All posts by Brian Nøhr

Intune: Graph API with Json

The Microsoft Graph API is a very powerful way to consume, integrate and interact with Microsoft Cloud services.

With a few scripts or lines of PowerShell you'll be able to set up many of the policies within Intune.

The example below defines the JSON body of a compliance policy for iOS devices as a PowerShell hashtable; combined with some scripting from GitHub, it lets you do an Intune setup in no time.

# "@odata.type" is kept in a variable so it can be used as a hashtable key
$odata = "@odata.type"
# Compliance policy settings; the hashtable is converted to JSON for the Graph request
$iOSpolicy = @{
    $odata = "#microsoft.graph.iosCompliancePolicy"
    "description" = "Created using Microsoft Graph"
    "displayName" = "iOS Compliance Policy"
    "passcodeBlockSimple" = $true
    "passcodeExpirationDays" = 90
    "passcodeMinimumLength" = 8
    "passcodeMinutesOfInactivityBeforeLock" = 5
    "passcodePreviousPasscodeBlockCount" = 2
    "passcodeMinimumCharacterSetCount" = 0
    "passcodeRequiredType" = "alphanumeric"
    "passcodeRequired" = $true
    "osMinimumVersion" = "9.0"
    "osMaximumVersion" = "11.0"
    "securityBlockJailbrokenDevices" = $true
    "deviceThreatProtectionEnabled" = $true
    "deviceThreatProtectionRequiredSecurityLevel" = "low"
}


Lock the Company Portal in single app mode until user sign-in

With the release of Intune yesterday (27 August 2018), it is now possible to run the Company Portal in Single App mode if you authenticate a user through the Company Portal instead of Setup Assistant during DEP enrollment.

This option locks the device immediately after Setup Assistant completes, so that a user must sign in to access the device. This makes sure that the device completes onboarding and is not orphaned in a state with no user tied to it.

Create a custom banned password list in Azure AD

I have seen many users create passwords using common local words, such as a school, sports team, or famous person, which makes them easy to guess. Within Azure AD you can create a custom banned password list, which lets you add strings to evaluate and block, in addition to the global banned password list from Microsoft, when users and administrators attempt to change or reset a password.

How to create a banned password list

Before you can configure the custom banned password list, you must have an Azure Active Directory Premium P1 or P2 license.

  • Sign in to the Azure portal and browse to Azure Active Directory -> Authentication methods -> Password protection (Preview)
  • Set the option Enforce custom list to Yes
  • Add strings to the Custom banned password list, one string per line
    • The custom banned password list can contain up to 1000 words
    • The custom banned password list is case-insensitive
    • The minimum string length is four characters and the maximum is 16 characters
    • The custom banned password list considers common character substitution
      • Example: “o” and “0” or “a” and “@”
  • When you’re done, click Save



When you try to reset a password to something that would be banned, you’ll see the following error message:

Unfortunately, your password contains a word, phrase, or pattern that makes your password easily guessable. Please try again with a different password.
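
The limits listed in the steps above can be checked before a list is pasted into the portal. The following PowerShell function is an added example, not code from the original post or from Microsoft; `Test-BannedPasswordList`, its parameters and the sample entries are hypothetical, and the substitution map holds only the two pairs named above, not Azure AD's full normalization.

```powershell
# Hypothetical helper: lint a candidate custom banned password list offline.
# Limits come from the steps above. The substitution map holds only the two
# pairs this page names (assumption: Azure AD's real table is larger).
function Test-BannedPasswordList {
    param(
        [Parameter(Mandatory)][AllowEmptyString()][string[]]$Entries,
        [int]$MaxEntries = 1000,
        [int]$MinLength  = 4,
        [int]$MaxLength  = 16
    )
    $substitutions = @{ '0' = 'o'; '@' = 'a' }
    $seen     = @{}    # normalized form -> first entry that produced it
    $accepted = [System.Collections.Generic.List[string]]::new()
    $rejected = [System.Collections.Generic.List[object]]::new()

    foreach ($raw in $Entries) {
        $entry = $raw.Trim()
        if ($entry.Length -eq 0) { continue }    # blank lines are not entries

        if ($entry.Length -lt $MinLength -or $entry.Length -gt $MaxLength) {
            $rejected.Add([pscustomobject]@{ Entry = $entry; Reason = "length must be ${MinLength} to ${MaxLength}" })
            continue
        }
        # The list is case-insensitive, so fold case, then undo substitutions.
        $normalized = $entry.ToLowerInvariant()
        foreach ($char in $substitutions.Keys) {
            $normalized = $normalized.Replace($char, $substitutions[$char])
        }
        if ($seen.ContainsKey($normalized)) {
            # Same word after normalization: it only wastes one of the slots.
            $rejected.Add([pscustomobject]@{ Entry = $entry; Reason = "redundant with '$($seen[$normalized])'" })
            continue
        }
        $seen[$normalized] = $entry
        $accepted.Add($entry)
    }
    [pscustomobject]@{
        Accepted  = $accepted
        Rejected  = $rejected
        OverLimit = $accepted.Count -gt $MaxEntries
    }
}

# Constructed sample entries, not a real organisation's list.
$sample = 'Contoso', 'c0ntoso', 'CONTOSO', 'P@ssword', 'password', 'abc', 'FootballClubCopenhagen', 'Vikings'
$result = Test-BannedPasswordList -Entries $sample
"Keep: " + ($result.Accepted -join ', ')
$result.Rejected | Format-Table -AutoSize
"Over the entry limit: $($result.OverLimit)"
```

Entries reported as redundant differ from an earlier entry only by case or by the two substitutions, so dropping them frees slots in the 1000-word list without changing what is blocked.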