How to find last logged in user on Intune/Azure - azure

I am currently working on a project where I am needing to find the active username (not the device name or hostname) of associates on the machines. Since there was no standard naming convention when the devices were provisioned, I am looking to find a way to figure out or see the last logged in users through Azure AD or Intune.
Not sure if I am making this post in the correct place, if not please be kind and suggest where I should post this.
Thanks!

To fetch the details of the last logged-on users on Intune, make use of the query below in Microsoft Graph Explorer:
GET https://graph.microsoft.com/beta/deviceManagement/managedDevices/{managedDeviceId}
The above query will only work on the beta version of Microsoft Graph.
Please check the required permissions below:
In the output response, you can find the UserId and LastlogonDateTime in the usersLoggedOn field.
In order to display the username via UserId, make use of the PowerShell script mentioned in this reference.
Note: The Microsoft Graph API for Intune requires an active Intune license for the tenant. The beta version is subject to change; don't use it for production.
For more information, please refer to the links below:
Get windowsManagedDevice - Microsoft Graph beta | Microsoft Docs
Find out last logon user of MDM assigned Corporate Device - Microsoft Q&A
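As an added example (not code from the original answer, nor a Microsoft script), here is a Python version of the lookup the answer describes: it takes the usersLoggedOn list from the beta managedDevice response, picks the entry with the newest logon time, and maps its userId to a user principal name. The field names usersLoggedOn, userId and lastLogOnDateTime follow the beta managedDevice resource; the device response and the user directory below are constructed sample data, the fetch_json helper is optional and not exercised offline, and the permission names mentioned in its comment are assumptions. It also handles the two cases that bite in practice: a device with no logon records and a userId that no longer resolves to a user.

```python
"""Resolve the last logged-on user of an Intune managed device from the
usersLoggedOn field of GET /beta/deviceManagement/managedDevices/{id}."""
import json
from datetime import datetime, timezone
from urllib.request import Request, urlopen

GRAPH_BETA = "https://graph.microsoft.com/beta"

# Constructed sample response, trimmed to the fields this example uses.
# Ids are placeholders, not real tenant data.
SAMPLE_DEVICE = {
    "id": "00000000-0000-0000-0000-0000000000d1",
    "deviceName": "LAPTOP-7Q2X",
    "usersLoggedOn": [
        {"userId": "00000000-0000-0000-0000-0000000000aa",
         "lastLogOnDateTime": "2022-03-01T08:15:00Z"},
        {"userId": "00000000-0000-0000-0000-0000000000bb",
         "lastLogOnDateTime": "2022-03-04T17:42:10Z"},
    ],
}

# Constructed directory lookup, standing in for one GET /users/{id} per userId.
SAMPLE_USERS = {
    "00000000-0000-0000-0000-0000000000aa": {
        "userPrincipalName": "a.smith@contoso.example", "displayName": "Ava Smith"},
    "00000000-0000-0000-0000-0000000000bb": {
        "userPrincipalName": "b.jones@contoso.example", "displayName": "Ben Jones"},
}


def parse_graph_time(value):
    """Graph returns UTC timestamps with a trailing 'Z'; fromisoformat only
    accepts that suffix from Python 3.11, so normalise it first."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def latest_logon(device):
    """Return the usersLoggedOn entry with the newest lastLogOnDateTime, or None
    when the device has no usable logon records (e.g. enrolled, never signed in)."""
    entries = [e for e in (device.get("usersLoggedOn") or [])
               if e.get("userId") and e.get("lastLogOnDateTime")]
    if not entries:
        return None
    return max(entries, key=lambda e: parse_graph_time(e["lastLogOnDateTime"]))


def resolve_user(user_id, users):
    """Map a userId to UPN/display name. A deleted account leaves the id with no
    directory record, so fall back to the raw id rather than dropping the row."""
    record = users.get(user_id) or {}
    return {"userId": user_id,
            "userPrincipalName": record.get("userPrincipalName"),
            "displayName": record.get("displayName")}


def device_report(device, users):
    """One report row per device: name, last logon user and when it happened."""
    entry = latest_logon(device)
    row = {"deviceName": device.get("deviceName"), "userId": None,
           "userPrincipalName": None, "displayName": None, "lastLogOn": None}
    if entry is not None:
        row.update(resolve_user(entry["userId"], users))
        row["lastLogOn"] = entry["lastLogOnDateTime"]
    return row


def fetch_json(path, access_token):
    """Live call (not used offline). The token is assumed to carry
    DeviceManagementManagedDevices.Read.All for the device and User.Read.All
    for the per-user lookup; adjust to the permissions shown in the answer."""
    req = Request(GRAPH_BETA + path, headers={"Authorization": "Bearer " + access_token})
    with urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    print(json.dumps(device_report(SAMPLE_DEVICE, SAMPLE_USERS), indent=2))
```

To run it against a tenant, replace SAMPLE_DEVICE with fetch_json("/deviceManagement/managedDevices/" + device_id, token) and build the users dict from fetch_json("/users/" + user_id + "?$select=userPrincipalName,displayName", token) for each userId that appears; the rest of the logic is unchanged.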

Related

Get correct telephone properties from Azure AD using Graph API

I'm trying to get user phones from Azure AD using Graph API but without luck.
If, in PowerShell, I use the MsOnline module and issue the following command:
get-azureAdUser | select userPrincipalName,mobile,telephonenumber
I get a user list including all the telephone numbers.
But if, in Graph, I use the command
https://graph.microsoft.com/v1.0/users?$select=userPrincipalName,mobilephone,businessphones
the telephone fields are empty. The list contains the same users, but much of the information is missing.
Is it possible to get the phone numbers using Graph API by using some other command?
A few things to check:
Please check that the access token you are using has the necessary permissions. Refer to the documentation to learn about the permissions required for access.
For example, you need to use either Directory.Read.All or User.Read.All. Both, however, require admin consent.
Also consider that phone numbers are not available for personal Microsoft Accounts (MSA); they're only returned for work/school accounts (AAD).
If you still face issues, share the request ID and timestamp from Graph Explorer.

Azure AD - Sign-in using email as an alternate ID

I realize this is probably a "noob" question but I am trying to follow this guide to enable our users to sign in to Microsoft Azure AD using their email address instead of their UPN.
Some background: Our org uses a UPN scheme that is different from a user's email address. Our UPNs follow the format abc12d#organization.com while a user's email is firstname.last#organization.com. This enables us to have unique UPNs no matter how big our org scales. I am new to Azure AD but I've managed to integrate most of our third-party systems with Azure.
The problem: I mapped the user email field as the UPN for one of our services (Apple Business Manager) and now when a user tries to sign in to their Apple ID, it tries to sign them into Azure with firstname.last#organization.com instead of the Azure UPN abc12d#organization.com. Because we have not enabled Microsoft's "Sign-in using email as an alternate ID" feature, the sign-in window tries to sign them into an account that doesn't exist.
What I've tried: I know the simple solution would be to just change the mapping in Apple Business Manager to use the user's true UPN from Azure, but most of our sign-ins now use the user's email so I really don't want to create confusion. I have tried to follow the guide mentioned above, which I assume is referring to using PowerShell in Azure and not your on-prem AD DS service (but it does not specify). Every time I attempt to follow the guide, I get an error message on step 3 in PowerShell that says Get-AzureADPolicy: The term 'Get-AzureADPolicy' is not recognized as a name of a cmdlet, function, script file, or executable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
I have tried reading through various online forums but am yet to encounter anyone who is encountering this error for this specific use case. No other online documentation has helped me resolve the problem. In my mind, it is probably user error and limited experience with Azure and PowerShell cloud.
Any help would be greatly appreciated! I am happy to provide more information as needed.
Get-AzureADPolicy is under Azure Active Directory PowerShell 2.0-preview.
You need to install the preview release using:
Install-Module AzureADPreview
Don't forget to import it:
Import-Module AzureADPreview
Note that you cannot install both the preview version and the GA version on the same computer at the same time.
Reference here. If it still doesn't work, running Uninstall-Module AzureAD before you install the preview version may be helpful.

Can't use application permissions (roles) to access Microsoft Graph API group calendar

My goal is to list the calendar events of an Office 365 group using the Microsoft Graph API.
The endpoint used is https://graph.microsoft.com/v1.0/groups/{id}/events based on the documentation. Using the Graph Explorer, I'm able to get the information with my delegated permissions. The problem is when I make the same call using application permissions. I'm positive the JWT token contains the required roles to make the call (Group.Read.All, Group.ReadWrite.All) but I'm getting the following error:
Access is denied. Check credentials and try again
Curiously enough, I'm able to get the group /v1.0/groups/{id} but whatever is related to its calendar and events isn't accessible.
Using application permissions to look at group resources/contents is not currently supported. Please see known issues here: https://developer.microsoft.com/en-us/graph/docs/concepts/known_issues#groups-and-microsoft-teams.
If this is required for your scenarios, please vote for
https://officespdev.uservoice.com/forums/224641-feature-requests-and-feedback/suggestions/18747862-app-authentication-to-retrieve-conversation-messag or
https://officespdev.uservoice.com/forums/224641-feature-requests-and-feedback/suggestions/16851937-allow-application-only-consent-to-read-conversation
Both of which are about app-only access to group conversations (similar to group events).
Otherwise please create a new user voice request.

Azure AD application preconsent not working

(Related to this question)
I have an application that should be automatically usable for all customer tenants, and therefore tried this tutorial to enable preconsent.
After running the PowerShell commands and getting the application again, I can see that it is enabled:
PS C:\Windows\system32> $graphResponse.value.recordConsentConditions
SilentConsentForPartnerManagedApp
However, when creating a new tenant (or using an existing one) and trying to access Microsoft Graph's /users call, I get a 500 error until I navigate to https://login.windows.net/common/oauth2/authorize?response_type=code&client_id={0}&prompt=admin_consent (with {0} being the clientId of the app), sign in as an admin and accept the delegation.
Am I missing a step here?
After contacting Microsoft support, this is a bug on their side. They told me yesterday that the engineering team acknowledged it. It will be fixed.
In order to query the MS Graph, your app will need to be granted the appropriate permissions by an end user or by an administrator of the tenant. Usually the best way to acquire consent from an administrator is by using the prompt=admin_consent parameter, as you've done above.
If for some reason you must do so via PowerShell, you can create an oAuth2PermissionGrant object using a consentType of AllPrincipals.
Personally I wouldn't recommend using the recordConsentConditions property. It's only there for legacy reasons - I don't even know what it does.

Office 365 API for Global Address List?

I'm experimenting with the API for Office 365... I can see the results of this query okay:
https://outlook.office365.com/ews/odata/Me/Contacts?$select=DisplayName,EmailAddress1,Birthday,Categories
It shows the contacts stored against a certain user.
Is there an equivalent function for querying the contacts that are stored in the "Global Address List"? The one you get to if you go to the "Admin" link and then the "Users and Groups" link.
Right now, the Office 365 API is based on the user giving the app consent to particular permissions. The Global Address List is not one of these right now. If this is something you are interested in, I would highly recommend submitting this to UserVoice, where our engineering team is monitoring: http://aka.ms/OfficeDevFeedback
Azure Active Directory Graph API will provide what you are looking for.
MSDN reference - "Get Contacts"
Newer documentation is at: https://msdn.microsoft.com/Library/Azure/Ad/Graph/api/api-catalog