Category Archives: M365Permissions

Automation, EntraID, Identity, M365Permissions, Powershell

Categorizing Service Principals in Entra

12/09/2025 JosL Leave a comment

For M365Permissions I wanted to categorize service principals in an actually useful way.

This is what I came up with so far

    function get-servicePrincipalType{
        Param(
            [Parameter(Mandatory=$true)][object]$spn
        )

        #managed identities are simple :)
        if($spn.servicePrincipalType -eq "ManagedIdentity"){
            return "ManagedIdentity"
        }        

        #other SPN's can be hosted by us, by Microsoft or by a third party 
        #Although 9188040d-6c67-4c5b-b112-36a304b66dad is also officially Msft, it contains consumer apps not built or vetted by Microsoft thus we treat it as third party
        if($spn.appOwnerOrganizationId -in ("f8cdef31-a31e-4b4a-93e4-5f571e91255a","72f988bf-86f1-41af-91ab-2d7cd011db47","7579c9b7-9fa5-4860-b7ac-742d42053c54")){
            return "MicrosoftApplication"
        }elseif($spn.appOwnerOrganizationId -eq &lt;YOURTENANTID>){
            #this is either a homebrew app or an AI agentic app
            if($spn.tags -and ($spn.tags -contains "AgenticApp" -or $spn.tags -contains "AIAgentBuilder")){
                return "AiAgent"
            }else{
                return "InHouseApplication"
            }
        }else{
            return "ThirdPartyApplication"
        }              
    }

Azure, M365Permissions

Azure VM Spot Pricing API

15/08/2025 JosL Leave a comment

The Azure Retail Prices API does not give correct prices for SPOT VM’s (which can change at any time).

As I use SPOT VM’s a lot to scan largers tenants with M365Permissions to avoid throttling and get results FAST, I needed a reliable way to get the lowest priced F-series VM to temporarily finish a scan queue before getting discarded again.

I created an initial function using the ‘hidden’ retail billing API which calls the ‘https://s2.billing.ext.azure.com/api/Billing/Subscription/GetSpecsCosts?SpotPricing=true’ endpoint.

My post on Linked then got some advice Morten which I now finally got around into creating a function for, using an official instead of ‘hidden’ API!

This resulted in the Get-VmSpotPrices function, which I’m sharing for free through Github:

https://github.com/jflieben/assortedFunctionsV2/blob/main/Get-VmSpotPrices.ps1

M365Permissions, Powershell

Converting onedrive url to UPN

30/06/2025 JosL Leave a comment

Had a bit of a struggle converting onedrive for business url’s reliably to UPN’s.

Since a path might contain /personal/ multiple times, and we have those pesky national tenants with special url’s to deal with…

So thought I’d share:

function Get-UPNFromOnedriveUrl{
    Param(
        [string]$url
    )

    $userName = ''
    if ($url -match ':\/\/.*?\..*?\/personal\/(.*?)\/') {
        $userName = $matches[1]
    }else {
        Throw "Invalid OneDrive URL format: $url"
    }

    if(!$global:tenantODStyleDomains){
        $global:tenantODStyleDomains = New-GraphQuery -Uri "https://graph.microsoft.com/v1.0/domains" -Method GET -resource "https://graph.microsoft.com" | ForEach-Object { $_.id.replace(".","_") }
    }

    foreach($tenantODStyleDomain in $global:tenantODStyleDomains){
        if($userName -like "*_$tenantODStyleDomain"){
            $prefix = $userName.Replace("$tenantODStyleDomain","") 
            $suffix = $tenantODStyleDomain.Replace("_",".")
            break
        }
    }

    return "$prefix@$suffix".Replace("_","").ToLower()
}

Automation, Azure, Exchange Online, Identity, M365Permissions, Microsoft Teams, Office 365, OneDrive for Business, PowerBI, Powershell, Security, Sharepoint Online

M365Permissions v1.2.3

16/06/2025 JosL Leave a comment

Performance improvements and Onenote Notebooks.

Today’s release has a ‘special guest’; Morten (blog)! He completely rewrote the entra user and group retrieval code, greatly improving both performance and total capacity!

Other changes of note:

Add support for Onenote Notebook sharing permissions
Treat anonymous sharing links as ‘deleted’ if the sharing level at the site forbids anonymous sharing

Full changelog here

Download / Use:

M365Permissions module page | Github | PSGallery

Automation, Azure, Exchange Online, Identity, M365Permissions, Microsoft Teams, Office 365, OneDrive for Business, PowerBI, Powershell, Security, Sharepoint Online

M365Permissions v1.2.2

19/05/2025 JosL Leave a comment

Are you also curious about all those PowerApps and Flows in your environment? Orphaned ones maybe? Or when someone leaves the company?

1.2.2 adds scanning of PowerApps and Flows! Only when using SPN auth. (setup instructions)

In addition to that, I’ve also added provisional support for scans of tenants in USGOV, USDOD and China. Since I don’t have a test tenant there, I’ll have to rely on you to test how it performs there.

Full changelog here

Download / Use:

M365Permissions module page | Github | PSGallery