What is the best way to execute PowerShell graph command executed against Azure / Entra ID ?

EnterpriseArchitect 5,136

What is the best way to execute the PowerShell graph command executed against Azure / Entra ID ?

$date = (Get-Date -Format "yyyy-MM-dd") 2Get-MgRiskDetection -All -Filter "ActivityDateTime ge $date and RiskLevel eq 'high'"

The report will be sent to my email address with the above script when there is a result.

Michael Cameron 587 Reputation points

2024-05-27T15:44:37.01+00:00

Define "best". What are you trying to achieve? Whatever way you choose will require authentication and the tenant has to be licensed to support this.

Sounds like a powershell function app with a timer trigger but I'm kind of guessing about your requirements
Sina Salam 7,286 Reputation points

2024-05-27T17:00:00.69+00:00
Hello EnterpriseArchitect,

Welcome to the Microsoft Q&A and thank you for posting your questions here.

I understand that you are asking the best practices to automate the execution of a PowerShell script that queries Azure AD/Entra ID and sends the results via email.

This prescribed solution was based on the scenario given and your questions, while focusing on the problem statement. Based on my experience, the best practices used based on Microsoft standard and use case are the followings:

Install Required Modules, you will need to ensure you have the AzureAD and Microsoft.Graph modules installed.

Authenticate to Azure, you will connect to the Azure AD/Entra ID using your credentials.

Run the Command, you will have to execute the PowerShell command to get the (risk detections) or your desire purpose.

Check for Results, then verify if there are any results.

Send an Email, if there are results, send an email with the report.

Use Task Scheduler to run the script daily at a specified time.

Best Regards,

Sina Salam
EnterpriseArchitect 5,136 Reputation points

2024-05-29T06:30:53.4766667+00:00

I wanted to avoid using any Onpremise server to execute the script with the password in clear text executed with Task scheduler.

so how can I deploy the script on Azure Function or Power Automate instead?
Sina Salam 7,286 Reputation points

2024-05-29T21:13:02.5633333+00:00
Hi EnterpriseArchitect,

Thank you for your feedback.

Absolutely, you can definitely use Azure Functions or Power Automate to run your scripts.

For the Azure Functions:

Create a Function App in Azure portal.

Create a new function in the Function App. Choose the trigger that suits your needs (for example, an HTTP trigger if you want to call your function via an HTTP request).

Write your script in the function's code editor. Azure Functions support multiple languages including JavaScript, C#, Python, and PowerShell.

Store your sensitive data like passwords in Azure Key Vault and access them from your function using Managed Identities. This way, you don't have to store passwords in clear text in your scripts.

Save and test your function.

For the Power Automate:

Create a new flow in Power Automate.

Choose the trigger that suits your needs.

Add an action to run your script. If your script is a PowerShell script, you can use the "Run PowerShell script" action. If it's a different type of script, you might need to use the "Run inline code" action or similar.

Write your script in the action's code editor.

Store your sensitive data like passwords in Azure Key Vault and access them from your flow. This way, you don't have to store passwords in clear text in your scripts.

Save and test your flow.

Remember, both Azure Functions and Power Automate are secure and scalable solutions for running your scripts in the cloud without the need for an on-premise server.

BR,

Sina
EnterpriseArchitect 5,136 Reputation points

2024-06-03T12:16:57.4433333+00:00

@Sina Salam ,
OK, with the Azure Function, how can I integrate the https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.secretmanagement/?view=ps-modules with the PowerShell script above so it can be executed when there is user risk triggered in Azure AD / Entra ID?
Sina Salam 7,286 Reputation points

2024-06-03T12:33:37.67+00:00
Hi EnterpriseArchitect,

Thank you for asking more,

To integrate the SecretManagement PowerShell module with an Azure Function, you can follow these steps, this will be step 3 from above, after you have created your Function App:

Install the SecretManagement Module: In your Azure Function, you can install the SecretManagement module using the command Install-Module -Name Microsoft.PowerShell.SecretManagement -Repository PSGallery -Force.

Register the Azure Key Vault with SecretManagement: After installing the SecretManagement module, you can register your Azure Key Vault with it. This can be done using the Register-SecretVault cmdlet with your Azure Key Vault name and Subscription ID.

Use Azure Key Vault Secrets in Automation: Once you’ve registered your Azure Key Vault with SecretManagement, you can use the Get-Secret cmdlet to retrieve secrets from your Azure Key Vault.

Integrate with Azure AD / Entra ID: If there’s a user risk triggered in Azure AD / Entra ID, you can execute your PowerShell script in the Azure Function. You can use the retrieved secrets in your script as needed.

For more reading and step-by-steps kindly read the below resources:

Use Azure Key Vault in automation - PowerShell:

https://learn.microsoft.com/en-us/powershell/utility-modules/secretmanagement/how-to/using-azure-keyvault?view=ps-modules.

Create a Function App and Function.

Install the SecretManagement Module.

Store Secrets in Azure Key Vault.

Microsoft.PowerShell.SecretManagement.

Configure Managed Identity for the Function App.

Write the PowerShell Script.

Success,

Sina

1 answer

Givary-MSFT 30,851 Reputation points Microsoft Employee

2024-05-31T08:08:46.1833333+00:00
@EnterpriseArchitect To execute the PowerShell Graph command against Azure/Entra ID and send the report to your email address, you can follow these steps:

Connect-MgGraph cmdlet. You will need to provide your credentials and consent to the necessary permissions.

Run the command to get the risk detections with high risk level for the current date: $date = (Get-Date -Format "yyyy-MM-dd") $riskDetections = Get-MgRiskDetection -All -Filter "ActivityDateTime ge $date and RiskLevel eq 'high'"

Check if the $riskDetections variable contains any results. If there are no results, you can exit the script. If there are results, you can continue with sending the report to your email address.

Use the Send-MailMessage cmdlet to send the report to your email address. Here is an example:

$emailFrom = "sender@example.com" $emailTo = "recipient@example.com" $emailSubject = "High Risk Detections Report" $emailBody = "Please find attached the report for high risk detections for $date." $attachmentPath = "C:\Reports\HighRiskDetections.csv" $smtpServer = "smtp.example.com" $smtpPort = 587 $smtpCredential = Get-Credential $emailParams = @{ From = $emailFrom To = $emailTo Subject = $emailSubject Body = $emailBody SmtpServer = $smtpServer SmtpPort = $smtpPort Credential = $smtpCredential UseSsl = $true Attachments = $attachmentPath } Send-MailMessage @emailParams

In this example, the report is saved as a CSV file at C:\Reports\HighRiskDetections.csv. You will need to modify the $emailFrom, $emailTo, $smtpServer, $smtpPort, and $smtpCredential variables to match your email settings. You can also modify the email subject and body to your liking.

Save the script as a .ps1 file and schedule it to run at a desired frequency using Azure Automation.

Note: The above suggestion is AI-generated and appears to be valid upon review. Please test it in a test environment before deploying it to production.

Let me know if you have any further questions, feel free to post back.
Please sign in to rate this answer.
EnterpriseArchitect 5,136 Reputation points

2024-06-03T12:15:15.4433333+00:00

@Givary-MSFT ,
How can I use this module https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.secretmanagement/?view=ps-modules to prevent hard coding the Password in the script?
Sign in to comment

Share via

What is the best way to execute PowerShell graph command executed against Azure / Entra ID ?

1 answer