365

v0.0.20 EntraFIDOFinder is out

October 20, 2025 by ClaytonT Leave a Comment

4 New keys have been added and a few changes in capabilities!

New Keys:

Hyper FIDO Pro NFC – 23195a52-62d9-40fa-8ee5-23b173f4fb52
Hyper FIDO Pro (CTAP2.1, CTAP2.0, U2F) – 6999180d-630c-442d-b8f7-424b90a43fae
DEMIA SOLVO Fly 80 R3 FIDO Card c – dda9aa35-aaf1-4d3c-b6db-7902fd7dbbbf
IDEMIA SOLVO Fly 80 R3 FIDO Card e – def8ab1a-9f91-44f1-a103-088d8dc7d681

Updated Keys:

Updated ‘NFC’ for AAGUID ‘3f59672f-20aa-4afe-b6f4-7e5e916b6d98’ from ‘✅’ to ‘❌’.
Updated ‘USB’ for AAGUID ‘b12eac35-586c-4809-a4b1-d81af6c305cf’ from ‘✅’ to ‘❌’.
Updated ‘NFC’ for AAGUID ‘b12eac35-586c-4809-a4b1-d81af6c305cf’ from ‘✅’ to ‘❌’.
Updated ‘NFC’ for AAGUID ‘9d3df6ba-282f-11ed-a261-0242ac120002’ from ‘✅’ to ‘❌’.
Updated ‘USB’ for AAGUID ’39a5647e-1853-446c-a1f6-a79bae9f5bc7′ from ‘❌’ to ‘✅’.
Updated ‘BLE’ for AAGUID ’39a5647e-1853-446c-a1f6-a79bae9f5bc7′ from ‘❌’ to ‘✅’.
Updated ‘USB’ for AAGUID ‘820d89ed-d65a-409e-85cb-f73f0578f82a’ from ‘❌’ to ‘✅’.
Updated ‘BLE’ for AAGUID ‘820d89ed-d65a-409e-85cb-f73f0578f82a’ from ‘❌’ to ‘✅’.

How have your FIDO2 implementations been going? Would love to hear your stories!

PowerShell Gallery: https://www.powershellgallery.com/packages/EntraFIDOFinder/0.0.20
GitHub: https://github.com/DevClate/EntraFIDOFinder

EntraFIDOFinder Update

September 26, 2025 by ClaytonT Leave a Comment

There haven’t been much changes the past couple months, but finally a biggish update happened where Microsoft has added 10 more keys that are Attestation capable.

Added Attestation capable keys:

Chipwon Clife Key | 930b0c03-ef46-4ac4-935c-538dccd1fcdb
HID Crescendo 4000 FIDO | aa79f476-ea00-417e-9628-1e8365123922
ID-One Key | 82b0a720-127a-4788-b56d-d1d4b2d82eac
ID-One Key | f2145e86-211e-4931-b874-e22bba7d01cc
VeridiumID Passkey Android SDK | 8d4378b0-725d-4432-b3c2-01fcdaf46286
VeridiumID Passkey iOS SDK | 1e906e14-77af-46bc-ae9f-fe6ef18257e4
VinCSS FIDO2 Fingerprint | 9012593f-43e4-4461-a97a-d92777b55d74
YubiKey 5 Series with NFC – Enhanced PIN | 662ef48a-95e2-4aaa-a6c1-5b9c40375824
YubiKey 5 Series with NFC – Enhanced PIN (Enterprise Profile) | b2c1a50b-dad8-4dc7-ba4d-0ce9597904bc
YubiKey 5 Series with NFC KVZR57 | 9eb7eabc-9db5-49a1-b6c3-555a802093f4

Are you requiring attestation? How has your implementation of FIDO2 keys been?

Don’t forget about the web version at: https://devclate.github.io/EntraFIDOFinder/Explorer/

Need the module?
– PowerShell: Install-PSResource EntraFIDOFinder
– PowerShell Gallery: https://www.powershellgallery.com/packages/EntraFIDOFinder/0.0.19
– GitHub: https://github.com/DevClate/EntraFIDOFinder

Did you know: SSPR/Password Reset Edition

August 18, 2025 by ClaytonT Leave a Comment

Did you know if you convert to the combined experience for SSPR and password reset, you can remove less secure phone, email, and text authentication? This is as long as you have Authenticator registered and higher methods allowed. See below for SSPR.

This works for SSPR and for password reset through My Sign-Ins.

The gotcha is if you have 2 methods required for SSPR, it will say your not registered for SSPR even if your enabled for it, but only have 1 method (Microsoft Authenticator) registered. As you can see below.

I would definitely recommend adding more secure options as well but at the minimum I’d use Authenticator or higher.

How do you keep your user protected in this situation?

Hope this quick tip was useful and have a great day!

How to Delete Recurring Planner Tasks with PowerShell

July 30, 2025 by ClaytonT Leave a Comment

Are you using PowerShell and Microsoft Planner? I feel it doesn’t get the love it deserves, and to be honest, I hadn’t used PowerShell with Planner in a while, but wanted to get back into it. I first starting using the Microsoft.Graph.Planner and found some limitations that were possible if you used the Graph API directly. One of the things that stood out was you couldn’t call a Plan or Bucket by its real name, only by its ID. Yes, I could have added some logic to make it so, but realized that it also couldn’t remove recurring tasks. I thought it was going to be a quick fix, but found out hours later that wasn’t the case.. hence this post!

Let’s get into the process now.

First, we are going to go to planner.microsoft.cloud and click on the task you want or click on the plan, then on the task you want.

Once you are there you will find the ID in the URL

Below you will see in bold the “TaskId.” The “PlanId” is right after ‘plan/’. They will always be in these locations.

<https://planner.cloud.microsoft/webui/plan/1L__9CleiAwPwqMXDEPEALPQKPa9/view/board/task/1Peq3A7__1EXqot27RoV53QYBZuS?tid=26my427d-m317-83y1-63r0-4suv1pe421y8>

Next we will create a $TaskId variable, where you will put the TaskId inside of it

$TaskId = "1Peq3A7__1EXqot27RoV53QYBZuS"

Before we go farther, lets connect to Microsoft Graph (beta) with these scopes

Connect-MgGraph -Scopes 'Tasks.ReadWrite','Group.ReadWrite.All'

Then you’ll want to get the Task information and save it to the $Task variable to use later. This is important as this will store the ETAG value that you will need to delete the task, as this value changes anytime something changes with that task.

$task = Invoke-MgGraphRequest -Uri "<https://graph.microsoft.com/beta/planner/tasks/$taskId>"

Now here is the fun part, there is no way as of right now to delete a recurring meeting in one call. The best way I found to do it is to first cancel the recurrence then delete it. After doing more research I found later on that it does say you have to ‘$null’ out “Schedule” from Microsoft Learn. I figured it out the hard way when I was using “Developer Tools” to see the API requests it was doing on each click.

Let’s cancel the recurrence, first we have to build out the body to null out schedule and we do that like below.

$body = @{
    recurrence = @{
        schedule = $null
    }
} | ConvertTo-Json -Depth 3

After the body, we create the the “Header” for the request. We do that by below. This is very important because if you don’t Graph won’t know the exact task you are trying to change.

$headers = @{ 
    "If-Match" = $task.'@odata.etag'
    "Content-Type" = "application/json"
}

Now that we have TaskID, Body, and Header we can update(PATCH) the recurring task to a non recurring task.

Invoke-MgGraphRequest -Method PATCH -Uri "<https://graph.microsoft.com/beta/planner/tasks/$taskId>" -Body $body -Headers $headers

Perfect, you have canceled the recurring task and can now delete it. This may seem repetitive, but as of right now it’s the only way to do it. You have to get the task information again because it will now have a new ETAG, and will fail if you try to use the previous one.

$task = Invoke-MgGraphRequest -Uri "<https://graph.microsoft.com/beta/planner/tasks/$taskId>"

And we will have to put the updated ETAG in the header

$headers = @{ 
    "If-Match" = $task.'@odata.etag'
    "Content-Type" = "application/json"
}

We could have done this part in the beginning, but didn’t want to throw too much at you in the beginning, but here we will create the URI as a variable to make the API request shorter and easier to read.

$Uri = "<https://graph.microsoft.com/beta/planner/tasks/$taskId”>

The moment is finally here, where we actually get to delete the task…

Invoke-MgGraphRequest -uri $Uri -Method Delete -Headers $Headers

That’s it! Now go back to planner and confirm that is has been deleted.

Congrats on deleting your first recurring task! Below, I’ve put the whole script so you can see it all together and you can update the TaskId then run it to to delete recurring tasks.

If you’re interested in learning more about Planner and PowerShell, stay tuned as I may have some ideas to make using them together even easier.

$taskId = "1Peq3A7__1EXqot27RoV53QYBZuS"

$task = Invoke-MgGraphRequest -Uri "<https://graph.microsoft.com/beta/planner/tasks/$taskId>"

# Cancel the recurrence by setting schedule to null
$body = @{
    recurrence = @{
        schedule = $null
    }
} | ConvertTo-Json -Depth 3

$headers = @{ 
    "If-Match" = $task.'@odata.etag'
    "Content-Type" = "application/json"
}

Invoke-MgGraphRequest -Method PATCH -Uri "<https://graph.microsoft.com/beta/planner/tasks/$taskId>" -Body $body -Headers $headers

$task = Invoke-MgGraphRequest -Uri "<https://graph.microsoft.com/beta/planner/tasks/$taskId>"

$headers = @{ 
    "If-Match" = $task.'@odata.etag'
    "Content-Type" = "application/json"
}

$Uri = "<https://graph.microsoft.com/beta/planner/tasks/$taskId”>

Invoke-MgGraphRequest -uri $uri -Method Delete -Headers $headers

Let me know if you have any questions or feedback, have a great day!

Why does my 365 Admin Audit Log sometime say it’s disabled, but other times enabled? Am I being compromised?

July 16, 2025 by ClaytonT Leave a Comment

Let me first start this off with I’m 99% sure you aren’t being compromised, but read on to see what I mean.

I first ran into this when I was running Maester and I saw that it said my test failed for having Unified Audit Log enabled. I then went to my Purview Portal and saw that it was enabled. Next I ran the command:

Get-AdminAuditLogConfig | Format-List UnifiedAuditLogIngestionEnabled

And received this output:

UnifiedAuditLogIngestionEnabled : False

It got me worried, as why is the PowerShell version saying it failed, but the GUI isn’t. Honestly, I usually trust the PowerShell output before the GUI. Then I run the PowerShell command to set it to “True.”

Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true

And received this output:

WARNING: The command completed successfully but no settings of 'Admin Audit Log Settings' have been modified.

Are you scratching your head like I was? I thought, maybe it’s because on the portal it shows it’s enabled, it is seeing it there and not changing it. Why not put that in the warning message though?

I did a little research and found Audit Log Enable Disable | MSFT which is where this little gem is located

Important

Be sure to run the previous command in Exchange Online PowerShell. Although the Get-AdminAuditLogConfig cmdlet is also available in Security & Compliance PowerShell, the UnifiedAuditLogIngestionEnabled property is always False, even when auditing is turned on.

And that is when it clicks, I connect to ExchangeOnlineManagement first then IPPSSession which must be causing the issue! I then disconnect with “Disconnect-ExhangeOnline”, and reconnect using “Connect-ExchangeOnline.” Now for the moment of truth:

Get-AdminAuditLogConfig | Format-List UnifiedAuditLogIngestionEnabled

UnifiedAuditLogIngestionEnabled : True

Success! But now the “why does this happen and why haven’t more people reported this?” I asked my buddy Sam Erde, had he seen this before? And he was perplexed as I was. Then he started digging a bit, and saw that you couldn’t use -NoClobber as it is from the same module.

The crazy part is, if you export both versions, they are the exact same code! What could it be? Is it how the IPPSSession connects to the API? If so, why not put a message saying you are connecting with IPPSSession, please disconnect and use connect-exchangeonline?

The mystery still continues, but I know Sam is working on a fix to handle this more consistently and hopefully have a fix shortly!

Have you been burned by this before?

Cliff notes version:

You weren’t compromised (unless you see it being changed in the logs and/or you ensure you are checking it correctly)
Make sure when checking for AuditLog is enabled through PS that your not using IPPSSession for the command
Sam Erde is working on a fix for Maester

Hope this saves you some headaches and have a great day!

EntraFIDOFinder Update

June 23, 2025 by ClaytonT Leave a Comment

June( v0.0.18) update is here and we skipped May as I could tell they were still making some changes so I didn’t push them to the PowerShell gallery. This month they removed 50+ keys as they were unapproved models, but there are still over 150 keys that are Entra Attestation capable!

How is your FIDO2 journey going? What are you wishing this module could do?

Appreciate all feedback and have a great day!

PowerShell Gallery: https://www.powershellgallery.com/packages/EntraFIDOFinder/0.0.18
GitHub: https://github.com/DevClate/EntraFIDOFinder
Web Version: https://devclate.github.io/EntraFIDOFinder/Explorer/