Microsoft Entra PowerShell best practices
This article shares best practices for using the Microsoft Entra PowerShell module to boost performance, enhance security, and scale reliably.
Register an app instead of using a Microsoft Enterprise app
You can register your own applications tailored to different use cases with specific permissions, such as for marketing or help desk teams. This approach allows for more granular permission management and minimizes the security impact if an app is compromised. To create a registered app, see Create a custom application.
Sign in using the application you register by running:
```powershell
Connect-Entra -ClientId <your-custom-app-id> -TenantId <your-tenant-id>
```

You can also use the aliases `AppId` or `ApplicationId` in place of `ClientId`.
Security
Apply the following consent and authorization best practices in your app to enhance security:
- Apply least privilege: Grant users and apps only the lowest privileged permission they require to call the Microsoft Entra resource. For example, if the app reads only the profile of the currently signed-in user, grant `User.Read` instead of `User.ReadBasic.All`. For a full list of permissions, see the permissions reference.
- Use `Disconnect-Entra`: Always run `Disconnect-Entra` to remove all credentials and contexts associated with an account. This properly cleans up and closes connections when they're no longer needed, reducing the risk of unauthorized access if the session is left open or someone else accesses your PowerShell environment.
- Use the correct permission type based on scenarios: Avoid using both application and delegated permissions in the same app. If you're building an interactive application where a signed-in user is present, your application should use delegated permissions. If, however, your application runs without a signed-in user, such as a background service or daemon, your application should use application permissions.
- Be thoughtful with application permissions: Avoid using application permissions for interactive scenarios. Doing so can unintentionally elevate a user's privileges and bypass administrator policies, creating security and compliance risks.
- Be thoughtful when configuring your app: This affects end user and admin experiences, along with application adoption and security. For example:
  - Your application's name, logo, domain, publisher verification status, privacy statement, and terms of use show up in consent and other experiences. Configure these settings carefully so that your end users understand them.
  - Consider who consents to your application, either end users or administrators, and configure your application to request permissions appropriately.
  - Ensure that you understand the difference between static, dynamic, and incremental consent.
- Watch out for permission creep: Keep an eye on the permissions that accrue for the registered app over time.
- Leverage security defaults and Conditional Access: Protect users with Microsoft Entra multifactor authentication using Conditional Access (for licensed organizations) and security defaults (for unlicensed organizations).
- Leverage Microsoft Entra recommendations: The Microsoft Entra recommendations feature continuously monitors your tenant's status, helping it remain secure and healthy. It gives you visibility into used apps, expiring credentials, and over-privileged applications, among others.
- Limit app sign-in to only assigned identities: The `Assignment Required` property helps manage access to applications by ensuring only assigned users can sign in.
```powershell
Connect-Entra -Scopes 'Application.ReadWrite.All'
$servicePrincipal = Get-EntraServicePrincipal -Filter "DisplayName eq 'Contoso Demo App'"
$parameters = @{
    ServicePrincipalId        = $servicePrincipal.Id
    AppRoleAssignmentRequired = $True
}
Set-EntraServicePrincipal @parameters
```
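The "apply least privilege", "use Disconnect-Entra" and "watch out for permission creep" points above can be combined into one audit script. The following is an added example, not code from the article or the module's own documentation; it assumes the v1 cmdlet and parameter names `Get-EntraServicePrincipalOAuth2PermissionGrant`, `Get-EntraServicePrincipalAppRoleAssignment` and `-ServicePrincipalId`, and reuses the article's placeholder app name 'Contoso Demo App'.

```powershell
# Added example (not from the original article): report every delegated and
# application permission that has accrued on one registered app. The session uses
# read-only scopes only and always signs out, even when the audit fails.
function Get-EntraAppPermissionReport {
    param([Parameter(Mandatory)][string]$AppDisplayName)

    # Least privilege: read-only scopes are sufficient to inspect consent grants.
    Connect-Entra -Scopes 'Application.Read.All', 'DelegatedPermissionGrant.Read.All'
    try {
        $safeName = $AppDisplayName.Replace("'", "''")   # escape quotes for the OData filter
        $sp = Get-EntraServicePrincipal -Filter "DisplayName eq '$safeName'"
        if (-not $sp) { throw "No service principal named '$AppDisplayName'." }

        # Delegated permissions live in OAuth2 permission grants; Scope is a space-separated list.
        $delegated = Get-EntraServicePrincipalOAuth2PermissionGrant -ServicePrincipalId $sp.Id |
            ForEach-Object {
                $grant = $_
                $grant.Scope -split ' ' | Where-Object { $_ } | ForEach-Object {
                    [pscustomobject]@{ Type = 'Delegated'; Permission = $_
                                       ConsentType = $grant.ConsentType; Resource = $grant.ResourceId }
                }
            }

        # Application permissions are app role assignments on the service principal;
        # resolve the role id to its readable value via the resource's AppRoles.
        $application = Get-EntraServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id |
            ForEach-Object {
                $resource = Get-EntraServicePrincipal -ServicePrincipalId $_.ResourceId
                $role = $resource.AppRoles | Where-Object Id -eq $_.AppRoleId
                [pscustomobject]@{ Type = 'Application'; Permission = $role.Value
                                   ConsentType = 'Admin'; Resource = $resource.DisplayName }
            }

        @($delegated) + @($application)
    }
    finally {
        # Always clear cached credentials and context, regardless of the outcome.
        Disconnect-Entra
    }
}

Get-EntraAppPermissionReport -AppDisplayName 'Contoso Demo App' | Format-Table -AutoSize
```

Run it periodically and diff the output against the previous run; any permission that appears without a matching change request is permission creep.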
Performance optimizations
The following practices can help you optimize performance when working with Microsoft Entra PowerShell:
Use a filter
Filtering is done on the server side by limiting your selection to retrieve a subset of a collection, which helps reduce unnecessary network traffic and data processing.
```powershell
Get-EntraUser -Filter "startsWith(DisplayName,'Ada')"
```
Select only required properties
Select only the properties you need by using the `-Property` parameter, so that the service returns just those attributes instead of the full object.
Define the page size
For requests that return many objects, increase the page size to its maximum value of 999 using the `-Top` parameter.

```powershell
Get-EntraUser -All -Top 999
```
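The three optimizations above applied together, as an added example that is not part of the article. It assumes an existing `Connect-Entra` session with `User.Read.All`, and that the user objects expose `UserType`, `AccountEnabled` and `CreatedDateTime` properties (assumed names following the Graph `user` resource).

```powershell
# Added example (not from the original article): list disabled guest accounts using
# a server-side filter, a property projection, and the maximum page size.
function Get-EntraDisabledGuestReport {
    # -Filter: only guests whose account is disabled leave the service.
    # -Property: the service returns just these attributes, not the whole object.
    # -All -Top 999: fewest round trips for large tenants.
    Get-EntraUser -Filter "userType eq 'Guest' and accountEnabled eq false" `
                  -Property Id, DisplayName, UserPrincipalName, CreatedDateTime `
                  -All -Top 999 |
        Select-Object Id, DisplayName, UserPrincipalName, CreatedDateTime
}

# Compare against a naive enumeration that pulls every property of every user and
# filters on the client: same rows, far more network traffic and processing.
$optimized = Measure-Command { $fast = Get-EntraDisabledGuestReport }
$naive = Measure-Command {
    $slow = Get-EntraUser -All |
        Where-Object { $_.UserType -eq 'Guest' -and -not $_.AccountEnabled }
}

"Optimized: {0:N1}s for {1} users; naive: {2:N1}s for {3} users" -f `
    $optimized.TotalSeconds, @($fast).Count, $naive.TotalSeconds, @($slow).Count
```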
Maintenance
Apply the following maintenance best practices to ensure your Microsoft Entra PowerShell module and scripts are up to date and functioning optimally:
Keep Microsoft Entra PowerShell module up to date
Keeping your module up to date is crucial for several reasons. Firstly, it allows you to benefit from the latest features and enhancements, ensuring you have access to the most current cmdlets and functionalities. More importantly, regular updates improve your security posture. Our team consistently implements security fixes and patches, helping to protect your systems from vulnerabilities.
Tip
If you use Microsoft Entra PowerShell with Azure Automation, update the PowerShell modules in your Azure Automation accounts as well.

```powershell
Update-Module -Name Microsoft.Graph.Entra
```

After upgrading your module, remove the older versions.
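One way to carry out the update and the cleanup of older versions in a single step, as an added example rather than the article's own procedure. It assumes the module was installed from the PowerShell Gallery with `Install-Module`, so that `Get-InstalledModule` and `Uninstall-Module` can see it.

```powershell
# Added example (not from the original article): update the module, then uninstall
# every installed version except the newest so that stale code cannot be loaded.
$moduleName = 'Microsoft.Graph.Entra'

Update-Module -Name $moduleName

# Sort numerically (not lexically, where 10.x would sort before 9.x); strip any
# prerelease suffix such as "-preview" before casting to [version].
$versions = Get-InstalledModule -Name $moduleName -AllVersions |
    Sort-Object { [version](($_.Version -split '-')[0]) } -Descending
$latest = $versions | Select-Object -First 1

foreach ($old in ($versions | Select-Object -Skip 1)) {
    Write-Host "Removing $moduleName $($old.Version) (keeping $($latest.Version))"
    Uninstall-Module -Name $moduleName -RequiredVersion $old.Version -Force
}

# Verify that exactly one version remains installed.
Get-InstalledModule -Name $moduleName -AllVersions | Select-Object Name, Version
```

Close any PowerShell session that has an older version already loaded before running this; `Uninstall-Module` cannot remove a version that is in use.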
Use Get-Help
`Get-Help` provides comprehensive documentation directly in the command line. It offers detailed information about Microsoft Entra PowerShell cmdlets, functions, scripts, and concepts, including usage examples, accepted parameters, and output. `Get-Help` promotes efficient scripting and helps avoid common mistakes.

```powershell
Get-Help Get-EntraUser -Detailed
```
Use the debug option
`-Debug` helps you troubleshoot by providing detailed diagnostic information as you interact with Microsoft Entra PowerShell. It can help you understand exactly how your scripts are functioning and where problems might arise during the development and testing phases.

```powershell
Get-EntraUser -Top 1 -Debug
```
To send the debug output stream to a log file, use:

```powershell
Get-EntraUser -Top 1 -Debug 5>> <your-log-filepath>
```

- `5` is the stream number of the Debug stream. For more information about streams, see Output Streams.
- `>>` is the append redirection operator. For more information about redirection operators, see Redirection Operators.