Field Notes

The knowledge base — notes, code, papers, and mirrors, all in one place so none of it can be lost. PowerShell, M365 / Azure, CrowdStrike / Sentinel, tooling, and reference material. Every entry is tagged to its source (my repo, GitHub, vendor docs) and labeled by who wrote it. Click a card to expand it: copy the code, grab the repo, or follow the source.

GITHUB LINK Microsoft Graph PowerShell (MS Docs) ↗ signInActivity resource (MS Docs) ↗

Stale accounts are the quietest attack surface in any tenant. This is the script I reach for when an audit turns up a pile of “hasn’t logged in since last year” objects. It runs dry by default — nothing changes until you pass -Commit.

# Requires: Microsoft.Graph module, Directory.ReadWrite.All + AuditLog.Read.All
param(
  [int]$InactiveDays = 90,
  [switch]$Commit
)

Connect-MgGraph -Scopes "User.ReadWrite.All","AuditLog.Read.All" | Out-Null
$cutoff = (Get-Date).AddDays(-$InactiveDays).ToString("o")

$stale = Get-MgUser -All -Property "id,displayName,userPrincipalName,accountEnabled,signInActivity" |
  Where-Object {
    $_.AccountEnabled -and
    $_.SignInActivity.LastSignInDateTime -and
    $_.SignInActivity.LastSignInDateTime -lt $cutoff
  }

"Found $($stale.Count) accounts inactive > $InactiveDays days" | Write-Host -ForegroundColor Yellow

foreach ($u in $stale) {
  "{0,-40} last: {1}" -f $u.UserPrincipalName, $u.SignInActivity.LastSignInDateTime | Write-Host
  if ($Commit) {
    Update-MgUser -UserId $u.Id -AccountEnabled:$false
    Add-Content -Path "./disabled-$(Get-Date -f yyyyMMdd).log" -Value $u.UserPrincipalName
  }
}

if (-not $Commit) { Write-Host "`nDRY RUN. re-run with -Commit to apply." -ForegroundColor Cyan }

Notes that bit me: signInActivity requires an Entra ID P1 license on the tenant and the AuditLog.Read.All scope, or the property comes back null and every account looks “stale.” Always confirm the property populates before you trust the filter.

GITHUB LINK Custom analytics rules (MS Docs) ↗ KQL reference (MS Docs) ↗

Every out-of-the-box impossible-travel rule drowns you in false positives the moment someone connects through a corporate VPN egress in another region. This is the tuned version — it joins against a watchlist of known egress IPs and only fires when the velocity is physically implausible AND the ASN isn’t trusted.

let knownEgress = _GetWatchlist('CorpVpnEgress') | project IPAddress;
SigninLogs
| where ResultType == 0
| where isnotempty(LocationDetails.geoCoordinates.latitude)
| extend lat = todouble(LocationDetails.geoCoordinates.latitude),
         lon = todouble(LocationDetails.geoCoordinates.longitude)
| where IPAddress !in (knownEgress)
| sort by UserPrincipalName asc, TimeGenerated asc
| serialize
| extend prevLat = prev(lat), prevLon = prev(lon),
         prevTime = prev(TimeGenerated), prevUser = prev(UserPrincipalName)
| where UserPrincipalName == prevUser
| extend km = geo_distance_2points(lon, lat, prevLon, prevLat) / 1000.0
| extend hours = datetime_diff('minute', TimeGenerated, prevTime) / 60.0
| where hours > 0
| extend kmh = km / hours
| where kmh > 900   // faster than a commercial jet = impossible
| project TimeGenerated, UserPrincipalName, IPAddress, km, hours, kmh

The serialize + prev() pattern is the trick — it lets you compare each sign-in to the user’s previous one without an expensive self-join. Threshold of 900 km/h is deliberately above cruising speed so layovers don’t trip it. Pair it with a CrowdStrike Identity Protection policy for the response side.

GITHUB LINK Azure custom roles (MS Docs) ↗ RBAC best practices (MS Docs) ↗

The default Contributor role is a loaded gun — it can do almost everything except grant access, which means an ops engineer with Contributor can still delete your resource locks, rewrite policy assignments, and nuke a whole RG. This custom role keeps day-to-day power but removes the destructive governance verbs.

{
  "Name": "Ops Engineer (Constrained)",
  "Description": "Manage compute/network/storage. No RBAC, policy, or lock changes.",
  "Actions": [
    "Microsoft.Compute/*",
    "Microsoft.Network/*",
    "Microsoft.Storage/*",
    "Microsoft.Resources/subscriptions/resourceGroups/read",
    "Microsoft.Insights/*/read"
  ],
  "NotActions": [
    "Microsoft.Authorization/*/write",
    "Microsoft.Authorization/*/delete",
    "Microsoft.Authorization/locks/*",
    "Microsoft.Resources/subscriptions/resourceGroups/delete"
  ],
  "AssignableScopes": [
    "/subscriptions/00000000-0000-0000-0000-000000000000"
  ]
}

Deploy it with:

az role definition create --role-definition ops-constrained.json

The NotActions block is doing the real work here — Actions grants the wildcard, then NotActions carves out the governance surface. Scope it to a management group instead of a single subscription if you want it tenant-wide; just swap AssignableScopes. Keep the JSON in your IaC repo so the role is version-controlled, not click-opsed.

Field Notes

Bulk-disable inactive M365 accounts with PowerShell + Graph

Sentinel: hunting impossible-travel without the noise

Azure: least-privilege RBAC at scale with a custom role