PowerShell – Set the account profile picture from Azure AD

If you ever need to set the local Windows user account profile pictures from Azure AD, you can use the following script.

The script leverages the Graph API through a service principal (app) in Azure AD. There is some requirements before running the script:

You can run the script “manually” or deploy it with Azure Intune. You can run the script under your own or with the “nt authority\system” account. Just be sure that the account have access to write to the following registry path “HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\AccountPicture\Users” and it child objects.

The only thing you need to change in the script is three variables (line 43, 44 and 45) for the Azure AD app information.

Here is a basic walk through of what the script actually does:

  1. Create folder structure in “C:\Scripts\ProfilePicture” to store pictures, script and logs. The folder path can be changed to your liking on line 33, 34 and 39.
  2. Start transcript logs to “C:\Scripts\ProfilePicture\Logs\”.
  3. Get the access token for Graph API.
  4. Get user information (UPN, Username and SID) that have already logged in to the local device.
  5. Download user profile photo for each user in “C:\Scripts\ProfilePicture\Data\”.
  6. Sets registry keys to use the downloaded photo for each user.
  7. Create a task schedule (if it doesn’t exist) so it updates any picture change in Azure AD.
  8. Copy the script to location “C:\Scripts\ProfilePicture”.

You may need to compile the code into an executable, this will disguise the client secret used to retrieve the profile pictures. One way of turning a PowerShell script into an executable is to use this script, but remember to change the schedule task in the code to point to the .exe file instead of the .ps1 before compiling.

 

Azure AD – Access to BitLocker Recovery Keys

Azure Active Directory

Wonder how to give access to see bitlocker recovery keys in Azure AD? – Look no further!

I’m have been searching for a while after how to grant access to the Azure AD (AAD) BitLocker recovery keys by the “least privilege principle” (PoLP).

You need to have global administrator in order to follow this tutorial, if you are ready, let’s go!

Read More