Retrieving all Hybrid AAD joined Devices

When starting a pilot for Hybrid Azure AD join, it can be useful to keep track of the number of devices that currently are already Hybrid Azure AD joined.

The most straight-forward way to do so is within the GUI of the Azure AD portal:

However, when used for reporting or other reasons, a scripted solution often is a better fit. The below PowerShell snippet returns all devices that are:

  • Known in Azure AD
  • Joined in a local domain
  • Running Windows 10

A requirement to run this script is being connected to Azure AD by using Connect-AzureAD for instance.

Get-AzureADDevice -All $true |Where-Object {($_.DeviceTrustType -eq "ServerAD") -and ($_.DeviceOSType -eq "Windows") -and ($_.DeviceOSVersion -like "10*")}

Run AAD Connect Sync & Monitor Status

Depending on the size of an AD environment (and more specifically, the number and location of objects that are in scope to be synced), a delta sync can take anywhere between a couple of seconds and significantly longer.

Checking if a sync currently is running is possible using a couple of methods. When sticking to PowerShell, the following commands can be utilized:

Start-AdSyncSyncCycle: running this command interactively when a sync is running will result in an “in your face” error message similar to the following:

Get-AdSyncScheduler: this command outputs the configuration settings of the sync process and also includes the state, wether or not it is running:

While all of the above are usable, they are not that user friendly, and require a user to retry the command in order to know *when* sync has been completed.

The below PowerShell code (let’s not call it a script, shall we?) does the following things:

  • Checks if a sync process currently is running
  • If not, starts a delta sync
  • Notifies the user / admin when the delta sync is finished
# verify if ADSync module is loaded, and if not, load it.
$module = Get-Module "ADsync"
if ($module -eq $null)
Import-Module AdSync
    Write-Host "ADSync Module already loaded"

# verify if a sync is currently running. If not, start a delta sync
$sync = Get-AdSyncScheduler

if ($sync.SyncCycleInProgress -eq $False)
Start-AdSyncSyncCycle -Policytype "Delta" |Out-Null

# periodically test if sync is running until it's... not running anymore
do {
    Write-Host "Azure AD Connect Sync Cycle in Progress..." -ForegroundColor "Yellow"
    $sync = Get-AdSyncScheduler
} until ($sync.SyncCycleInProgress -eq $False)

Write-Host "Azure AD Connect Sync Cycle is finished." -ForegroundColor "Green"

PowerShell Quicktip: list all Azure MFA-enabled users

Recently, I got a question from a customer to list all users that already enrolled in Azure MFA (through, for example, the url

The following PowerShell code lists all non-disabled users that already enrolled in Azure MFA:

Get-MsolUser -All | Where-Object {$_.StrongAuthenticationMethods -ne $null -and $_.BlockCredential -eq $False} | Select-Object UserPrincipalName

Spring 2020 – Security Webinars

Also during (a somewhat different) spring, Microsoft is keeping its promise by delivering webinars to introduce new and improved technology.

Be sure to mark the dates!

April 15MCAS: Enabling Secure Remote Work
April 20MSSP Support
April 22Threat Hunting on AWS using Sentinel
November 21st Using Sigma to accelerate your SIEM transformation to Azure Sentinel

Details and registration information can be found on

The certificate “name” on “servername” has expired

When logging in to a customers Exchange Server 2013 environment recently, a pop up caught my eye, indicating the following errror:

An expired certificate as such obviously isn’t such a weird event. However, when zooming into the error, the server that the error referred to was an old, already decommissioned, Exchange Server!

The following locations were checked, to no avail:

  • Get-ExchangeServer
  • Get-ExchangeCertificate
  • ADSI Edit
  • Certificate store on all Exchange Servers

After some googling searching the web with Bing, I found a solution on the web.

Get-Mailbox -Arbitration | Search-Mailbox -DeleteContent

Keep in mind, to run the command, specific permissions are required. A management role needs to be created with Mailbox Import Export assigned role. Assigning the Discovery Management role is not enough!