Using Filtering in Microsoft Graph SDK

In this post we will be going through using different filter types in the Microsoft Graph SDK.
Using filters is useful when trying to return specific results or a subset of data.

To check if a command supports filtering we can look up the command on the Microsoft Learn page or try the -Filter parameter.

There are a few different operators we can use for filtering; the full list is below.

  • eq
  • not
  • ne
  • startswith
  • endswith
  • in
  • le
  • ge
  • not and endswith
  • not and startswith
  • not and eq
  • not and in
  • contains
  • has

Once we know the command supports filtering, we need to find a property to filter on; for users we will use display name.

Get-MgUser -Filter "DisplayName eq 'Name'"

To find all display names that start with P we can use startsWith(DisplayName, 'value').

Get-MgUser -Filter "startsWith(DisplayName, 'P')"

To filter using a variable we can create a new variable with a value and use that inside the filter. This can be used in foreach loops to go through each object in an array.

We can also use filtering to return objects by date; the date has to be formatted in a specific way or the filter will error out.

The date has to be in the format yyyy-MM-ddT00:00:00Z. To get the correct date format we can use ToString with that format string.

$date = (Get-Date).AddDays(-30).ToString('yyyy-MM-ddT00:00:00Z')
Get-MgAuditLogSignIn -Filter "AppDisplayName eq 'OfficeHome' and CreatedDateTime ge $($date)" | Select-Object AppDisplayName,CreatedDateTime
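As an added example (not code from the original post), the script below combines the variable and date filtering shown above into reusable functions. It assumes the Microsoft.Graph SDK is installed and Connect-MgGraph has already been run with the User.Read.All and AuditLog.Read.All scopes; the function names are my own.

```powershell
# Added example: build Graph -Filter strings from variables without breaking the OData syntax.

function ConvertTo-ODataLiteral {
    # OData string literals are single-quoted and a literal quote is written as ''.
    # Escaping the value keeps a display name such as O'Brien from breaking the
    # filter or changing its logic when it comes from a variable.
    param([Parameter(Mandatory)][string]$Value)
    return "'" + ($Value -replace "'", "''") + "'"
}

function Get-UsersByDisplayNamePrefix {
    # Loops over an array of prefixes, building one startsWith filter per value.
    param([Parameter(Mandatory)][string[]]$Prefixes)
    foreach ($prefix in $Prefixes) {
        $filter = "startsWith(displayName, $(ConvertTo-ODataLiteral $prefix))"
        # -All follows paging; without it only the first page of results is returned.
        Get-MgUser -Filter $filter -All -Property DisplayName,UserPrincipalName |
            Select-Object DisplayName, UserPrincipalName
    }
}

function Get-UsersNotMatchingPrefix {
    # Negated and endsWith/ne/in filters on users are "advanced queries" and
    # require ConsistencyLevel eventual plus $count=true, otherwise Graph returns an error.
    param([Parameter(Mandatory)][string]$Prefix)
    $filter = "not startsWith(displayName, $(ConvertTo-ODataLiteral $Prefix))"
    Get-MgUser -Filter $filter -ConsistencyLevel eventual -CountVariable matched -All |
        Select-Object DisplayName, UserPrincipalName
}

function Get-RecentSignInsForApp {
    # Graph expects DateTimeOffset literals unquoted in ISO 8601 UTC form.
    param(
        [Parameter(Mandatory)][string]$AppDisplayName,
        [int]$Days = 30
    )
    $since  = (Get-Date).ToUniversalTime().AddDays(-$Days).ToString('yyyy-MM-ddTHH:mm:ssZ')
    $filter = "appDisplayName eq $(ConvertTo-ODataLiteral $AppDisplayName) and createdDateTime ge $since"
    Get-MgAuditLogSignIn -Filter $filter -All |
        Select-Object AppDisplayName, UserPrincipalName, CreatedDateTime
}

# Usage with constructed sample values
Get-UsersByDisplayNamePrefix -Prefixes @('P', "O'B")
Get-UsersNotMatchingPrefix -Prefix 'P'
Get-RecentSignInsForApp -AppDisplayName 'OfficeHome' -Days 30
```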

Filtering is important to learn when using Microsoft Graph; without it, it can be difficult to find the right data or objects.

Filtering also helps improve performance and reduce the amount of data retrieved from Microsoft Graph.

Create Azure Alert Using KQL Custom Search

In this post we will be going through creating an alert rule using Azure Monitor and a custom log search.

This can be set up for most services in Azure that send logs to a Log Analytics workspace or have activity logs, but we will be setting it up for an Azure VM in this post.

We needed to create an alert for a specific server that we had powered off, and wanted to be alerted when it was powered on.

There is no out-of-the-box alert for this, so we ended up using an alert rule with a KQL query.

First we need to log on to the Azure portal and go to the VM we want to alert on.

Select the Alerts blade and create a custom alert rule.

Select Custom log search from the Signal name drop-down.

Add the search query. I used the AzureActivity table and searched for the operation name value of the virtual machine start action.

AzureActivity
| where OperationNameValue == 'MICROSOFT.COMPUTE/VIRTUALMACHINES/START/ACTION' and ActivityStatusValue == 'Success'
| where EventSubmissionTimestamp >= (ago(2h))

We will also need to set the required measurement type, aggregation type and aggregation.

I used Count as I want to alert when there is a count greater than 1, as this means the VM has been booted up.

Next we need to set the alert logic.

Set the operator, threshold value and check frequency for the alert. I set the threshold to greater than one and evaluate the logs every 2 hours.

We can change the preview to view the current aggregate, which is one for me as I started the VM earlier in the day.

Next we need to either create a new action group or use a pre-existing one. I will be creating a new group.

This can be set to send an email, SMS message, push notification or voice message.

Next we need to set the subscription and resource group for the alert. We will also set the alert rule severity, name, description and region.

We can also set advanced options like automatically resolving alerts.

Next we set the tags to be used, if required.

The last step is to review and confirm all the settings.

To test, we can power on the VM and check that the alert fires in the Azure portal and that we receive the email alert.

Setting up alerts using custom log searches can be very useful, especially if there is no out-of-the-box report.