Need to enable MFA on Azure AD to the users accounts which iam creating using powershell through Automation account which will runs on Hybrid Worker, so when the user is created will set the timer for few seconds **Start-Sleep -Seconds ** to perform MFA action, please assist me to understand kind of permissions, modules and connections to Azure Ad to enable MFA using automation account using powershell script on Azure AD for the same, i have found some useful documents but there are portal based policies. Thanks in Advance
To enable MFA on Azure AD, you need to have roles like Global Administrator or Security Administrator or Conditional Access Administrator on your Azure AD tenant.
Make sure to acquire Azure AD Premium P1 license if you want to use conditional access policies for enabling MFA.
Get yourself assigned with Contributor role under subscription where your automation account exists.
I tried to reproduce the same in my local environment and got results like below:
I ran the below script by connecting with user having Global Administrator role that created new user with MFA enabled like below:
Connect-MsolService
$user=New-MsolUser -DisplayName "Demo User" -UserPrincipalName "demouser#xxxxxxxxxx.onmicrosoft.com" -Password "xxxxxxxxxxxx1234#"
# Wait for the user account to be created
Start-Sleep -Seconds 30
$strongAuth = #()
$strongAuth += New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$strongAuth[0].RelyingParty = "*"
$strongAuth[0].State = "Enabled"
Set-MsolUser -UserPrincipalName "demouser#xxxxxxxxxxx.onmicrosoft.com" -StrongAuthenticationRequirements $strongAuth
Response:
When I checked the same in Portal, new user named Demo User created successfully like below:
To check whether MFA is enabled or not, I tried to sign in with above newly created user credentials that asked for MFA like below:
If you want to use same script, make sure to install MSOnline module before running script like this:
Install-Module -Name MSOnline
Import-Module -Name MSOnline
Connect-MsolService
If you are performing these operations via service principal, you need to assign roles or permissions for service principal too.
Reference:
Enable Azure AD Multi-Factor Authentication | Microsoft Learn
Related
We have an Azure PowerShell script to automate the provisioning of resources in our customers' subscription. As part of the process we deploy a VM based off a custom image hosted in our own image gallery. In order to do so we require our customers to grant access (user consent) to our enterprise application in their tenants.
As of now we achieve that through an OAuth2 link that we ask them to edit with their own tenant ID and open in browser:
https://login.microsoftonline.com/<customer-tenant-id>/oauth2/authorize?client_id=cd3df191-153a-4ae1-9766-5fe7a7f3032e&response_type=code&redirect_uri=https%3A%2F%2Fwww.microsoft.com
This link authenticates them and asks for the requested permissions to be accepted:
After that, our enterprise application should be listed in their subscriptions with the following permissions:
We would like for this pre-requisite to be addressed programmatically by our deployment script. Is there any way we can achieve that via Azure PowerShell?
To no avail, I've checked quite a few pages online and several similar questions here on SO. They are different in the sense that they are requesting Admin Consent rather than User Consent (mind that ours only require User Consent, see screenshot below). Also, some questions are specific to Azure CLI or simply Azure Portal (not an option for us as we are working with Azure PowerShell).
PS: Sorry in advance for my lack of knowledge in regards to Azure AD and the Consent Framework in general.
Consent can be used to grant app roles (application permissions) and delegated permissions.
What you're trying to do here is to create a delegated permission grant. Specifically, you're trying to grant a delegated permission on behalf of an individual user (instead of on behalf of all users).
You can't do this with Azure PowerShell.
You can, however, do this with Microsoft Graph PowerShell. The cmdlet you use, will be New-MgOauth2PermissionGrant. This cmdlet calls the Microsoft Graph API to create a delegated permission grant. The PowerShell cmdlet requires the following parameters:
ClientId - The object ID of the client app's service principal. This is the service principal which will be gaining privileges.
ConsentType - In this case, this should be "Principal", indicating you want to grant this delegated permission on behalf of a single principal (a user).
PrincipalId - This is the object ID of the user on behalf of who the client app will be able to act.
ResourceId - The object ID of the API's service principal. This is the service principal representing the API that exposes the delegated permissions you want to grant.
Scope - The space-separated list of permissions to grant.
So, for example, if we wanted to grant the Microsoft Graph delegated permission User.Read, on behalf of user with user principal name bob#example.com, we could do the following:
$userUpn = "bob#example.com"
$clientAppId = "738a2731-dd81-4263-824b-74cf6dee9da0"
$resourceSpn = "https://graph.microsoft.com"
$scope = "User.Read"
# Retrieve the user, and the client and resource service principals
$user = Get-MgUser -Filter "userPrincipalName eq '$userUpn'"
$client = Get-MgServicePrincipal -Filter "appId eq '$clientAppId'"
$resource = Get-MgServicePrincipal -Filter "servicePrincipalNames/any(n:n eq '$resourceSpn')"
# Grant the delegated permissions for Microsoft Graph to the client, on behalf of the user
$grant = New-MgOAuth2PermissionGrant `
-ClientId $client.Id `
-ConsentType "Principal" `
-PrincipalId $user.Id `
-ResourceId $resource.Id `
-Scope $scope
I want to connect PowerShell to Azure with the command Connect-AzAccount. I am connected successfully with a warning: Unable to acquire token for tenant 'xxx'.
When I run commenad Get-AzVM I have error message: et-AzVM: Your Azure credentials have not been set up or have expired, please run Connect-AzAccount to set up your Azure credentials.
Any tips and help please?
There could be possibility that your account is associated with the more than one tenant. In one of the tenant you may not have the desired permissions.
Rather than connecting to all the tenants, you could specify the tenant you would like to connect to :
Connect-AzAccount -Tenant <Your Tenant ID>
If you are still encountering the issue for your tenant as well. More likely there is a permission issue.I would suggest you reach out necessary stake holder (Tenant Admin for instance) to grant you the necessary permissions to run the powershell commandlet.
I set up a visual studio project template that runs setup scripts to automatically register an application and create application insights for the app.
The problem is the app registration uses the AzureAD module while the application insights (and the resource group creation if needed) use the Az modules, so I end up needing to do
Connect-AzAccount
Connect-AzureAD
Which prompts the user for their login twice. Is there a way to use the auth from one to authenticate the other?
I've seen similar questions suggesting using get-credential but since my org has multi factor auth that wont work.
Other suggestions were to use a service principal but I don't want to store anything specific in the template and want the auth tied to the user.
I know the Az module has functionality similar to the AzureAD (New-AzADApplication) but there are a few things I can't figure out how to do. Specifically, set the applications permissions to sign in on Microsoft graph and set the application owner to the authenticated user. That is why i'm using the AzureAD module instead
If you want to use the same session to connect Azure and Azure AD in PowerShell, please refer to the following script
Connect-AzAccount
$context=Get-AzContext
Connect-AzureAD -TenantId $context.Tenant.TenantId -AccountId $context.Account.Id
Get-AzureADUser
I am using a script to create Azure AD user, but when user login, it showing there are no any subscription for that users.
Now kindly let me know if you share the script to automate the process for assigning roles to that users automatically when he\she login in azure portal
Hoping for quick response
you cannot assign roles exactly when user logs into the portal, but you can assign roles to the users once you create them:
New-AzRoleAssignment -ObjectId xxx -Scope '/subscriptions/%subscription_guid%' `
-RoleDefinitionName Contributor (or Owner, Reader, etc)
You can use -signInName instead of the ObjectId, but since you just created the user you should have its ObjectId anyway
For CLI you can consult this article: https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-cli
This one for powershell: https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-powershell
So I am trying to set up an application on azure AD that can, among other things delete users.
I have the application registered and use the client id and secert to gain teh access token.
I was able to give the application permissions to create users and that works fine, but when i go to delete over the graph API i get a 403 Insufficient privileges to complete the operation.
I am trying this over the graph rest API. The user that i am attempting to delete was made through the rest call as well. The user is in the same tenant as the application , so i am not trying to delete users from multiple tenants.
It seems what i need to do is give the application either Global admin or Company admin rights, but i am spinning wheels on where and or how to do this.
Any help would be appreciated.
Take a look at my answer here.
You can elevate the level of access an Application has in your tenant
by adding the service principal of that application to the Company Administrator Directory Role. This will give the Application the same
level of permissions as the Company Administrator, who can do
anything. You can follow these same instructions for any type of
Directory Role depending on the level of access you want to give to
this application.
Note that this will only affect the access your app has in your tenant.
Also you must already be a Company Administrator of the tenant to follow these instructions.
In order to make the change, you will need to install the Azure
Active Directory PowerShell
Module.
Once you have the module installed, authenticate to your tenant with
your Administrator Account:
Connect-MSOLService
Then we need to get the Object ID of both the Service Principal we
want to elevate, and the Company Administrator Role for your tenant.
Search for Service Principal by App ID GUID:
$sp = Get-MsolServicePrincipal -AppPrincipalId <App ID GUID>
Search for Directory Role by Name
$role = Get-MsolRole -RoleName "Company Administrator"
Now we can use the Add-MsolRoleMember command to add this role to
the service principal.
Add-MsolRoleMember -RoleObjectId $role.ObjectId -RoleMemberType ServicePrincipal -RoleMemberObjectId $sp.ObjectId
To check everything is working, lets get back all the members of the
Company Administrator role:
Get-MsolRoleMember -RoleObjectId $role.ObjectId
You should see your application in that list, where RoleMemberType
is ServicePrincipal and DisplayName is the name of your
application.
Now your application should be able to perform any Graph API calls
that the Company Administrator could do, all without a user signed-in,
using the Client Credential Flow.
Let me know if this helps!
UPDATE:
The answer above has been updated to use Azure Active Directory V2 PowerShell
If you don't have the AzureAD module already installed you will need to install it. See Azure Active Directory PowerShell Module Version for Graph for Azure AD administrative tasks for more info about the module or simply run:
Install-Module AzureAD
Once you have the module installed, authenticate to your tenant with your Administrator Account:
Connect-AzureAD
Then we need to get the Service Principal we want to elevate, and the Company Administrator Role for your tenant.
$sp = Get-AzureRmADServicePrincipal | Where DisplayName -eq '<service-principal-name>'
Search for Directory Role by Name
$role = Get-AzureADDirectoryRole | Where DisplayName -eq 'Company Administrator'
Now we can use the Add-AzureADDirectoryRoleMember command to add this role to the service principal.
Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $sp.Id
To check everything is working, lets get back all the members of the Company Administrator role:
Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId
You should see your application in that list, where DisplayName is the name of your application.
Now your application should be able to perform any Graph API calls that the Company Administrator could do, all without a user signed-in, using the Client Credential Flow.