I am able to add service principals and individual users to an Azure Active Directory group with the command:
Add-AzADGroupMember -TargetGroupObjectId GROUPID -MemberObjectId MEMBERID
I'm giving the user assigned managed identity's principal id from the portal as MemberObjectId. I suppose the ID is something else, but what is it and how do I get it? I have tried the client id as well, with no luck.
When I try to run the same command with a user assigned managed identity, it fails with the error:
Line |
 143 |  Az.MSGraph.internal\New-AzADGroupGraphRefMember @PSBoundP …
     |  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     | Resource 'XXXXX-...' does not exist or one of its queried reference-property objects
     | are not present.
I tried to reproduce the same in my environment and got the below results.
I have one User Assigned Managed Identity named UserassignedMI like below:
To add the above identity to the Azure AD group, I ran the same command as you by giving the Client ID and got the same error as below:
Add-AzADGroupMember -TargetGroupObjectId <GroupID> -MemberObjectId <Client ID>
Response:
But when I used the Object (principal) ID for -MemberObjectId, it worked and gave results successfully like below:
Add-AzADGroupMember -TargetGroupObjectId <GroupID> -MemberObjectId <Object (principal) ID>
Get-AzADGroupMember -GroupObjectId <GroupID>
Response:
When I checked the same in the Portal, the managed identity was added to the group successfully like below:
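As an added example (not part of the original answer), the script below resolves the principal id of a user assigned managed identity from Az PowerShell instead of copying it from the portal, shows why the client id is the wrong value, and adds the identity to the group only if it is not already a member. The resource group name and group object id are placeholders; it assumes Az.Accounts, Az.ManagedServiceIdentity and Az.Resources are installed and that Connect-AzAccount has already been run.

```powershell
# Added example, not the original answer's code. Placeholders: resource group and group object id.
$ResourceGroupName = 'rg-example'                              # placeholder
$IdentityName      = 'UserassignedMI'                          # name used in the answer above
$GroupObjectId     = '00000000-0000-0000-0000-000000000000'    # placeholder

# Get-AzUserAssignedIdentity exposes both ids. PrincipalId is the directory object that
# group membership and role assignments refer to; ClientId is only used when the identity
# requests tokens, which is why Add-AzADGroupMember rejects it.
$mi = Get-AzUserAssignedIdentity -ResourceGroupName $ResourceGroupName -Name $IdentityName
Write-Output "ClientId    : $($mi.ClientId)    (not accepted by -MemberObjectId)"
Write-Output "PrincipalId : $($mi.PrincipalId) (the value -MemberObjectId expects)"

# Idempotent add: look the member up first so re-running the script does not error out.
$existing = Get-AzADGroupMember -GroupObjectId $GroupObjectId |
    Where-Object { $_.Id -eq $mi.PrincipalId }

if ($existing) {
    Write-Output "$IdentityName is already a member of group $GroupObjectId"
} else {
    Add-AzADGroupMember -TargetGroupObjectId $GroupObjectId -MemberObjectId $mi.PrincipalId
    Write-Output "Added $IdentityName (principal $($mi.PrincipalId)) to group $GroupObjectId"
}

# Verify from the group side, as the answer does with Get-AzADGroupMember.
Get-AzADGroupMember -GroupObjectId $GroupObjectId |
    Where-Object { $_.Id -eq $mi.PrincipalId } |
    Select-Object DisplayName, Id
```

The membership check before the add is what makes this safe to run from a pipeline or runbook repeatedly; the second Get-AzADGroupMember call confirms the result independently of the add command's return value.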
Using the below command, I am trying to assign a role to the managed identity from a PowerShell runbook (5.1 runtime version).
$roleAssignment = New-AzRoleAssignment -ObjectId 'xxxx-xxxx-xxxx-xxxx' -Scope '/subscriptions/xxxx-xxxx-xxxx/resourceGroups/xxxxxxxxx' -RoleDefinitionName 'Contributor'
When we execute the runbook, we run into the below error.
Exception of type 'Microsoft.Rest.Azure.CloudException' was thrown.
But when we execute the same command from the local PowerShell ISE, we are able to assign the role without any failure.
How can I make the runbook assign the role to the user assigned identity?
Can anyone help me solve this?
Unable to assign a role to user assigned identity through Azure Run books
Exception of type ‘Microsoft.Rest.Azure.CloudException’ was thrown.
To resolve the above error, I would suggest you try to follow the below workaround that worked for me:
Go to Azure AD --> App registrations --> Select your app --> API Permissions --> Add permission --> Microsoft Graph (You can select any Azure resource for which you want to grant permissions for) --> Application Permissions --> Directory --> Directory.Read.All
Then grant admin consent for the selected permissions for that particular resource.
Here, you can also select other services that you are using; in ‘Request API Permissions’, other than Microsoft Graph, you can use the other APIs that you are working with, since the process is the same as shown in the below snapshot:
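The following is an added example (not from the question or the answer) of how the runbook step can be written so that the reason for the failure is visible in the job output. New-AzRoleAssignment has to resolve the object id in the directory, so the script resolves it explicitly first; if the runbook's identity lacks directory read permission, that lookup fails with a clear message instead of the bare CloudException. The object id and scope are the question's placeholders; it assumes the runbook has already authenticated and that Az.Resources is imported into the Automation account.

```powershell
# Added example, not the question's or answer's code. Placeholders: object id and scope.
$PrincipalObjectId = 'xxxx-xxxx-xxxx-xxxx'                                    # object id of the user assigned identity
$Scope             = '/subscriptions/xxxx-xxxx-xxxx/resourceGroups/xxxxxxxxx'  # placeholder scope
$RoleName          = 'Contributor'

# Pre-flight: managed identities are service principals, so resolve the id the same way
# New-AzRoleAssignment will. A failure here points at the runbook identity's directory
# permissions (the Directory.Read.All grant described above) rather than at the role itself.
$sp = Get-AzADServicePrincipal -ObjectId $PrincipalObjectId -ErrorAction SilentlyContinue
if (-not $sp) {
    throw "Cannot resolve principal $PrincipalObjectId in the directory; check the runbook identity's Graph permissions."
}
Write-Output "Resolved principal: $($sp.DisplayName) ($($sp.Id))"

# Idempotent: only create the assignment if it does not already exist at this scope.
$current = Get-AzRoleAssignment -ObjectId $PrincipalObjectId -Scope $Scope -RoleDefinitionName $RoleName -ErrorAction SilentlyContinue
if ($current) {
    Write-Output "Role '$RoleName' is already assigned to $PrincipalObjectId at $Scope"
} else {
    try {
        $roleAssignment = New-AzRoleAssignment -ObjectId $PrincipalObjectId -Scope $Scope -RoleDefinitionName $RoleName
        Write-Output "Assigned '$RoleName' at $Scope (assignment id $($roleAssignment.RoleAssignmentId))"
    }
    catch {
        # "Exception of type 'Microsoft.Rest.Azure.CloudException' was thrown." hides the real cause;
        # write the nested messages and error details so they land in the runbook job output.
        Write-Error ("New-AzRoleAssignment failed: {0}" -f $_.Exception.Message)
        if ($_.Exception.InnerException) { Write-Error ("Inner: {0}" -f $_.Exception.InnerException.Message) }
        if ($_.ErrorDetails)             { Write-Error ("Details: {0}" -f $_.ErrorDetails.Message) }
        throw
    }
}
```

Running the same script in the local ISE and in the runbook makes the difference between the two identities visible at the Get-AzADServicePrincipal step, which is where the permissions granted in the workaround take effect.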
I want to get the object id of one member in a group, not the object ids of all members in the group. I am using the below command:
Get-AzureADGroupMember -ObjectId "00438306-7g37-4638-a72d-0ee890017680"
I am using PowerShell; what is the query to get a particular member's object id in an Azure Active Directory group?
https://learn.microsoft.com/en-us/powershell/module/azuread/get-azureadgroupmember?view=azureadps-2.0
To get a particular member's object id in an Azure Active Directory group, use the below command:
Get-AzureADUser -ObjectId "test@tenant.com"
This command gets the specified user.
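As an added example (not part of the original answer), the script below answers the question as asked: it reads the group's membership with the AzureAD module and returns only the object id of the one member whose UPN matches, so the result is confirmed to be a member of that group rather than just a user in the tenant. The group id is the question's placeholder and the UPN is a constructed value; it assumes Connect-AzureAD has already been run.

```powershell
# Added example, not the original answer's code. Placeholders: group object id and member UPN.
$GroupObjectId = '00438306-7g37-4638-a72d-0ee890017680'   # group id from the question (placeholder)
$MemberUpn     = 'test@tenant.com'                          # constructed UPN of the member you want

# Get-AzureADGroupMember pages its results. -All $true fetches every member instead of
# the first page only; without it a member past the first page is silently missed.
$member = Get-AzureADGroupMember -ObjectId $GroupObjectId -All $true |
    Where-Object { $_.ObjectType -eq 'User' -and $_.UserPrincipalName -eq $MemberUpn }

if (-not $member) {
    Write-Warning "$MemberUpn is not a direct member of group $GroupObjectId"
} elseif (@($member).Count -gt 1) {
    # A UPN is unique, but fail loudly rather than silently picking one of several matches.
    throw "More than one member matched $MemberUpn"
} else {
    # Only the one member's object id, which is what the question asks for.
    $member.ObjectId
}
```

Note that Get-AzureADGroupMember returns direct members only; a user who belongs through a nested group will not be found this way.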
When I'm trying to remove a role assignment for a storage account using an Azure Automation account with the command
Remove-AzRoleAssignment -SignInName "john@example.com" -RoleDefinitionName "Storage File Data SMB Share Contributor" -Scope "/subscriptions/000-8888-7777/resourceGroups/$resourcegroup/providers/Microsoft.Storage/storageAccounts/$storageaccount"
I am getting:
Cannot find principle using specified options
The email you provide seems not to be the correct SignInName.
If you have access to Azure Active Directory, you may check the User Principal Name for this user and try it instead. In the case of my private subscription, it ended with onmicrosoft.com. If you use the User Principal Name, you should get the results you expect.
The error "Cannot find principle using specified options" usually occurs if you don't have the required privileges.
Make sure to run as an Administrator and login with Admin credentials to Azure AD.
I tried in my environment and got the same error when the role is missing, with an incorrect sign-in name, like below:
Please check whether the role you are trying to remove exists in the scope, like below:
Get-AzRoleAssignment -SignInName "UPN" | FL DisplayName, RoleDefinitionName, Scope
Ensure to give correct UPN (User Principal Name) of the user.
Make use of the above response to run the below command:
Remove-AzRoleAssignment -SignInName "UPN" -RoleDefinitionName "Storage File Data SMB Share Contributor" -Scope "Your_Scope"
Please recheck the scope you are providing.
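As an added example (not from the question or either answer), the script below combines the two answers' advice: it resolves the UPN to a directory object before touching any role assignment, confirms the assignment exists at exactly the given scope, and then removes it by object id, so Remove-AzRoleAssignment never has to look up a sign-in name. All ids and names are placeholders; it assumes Az.Accounts and Az.Resources and an already authenticated session (Connect-AzAccount locally, or the Automation account's identity in a runbook).

```powershell
# Added example, not the page's own code. Placeholders: UPN, subscription id, resource group, storage account.
$Upn            = 'john@example.com'                         # placeholder: the user's UPN, not a mail alias
$SubscriptionId = '00000000-0000-0000-0000-000000000000'     # placeholder
$ResourceGroup  = 'rg-example'                               # placeholder
$StorageAccount = 'stexample'                                # placeholder
$RoleName       = 'Storage File Data SMB Share Contributor'
$Scope          = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroup/providers/Microsoft.Storage/storageAccounts/$StorageAccount"

# Resolve the UPN first. "Cannot find principal" from Remove-AzRoleAssignment can mean either a
# wrong sign-in name or that the calling identity cannot read the directory; failing here
# separates the two causes, which is what the two answers above disagree about.
$user = Get-AzADUser -UserPrincipalName $Upn
if (-not $user) {
    throw "No user with UPN '$Upn' found: check the UPN (e.g. the onmicrosoft.com form) and the caller's directory read rights"
}

# Confirm the assignment exists at exactly this scope; Get-AzRoleAssignment also returns
# assignments inherited from parent scopes, which cannot be removed at the child scope.
$assignment = Get-AzRoleAssignment -ObjectId $user.Id -Scope $Scope -RoleDefinitionName $RoleName |
    Where-Object { $_.Scope -eq $Scope }

if (-not $assignment) {
    Write-Warning "No '$RoleName' assignment for $Upn at $Scope; nothing to remove"
    # Show what the user does hold, which is the check the second answer recommends.
    Get-AzRoleAssignment -ObjectId $user.Id | Format-List DisplayName, RoleDefinitionName, Scope
} else {
    # Removing by object id avoids the sign-in-name lookup entirely.
    Remove-AzRoleAssignment -ObjectId $user.Id -Scope $Scope -RoleDefinitionName $RoleName
    Write-Output "Removed '$RoleName' from $Upn at $Scope"
}
```

The scope filter matters in Automation scenarios: an assignment inherited from the resource group or subscription shows up in the query but produces the same "cannot find" style failure when you try to remove it at the storage account.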
Wrote the below script to get the MFA status for all admins.
Works well. But I want to run this using the credential of a service principal, and it looks like Connect-MsolService does not have an option to do that.
Alternatively, Connect-AzAccount has the option to do that, but in Az PowerShell I don't find a way to get the MFA details of the users.
Is there a way to get the MFA details of the user using service principal?
Connect-MsolService
$output_file_location = "c:\temp\azure_admins_mfa_status_"+$(get-date -f yyyy-MM-dd-HH-mm-ss)+".csv"
$admin_roles = "Company Administrator","Billing Administrator","Conditional Access Administrator","Exchange Service administrator","Helpdesk administrator","Password administrator","Security administrator","Sharepoint Service administrator"
# Gets all the members in the admin roles in the roles list above
# Gets the MFA status for each member
# Appends the below data points to a file specified in the $output_file_location variable
# DisplayName,E-mail,Role,MFA-Requirements, MFA-Methods, MFA-MethodsDefault
function get-mfs-status
{
    foreach ($roleName in $admin_roles)
    {
        write-output $roleName
        # Resolve the role name to its ObjectId, then list that role's members
        $members = Get-MsolRoleMember -RoleObjectId $(Get-MsolRole -RoleName $roleName).ObjectId
        foreach ($member in $members)
        {
            write-output $member.EmailAddress
            # Calculated properties build the CSV columns; the MFA fields come from
            # StrongAuthenticationRequirements / StrongAuthenticationMethods on the MSOL user object
            Get-MsolUser -UserPrincipalName $member.EmailAddress | select DisplayName, `
                @{N='E-mail';E={$_.UserPrincipalName}}, `
                @{N='Role';E={$roleName}}, `
                @{N='MFA-Requirements';E={($_.StrongAuthenticationRequirements.State)}}, `
                @{N='MFA-Methods';E={($_.StrongAuthenticationMethods.MethodType) -join ';'}}, `
                @{N='MFA-MethodsDefault';E={($_.StrongAuthenticationMethods | where IsDefault -eq $true).MethodType}} `
            | Export-Csv $output_file_location -Append -NoTypeInformation
        }
    }
}
get-mfs-status
• No, you cannot retrieve the MFA details of the users in an Azure AD using a service principal through PowerShell, because a service principal is generated for an instance of an Azure resource, not an identity which has already been assigned an Azure AD role regarding the scope that has been defined with it. Thus, an identity, such as that of an Azure AD administrator, has the scope of the whole subscription which hosts multiple tenants of your organization, and has been defined with some roles and assignments pertaining to that scope. You can create a service principal with that ID logged in to Azure PowerShell for the scope of your signed-in ID, but you cannot retrieve the MFA status of users in Azure AD, because when you pass the service principal in a variable to pass it as a credential and log in to Microsoft 365 online, it cannot actuate them to the identity credentials and M365 doesn’t consider it.
Also, to get the MFA details of the users, you must connect to MS Online; you cannot retrieve them through Azure AD. Even if you convert the service principal secret to plain text and pass it as a credential to connect to M365, it doesn’t consider it, nor does it actuate the credentials.
• Instead, if you log into Azure/M365 using your actual credentials, i.e., ID and password, you will be able to retrieve the details, provided you have the required role assignments and access.
Reference link for service principal usage: https://learn.microsoft.com/en-us/powershell/azure/create-azure-service-principal-azureps?view=azps-6.6.0
It's beta, but how about this:
https://learn.microsoft.com/en-us/graph/api/reportroot-list-credentialuserregistrationdetails?view=graph-rest-beta&tabs=http
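As an added example (not from the question or either answer), the script below shows how the beta report linked in the last answer can replace the MSOnline calls in the question's script: it signs in as a service principal with Az PowerShell, gets a Graph token for it, reads the members of the same admin roles from Graph, and writes the registration report rows for those users to CSV. The tenant id, application id and secret are placeholders; it assumes Az.Accounts 2.x, that the service principal has the application permissions Reports.Read.All and Directory.Read.All with admin consent, and that the Graph directory role names in `$admin_roles` map to the MSOnline names used in the question (Company Administrator is Global Administrator in Graph); the role-name mapping and the report field names are assumptions to confirm against the linked documentation.

```powershell
# Added example, not the question's or answers' code. Placeholders: tenant id, app id, secret.
$TenantId = '00000000-0000-0000-0000-000000000000'   # placeholder
$AppId    = '00000000-0000-0000-0000-000000000000'   # placeholder: service principal application id
$Secret   = Read-Host -AsSecureString 'Client secret'   # prompt rather than hard-coding the secret
$OutFile  = "c:\temp\azure_admins_mfa_status_" + (Get-Date -f yyyy-MM-dd-HH-mm-ss) + ".csv"

# Graph directoryRole display names (assumed mapping of the MSOnline names in the question).
$admin_roles = 'Global Administrator', 'Billing Administrator', 'Conditional Access Administrator',
               'Exchange Administrator', 'Helpdesk Administrator', 'Password Administrator',
               'Security Administrator', 'SharePoint Administrator'

$cred = New-Object System.Management.Automation.PSCredential($AppId, $Secret)
Connect-AzAccount -ServicePrincipal -Tenant $TenantId -Credential $cred | Out-Null

# Ask Az for a Graph token on behalf of the service principal; MSOnline has no equivalent.
# Newer Az.Accounts versions return Token as a SecureString; convert it if so.
$tok = (Get-AzAccessToken -ResourceUrl 'https://graph.microsoft.com').Token
if ($tok -is [securestring]) { $tok = ConvertFrom-SecureString -SecureString $tok -AsPlainText }
$headers = @{ Authorization = "Bearer $tok" }

# Follow @odata.nextLink so every page of a collection is read, not just the first.
function Get-GraphCollection([string]$Uri) {
    $items = @()
    while ($Uri) {
        $page  = Invoke-RestMethod -Method Get -Uri $Uri -Headers $headers
        $items += $page.value
        $Uri    = $page.'@odata.nextLink'
    }
    return $items
}

# Members of the admin roles, keyed by UPN, with the role name kept for the CSV.
$adminRole = @{}
foreach ($role in Get-GraphCollection 'https://graph.microsoft.com/v1.0/directoryRoles') {
    if ($admin_roles -notcontains $role.displayName) { continue }
    foreach ($m in Get-GraphCollection "https://graph.microsoft.com/v1.0/directoryRoles/$($role.id)/members") {
        if ($m.userPrincipalName) { $adminRole[$m.userPrincipalName] = $role.displayName }
    }
}

# Registration report for the whole tenant, reduced to the admins found above.
$report = Get-GraphCollection 'https://graph.microsoft.com/beta/reports/credentialUserRegistrationDetails'
$rows = $report | Where-Object { $adminRole.ContainsKey($_.userPrincipalName) } |
    Select-Object userDisplayName, userPrincipalName,
        @{ N = 'Role';           E = { $adminRole[$_.userPrincipalName] } },
        @{ N = 'isMfaRegistered'; E = { $_.isMfaRegistered } },
        @{ N = 'authMethods';    E = { $_.authMethods -join ';' } }

$rows | Export-Csv -Path $OutFile -NoTypeInformation
Write-Output "Wrote $(@($rows).Count) admin rows to $OutFile"
```

The report does not say which method is the user's default, so the MFA-MethodsDefault column of the original script has no counterpart here and is left out rather than guessed; the secret is read interactively so it never sits in the script or in the shell history.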
I'm trying to grant API Permissions on an App registration programmatically using Terraform.
I don't know how to get the id of the permission that I want to grant. I've tried copying and pasting a permission used elsewhere from the manifest file, but it doesn't look to be that simple.
This description of the setting is from the Terraform documentation.
id - (Required) The unique identifier for one of the OAuth2Permission or AppRole instances that the resource application exposes.
Does anyone know how to get the permission GUIDs that are used here? Are they specific to an app registration? I'm guessing so.
The id in the Terraform is not the one in your screenshot; in your screenshot, it is the consent display name of the permission, not the id, it just happens to be a GUID.
To get the id, you could use the AzureAD powershell as below.
For example, get the id of the xxx-nex-kv-access API delegated permission like your screenshot.
1. Find the service principal.
Get-AzureADServicePrincipal -SearchString "xxx-nex-kv-access"
The command will list all the service principals related to xxx-nex-kv-access; make sure which one you need, then copy its ObjectId and AppId. (If there is no result, you can use Get-AzureADServicePrincipal with no parameters to list all the service principals and find the one you need.)
2. Use the ObjectId to get the delegated permission.
$sp = Get-AzureADServicePrincipal -ObjectId "<ObjectId>"
$sp.Oauth2Permissions | select Id,AdminConsentDisplayName,Value
The Id is the one you want; in the Terraform, specify it like below.
required_resource_access {
  resource_app_id = "<AppId>"
  resource_access {
    id   = "<Id>"
    type = "Scope"
  }
}
Besides, you should notice that the type property has two values, Scope and Role: Scope is a Delegated permission and Role is an Application permission.
So if you want to add an Application permission, you need to use the command as below, then in the Terraform use type = "Role".
$sp = Get-AzureADServicePrincipal -ObjectId "<ObjectId>"
$sp.AppRoles | select Id,DisplayName,Value
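As an added example (not part of the original answer), the script below carries the two-step lookup above through in one run: it finds the resource application's service principal, looks up each wanted permission by its Value in Oauth2Permissions (delegated, type Scope) or AppRoles (application, type Role), and prints the matching required_resource_access block ready to paste into Terraform. The API name is the question's placeholder and the permission values are constructed; it assumes the AzureAD module and an existing Connect-AzureAD session.

```powershell
# Added example, not the original answer's code. Placeholders: API name and permission values.
$ApiName           = 'xxx-nex-kv-access'      # resource application name from the question
$DelegatedValues   = @('user_impersonation')  # constructed: delegated scope names wanted (type = "Scope")
$ApplicationValues = @()                      # constructed: app role names wanted (type = "Role")

# Step 1: find the service principal, and refuse to guess if the search is ambiguous.
$candidates = @(Get-AzureADServicePrincipal -SearchString $ApiName)
if ($candidates.Count -ne 1) {
    $candidates | Select-Object DisplayName, AppId, ObjectId | Format-Table
    throw "Expected exactly one service principal for '$ApiName', found $($candidates.Count); pick its ObjectId and use -ObjectId instead"
}
$sp = $candidates[0]

# Step 2: delegated permissions live in Oauth2Permissions (Scope), application permissions in
# AppRoles (Role). Match on Value (the name the portal shows) and keep the Id Terraform needs.
$entries = @()
foreach ($v in $DelegatedValues) {
    $p = $sp.Oauth2Permissions | Where-Object Value -eq $v
    if (-not $p) { throw "No delegated permission '$v' on $($sp.DisplayName)" }
    $entries += @{ Id = $p.Id; Type = 'Scope'; Value = $v }
}
foreach ($v in $ApplicationValues) {
    $p = $sp.AppRoles | Where-Object Value -eq $v
    if (-not $p) { throw "No application permission '$v' on $($sp.DisplayName)" }
    $entries += @{ Id = $p.Id; Type = 'Role'; Value = $v }
}

# Emit the block in the shape shown in the answer; resource_app_id is the AppId, not the ObjectId.
$hcl = @("required_resource_access {", "  resource_app_id = `"$($sp.AppId)`"")
foreach ($e in $entries) {
    $hcl += "  resource_access {"
    $hcl += "    id   = `"$($e.Id)`" # $($e.Value)"
    $hcl += "    type = `"$($e.Type)`""
    $hcl += "  }"
}
$hcl += "}"
$hcl -join "`n"
```

Matching on Value rather than on the display name avoids the confusion the answer points out, since the display name is what the screenshot showed and it only happens to look like a GUID; the comment after each id records which permission it is, which is worth keeping in the Terraform source for review.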