I want to find ObjectId of a user, but I can't use Get-AzADUser module as I don't have privilege to install this module.
Get-AzRoleAssignment, Get-AzContext is accessible to me
Is there any other way to find ObjectId of a user with any other module.
Any help would be GREATLY appreciated
I agree with Ceeno Qi-MSFT. Alternatively, you can also use below approach:
I tried to reproduce the same environment and got the below results:
To get the ObjectId of a user in Azure, you can make use of AzureAD module:
Install-Module AzureAD -Scope CurrentUser
Connect-AzureAD
You can make use of either one of the below commands to retrieve ObjectID:
Get-AzureADUser -ObjectId "XXX#***.onmicrosoft.com"
OR
Get-AzureADUser -Filter "userPrincipalName eq 'XXX#***.onmicrosoft.com'"
Response:
You can make use of Microsoft Graph API to retrieve the Azure AD Users ObjectID:
GET https://graph.microsoft.com/v1.0/users/ruk#imukhan1998gmail.onmicrosoft.com?$select=id
During my test, you could run the Azure Powershell task with the command Get-AzADUser -DisplayName <String> to query the oid.
================================================================
Update on 11/22
You could also test to use the az command of az ad user list [--display-name] with local cli.
And it could also be put in Azure DevOps pipeline.
Related
we had an azure tenant.
we opened a new one, and passed our users to the new tenant and then added our users to the old tenants as guests.
Passing means that we deleted our users from the first tenant, then we migrated the domain to the new tenant and we created the users with the same properties in the new tenant.
since then every time we try to connect to azure using powershell with the commend Connect-azaccount -TenantId we get the following error:
Unable to acquire token for tenant '***' with error 'SharedTokenCacheCredential authentication unavailable. No account matching the specified username: *** tenantId: *** was found in the cache.'
does someone knows hoe to fix this?
thank you
we have tried every thing we found online.
we tries clear-azcontext, deleting the certificated from our machines, deleting powershell and reinstalling, etc...
Unable to acquire token for tenant xxx with error SharedTokenCacheCredential authentication unavailable. No account matching the specified username: xxx tenantId: xxx was found in the cache
The error usually occurs if the user is not present in the tenant you are trying to sign-in.
To check the error in detail, you can try debugging like below:
$DebugPreference = "Continue"
Connect-AzAccount -TenantID XXXX
Based on the debug details, you can check which Tenant is the user being connected to or any user details.
Try to connect with Subscription ID like below:
Connect-AzAccount -Subscription SubscriptionID -TenantId TenantID
Check if the user is having MFA enabled and try connecting with Global Admin account. And it might be the scenario where the account might be still cached in the local machine, so try if it works in another machine.
You can also make use of Device Authentication like below:
Connect-AzAccount -Tenant TenantID -UseDeviceAuthentication
Open the browser and enter the code:
Make sure to install the Az module like below:
Initially clear the cache and try to install by setting execution policy
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned
Install-Module Az
Import-Module Az
Update-Module -Name Az
Check whether the user account in the Tenant has required permissions to the subscription.
Try to select the Context in PowerShell:
Get-AzContext -ListAvailable
Select-AzContext -Name Name
Or you can set context to the SubscriptionID by including TenantID:
Set-AzContext -Subscription $subscription -Tenant $tenantId | Out-null
If still the issue persists, it might be some environment problem while migrating the domain.
For me the problem seemed to be related to using a "legacy" account (or whatever they're called). Making and using a new account seemed to resolve the issue for me.
I am running an Azure Powershell task in Azure DevOps.
Inside the script I use the following command
Get-AzureRmADUser -UserPrincipalName $adusernameNewPermission
But my Release pipeline fails with following error code
##[error]Value cannot be null.
Parameter name: token
First I thought that the command didn't have the right context or enough permission so I've added the defaultprofile.
Get-AzureRmADUser -DefaultProfile (Get-AzureRmContext) -UserPrincipalName $adusernameNewPermission
The GetAzureRmContext did go to the right context if I print the output of that command.
The command itself didn't had any problem when running locally (with my own user account) So the only reason I think its heading is that the service connection doesn't have the right to perform that action. But my user account has the least permissions on the tenant whilst the service connnection in azure devops has much more permissions.
It's driving me crazy where the problem lays with this one. Which token does it mean ? No reasonable error message :(
Does someone encounter the same problem or knows what I am missing ?
PS: the $adusernameNewPermission variable works like I said the exact same code runs perfectly on my local machine with the only difference being the user that is logged in.
Did you try using Get-azureaduser instead? This is a command that requires the function to be authenticated against Azure AD.
$azurePassword = ConvertTo-SecureString $env:client_secret -AsPlainText -Force
$psCred = New-Object System.Management.Automation.PSCredential($env:clientid , $azurePassword)
Connect-AzAccount -Credential $psCred -TenantId $env:tenantid -ServicePrincipal
If you're using the Script Type of "Script File Path," check that you're not trying to pass in any arguments (such as -token).
I'd try 2 things to get back to basics. This will let you know if it is actually the AzDO Service Principal or not and the type of object to use in the pipeline.
Test the functionality of the command in its simplest form and run it with the account as a string:
Get-AzureRmADUser -UserPrincipalName "achahbar#stankoverflow.com"
#OR
$UPN = "achahbar#stankoverflow.com"
Get-AzureRmADUser -UserPrincipalName $UPN
Assuming this works and depending on what your variable contains you simply need to pass the the UPN/Email object into the command:
Get-AzureRmADUser -UserPrincipalName $adusernameNewPermission.UPN
If this doesn't work pdate your task to Version 4 (Preview) and update your commands to Get-AzADUser and test step 1. again
I fixed this issue by changing the service connection in Azure DevOps that was created with a managed identity. I created a new service connection with a service principal and this doesn't gave me any errors about the value token. Hope any person who looks for this issue in the future got an answer by this.
I currently try to migrate an existing PowerShell script that uses the old MSOnline PowerShell module to the AzureAD (V2) module. I am able to replace most of the cmdlets but I don't find a replacement for the Get-MsolUserRole cmdlet to retrieve administrator roles for a specific user.
The similar AzureAD (V2) cmdlets doesn't allow me to query the roles by the objectId of the user (they require the role objectid).
Any suggestions?
The closest equivalent is Get-AzureADUserMembership, but since this will also include other membership (e.g. group memberships), you will need to filter the results down to only directory roles:
Get-AzureADUserMembership -ObjectId "user#example.com" -All $true `
| Where-Object { $_.ObjectType -eq "Role" }
I have checked in every possible area in the classic Azure portal but I can't seem to find the "Global Administrator" for the directory to which I belong.
Is there a way to find this out in the portal?
You should be able to look up the company administrators in your tenant by making two queries to the AAD or Microsoft Graph API.
The first query will allow you to identify the objectId of the "Company Administrator" role in your tenant.
https://graph.windows.net/<tenant>/directoryRoles
Then you need to find the directoryRole where "roleTemplateId": "62e90394-69f5-4237-9190-012177145e10", and save the objectId.
Next you can query the members of that directoryRole using the following:
https://graph.windows.net/<tenant>/directoryRoles/<objectId>/members
Try it all out using the Graph Explorer, and it's demo Tenant:
Query 1
Query 2
Let me know if this helps!
Global Administrators are also called Company Administrators. The following PowerShell script can help you print out all your Company Administrators. The Install-Module is included in case you do not already have the AzureAD PS Module installed.
# Install-Module AzureAD
Connect-AzureAD -TenantID [Your Tenant ID]
$role = Get-AzureADDirectoryRole | Where-Object {$_.displayName -eq 'Company Administrator'}
Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId | Get-AzureADUser
Currently there's no way on the portal, however using PowerShell, enter the following code:
Connect-MsolService #to connect to your Azure tenant
Get-MsolRoleMember -RoleObjectId (Get-MsolRole -RoleName "Company Administrator").ObjectId
I need to wire up a stateless worker ad-hoc to perform a long running job based off a user action that self destructs when its done. I am trying to run New-AzureRmResourceGroupDeployment from within a PoSh Function App and cannot figure out how to authenticate to Azure from within the PoSh script.
I tried this:
$accountName = "myID#mydomain.com"
$pwd = ConvertTo-SecureString "password" -AsPlainText -Force
$cred = new-object PSCredential($accountName, $pwd)
Add-AzureRmAccount -Credential $cred
New-AzureResourceGroupDeployment -ResourceGroupName yadda yadda
And I get an error message that I need to use an Organization ID (which I am, our Azure AD is federated and we use AD Sync (and SiteMinder w/o WS-* if that matters)):
Add-AzureRmAccount : -Credential parameter can only be used with Organization ID credentials. For more information, please refer to http://go.microsoft.com/fwlink/?linkid=331007&clcid=0x409 for more information about the difference between an organizational account and a Microsoft account.
I tried "Login-AzureRMAccount -Credential $cred" with similar results.
If I do the Add- or Login- cmdlets from a PoSh window on my local machine (which is member joined to AD) with the -Credential flag I get a similar error. If I run the cmdlets without the credential I am prompted for credentials through an interactive ID/PW window (I do not have to enter my password once I type in my ID).
Does anyone know how I can do the authentication? I would be okay with authenticating like above, some sort of pass through credential from our web layer, or even an Option C I don't know about.
You will need to use service principal for authentication. A sample with instructions can be found here.
Azure Function role like permissions to Stop Azure Virtual Machines
For that you would need to use Service Principal auth. I don't think there is any sense of copypasting Azure Doc's to this answer, just consult this document:
https://learn.microsoft.com/en-us/azure/azure-resource-manager/resource-group-authenticate-service-principal