Is there a way to convert a Security or Microsoft 365 group to a Mail-enabled security group?
I tried to perform such a function, but it did not bring the proper result
Set-AzureADGroup -ObjectId $ObjectId -SecurityEnabled $true
Related
I have created Dynamic Group for assigning License to All Azure AD user automatically using powershell in production Environment.
Here is my script:
`New-AzureADMSGroup -DisplayName "us_demo_group" -Description " your Descriptions-MailEnabled $False -MailNickName "group" -SecurityEnabled $True -GroupTypes "DynamicMembership" -membershipRule "(user.department -contains ""Marketing"")" -membershipRuleProcessingState "On"
Add-AADGroupLicenseAssignment -groupId "a5e95316-1c03-44d7-afac-efd0e788122c" -accountSkuId "your skuid:FLOW_FREE"
`
My script is working fine, but when I tried to create a bulk users using Excel File, Users are not getting License, always showing **No License assignment Found **.
Any help is appreciated.
I tried to reproduce the same in my environment to assign the license to Azure AD user dynamically using power shell
I have created Azure dynamic group using powerShell, name-TestGroup1 with condition.
#Install AzureADLicensing Module
Install-Module -Name AzureADLicensing
#Import AzureADPreview
Import-Module AzureADPreview
#Connect to Azure AD
Connect-AzureAD
New-AzureADMSGroup -DisplayName "TestGroup1" -Description "This group contains information of users from us domain" -MailEnabled $False -MailNickName "group" -SecurityEnabled $True -GroupTypes "DynamicMembership" -membershipRule "(user.department -contains ""Finance"")" -membershipRuleProcessingState "On"
TestGroup1 created once execute the above code.
Assign the license to group, like below
#Get All License with SKUID
Get-AADGroupLicenseAssignment -All
You can fetch the group ID, like below.
#Assign License to Group
Add-AADGroupLicenseAssignment -groupId "GroupIDObject ID" -accountSkuId "Your SKUID"
Create bulk user in Azure Active Directory, like below.
Azure Portal > Default Directory > Users > Bulk Operations > Bulk Create
Make sure mention the department value for moving the users to dynamic group automatically.
Download the excel file and add the value in excel and save, like below.
Once add the value in excel and Upload the excel to Azure, like below.
Successfully created bulk- users with license in Azure AD.
You can view the users in assigned group.
License assigned to group users automatically.
Successfully assigned Azure license to created users.
I can't find a way to view all the group memberships of a service principal in Azure. I can of course see the service principal in the list of "Direct Members" from the perspective of the group.
For example:
myGroup123 has members -> Rob, John, and servicePrincipal9
If I look at "servicePrincipal9", I can't see that it is a member of "myGroup123"
Is there a way to find this info in the Portal? Via powershell? Via CLI?
Get the group membership of a group for a service principal
$Groups = New-Object Microsoft.Open.AzureAD.Model.GroupIdsForMembershipCheck
$Groups.GroupIds = (Get-AzureADGroup -Top 1).ObjectId
$SPId = (Get-AzureADServicePrincipal -Top 1).ObjectId
Select-AzureADGroupIdsServicePrincipalIsMemberOf -ObjectId $SPId -GroupIdsForMembershipCheck $Groups
OdataMetadata Value
------------- -----
https://graph.windows.net/85b5ff1e-0402-400c-9e3c-0f9e965325d1/$metadata#Collection(Edm.String) {093fc0e2-1d6e-4a1b-9bf8-effa0196f1f7}
Kindly go through the document and check if it helps.
Get the groups and directory roles that this servicePrincipal is a member of. This operation is transitive and will include all groups that this service principal is a nested member of from the following document
Get the groups and directory roles that this servicePrincipal is a direct member of. This operation is not transitive. Check this document
Powershell approach via a MSFT support engineer:
Get-AzureADServicePrincipalMembership -ObjectId <String> [-All <Boolean>]
Documentation: https://learn.microsoft.com/en-us/powershell/module/azuread/get-azureadserviceprincipalmembership?view=azureadps-2.0
I have an azure function, that is backed by managed identity.
On the same AD there is office 365 with a SharePoint site called "demonews".
How do I add permissions/add the managed identity to the group "demonews" such it can access the SharePoint API?
I tried Add Member on SharePoint site, I tried on AD Group to add a member. The dropdown do not find a managed identity.
I think this what you are looking for:
https://finarne.wordpress.com/2019/03/17/azure-function-using-a-managed-identity-to-call-sharepoint-online/
Essentially you will get the azure service principal for office 365 SharePoint as well as the roles.
#Get the sharePoint principal
$sharePoint = (Get-AzureADServicePrincipal -SearchString “Office 365 SharePoint”).ObjectId
#Get the Roles for that principal
$appRoles = Get-AzureADServicePrincipal -SearchString “Office 365 SharePoint” | %{$_.AppRoles}
#Find the specific role
$appRole = AppRoles.Where({ $_.Value -eq "Sites.Manage.All" }
#You will also need to get the service principal for your function app
#Get the function app object id
$myfunctionapp = (Get-AzureADServicePrincipal -SearchString “myfunctionapp”).ObjectId
#assign the role to the MSI for the sharepoint resource
New-AzureADServiceAppRoleAssignment -ObjectId $myfunctionapp -PrincipalId $myfunctionapp -ResourceId $sharePoint -Id $appRole
You can then use the local MSI endpoint and secret to obtain a token.
I have created a new custom AppRole in App Manifest and I want to assign this new AppRole to all the user's of the application. I researched on this and I find several links on how to assign new AppRole to a user using Powershell or Bash, but I need to assign new AppRole to all the users (nearly 1500 users) using a script. Does anyone have any idea how to do this ?
Below are few links I looked into, but it assign role to a single user:
https://learn.microsoft.com/en-us/powershell/module/azuread/new-azureaduserapproleassignment?view=azureadps-2.0
https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/assign-user-or-group-access-portal
You already looked at Azure Portal and the UI available and it isn't very well suited for bulk operations (only one role can be assigned at a time, users have to be selected one by one and there isn't a way to bulk select users based on some criteria etc.)
Following options might help you:
Assign a group to role instead of individual users
This requires a premium version of Azure AD. It's much more convenient not just for first time assignment but for managing overall.
Scripting/API options (PowerShell, CLI, Azure AD Graph API, Microsoft Graph API)
Idea will be to loop through all users (or desired subset of users based on some criteria) and assign the appropriate app role to them.
Here's a sample script for PowerShell.
Connect-AzureAD -TenantId <Your Tenant Id>
$app_name = "RolesWebApp"
$app_role_name = "Writer"
# Get the service principal for the app and app role
$sp = Get-AzureADServicePrincipal -Filter "displayName eq '$app_name'"
$appRole = $sp.AppRoles | Where-Object { $_.DisplayName -eq $app_role_name }
$users = Get-AzureADUser -Top 10
foreach ($user in $users)
{
# Assign the user to the app role
New-AzureADUserAppRoleAssignment -ObjectId $user.ObjectId -PrincipalId
$user.ObjectId -ResourceId $sp.ObjectId -Id $appRole.Id
}
Take a look at this SO thread where we discussed something very similar and has more details on each of the individual options.
Special note on Microsoft Graph API:
Even though for most scenarios it will be recommended to work with Microsoft Graph API instead of Azure AD Graph API. This particular functionality is only available in beta endpoint. So it would not be advisable to use it for any production code. Working with appRoleAssignments
my organization has around 2000 applications which are required to be configured With Azure AD SSO and for that they need to be registered and allowed access to users on Azure AD.
I know how to do it manually, but is there any way to automate this whole process so that, I can register the application and grant users access they required?
thank you
Dheeraj Kumar
You can automate creation with Microsoft Graph API or Azure AD Graph API (though you should prefer MS Graph when possible).
In this case since you have what is basically a batch scenario in your hands, I feel PowerShell might be a good option.
There is a PowerShell module for administering Azure AD:
https://learn.microsoft.com/en-us/powershell/azure/active-directory/install-adv2?view=azureadps-2.0
https://www.powershellgallery.com/packages/AzureADPreview/2.0.0.127
First you sign in with
Connect-AzureAD
Then we can create an Application:
$app = New-AzureADApplication -DisplayName 'Created from PS' -IdentifierUris #('https://mytenant.onmicrosoft.com/PSTest1')
Then we need to create the service principal, this is normally done by the portal:
$sp = New-AzureADServicePrincipal -AppId $app.AppId -AppRoleAssignmentRequired $true
Note the AppRoleAssignmentRequired parameter.
Setting it to true will require users to be assigned to the app before they can login.
If you don't want that, just leave it out.
Now we can assign users.
You will need a user's ObjectId to assign them to the app.
You can use Get-AzureADUser in various ways to get the users you want to assign.
But the assignment can then be done like this:
New-AzureADUserAppRoleAssignment -Id '00000000-0000-0000-0000-000000000000' -PrincipalId $user.ObjectId -ResourceId $sp.ObjectId -ObjectId $user.ObjectId
If you had specified roles in your app for users, you could use the role's id instead of all zeros.
All zeros translates to "Default access" in the portal.