I'm trying to import a CSV file to bulk-update service accounts and set their passwords to never expire in Azure. I think the loop is called foreach.
$connect = Connect-AzureAD -AccountId "$env:USERNAME@company.com"
Set-AzureADUser -ObjectId "test01@company.com" -PasswordPolicies DisablePasswordExpiration
Yes, use foreach to do the bulk operation.
Workaround follows:
# You can use the code below for the bulk operation.
# The CSV must contain a UserPrincipalName column; each row is piped into Set-AzureADUser.
Import-Csv "<user file>" | ForEach-Object {
    Set-AzureADUser -ObjectId $_.UserPrincipalName -PasswordPolicies DisablePasswordExpiration
}
Result: Changes applied in Azure AD
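The same bulk change with the checks a reviewer would want, as an added example (not the answer's code): rows whose UPN cannot be resolved are reported instead of silently skipped, each account's policy is read back after the change, and a CSV record of every account now exempt from expiry is written. It assumes an existing Connect-AzureAD session, a UserPrincipalName column in the CSV, and placeholder file paths.

```powershell
# Added example (not from the answer above): apply DisablePasswordExpiration from a CSV,
# report rows whose UPN cannot be resolved, and read each policy back so the change is verifiable.
# Assumes an existing Connect-AzureAD session; the CSV has a UserPrincipalName column; paths are placeholders.
$csvPath = 'C:\scripts\serviceaccounts.csv'
$logPath = 'C:\scripts\password-policy-changes.csv'

$results = foreach ($row in Import-Csv -Path $csvPath) {
    $upn = "$($row.UserPrincipalName)".Trim()
    if (-not $upn) { continue }   # ignore blank rows

    $user = Get-AzureADUser -Filter "userPrincipalName eq '$upn'" -ErrorAction SilentlyContinue
    if (-not $user) {
        [pscustomobject]@{ UserPrincipalName = $upn; Status = 'NotFound'; PasswordPolicies = $null }
        continue
    }

    try {
        Set-AzureADUser -ObjectId $user.ObjectId -PasswordPolicies DisablePasswordExpiration -ErrorAction Stop
        # Read the account back so the report reflects tenant state, not just the request we sent
        $after  = Get-AzureADUser -ObjectId $user.ObjectId
        $status = if ($after.PasswordPolicies -like '*DisablePasswordExpiration*') { 'Applied' } else { 'Unverified' }
        [pscustomobject]@{ UserPrincipalName = $upn; Status = $status; PasswordPolicies = $after.PasswordPolicies }
    } catch {
        [pscustomobject]@{ UserPrincipalName = $upn; Status = "Error: $($_.Exception.Message)"; PasswordPolicies = $null }
    }
}

# Keep a record of which accounts are now exempt from password expiry, then summarise by outcome
$results | Export-Csv -Path $logPath -NoTypeInformation
$results | Group-Object Status | Select-Object Name, Count
```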
I have to update a script that creates an application in Azure and subsequently uses it to traverse resources.
Among the commands to update is the one that creates a credential for the application just created.
$AppSPN = New-AzADServicePrincipal -DisplayName "Move_Validation_SPN"
Subsequently I need a credential to traverse the resources; according to the same Microsoft documentation, it can be created like this:
$creds = New-Object `
    -TypeName "Microsoft.Azure.PowerShell.Cmdlets.Resources.MSGraph.Models.ApiV10.MicrosoftGraphPasswordCredential" `
    -Property @{ 'DisplayName' = $name; 'StartDateTime' = $startDate; 'EndDateTime' = $endDate }
New-AzADAppCredential -ApplicationId $AppSPN.AppId -PasswordCredentials $creds
Here comes the question: when I create a token, how do I retrieve the password from the MicrosoftGraphPasswordCredential object, which is $creds?
$Token = Get-Token -TenantId $TenantId -SubscriptionID $SourceSub.Id -ApplicationID $AppSPN.appID -ApplicationKey $creds
From version 6.6.0, there are breaking changes in the New-AzADAppCredential cmdlet.
As mentioned in this MS Doc, the Az PowerShell cmdlets module moved from Azure AD Graph to Microsoft Graph. So, it is better to use the New-AzureADApplicationPasswordCredential cmdlet.
Workaround:
As mentioned here, there should be a mistake in the official doc: in the example, it uses the New, not Get. If you try New, it appears like the doc.
Source: New-AzureADApplicationPasswordCredential
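How the returned secret is handled matters more than which cmdlet creates it. The following is an added example (not the answer's or Microsoft's code) that creates a short-lived secret with New-AzureADApplicationPasswordCredential, reads the plaintext from its Value property exactly once into a SecureString, and signs in as the service principal with it. It assumes a Connect-AzureAD session, that $AppSPN.AppId holds the application (client) id from New-AzADServicePrincipal, and that $TenantId is already set.

```powershell
# Added example (not from the answer above). Assumes a Connect-AzureAD session,
# $AppSPN.AppId = the application (client) id, and $TenantId already set.
$app = Get-AzureADApplication -Filter "appId eq '$($AppSPN.AppId)'"

# Short lifetime limits the exposure window if the secret ever leaks
$start   = Get-Date
$pwdCred = New-AzureADApplicationPasswordCredential -ObjectId $app.ObjectId `
    -CustomKeyIdentifier 'move-validation' `
    -StartDate $start -EndDate $start.AddDays(30)

# .Value is the only place the plaintext is returned; convert it immediately and drop the plaintext copy
$secret = ConvertTo-SecureString -String $pwdCred.Value -AsPlainText -Force
$pwdCred.Value = $null

# The Az cmdlets take the secret as a PSCredential whose user name is the client id
$spCredential = New-Object System.Management.Automation.PSCredential ($AppSPN.AppId, $secret)
Connect-AzAccount -ServicePrincipal -Credential $spCredential -TenantId $TenantId

# Keep the KeyId: it is what Remove-AzureADApplicationPasswordCredential needs to revoke this secret later
"Created secret KeyId {0}, expires {1:u}" -f $pwdCred.KeyId, $pwdCred.EndDate
```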
I am preparing a report that contains all users' access levels, tenant-wise, from Azure.
Is there any one command or script to get all users' access levels from an Azure tenant?
That is a little bit tricky: the PS library for Azure is different from the PS library for AD. You must cross-reference the information.
You must get all users from your AD using the command below and save them in a variable:
$allUsers = Get-ADUser -Filter *
Now you can navigate through all subscriptions in your tenant, all resource groups and resources, and for each and every one get the IAM (which comes with the objectId of the user) and cross-reference it with the variable $allUsers to identify everyone.
The sample is not the best, but maybe it can help you:
Connect-AzAccount
$listIAM = New-Object System.Collections.ArrayList
$listSubscriptions = Get-AzSubscription
foreach($subscription in $listSubscriptions){
    Set-AzContext -SubscriptionId $subscription.SubscriptionId | Out-Null
    # Now you have all role assignments for this subscription
    # (@() gives an empty array when there are none; AddRange keeps one entry per assignment)
    $subscriptionIAM = @(Get-AzRoleAssignment -Scope "/subscriptions/$($subscription.SubscriptionId)")
    $listIAM.AddRange($subscriptionIAM)
    # Navigate into resource groups
    $listResourceGroups = Get-AzResourceGroup
    foreach($resourceGroup in $listResourceGroups){
        $rgIAM = @(Get-AzRoleAssignment -ResourceGroupName $resourceGroup.ResourceGroupName)
        $listIAM.AddRange($rgIAM)
        # Navigate into resources
        $listResources = Get-AzResource -ResourceGroupName $resourceGroup.ResourceGroupName
        foreach($resource in $listResources){
            $rIAM = @(Get-AzRoleAssignment -Scope $resource.ResourceId)
            $listIAM.AddRange($rIAM)
        }
    }
}
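The cross-referencing step the answer describes but does not show, as an added example (not the answer's code): it de-duplicates the collected assignments (a subscription-level assignment is returned again for every resource group and resource beneath it), joins each principal to the directory user list by UPN, and flags principals holding high-privilege built-in roles. It assumes $listIAM was filled by the traversal above and that $allUsers holds objects with a UserPrincipalName property (Get-ADUser and Get-AzureADUser both provide one); the output path is a placeholder.

```powershell
# Added example (not part of the answer above). Assumes $listIAM holds Get-AzRoleAssignment
# objects and $allUsers holds user objects with a UserPrincipalName property.
$highPrivilegeRoles = @('Owner', 'Contributor', 'User Access Administrator')

# Index directory users by UPN (case-insensitive) so each assignment can be matched to a user
$userByUpn = @{}
foreach ($u in $allUsers) {
    if ($u.UserPrincipalName) { $userByUpn[$u.UserPrincipalName.ToLowerInvariant()] = $u }
}

# Inherited assignments show up at every child scope queried, so de-duplicate on principal + role + scope
$unique = $listIAM | Where-Object { $_ } | Sort-Object ObjectId, RoleDefinitionId, Scope -Unique

$report = $unique | Group-Object ObjectId | ForEach-Object {
    $first = $_.Group[0]
    $upn   = if ($first.SignInName) { $first.SignInName.ToLowerInvariant() } else { $null }
    $roles = @($_.Group.RoleDefinitionName | Sort-Object -Unique)
    [pscustomobject]@{
        DisplayName       = $first.DisplayName
        PrincipalType     = $first.ObjectType          # User, Group or ServicePrincipal
        UserPrincipalName = $first.SignInName
        InDirectory       = [bool]($upn -and $userByUpn.ContainsKey($upn))
        Roles             = ($roles -join '; ')
        HighPrivilege     = [bool](@($roles | Where-Object { $highPrivilegeRoles -contains $_ }).Count)
        ScopeCount        = @($_.Group.Scope | Sort-Object -Unique).Count
        BroadestScope     = ($_.Group.Scope | Sort-Object { $_.Length })[0]   # shortest path = widest scope
    }
}

# Group assignments are not expanded here: members of a group that holds Owner inherit it,
# so rows with PrincipalType = Group need a separate membership review.
$report | Sort-Object HighPrivilege -Descending | Export-Csv -Path 'C:\scripts\azure-iam-report.csv' -NoTypeInformation
$report | Where-Object HighPrivilege | Format-Table DisplayName, PrincipalType, Roles, BroadestScope -AutoSize
```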
You can do this in either PowerShell or the Graph API. Both methods are in preview (the graph API calls are under the beta branch).
#Get the user
$userId = (Get-AzureADUser -Filter "userPrincipalName eq 'alice@contoso.com'").ObjectId
#Get direct role assignments to the user
$directRoles = (Get-AzureADMSRoleAssignment -Filter "principalId eq '$userId'").RoleDefinitionId
Prerequisites
AzureADPreview module when using PowerShell
Microsoft.Graph module when using PowerShell
Admin consent when using Graph Explorer for Microsoft Graph API
https://learn.microsoft.com/en-us/azure/active-directory/roles/list-role-assignments-users
Is there a way I can download a list of all the users in an Azure group to an Excel file? We have large Azure groups and want an easier way to send a list to a group of users for review. It would be even better if I could automate this procedure, maybe even email it to the users once a week.
I hope you can help!
Colin
You could directly bulk download the members of a group in your organization to a CSV file using Azure AD Portal. It seems the easiest way.
The other methods need to loop over all users in the group. The following is an example with PowerShell.
$group_ObjectId = ""   # object id of the group to export
$group = Get-AzureADGroup -ObjectId $group_ObjectId
$members = Get-AzureADGroupMember -ObjectId $group_ObjectId -All $true
# Export-Csv writes proper CSV rows; Write-Output with >> would produce space-separated text
$members | Select-Object @{n='Group';e={$group.DisplayName}}, ObjectId, ObjectType, UserType, UserPrincipalName |
    Export-Csv -Path C:\scripts\output.csv -NoTypeInformation
And create a weekly scheduled task with the Scheduled Tasks cmdlets. For more details, see here.
$action = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument '-File C:\scripts\getUserList.ps1'
$trigger = New-ScheduledTaskTrigger -Weekly -DaysOfWeek Saturday -At 3am
Register-ScheduledTask -Action $action -Trigger $trigger -TaskName "Task Name Here"
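A review list is only useful if it reflects effective membership, and the answer's loop stops at direct members. The following added example (not the answer's code) goes further: it expands nested groups recursively, guards against membership loops, records the path through which each member was inherited, and writes the result with Export-Csv so it can drop straight into the scheduled task above. It assumes a Connect-AzureAD session; the group object id and output path are placeholders.

```powershell
# Added example (not from the answer above). Assumes a Connect-AzureAD session;
# the group object id and output path are placeholders.
$groupObjectId = '<group object id>'
$outputPath    = 'C:\scripts\output.csv'

function Get-EffectiveMembers {
    param([string]$GroupId, [string]$Path, [hashtable]$Seen)
    foreach ($m in Get-AzureADGroupMember -ObjectId $GroupId -All $true) {
        if ($m.ObjectType -eq 'Group') {
            # Guard against membership loops (A contains B contains A)
            if (-not $Seen.ContainsKey($m.ObjectId)) {
                $Seen[$m.ObjectId] = $true
                Get-EffectiveMembers -GroupId $m.ObjectId -Path "$Path > $($m.DisplayName)" -Seen $Seen
            }
        } else {
            [pscustomobject]@{
                ObjectId          = $m.ObjectId
                ObjectType        = $m.ObjectType
                UserType          = $m.UserType           # Member or Guest for users
                UserPrincipalName = $m.UserPrincipalName
                DisplayName       = $m.DisplayName
                ViaGroup          = $Path                 # how the membership was inherited
            }
        }
    }
}

$group = Get-AzureADGroup -ObjectId $groupObjectId
$seen  = @{ $groupObjectId = $true }
# One row per principal; a member reachable via several paths keeps the first path found
$rows  = Get-EffectiveMembers -GroupId $groupObjectId -Path $group.DisplayName -Seen $seen |
    Sort-Object ObjectId -Unique

$rows | Export-Csv -Path $outputPath -NoTypeInformation
"{0}: {1} effective members ({2} guests)" -f $group.DisplayName, $rows.Count, @($rows | Where-Object UserType -eq 'Guest').Count
```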
I am calling a PowerShell script to add ADF to a Key Vault's access policies using the following command.
If I grant it through the portal UI, it works. What could be wrong with the following code, or should I use a different API?
$Id = (Get-AzureRmDataFactoryV2 -ResourceGroupName $ResourceGroupName -Name $DataFactoryName).Identity.PrincipalId
Write-Host "Add permissions to key vault"
Set-AzureRmKeyVaultAccessPolicy -VaultName $AKVName -ObjectId $Id -PermissionsToSecrets Get,Set
I get this error: Set-AzureRmKeyVaultAccessPolicy : 'AccessPolicies' exceeds maximum item count of '16'.
It should add permission to ADF for the given key vault
Thanks
I found my answer in the post below:
https://social.msdn.microsoft.com/Forums/azure/en-US/ee3ec74a-3103-4795-92fb-ee5ec5298d38/add-key-vault-access-policy-using-power-shell-does-not-work?forum=AzureKeyVault
I'm trying to create a system where PowerShell gathers data from multiple tenants and displays it in a report. One of the data points that needs to be checked is whether administrators have MFA enabled or not. In order to pull this data, I use the following:
$credentials = <credentials>;
Connect-MSOLService -Credential $credentials;
foreach ($role in Get-MsolRole) {
foreach ($adminUser in (Get-MsolRoleMember -All -RoleObjectId $role.ObjectId -MemberObjectTypes @("User"))) {
$isMFA = ($adminUser.StrongAuthenticationRequirements -match 'Microsoft.Online.Administration.StrongAuthenticationRequirement').Count -gt 0;
#Do stuff
}
}
This works. The problem is, this script is running in a queue-triggered Azure function. It is triggered on a timer, meaning all triggers will run simultaneously. When the first connection is made, all other data requests pull data from the same tenant.
Is there any way I can ensure each request makes its own connection, or limit the scope of the MSOL connection?
The only solution I can think of is running the scripts synchronously, but that would result in very poor performance.
Indeed, when triggered by a queue, it would seem that multiple runs of the same function aren't at all isolated.
One approach you can take is to wrap the PowerShell code that should run isolated into its own PowerShell job, using Start-Job. Here's an example I tested successfully.
# Receive queue message ($input is an automatic variable in PowerShell, so use a different name)
$message = Get-Content $queueItem -Raw
# Pass the input queue message as a parameter to a new job.
$job = Start-Job -ArgumentList $message -ScriptBlock {
param($queueMessage)
# Load the MSOnline PowerShell module
Import-Module $env:CONTOSO_PathToMSOnline
# Retrieve the credentials from where they're securely stored
$credentials = ... # e.g. get from Key Vault
# Connect to Azure AD. This connection is only used by this job.
Connect-MsolService -Credential $credentials
# Do something with MSOnline...
}
# Wait for the job to complete, receive results, then clean up.
Receive-Job -Wait -Job $job -AutoRemoveJob
Based on my testing, this should cover your isolation needs. However, do keep in mind that you're spinning up a whole new PowerShell host instance for this, which might have unintended consequences (e.g. greater memory usage, more time to load).
While I'm at it, I'd like to suggest a tweak to your process to identify admins who have per-user MFA enabled (assuming you don't want to double-count admins who are members of multiple roles):
# Iterate over all admins of all roles, and check if they have per-user MFA enabled.
$admins = @{} # To keep track of which admins we've already seen
foreach ($role in Get-MsolRole) {
    $roleMembers = Get-MsolRoleMember -All -RoleObjectId $role.ObjectId `
        -MemberObjectTypes @("User")
    foreach ($user in $roleMembers) {
        if ($admins.ContainsKey($user.ObjectId)) {
            continue # We've already seen this user (member of more than one role), skip it.
        }
        $admins[$user.ObjectId] = $true # Mark as admin we've seen
        # Determine if per-user MFA is enabled or enforced
        $isMfaEnabledOrEnforced = $user.StrongAuthenticationRequirements.Count -gt 0
        # Do something...
    }
}