I am updating all employees in Azure AD fields to have the same data from bamboo HR
but when I try to update the mobile phone it shows me an error do anyone have solution?
I tried this code to update the job title and display name and its works
Update-AzADUser -UPNOrObjectId $UserPrincipalName -JobTitle $jobTitle
but there is nothing called -Mobilephone
That field does seem to be missing as an option on Update-AzADUser but there is a -Mobile parameter on Set-AzureADUser from the AzureAD module. Once you have that installed, try:
Set-AzureADUser -ObjectId $UserPrincipalName -JobTitle $jobTitle -Mobile $Mobile
-- https://learn.microsoft.com/en-us/powershell/module/azuread/set-azureaduser?view=azureadps-2.0
Related
I'm hoping to use the updated graph powershell commands to be able to pull more information on deleted users.
I'm trying to use:
Get-AzureADUser -Filter "aad.IsDeleted eq 'True'"
but it returns the error:
The child type 'aaad.IsDeleted' in a cast was not an entitity type.
Ho do I filter for deleted accounts, if possible, so that I can also do a select to include additional parameters / attributes?
I'm hoping to be able to know when an account was deleted, a description, etc.
Moving some users to cloud only so we need to move them in AD to a container that is excluded from AD Connect. Then need to use a script to undelete them and validate licenses are still in use.
I know with
get-MsolUser -ReturnDeletedUsers
works, however I haven't been able to figure out how to return additional values / parameters / attributes.
It doesn't appear that Get-AzureADUser or Get-AzADUser have a way of filtering or returning deleted users. You can't even use -Filter as the property is not returned from the API call.
You can however workaround this slightly and call the API directly.
$result = Invoke-AzRestMethod -Uri 'https://graph.microsoft.com/beta/directory/deleteditems/microsoft.graph.user'
$jsonOutput = $result.content | ConvertFrom-Json
$jsonOutput.value | Select-Object id, displayName, mail, deletedDateTime
There are a couple of examples on github where people have written functions to assist with making those calls:
https://github.com/Azure/GuardrailsSolutionAccelerator/blob/0f3f4994c03d8e47d7d67bd790ba3b290f37560a/src/GUARDRAIL%202%20MANAGEMENT%20OF%20ADMINISTRATIVE%20PRIVILEGES/Audit/Check-DeletedAndDisabledUsers.psm1
and
https://github.com/Panzerbjrn/AzureGraphApiHelper/blob/4cd2dcd1067bdabd349b044f1760bb958d54179d/AzureGraphApiHelper/Functions/Get-AGDeletedUsers.ps1
• You can surely get all the details of the deleted Azure AD user accounts from your tenant through the below command. Also, you can use filter and attributes as shown below along with this command for sorting out specific details for a particular deleted user account: -
Command: -
Get-MsolUser -ReturnDeletedUsers -MaxResults 50 -EnabledFilter All | Export-Csv -Path C:\Users\v-kartikb\Downloads\Reatapp\delete4.csv ’
Output: -
Similarly, if you want to get any information regarding a specific user or search a user ID based on the search string, then please refer to the below commands: -
Get-MsolUser -ReturnDeletedUsers | FL UserPrincipalName,ObjectID
Get-MsolUser –ReturnDeletedUsers –SearchString <User UPN>| FLUserPrincipalName,ObjectID
Also, do ensure that you will have to sign into Microsoft Office 365 service for executing the above commands successfully by executing the below command successfully: -
Connect-MsolService
Also, you can get the details of any deleted user if you have the object ID with you by executing the below Azure AD command through powershell: -
Connect-AzureAD
Get-AzureADMSDeletedDirectoryObject -Id <ObjectID>
Output: -
Please find the below link for more details regarding the above commands: -
http://ajaxtechinc.com/question/manage-delete-users-office-365-recycle-bin/
This can be accomplished using the graph api and the Azure CLI for auth
$deletedUsers = az rest `
--method "GET" `
--url "https://graph.microsoft.com/v1.0/directory/deletedItems/microsoft.graph.user" `
--headers "Content-Type=application/json" | ConvertFrom-Json
I'm looking some Azure SQL security alerts for a "login from a domain not seen in 60 days", however it's listed in the following format (not actual identifier)
f96bd1cf-beb7-4e82-89cc-3d7e76f1cf3c#1ed9389a-f140-4cfd-9f02-c5a6a78c2770
How would I resolve this to an actual readable username?
thanks in advance
You can try PowerShell commandlet to get ObjectId details, use Get-AzureADObjectByObjectId and Get-AzureADUserCreatedObject -ObjectId as below:
In your case
f96bd1cf-beb7-4e82-89cc-3d7e76f1cf3c#1ed9389a-f140-4cfd-9f02-c5a6a78c2770
: the first part is the id and second is tenant
Your Tenant ID should appear under Basic information.
Further Get-AzureADUserCreatedObject cmdlet gets objects created by a user in Azure Active Directory (AD)
I am trying to get a list of users' emails from o365 using graph API. I am able to get the complete list using following API https://graph.microsoft.com/v1.0/users?$select=mail
The problem is o365 contains multiple domains and I want to list users from specific domains only.
Is there a way to do this?
You do not specify a domain. The service will determine the domain based on the access token that is provided with the request.
You can fetch this using an advanced Graph query filter. Please refer microsoft documentation https://learn.microsoft.com/en-us/graph/aad-advanced-queries
Use the header ConsistencyLevel and its value as eventual and pass the filter endsWith(mail,' your domain name') in your API call.
Refere the image
Sadly the endsWith query-filter ist not supported yet. But there is a way around it, it's not so elegant since we're first getting all the users and then reselect the ones with the specific domain:
Connect-MgGraph -Scopes "User.Read.All"
$DisabledDomainUsers = Get-MgUser -Filter 'accountEnabled eq false' -All | Where-Object {$_.Mail -like "*#domain.ch"}
The following Modules are needed to use the commands above:
Install-Module Microsoft.Graph -Scope CurrentUser
Install-Module Microsoft.Graph.Users -Scope CurrentUser
I am running an Azure Powershell task in Azure DevOps.
Inside the script I use the following command
Get-AzureRmADUser -UserPrincipalName $adusernameNewPermission
But my Release pipeline fails with following error code
##[error]Value cannot be null.
Parameter name: token
First I thought that the command didn't have the right context or enough permission so I've added the defaultprofile.
Get-AzureRmADUser -DefaultProfile (Get-AzureRmContext) -UserPrincipalName $adusernameNewPermission
The GetAzureRmContext did go to the right context if I print the output of that command.
The command itself didn't had any problem when running locally (with my own user account) So the only reason I think its heading is that the service connection doesn't have the right to perform that action. But my user account has the least permissions on the tenant whilst the service connnection in azure devops has much more permissions.
It's driving me crazy where the problem lays with this one. Which token does it mean ? No reasonable error message :(
Does someone encounter the same problem or knows what I am missing ?
PS: the $adusernameNewPermission variable works like I said the exact same code runs perfectly on my local machine with the only difference being the user that is logged in.
Did you try using Get-azureaduser instead? This is a command that requires the function to be authenticated against Azure AD.
$azurePassword = ConvertTo-SecureString $env:client_secret -AsPlainText -Force
$psCred = New-Object System.Management.Automation.PSCredential($env:clientid , $azurePassword)
Connect-AzAccount -Credential $psCred -TenantId $env:tenantid -ServicePrincipal
If you're using the Script Type of "Script File Path," check that you're not trying to pass in any arguments (such as -token).
I'd try 2 things to get back to basics. This will let you know if it is actually the AzDO Service Principal or not and the type of object to use in the pipeline.
Test the functionality of the command in its simplest form and run it with the account as a string:
Get-AzureRmADUser -UserPrincipalName "achahbar#stankoverflow.com"
#OR
$UPN = "achahbar#stankoverflow.com"
Get-AzureRmADUser -UserPrincipalName $UPN
Assuming this works and depending on what your variable contains you simply need to pass the the UPN/Email object into the command:
Get-AzureRmADUser -UserPrincipalName $adusernameNewPermission.UPN
If this doesn't work pdate your task to Version 4 (Preview) and update your commands to Get-AzADUser and test step 1. again
I fixed this issue by changing the service connection in Azure DevOps that was created with a managed identity. I created a new service connection with a service principal and this doesn't gave me any errors about the value token. Hope any person who looks for this issue in the future got an answer by this.
Removing an AppRole from an Application’s manifest produces a 400 Bad Request with the error
Property value cannot be deleted unless it is disabled first.
When I set the isEnabled property to false and then hit save, I get a successful saven with a 200 OK looking at the browsers developer tools:
After reloading the Edit manifest screen the isEnabled property is still true and if you look at the PUT response in the browsers developer tools, it's coming back as true there too.
How can I remove an appRole without having to delete and recreate the entire application?
Update
I've raised the following bug.
This bug is fixed now. All you have to do is set isEnabled to false and save. Then you can delete the role and save again. A Work-around is not necessary.
To Delete the Application Role:
Go to application Manifest.
App Role you want to delete, change the value of isEnabled to false.
Save the manifest.
Delete the that approle.
Again save it.
Until this gets fixed, there two options to work around this issue:
Using Azure AD PowerShell, you can disable and then remove the app role. Here's a sample script that would achieve this:
$appId = "83d7d56d-6e64-4791-b8e8-9a8da8dd957e"
$appRoleValue = "app-role-value" # i.e. the scope
Connect-AzureAD
# Disable the AppRole
$app = Get-AzureADApplication -Filter "appId eq '$appId'"
($app.AppRoles | Where-Object { $_.Value -eq $appRoleValue }).IsEnabled = $false
Set-AzureADApplication -ObjectId $app.ObjectId -AppRoles $app.AppRoles
# Remove the AppRole
$toRemove = $app.AppRoles | Where-Object { $_.Value -eq $appRoleValue }
$app.AppRoles.Remove($toRemove) | Out-Null
Set-AzureADApplication -ObjectId $app.ObjectId -AppRoles $app.AppRoles
An alternative option is to user the Azure AD Graph Explorer and issue two PATCH requests on the Application object. The first PATCH request should set the app role's isEnabled attribute to false. The second PATCH request can then remove the app role (i.e. include all existing app roles except the disabled one).
It seems a bug in new portal . The save operation doesn't save isEnabled to false on server side . Any feedback , you could post to here .
Currently , you could use Azure AD classic portal to modify the app roles in manifest(download the manifest and then upload manifest that changed) . Delete app roles in classic portal works fine in my environment . Please let me know if it helps.
I have had the same error message Property value cannot be deleted unless it is disabled first. because I have created the scope on one page page and tried to add it manually in the Manifest on another web page. Little I knew the manifest was updated automatically and I just needed to reload it.
You cannot delete the assigned roles which are enabled, you first have to set the flag isEnable to false and save the manifest for the roles which you want to delete like this -->"isEnabled": false in the manifest and now try to delete the whole appRoles part.
This is a two-step process but works.
Navigate to your Application
Go to App Roles
Click on the app role display name
Untick the checkbox to disable the Role
Go back to the manifest and make changes to the appRoles section as you need
Save and it should be updated