I need to find all the groups owned by a user. I can see all the groups the user is a member of, but to find the owner I have to go one by one.
On the MS doc, it seems it's possible to filter by "User type", but I don't have that option in the search box. Maybe I'm missing a permission myself?
Or there is another way of doing it?
To find all the Azure AD groups owned by a specific user, you can make use of below PowerShell cmdlet:
Get-AzureADUserOwnedObject -ObjectId xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx | Select-Object ObjectID, ObjectType, DisplayName
I tried to reproduce the same in my environment and got the groups owned by that user successfully like below:
Alternatively, you can also make use of Microsoft Graph Explorer.
Query:
GET https://graph.microsoft.com/v1.0/users/user_object_id/ownedObjects?$select=displayName,id
Reference:
Get-AzureADUserOwnedObject (AzureAD) | Microsoft Docs
List ownedObjects - Microsoft Graph v1.0 | Microsoft Docs
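As an added example (not part of the answer above, and not Microsoft's code): ownedObjects returns every directory object the user owns, applications and service principals included, so a practitioner who only wants groups can cast the collection to microsoft.graph.group and follow @odata.nextLink for users who own more than one page. This assumes an Az session (Connect-AzAccount) so that Invoke-AzRestMethod can call Graph; the user object id in the usage line is a placeholder, and the Kind column is my own classification from securityEnabled/mailEnabled/groupTypes.

```powershell
# Added example, not from the original answer. Assumes Az.Accounts with Connect-AzAccount done.
function Get-GraphCollection {
    # Follows @odata.nextLink until the Graph collection is exhausted
    param([Parameter(Mandatory)] [string] $Uri)
    while ($Uri) {
        $resp = Invoke-AzRestMethod -Method GET -Uri $Uri
        if ($resp.StatusCode -ne 200) { throw "Graph returned $($resp.StatusCode): $($resp.Content)" }
        $page = $resp.Content | ConvertFrom-Json
        $page.value                          # emit this page's items
        $Uri = $page.'@odata.nextLink'       # $null on the last page ends the loop
    }
}

function Get-GroupsOwnedByUser {
    param([Parameter(Mandatory)] [string] $UserId)   # object id or UPN of the owner
    # The /microsoft.graph.group cast narrows ownedObjects to groups only
    $uri = "https://graph.microsoft.com/v1.0/users/$UserId/ownedObjects/microsoft.graph.group" +
           "?`$select=id,displayName,securityEnabled,mailEnabled,groupTypes&`$top=100"
    Get-GraphCollection -Uri $uri | ForEach-Object {
        [pscustomobject]@{
            Id          = $_.id
            DisplayName = $_.displayName
            # Security groups are the ones that matter for RBAC / role-assignment reviews
            Kind        = if ($_.groupTypes -contains 'Unified') { 'Microsoft 365' }
                          elseif ($_.securityEnabled)            { 'Security' }
                          elseif ($_.mailEnabled)                { 'Distribution' }
                          else                                   { 'Other' }
        }
    }
}

# Usage (object id is a placeholder):
# Get-GroupsOwnedByUser -UserId '00000000-0000-0000-0000-000000000000' | Format-Table
```

The cast is what keeps owned applications and service principals out of the result; without it the same loop returns everything the user owns.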
Within Azure, we set up our OATH2.0 credentials in AAD with three separate AppRegistrations.
I will be referring to these below.
1: Client : this is the main registration.
2: Read: This one holds the AppRole 'Read'
3: Write: This one holds the AppRole 'Write'
Here are some pictures to clarify:
3 Registrations
AppRole inside Read:
I am trying to automate adding these last two as API permissions to the first one with PowerShell.
I have found the command Add-AzADAppPermission and took a good look at the documentation here: https://learn.microsoft.com/en-us/powershell/module/az.resources/add-azadapppermission?view=azps-9.3.0
However, either I am missing something, or maybe this cannot be done with custom app registrations?
I keep getting the message
"Resource does not exist or one of its queried reference-property objects are not present."
I have checked that I am on the correct Tenant, and I have sufficient rights.
There are four parameters to consider, some clearer to me than others.
APIid: Which I assume, based on the documentation, should be Client.AppId
ApplicationId: Could be the ObjectId / ApplicationId from Read, but perhaps it's from its corresponding ServicePrincipal (External Application)? The documentation is not very clear on this one.
ObjectId: Can replace ApplicationId, but I have the exact same question. The documentation does not specify anything other than "The unique identifier in Azure AD."
PermissionId: The documentation says but in the examples they use Guids. I have seen other examples with Strings like "User.Read", so I figure this could be my DisplayName from the appRole inside my Read / Write AppRegistrations.
I've looked for other examples beside the documentation, but so far I've found only examples regarding Built-in appRoles in MsGraph.
The fact that the message is twofold (either it is not there OR something is missing) does not help either.
Bottom line is, I can't figure out which Guid goes where.
I have tried numerous combinations of parameters and AAD GUIDs, be it ObjectIds and AppIds from both AppRegistrations and their respective Service Principals.
I tried to reproduce the same in my environment and got the same error as below:
Note that: by using Add-AzADAppPermission, one can add the API permissions to the Application, but it is not possible to add custom roles as API permissions.
Add-AzADAppPermission -ObjectId ObjectID -ApiId APIIdofthepermissions -PermissionId GUIDofAPIPermission
I am trying to add Group.Read.All Microsoft Graph API permission like below:
Add-AzADAppPermission -ObjectId ObjectID -ApiId 00000003-0000-0000-c000-000000000000 -PermissionId 5f8c59db-677d-491f-a6b8-5f174b11ec1d
I'm hoping to use the updated graph powershell commands to be able to pull more information on deleted users.
I'm trying to use:
Get-AzureADUser -Filter "aad.IsDeleted eq 'True'"
but it returns the error:
The child type 'aaad.IsDeleted' in a cast was not an entitity type.
How do I filter for deleted accounts, if possible, so that I can also do a select to include additional parameters / attributes?
I'm hoping to be able to know when an account was deleted, a description, etc.
Moving some users to cloud only so we need to move them in AD to a container that is excluded from AD Connect. Then need to use a script to undelete them and validate licenses are still in use.
I know with
get-MsolUser -ReturnDeletedUsers
works, however I haven't been able to figure out how to return additional values / parameters / attributes.
It doesn't appear that Get-AzureADUser or Get-AzADUser have a way of filtering or returning deleted users. You can't even use -Filter as the property is not returned from the API call.
You can however workaround this slightly and call the API directly.
$result = Invoke-AzRestMethod -Uri 'https://graph.microsoft.com/beta/directory/deleteditems/microsoft.graph.user'
$jsonOutput = $result.content | ConvertFrom-Json
$jsonOutput.value | Select-Object id, displayName, mail, deletedDateTime
There are a couple of examples on github where people have written functions to assist with making those calls:
https://github.com/Azure/GuardrailsSolutionAccelerator/blob/0f3f4994c03d8e47d7d67bd790ba3b290f37560a/src/GUARDRAIL%202%20MANAGEMENT%20OF%20ADMINISTRATIVE%20PRIVILEGES/Audit/Check-DeletedAndDisabledUsers.psm1
and
https://github.com/Panzerbjrn/AzureGraphApiHelper/blob/4cd2dcd1067bdabd349b044f1760bb958d54179d/AzureGraphApiHelper/Functions/Get-AGDeletedUsers.ps1
You can surely get all the details of the deleted Azure AD user accounts from your tenant through the below command. Also, you can use filters and attributes as shown below along with this command to sort out specific details for a particular deleted user account:
Command:
Get-MsolUser -ReturnDeletedUsers -MaxResults 50 -EnabledFilter All | Export-Csv -Path C:\Users\v-kartikb\Downloads\Reatapp\delete4.csv
Similarly, if you want to get any information regarding a specific user, or search for a user ID based on a search string, then please refer to the below commands:
Get-MsolUser -ReturnDeletedUsers | FL UserPrincipalName,ObjectID
Get-MsolUser -ReturnDeletedUsers -SearchString <User UPN> | FL UserPrincipalName,ObjectID
Also, do ensure that you sign in to the Microsoft Office 365 service before executing the above commands, by running the below command successfully:
Connect-MsolService
Also, you can get the details of any deleted user if you have the object ID with you, by executing the below Azure AD command through PowerShell:
Connect-AzureAD
Get-AzureADMSDeletedDirectoryObject -Id <ObjectID>
Please find the below link for more details regarding the above commands:
http://ajaxtechinc.com/question/manage-delete-users-office-365-recycle-bin/
This can be accomplished using the graph api and the Azure CLI for auth
$deletedUsers = az rest `
--method "GET" `
--url "https://graph.microsoft.com/v1.0/directory/deletedItems/microsoft.graph.user" `
--headers "Content-Type=application/json" | ConvertFrom-Json
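As an added example (not part of the answers above, and not from the linked GitHub projects): the Invoke-AzRestMethod call in the first answer only reads the first page of deleted users and does not cover the restore step the question mentions. This version follows @odata.nextLink, reports how many days remain before the soft-deleted account is purged (users are permanently removed 30 days after deletion), and restores a user through the deletedItems restore action. It assumes an Az session (Connect-AzAccount) whose account can read and restore directory deleted items; the contoso.com domain in the usage lines is a placeholder.

```powershell
# Added example, not from the original answers. Assumes Az.Accounts with Connect-AzAccount done.
function Get-DeletedAadUsers {
    param([int] $PageSize = 100)
    $uri = "https://graph.microsoft.com/v1.0/directory/deletedItems/microsoft.graph.user" +
           "?`$select=id,displayName,userPrincipalName,mail,deletedDateTime&`$top=$PageSize"
    $now = (Get-Date).ToUniversalTime()
    while ($uri) {
        $resp = Invoke-AzRestMethod -Method GET -Uri $uri
        if ($resp.StatusCode -ne 200) { throw "Graph returned $($resp.StatusCode): $($resp.Content)" }
        $page = $resp.Content | ConvertFrom-Json
        foreach ($u in $page.value) {
            $deletedAt = ([datetime]$u.deletedDateTime).ToUniversalTime()
            [pscustomobject]@{
                Id                = $u.id
                DisplayName       = $u.displayName
                UserPrincipalName = $u.userPrincipalName
                Mail              = $u.mail
                DeletedDateTime   = $deletedAt
                # Soft-deleted users are purged 30 days after deletion; after that a restore is impossible
                DaysUntilPurge    = [math]::Max(0, 30 - [math]::Floor(($now - $deletedAt).TotalDays))
            }
        }
        $uri = $page.'@odata.nextLink'   # $null on the last page ends the loop
    }
}

function Restore-DeletedAadUser {
    param([Parameter(Mandatory)] [string] $Id)   # object id of the soft-deleted user
    $resp = Invoke-AzRestMethod -Method POST -Uri "https://graph.microsoft.com/v1.0/directory/deletedItems/$Id/restore"
    if ($resp.StatusCode -ne 200) { throw "Restore of $Id failed ($($resp.StatusCode)): $($resp.Content)" }
    $resp.Content | ConvertFrom-Json | Select-Object id, displayName, userPrincipalName
}

# Usage (domain is a placeholder):
# Get-DeletedAadUsers | Sort-Object DaysUntilPurge | Format-Table
# Get-DeletedAadUsers | Where-Object UserPrincipalName -like '*@contoso.com' |
#     ForEach-Object { Restore-DeletedAadUser -Id $_.Id }
```

Graph returns the userPrincipalName of a soft-deleted user with the object id prepended to the local part, so match on the domain with -like rather than comparing the full UPN with -eq; the restored object comes back with its original UPN.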
I need to add the Sites.FullControl.All API permission in an app registration via PowerShell, but I can't find the ID. I have already found the IDs of various APIs like AllSites.FullControl with the command
$svcSharePoint = Get-AzureADServicePrincipal -All $true | ? { $_.DisplayName -eq "Office 365 SharePoint Online" }
$svcSharePoint.Oauth2Permissions | FT ID, Value
Any Ideas?
This is what I'm expecting.
I tested in my environment. I'm able to retrieve the IDs of Application permissions successfully like below:
Please note that Sites.FullControl.All is an Application Permission not Delegated Permission.
Using below cmdlet, you will only get a list of delegated permissions IDs.
$svcSharePoint.Oauth2Permissions | FT ID, Value
To get a list of application permissions IDs, you have to make use of below cmdlet:
$svcSharePoint.AppRoles | FT ID, Value
The ID of Sites.FullControl.All permission is 678536fe-1083-478a-9c59-b99265e6b0d3
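As an added example (not part of this answer or the earlier Add-AzADAppPermission answer, and not Microsoft's code): both threads come down to looking up a permission GUID on the resource's service principal and then passing the right identifiers to Add-AzADAppPermission. The functions below resolve a permission by its string value, choosing the AppRoles list for application permissions and the Oauth2PermissionScopes list for delegated ones, and then add it with -ApiId set to the resource's AppId and -PermissionId set to the GUID, for a resource whose service principal exists in the tenant. This assumes Az.Resources with its Graph-based cmdlets (Az 7 or later) and a Connect-AzAccount session allowed to edit the target app registration; the property names AppRole, Oauth2PermissionScope and AppId are those of Get-AzADServicePrincipal's output (check with Get-Member if your module version differs), and the app registration object id in the usage lines is a placeholder.

```powershell
# Added example, not from the original answers. Assumes Az.Resources (Az 7+) and Connect-AzAccount done.
function Get-ResourcePermissionId {
    param(
        [Parameter(Mandatory)] [string] $ResourceDisplayName,   # e.g. 'Microsoft Graph', 'Office 365 SharePoint Online'
        [Parameter(Mandatory)] [string] $Value,                 # e.g. 'Group.Read.All', 'Sites.FullControl.All'
        [ValidateSet('Scope', 'Role')] [string] $Type = 'Scope' # Scope = delegated, Role = application permission
    )
    $sp = @(Get-AzADServicePrincipal -DisplayName $ResourceDisplayName)
    if ($sp.Count -ne 1) { throw "Expected one service principal named '$ResourceDisplayName', found $($sp.Count)" }
    $sp = $sp[0]
    # Delegated permissions live in Oauth2PermissionScope, application permissions in AppRole
    $candidates = if ($Type -eq 'Scope') { $sp.Oauth2PermissionScope } else { $sp.AppRole }
    $perm = $candidates | Where-Object { $_.Value -eq $Value }
    if (-not $perm) { throw "'$Value' is not exposed by '$ResourceDisplayName' as a $Type permission (try the other type)" }
    [pscustomobject]@{ ApiId = $sp.AppId; PermissionId = $perm.Id; Type = $Type; Value = $Value }
}

function Add-AppPermissionByValue {
    param(
        [Parameter(Mandatory)] [string] $AppObjectId,   # object id (not AppId) of the app registration being changed
        [Parameter(Mandatory)] [string] $ResourceDisplayName,
        [Parameter(Mandatory)] [string] $Value,
        [ValidateSet('Scope', 'Role')] [string] $Type = 'Scope'
    )
    $p = Get-ResourcePermissionId -ResourceDisplayName $ResourceDisplayName -Value $Value -Type $Type
    # -ApiId is the resource application's AppId; -PermissionId is the scope/role GUID from that resource
    Add-AzADAppPermission -ObjectId $AppObjectId -ApiId $p.ApiId -PermissionId $p.PermissionId -Type $p.Type
    # This only records the request (requiredResourceAccess); an admin still has to grant consent
    Get-AzADAppPermission -ObjectId $AppObjectId | Where-Object { $_.Id -eq $p.PermissionId }
}

# Usage (the app registration object id is a placeholder):
# Add-AppPermissionByValue -AppObjectId '<app-object-id>' -ResourceDisplayName 'Microsoft Graph' -Value 'Group.Read.All'
# Add-AppPermissionByValue -AppObjectId '<app-object-id>' -ResourceDisplayName 'Office 365 SharePoint Online' `
#     -Value 'Sites.FullControl.All' -Type Role
```

Passing the wrong list is the usual cause of "not found" lookups: Sites.FullControl.All is only in the SharePoint service principal's AppRoles, while Group.Read.All exists in both lists on Microsoft Graph with different GUIDs, so the Type you pass decides which GUID you get.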
I'm looking at some Azure SQL security alerts for a "login from a domain not seen in 60 days"; however, it's listed in the following format (not the actual identifier):
f96bd1cf-beb7-4e82-89cc-3d7e76f1cf3c#1ed9389a-f140-4cfd-9f02-c5a6a78c2770
How would I resolve this to an actual readable username?
thanks in advance
You can try the PowerShell cmdlets Get-AzureADObjectByObjectId and Get-AzureADUserCreatedObject -ObjectId to get the ObjectId details, as below:
In your case, f96bd1cf-beb7-4e82-89cc-3d7e76f1cf3c#1ed9389a-f140-4cfd-9f02-c5a6a78c2770: the first part is the id and the second is the tenant.
Your Tenant ID should appear under Basic information.
Further, the Get-AzureADUserCreatedObject cmdlet gets objects created by a user in Azure Active Directory (AD).
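As an added example (not part of the answer above, and not Microsoft's code): the answer identifies the two halves of the alert identifier but leaves the lookup manual. The function below splits the "<objectId>#<tenantId>" string, checks that the tenant half matches the tenant of the current session (a principal from another tenant cannot be resolved from here), and resolves the object id through Graph's /directoryObjects endpoint, which works whether the login was a user, a service principal or a group. It assumes an Az session (Connect-AzAccount) with Invoke-AzRestMethod available, in place of the AzureAD-module cmdlets named in the answer.

```powershell
# Added example, not from the original answer. Assumes Az.Accounts with Connect-AzAccount done.
function Resolve-AadPrincipalReference {
    param([Parameter(Mandatory)] [string] $Reference)   # e.g. '<objectId>#<tenantId>' as shown in the alert
    $objectId, $tenantId = $Reference -split '#', 2
    foreach ($part in @($objectId, $tenantId)) {
        $parsed = [guid]::Empty
        if (-not [guid]::TryParse([string]$part, [ref]$parsed)) {
            throw "'$part' is not a GUID; expected the form '<objectId>#<tenantId>'"
        }
    }
    $ctxTenant = (Get-AzContext).Tenant.Id
    if ($tenantId -ne $ctxTenant) {
        # The principal lives in another tenant; this session has no directory access there
        throw "Reference belongs to tenant $tenantId but the current session is in tenant $ctxTenant"
    }
    $resp = Invoke-AzRestMethod -Method GET -Uri "https://graph.microsoft.com/v1.0/directoryObjects/$objectId"
    if ($resp.StatusCode -eq 404) {
        # A login from an object that no longer exists is worth a closer look on its own
        return [pscustomobject]@{ Id = $objectId; Type = 'not found (deleted?)'; DisplayName = $null; UserPrincipalName = $null }
    }
    if ($resp.StatusCode -ne 200) { throw "Graph returned $($resp.StatusCode): $($resp.Content)" }
    $obj = $resp.Content | ConvertFrom-Json
    [pscustomobject]@{
        Id                = $obj.id
        Type              = $obj.'@odata.type' -replace '^#microsoft\.graph\.', ''   # user, servicePrincipal, group, ...
        DisplayName       = $obj.displayName
        UserPrincipalName = $obj.userPrincipalName   # only present for users
    }
}

# Usage with the identifier from the question (both GUIDs are placeholders from the post):
# Resolve-AadPrincipalReference -Reference 'f96bd1cf-beb7-4e82-89cc-3d7e76f1cf3c#1ed9389a-f140-4cfd-9f02-c5a6a78c2770'
```

The Type column is what tells you whether the "login from a new domain" was an interactive user or an application identity, which changes how the alert should be triaged.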
I'm trying to do simple thing here - I want to grant Reader permissions for AppInsights resource in Azure Portal. So I created a security group called Devs. It has members in it (if that's important).
Now, I go to AppInsights resource => Access Control => Add, and look at this:
It can't find this group! Why is that?
Thanks to Azure Support, here's what happened: I log in to Azure Portal with an external user (user@outlook.com for example). Even though this user is a Global Admin, he's not a Member of the tenant. So, either you log in with a user who's a member (@tenant.onmicrosoft.com) or you convert your user to be a Member (now, that requires you to log in as a Member admin). Here's the PowerShell script on how to convert:
Install-Module MSOnline
Connect-MsolService
Set-MsolUser -UserPrincipalName user_outlook.com#EXT#@tenant.onmicrosoft.com -UserType Member
# just to check if you became a Member user
Get-MsolUser -UserPrincipalName user_outlook.com#EXT#@tenant.onmicrosoft.com | select usertype