Remove Role assignment using powershell in azure - azure

when im trying to remove role assignment for a storage account using azure automation account
Remove-AzRoleAssignment -SignInName "john#example.com" -RoleDefinitionName "Storage File Data SMB Share Contributor" -Scope "/subscriptions/000-8888-7777/resourceGroups/$resourcegroup/providers/Microsoft.Storage/storageAccounts/$storageaccount"
using above command getting
Cannot find principle using specified options

Email you provide seem to be not correct SigninName.
If you have access to Azure Active Directory you may check User Principal Name for this user and try it instead. In case of my private subscription it did end with onmicrosoft.com. If you use User Principal Name you should get results you expect.

The error "Cannot find principle using specified options" usually occurs if you don't have the required privileges.
Make sure to run as an Administrator and login with Admin credentials to Azure AD.
I tried in my environment and got the same error when the role is missing with incorrect sign-in name like below:
Please check whether the role you are trying to remove is existing or not in the scope like below:
Get-AzRoleAssignment -SignInName "UPN" | FL DisplayName, RoleDefinationName, Scope
Ensure to give correct UPN (User Principal Name) of the user.
Make use of the above response to run the below command:
Remove-AzRoleAssignment -SignInName "UPN" -RoleDefinitionName "Storage File Data SMB Share Contributor" -Scope "Your_Scope"
Please recheck the scope you are providing.

Related

Unable to assign a role to user assigned identity through Azure Run books

By using the below command, trying to assign a role to the managed identity using PowerShell runbook(5.1 Runtime version).
$roleAssignment = New-AzRoleAssignment -ObjectId 'xxxx-xxxx-xxxx-xxxx' -Scope '/subscriptions/xxxx-xxxx-xxxx/resourceGroups/xxxxxxxxx' -RoleDefinitionName 'Contributor'
When we execute the runbook we ran into the below error.
Exception of type 'Microsoft.Rest.Azure.CloudException' was thrown.
But, When executed the same command from local PowerShell ISE we are able to assign the role with out any fail.
How to make runbook to assign the role to the user assigned identity.
Can any one help me solve this.
Unable to assign a role to user assigned identity through Azure Run books (1).html
Unable to assign a role to user assigned identity through Azure Run books
Exception of type ‘Microsoft.Rest.Azure.CloudException’ was thrown.
To resolve the above error, I would suggest you try to follow the below workaround that worked for me: -
Go to Azure AD --> App registrations --> Select your app --> API Permissions --> Add permission --> Microsoft Graph (You can select any Azure resource for which you want to grant permissions for) --> Application Permissions --> Directory --> Directory.Read.All
Then grant admin consent for the selected permissions for that particular resource.
Here, you can select other services which you are using, also in ‘Request API Permissions’ other than Microsoft Graph, you can use other APIs that you are working since the process is same as shown in the below snapshot: -

managed identity for this assignment does not have the appropriate permissions to remediate these resources. Edit Assignment page and re-save it

I have a requirement of creating policy assignment from policy initiative and do remediation. I can create assignment using the below command.
$newRgAssignment = New-AzPolicyAssignment -Name $assigName -PolicySetDefinition $policySet -PolicyParameterObject $Params -AssignIdentity -Location 'westus' -scope $rgscope -DisplayName $assigName
In this I can create assignment successfully. while trying to remediation manually in I can see the below error message in azure portal .
The managed identity for this assignment does not have the appropriate permissions to remediate these resources. To add these permissions, go to the Edit Assignment page for this Policy and re-save it.
I tried creating a policy assignment by passing SystemAssigned identity type but ran into same problem.
I have left with only one option that is UserAssigned identity type. To pass this parameter we need to get the assigned user identity . To get the user identity I used the below commands
Set-AzContext -Subscription 'XYZ-123-ABC'
$UserAssignedIdentity = Get-AzUserAssignedIdentity
But no use.
Can any one help me on this issue. Any help can be appriciated.
Thank you.
TenantId 'xxxx-xxxx-xxxx-xxxx' contains more than one active
subscription. First one will be selected for further use. To select
another subscription, use Set-AzContext. This is not any error. Its a
warning. Get-AzUserAssignedIdentity command returning null.
We have tried with below cmd after installing module Az.ManagedSericeIdentity and can able to get the results.
Warning you might receive but after Set-AzContext -Subscription 'XYZ-123-ABC'
it will be logged into the correct subscription you wanted to.
After successfully login type $UserAssignedIdentity even if you have user role to that subscription.
For more information please refer the below links:-
MS DOC| Get-AzUserAssignedIdentity
SO THREAD .

New-AzKeyVault - The provided information does not map to an AD object id

I am trying to add a Keyvault with PowerShell. I am always getting below two warnings while creating this. Though the vault is getting created successfully but, but want to understand how can I elminiate this warnings?
New-AzKeyVault -VaultName "kvxxxxxxxxxxx" `
-ResourceGroupName "RG-xxxx" -Location "South Central US"
WARNING: The provided information does not map to an AD object id.
WARNING: Access policy is not set. No user or application have access permission to use this vault. This can happen if the vault was created by a service principal. Please use Set-AzKeyVaultAccessPolicy to set access policies.
I can reproduce your issue on my side. The two WARNINGs were caused by your account is a Personal Account/Microsoft account(e.g. outlook, hotmail account) in your Azure AD tenant, your user type is Guest.
Actually you can just ignore them, or use the -WarningAction Ignore parameter as mentioned in the comment.
When using a work account/member user type to create a keyvault, it will add the account which used to create the keyvault to the access policy of the keyvault automatically. In your case, you could use the command Set-AzKeyVaultAccessPolicy to set the access policy after creating the keyvault.

Azure AD App API Permissions - Where to get the id of the permission being granted

I'm trying to grant API Permissions on an App registration programatically using terraform.
I dont know how to get the id of the permission that i want to grant. I've tried copy and paste of a permission used elsewhere from the manifest file, but it doesnt look to be that simple.
This description of the setting is from the Terraform documentation.
id - (Required) The unique identifier for one of the OAuth2Permission or AppRole instances that the resource application exposes.
Does anyone know how to get the permission guids that are used here? are they specific to an app registration? I'm guessing so.
The id in the terraform is not that in your screenshot, in your screenshot, it is the consent displayname of the permission, not the id, it just happens to be a guid.
To get the id, you could use the AzureAD powershell as below.
For example, get the id of the xxx-nex-kv-access API delegated permission like your screenshot.
1.Find the service principal.
Get-AzureADServicePrincipal -SearchString "xxx-nex-kv-access"
The command will list all the service principals related to xxx-nex-kv-access, make sure which one you need, then copy the ObjectId and AppId of it. (If there is no result, you can use Get-AzureADServicePrincipal with no parameter to list all the service principal and find the one you need.)
2.Use the ObjectId to get the delegated permission.
$sp = Get-AzureADServicePrincipal -ObjectId "<ObjectId>"
$sp.Oauth2Permissions | select Id,AdminConsentDisplayName,Value
The Id is that you want, in the terraform, specify that like below.
required_resource_access {
resource_app_id = "<AppId>"
resource_access {
id = "<Id>"
type = "Scope"
}
}
Besides, you should notice the type property has two vaules, Scope and Role, you should know the Scope is Delegated permission and Role is Application permission.
So if you want to add the Application permission permission, you need to use the command as below, then in the terraform, use type = "Role".
$sp = Get-AzureADServicePrincipal -ObjectId "<ObjectId>"
$sp.AppRoles | select Id,DisplayName,Value

Azure AD - no groups listed when setting Access Control in the portal

I'm trying to do simple thing here - I want to grant Reader permissions for AppInsights resource in Azure Portal. So I created a security group called Devs. It has members in it (if that's important).
Now, I go to AppInsights resource => Access Control => Add, and look at this:
It can't find this group! Why is that?
Thanks to Azure Support, here's what happened - I log in to Azure Portal with an external user (user#outlook.com for example). Even though this user is a Global Admin he's not a Member of the tenant. So, either you log in with a user who's a member (#tenant.onmicrosoft.com) or you convert your user to be a Member (now, that requires you to log in as a Member admin). Here's the PowerShell script on how to convert:
Install-Module MSOnline
Connect-MsolService
Set-MsolUser -UserPrincipalName user_outlook.com#EXT##tenant.onmicrosoft.com -UserType Member
# just to check if you became a Member user
Get-MsolUser -UserPrincipalName user_outlook.com#EXT##tenant.onmicrosoft.com | select usertype

Resources