I'm having an issue with the timing around creating a new Azure AD security group and using that group for SharePoint Online folder access.
Using New-PnPAzureADGroup I'm creating the security group, then using Set-PnPListPermission and Set-PnPFolderPermission I'm setting the security group with the required permission for that List or Folder.
It seems that Set-PnPListPermission & Set-PnPFolderPermission are running too quickly after the creation of the group as it reports
Set-PnPListPermission : The specified user XXXX123_SP could not be found.
The strange thing is, once the group has been created I can immediately run Get-PnPAzureADGroup and retrieve the group. I can also manually run the same command a little later and it completes successfully.
I assume the groups take time before they're available in SharePoint, what's the best practice approach to check and wait for these groups before applying them in SharePoint?
Thanks in Advance
You could try to use following PnP PowerShell commands:
Set-PnPListPermission -Identity $LibraryName -User "c:0t.c|tenant|$AdGroupID" -AddRole 'Read'
I replaced -Group with -User in the PnP PowerShell command. Then it executed successfully with no error message.
I've encountered this issue, except with external users rather than AD Groups but I think the root is the same. The object can be immediately queried from AD but takes time to become resolvable in SharePoint.
I doubt you'll find a documented best practice as this is a bit of an advanced use case. In my case I seem to recall it taking between 5 and 30 seconds to resolve. What I did was loop 10 times with a Thread.Sleep and break out when it succeeds. Even then you'd get occasional failures - you just log them and move on and let support staff deal with it.
Not my proudest coding moment but it (mostly) got the job done.
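$condition = $false
do {
    try {
        # Supply your own parameters; -ErrorAction Stop turns a failure into a
        # terminating error so that catch runs and the loop tries again.
        Set-PnPListPermission -ErrorAction Stop
        Set-PnPFolderPermission -ErrorAction Stop
        # Reached only when both calls succeeded.
        $condition = $true
    }
    catch {}
}
until ($condition)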
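The bounded retry that the second answer describes (a fixed number of attempts with a sleep between them, and a logged failure at the end), as an added example that is not part of the original thread. Invoke-WithRetry and its parameters are hypothetical names, and the stand-in operation is constructed so the block runs without a tenant.

```powershell
# Added example: Invoke-WithRetry and its parameter names are hypothetical.
function Invoke-WithRetry {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [scriptblock] $Operation,
        [int] $MaxAttempts = 10,
        [int] $DelaySeconds = 5,
        # Only errors matching this pattern are treated as "not resolvable yet".
        [string] $RetryOnPattern = 'could not be found'
    )
    for ($attempt = 1; $attempt -le $MaxAttempts; $attempt++) {
        try {
            & $Operation | Out-Null
            return $attempt                      # number of attempts that were needed
        }
        catch {
            $message = $_.Exception.Message
            # Anything else (access denied, wrong list name) will not fix itself: fail fast.
            if ($message -notmatch $RetryOnPattern) { throw }
            if ($attempt -eq $MaxAttempts) {
                Write-Warning "Giving up after $attempt attempts: $message"
                throw
            }
            Write-Verbose "Attempt $attempt failed; retrying in $DelaySeconds s"
            Start-Sleep -Seconds $DelaySeconds
        }
    }
}

# Constructed stand-in for the real call: fails twice with the error text
# from the question, then succeeds, so the block runs without a tenant.
$script:calls = 0
$fakeGrant = {
    $script:calls++
    if ($script:calls -le 2) { throw 'The specified user XXXX123_SP could not be found.' }
}
$used = Invoke-WithRetry -Operation $fakeGrant -DelaySeconds 1 -Verbose
Write-Output "Permission applied after $used attempt(s)"

# Real use: wrap your own call, keeping -ErrorAction Stop so failures reach catch:
# Invoke-WithRetry -Operation { Set-PnPListPermission <your parameters> -ErrorAction Stop }
```

Matching on the error text keeps a permissions or naming mistake from being retried as if it were a replication delay.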
I've created a solution that will auto-tag all resources in Azure when they're created using the "Creator", "Date", and "Time." These work perfectly if someone creates from the web interface. Unfortunately, I use Terraform to create resources and would like it to take the terraform appid and convert it to the name using the following command.
(Get-AzADServicePrincipal -ApplicationId "123456-4564-464651651").DisplayName
Unfortunately, I get the following error, basically saying I don't have privileges to do it. Is there a list that lets me know which roles correspond to which command I need to run? I only want to allow privileges to map Service Principal App ID display name (and nothing more).
[Error] ERROR: [Authorization_RequestDenied] : Insufficient privileges to complete the operation.
Exception :
Type : System.Exception
Message : [Authorization_RequestDenied] : Insufficient privileges to complete the operation.
HResult : -2146233088
CategoryInfo : InvalidOperation: ({ ConsistencyLevel …ect = , Expand = }:<>f__AnonymousType5`7) [Get-AzADServicePrincipal_List], Exception
FullyQualifiedErrorId
The solution is based on this link using Event triggers https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/tagging-azure-resources-with-a-creator/ba-p/1479819
You should use at least the Application.Read.All permission. Please see the doc for more info - https://learn.microsoft.com/en-us/graph/api/serviceprincipal-get?view=graph-rest-1.0&tabs=http
Hope this helps
Thanks
Context:
I'm creating an Electron React Application. I'm building it for my colleagues.
This app will give you a simple to use UI. You can do different things for which you normally would need powershell.
Example: Gui asks you for a user you want to access and another user that it should grant access to.
I'm then passing everything we need to powershell-node (a package that handles powershell with node) and it will (in this example) grant Full Access Permissions to the user specified.
The Problem
We are using a different account to fire exchange and powershell commands since we don't have rights with our personal logon. So normally I would create a pssession to our ex server like this:
# Connection settings are splatted onto New-PSSession; Get-Credential prompts for the admin account
$Connection = @{
    ConfigurationName = 'Microsoft.Exchange'
    ConnectionUri = 'http://ourserver/powershell'
    Authentication = 'Kerberos'
    Credential = Get-Credential
}
$Ex2010Session = New-PSSession @Connection
Import-PSSession $Ex2010Session -AllowClobber | Out-Null
Normally this would work and give me the commandlet add-mailboxpermission.
Also the command itself works on a normal powershell because I open it with my Admin account (run as). And that's the point:
In my script I do exactly this but then afterwards I run the Add-Mailboxpermission command with all required parameters.
Of course it won't work because I opened my electron app with my normal account. Also there is no -Credential parameter on the Add-MailboxPermission command.
A possible solution:
The first idea that comes into my mind is to just open the app with the adm account. While possible, I aspire to a better solution.
What have I tried
The next idea I got is "Why don't I just send the command to the server via Invoke-Command" like this:
Invoke-Command -Session $Ex2010Session -ScriptBlock {
    Add-MailboxPermission -Identity $Identity -AccessRights 'FullAccess' -user $User -automapping $Automapping
}
Unfortunately when I try to run this I get this error message:
variable that cannot be referenced in restricted language mode or a Data section is being referenced. Variables that
can be referenced include the following: $PSCulture, $PSUICulture, $true, $false, and $null.
I don't have any access to our ex infrastructure and therefore can't try to fix it on these side of problems (language mode).
So there I am, having no idea how to solve this problem. I hope you guys have any ideas how to fix it, that would be very neat.
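The error above lists the only variables the remote side will accept, so one way to send the command is as a script block that contains literal values only. The following is an added example, not part of the original question; New-MailboxPermissionCommand is a hypothetical helper name, and it assumes the endpoint accepts a single command with literal arguments.

```powershell
# Added example: New-MailboxPermissionCommand is a hypothetical helper name.
function New-MailboxPermissionCommand {
    param(
        [Parameter(Mandatory)] [string] $Identity,
        [Parameter(Mandatory)] [string] $User,
        [bool] $AutoMapping = $true
    )
    # Escape each value for a single-quoted literal (doubles ' and its typographic
    # variants) so text typed into the GUI cannot end the string early.
    $codeGen = [System.Management.Automation.Language.CodeGeneration]
    $id  = $codeGen::EscapeSingleQuotedStringContent($Identity)
    $usr = $codeGen::EscapeSingleQuotedStringContent($User)
    $map = if ($AutoMapping) { '$true' } else { '$false' }

    $text = "Add-MailboxPermission -Identity '$id' -AccessRights 'FullAccess' " +
            "-User '$usr' -AutoMapping $map"
    $block = [scriptblock]::Create($text)

    # Local checks before anything is sent: exactly one command, and no variables
    # other than the ones the error message lists as allowed.
    $ast      = $block.Ast
    $commands = $ast.FindAll({ param($n) $n -is [System.Management.Automation.Language.CommandAst] }, $true)
    $vars     = $ast.FindAll({ param($n) $n -is [System.Management.Automation.Language.VariableExpressionAst] }, $true)
    $allowed  = 'true', 'false', 'null', 'PSCulture', 'PSUICulture'
    if (@($commands).Count -ne 1) { throw "Expected one command, found $(@($commands).Count)" }
    foreach ($v in $vars) {
        if ($v.VariablePath.UserPath -notin $allowed) { throw "Variable `$$($v.VariablePath.UserPath) is not allowed" }
    }
    return $block
}

# Constructed inputs, including one with quotes and a separator in it.
$ok  = New-MailboxPermissionCommand -Identity 'shared.mailbox' -User "o'brien"
$odd = New-MailboxPermissionCommand -Identity "x'; Get-Date; '" -User 'jdoe' -AutoMapping $false
$ok.ToString()
$odd.ToString()

# Real use, with the session from the question:
# Invoke-Command -Session $Ex2010Session -ScriptBlock $ok
```

Because the values arrive from a GUI, the escaping and the one-command check matter as much as the language-mode workaround: the second constructed input stays a single string argument instead of becoming extra commands.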
I have created a thing, certificates and a policy, and attached them successfully using python.
And I have found an idea: instead of creating a policy for every new thing that is created, we can create a thing group, create a policy for that group, add the thing to it, and then share that group policy with every new thing we create.
I didn't have any idea how to implement my idea, and I keep on searching for a reference to do that, but I still didn't find any useful links or guides. If you know anything, post it.
Hi everyone after a long search i find the solution.
import boto3

def add_thing_to_thing_group():
    # Adds an existing thing to an existing thing group
    client = boto3.client('iot')
    thing_group_name = 'your thing group name'
    thing_group_arn = 'your thing group arn'
    thing_name = 'your thing name'
    thing_arn = 'your thing arn'
    client.add_thing_to_thing_group(
        thingGroupName=thing_group_name,
        thingGroupArn=thing_group_arn,
        thingName=thing_name,
        thingArn=thing_arn
    )
need boto3 package
thing group arn and thing arn are available in aws iot console
I have a Sharepoint Library, which I have a Powershell script dropping files into for processing. The Powershell script reaches out to Active Directory, and returns Group Membership information. The script then creates a folder for the group owner (if it doesn't exist) in my Library, using the group owners' name, and drops a .CSV of all the users contained in the specific group into that folder.
The need here, is to grant 'Read' permissions only to the owner of the group, which will be the name of the folder we are working in. Ideally the folder would be hidden, however I understand that there are limitations when working with Sharepoint.
For example:
John Doe, User: jdoe would be able to access Z:/jdoe/IT.csv but not
Z:/someuser/HR.csv
I have my Sharepoint Library mapped to Z:/ currently, to make my life easier for Powershell.
I executed Get-Command -Module Microsoft.SharePoint.PowerShell | ft name and ran through the list of Sharepoint Commands.
I then stumbled across the Grant-SPObjectSecurity Cmdlet, which I assume is what I would want to use on the Powershell side to, when the folder is being created, apply Sharepoint permissions only to the user for which the folder is being created for.
The process from start to finish is: Powershell Script 'Get_Group_Members' executes, reading a text file containing an Active Directory Group name, per line. For each group found, the script identifies the owner of the group, creates a folder named with the owners AD name, and puts a .CSV file in the folder listing all members of the group. Then, I (for now anyway) manually initiate the next Script 'Import_CSV' which pulls all the information into a Sharepoint list for an unrelated process.
Hope that helps understand what's happening. Am I right in assuming I should handle this on the Powershell side, as opposed to the Sharepoint side? If so, am I headin' in the right direction with Grant-SPObjectSecurity?
Thanks!
Update:
Following the link I provided in a comment below, here is what I came up with:
function GrantUserpermission($strOwnerName)
{
    [Microsoft.SharePoint.SPUserCollection]$spusers=[Microsoft.SharePoint.SPUserCollection]$web.SiteUsers
    [Microsoft.SharePoint.SPUser]$spuser=$spusers[$strOwnerName]
    "Strowner name: " + $strOwnerName
    # Get the SPWeb object and save it to a variable
    $web = Get-SPWeb -identity $WebURL
    if ($strOwnerName -ne $null)
    {
        $sproleass=new-object Microsoft.SharePoint.SPRoleAssignment([Microsoft.SharePoint.SPPrincipal]$spuser)
        $folder.BreakRoleInheritance("true")
        $sproleass.RoleDefinitionBindings.Add($web.RoleDefinitions["Contribute"])
        $folder.RoleAssignments.Add($sproleass);
        Write-Host "Permission provided for user ", $strOwnerName
    }
    else
    {
        Write-Host "User ""$userName"" was not found in this web!"
    }
}
And here, are the error(s) associated with my code:
Full code can be found here: http://pastebin.com/iBpj6V1U
Update #2
#apply permissions to folder
"Strowner name: " + $strOwnerName
function GrantUserpermission($strOwnerName)
{
    $web = Get-SPWeb -identity $WebURL
    [Microsoft.SharePoint.SPUser]$spuser=$web.EnsureUser($strOwnerName)
    "Strowner name in Function: " + $strOwnerName
Updated code #2: http://pastebin.com/DzP1hVce
I ended up realizing, that if I am using Powershell to get information to a .CSV, and then ultimately to Sharepoint, that it doesn't make sense to actually waste time with files, and tap directly into Sharepoint via Powershell.
Here's the code I had used to accomplish this: http://pastebin.com/xRyvXLCB
Special thanks to @TheMadTechnician
Overview
I am observing a really strange behaviour with code which attempts to retrieve the TermStore from the TaxonomySession. The code looks like this:
using (SPSite mySite = new SPSite(url))
{
    TaxonomySession session = new TaxonomySession(mySite);
    // Get all the TermStores associated with the provided site.
    TermStoreCollection stores = session.TermStores;
    Console.WriteLine(stores.Count);
}
Here is the issue:
The above code does not return any TermStores, i.e. the count is zero
If I run the following PowerShell script from the same command prompt, I get 1 TermStore in the count.
$site = new-object Microsoft.SharePoint.SPSite("https://mysite")
$session = new-object Microsoft.SharePoint.Taxonomy.TaxonomySession($site)
$session.TermStores.Count
I have tried the following:
My Managed Metadata Application Proxy is a part of the default proxy group
The administrator for the Managed Metadata Service is configured correctly
The permissions for the Managed Metadata Service are configured correctly
The Managed Metadata application pool is running under the farm account
Modifying the code above to run under elevated privileges
The weird thing is that the first block of code above DOES NOT retrieve any TermStore(s) when compiled as an executable and invoked from a command window, which is running under the farm credentials. IN THE SAME window, I can copy and paste the second block of the equivalent PowerShell scripts and have it run!
Also, this issue is only happening on our Production environment. The same executable ran successfully on our DEV, TEST and Pre Prod environments.
Any help at this stage will be much appreciated.
We encountered exactly the same issue in our test environment. But, our development servers are working as expected. My colleague was able to narrow down the issue and resolve it by updating hotfix available in Microsoft support.
The following are the details of the hotfix and information he could come across while researching on that particular issue.
Support download link
For additional information:
http://chrisforbesblogs.net/2009/12/02/the-managed-metadata-service-or-connection-is-currently-not-available
http://expectedexception.wordpress.com/2011/06/15/the-managed-metadata-service-or-connection-is-currently-not-available-the-application-pool-or-managed-metadata-web-service-may-not-have-been-started-please-contact-your-administrator/
Please consult your system administrator before updating any hotfix to servers. Hope this helps you to fix the issue in your production environment.