Is there still really no way to automate joining a Windows device to Azure AD via Powershell? I've looked and tried just about everything. The only methods I know of are below.
Self-service: Windows OOBE or Settings
Bulk enrollment
Windows Autopilot
Currently, there is no powershell script/commandlet that can auto join with AAD.
Apart from three method which you have mentioned there is also one more method i.e., Group Policy you can make use of it.
You can also view this to decide how to plan for Azure AD
Reference: https://learn.microsoft.com/en-us/answers/questions/261596/add-computer-to-azure-ad-step-by-step.html
Related
Currently setup with a hybrid Azure AD. Most of our devices are still joined to the local AD servers, with a few newer devices having been onboarded via Azure AD instead of local AD.
I've been searching for a while now but there doesn't seem to be many good resources for the move away from hybrid, other then: Manually unjoin and rejoin every device.
Hoping that I am missing something here and there is a way to do this via a script or other means?
Any suggestions or links are greatly appreciated.
AFAIK, currently there is no way to automate migrating from hybrid Azure AD devices to Full cloud.
You cannot change a hybrid joined device to full cloud without first
removing from the domain and joining to Azure.
You can find the similar scenario in this Microsoft Q&A by Sander Berkouwer that confirms the above.
You have to manually unjoin and rejoin every device. Before removing the devices, make sure to check the state of them using dsregcmd /status.
If DomainJoined is 'YES', unjoin the devices by following the below steps:
Make sure to turn off automatic registration before removing hybrid Azure AD devices.
Run command prompt as an administrator and execute the below command as a script to unjoin several devices in bulk: dsregcmd.exe /debug /leave
Please check the below links that can give you some pointers.
Migration from Hybrid to AAD by sikumars-msft - Microsoft Q&A
Convert hybrid AAD devices to full AAD joined - Azure Forum (spiceworks.com)
There are some default settings for devices in Azure AD:
- Users may join devices to Azure AD (All-Selected-none)
- Additional local administrators on Azure AD joined devices (Selected-None)
- Require Multi-Factor Auth to join devices
an so on.
I am not able to find any solution to do this PROGRAMMATICALLY.
I went thru all MS Graph (also beta), tried PowerShell - Azure AD, Exchange Online, but without any result.
Only Msol has cmdlet Set-MsolDeviceRegistratioinServicePolicy, which does the job. But not whole job - I can't find how to set users/groups which can be selected.
And anyway, does MS Graph have this functionality?
MS Graph doesn't have this functionality yet. All the operations of Device are list here. Currently we can manage device identity using the Azure portal. You can send your feedback regarding this at the bottom of this link. Hope it helps.
I'm looking to manage certain settings of Azure via Azure Powershell from C#. I need to manage subscriptions for many many customers programmatically.
I want to ensure that anytime I open a PowerShell session to deal with particular customer's subscription, nothing of that session is left over in registry, certificate store, etc.
I have management certificates available to me as encrypted byte arrays. I can save them on the hard drive if needed.
I am also happy to call Powershell cmdlets not thru Powershell session but directly thru referencing objects in the .DLL
I would prefre to avoid the use of Management API directly in certain scenarios which is why I'd like to do so via Powershell
Is this possible? If so, how do I avoid using the certificate store? Ideally, I would prefer to just have a way to call into the cmdlet from C# without going thru Powershell session
You should start using Azure Active Directory credentials instead of X.509 certificates. Both the Azure Service Management (ASM) and Azure Resource Manager (ARM) mode of Azure PowerShell supports AAD while certificate authentication can only be used for ASM. Using AAD credentials means you NEVER need to use certificates of X.509 certificates, and be subject to the management difficulties they impose. You would need to be added as a co-admin to your clients subscriptions for ASM support (and the production portal) and provided an appropriate role for ARM support (and the preview portal). However, your customers could restrict your ARM and preview portal access with RBAC.
PowerShell has one cmdlet called clear-azureprofile ... And it clears all connections ... If you really want to be sure you better also clear the IE cookies and start a new PoSh session after both actions (so best to do it at the end of each session)... I agree with Neil btw: Stay clear from the certs... Aim for AAD
BUT ... Why don't you take a look at the management libraries(MAML? It's the basis for all you don't need to call REST and you can avoid PowerShell (that also uses MAML.) it's downloadable as nuget package
Find it here http://www.nuget.org/packages/Microsoft.WindowsAzure.Management.Libraries
And find info on it here http://azure.microsoft.com/en-us/updates/management-libraries-for-net-release-announcement/ and here http://www.bradygaster.com/post/getting-started-with-the-windows-azure-management-libraries
Hope this helps!
Only automated way is with a AAD account for the subscription. Be aware, the token expires in 12 hours. See June's fantastic blog post.
http://www.sapien.com/blog/2014/10/23/saving-passwords-for-add-azureaccount/
I know how to add a co-administrator via the portal, but need a way to add it via PowerShell.
I need this method as I have lost access to the login id, but have the publish setting file so can administrator my virtual machines.
Unfortunately you can't. Azure PowerShell Cmdlets are essentially wrapper over Azure Service Management API and currently the API does not expose any method to add co-admins programmatically.
Azure have rolled out Roll Based Access Control which will allow you to automate the adding of new admins to your Azure Subscription. Intro here: https://azure.microsoft.com/en-us/documentation/articles/role-based-access-control-configure/
You would add a new user as an Owner at the Subscription scope. These operations are available using both PowerShell and REST
I am trying to figure out how to create a windows azure active directory group and/or role from the web portal. Am I missing something obvious here or? I can create users, and assign them to the 2 built in roles, but how do I create a new role? or group?
Admittedly I haven't tried this yet, but the PowerShell extensions should be able to do this:
http://technet.microsoft.com/en-us/library/jj151815.aspx
Look under "Manage group and role membership" for details on the relevant commands.
I would also assume that the Graph API could handle it. I too was hoping that the Azure Management Portal would let us do it in their GUI.
Seems the way to add groups, etc is via the graph api or as suggested above by PS scripts. The graph api is amazingly powerful, albeit not as convenient as if this funcitonality lived within the Azure portal.
Basically you have 2 options:
create app roles and assign security groups to them (AAD Premium is
required)
enable security groups as claims (AAD Free is enough)
Follow this official manual: https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-add-app-roles-in-azure-ad-apps