Can some one help to get the details of all users from Azure for their Role assignement with -ExpandPrincipalGroups.
I have tried for one user and it is working fine but when i run the query for all azusers then it gives an error.
Here is the command I am trying:
$user = (Get-AzADUser).UserPrincipalname
Get-AzRoleAssignment -SignInName $user -ExpandPrincipalGroups | Select-Object DisplayName,RoleDefinitionName, Scope
Get-AzRoleAssignment -SignInName $user -ExpandPrincipalGroups | Select-Object DisplayName,RoleDefinitionName, Scope
Get-AzRoleAssignment : Cannot find principal using the specified options
At line:1 char:1
+ Get-AzRoleAssignment -SignInName $user -ExpandPrincipalGroups | Selec ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : CloseError: (:) [Get-AzRoleAssignment], KeyNotFoundException
+ FullyQualifiedErrorId : Microsoft.Azure.Commands.Resources.GetAzureRoleAssignmentCommand
welcome back suri,
you need to pass the parameter SignInName of the command Get-AzRoleAssignment as string not a list
Get-AzRoleAssignment
-SignInName <String>
-ResourceGroupName <String>
[-RoleDefinitionName <String>]
[-IncludeClassicAdministrators]
[-DefaultProfile <IAzureContextContainer>]
[<CommonParameters>]
so this could be handled as follow
(Get-AzADUser).UserPrincipalname | % { Get-AzRoleAssignment -SignInName $_ | Select-Object DisplayName,RoleDefinitionName,Scope}
DisplayName RoleDefinitionName Scope
----------- ------------------ -----
Mahmoud Moawad Owner /subscriptions/XXXXX-XXXX-XXXXX-XXXX-XXXX
Mahmoud Moawad User Access Administrator /
Related
Been trying to create a Powershell script to achieve the following.
Check which users have a specific license assigned
assign these users to a specific security group.
Get-MsolUser | Where-Object {($_.licenses).AccountSkuId -match "DEVELOPERPACK_E5"} | Add-AzureADGroupMember -ObjectID c1ec272d-e0d2-496c-ba65-602e7d822c75
The first part of the script runs okay Get-MsolUser | Where-Object {($_.licenses).AccountSkuId -match "DEVELOPERPACK_E5"} which returns the users that have the license, however when trying to pipe results to "AddAzureADGroupMember" an error occurs.`
Error:
At line:1 char:1
+ Get-MsolUser | Where-Object {($_.licenses).AccountSkuId -match "DEVEL ...
+ ~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (Microsoft.Onlin...omation.GetUser:GetUser) [Get-MsolUser], PipelineStoppedException
+ FullyQualifiedErrorId : System.Management.Automation.PipelineStoppedException: The pipeline has been stopped.
at System.Management.Automation.CommandProcessor.ProcessRecord()
at System.Management.Automation.CommandProcessorBase.DoExecute()
at System.Management.Automation.Internal.Pipe.AddToPipe(Object obj)
at System.Management.Automation.Internal.Pipe.AddItems(Object objects)
at System.Security.SecurityContext.Run(SecurityContext securityContext, ContextCallback callback, Object state)
at System.Management.Automation.MshCommandRuntime.WriteObject(Object sendToPipeline, Boolean enumerateCollection)
at System.Management.Automation.Cmdlet.WriteObject(Object sendToPipeline, Boolean enumerateCollection)
at Microsoft.Online.Administration.Automation.MsolCmdlet.ProcessList(SearchDefinition searchDefinition, Int32 maxResultsSize) in X:\bt\1067178\repo\src\dev\PowerShell.V1\modules\psmodule\Cmdlets\MsolCmdlet.cs:line 372,Microsoft.Online.Administration.Automation.G
etUser
Add-AzureADGroupMember : Error occurred while executing AddGroupMember
Code: Request_BadRequest
Message: Invalid object identifier 'Microsoft.Online.Administration.User'.
RequestId: be0ee2c5-44e0-41f3-a9e2-f8396980cf6b
DateTimeStamp: Fri, 22 Oct 2021 10:37:21 GMT
HttpStatusCode: BadRequest
HttpStatusDescription: Bad Request
HttpResponseStatus: Completed
At line:1 char:86
+ ... PACK_E5"} | Add-AzureADGroupMember -ObjectId c1ec272d-e0d2-496c-ba65- ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Add-AzureADGroupMember], ApiException
+ FullyQualifiedErrorId : Microsoft.Open.AzureAD16.Client.ApiException,Microsoft.Open.AzureAD16.PowerShell.AddGroupMember```
The reason you are getting the error is you are not using the refobjectiD .
You can try to use the below cmdlt with foreach to achieve your requirement
Get-AzureADUser | Where-Object {($_.AssignedLicenses).SkuId -match "*******"} | ForEach-Object { Add-AzureADGroupMember -ObjectID ****** -RefObjectId $_.ObjectId}
Here is my output screenshots:
Managed to get this done with below, appreciate all help with this.
$Users = (Get-MsolUser | Where-Object {($_.licenses).AccountSkuId -match "DEVELOPERPACK_E5"}) | select -expand ObjectId
foreach ($User in $Users) {
Add-AzureADGroupMember -ObjectId 'c1eXXX2d-XXX2-496c-ba65-6XXXXXXXX5' -RefObjectId ($user)
}
I was trying to set the password for an Azure user to not expire forever. In the process I tried below commands
Get-AzADUser -ObjectId <valid Azure user> | Select-Object UserprincipalName,#{
>> N="PasswordNeverExpires";E={$_.PasswordPolicies -contains "DisablePasswordExpiration"}
>> }
UserPrincipalName PasswordNeverExpires
----------------- --------------------
<valid Azure user> False
To set PasswordNeverExpires to True, I executed below command
Set-AzADUser -ObjectId <valid Azure user> -PasswordPolicies DisablePasswordExpiration
But it throws an error as below:
Update-AzADUser : A parameter cannot be found that matches parameter name 'PasswordPolicies'.
At line:1 char:51
+ ... ADUser -ObjectId <valid Azure user> -PasswordPolicies Disable ...
+ ~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (:) [Update-AzADUser], ParameterBindingException
+ FullyQualifiedErrorId : NamedParameterNotFound,Microsoft.Azure.Commands.ActiveDirectory.UpdateAzureADUserCommand
Can someone help me on this issue please.
Thanks,
Sri Ram.
Az Powershell doesn't provide the setting password policy feature.
Use Azure AD Powershell instead.
Set-AzureADUser -ObjectId <user ID> -PasswordPolicies DisablePasswordExpiration
If you are concerned about having to log in to Azure AD Powershell again, you can connect a session using an existing token associated with the active azure context.
For example:
# login
Connect-AzAccount -Tenant {your tenant}
# perform other Azure operations...
$currentAzureContext = Get-AzContext
$tenantId = $currentAzureContext.Tenant.Id
$accountId = $currentAzureContext.Account.Id
Connect-AzureAD -TenantId $tenantId -AccountId $accountId
Then you can run Set-AzureADUser cmd.
I want to make a powershell script that would list me Users list from Azure AD and all Enterprise application assigned to every user from the list.
I have tried to set ForEach-Object loop to iterate each object I would get from Get-AzureADUser
This code works:
$UserId = (Get-AzureADUser -Top 1).ObjectId
Get-AzureADUserAppRoleAssignment -ObjectId $UserId
I 'm trying to loop and iterate for every single output:
$UserId = (Get-AzureADUser).ObjectId | ForEach-Object {
Get-AzureADUserAppRoleAssignment -ObjectId $UserId}
Here is the error message:
Get-AzureADUserAppRoleAssignment : Cannot convert 'System.Object[]' to the type 'System.String' required by parameter 'ObjectId'. Specified method is not supported.
At line:1 char:44
+ Get-AzureADUserAppRoleAssignment -ObjectId $UserID
+ ~~~~~~~
+ CategoryInfo : InvalidArgument: (:) [Get-AzureADUserAppRoleAssignment], ParameterBindingException
+ FullyQualifiedErrorId : CannotConvertArgument,Microsoft.Open.AzureAD16.PowerShell.GetUserAppRoleAssignments
You may create the loop for Get-AzureADUserAppRoleAssignment by these commands below:
$UserId = (Get-AzureADUser).ObjectId
foreach ($eachUserId in $UserId)
{
Get-AzureADUserAppRoleAssignment -ObjectId $eachUserId
}
I'm trying to tag all my running VMs from azure with tags from a CSV file but my PowerShell script is failing when being run from VSCode PowerShell core terminal.
I double-checked and I have set the correct active subscription (we have multiple tenants and subscriptions), but the output says that it can't find my resource groups (they are there for sure).
Enable-AzureRmAlias
$csv = import-csv "C:\Users\popes\Desktop\Jedox\Powershell scripts\Tagging\Tagging.csv"
$csv | ForEach-Object {
# Retrieve existing tags
$tags = (Get-AzResource -ResourceGroupName $_.RG -ResourceType "Microsoft.Compute/virtualMachines" -Name $_.VM).Tags
# Define new value pairs from CSV
$newTags = #{
company = $_.Company
dns = $_.DNS
type = $_.Type
CN = $_.CN
}
# Add new tags to existing set (overwrite conflicting tag names)
foreach($CN in $newTags.Keys){
$tags[$_] = $newTags[$_]
}
# Update resource with new tag set
Set-AzResource -ResourceGroupName $_.RG -Name $_.VM -Tag $tags -ResourceType "Microsoft.Compute/virtualMachines"
}
The output:
Get-AzResource : Resource group 'machine774_rg' could not be found.
At line:3 char:14
+ ... $tags = (Get-AzResource -ResourceGroupName $_.RG -ResourceType "Mi ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : CloseError: (:) [Get-AzResource], CloudException
+ FullyQualifiedErrorId : Microsoft.Azure.Commands.ResourceManager.Cmdlets.Implementation.GetAzureResourceCmdlet
Cannot index into a null array.
At line:15 char:9
+ $tags[$_] = $newTags[$_]
+ ~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [], RuntimeException
+ FullyQualifiedErrorId : NullArray
Try to use Clear-AzContext, then login with specific tenant and subscription, Connect-AzAccount -Tenant "xxxx-xxxx-xxxx-xxxx" -SubscriptionId "yyyy-yyyy-yyyy-yyyy".
I have been trying to find a way to bulk add users to a group from a variable.
I create my variables.
Test my variables. And then when I use them, the system interprets them in a way I didn't expect. Has anyone figured out how to best automate this process?
PS C:\WINDOWS\system32> $user = get-MsolUser | Select ObjectID
PS C:\WINDOWS\system32> $user
ObjectId
--------
97232511-7ea5-4f26-9372-************
baa75007-e0fc-4265-b17c-************
PS C:\WINDOWS\system32> $group = get-MsolGroup -ObjectId 776da14a-9c10-4dd1-b880-************ | Select ObjectID
PS C:\WINDOWS\system32> $group
ObjectId
--------
776da14a-9c10-4dd1-b880-************
PS C:\WINDOWS\system32> Add-MsolGroupMember -GroupObjectID $group -GroupMemberType User -GroupMemberObjectId $user
Add-MsolGroupMember : Cannot bind parameter 'GroupObjectId'. Cannot convert the "#{ObjectId=776da14a-9c10-4dd1-b880-d0646d49e926}"
value of type "Selected.Microsoft.Online.Administration.Group" to type "System.Guid".
At line:1 char:36
+ Add-MsolGroupMember -GroupObjectID $group -GroupMemberType User -Grou ...
+ ~~~~~~
+ CategoryInfo : InvalidArgument: (:) [Add-MsolGroupMember], ParameterBindingException
+ FullyQualifiedErrorId : CannotConvertArgumentNoMessage,Microsoft.Online.Administration.Automation.AddGroupMember
PS C:\WINDOWS\system32>
Try this while selecting a group and then pass it to the Add-MsolGroupMember cmdlet.
$group = get-MsolGroup -ObjectId 776da14a-9c10-4dd1-b880-************ | Select-Object -ExpandProperty ObjectID
Alternative to answer provided.
$group = get-MsolGroup -ObjectId 776da14a-9c10-4dd1-b880-************
$users = get-MsolUser
foreach($user in $users){
Add-MsolGroupMember -GroupObjectID $group.objectId -GroupMemberType User -GroupMemberObjectId $user.objectId
}
Because you're returning multiple users you'll want to foreach them as the cmdlet only accepts one argument for the -GroupMemberObjectId. Also with your current set up getting the group is obsolete since you already know the object id you could achieve the same with.
$groupObjectId = "776da14a-9c10-4dd1-b880-************"
$users = get-MsolUser
foreach($user in $users){
Add-MsolGroupMember -GroupObjectID $groupObjectId -GroupMemberType User -GroupMemberObjectId $user.objectId
}