Currently, we are using Service account to refresh the Azure Analysis Service Tabular model using the Azure Automation account and now planning to move to Service principal
Below are the steps I followed to do the required setup:
Create a Run as accounts from the Automation Account screen
The above step created a Service Principal in Azure Active Directory and using this I created a Client Secret. After this, I picked up the below values from the Service Principal:
Application (client) ID
Object ID
Directory (tenant) ID
Client Secret ID
Then, I have created a Credential in the Automation Account page using the <Application (client) ID> and <in the Azure Automation account
Username: <Application (client) ID>
Password:
Edited the Automation account Runbook to fetch the Service Principal credentials and then refresh the Azure Analysis Service. Below is the script:
#Tls 1.2
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
#Base Values
$databaseName = "Reporting-Tabular"
$server = "asazure://.asazure.windows.net/AASServer"
#Get Creds
$Credential = Get-AutomationPSCredential -Name 'service-principal'
Write-Output "Credential Obtained, invoking refresh"
Invoke-ProcessASDatabase -DatabaseName $databaseName -RefreshType "Full" -Server $server - ServicePrincipal -Credential $Credential
Write-Output "Done!"*
Added the app:<Application (client) ID>#<Directory (tenant) ID> to the Azure Analysis Services admin list using SSMS
I am getting the below error when I test the run book using the Test pane in the Automation account:
Unable to obtain authentication token using the credentials provided.
Please help how to resolve this issue.
in the Automation Credential password try pasting app registration's secret value instead of secret id.
Related
Wrote the below script to get the MFA status for all admins.
Works well. But I want to run this using the credential of a service principal and looks like Connect-MsolService does not have an option to do that.
Alternatively, Connect-AzAccount has the option to do that but in Az Powershell I dont find a way to get the MFA details of the users.
Is there a way to get the MFA details of the user using service principal?
Connect-MsolService
$output_file_location = "c:\temp\azure_admins_mfa_status_"+$(get-date -f yyyy-MM-dd-HH-mm-ss)+".csv"
$admin_roles = "Company Administrator","Billing Administrator","Conditional Access Administrator","Exchange Service administrator","Helpdesk administrator","Password administrator","Security administrator","Sharepoint Service administrator"
# Gets all the members in the admin roles in the roles list above
# Gets the MFA status for each member
# Appends the below data points to a file specified in the $output_file_location variable
# DisplayName,E-mail,Role,MFA-Requirements, MFA-Methods, MFA-MethodsDefault
function get-mfs-status
{
foreach ($roleName in $admin_roles)
{
write-output $roleName
$members = Get-MsolRoleMember -RoleObjectId $(Get-MsolRole -RoleName $roleName).ObjectId
#write-output $members
foreach ($member in $members)
{
write-output $member.EmailAddress
}
foreach ($member in $members)
{
write-output $member
Get-MsolUser -UserPrincipalName $member.EmailAddress | select DisplayName, `
#{N='E-mail';E={$_.userPrincipalName}}, `
#{N='Role';E={$roleName}}, `
#{N='MFA-Requirements';E={(($_).StrongAuthenticationRequirements.state)}}, `
#{N='MFA-Methods';E={(($_).StrongAuthenticationMethods.MethodType)}}, `
#{N='MFA-MethodsDefault';E={($_.StrongAuthenticationMethods | where isdefault -eq 'true').MethodType}} `
| select DisplayName,E-mail,Role, MFA-Requirements, MFA-Methods, MFA-MethodsDefault| Export-Csv $output_file_location -Append `
}
}
}
get-mfs-status
• No, you cannot retrieve the MFA details of the users in an Azure AD using service principal through powershell because service principal is generated for an instance of Azure resource, not an identity which has already been assigned an Azure AD role regarding the scope that has been defined with it. Thus, as an identity though of an Azure AD administrator has the scope of the whole subscription which hosts multiple tenants of your organization, has been defined with some roles and assignments pertaining to that scope. You can create a service principal with that ID logged in to Azure Powershell for the scope of your signed in ID but cannot retrieve the MFA status of users in Azure AD because when you pass the service principal in a variable to pass it as a credential and log in to the Microsoft 365 online, it cannot actuate them to the identity credentials and M365 doesn’t consider it.
Also, to get the status of MFA details of the users, you must connect to MS Online, you cannot retrieve it through Azure AD. Even if you convert the service principal secret in plain text and pass it as a credential to connect to M365, it doesn’t consider it nor it actuates the credentials.
• Instead, if you log into Azure/M365 using your actual credentials, i.e., ID and password, you will be able to retrieve the details provided you have the required role assignments and access.
Reference link for service principal usage: - https://learn.microsoft.com/en-us/powershell/azure/create-azure-service-principal-azureps?view=azps-6.6.0
It's beta but how about that:
https://learn.microsoft.com/en-us/graph/api/reportroot-list-credentialuserregistrationdetails?view=graph-rest-beta&tabs=http
so the background as follows:
for installation and deployment process we need to modify a customer created App Registration.
but we get not the right Application.ReadWriteAll but we could get Application.ReadWrite.OwnedBy.
I know that if creating an Graph Api Call (excecuted with Postman) as shown below it worked, because Creator is automatically the Owner.
.
HTTP-Post Request:
https://graph.microsoft.com/v1.0/applications
with body:
{
"displayName": "AppRegName"
}
But I need to solution with standard tool like azure portal or powershell and I found no way to assign or remove a service principal as owner to an App Registration.
Is there a way to to do this with powershell?
The authentifiaction with an service principal i dont't know how I can do it?
I think after I can create an App Registration with
$appRegistration = New-AzADApplication -DisplayName "AppRegCreatebyPS"
but I very unexperinced in using powershell.
So how I can tell powershell to use the service principal authentitification for creating App Registrations?
A short extra question:
Can I remove later the owner role for the service principal and how can I do it?
Thanks for all Readers And I hope someone can give me a hint.
You can create App registration, Service Principal for App registration, Add application owner and remove application owner all from PowerShell AzureAD module.
Command to install Azure AD module in PowerShell:
Install-Module AzureAD
You can use the below commands :
#Connect to Azure AD
Connect-AzureAD
#Create Azure AD app Registration
$appRegistration = New-AzureADApplication -DisplayName "AppRegCreatebyPS"
# Create A service Principal for the above app Registration
New-AzureADServicePrincipal -AccountEnabled $true -AppId $appRegistration.AppId -AppRoleAssignmentRequired $true -DisplayName $appRegistration.DisplayName
# get objectid for the service principal
$serviceprincipal= Get-AzureADServicePrincipal -Filter "DisplayName eq 'AppRegCreatebyPS'"
#Get the old app registration for whom you want set owner
$oldappregistration = Get-AzureADApplication -Filter "DisplayName eq 'Postman'"
#add service principal to the application owner of old app registration
Add-AzureADApplicationOwner -ObjectId $oldappregistration.ObjectId -RefObjectId $serviceprincipal.ObjectId
# verify the owner for the old app registration
Get-AzureADApplicationOwner -ObjectId $oldappregistration.ObjectId
#remove the owner for the old app registration
Remove-AzureADApplicationOwner -ObjectId $oldappregistration.ObjectId -OwnerId $serviceprincipal.ObjectId
Reference:
Cmdlts for Azure AD module reference
This can be done like below from bash or windows subsystem linux.
Login to your Azure account
az login
Execute below command
az ad app owner add --id AAAA --owner-object-id AAAA
--id(Application id) , --owner-object-id (Owners object id)
Ref : https://learn.microsoft.com/en-us/cli/azure/ad/app/owner?view=azure-cli-latest
Using powershell commands i want to reset the Service Principal client secret.
I followed the below steps from the article https://learn.microsoft.com/en-us/powershell/azure/create-azure-service-principal-azureps?view=azps-5.8.0
but it didnot reset the password
Remove-AzADSpCredential -DisplayName ServicePrincipalName
$newCredential = New-AzADSpCredential -ServicePrincipalName ServicePrincipalName
can you tell what i am doing wrong. I just want to reset the secret and have new one
I executed the above command and then i went to the app registration of that service principal and there i went to certificates & secrets i see it has not createed new secret.
Using bash i am able to reset the password by executing the below command but i want it to be done using powershell command
az ad sp credential reset --name
I went to the app registration of that service principal and there I went to certificates & secrets I see it has not created new secret.
Well, actually the command New-AzADSpCredential did create a new secret for you.
Firstly, you need to know the relationship between App Registration(AD App) and Service principal, see Application and service principal objects in Azure Active Directory.
In short, the service principal is the local representation for the AD App in a specific tenant. When you create the secret for the service principal, it will not appear in the Certificates & secrets blade, you can just get it with Get-AzADSpCredential.
If you want to reset the secret that you can find in the portal, you need to reset the sceret for the AD App(i.e. App Registration) via Remove-AzADAppCredential and New-AzADAppCredential.
You could refer to the sample below, it resets a secret with value ce96a0ed-5ae8-4a5a-9b3c-630da9ea3023, it is valid for one year, you can find it in the portal.
$obj = (Get-AzADApplication -DisplayName joyappv2).ObjectId
Remove-AzADAppCredential -ObjectId $obj -Force
$azurePassword = ConvertTo-SecureString "ce96a0ed-5ae8-4a5a-9b3c-630da9ea3023" -AsPlainText -Force
$date = Get-Date
$newCredential = New-AzADAppCredential -ObjectId $obj -Password $azurePassword -StartDate $date -EndDate $date.AddYears(1)
Note: You could not get the secret value again after creating it, so please store it when creating.
Is there any option to sign-in to Azure portal using clientID, client Secret, Tenant ID and /or subscription ID? Most of the samples I saw are using AD or SAML
No, you can't.
If you get the sign in url of the azure portal, you will find it uses this flow to authorize.
https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize?
client_id=c44b4083-3bb0-49c1-b47d-974e53cbdf3c&
response_mode=form_post&
response_type=code+id_token&
scope=https%3a%2f%2fmanagement.core.windows.net%2f%2fuser_impersonation+openid+email+profile&
state=OpenIdConnect.AuthenticationProperties%3d5sSBWCgxO8uzYlVgeWTBnBpO_3udn25WSlg2P5mZjzotjbc0u3aiZfTvDwyVNboeIldUVKig-KNmc_LiG_a2LI4dySYHViQ1bEQgXUt1c7PbCQ4Nqg-VOu9nsnSwTZ4i15w_0XeNah_PvG8B0TgQI5D-AlN4lhNrwtjN8ATClowc38Ifdu7h8BweU3sGvxlvYxtBG3-VzwSty-jaDbz3CRTUFmm0jTTKOGPrHsGu3q6-R9pDKFqvZk50Cd6AstdLe4qpcTRxFlkb114JxGW0BzZKIy__sIbqkHm_WeMnaFBGuQaTcGv4e7EizLxbZUc_jpqopZRCw7sfv-eaxHrD_ZoaXzNtylfoVnfcrnK0cbvh1TopnOcY166ZFW4uQlFu73De9SPMKMVr53gaUJTfR_pdJBQ_hS51L4quMf_noP4x5szhQ314hxgwoJBnw7R_8vhBKF6jplZmhqf3Hrsp4nEyzjjbyocCoXF9qxJjLkY&
nonce=637188980051547113.OTZkOTdlYjctODJiNS00M2E1LWFjZWUtM2FlMTUyYmJmOTc0ZWUxOWQ1OTYtNTBhOC00ZTc0LWFmMGYtNDkwYTA3ODJkZmEx&
redirect_uri=https%3a%2f%2fportal.azure.com%2fsignin%2findex%2f%3ffeature.refreshtokenbinding%3dtrue%26feature.snivalidation%3dtrue%26feature.usemsallogin%3dtrue&site_id=501430&client-request-id=c171ca99-bd9c-4a38-aaa0-a9344d273131&x-client-SKU=ID_NET&x-client-ver=1.0.40306.1554
Actually the azure portal is an AD App registered in azure ad, so you need the user account to login.
If you want to use the service principal(i.e. the clientID you mentioned) to do operations on the azure resources, you could use the Azure powershell, CLI, REST API.
Samples:
1.Use the service principal to login Azure powershell
$passwd = ConvertTo-SecureString <use a secure password here> -AsPlainText -Force
$pscredential = New-Object System.Management.Automation.PSCredential('service principal name/id', $passwd)
Connect-AzAccount -ServicePrincipal -Credential $pscredential -Tenant $tenantId
2.Use the service principal to login Azure CLI
az login --service-principal -u http://azure-cli-2016-08-05-14-31-15 -p VerySecret --tenant contoso.onmicrosoft.com
3.Use the client credential flow to get the token, then use it to call the REST API, see this link.
Accidentally Deleted Azure Multi-factor Auth client Service principal via power shell, how to restore it?
You could try to run the PowerShell script to restore it, the PowerShell script was created when you installed NPS extension for Azure MFA.
Get-AzureADServicePrincipal | Where-Object { $_.appid -match '981f26a1-7f43-403b-a875-f8b09b8cd720' } # did not show Azure Multi-factor auth client in list.
created new service principal for Azure Multi-factor auth client from below command.
new-AzureADServicePrincipal -AppId 981f26a1-7f43-403b-a875-f8b09b8cd720
set-AzureADServicePrincipal -AppId 981f26a1-7f43-403b-a875-f8b09b8cd720 -ObjectId b9ffe563-20b2-4ada-98f0-665cd878581c -AccountEnabled $true # object id obtained from above command
Now I am able to view the service principal when I search with object ID.