How to turn on self-service password reset in Azure AD? - azure

How do I turn on self-service password reset through the Azure AD portal? I cannot find it in the portal?

You can only turn on or turn off the feature with the MSOnline module, but other settings must be managed over the Portal for now:
Set-MsolCompanySettings -SelfServePasswordResetEnabled $True
From the Set-MsolCompanySettings documentation
There is Get-AzureADDirectorySettingTemplate in the AzureADPreview module, so maybe more settings will be available for configuration over PowerShell, but there is nothing related to Self-Service Password Reset at the moment.

Enabling SSPR for an OU or group in Azure is currently not supported by PowerShell cmdlets. The enablement of the SSPR feature is only supported via the Azure Portal.
We can reset the password for one user only using PowerShell.
Command: Set-AzureADUserPassword -ObjectId "object-id" -Password $password
I found an existing idea on this matter in the feedback forum for Azure. You can upvote the feedback in the Azure forum and share your additional feedback there for visibility.
Reference:
Azure Feedback SSPR

How do I delete an Azure Enterprise Applications without Azure subscription?

I want to remove a tenant from the Azure portal.
All Enterprise applications should be deleted before removing the tenant.
There are two options for how Enterprise applications could be removed:
From the Azure portal. Go to the application you want to delete, click "Properties", click the "Delete" button. This option is not available as the "Delete" button is disabled.
Using PowerShell commands with Azure Cloud Shell. This option is not available because it states "No valid subscription found. You need an Azure subscription to use Azure Cloud Shell".
I don't want to activate an Azure subscription just for removing the tenant.
But all options are useless in this case.
Any alternative approach?
You should be able to delete the enterprise application in the portal; make sure you are logged in to the portal with the Global admin account.
If this still does not work, try to use PowerShell locally (not in Cloud Shell).
1. Install the AzureAD module.
Install-Module -Name AzureAD
2. Log in with the Global admin account.
Connect-AzureAD -TenantId <TenantId>
3. Delete the enterprise application.
Remove-AzureADServicePrincipal -ObjectId <app objectid got from the portal>

Upload Azure AD B2C Custom Policy Via Powershell

How can I upload custom policies via PowerShell?
Azure AD B2C now supports PowerShell cmdlets
Azure AD Preview module documentation
See medium blog
Quick Start
Launch PowerShell and try the commands below
> Install-Module -Name AzureADPreview
> Connect-AzureAd -tenantId <yourtenantname> -accountId <yourAlias#contoso.com>
> Get-AzureADMSTrustFrameworkPolicy
> Get-AzureADMSTrustFrameworkPolicy -Id B2C_1A_signup_signin -OutputFilePath C:\B2C_1A_signup_signin.xml
> New-AzureADMSTrustFrameworkPolicy -InputFilePath C:\B2C_1A_signup_signin.xml
> Set-AzureADMSTrustFrameworkPolicy -Id B2C_1A_signup_signin -InputFilePath C:\B2C_1A_signup_signin.xml
You can't.
Well, you used to be able to if you had an advanced policy with the B2C PowerShell tools, but ever since they moved from B2C to Identity Experience Framework they have disabled it.
I presume when they go back to ARM templates they will re-enable it.
Azure AD B2C currently does not support any programmatic policy management, including Graph, PowerShell or ARM templates.
You can support this ask and keep track of it (i.e. get notified when there's a preview available) by voting for it in the Azure AD B2C feedback forum: Programmatically Manage B2C Policies
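The cmdlets in the first answer are enough to replace a policy, but a failed upload of a custom policy can lock users out of sign-in. The script below is an added example (not from any answer above or from the Azure AD B2C project): it exports every existing policy to a timestamped backup folder, checks that the new file's PolicyId attribute matches the target, and only then creates or updates the policy. The policy name, file path and backup directory are assumed values.

```powershell
# Added example: back up all B2C custom policies, validate the new file, then upload.
# Assumes the AzureADPreview module is installed and Connect-AzureAD has already run.
param(
    [string]$PolicyId  = 'B2C_1A_signup_signin',                          # assumed target policy
    [string]$NewPolicy = 'C:\B2C_1A_signup_signin.xml',                    # assumed file to upload
    [string]$BackupDir = "C:\b2c-backup\$(Get-Date -Format 'yyyyMMdd-HHmmss')"  # assumed backup path
)

New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

# 1. Export every policy currently in the tenant so the whole framework can be restored.
foreach ($p in Get-AzureADMSTrustFrameworkPolicy) {
    $target = Join-Path $BackupDir "$($p.Id).xml"
    Get-AzureADMSTrustFrameworkPolicy -Id $p.Id -OutputFilePath $target
}

# 2. Validate the new file: it must parse as XML and declare the PolicyId we intend to replace.
[xml]$doc = Get-Content -Path $NewPolicy -Raw
$declared = $doc.TrustFrameworkPolicy.PolicyId
if ($declared -ne $PolicyId) {
    throw "File declares PolicyId '$declared' but the target is '$PolicyId'; aborting upload"
}

# 3. Create the policy if it does not exist yet, otherwise update it in place.
$existing = Get-AzureADMSTrustFrameworkPolicy | Where-Object { $_.Id -eq $PolicyId }
if ($existing) {
    Set-AzureADMSTrustFrameworkPolicy -Id $PolicyId -InputFilePath $NewPolicy
} else {
    New-AzureADMSTrustFrameworkPolicy -InputFilePath $NewPolicy
}

Write-Output "Backup written to $BackupDir; uploaded $PolicyId from $NewPolicy"
```

To roll back, re-run Set-AzureADMSTrustFrameworkPolicy with the matching file from the backup folder.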

Execute Azure Automation Runbooks Across Tenants

I am able to execute Runbooks within my Azure tenant/subscription, but would like to use a single Azure Automation Account in my tenant to execute Runbooks against other tenants and their subscriptions.
I have found this article for running against multiple subscriptions, but is it possible to have a centralized Azure Automation Account in one tenant that can connect and execute against other tenants and their subscriptions?
https://blogs.technet.microsoft.com/knightly/2017/05/26/using-azure-automation-with-multiple-subscriptions/
Based on my knowledge, if your account is an Azure AD account, it is possible. Also, if your account is a Microsoft account, you could also create an Azure AD account. For more information about how to create a new Azure AD user, please refer to this link.
You could create a credential and store your account and password in it.
You can retrieve the credential in a runbook using the Get-AutomationPSCredential activity and then use it with Add-AzureRmAccount to connect to your Azure subscription. The following commands work for me.
$cred = Get-AutomationPSCredential -Name "shuitest"
Add-AzureRmAccount -Credential $cred
Select-AzureRmSubscription -SubscriptionName "Your Subscription Name"
For more information about this, you could refer to this link.
If you want to log in to multiple tenants in one runbook, you need to sign in separately and execute your PowerShell cmdlets.
So I stumbled upon this article, which offers guidance on how to do what you want:
https://blogs.technet.microsoft.com/knightly/2017/05/26/using-azure-automation-with-multiple-subscriptions/
Basically what I said: get the appId and grant it permissions to perform actions on other subs.
I was struggling with the same issue today, specifically how to authenticate cross-tenant. I solved the authentication part of it by having an Azure Automation Account in both of my tenants, both with a RunAs Account.
By default these will be called AzureRunAsConnection
Tenant01 is my main Tenant that holds the Automation Account that does all the work.
Tenant02 is "passive".
Use this script to export the certificate of Tenant02.
Import the certificate into Tenant01.
In Tenant01 add an additional RunAs connection (e.g. "AzureRunAsConnection02") and enter the ApplicationId, TenantId, CertificateThumbprint and SubscriptionId of the RunAs account from Tenant02.
With identical RunAs accounts and certificates in both tenants you should now be able to switch between your tenants in your runbook with:
Get-AutomationConnection -Name AzureRunAsConnection
Get-AutomationConnection -Name AzureRunAsConnection02
etc...
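The last answer stops at retrieving the two connection assets. The runbook below is an added example (not the answer author's code) showing how those assets are actually used: for each connection it performs a certificate-based service principal login into that connection's tenant, selects the subscription stored on the asset, and runs the same read-only inventory step. The connection names AzureRunAsConnection and AzureRunAsConnection02 are taken from the answer; everything else (the resource group listing as the "work", the AzureRM module being imported into the Automation account) is assumed.

```powershell
# Added example: one runbook, several tenants, switching via the RunAs connection assets.
# Assumes the AzureRM modules are imported into the Automation account and that each
# connection asset holds TenantId, ApplicationId, CertificateThumbprint and SubscriptionId.
$connectionNames = @('AzureRunAsConnection', 'AzureRunAsConnection02')

foreach ($name in $connectionNames) {
    $conn = Get-AutomationConnection -Name $name
    if (-not $conn) {
        Write-Warning "Connection asset '$name' not found; skipping"
        continue
    }

    # Service principal login with the certificate imported into this Automation account.
    # No password leaves the account: the thumbprint selects a certificate already in its store.
    Add-AzureRmAccount -ServicePrincipal `
        -TenantId              $conn.TenantId `
        -ApplicationId         $conn.ApplicationId `
        -CertificateThumbprint $conn.CertificateThumbprint | Out-Null

    # Pin the context to the subscription recorded on the asset, not whatever was default.
    Set-AzureRmContext -SubscriptionId $conn.SubscriptionId | Out-Null

    # Assumed "work": a read-only inventory so a misconfigured connection cannot change anything.
    $groups = @(Get-AzureRmResourceGroup)
    $line = '{0}: tenant {1}, subscription {2}, {3} resource group(s)' -f $name, $conn.TenantId, $conn.SubscriptionId, $groups.Count
    Write-Output $line
}
```

Because each Add-AzureRmAccount call replaces the current context, any cmdlet placed after the login inside the loop runs against that iteration's tenant only.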

Getting Client_id, secret and tenantId for authenticating Microsoft Azure via ansible

I want to run a template on Microsoft Azure using an Ansible script. For that I have to set the client_id, secret and tenant_id. I am not sure where I can find them on Microsoft Azure?
Well, for that you have to create an Azure AD Application and use that as an Identity. Here's how you do it: https://azure.microsoft.com/en-us/documentation/articles/resource-group-create-service-principal-portal/
I see no point in typing all of the article here.
So the clientID is the ID of an application you can look up on the portal. The secret is what you create (it is visible only when you create it; after that you can't look it up). And the tenantID is the tenantID of your Azure AD.
Please be sure what client_id or other things you want.
If you are asking about getting connected with an Azure account, then it provides 2 things:
the Azure publish settings file and your subscription id.
So you can check for subscription_id (under settings on the Azure portal).
HTH
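The accepted answer points at the portal walkthrough. As an added example (not from the answer or the linked article), the script below does the same steps with the AzureAD and AzureRM modules: it creates the application and service principal, issues a client secret with a deliberately short lifetime, scopes the role assignment to a single resource group rather than the whole subscription, and returns the four values Ansible needs. The application name and resource group name are assumed.

```powershell
# Added example: create the identity Ansible authenticates with and emit client_id,
# secret, tenant_id and subscription_id. Assumes Connect-AzureAD and Login-AzureRmAccount
# have already run as a user allowed to create applications and assign roles.
$appName = 'ansible-deploy'      # assumed display name
$rgName  = 'my-deploy-rg'        # assumed resource group that Ansible is allowed to touch
$secretExpiry = (Get-Date).AddMonths(6)   # short-lived; rotate before this date

# 1. Application object plus the service principal that represents it in this tenant.
$app = New-AzureADApplication -DisplayName $appName
$sp  = New-AzureADServicePrincipal -AppId $app.AppId

# 2. Client secret. The value is returned exactly once; it cannot be read back later.
$cred = New-AzureADApplicationPasswordCredential -ObjectId $app.ObjectId `
            -CustomKeyIdentifier 'ansible' -StartDate (Get-Date) -EndDate $secretExpiry

# 3. Least-privilege role assignment: Contributor on one resource group only.
#    The new principal takes a few seconds to replicate, so retry the assignment briefly.
$assigned = $false
for ($i = 0; $i -lt 6 -and -not $assigned; $i++) {
    try {
        New-AzureRmRoleAssignment -ServicePrincipalName $app.AppId `
            -RoleDefinitionName 'Contributor' -ResourceGroupName $rgName -ErrorAction Stop | Out-Null
        $assigned = $true
    } catch {
        Start-Sleep -Seconds 10
    }
}
if (-not $assigned) { throw "Role assignment for $($app.AppId) on $rgName did not succeed" }

# 4. The values Ansible's azure_rm_* modules expect. Store the secret in Ansible Vault, not in a repo.
[pscustomobject]@{
    client_id       = $app.AppId
    tenant_id       = (Get-AzureADTenantDetail).ObjectId
    subscription_id = (Get-AzureRmContext).Subscription.Id
    secret          = $cred.Value
}
```

When the secret nears $secretExpiry, run New-AzureADApplicationPasswordCredential again for the same -ObjectId and remove the old credential with Remove-AzureADApplicationPasswordCredential.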

WebApp deployment to Azure

I'm trying to deploy a build to an Azure WebApp.
In Azure (http://manage.windowsazure.com) I linked the web app to my Visual Studio Online (VSTS) account.
In VSTS I've created a release definition with a single task (Azure Web App Deployment); the task is configured to use the endpoint defined in the administration module. The service endpoint is configured to use credentials. The credential is using a Microsoft account.
The release is failing with the below error:
2015-12-02T18:17:35.4422685Z AzurePSCmdletsVersion= 0.9.8.1
2015-12-02T18:17:35.5692677Z Get-ServiceEndpoint -Name foo -Context Microsoft.TeamFoundation.DistributedTask.Agent.Worker.Common.TaskContext
2015-12-02T18:19:07.5877546Z Username= ********
2015-12-02T18:19:07.5887893Z azureSubscriptionId= foo-foo-foo-foo-foo
2015-12-02T18:19:07.5907904Z azureSubscriptionName= Pay-As-You-Go
2015-12-02T18:19:07.6278127Z Add-AzureAccount -Credential $psCredential
2015-12-02T18:19:09.7755541Z ##[error]-Credential parameter can only be used with Organization ID credentials. For more information, please refer to http://go.microsoft.com/fwlink/?linkid=331007&clcid=0x409 for more information about the difference between an organizational account and a Microsoft account.
2015-12-02T18:19:09.9664413Z ##[error]There was an error with the Azure credentials used for deployment.
How can I set up the release to use a Microsoft account for the Azure credential?
There isn't any way to use a Microsoft Account credential to connect to Azure from a VSO service endpoint for now. You need to use an Organization account. If you don't have one, you can use "Certificate Based" authentication to connect to Azure easily. Click this link to get your subscription file and then paste the certificate string from the subscription file into the VSO "Management Certificate" area.
The Add-AzureAccount cmdlet uses Azure Active Directory (Azure AD) authentication access tokens, and Azure AD uses Organizational Accounts.
Microsoft account credentials, formerly known as LiveIDs, will not work in Azure AD authentication scenarios.
This is reported here as a suggestion and is by design as of now:
https://github.com/Azure/azure-powershell/issues/477
