Azure Automation: Run PowerShell after AD user added - azure

I'm reviewing Azure Automation, but I couldn't find out whether it is possible to run a PowerShell script whenever a new user is added to Active Directory. The scenario I'm researching is: whenever a new Office 365 account is added through admin.microsoft.com, I want to configure some email preferences for this user. I have my PowerShell script tested already (so these preferences should be set correctly), but now I'm trying to find out how exactly this script should be executed right after the account is added.
Thanks,

You can inspect the Azure AD Audit logs for new user creation. You can export the Diagnostic Settings (logs) to Azure Monitor (see doc).
The following is an idea but I never tried it myself:
In Azure Monitor -> Logs you can find, for example, this query:
Modify it according to your needs and create an alert rule. In the alert rule, you can set up an action group that triggers your automation account with the PowerShell script.
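The runbook side of that chain, as an added example that is not code from the answer above: it assumes the alert rule is a scheduled-query alert on the AuditLogs table (the KQL is in the header comment) with "Split by dimensions" on a column named upn, that the action group has the common alert schema enabled and an Automation runbook action pointing at this runbook, and that Set-NewUserMailPreferences is a placeholder for the asker's own tested script. The payload in the offline branch is constructed to match the common alert schema shape, not captured from a real alert.

```powershell
# Azure Automation PowerShell runbook, started by an Azure Monitor action group
# when the "new user" log alert fires. Added example; not the original answer's code.
#
# Assumed alert rule query (KQL), with "Split by dimensions" on the upn column:
#   AuditLogs
#   | where OperationName == "Add user" and Result == "success"
#   | extend upn = tostring(TargetResources[0].userPrincipalName)
#   | summarize count() by upn
param(
    [Parameter(Mandatory = $false)]
    [object] $WebhookData
)

# Placeholder for the asker's already-tested preferences script.
function Set-NewUserMailPreferences {
    param([Parameter(Mandatory)][string] $UserPrincipalName)
    Write-Output "Configuring mail preferences for $UserPrincipalName"
}

# Pull the UPNs out of a common-alert-schema payload. Log search alerts put the
# dimension values under data.alertContext.condition.allOf[].dimensions[].
function Get-UpnsFromAlertPayload {
    param([Parameter(Mandatory)][string] $RequestBody)

    $payload = $RequestBody | ConvertFrom-Json
    if ($payload.schemaId -ne 'azureMonitorCommonAlertSchema') {
        throw "Unexpected payload schema '$($payload.schemaId)'; enable the common alert schema on the action group."
    }
    if ($payload.data.essentials.monitorCondition -ne 'Fired') {
        return @()   # ignore 'Resolved' notifications
    }
    $upns = foreach ($cond in $payload.data.alertContext.condition.allOf) {
        foreach ($dim in $cond.dimensions) {
            if ($dim.name -eq 'upn') { $dim.values }
        }
    }
    # Only act on values that look like a UPN; the payload is untrusted input to this script.
    return @($upns | Where-Object { $_ -match '^[^@\s]+@[^@\s]+$' } | Sort-Object -Unique)
}

# Some runtimes hand the webhook data over as a JSON string instead of an object.
if ($WebhookData -is [string]) { $WebhookData = $WebhookData | ConvertFrom-Json }

if ($null -eq $WebhookData) {
    # Offline smoke test: constructed payload in the shape of the common alert schema.
    $body = @'
{
  "schemaId": "azureMonitorCommonAlertSchema",
  "data": {
    "essentials": { "alertRule": "new-user-created", "monitorCondition": "Fired", "signalType": "Log" },
    "alertContext": {
      "conditionType": "LogQueryCriteria",
      "condition": {
        "allOf": [ {
          "searchQuery": "AuditLogs | where OperationName == \"Add user\"",
          "dimensions": [ { "name": "upn", "operator": "Include", "values": [ "jane.doe@contoso.com" ] } ]
        } ]
      }
    }
  }
}
'@
} else {
    $body = $WebhookData.RequestBody
}

foreach ($upn in Get-UpnsFromAlertPayload -RequestBody $body) {
    Set-NewUserMailPreferences -UserPrincipalName $upn
}
```

Two caveats worth knowing before relying on this: a log alert only fires when its schedule evaluates the query (and the audit event has to be ingested into the workspace first), so "right after the account is added" in practice means a few minutes later, and the runbook should treat every string in the payload as untrusted input, which is why the UPNs are filtered rather than passed straight through.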

Related

How to set alert on edit/delete of a file or folder in Azure Portal

Log files for my sample application are getting created in the following folder in the Azure portal:
D:/home/LogFiles/sample_application/sample_application.log
sample_application.log can be both edited and deleted.
Is there a way in the Azure portal to trigger an email alert when someone tries to modify or delete the log file?
• Yes, you can surely configure an alert using Azure Monitor regarding the deletion of the log file from the App Service through the Kudu console or by some other means. For this purpose, you will have to create an alert rule from the Azure Monitor alerts pane with the condition 'AppServiceFileAuditLogs | where OperationName == "Delete" and Path == "D:/home/LogFiles/sample_application/sample_application.log"' with the action of sending an alert to the email ID registered with this alert rule. Please find the link below on how to create an alert rule through Azure Monitor:
https://learn.microsoft.com/en-us/azure/azure-monitor/alerts/alerts-activity-log
Also find the snapshot below for reference:
Also, ensure that the condition is selected as 'Custom Log Search', as below:
Please find the link below for detailed instructions on implementing the integration between Azure App Service and Azure Monitor:
https://azure.github.io/AppService/2019/11/01/App-Service-Integration-with-Azure-Monitor.html

Azure AD Sync - Not updating the usagelocation from AD

I have AD Sync on a DC and I am trying to get it to pull the usageLocation from a user's attributes, but it fails to populate. I have added the locale GB to msExchUsageLocation and also added a rule in the Synchronization Rules Editor to obtain this information from the attribute and point it at usageLocation, but it still shows blank. The only way to update the usageLocation is to use the following PS script:
Set-MsolUser -UserPrincipalName user@domain.com -UsageLocation GB
I have a script that updates each user's AD profile using a CSV, and wanted to incorporate the usageLocation in that; however, as it stands, the PS script is the only way to update this.
Any Ideas would be greatly appreciated.
Azure AD's usageLocation syncs with On-prem AD's msExchUsageLocation by default. You can populate that attribute on prem and it'll sync up. Use two letter country codes in AD and Azure will translate them when you look at the user's profile.
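Following that answer, here is an added example (not the answer's own code) of populating msExchUsageLocation on-premises from the kind of CSV the asker already uses, so that Azure AD Connect carries it to usageLocation instead of Set-MsolUser being run per user. It assumes the Exchange schema extension is present in the forest (msExchUsageLocation only exists then), that the CSV has SamAccountName and UsageLocation columns (the sample rows below are constructed), and that the ADSync module is available if you want to trigger a delta sync from the same machine.

```powershell
# Added example: write msExchUsageLocation on-prem so Azure AD Connect syncs it
# to usageLocation. Not the original answer's code; assumptions are marked.
#Requires -Modules ActiveDirectory

# Constructed sample input standing in for the asker's CSV
# (note the lower-case and three-letter rows, which must not be written as-is).
$sampleCsv = @'
SamAccountName,UsageLocation
jdoe,GB
asmith,us
bwong,GBR
'@

function Set-OnPremUsageLocation {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][object[]] $Rows
    )
    foreach ($row in $Rows) {
        # usageLocation must be an ISO 3166-1 alpha-2 code. Normalise case, and
        # refuse anything else rather than exporting junk to Azure AD.
        $code = ([string]$row.UsageLocation).Trim().ToUpperInvariant()
        if ($code -notmatch '^[A-Z]{2}$') {
            Write-Warning "$($row.SamAccountName): '$($row.UsageLocation)' is not a two-letter country code, skipping"
            continue
        }
        $user = Get-ADUser -Identity $row.SamAccountName -Properties msExchUsageLocation -ErrorAction SilentlyContinue
        if (-not $user) {
            Write-Warning "$($row.SamAccountName): not found in AD, skipping"
            continue
        }
        if ($user.msExchUsageLocation -eq $code) { continue }   # already correct, nothing to sync
        if ($PSCmdlet.ShouldProcess($user.DistinguishedName, "Set msExchUsageLocation=$code")) {
            # -Replace works whether the attribute is currently empty or already set.
            Set-ADUser -Identity $user -Replace @{ msExchUsageLocation = $code }
        }
    }
}

$rows = $sampleCsv | ConvertFrom-Csv        # in practice: Import-Csv .\users.csv
Set-OnPremUsageLocation -Rows $rows -WhatIf  # drop -WhatIf to apply the changes

# Optional: on the Azure AD Connect server, run a delta sync now instead of
# waiting for the next scheduled cycle (assumes the ADSync module is installed).
if (Get-Command Start-ADSyncSyncCycle -ErrorAction SilentlyContinue) {
    Start-ADSyncSyncCycle -PolicyType Delta
}
```

Run it with -WhatIf first: the output lists exactly which users would change, and the warnings show which CSV rows would have been rejected. If usageLocation still comes up blank after a delta sync, check that msExchUsageLocation is selected under Azure AD Connect's attribute filtering and that the custom rule added in the Synchronization Rules Editor is not overriding the built-in inbound rule with an empty value.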

How to select user in Task Scheduler on Azure AD joined device

How to select an Azure AD user account on an Azure AD joined device?
I've just run into this problem and solved it using these steps:
Create your task as normal in Task Scheduler. In security options select any local user.
Export the task into an xml file
Delete the task from Task Scheduler
Open cmd line and run whoami /user - if you want to run the task as a different user to the currently logged in one, you'll have to adjust this accordingly
Open the exported task xml file, modify the <Principals> section:
<Principals>
<Principal id="Author">
<UserId>PUT THE USER ID HERE</UserId>
...
Save the edited xml file. Import it into Task Scheduler
Task Scheduler will display AzureAD\Username even though you aren't able to choose AzureAD when selecting locations. See example image here
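The same export / edit <Principals> / re-import procedure as a single PowerShell session, added here as an example that is not part of the answer above. It assumes an existing task named 'MyTask' in the root task folder (a placeholder), that you run it in an elevated PowerShell on the Azure AD joined device while logged on as the Azure AD user the task should run as, and that the task's XML already contains a <Principal id="Author"> element with a <UserId> child (which is what Task Scheduler writes when you pick any local user in the security options).

```powershell
# Added example: swap the task principal to the Azure AD user's SID without
# hand-editing the XML. Not the original answer's code; placeholders marked.
$taskName = 'MyTask'   # placeholder: the task created in Task Scheduler
$taskPath = '\'

# The same value 'whoami /user' prints. Azure AD users on a joined device carry
# S-1-12-1-... SIDs and have no local SAM account to pick from in the UI.
function Get-CurrentUserSid {
    [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
}

# Return the task XML with <Principals><Principal id="Author"><UserId> set to $Sid.
function Set-TaskXmlPrincipal {
    param(
        [Parameter(Mandatory)][string] $TaskXml,
        [Parameter(Mandatory)][string] $Sid
    )
    if ($Sid -notmatch '^S-1-[0-9-]+$') { throw "Not a SID: $Sid" }
    [xml] $doc = $TaskXml
    $principal = $doc.Task.Principals.Principal
    if (-not $principal -or -not $principal.UserId) {
        throw 'Task XML has no <Principals><Principal><UserId> element'
    }
    $principal.UserId = $Sid
    return $doc.OuterXml
}

# 1. Export the task that was created with a placeholder local user.
$xml = Export-ScheduledTask -TaskName $taskName -TaskPath $taskPath

# 2. Rewrite the principal to the logged-on Azure AD user's SID.
$fixed = Set-TaskXmlPrincipal -TaskXml $xml -Sid (Get-CurrentUserSid)

# 3. Delete the old task and re-register it from the edited XML.
Unregister-ScheduledTask -TaskName $taskName -TaskPath $taskPath -Confirm:$false
Register-ScheduledTask -TaskName $taskName -TaskPath $taskPath -Xml $fixed | Out-Null

# Task Scheduler resolves the SID and shows AzureAD\<username> as the principal.
(Get-ScheduledTask -TaskName $taskName -TaskPath $taskPath).Principal
```

The SID check before the XML is touched matters because Register-ScheduledTask will accept a UserId that names nobody and the task will then silently fail to run; validating the value you are about to write is cheaper than debugging a task with last result 0x41303.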
Open a CMD and type:
whoami
This will show your azuread\username
Usually this is azuread\firstmiddlelastname
That is the username that you are looking for.
You should use the Azure AD account that you used to join the device to Azure AD. To find the Azure AD user, you can open the Azure Portal, where you can see all the users in Azure Active Directory.

Azure PowerShell Scripts - Restrict Get-AzureRmWebAppPublishingProfile to Filezilla

I'm trying to come up with a combination of Custom Role and PowerShell script that will constrain an AD member's capabilities to the following (for a particular web app):
1) Require an interactive login to an AD account
2) Perform a download of a Publish Profile, but only in Filezilla format
The purpose is to provide a "deployer" role with the ability to upload code changes, but not see connection strings, which are visible in Web Deploy publish settings.
I see the necessary level of control in PowerShell for downloading only the FileZilla3 FTP publishing data, and I got that to work, for example:
Get-AzureRmWebAppPublishingProfile -Name test-app -ResourceGroupName test_Group -Format FileZilla3 -OutputFile S:\test.xml
I understand the pattern for creating a Custom Role, and for adding actions to it. These look like the actions I might need:
Microsoft.Web/sites/publishxml/Action
microsoft.web/sites/publishxml/read
However, I don't see another level of detail within those actions for constraining the action to only Filezilla3 format.
Question: is there a way to create a Custom Role specification that would allow an AD member to download publish settings, but only in FileZilla3 format?
From the official docs, there is no way to create the Custom Role you want. For the details, please read here.

Unable to remove Azure Active-Directory due to existing Application

How to remove an orphaned Application in an Azure Directory?
I have a second (non-Default) directory that I was using to test the AD Connect app, and having finished with it, want to delete.
I have been able to remove the users both with the Management Portal and Remove-MsolUser, but am unable to delete the directory as it has one Application registered - "Office 365 Management APIs"
In the management console, this Application looks a little weird - there are no options to do anything on its dashboard and just checking, this Application is also installed in my Default Directory and looks the same - maybe it cannot be removed?
Have tried removing the App using the Remove-msolservice cmdlet, and tried the whole-hog approach as per Method 5 in https://support.microsoft.com/en-au/kb/2967860/en-us - seems to run through ok, but the Application is still listed, and when deleting the Directory I still get the error -
Directory has one or more applications that were added by a user or administrator
I had the same problem. When I performed the steps below, I could delete the Azure Active Directory tenant:
Log in to Azure and create a new user with Global Admin permissions in the AAD you're trying to delete.
Open the Azure Active Directory Module for Windows PowerShell and execute the following:
Connect-MsolService (log in with the @onmicrosoft.com global admin account you created)
Get-MsolServicePrincipal | Remove-MsolServicePrincipal (This will generate errors but it's ok)
Log in to https://manage.windowsazure.com as the service admin
Delete the already created @onmicrosoft.com Global Admin user
Delete the AAD now
You can check the sites below as well:
http://blogs.msdn.com/b/dstfs/archive/2015/05/27/trouble-deleting-azure-active-directory-aad-due-to-quot-visual-studio-online-quot-item-in-aad-quot-applications-quot-list.aspx
or here:
https://www.opsgility.com/blog/deleting-azure-ad-applications
You must run the following cmdlets after running the remove cmdlets:
Get-MsolServicePrincipal | Set-MsolServicePrincipal -AccountEnabled $False
then delete the temporary global admin account (if any) and you should be able to delete the directory.
More information about this issue: https://support.microsoft.com/en-us/kb/3112170
This article helped me to delete the Azure AD I created with the old Windows Azure Portal (manage.windowsazure.com):
https://blogs.msdn.microsoft.com/ericgolpe/2015/04/30/walkthrough-of-deleting-an-azure-ad-tenant/
In a nutshell:
Create a new user under the AD you intend to delete.
User must have Global Admin role.
You will get a temporary password for this user. Once logged in to the Azure Portal with this user, you will need to create a permanent password.
Using this credential, remove the Azure AD's applications using Azure AD PowerShell.
Then, go back to the Azure AD you intend to delete (using your own credentials, not the newly created user) and delete the user you just created.
Only after doing all these will you be able to delete the Azure AD.
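The service-principal cleanup that all three answers above describe in pieces (remove, then disable what survived, then inspect what is left), as one added PowerShell script that is not any answer's own code. It assumes you are signed in as the temporary @onmicrosoft.com global admin created inside the tenant you intend to delete, and it uses the legacy MSOnline module the answers are written against; Microsoft has since deprecated that module in favour of Microsoft Graph PowerShell, so treat this as the procedure as it stood for the old portal.

```powershell
# Added example: disable and remove every service principal in the tenant you
# are about to delete, then list what survived. Not the original answers' code.
#Requires -Modules MSOnline

Connect-MsolService   # sign in as the temporary <user>@<tenant>.onmicrosoft.com global admin

function Remove-TenantServicePrincipals {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    $sps = @(Get-MsolServicePrincipal -All)
    Write-Output "Found $($sps.Count) service principal(s)"

    foreach ($sp in $sps) {
        $label = "$($sp.DisplayName) ($($sp.AppPrincipalId))"
        if (-not $PSCmdlet.ShouldProcess($label, 'Disable and remove')) { continue }
        try {
            # Disable before removing: the answers above note that entries which
            # survive Remove still need AccountEnabled=$false before the tenant
            # can be deleted, so doing it first covers both cases.
            Set-MsolServicePrincipal -ObjectId $sp.ObjectId -AccountEnabled $false -ErrorAction Stop
            Remove-MsolServicePrincipal -ObjectId $sp.ObjectId -ErrorAction Stop
            Write-Output "Removed $label"
        } catch {
            # First-party Microsoft principals (e.g. Office 365 Management APIs)
            # are expected to refuse removal; they are left disabled instead.
            Write-Warning "Could not remove $label : $($_.Exception.Message)"
        }
    }

    # Anything still enabled here is what the directory-deletion error refers to.
    Get-MsolServicePrincipal -All |
        Where-Object { $_.AccountEnabled } |
        Select-Object DisplayName, AppPrincipalId, AccountEnabled
}

Remove-TenantServicePrincipals -WhatIf   # preview first, then rerun without -WhatIf
```

Because this runs with a global admin token inside the tenant, the -WhatIf preview is not optional in practice: run it once against the tenant name shown by Get-MsolCompanyInformation to confirm you are connected to the throwaway directory and not the default one, since the script removes every principal it can reach. After the real run, sign back in with your own account, delete the temporary global admin, and only then attempt to delete the directory.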
