There are two types of groups in Azure Active Directory:
Security
Microsoft365
I can create a new Security group using Azure CLI and az ad group create --display-name TEST.
How do I create a new Microsoft365 group using Azure CLI?
Is it possible?
If not, which CLI can I use to script this?
Just found the answer. Apparently there is an Office365 CLI found here.
The command to create a new Azure Active Directory Microsoft 365 Group is:
m365 aad o365group add [options]
Related
I am trying to create an application using the Azure App service.
However, it shows the above error: unrecognized arguments:
The command that I use is --> az ad app create --available-to-other-tenants --display-name "rrwebappbot" --password "Password#1212"
For the command : az ad app create
The error says that the given argument " --available-to-other-tenants" shouldnt be used as argument for the command. You should use valid arguments.
I followed the Microsoft-Documentation,Plaese check the correct command as given below.
Example:
az ad app create --display-name rithwikapp
You can use other arguments that are mentioned in the Microsoft Document I provided.
When creating an application, there are four different types
Accounts in this organizational directory only
Accounts in any organizational directory
Accounts in any organizational directory and personal Microsoft accounts
Personal Microsoft accounts
From there, can see you want Accounts in any organizational directory.
According to the documentation, it's possible to see the command should include the parameter --sign-in-audience set to AzureADMultipleOrgs
So, your command should be something like
az ad app create --display-name rrwebappbot --sign-in-audience AzureADMultipleOrgs
I am configuring Harness Cost Management report for my Azure Dev subscription and getting the below error while creating the service principle.
When using this permission, the backing application of the service principal being created must in the local tenant
Used below command to create Service Principle.
az ad sp create --id 0211763d-24fb-4d63-865d-xxxxxxxxx
Here is the Harness link I am following for this setup
https://docs.harness.io/article/7idbmchsim-set-up-cost-visibility-for-azure
How can I resolve this issue?
To resolve the above issue ,You may refer the below workaround
Make sure that CCM has been enabled properly as shown in the given DOC.
After enabling CCM, it takes about 24 hours for the data to be
available for viewing and analysis.
Also make sure that you have the Application Administrator role assigned for your Azure AD and select the correct subscription where you need to create .
As you are using az ad sp create --id 0211763d-24fb-4d63-865d-xxxxxxxxx instead of that use below cmdlts to create Service principle .
az ad sp create --id 00000000-0000-0000-0000-000000000000
For more information please refer this Blogpost, & refer this SO THREAD for similar error.
Hi I'm trying to use the Azure CLI command logged in a service principal
az ad sp list
and I get the error message Insufficient privileges to complete the operation.
The service principal is owner of the subscription and has been assigned Delegated API Permission Directory.Read.All for both Microsoft Graph and Azure Active Directory Graph.
I have a similar setup on another Azure tenant where the same command will give me a list of SP's with the same API permissions. What's missing.
Apparently giving an SP the 'Owner' role is not enough. You have the give it the 'Directory Readers' role. This is not possible using the Azure CLI or Portal though. You have to use the Azure AD Graph API, easiest way to do this is using https://graphexplorer.azurewebsites.net/.
Now, the steps to add give the SP the Directory Readers role are a bit long to explain here, I found them here: https://lnx.azurewebsites.net/directory-roles-for-azure-ad-service-principal/
I would like to add an Azure app as member of the Azure Group. I am owner of the Group but when I click on Add-->Member , it only lists individual users and there is no option for adding an app:-
I am not trying to provide access to the SG so it can access the app (for that I will have to go to the specific app page) rather I am trying to make the app as the 'member' of an Azure group that I already own. But I just don't see an option for doing that.
If your group is an Office group, it does not support to add the service principal as a member(i.e. the MSI of your datafactory, which is essentially a service principal created by azure automatically in general, see this link).
If you want to add the service principal to the group, you need to use the Security group, see this link.
If your User type is member, but you are not able to create the Security group, the UsersPermissionToCreateGroupsEnabled setting should be set with false in your Azure AD tenant.
See To restrict the default permissions for member users:
For more details, refer to this link.
You need to run this command first from powershell to create the managed identity
Set-AzDataFactoryV2 -ResourceGroupName <resourceGroupName> -Name <dataFactoryName> -Location <region>
https://learn.microsoft.com/en-us/azure/data-factory/data-factory-service-identity
I have Azure Pipeline setup with Azure CLI task
I am using Service Connection. In az cli task I want to retrieve current Service Connection details (like appId name objectId etc..) which I am using to run this task.
az ad sp show required id parameter, which will not work in my case. I want to know that id dynamically
Is there any way to get current SP details?
You can now use a checkbox to expose the service principal id, secret and tenant in the Azure CLI script.
You can get your current session context with
az account show
and then simply get some extra details on the service principal
az ad sp show --id <guid>
and application
az ad app show --id <guid>
I found Service principle is in Azure Active Directory. And i cannot add them to azure devops service connection. What i can add is Azure subscription or azure resource group.
Not sure show how did you add your applications to azure service connection.
If you want to get the connection details. You can try az accout show for azure subscription, or az group show --name for azure resource group
Ran into this same issue, and found out the simplest possible way to get the SP Id in Azure Cli task in the pipeline:
First, define in the task addSpnToEnvironment like this:
- task: AzureCLI#2
continueOnError: true
inputs:
addSpnToEnvironment: true
scriptLocation: inlineScript
After that, you can get the SP Id from $env:servicePrincipalId and use it like this:
az deployment group create ... --parameters SPId=$env:servicePrincipalId
Combine with Adam Marczak's solution with python in one liner,
az ad sp show --id $(az account show| python -c 'import json,sys;print json.load(sys.stdin)["user"]["name"]')