Remove old proxyaddress entry for user in azure active directory

We have an application which uses Azure B2C and Azure Active Directory.
Problem: User A wants to set his specific email address. But this is not possible because User B already used this email address before. User B has a proxyAddresses entry for this email, although User B does not use the email address anymore.
We tried to remove the smtp entry in proxyAddresses for User B:
Azure Portal --> Values for ProxyAddresses are not editable
Windows PowerShell
Connect-AzureAD -TenantId <TenantID>
$User = Get-AzureADUser -ObjectId "<ObjectIDUserB>"
$User.ProxyAddresses  # Displays all proxyAddresses (smtp entries)
$User.ProxyAddresses.Remove("<smtpEntry>")  # Only changes the local copy of the object
Set-AzureADUser -ObjectId "<ObjectIDUserB>"  # But then there is no parameter for ProxyAddresses to update
Are we missing something here or is there another way to remove a proxyAddress entry for a user in Azure AD?

Not sure if AAD Powershell can make it. But there is a quick way to do this.
You can log into O365 admin center with an admin account.
Find the User B and click on it. After the user details open, click on Manage username and email.
Then you can click on "···" -> Delete alias to remove the smtp proxy address.

The ProxyAddresses attribute for an unlicensed cloud-only user is read only, unfortunately. There is a hacky workaround that will remove unwanted proxyAddresses for a cloud-only unlicensed user though. Those steps are:
Soft-delete the user with the bad proxyAddress. Example: user@domain.com
Create a dummy user dummy@tenant.onmicrosoft.com and update this dummy user's mail attribute with the SAME email that you want to remove from the user soft-deleted in step 1.
Using the MSOnline PowerShell module run the following cmds:
Connect-MsolService
Restore-MsolUser -UserPrincipalName user@domain.com -AutoReconcileProxyConflicts
Confirm from the Azure AD portal that the proxyAddress proxyaddresstoremove@domain.com has now been removed from the user@domain.com account. From the Azure AD portal, you may now delete dummy@tenant.onmicrosoft.com.
NOTE: This process is ONLY needed for an unlicensed cloud-only user. If the user is an M365 licensed user you can use the M365 admin portal to remove the alias as mentioned in another answer. If the user is a synchronized user from on-prem AD, then on-prem AD is the source of authority and you can update proxyAddress there and sync to AAD.

There is a very simple answer, I fought this for hours today. Simply run a PowerShell command to add the "smtp" address back to the account that you are showing it was on, then run a PowerShell command to remove it. We had never AD synced this account... only thing I can think of is when it was removed a while back from Exchange, it got hung up in Azure.
Add:
Set-Mailbox account@domain.com -EmailAddresses @{add="smtpaddress@domain.com"}
then Remove:
Set-Mailbox account@domain.com -EmailAddresses @{remove="smtpaddress@domain.com"}
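The add-then-remove workaround from this answer, written out as an added example (not the answer's own code) that refuses to touch the primary address and verifies the result; $mailbox and $alias are placeholders:

```powershell
# Added example, not the answer's own code. Clears a stale secondary smtp alias from
# an Exchange Online mailbox with the add-then-remove trick described above.
# Placeholder values: replace $mailbox and $alias with the real account and address.
Connect-ExchangeOnline

$mailbox = "account@domain.com"
$alias   = "smtp:smtpaddress@domain.com"      # lowercase "smtp:" marks a secondary address

$addresses = @((Get-Mailbox -Identity $mailbox).EmailAddresses)

# Never remove the primary address (uppercase "SMTP:" prefix); set a new primary first.
$primary = $alias -creplace '^smtp:', 'SMTP:'
if ($addresses -ccontains $primary) {
    throw "$primary is the primary SMTP address of $mailbox; change the primary first."
}

# If Exchange no longer lists the alias but Azure AD still shows it, add it back first
# so that the following remove is written through and clears the stale entry.
if ($addresses -notcontains $alias) {
    Set-Mailbox -Identity $mailbox -EmailAddresses @{add = $alias}
}
Set-Mailbox -Identity $mailbox -EmailAddresses @{remove = $alias}

# Verify: the alias must be gone from the mailbox before trusting the change
$after = @((Get-Mailbox -Identity $mailbox).EmailAddresses)
if ($after -contains $alias) { throw "Alias $alias is still present on $mailbox" }
Write-Host "Removed $alias from $mailbox"
```

Directory synchronization to Azure AD may lag a few minutes behind the mailbox change, so re-check the user's proxyAddresses after the next sync cycle.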

Related

Powershell: Can I add a role assignment without adding user to AAD?

I need to add external users to my subscription. Each user would get access to only one resource group, which is created for him.
From the portal, I can do it manually and it would recognize that the user is new and would get an email.
However, New-AzRoleAssignment gives me an error, saying that "The provided information does not map to an AD object id."
Does Powershell allow to 'force' invite a user or I need to New-AzureADMSInvitation first?
You need to invite the user to the AAD tenant first via the portal or New-AzureADMSInvitation as you mentioned first, New-AzRoleAssignment will not do that for you.

Capture Azure MFA enrollment event

I am looking to automate adding a user to an Azure AD group when he/she enrolls into MFA using the http://aka.ms/mfasetup wizard.
When: User enrolls into MFA
Action: Add user to Azure AD Security Group "0000_People_with_MFA"
I looked at Microsoft Power Automate but there does not appear to be any triggers from Azure AD. I can perhaps use a webhook or something to call a PowerShell script running on Azure Functions, but there needs to be some way of capturing this event.
Alternatively I can run something from Azure Functions to query AAD every 10 or 15 minutes to add users, but I do not know how to go about that approach either. In pseudo-code it would look something like this:
for (let user of query("SELECT userPrincipalName FROM users WHERE mfaEnabled = 1"))
addToAADGroup("0000_People_with_MFA", user)
Any ideas on how this can be accomplished?
You can use these PowerShell cmdlets to get a list of users with MFA enabled:
Install-Module MSOnline   # If the module is not installed already
Connect-MsolService   # Login with a Global Admin account
Get-MsolUser -All | select DisplayName,BlockCredential,UserPrincipalName,@{N="MFA Status"; E={ if( $_.StrongAuthenticationRequirements.State -ne $null){ $_.StrongAuthenticationRequirements.State} else { "Disabled"}}}   # Lists every user with their MFA status
Then you can use Add-AzureADGroupMember to add the users to the group. You can also add the users to a CSV file and bulk add them to a group. (See also.)
I would also recommend checking out the Graph API, where you can query a list of user registration details. https://learn.microsoft.com/en-us/graph/api/resources/credentialuserregistrationdetails?view=graph-rest-beta
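The polling approach from the question, combining the MSOnline query from this answer with Add-AzureADGroupMember, as an added example (not code from the question or the answer). It assumes the MSOnline and AzureAD modules are installed and uses the group name from the question:

```powershell
# Added example, not from the question or the answer above. Polls Azure AD for users
# with per-user MFA enabled or enforced and adds them to the target group, skipping
# users that are already members so that it can run on a schedule (e.g. Azure Functions).
# Assumes the MSOnline and AzureAD modules; the group name comes from the question.
Connect-MsolService
Connect-AzureAD

$groupName = "0000_People_with_MFA"
$group = Get-AzureADGroup -Filter "DisplayName eq '$groupName'"
if (-not $group) { throw "Group '$groupName' not found" }

# Snapshot current membership, keyed by object id, so repeated runs are idempotent
$existing = @{}
Get-AzureADGroupMember -ObjectId $group.ObjectId -All $true |
    ForEach-Object { $existing[$_.ObjectId] = $true }

# StrongAuthenticationRequirements only reflects per-user MFA (Enabled/Enforced).
# Users covered by Conditional Access alone show no state here; use the Graph
# credentialUserRegistrationDetails resource linked above for those.
$mfaUsers = Get-MsolUser -All | Where-Object {
    $_.StrongAuthenticationRequirements.State -in @("Enabled", "Enforced")
}

$added = 0
foreach ($u in $mfaUsers) {
    $id = $u.ObjectId.ToString()
    if ($existing.ContainsKey($id)) { continue }
    Add-AzureADGroupMember -ObjectId $group.ObjectId -RefObjectId $id
    Write-Host "Added $($u.UserPrincipalName) to $groupName"
    $added++
}
Write-Host "$added user(s) added; $($existing.Count) were already members"
```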

User deleted from User Information List after a change in AD was made

A user's password was changed in AD, and a user was also removed from the AD group that is connected to a SharePoint group that assigns permissions.
Somehow the user's account was deleted from the UserInformationList not long after. AD isn't supposed to delete users from the user information list, does anyone know how this could have happened?
I failed to reproduce your issue. When I changed the password and removed the account from the AD group which is connected to a SP group, the account still exists in the UserInformationList after a few hours. So the steps you mentioned do not necessarily lead to this result. Please retry with other accounts and share more details. In theory, even though an account is deleted from AD, it won't disappear from the UserInformationList.
You could use the following cmd in Powershell to fix the wrong data in UserInformationList.
$login= "TestUser"
$site= "http://yourdomain.contoso.com"
Set-SPUser -Identity $login -web $site -SyncFromAD

How to change user principal name on Azure AD

I'm trying to change the user principal name on my Azure AD user using a PowerShell command Set-MsolUserPrincipalName that I found in the Microsoft documentation here. This works fine and changes the user principal name, but it also changes the email property to the same value as well.
Example command:
Set-MsolUserPrincipalName -UserPrincipalName "davidc@contoso.com" -NewUserPrincipalName "davidchew@contoso.com"
Is there another way to change the user principal name without affecting the email of the user?
There is no way to change the user principal name without affecting the email of the user. The mail property is read-only, and the principal name should map to the user's email name.
It is now possible to change the user principal name in Azure AD without changing the email for the user and without changing the on-premises user principal name. It appears they are both managed separately now. At the time of my writing this, you can pull up the user in Azure AD and Edit the properties and go to the Identity tab where you will see user principal name and under the On-premises tab there is a separate non-editable user principal name which remains unaffected when making changes to the other.

Why as a co-administrator of a subscription am I unable to edit the Active Directory?

A customer made me a co-administrator of his Azure subscription. However, I am unable to edit his Active Directory, i.e., add/edit users, create applications, etc.
Why can't I access that? I'm thinking perhaps the Subscription is owned by the AD and not the other way around.
What do each of the role levels in AD allow? There's
Global Admin
Billing Admin
Service Admin
User Admin
Password Admin
I believe the primary reason for this error is because when a co-admin with a Microsoft account is added to a subscription, it gets added into the subscription AD as the Guest user type. In order for you to get access to that AD so that you can perform the operations on the AD, your user type needs to be changed to Member from Guest. I had the exact same issue with one of the users of our product and the steps described below solved the problem.
To change the user type, one would need to use AD PowerShell Cmdlets. The process is rather convoluted and needs to be done by your customer.
First, check with your customer if they themselves are using Microsoft Account for signing in into the portal. If they are, then they would need to create a user in their Azure AD. Please see this thread for why this is needed: PowerShell - Connecting to Azure Active Directory using Microsoft Account.
Next, they would need to sign in using this user account because one would need to change user password on the 1st login.
Install AD Modules. You may find these links useful for that purpose: https://msdn.microsoft.com/en-us/library/azure/jj151815.aspx#bkmk_installmodule, http://www.microsoft.com/en-us/download/details.aspx?id=41950 (Please choose 64 bit version) and http://go.microsoft.com/fwlink/p/?linkid=236297.
Launch PowerShell and execute the following commands:
$cred = Get-Credential #In the window that shows up, please specify the local AD user credentials.
connect-msolservice -Credential $cred
(Get-MsolUser -SearchString "your microsoft account email address").UserType #This should output "Guest". If it doesn’t, please stop and do not proceed further as there might be some other issue.
(Get-MsolUser -SearchString "your microsoft account email address") | Set-MsolUser -UserType Member
(Get-MsolUser -SearchString "your microsoft account email address").UserType #This should now output "Member"
If somehow the problem still persists, ask your customer to login into the portal, delete your user record from AD users list and add it again. That should also take care of this problem.
The answer was that I needed to be set up as a Global Administrator in the Azure AD domain.
Both answers above seem to be correct in their own way.
As a starter, being a subscription administrator does not automatically make you an Azure AD administrator. You'd need an explicit role grant on the target Azure AD.
The second aspect is the type of the account used. If it's in the current Azure AD or a Microsoft Live account, all is well.
In case that account is part of an external Azure AD, by default the user type is "Guest" (can log in, but cannot control even if assigned "Global admin"). Therefore the PowerShell commands highlighted above should be executed to change the user type to "Member".
Some more helpful info can be found here (it is mentioned as a Visual Studio Team Services issue, but actually applies to most Azure related services).
