I have an issue deleting an Azure Lock, at the resource group level. I am doing it from an Azure Runbook.
I authenticate fine (I am able to Get details of whatever I want). Here's the code for that:
# Ensures you do not inherit an AzureRMContext in your runbook
Disable-AzContextAutosave –Scope Process
"Logging in to Azure..."
$connection = Get-AutomationConnection -Name AzureRunAsConnection
Connect-AzAccount -ServicePrincipal -Tenant $connection.TenantID -ApplicationId $connection.ApplicationID -CertificateThumbprint $connection.CertificateThumbprint
And if I do, say, Get-AzResource -ResourceGroupName $RG, I get the info I need. But the problem is that I actually need to delete some resources of that resource group, and it has a lock.
When I Remove-AzResourceLock -LockId $getAzureLock.LockId -Force, I am thrown this:
Remove-AzResourceLock : AuthorizationFailed : The client XX with object id XX does not have authorization to perform action 'Microsoft.Authorization/locks/delete' over scope '/subscriptions/<redacted>/resourceGroups/<redacted>/providers/Microsoft.Authorization/locks/resourceDellock' or the scope is invalid. If access was recently granted, please refresh your credentials.
FYI, I've redacted the subscription/object id information.
For the life of me, I am not able to get around it. The application is added as a Contributor at the subscription level, from Access Control (IAM).
I have tried so many things, that I am just to tired to write down! I am sorry. The last 4 hours I've been reading and trying stuffs. So pardon me!
Please, help me get around this..
As per the documentation, only Owner and User Access Administrator built-in roles have the permission to delete a lock and not the Contributor role.
Deletes the management lock of a resource or any level below the
resource. To delete management locks, you must have access to
Microsoft.Authorization/* or Microsoft.Authorization/locks/* actions.
Of the built-in roles, only Owner and User Access Administrator are
granted those actions.
So your solution would be to either grant Owner/User Access Administrator role to your service principal or create a custom role and grant appropriate permissions on Microsoft.Authorization/* actions.
Related
we had an azure tenant.
we opened a new one, and passed our users to the new tenant and then added our users to the old tenants as guests.
Passing means that we deleted our users from the first tenant, then we migrated the domain to the new tenant and we created the users with the same properties in the new tenant.
since then every time we try to connect to azure using powershell with the commend Connect-azaccount -TenantId we get the following error:
Unable to acquire token for tenant '***' with error 'SharedTokenCacheCredential authentication unavailable. No account matching the specified username: *** tenantId: *** was found in the cache.'
does someone knows hoe to fix this?
thank you
we have tried every thing we found online.
we tries clear-azcontext, deleting the certificated from our machines, deleting powershell and reinstalling, etc...
Unable to acquire token for tenant xxx with error SharedTokenCacheCredential authentication unavailable. No account matching the specified username: xxx tenantId: xxx was found in the cache
The error usually occurs if the user is not present in the tenant you are trying to sign-in.
To check the error in detail, you can try debugging like below:
$DebugPreference = "Continue"
Connect-AzAccount -TenantID XXXX
Based on the debug details, you can check which Tenant is the user being connected to or any user details.
Try to connect with Subscription ID like below:
Connect-AzAccount -Subscription SubscriptionID -TenantId TenantID
Check if the user is having MFA enabled and try connecting with Global Admin account. And it might be the scenario where the account might be still cached in the local machine, so try if it works in another machine.
You can also make use of Device Authentication like below:
Connect-AzAccount -Tenant TenantID -UseDeviceAuthentication
Open the browser and enter the code:
Make sure to install the Az module like below:
Initially clear the cache and try to install by setting execution policy
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned
Install-Module Az
Import-Module Az
Update-Module -Name Az
Check whether the user account in the Tenant has required permissions to the subscription.
Try to select the Context in PowerShell:
Get-AzContext -ListAvailable
Select-AzContext -Name Name
Or you can set context to the SubscriptionID by including TenantID:
Set-AzContext -Subscription $subscription -Tenant $tenantId | Out-null
If still the issue persists, it might be some environment problem while migrating the domain.
For me the problem seemed to be related to using a "legacy" account (or whatever they're called). Making and using a new account seemed to resolve the issue for me.
I have a requirement of creating policy assignment from policy initiative and do remediation. I can create assignment using the below command.
$newRgAssignment = New-AzPolicyAssignment -Name $assigName -PolicySetDefinition $policySet -PolicyParameterObject $Params -AssignIdentity -Location 'westus' -scope $rgscope -DisplayName $assigName
In this I can create assignment successfully. while trying to remediation manually in I can see the below error message in azure portal .
The managed identity for this assignment does not have the appropriate permissions to remediate these resources. To add these permissions, go to the Edit Assignment page for this Policy and re-save it.
I tried creating a policy assignment by passing SystemAssigned identity type but ran into same problem.
I have left with only one option that is UserAssigned identity type. To pass this parameter we need to get the assigned user identity . To get the user identity I used the below commands
Set-AzContext -Subscription 'XYZ-123-ABC'
$UserAssignedIdentity = Get-AzUserAssignedIdentity
But no use.
Can any one help me on this issue. Any help can be appriciated.
Thank you.
TenantId 'xxxx-xxxx-xxxx-xxxx' contains more than one active
subscription. First one will be selected for further use. To select
another subscription, use Set-AzContext. This is not any error. Its a
warning. Get-AzUserAssignedIdentity command returning null.
We have tried with below cmd after installing module Az.ManagedSericeIdentity and can able to get the results.
Warning you might receive but after Set-AzContext -Subscription 'XYZ-123-ABC'
it will be logged into the correct subscription you wanted to.
After successfully login type $UserAssignedIdentity even if you have user role to that subscription.
For more information please refer the below links:-
MS DOC| Get-AzUserAssignedIdentity
SO THREAD .
I've written a powershell script that allows me to query azure for my azure ad policies like this:
Connect-AzureAD
$currentpolicy = Get-AzureADPolicy -All $true | ?{$_.Type -eq 'B2BManagementPolicy'} | select -First 1
$currentpolicy
$newPolicyValue = #("{`"B2BManagementPolicy`":{`"InvitationsAllowedAndBlockedDomainsPolicy`":{`"AllowedDomains`": [`"a.com`",`"b.org`",`"c.org`",`"d.com`"],`"BlockedDomains`": []}}}")
}
#update existing. This works. tested.
Set-AzureADPolicy -Definition $newPolicyValue -Id $currentpolicy.Id
This works because I'm signing in with an account that's got "owner" / global admin permissions. Now we wnat to try to figure out the specific permissions that are needed and just assign those to a new AD app registration.
I've created a service principal with a cert, and I changed my code like this:
Connect-AzureAD -TenantId $tid -ApplicationId $appid -CertificateThumbprint $thumb
$currentpolicy = Get-AzureADPolicy -All $true | ?{$_.Type -eq 'B2BManagementPolicy'} | select -First 1
$currentpolicy
I didn't add any specific permissions yet, and so when I run my script, I see the following error:
Get-AzureADPolicy : Error occurred while executing GetPolicies
Code: Authorization_RequestDenied
Message: Insufficient privileges to complete the operation.
InnerError:
RequestId: d88cd5d5-f8c9-4a4d-928b-986e0d5c25eb
DateTimeStamp: Thu, 16 Jun 2022 19:06:45 GMT
HttpStatusCode: Forbidden
HttpStatusDescription: Forbidden
HttpResponseStatus: Completed
At C:\Users\me\Documents\src\test\setPolicy.ps1:4 char:18
+ $currentpolicy = Get-AzureADPolicy -All $true | ?{$_.Type -eq 'B2BMan ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Get-AzureADPolicy], ApiException
+ FullyQualifiedErrorId : Microsoft.Open.MSGraphBeta.Client.ApiException,Microsoft.Open.MSGraphBeta.PowerShell.GetPolicy
Ideally, we want to use MS Graph permissions to do this. So i've been poking around in Azure, under the "API Permissions" for this application registration, but so far I haven't figured out which permission I need to add.
PS I know that the AzureADPreview and AzureAD is going away. But so far, it's the only way that I can automate these tasks. I have another stack question open about how to get this entire thing working via Graph
EDIT 1
I've tried the following permissions and none of them work so far...
EDIT 2
I've granted Policy.Read.All and now I can read the policies. Now it fails trying to update the existing policy.
It'd be nice to know specificially which read permission is needed so I don't have to grant all.
As far as write permissions, I've granted everything that comes up when I search for "policy" but none of them allow me to write!
EDIT 3
I've added the policy.readwrite.applicationconfiguration but that doesn't allow me to write. I'm still get the insufficient privleges error when I try to call Set-AzureADPolicy.
I don't know if you have found an answer, but as this is one of the first results that came up, I will add my findings.
I could get nowhere from giving specific permissions to the Service Principal but adding the Security Administrator role to the app did the trick. I didn't want to give the service principal so much access, but I tried a lot of roles and permission combinations, and none were sufficient.
Apparently, the documentation states that the least privileged role that is able to configure B2B external collaboration settings is the Global Administrator. Although for this case specifically, of changing the B2BManagementPolicy via PowerShell with a service principal, the Security Administration role was enough in my testing.
Looking at the actions that this role can perform I suspect it's because it has access to microsoft.directory/policies/basic/update, but I can't be sure.
Note: When adding a role to an App registration in Azure AD you need to search for its name when selecting the members, as they don't show by default.
Thanks for reaching out , with the help you read access , you will only able to get the data ,if you want to add or update you should have write permission as well , please add permission Policy.ReadWrite.ApplicationConfiguration and try again .
ref doc - https://learn.microsoft.com/en-us/graph/api/tenantappmanagementpolicy-update?view=graph-rest-beta&tabs=http
Edit 2
Update policy is available for PowerShell 2.0 preview
To update you need to use
Set-AzureADPolicy -ObjectId -DisplayName
To learn more about Set-AzureADPolicy, please checkout - https://learn.microsoft.com/en-us/powershell/module/azuread/set-azureadpolicy?view=azureadps-2.0-preview&viewFallbackFrom=azureadps-2.0
Thanks
when im trying to remove role assignment for a storage account using azure automation account
Remove-AzRoleAssignment -SignInName "john#example.com" -RoleDefinitionName "Storage File Data SMB Share Contributor" -Scope "/subscriptions/000-8888-7777/resourceGroups/$resourcegroup/providers/Microsoft.Storage/storageAccounts/$storageaccount"
using above command getting
Cannot find principle using specified options
Email you provide seem to be not correct SigninName.
If you have access to Azure Active Directory you may check User Principal Name for this user and try it instead. In case of my private subscription it did end with onmicrosoft.com. If you use User Principal Name you should get results you expect.
The error "Cannot find principle using specified options" usually occurs if you don't have the required privileges.
Make sure to run as an Administrator and login with Admin credentials to Azure AD.
I tried in my environment and got the same error when the role is missing with incorrect sign-in name like below:
Please check whether the role you are trying to remove is existing or not in the scope like below:
Get-AzRoleAssignment -SignInName "UPN" | FL DisplayName, RoleDefinationName, Scope
Ensure to give correct UPN (User Principal Name) of the user.
Make use of the above response to run the below command:
Remove-AzRoleAssignment -SignInName "UPN" -RoleDefinitionName "Storage File Data SMB Share Contributor" -Scope "Your_Scope"
Please recheck the scope you are providing.
I did see this q/a: Connect-AzAccount without prompt
But when I tried the accepted answer, I get the following error:
[6/12/2020 12:36:20 AM] ERROR: Connect-AzAccount : Username + Password authentication is not supported in PowerShell Core. Please use device code authentication for interactive log in, or Service Principal authentication for script log in.
So I went to example 3 of the Connect-AzAccount documentation which specifies the "Service Principal" authentication method, so I mix the two because the suggested vanilla Get-Credential triggers another interactive session. So here's the script now:
$User = "myemail#gmail.com"
$PWord = ConvertTo-SecureString -String "**********" -AsPlainText -Force
$tenant = "f*********************************"
$Credential = New-Object -TypeName "System.Management.Automation.PSCredential" -ArgumentList $User,$PWord
# $Credential = Get-Credential
Connect-AzAccount -Credential $Credential -Tenant $tenant -ServicePrincipal
which brings my next error: [6/12/2020 12:45:45 AM] ERROR: Connect-AzAccount : AADSTS700016: Application with identifier 'myemail' was not found in the directory 'f*********************************'. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You may have sent your authentication request to the wrong tenant.
I'm really confused at this point because all I have done at this point in Azure is:
Create a new Azure account
Provision an Azure API Management instance through the UI (which btw, takes like 20 minutes)
Try the above code to connect to Azure inside of a Powershell Azure Function locally.
I think something is wrong with the information I've provided or how I've configured something.
$User is the email I signed up to Azure with.
$PWord is my Azure password
$tenant is the first thing I saw when I opened Azure AD:
What's wrong with how I'm trying to connect to Azure through Powershell Core?
Based on Example 3, it asks for entering your application ID for the username and service principal secret as the password.
So you need to create a service principal at first. And then use its application ID and client secret as the credential.
$User = "{application id}"
$PWord = ConvertTo-SecureString -String "{client secret}" -AsPlainText -Force
I don't like Azure documentation. It gives off a very different vibe from GCP and feels much less beginner friendly.
With that said, they did have some kind of write-up that addresses my issue of creating a service principal and using it to authenticate.
I actually ended up just finding a video (and I never do this) because I wanted to skip past all the technical jargon and just create the darn service principal.
It's not even intuitive - it's like Microsoft could have added a button in AZ AD or IAM that said "Create Service Principal" but no, you have to go to a bunch of other pages that say nothing about service principals. You'll see:
In Azure Portal, navigate to the App Registrations page in Azure Active Directory. What an "app registration" has to do with a service principal, I couldn't tell you. I also couldn't tell you what a service principal is, but I'd imagine it has something to do with service accounts.
Make a New Registration and give it some sort of name to describe what the scope of this service principal will entail. Like normal service account naming conventions. I don't think the account type matters but I chose Multitenant. Redirect URL has nothing to do with service principals, and honestly makes it all the more confusing. I would never associate service accounts with any kind of redirect url, but here we are.
You're going to arrive at a page with Display Name (the name of the service principal you gave it in step 2), Application (client) ID (this is actually your service account username, which is imo non-intuitive), and Object ID (I have no idea what this is but I never needed to use it.
Guess what, you have only created 1/3 of your service account. It doesn't even have a password yet. Within your created app registration, there's a Certificates & Secrets page. On that page, you want to add a new client secret. For my description I just put my service principal "display name". I don't think that was necessary because this client secret is within the scope of the app registration, so even if I named it "poop" I could reasonably assume what it was for. Azure will generate a nuanced client secret and display it, but not warn you that this is the only time you will be able to see the key. Copy it. This is, in normal people talk, your service principal password.
For the last step, you need to get out of dodge, I mean Azure AD. Navigate to your Subscriptions page and click on your active subcription. For some reason IAM is here, so click on that. At this point, your service principal has a username and password, but no actual permissions - you have to configure that manually too. Click Add -> Add Role Assignment. For role, you should do your research but if it's not serious Contributor is probably a safe bet. It has read/write but it doesn't supersede Owner. Make sure you're assigning access to a service principal, and search for its display name. Save.
With all of that done, Connect-AzAccount finally worked.