I have created new Azure AAD Application with Multi-tenant enabled. But i Couldn't find App in another tenant ID. When i try to create a Service Principal of above App ID in another Tenant.It is failing with error "New-AzureRmADServicePrincipal : When using this permission, the backing application of the service principal being created must in the local tenant" . Has anyone experience such issue.
$StartDate = [DateTime]::UtcNow
$EndDate = [DateTime]::UtcNow.AddYears(3)
$secureString = convertto-securestring "XXXXXXXXX" -asplaintext -force
New-AzureRmADServicePrincipal -ApplicationId "XXXXXXXXXX" -Password $secureString -StartDate $StartDate -EndDate $EndDate
I fixed my question using following PS command
Connect-AzureAD -TenantId '<TargetTenant>'
New-AzureADServicePrincipal -AppId 'ThirdPartyAppID'
I couldn't reproduce this error. New-AzureRmADServicePrincipal -ApplicationId "XXXXXXXXXX" works fine for me to create the enterprise app in another tenant.
If you want to add the multi-tenant app into another tenant, there is another way. You can have a try with the admin consent.
I assume that your app is registered in tenant_x and want to add it into tenant_y.
You can redirect the user to the Microsoft identity platform admin consent endpoint.
GET https://login.microsoftonline.com/{tenant_y}/v2.0/adminconsent?
client_id={client id}
&state=12345
&redirect_uri={redirect_uri}
&scope=
https://graph.microsoft.com/calendars.read
https://graph.microsoft.com/mail.send
Access it in a broswer and log in with an admin account of tenant_y to do the admin consent. After that the app will be added into tenant_y.
Related
I am currently logging int Azure using
az login -u -p ""
The issue is that the email is MFA and a verification code is needed to be entered in.
This login process is used for CICD. Is there a way I can automate this process without having to enter the verification code
Thank you for your valuable suggestion and for directing in the right direction, #fmarz10.
Service principals with various forms of credentials, such as passwords, secret keys, and certificates, can be used to do this.
After adding the role you can automate login using
$azureAplicationId ="Your Azure AD Application Id"
$azureTenantId= "Your Tenant Id"
$azurePassword = ConvertTo-SecureString "strong password" -AsPlainText -Force
$psCred = New-Object >System.Management.Automation.PSCredential($azureAplicationId , $azurePassword)
Add-AzureRmAccount -Credential $psCred -TenantId $azureTenantId ->ServicePrincipal
REFERENCES
Azure Service Principals
Sign in with Azure PowerShell
Azure Provisioning - Without manual login
Using powershell commands i want to reset the Service Principal client secret.
I followed the below steps from the article https://learn.microsoft.com/en-us/powershell/azure/create-azure-service-principal-azureps?view=azps-5.8.0
but it didnot reset the password
Remove-AzADSpCredential -DisplayName ServicePrincipalName
$newCredential = New-AzADSpCredential -ServicePrincipalName ServicePrincipalName
can you tell what i am doing wrong. I just want to reset the secret and have new one
I executed the above command and then i went to the app registration of that service principal and there i went to certificates & secrets i see it has not createed new secret.
Using bash i am able to reset the password by executing the below command but i want it to be done using powershell command
az ad sp credential reset --name
I went to the app registration of that service principal and there I went to certificates & secrets I see it has not created new secret.
Well, actually the command New-AzADSpCredential did create a new secret for you.
Firstly, you need to know the relationship between App Registration(AD App) and Service principal, see Application and service principal objects in Azure Active Directory.
In short, the service principal is the local representation for the AD App in a specific tenant. When you create the secret for the service principal, it will not appear in the Certificates & secrets blade, you can just get it with Get-AzADSpCredential.
If you want to reset the secret that you can find in the portal, you need to reset the sceret for the AD App(i.e. App Registration) via Remove-AzADAppCredential and New-AzADAppCredential.
You could refer to the sample below, it resets a secret with value ce96a0ed-5ae8-4a5a-9b3c-630da9ea3023, it is valid for one year, you can find it in the portal.
$obj = (Get-AzADApplication -DisplayName joyappv2).ObjectId
Remove-AzADAppCredential -ObjectId $obj -Force
$azurePassword = ConvertTo-SecureString "ce96a0ed-5ae8-4a5a-9b3c-630da9ea3023" -AsPlainText -Force
$date = Get-Date
$newCredential = New-AzADAppCredential -ObjectId $obj -Password $azurePassword -StartDate $date -EndDate $date.AddYears(1)
Note: You could not get the secret value again after creating it, so please store it when creating.
Is there any option to sign-in to Azure portal using clientID, client Secret, Tenant ID and /or subscription ID? Most of the samples I saw are using AD or SAML
No, you can't.
If you get the sign in url of the azure portal, you will find it uses this flow to authorize.
https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize?
client_id=c44b4083-3bb0-49c1-b47d-974e53cbdf3c&
response_mode=form_post&
response_type=code+id_token&
scope=https%3a%2f%2fmanagement.core.windows.net%2f%2fuser_impersonation+openid+email+profile&
state=OpenIdConnect.AuthenticationProperties%3d5sSBWCgxO8uzYlVgeWTBnBpO_3udn25WSlg2P5mZjzotjbc0u3aiZfTvDwyVNboeIldUVKig-KNmc_LiG_a2LI4dySYHViQ1bEQgXUt1c7PbCQ4Nqg-VOu9nsnSwTZ4i15w_0XeNah_PvG8B0TgQI5D-AlN4lhNrwtjN8ATClowc38Ifdu7h8BweU3sGvxlvYxtBG3-VzwSty-jaDbz3CRTUFmm0jTTKOGPrHsGu3q6-R9pDKFqvZk50Cd6AstdLe4qpcTRxFlkb114JxGW0BzZKIy__sIbqkHm_WeMnaFBGuQaTcGv4e7EizLxbZUc_jpqopZRCw7sfv-eaxHrD_ZoaXzNtylfoVnfcrnK0cbvh1TopnOcY166ZFW4uQlFu73De9SPMKMVr53gaUJTfR_pdJBQ_hS51L4quMf_noP4x5szhQ314hxgwoJBnw7R_8vhBKF6jplZmhqf3Hrsp4nEyzjjbyocCoXF9qxJjLkY&
nonce=637188980051547113.OTZkOTdlYjctODJiNS00M2E1LWFjZWUtM2FlMTUyYmJmOTc0ZWUxOWQ1OTYtNTBhOC00ZTc0LWFmMGYtNDkwYTA3ODJkZmEx&
redirect_uri=https%3a%2f%2fportal.azure.com%2fsignin%2findex%2f%3ffeature.refreshtokenbinding%3dtrue%26feature.snivalidation%3dtrue%26feature.usemsallogin%3dtrue&site_id=501430&client-request-id=c171ca99-bd9c-4a38-aaa0-a9344d273131&x-client-SKU=ID_NET&x-client-ver=1.0.40306.1554
Actually the azure portal is an AD App registered in azure ad, so you need the user account to login.
If you want to use the service principal(i.e. the clientID you mentioned) to do operations on the azure resources, you could use the Azure powershell, CLI, REST API.
Samples:
1.Use the service principal to login Azure powershell
$passwd = ConvertTo-SecureString <use a secure password here> -AsPlainText -Force
$pscredential = New-Object System.Management.Automation.PSCredential('service principal name/id', $passwd)
Connect-AzAccount -ServicePrincipal -Credential $pscredential -Tenant $tenantId
2.Use the service principal to login Azure CLI
az login --service-principal -u http://azure-cli-2016-08-05-14-31-15 -p VerySecret --tenant contoso.onmicrosoft.com
3.Use the client credential flow to get the token, then use it to call the REST API, see this link.
I have a PowerShell script that logs into Azure subscription with the command Connect-AzAccount using user's credentials.
The code is the following:
$userPassword='password'
$userName="username"
$tenantId="########-####-####-####-############"
$subscriptionId="########-####-####-####-############"
$azureSecpassword = $userPassword | ConvertTo-SecureString -asPlainText -Force
$azureCredential = New-Object System.Management.Automation.PSCredential($userName, $azureSecpassword)
Connect-AzAccount -Credential $azureCredential -Tenant $tenantId -SubscriptionId $subscriptionId
The code above works without any user interaction.
Few days ago the customer enabled the multi-factor authentication for the users.
How can I keep a fully automated login process (without user interactions) with the multi-factor authentication?
Best Regards.
This is a common question. Unfortunately, the answer is No. If the account is MFA-enabled, you could just login with an interactive way.
In such a case, we choose to use the service principal to login with non-interactive in general.
$azureAplicationId ="Azure AD Application Id"
$azureTenantId= "Your Tenant Id"
$azurePassword = ConvertTo-SecureString "client secret" -AsPlainText -Force
$psCred = New-Object System.Management.Automation.PSCredential($azureAplicationId , $azurePassword)
Connect-AzAccount -Credential $psCred -TenantId $azureTenantId -ServicePrincipal
Reference - Sign in with a service principal.
If you must log in as a user, there might be 2 optional approaches.
1. If you will run the script locally or in a specific PC
You can Persist Azure user credentials. You can enable auto save, or manually save the context to a file, and then use it in another PS session.
If you enabled auto save, then you can directly get the context as following:
Get-AzContext
# If you have more than one contexts, you can choose one by specifing the name
Get-AzContext -Name 'CSP Azure (e5b0****-****-****-****-5e5f****4c68) - jack#h****a.onmicrosoft.com'
If you want to manually do it, here is the sample:
# Interactively log for one time
Connect-AzAccount
# Save the context
Save-AzContext -Path D:\ctx.dat
And in another PS session, you can:
Import-AzContext -Path D:\ctx.dat
2. Use refresh token to acquire token, and connect to Azure
You can get the refresh token from the auto saved Azure context (usually at C:\Users\<UserName>\.Azure\TokenCache.dat).
Open the dat file with notepad, and you will get the refresh token:
Then you can get a new token in PowerShell with that refresh token, and connect to Azure:
Clear-AzContext
$tenantId = "e4c9ab4e-****-****-****-230b****57fb"
$subscriptionId = "e5b0fcfa-****-****-****-5e5f****4c68"
$refreshToken = 'AQABAAAAAAAP0****a lot of characters here*****0A9FWoB8mvDtoWRJHBVO7GJzodLKYmNIAA'
$url = "https://login.microsoftonline.com/" + $tenantId + "/oauth2/token"
$body = "grant_type=refresh_token&refresh_token=" + $refreshToken
$response = Invoke-RestMethod $url -Method POST -Body $body
$AccessToken = $response.access_token
Connect-AzAccount -AccountId "the user id, jack#h****a.onmicrosoft.com" -AccessToken $AccessToken -Tenant $tenantId -SubscriptionId $subscriptionId
How can I keep a fully automated login process (without user interactions) with the multi-factor authentication?
You can't do this with a user account--that's the whole point of multi-factor authentication.
Instead, Azure AD supports authenticating with a service principal (instead of a user principal, like you're doing currently), and Azure supports granting access to Azure resources to service principals.
MFA requirements (and other conditional access policies) do not apply to service principals (often referred to as an Azure AD "app"), and service principals support more secure methods of authentication for automation scenarios (e.g. public/private key pairs).
So, what you should do:
Ensure the machine running this script is secure. Anyone with access to the machine has the same amount of access as the script.
Create an application identity and associate credentials with it.
Note: It is strongly recommend you use certificate-based authentication for your service principal, instead of password-based. It is a very insecure practice to have any kind of secret stored in a PowerShell script!
Grant the service principal the minimum level of access to Azure resources, to allow it to complete the required task.
Update your script to use the app's identity (service principal) instead of the user's identity. It's even simpler than using a user account:
$tenantId = "########-####-####-####-############"
$subscriptionId = "########-####-####-####-############"
$appId = "########-####-####-####-############"
$thumbprint= "##############"
Connect-AzAccount -ServicePrincipal -TenantId $tenantId -ApplicationId $appId -CertificateThumbprint $thumbprint
Note: If this script is running on a VM in Azure, you should forget step 2, and simply enable a managed identity and use that.
In an application, I'm currently using PowerShell and MSOnline module (Connect-MsolService and Get-MsolUser) to get a list of AD users. A global admin provides his username and password and the application is able to get a list of all users under that tenant.
That works fine... As long as the password is not an app password. When an app password is used then the following is what the global admin gets to see:
Authentication Error: Bad username or password
My question is: Is there any other method, which uses PowerShell, but doesn't have to, to get the list of users in AD, but which works with app password? I know of Graph API, but that's not a fit for the project right now.
If I understand you correctly, you want to use the AD App and its password(secret) to list the users.
You could use the Az powershell module to do that, login with the service principal and list users via Get-AzADUser. Also, make sure your AD App(service principal) has the admin role like User administrator or Global administrator.
$azureAplicationId ="<AD App Application id>"
$azureTenantId= "<tenant id>"
$azurePassword = ConvertTo-SecureString "<password>" -AsPlainText -Force
$psCred = New-Object System.Management.Automation.PSCredential($azureAplicationId , $azurePassword)
Connect-AzAccount -Credential $psCred -TenantId $azureTenantId -ServicePrincipal
Get-AzADUser
Update:
Currently, use app password of MFA enabled user to connect MSOL powershell is not supported, for more details see this link.
App passwords are NOT supported, simply use Connect-MsolService without any parameter to trigger the ADAL dialog and complete the 2FA challenge as normal.