Confused regarding "guest" and "user" type in Azure .
Although i am given Global Admin role but my user type is Guest. So do i have right to execute powershell cmdlets . Because when i fire "Connect-AzureRmAccount" it shows only Account and Environment no azure subscription or id.
Connect-AzureRmAccount
Account : MyEmail
SubscriptionName :
SubscriptionId :
TenantId :
Environment : AzureCloud
I want to execute powershell cmdlets can i do it as guest . My company has csp account.
Yes, you can. Make sure your account has an RBAC role in the subscription, then use the command as below. If not, you need to add your account to the subscription firstly, ask the Owner of the subscription to navigate to the subscription in the portal > Access control (IAM) > Click Add > Add role assignment > add your account as a role(e.g. Owner, Contributor), more details see this link.
Connect-AzAccount -Tenant "<tenant id>" -Subscription "<subscription id>"
Note : In my sample I use the new Az command Connect-AzAccount, the old Connect-AzureRmAccount is also the same.
guest is user from other directory and user is user from same directory.
For example your ad domain is xyz.onmicrosoft.com then user1#onmicrsoft.com will be user and user2#anything.com will be guest user
Related
I cannot add Microsoft.Azure.Cdn service principal to Key Vault access policies.
I have run the following command in PowerShell.
New-AzureRmADServicePrincipal -ApplicationId "xxxxxx-xxxx-xxxx-xxxx-xxxxxxx"
I got the following result.
Secret: System.Security.SecureString
ServicePrincipalNames : {xxxxxx-xxxx-xxxx-xxxx-xxxxxxx,
https://microsoft.onmicrosoft.com/yyyyyyy-yyyy-yyyy-yyyy-yyyyyyyy}
ApplicationId: xxxxxx-xxxx-xxxx-xxxx-xxxxxxx
DisplayName: Microsoft.Azure.Cdn
Id: zzzzzzzz-zzzz-zzzz-zzzz-zzzzzzzzz
AdfsId:
Type: ServicePrincipal
Then I went to the Access Policies of the Key Vault to add the principal there but I can't find it in the list.
Update
When I try to add it I get this result.
But when I do the following that was suggested in a comment:
"First, navigate to the Azure Active Directory in the portal -> Enterprise applications -> filter with All applications -> search for the ApplicationId in your result, make sure the service principal is existing."
Then I get no result.
First, navigate to the Azure Active Directory in the portal -> Enterprise applications -> filter with All applications -> search for the ApplicationId in your result, make sure the service principal is existing.
In the Add access policy page, search for the Id in your result(i.e. the Object ID of the SP), it should work.
Or you could use Set-AzureRmKeyVaultAccessPolicy to add a service principal to the access policy, the -ObjectId is the Id in your result.
Sample:
Set-AzureRmKeyVaultAccessPolicy -VaultName 'Contoso03Vault' -ObjectId 34595082-9346-41b6-8d6b-295a2808b8db -PermissionsToSecrets Get,Set
Update:
Follow the steps as below.
Navigate to your keyvault in the portal -> copy the Directory ID and Subscription ID.
Login with Connect-AzureRmAccount -TenantId "<Directory ID>" -Subscription "<Subscription ID>", use the two properties above.
If you already logged in, just use Set-AzureRmContext -Tenant "<Directory ID>" -SubscriptionId "<Subscription ID>".
Then use the New-AzureRmADServicePrincipal -ApplicationId "xxxxxx-xxxx-xxxx-xxxx-xxxxxxx" to create the service principal, when you create it successfully, navigate to the access polices in your keyvault to try to add it again.
Another way to solve this problem is by using the Azure CLI.
First check you are working with the right subscription by following below steps:
Login to Azure
az login
Get a list of your subscriptions
az account list --output table
Set a subscription from the list to be the current active one
az account set --subscription "<SUBSCRIPTION_NAME>"
Now copy the Service Principal ID shown in the blue box when you enable the "Custom Domain HTTPS" option
Create the Service Principal using that id
az ad sp create --id "d4631ece-daab-479b-be77-ccb713491fc0"
Go to your "KeyVault/Access Policies" and Add a new Access Policy
Grant "Get" and "List" permissions for the "Secret" and Select the Principal recently created
Do not forget to save your changes
You are done! You can now enable your "Custom Domain HTTPS" option and use your KeyVault.
We need to assign the 'User Administrator' role to an already existing service principal to allow updating the password on the users of the b2c tenant.
Using the MSOnline module as described in
B2C Graph API - insufficient permissions even when Directory.ReadWrite.All is enabled
seems to be outdated and doesn't work for us (In powershell core / cloud powershell we only get errors about missing files or assemblies)
Is there a some new way to do that?
What we tried to do is to connect to azure using the right subscription and the b2c tenant set (it complains that the b2c tenant does not have a subscription but one can override that with a cmdline switch: az login --tenant B2C-TENANT-ID --allow-no-subscriptions).
We can see the service principal that is in the b2c tenant and we can get a list of roles (az role definition list --subscription SUBSCRIPTION-ID). But the 'User Administrator' role you can see in the 'Roles and administrators' panel of the Active Directory blade is not a part of these roles. The roles that are printed out are only the roles that are defined in the subscription itself.
Trying to assign the 'User Administrator' role (az role assignment create) yields an error that the role doesnt exist.
Ok so we found a solution - using powershell the following steps were required:
Install-Module AzureAD
Connect-AzureAD -TenantId TENANT-ID
Get-AzureADServicePrincipal -> look for Service principal ObjectId
Get-AzureADDirectoryRole -> look for Helpdesk Administrator
Add-AzureADDireectoryRoleMember -ObjectId ROLE-ID -RefObjectId SERVICE-PRINCIPAL-OID
I'm trying to create a Azure function to provisioning different kind of sites.
I've created a App in Azure AD and granted the app sharepoint and graph.
When connecting to the site I use a certificate but I'm unable to create new sites.
New-PnPTenantSite -Url $url -Title $LinkTitle -Description $description -Template "STS#0" -Owner $username -TimeZone 4 -Lcid 1044 -Force
error:
New-PnPTenantSite : The remote server returned an error: (401) Unauthorized
it returns site and lists if I use get-pnplist and get-pnpsite ..
Connect using this command:
Connect-PnPOnline -CertificatePath .\certkeyname.pfx -Tenant 'xxx.onmicrosoft.com' -ClientId 'xxxx-xxx-xx-xx-xxxxxxx' -Url 'https://xxx.sharepoint.com'
answer is in this post
Azure AD application with Global Administrator rights
You can elevate the level of access an Application has in your tenant by adding the service principal of that application to the Company Administrator Directory Role. This will give the Application the same level of permissions as the Company Administrator, who can do anything. You can follow these same instructions for any type of Directory Role depending on the level of access you want to give to this application.
Note that this will only affect the access your app has in your tenant.
Also you must already be a Company Administrator of the tenant to follow these instructions.
In order to make the change, you will need to install the Azure Active Directory PowerShell Module.
Once you have the module installed, authenticate to your tenant with your Administrator Account:
Connect-MSOLService
Then we need to get the Object ID of both the Service Principal we want to elevate, and the Company Administrator Role for your tenant.
Search for Service Principal by App ID GUID:
$sp = Get-MsolServicePrincipal -AppPrincipalId
Search for Directory Role by Name
$role = Get-MsolRole -RoleName "Company Administrator"
Now we can use the Add-MsolRoleMember command to add this role to the service principal.
Add-MsolRoleMember -RoleObjectId $role.ObjectId -RoleMemberType ServicePrincipal ->RoleMemberObjectId $sp.ObjectId
To check everything is working, lets get back all the members of the Company >Administrator role:
Get-MsolRoleMember -RoleObjectId $role.ObjectId
You should see your application in that list, where RoleMemberType is ServicePrincipal >and DisplayName is the name of your application.
Now your application should be able to perform any Graph API calls that the Company >Administrator could do, all without a user signed-in, using the Client Credential Flow.
I'm trying to do simple thing here - I want to grant Reader permissions for AppInsights resource in Azure Portal. So I created a security group called Devs. It has members in it (if that's important).
Now, I go to AppInsights resource => Access Control => Add, and look at this:
It can't find this group! Why is that?
Thanks to Azure Support, here's what happened - I log in to Azure Portal with an external user (user#outlook.com for example). Even though this user is a Global Admin he's not a Member of the tenant. So, either you log in with a user who's a member (#tenant.onmicrosoft.com) or you convert your user to be a Member (now, that requires you to log in as a Member admin). Here's the PowerShell script on how to convert:
Install-Module MSOnline
Connect-MsolService
Set-MsolUser -UserPrincipalName user_outlook.com#EXT##tenant.onmicrosoft.com -UserType Member
# just to check if you became a Member user
Get-MsolUser -UserPrincipalName user_outlook.com#EXT##tenant.onmicrosoft.com | select usertype
I have custom AAD and I added my company account to the AAD. I made the company account owner of the subscription and administrator of the AAD.
When I want to create new Team Project, the deployment fails with message:
VS850006: AAD guest users are not allowed to be account owners. Please
use a non-guest AAD user. AAD guest user sign-in address:
daniel.turan#accenture.com (Code: OrganizationBadRequestException)
It was working yesterday before I made myself AAD administrator. WTF?
You are probably a guest in the AAD that backs VSTS. By default AAD guests cannot search the AAD.
You could check your user type on Azure Portal.Azure Active Directory-->All Users--><your user>-->profile
f the UserType is GUEST, you can make this user a MEMBER by executing
Set-Msoluser -UserPrincipalName <your ID> -usertype member
More information about this please refer to this [blog]
Update:
If your account is a Microsoft account, you could use Azure AD Power Shell 2.0 to change user type.
Connect-Azuread -TenantID "****************"
Get-azureaduser -ObjectID "99f1721e-42ae-4056-9c14-30976aa1608b"|Set-AzureADUser -UserType "member"
(https://blogs.msdn.microsoft.com/dstfs/2015/12/23/issues-with-azure-active-directory-guest-users-in-aad-backed-visual-studio-team-services-accounts/).
I had the same issues and these were the powershell commands that helped:
Install-Module AzureAD
Install-Module MSOnline
Import-Module AzureAD
Import-Module MSOnline
$AzureAdCred = Get-Credential
Connect-AzureAD -Credential $AzureAdCred
Connect-MSolService -Credential $AzureAdCred
Set-MsolUser -ObjectId <your-account-id> -UserType Member
I could not connect immediately but after waiting for a few hours (8 in my case) connecting the account worked.
If you want to make sure that the object-id you are using is the correct user you want to alter you can use the following command:
Get-MsolUser -ObjectId <your-account-id>