Azure PowerShell: find which principal created or modified a given principal

I need to find which principal has modified or created a given principal.
We can have the list of modified principals using the Microsoft Graph Api:
https://graph.microsoft.com/beta/servicePrincipals/delta
I want to find the creator of this modification/creation for each modified principal
Thank you in advance for your help

Here is how you can get the information of the owner of a service principal:
# take the first service principal returned, just to have an object ID to query
$ServicePrincipalId = (Get-AzureADServicePrincipal -Top 1).ObjectId
# list the owners recorded on that service principal
Get-AzureADServicePrincipalOwner -ObjectId $ServicePrincipalId
The Get-AzureADServicePrincipalOwner cmdlet gets the owners of a service principal in Azure Active Directory (AD).
The result would be something like below:
Here is how you can get more details on this.
https://learn.microsoft.com/en-us/powershell/module/azuread/get-azureadserviceprincipalowner?view=azureadps-2.0
Hope it helps.
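Owners are a relationship you set on the object; the record of who actually created or changed a principal lives in the Entra ID audit log. The following is an added example (not code from the answer above): every directoryAudit record carries initiatedBy (a user or an app) and targetResources (the objects that were changed), so the initiator for each change to one object ID can be read straight off the records. It assumes the Microsoft.Graph.Reports module with AuditLog.Read.All for the live query; the JSON sample is constructed here in the directoryAudits response shape so the function can run offline. Note the audit log is retained for a limited time (30 days on P1/P2) unless exported.

```powershell
# Added example, not part of the original answer: resolve who created or changed
# a principal from Entra ID audit records.
#
# Live use (Microsoft.Graph.Reports; needs AuditLog.Read.All):
#   Connect-MgGraph -Scopes 'AuditLog.Read.All'
#   $records = Get-MgAuditLogDirectoryAudit -All `
#                -Filter "targetResources/any(t:t/id eq '$spObjectId')"
#   Get-PrincipalChangeInitiator -TargetObjectId $spObjectId -AuditRecords $records
# The SDK returns PascalCase properties; PowerShell member access is
# case-insensitive, so the same function works on raw JSON from the REST API.

function Get-PrincipalChangeInitiator {
    param(
        [Parameter(Mandatory)] [string]   $TargetObjectId,
        [Parameter(Mandatory)] [object[]] $AuditRecords
    )
    foreach ($r in $AuditRecords) {
        # keep only records in which the principal of interest was a target
        $targets = @($r.targetResources | Where-Object { $_.id -eq $TargetObjectId })
        if ($targets.Count -eq 0) { continue }

        # initiatedBy has a user branch or an app branch; the other one is null.
        # A change made by automation (another service principal) shows as app.
        $who = if ($r.initiatedBy.user) {
            'user:' + $r.initiatedBy.user.userPrincipalName
        } elseif ($r.initiatedBy.app) {
            'app:' + $r.initiatedBy.app.displayName + ' (' + $r.initiatedBy.app.servicePrincipalId + ')'
        } else {
            'unknown'
        }

        foreach ($t in $targets) {
            [pscustomobject]@{
                When      = [datetime]$r.activityDateTime
                Activity  = $r.activityDisplayName
                Result    = $r.result
                Initiator = $who
                Target    = $t.displayName
                # which attributes changed, e.g. KeyDescription when a credential was added
                Changed   = (@($t.modifiedProperties | ForEach-Object { $_.displayName }) -join ', ')
            }
        }
    }
}

# Constructed sample in the directoryAudits response shape (all values made up)
$sample = @'
{ "value": [
  { "activityDateTime": "2024-03-01T10:15:00Z",
    "activityDisplayName": "Add service principal",
    "result": "success",
    "initiatedBy": { "user": { "userPrincipalName": "alice@contoso.onmicrosoft.com" }, "app": null },
    "targetResources": [
      { "id": "11111111-1111-1111-1111-111111111111", "displayName": "build-bot",
        "type": "ServicePrincipal", "modifiedProperties": [] } ] },
  { "activityDateTime": "2024-03-02T08:00:00Z",
    "activityDisplayName": "Add service principal credentials",
    "result": "success",
    "initiatedBy": { "user": null,
                     "app": { "displayName": "Terraform", "servicePrincipalId": "22222222-2222-2222-2222-222222222222" } },
    "targetResources": [
      { "id": "11111111-1111-1111-1111-111111111111", "displayName": "build-bot",
        "type": "ServicePrincipal",
        "modifiedProperties": [ { "displayName": "KeyDescription", "oldValue": "[]", "newValue": "[\"key-2024-03\"]" } ] } ] },
  { "activityDateTime": "2024-03-02T09:00:00Z",
    "activityDisplayName": "Update service principal",
    "result": "success",
    "initiatedBy": { "user": { "userPrincipalName": "bob@contoso.onmicrosoft.com" }, "app": null },
    "targetResources": [
      { "id": "33333333-3333-3333-3333-333333333333", "displayName": "other-app",
        "type": "ServicePrincipal", "modifiedProperties": [] } ] }
] }
'@

$records = (ConvertFrom-Json $sample).value
# Only the two build-bot records come back: the first names the creator (alice),
# the second shows a credential added by the Terraform principal, not a human.
Get-PrincipalChangeInitiator -TargetObjectId '11111111-1111-1111-1111-111111111111' -AuditRecords $records |
    Format-Table -AutoSize
```

The delta query from the question tells you which principals changed; joining its object IDs against this function's output gives the initiator per change, and an app initiator rather than a user is the case worth a second look.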

Related

Remove Role assignment using powershell in azure

When I'm trying to remove a role assignment for a storage account using an Azure Automation account
Remove-AzRoleAssignment -SignInName "john@example.com" -RoleDefinitionName "Storage File Data SMB Share Contributor" -Scope "/subscriptions/000-8888-7777/resourceGroups/$resourcegroup/providers/Microsoft.Storage/storageAccounts/$storageaccount"
using the above command I'm getting
Cannot find principle using specified options
The email you provided does not seem to be a correct SignInName.
If you have access to Azure Active Directory you may check the User Principal Name for this user and try it instead. In the case of my private subscription it did end with onmicrosoft.com. If you use the User Principal Name you should get the results you expect.
The error "Cannot find principle using specified options" usually occurs if you don't have the required privileges.
Make sure to run as an Administrator and log in with admin credentials to Azure AD.
I tried in my environment and got the same error when the role is missing, with an incorrect sign-in name, like below:
Please check whether the role you are trying to remove is existing or not in the scope like below:
Get-AzRoleAssignment -SignInName "UPN" | FL DisplayName, RoleDefinitionName, Scope
Ensure to give correct UPN (User Principal Name) of the user.
Make use of the above response to run the below command:
Remove-AzRoleAssignment -SignInName "UPN" -RoleDefinitionName "Storage File Data SMB Share Contributor" -Scope "Your_Scope"
Please recheck the scope you are providing.
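As an added example (not code from either answer above): removing by the user's object ID instead of -SignInName. With -SignInName, Remove-AzRoleAssignment has to look the user up in the directory, which is what commonly fails when the name is not the real UPN or when the identity running the runbook is not allowed to read the directory; once you hold the object ID, the assignment can be checked and removed without that lookup. It assumes the Az.Resources module and an existing Az session (Connect-AzAccount -Identity in an Automation runbook); the subscription, resource group, storage account and UPN are placeholders.

```powershell
# Added example, not from the original answers: remove a storage role assignment
# by resolving the user once and then working with its object ID.

function Remove-StorageRoleAssignmentByUpn {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName,
        [Parameter(Mandatory)] [string] $RoleDefinitionName,
        [Parameter(Mandatory)] [string] $Scope
    )

    # 1. Resolve the principal by its real UPN. Guests look like
    #    name_domain.com#EXT#@tenant.onmicrosoft.com, not name@domain.com.
    $user = Get-AzADUser -UserPrincipalName $UserPrincipalName -ErrorAction SilentlyContinue
    if (-not $user) {
        # Fall back to a mail search so the caller sees what the directory actually holds
        $candidates = Get-AzADUser -Mail $UserPrincipalName -ErrorAction SilentlyContinue
        throw "No user with UPN '$UserPrincipalName'. Candidates by mail: $($candidates.UserPrincipalName -join ', ')"
    }

    # 2. Confirm the assignment exists at this exact scope before deleting.
    #    Assignments inherited from the resource group or subscription are listed
    #    here too, but can only be removed at the scope where they were created.
    $assignments = Get-AzRoleAssignment -ObjectId $user.Id -Scope $Scope |
        Where-Object { $_.RoleDefinitionName -eq $RoleDefinitionName }
    if (-not $assignments) {
        Write-Warning "No '$RoleDefinitionName' assignment for $($user.UserPrincipalName) at $Scope"
        return
    }
    foreach ($a in $assignments) {
        if ($a.Scope -ne $Scope) {
            Write-Warning "Assignment is inherited from $($a.Scope); remove it there, not at $Scope"
            continue
        }
        # 3. Remove by ObjectId; -WhatIf shows the action without performing it.
        if ($PSCmdlet.ShouldProcess("$($user.UserPrincipalName) at $Scope", "Remove role '$RoleDefinitionName'")) {
            Remove-AzRoleAssignment -ObjectId $user.Id -RoleDefinitionName $RoleDefinitionName -Scope $Scope
        }
    }
}

# Usage (placeholder subscription, resource group and storage account); drop -WhatIf to apply
$scope = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/$resourcegroup/providers/Microsoft.Storage/storageAccounts/$storageaccount"
Remove-StorageRoleAssignmentByUpn -UserPrincipalName 'john@example.onmicrosoft.com' `
    -RoleDefinitionName 'Storage File Data SMB Share Contributor' -Scope $scope -WhatIf
```

Run it once with -WhatIf from the runbook: if step 1 throws, the runbook identity cannot see the user (wrong UPN or no directory read); if step 2 warns, the assignment is not where the scope string says it is.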

How to resolve an Azure SQL principal name formatted as guid@guid to a readable user name?

I'm looking at some Azure SQL security alerts for a "login from a domain not seen in 60 days", however it's listed in the following format (not the actual identifier)
f96bd1cf-beb7-4e82-89cc-3d7e76f1cf3c@1ed9389a-f140-4cfd-9f02-c5a6a78c2770
How would I resolve this to an actual readable username?
thanks in advance
You can try the PowerShell cmdlets Get-AzureADObjectByObjectId and Get-AzureADUserCreatedObject -ObjectId to get the ObjectId details, as below:
In your case, f96bd1cf-beb7-4e82-89cc-3d7e76f1cf3c@1ed9389a-f140-4cfd-9f02-c5a6a78c2770: the first part is the ID and the second is the tenant.
Your Tenant ID should appear under Basic information.
Further, the Get-AzureADUserCreatedObject cmdlet gets objects created by a user in Azure Active Directory (AD).
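An added example (not code from the answer above) that splits the guid@guid form and resolves the left half with Microsoft Graph PowerShell, which replaces the retired AzureAD module. It assumes, as the answer does, that the right half is the tenant ID; for a service principal token Azure SQL normally reports the application (client) ID rather than the object ID, so the lookup tries appId first, then the object ID as a service principal, then as a user. Requires the Microsoft.Graph Applications and Users modules with Application.Read.All and User.Read.All.

```powershell
# Added example, not from the original answer: parse and resolve <guid>@<guid>.

function Split-SqlPrincipalName {
    param([Parameter(Mandatory)] [string] $PrincipalName)
    $guid  = '^[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}$'
    $parts = $PrincipalName -split '@', 2
    if ($parts.Count -ne 2 -or $parts[0] -notmatch $guid -or $parts[1] -notmatch $guid) {
        throw "'$PrincipalName' is not in <guid>@<guid> form"
    }
    [pscustomobject]@{ PrincipalId = $parts[0]; TenantId = $parts[1] }
}

function Resolve-SqlPrincipalName {
    param([Parameter(Mandatory)] [string] $PrincipalName)
    $p = Split-SqlPrincipalName $PrincipalName

    # A tenant ID other than ours means an identity from another tenant obtained a
    # token for this server; on a "domain not seen" alert that is the first check.
    $ownTenant = (Get-MgContext).TenantId
    if ($p.TenantId -ne $ownTenant) {
        Write-Warning "Tenant $($p.TenantId) is not the signed-in tenant $ownTenant; the ID cannot be resolved here"
    }

    # 1. application (client) ID of a service principal, the usual case for app logins
    $sp = Get-MgServicePrincipal -Filter "appId eq '$($p.PrincipalId)'" -ErrorAction SilentlyContinue
    if ($sp) {
        return [pscustomobject]@{ Kind = 'ServicePrincipal (by appId)'; Name = $sp.DisplayName; ObjectId = $sp.Id; Tenant = $p.TenantId }
    }
    # 2. object ID of a service principal
    try {
        $sp = Get-MgServicePrincipal -ServicePrincipalId $p.PrincipalId -ErrorAction Stop
        return [pscustomobject]@{ Kind = 'ServicePrincipal (by objectId)'; Name = $sp.DisplayName; ObjectId = $sp.Id; Tenant = $p.TenantId }
    } catch { }
    # 3. object ID of a user
    try {
        $u = Get-MgUser -UserId $p.PrincipalId -ErrorAction Stop
        return [pscustomobject]@{ Kind = 'User'; Name = $u.UserPrincipalName; ObjectId = $u.Id; Tenant = $p.TenantId }
    } catch { }
    [pscustomobject]@{ Kind = 'Unresolved'; Name = $null; ObjectId = $p.PrincipalId; Tenant = $p.TenantId }
}

# Offline part: parsing the placeholder identifier from the question
Split-SqlPrincipalName 'f96bd1cf-beb7-4e82-89cc-3d7e76f1cf3c@1ed9389a-f140-4cfd-9f02-c5a6a78c2770'
# Live part, after: Connect-MgGraph -Scopes 'Application.Read.All','User.Read.All'
# Resolve-SqlPrincipalName 'f96bd1cf-beb7-4e82-89cc-3d7e76f1cf3c@1ed9389a-f140-4cfd-9f02-c5a6a78c2770'
```

An Unresolved result with a foreign tenant ID is not a lookup failure to shrug off: it means a principal your tenant cannot see holds a login on the server.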

How to view Azure Service Principal Group Memberships in Azure AD?

I can't find a way to view all the group memberships of a service principal in Azure. I can of course see the service principal in the list of "Direct Members" from the perspective of the group.
For example:
myGroup123 has members -> Rob, John, and servicePrincipal9
If I look at "servicePrincipal9", I can't see that it is a member of "myGroup123"
Is there a way to find this info in the Portal? Via powershell? Via CLI?
Get the group membership of a group for a service principal
# the membership check takes a list of group IDs and returns those the SP is a member of
$Groups = New-Object Microsoft.Open.AzureAD.Model.GroupIdsForMembershipCheck
$Groups.GroupIds = (Get-AzureADGroup -Top 1).ObjectId
$SPId = (Get-AzureADServicePrincipal -Top 1).ObjectId
Select-AzureADGroupIdsServicePrincipalIsMemberOf -ObjectId $SPId -GroupIdsForMembershipCheck $Groups
OdataMetadata Value
------------- -----
https://graph.windows.net/85b5ff1e-0402-400c-9e3c-0f9e965325d1/$metadata#Collection(Edm.String) {093fc0e2-1d6e-4a1b-9bf8-effa0196f1f7}
Kindly go through the document and check if it helps.
Get the groups and directory roles that this servicePrincipal is a member of. This operation is transitive and will include all groups that this service principal is a nested member of from the following document
Get the groups and directory roles that this servicePrincipal is a direct member of. This operation is not transitive. Check this document
PowerShell approach via an MSFT support engineer:
Get-AzureADServicePrincipalMembership -ObjectId <String> [-All <Boolean>]
Documentation: https://learn.microsoft.com/en-us/powershell/module/azuread/get-azureadserviceprincipalmembership?view=azureadps-2.0
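An added example (not code from the answers above) that lists what a service principal is a member of, direct and transitive, using Microsoft Graph PowerShell, since the AzureAD module used above is retired. Nested-only memberships are the ones to look for: a role or access assigned to an outer group reaches the service principal without it ever appearing in that group's "Direct members" list. It assumes the Microsoft.Graph Applications module with Directory.Read.All for the live query; the sample input is constructed.

```powershell
# Added example, not from the original answers: direct vs transitive membership.

function Compare-SpMembership {
    param(
        [object[]] $Direct,      # objects with Id, Name, Type
        [object[]] $Transitive
    )
    $directIds = @($Direct | ForEach-Object { $_.Id })
    foreach ($m in $Transitive) {
        [pscustomobject]@{
            Type   = $m.Type
            Name   = $m.Name
            Id     = $m.Id
            Direct = $directIds -contains $m.Id   # $false => reached only through nesting
        }
    }
}

function Get-SpMembershipReport {
    param([Parameter(Mandatory)] [string] $ServicePrincipalId)
    # memberOf is direct only; transitiveMemberOf follows nested groups. Both return
    # directoryObjects, so the type and display name sit in AdditionalProperties.
    $toRow = {
        [pscustomobject]@{
            Id   = $_.Id
            Name = $_.AdditionalProperties['displayName']
            Type = ($_.AdditionalProperties['@odata.type'] -replace '^#microsoft\.graph\.', '')
        }
    }
    $direct     = Get-MgServicePrincipalMemberOf -ServicePrincipalId $ServicePrincipalId -All | ForEach-Object $toRow
    $transitive = Get-MgServicePrincipalTransitiveMemberOf -ServicePrincipalId $ServicePrincipalId -All | ForEach-Object $toRow
    Compare-SpMembership -Direct $direct -Transitive $transitive
}

# Constructed sample: servicePrincipal9 is a direct member of myGroup123, which is
# itself nested in a group that holds a directory role.
$direct = @(
    [pscustomobject]@{ Id = 'g-123'; Name = 'myGroup123'; Type = 'group' }
)
$transitive = @(
    [pscustomobject]@{ Id = 'g-123'; Name = 'myGroup123';         Type = 'group' },
    [pscustomobject]@{ Id = 'g-ops'; Name = 'all-automation';     Type = 'group' },
    [pscustomobject]@{ Id = 'r-usr'; Name = 'User Administrator'; Type = 'directoryRole' }
)
# Rows with Direct = $false are the ones the per-group portal view never shows.
Compare-SpMembership -Direct $direct -Transitive $transitive | Format-Table -AutoSize

# Live: Connect-MgGraph -Scopes 'Directory.Read.All'
#       Get-SpMembershipReport -ServicePrincipalId '<object id of the service principal>'
```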

Cannot delete user in Azure B2C using Graph API

We are attempting to delete a user within Azure B2C by using the Graph API, but have had no luck up to this point. Documentation here suggests that it is possible:
https://msdn.microsoft.com/Library/Azure/Ad/Graph/api/users-operations#DeleteUser
We currently have no issues when it comes to creating/updating users, but when attempting a delete operation we get the following error:
Authorization_RequestDenied - Insufficient privileges to complete the operation.
I'm aware there are limitations to using the Graph API with B2C, but the documentation out there suggests this should not be one of them.
If you want to have enough privileges to delete users, you need to assign the Company Administrator role to your service principal. You can refer to this document to do that.
Use AAD PowerShell to connect to AAD:
Connect-AzureAD
Get the Company Administrator role:
$role = Get-AzureADDirectoryRole | Where-Object {$_.displayName -eq 'Company Administrator'}
Assign the role to your SP:
# $yoursp is the service principal that calls the Graph API (placeholder object ID)
$yoursp = Get-AzureADServicePrincipal -ObjectId '<object id of your service principal>'
Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $yoursp.ObjectId
Try to get a new token and use it in the header to delete the user again. Here is my result:
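Company Administrator is the Global Administrator role, which is far more than a user-management app needs. As an added example (not code from the answer above), here are two smaller grants that let a service principal delete users through Microsoft Graph: the User.ReadWrite.All application permission, which Graph lists as the least-privileged application permission for deleting a user, and, if a directory role is preferred, User Administrator rather than Global Administrator. It assumes the Microsoft.Graph Applications and Identity.DirectoryManagement modules, an admin session with the scopes in the comment, and that $AppId is the client ID of the application calling Graph.

```powershell
# Added example, not from the original answer: least-privilege alternatives to
# assigning Company Administrator.
# Connect-MgGraph -Scopes 'Application.ReadWrite.All','AppRoleAssignment.ReadWrite.All','RoleManagement.ReadWrite.Directory'

function Grant-UserDeletePermission {
    param(
        [Parameter(Mandatory)] [string] $AppId,                 # client ID of your app
        [ValidateSet('AppPermission','DirectoryRole')] [string] $Mode = 'AppPermission'
    )
    $sp = Get-MgServicePrincipal -Filter "appId eq '$AppId'"
    if (-not $sp) { throw "No service principal for appId $AppId in this tenant" }

    if ($Mode -eq 'AppPermission') {
        # Microsoft Graph's own service principal has the well-known appId below;
        # its AppRoles are the application permissions that can be assigned.
        $graph = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
        $role  = $graph.AppRoles |
            Where-Object { $_.Value -eq 'User.ReadWrite.All' -and $_.AllowedMemberTypes -contains 'Application' }
        $existing = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id |
            Where-Object { $_.AppRoleId -eq $role.Id -and $_.ResourceId -eq $graph.Id }
        if ($existing) { return $existing }
        # Creating this assignment is the admin consent; no portal click is needed.
        return New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id `
            -PrincipalId $sp.Id -ResourceId $graph.Id -AppRoleId $role.Id
    }

    # Directory-role path: User Administrator can delete users who are not admins.
    # A role that has never been used must first be activated from its template.
    $tmpl    = Get-MgDirectoryRoleTemplate | Where-Object { $_.DisplayName -eq 'User Administrator' }
    $dirRole = Get-MgDirectoryRole -Filter "roleTemplateId eq '$($tmpl.Id)'"
    if (-not $dirRole) { $dirRole = New-MgDirectoryRole -RoleTemplateId $tmpl.Id }
    $members = Get-MgDirectoryRoleMember -DirectoryRoleId $dirRole.Id
    if ($members.Id -contains $sp.Id) { return $dirRole }
    New-MgDirectoryRoleMemberByRef -DirectoryRoleId $dirRole.Id `
        -BodyParameter @{ '@odata.id' = "https://graph.microsoft.com/v1.0/directoryObjects/$($sp.Id)" }
    return $dirRole
}

# Grant-UserDeletePermission -AppId '<client id of your app>'
# Grant-UserDeletePermission -AppId '<client id of your app>' -Mode DirectoryRole
```

Either way a fresh token is needed afterwards, exactly as the answer says, because the grant is evaluated when the token is issued.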

Azure AD - no groups listed when setting Access Control in the portal

I'm trying to do simple thing here - I want to grant Reader permissions for AppInsights resource in Azure Portal. So I created a security group called Devs. It has members in it (if that's important).
Now, I go to AppInsights resource => Access Control => Add, and look at this:
It can't find this group! Why is that?
Thanks to Azure Support, here's what happened - I log in to Azure Portal with an external user (user@outlook.com for example). Even though this user is a Global Admin he's not a Member of the tenant. So, either you log in with a user who's a member (@tenant.onmicrosoft.com) or you convert your user to be a Member (now, that requires you to log in as a Member admin). Here's the PowerShell script on how to convert:
Install-Module MSOnline
Connect-MsolService
# the guest's UPN has the #EXT# form; quote it so the '#' characters are not read as a comment
Set-MsolUser -UserPrincipalName 'user_outlook.com#EXT#@tenant.onmicrosoft.com' -UserType Member
# just to check if you became a Member user
Get-MsolUser -UserPrincipalName 'user_outlook.com#EXT#@tenant.onmicrosoft.com' | select usertype