How to select an Azure AD user account on an Azure AD joined device?
I've just run into this problem and solved it using these steps:
Create your task as normal in Task Scheduler. In security options select any local user.
Export the task into an xml file
Delete the task from Task Scheduler
Open cmd line and run whoami /user - if you want to run the task as a different user to the currently logged in one, you'll have to adjust this accordingly
Open the exported task xml file, modify the <Principals> section:
<Principals>
<Principal id="Author">
<UserId>PUT THE USER ID HERE</UserId>
...
Save the edited xml file. Import it into Task Scheduler
Task Scheduler will display AzureAD\Username even though you aren't able to choose AzureAD when selecting locations. See example image here
Open a CMD and type:
whoami
This wil show your azuread\username
Usually this is azuread\firstmiddellastname
That is the username that you are looking for.
You should use the azure ad account that you used to make the azure ad joined device. To find the azure ad user, you could open the Azure Portal, you could see all the user in the Azure Active Directory.
Related
I'm reviewing Azure Automation, but I couldn't find out if it is possible to run a PowerShell script whenever a new user is added to Active Directory? The scenario I'm researching is whenever a new Office365 account is added through admin.microsoft.com then I want to configure some email preferences for this user. I have my PowerShell script tested already (so these preferences should be set correctly), but now I'm trying to find out how exactly this script should be executed right after account is added.
Thanks,
You can inspect the Azure AD Audit logs for new user creation. You can export the Diagnostic Settings (logs) to Azure Monitor (see doc).
The following is an idea but I never tried it myself:
In Azure Monitor -> Logs you can find for example this query:
Modify it according to your needs and create an alert rule. In the alert rule, you can set up an action group that triggers your automation account with the PowerShell script.
After a successful build using a hosted VS2017 agent, I'm trying to deploy on-prem using an local hosted agent which was setup using a domain account which should have sufficient permissions as it is in the local admin group. As I was digging around on this issue elsewhere, one user re-installed their agent using NTATHORITY\SYSTEM and it worked.
I d'ont really need to create or stop\start the website, just deploy the recent build artifact.
What permissions should I check or should I use another task?
019-04-06T21:03:10.3898646Z ERROR ( message:Configuration error
2019-04-06T21:03:10.3899503Z
2019-04-06T21:03:10.3899791Z Filename: redirection.config
2019-04-06T21:03:10.3900026Z 2019-04-06T21:03:10.3900293Z Line
Number: 0 2019-04-06T21:03:10.3900530Z 2019-04-06T21:03:10.3900852Z
Description: Cannot read configuration file due to insufficient
permissions 2019-04-06T21:03:10.3901076Z 2019-04-06T21:03:10.3901333Z
. ) 2019-04-06T21:03:10.8135484Z ##[error]Process 'appcmd.exe' exited
with code '5'.
An agent is running under a user. The error means that your user doesn't have permissions to read/modify the redirection.config file that is necessary to manage IIS.
You have multiple options to solve this.
Change the user were the agent is running under. In example: NTATHORITY\SYSTEM
Give permissions to the user were your agent is running under to the folder C:\Windows\System32\inetsrv\config. If you want to create app pools or websites etc, modify permissions are of course needed.
When we install Azure agent as a service(In Windows, search for 'Services' and look for something like Azure Pipelines Agent..), by default it is logged on as 'Network Service'. Change it to 'Local System' and the pipeline should be able to run IIS related tasks/commands.
Trying to run Kubernetes on Azure, I'm stuck on ./azure-login.js -u <your_username>.
I'm getting the following:
[aii#localhost azure]$ ./azure-login.js -u aii#aii_domain.com
info: Executing command login
Password: ********
+ Authenticating...
error: Interactive login is required. Use 'azure login' to interactively login.
info: Error information has been recorded to /home/aii/.azure/azure.err
error: login command failed
More info:
[aii#localhost azure]$ azure --version
0.10.0 (node: 4.3.1)
BTW, my account is BizSpark Plus if it matter..
Add the following commands first:
azure account download
it will guide you to download .publishsettings file from browser which you should use for:
azure account import <downloaded file>
azure account set <"name of your subscription">
Azure login only works from a work or school id, which really means an AAD object (identity). If you have a Microsoft account, you can only "connect" with the azure account import command that takes a .publishsettings file that you have to download. (it's a cert file)
This is actually a feature of Azure, although I think we don't communicate well here. Turns out that everyone has a default Azure Active Directory domain that they get for free.
At a larger level, Azure has two management APIs:
1. Service management, which can be used with either work ids or Microsoft account ids, and
2. Resource management, which is the new stuff and can be used only with work or school ids, and that works only with the azure login functionality.
I'm trying to run a SharePoint Warm-up PowerShell script (spbestwarmup) from a Scheduled Task under/as a certain service account (also run when user is not logged on). This script tries to get elevated rights and outputs some logging to the Windows 'Application' Event Log.
I already tried everything mentioned in this SO answer here: How to run a PowerShell script from a batch file
The only way I got it to work was by pointing the scheduled task to a .bat file with the following content:
powershell -command "& 'D:\SPBestWarmUp.ps1' "
which triggers the PowerShell script file. AND I had to add the service account to the local built-in 'Administrators' user group on my SharePoint server.
This last action, adding the user to the 'Administrators' group isn't allowed in my customers IT infrastructure, because of security reasons. They use, rightfully off-course, the law of least privilege. So my question is:
What MINIMAL rights/privileges/policies etc. does a service account need in this case? So I don't need to assign local Administrator rights to it.
How to remove an orphaned Application in an Azure Directory?
I have a second (non-Default) directory that I was using to test the AD Connect app, and having finished with it, want to delete.
I have been able to remove the users both with the Management Portal and remove-msoluser, but am unable to delete the directory as it has one Application registered - "Office 365 Management APIs"
In the management console, this Application looks a little weird - there are no options to do anything on its dashboard and just checking, this Application is also installed in my Default Directory and looks the same - maybe it cannot be removed?
Have tried removing the App using the Remove-msolservice cmdlet, and tried the whole-hog approach as per Method 5 in https://support.microsoft.com/en-au/kb/2967860/en-us - seems to run through ok, but the Application is still listed, and when deleting the Directory I still get the error -
Directory has one or more applications that were added by a user or administrator
I had the same problem. When performed the steps below, I could delete the Azure Active Directory tenant:
Log in to Azure and create a new user with Global Admin permissions in the AAD you're trying to delete.
Open the Azure Active Directory Module for Windows PowerShell and execute the following:
Connect-MsolService (Log in with #onmicrosoft global admin account you created)
Get-MsolServicePrincipal | Remove-MsolServicePrincipal (This will generate errors but it's ok)
Log in to https://manage.windowsazure.com as the service admin
Delete already created #onmicrosoft.com Global Admin user
Delete the AAD now
You check the sites below as well:
http://blogs.msdn.com/b/dstfs/archive/2015/05/27/trouble-deleting-azure-active-directory-aad-due-to-quot-visual-studio-online-quot-item-in-aad-quot-applications-quot-list.aspx
or here:
https://www.opsgility.com/blog/deleting-azure-ad-applications
You must run the following cmdlets after running the remove cmdlets:
Get-MsolServicePrincipal | Set-MsolServicePrincipal -AccountEnabled $False
then delete the temporary global admin account (if any) and you should be able to delete the directory.
More information about this issue: https://support.microsoft.com/en-us/kb/3112170
This article helps me to delete Azure AD I created with old Windows Azure Portal (manage.windowsazure.com):
https://blogs.msdn.microsoft.com/ericgolpe/2015/04/30/walkthrough-of-deleting-an-azure-ad-tenant/
In a nutshell:
Create a new user under the AD you intend to delete.
User must have Global Admin role.
You will get temporary password for this user. Once login to Azure Portal with this user, you will need to create a permanent password.
Use this credential, you will remove Azure AD's applications using Azure AD PowerShell
Then, go back to Azure AD you intend to delete (using your credential, not the newly created user), delete the user you just created.
Only after doing all these will you be able to delete the Azure AD.