I created a workflow that provisions O365 groups via an azure function app which runs powershell (based off this code on github). I noticed that the default site collection administrators are the owners of the created group. Most of the time i just want users to be able to invite more people to group but not create subsites etc..
For now I always have to change administrators manually. Is there any way to change the site collection administrators via powershell (or any other language) in an azure function?
I already tried to just execute Connect-SPOService and Set-SPOUser in the function but there is no such cmdlet in the context of the function.
Goal would be a to have some code/function to change site collection administrators via the microsoft graph api or some other means. Maybe it is possible to add the missing cmdlets where the function can access it?
To use PowerShell modules within an Azure Function, you'll need to upload your modules to your function app, either by bundling them with your deployment or using Kudu. The answers to this question from Francisco and myself could be helpful to you.
Related
I have created a Function App which hosts PowerShell scripts and its main purpose is to add new users to Azure AD.
I want to get this onto a Web App with a simple GUI such as; First Name, Sure name, and E-mail address and a submit button.
I want to know what the simplest way to achieve this would be? And if it is possible to do.
Thank you for your help!
You could use an Azure Static WebApp to host your form and then have it call the Azure Function to submit the form.
Azure statis webapp docs here:
https://learn.microsoft.com/en-us/azure/static-web-apps/getting-started?tabs=vanilla-javascript
Adding an API here:
https://learn.microsoft.com/en-us/azure/static-web-apps/add-api?tabs=vanilla-javascript
Granted this is all in javascript but the front end would need to be in html/js anyway.
Other alternatives are something like PowerShell Universal if you wanted everything to be in PowerShell.
https://ironmansoftware.com/powershell-universal
I've heard good things about it but never actually used it myself
Can someone confirm that changing a Work Item Type (WIT) definition is not possible in Azure Devops Online?
I have tried comparing On-premises vs Hosted here
Can someone confirm that changing a Work Item Type (WIT) definition is
not possible in Azure Devops Online?
We can't change the WIT in hosted templates like Basic,Agile...processes. But we can create inherited process from Basic,Agile... and change the WIT in them(inherited ones).
In Azure Devops Service(online), we can navigate to Process related settings in Organzation Settings=>Boards=>Process, there exists several hosted templates like Basic, Agile,Scrum...
If current organization is created in Service online, these WITs in those hosted processes can not be modified. See:
We need to right-click ... and choose create inherited process and the inherited process is something we can use to change WIT, see:
In addition: If your current organization is migrated from tfs's collection, you can change the WIT by modifying the xml.
I was going through the Powershell support to the Azure, and while looking into the cmdlets provided by Azure PowerShell i did not found any reference for the command by which i can create new directory under my subscription.
May be I am missing something.
Can anyone tell me the exact way to achieve this programmatically (using pwoershell)?
Thanks.
We do not expose the ability to create new directories via our REST APIs or PowerShell Module.
I believe this ability is only available through our Portals, in a non-automated fashion.
Can you go into more details about your scenario, where you would need to create multiple directories in an automated fashion?
I have two additional AD I have created in addition to the one which is associated to the subscription. I want to delete those but my attempt fails with the message "Directory has one or more applications that were added by a user or administrator"
I can see below two common application in both directories, where I don't see a delete button.
Office 365 management apis
Visual Studio Team Services
How can I delete this AD?
Thanks,
Shiju
I ran into the same issue. The only solution I was able to find was to step into PowerShell and get it done. You can find the steps in these two posts:
https://social.msdn.microsoft.com/Forums/en-US/afbfb7b3-92c9-4af6-9128-ba96795de5a6/not-able-to-delete-b2c-tenant
https://social.msdn.microsoft.com/Forums/en-US/e041555c-aa36-4369-bbb9-1f23ae317304/how-to-remove-active-directory-from-windows-azure
The main gist is that you need to have a global admin account which is a direct member of the directory. You can't use your Microsoft/subscription account even though it may have been granted global admin permissions. You then connect using these credentials in PowerShell, find the Service Principals (aka Applications) which exist, and remove them. You can then drop the Admin account for the directory and delete the directory itself.
I also wrote a blog page on how to delete an active directory tenant. I have updated the process to use the new portal and the newer AzureAD PowerShell cmdlets.
https://blog.nicholasrogoff.com/2017/01/20/how-to-delete-an-azure-active-directory-add-tenant/
Is it possible to create a user with permissions of both a local administrator and NETWORK SERVICE?
I've got a Sharepoint timer job which runs stsadm for which it needs local administrator permissions. On the other hand temer jobs are also used by other services which need NETWORK SERVICE permissions and those to sets of permissions only overlap, so I need a user with the "sum" of the permissions to run OWSTIMER under.
(I know that most of the operations you can perform with stsadm sharepoint administration API can be used, by in my case it is the operation which moves a site collection between content databases for which there seems to be no API equivalent).
I recommend always using domain accounts - SharePoint works best on servers connected to an Active Directory server. For production environments a best practice is using a least privilege account. I always create the following domain account dedicated to SharePoint services:
DOM\spservice
You do not need to grant any special privileges to this account as SharePoint will automatically do this for you when you specify the account during setup.
I can't help you with the user permissions (Lars hit the important points), but I wanted to share some information that may be of use.
You mentioned that you're trying to move site collections between content databases and haven't found an API the can be leveraged. Have you looked into SharePoint's Content Deployment API (also know as the PRIME API) to see if it can assist? The types of which I'm speaking are located in the Microsoft.SharePoint.Deployment namespace, and they provide you with mechanisms to export (via SPExport) site collections as CAB files and then import them (via SPImport).
SharePoint leverages types in this namespace for its own content deployment paths and jobs (in MOSS); it's also the API that is leveraged by the STSADM.EXE executable for export (STSADM.EXE -o export) and complementary import operations. For that matter, it's also used by SharePoint Designer for it's site "backup" and "restore" operations.
For an example of how this API can be leveraged, check out the SharePoint Content Deployment Wizard tool on CodePlex (http://www.codeplex.com/SPDeploymentWizard).
I hope this gives you a potential alternative to shelling out to a command line in your timer job!