Creating AAD user in API Management using ARM also creates Basic - azure

When adding/updating an AAD user with an ARM template/Resource Explorer, why does a Basic user also get created?
This is the payload:
{
    "apiVersion": "2017-03-01",
    "type": "users",
    "name": "user1",
    "properties": {
        "firstName": "FirstName",
        "lastName": "LastName",
        "email": "[parameters('user1Email')]",
        "state": "active",
        "identities": [
            {
                "provider": "Aad",
                "id": "[parameters('user1UserId')]"
            }
        ]
    }
}
As you can see, I do not include the
{
    "provider": "Basic",
    "id": "basic.userg@basic.com"
}
I don't want to create Basic Auth, I only want Azure AD.
When creating an AD user from the developer portal we don't get this behaviour, but with ARM it also creates Basic.

The only way I see at the moment is to do a second PATCH (!) request with same payload but no Basic identity.
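A post-deployment check for the behaviour described above, added here as an example (it is not code from the question). It assumes the user resource read back from the API Management management API has the same shape as the ARM payload, with properties.identities as a list of {"provider", "id"} objects; the sample user is constructed.

```python
"""Detect an unintended Basic identity on an APIM user and build the
PATCH body the workaround describes (same properties, Basic removed).
Assumption: the user read back from the APIM REST API uses the same
properties.identities shape as the ARM payload."""
import copy

# Constructed sample: what the question reports after the ARM deployment,
# the intended "Aad" identity plus an unwanted "Basic" one.
DEPLOYED_USER = {
    "name": "user1",
    "properties": {
        "firstName": "FirstName",
        "lastName": "LastName",
        "email": "user1@example.com",
        "state": "active",
        "identities": [
            {"provider": "Aad", "id": "00000000-0000-0000-0000-000000000001"},
            {"provider": "Basic", "id": "user1@example.com"},
        ],
    },
}


def unexpected_identities(user, allowed=frozenset({"Aad"})):
    """Return the identities whose provider is not in the allowed set."""
    ids = user.get("properties", {}).get("identities", [])
    return [i for i in ids if i.get("provider") not in allowed]


def patch_body_without(user, providers=frozenset({"Basic"})):
    """Build the PATCH body: the user's properties with the unwanted
    identity providers stripped, leaving everything else untouched."""
    props = copy.deepcopy(user["properties"])
    props["identities"] = [
        i for i in props.get("identities", [])
        if i.get("provider") not in providers
    ]
    return {"properties": props}


if __name__ == "__main__":
    extra = unexpected_identities(DEPLOYED_USER)
    if extra:
        print("unexpected identities:", extra)
        print("PATCH body:", patch_body_without(DEPLOYED_USER))
```

Run the check after every deployment so a Basic credential that slipped in is found and removed rather than left alongside the intended Azure AD sign-in.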

Related

Why does the Microsoft Graph API's invite endpoint only return share link URLs for certain email addresses?

When I make requests to the Microsoft Graph API's invite endpoint to create secure (email-based) sharing links for a specific collection of emails that are external to our organization, the response does not contain the requested sharing link for certain email addresses. When I look at the SharePoint site UI to see how the permissions are listed for the item, the email address with issue (RealEmail) shows up differently from the one that does return a sharing link through the API (TestEmail). Both RealEmail and TestEmail are marked as external users, but it seems that the RealEmail external user is recognized as an actual external or guest user account, rather than just being an email unknown to SharePoint, like TestEmail.
Here's the request I made on Microsoft Graph Explorer:
POST https://graph.microsoft.com/v1.0/sites/{site-id}/drives/{drive-id}/items/{item-id}/invite
{
    "requireSignIn": true,
    "sendInvitation": false,
    "roles": [
        "read"
    ],
    "recipients": [
        {
            "email": "RealEmail@example.com"
        },
        {
            "email": "TestEmail@example.com"
        }
    ]
}
And this was the response (with real data removed):
{
    "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#Collection(permission)",
    "value": [
        {
            "@odata.type": "#microsoft.graph.permission",
            "id": "removed",
            "roles": [
                "read"
            ],
            "grantedTo": {
                "user": {
                    "email": "RealEmail@example.com",
                    "id": "removed",
                    "displayName": "RealFirstName RealLastName"
                }
            }
        },
        {
            "@odata.type": "#microsoft.graph.permission",
            "roles": [
                "read"
            ],
            "grantedToIdentities": [
                {
                    "user": {
                        "email": "TestEmail@example.com"
                    }
                }
            ],
            "invitation": {
                "signInRequired": true
            },
            "link": {
                "type": "view",
                "webUrl": "removed"
            }
        }
    ]
}
This is what the Manage Access UI looks like (with real data removed)

Possibility to manage user PermissionSets

I can't see any docs about this, only for User and Groups.
The target app has Users with PermissionSets which grant permissions (obviously), with a schema like this:
{
    "schemas": [
        "urn:ietf:params:scim:schemas:core:2.0:User"
    ],
    "id": "5ac6643a62513c08d6c21516",
    "userName": "foo.bar@myapp.com",
    "name": {
        "givenName": "Foo",
        "familyName": "Bar"
    },
    "emails": [
        {
            "primary": true,
            "type": "work",
            "value": "foo.bar@myapp.com"
        }
    ],
    "UserType": "user",
    "PermissionSets": [
        "5aff2aa36c3b5ea72975db35"
    ],
    "active": false,
    "meta": {
        "resourceType": "User"
    }
}
I want to grant them using a Multi-Value list Parameter with rules. Does it mean I need a /PermissionSets API endpoint which PUTs and GETs the PermissionSet to the user? Because I can't see any PermissionSet when I try to set up the parameter.
Many thanks in advance.

Why do different update results occur for equally synchronized users?

I have Azure AD users that are synced from my on-premises AD.
When I updated the users' properties (such as displayName, department, and so on), some users were updated successfully, but some users failed to update.
In Azure AD, the audit logs of a user whose update succeeded and a user whose update failed are as follows.
////////////////// update success user
{
    "id": "Directory_xxxxxxx_112926480",
    "category": "UserManagement",
    "correlationId": "xxxxx",
    "result": "success",
    "resultReason": "",
    "activityDisplayName": "Update user",
    "activityDateTime": "2022-02-07T07:03:44.6467812Z",
    "loggedByService": "Core Directory",
    "operationType": "Update",
    "initiatedBy": {
        "user": null,
        "app": {
            "appId": null,
            "displayName": "xxxx",
            "servicePrincipalId": "xxxx",
            "servicePrincipalName": null
        }
    },
    "targetResources": [
        {
            "id": "xxxx",
            "displayName": null,
            "type": "User",
            "userPrincipalName": "xxxx@xxxx",
            "groupType": null,
            "modifiedProperties": [
                {
                    "displayName": "Included Updated Properties",
                    "oldValue": null,
                    "newValue": "\"\""
                },
                {
                    "displayName": "TargetId.UserType",
                    "oldValue": null,
                    "newValue": "\"Member\""
                }
            ]
        }
    ],
    "additionalDetails": [
        {
            "key": "UserType",
            "value": "Member"
        },
        {
            "key": "User-Agent",
            "value": "Apache CXF 3.2.14"
        }
    ]
},
////////////////// update fail user
{
    "id": "Directory_xxxx_118537500",
    "category": "UserManagement",
    "correlationId": "xxxx",
    "result": "failure",
    "resultReason": "Microsoft.Online.Workflows.PropertyUpdateNotAllowedException",
    "activityDisplayName": "Update user",
    "activityDateTime": "2022-02-07T07:03:04.9716261Z",
    "loggedByService": "Core Directory",
    "operationType": "Update",
    "initiatedBy": {
        "user": null,
        "app": {
            "appId": null,
            "displayName": "xxxx",
            "servicePrincipalId": "xxxx",
            "servicePrincipalName": null
        }
    },
    "targetResources": [
        {
            "id": "xxxx",
            "displayName": null,
            "type": "User",
            "userPrincipalName": "xxxx@xxx",
            "groupType": null,
            "modifiedProperties": [
                {
                    "displayName": "MethodExecutionResult.",
                    "oldValue": null,
                    "newValue": "\"Microsoft.Online.Workflows.PropertyUpdateNotAllowedException\""
                },
                {
                    "displayName": "TargetId.UserType",
                    "oldValue": null,
                    "newValue": "\"Member\""
                }
            ]
        }
    ],
    "additionalDetails": [
        {
            "key": "UserType",
            "value": "Member"
        },
        {
            "key": "User-Agent",
            "value": "Apache CXF 3.2.14"
        }
    ]
},
Could you tell why the results are so different?
Any help would be appreciated.
Some user details fail to update because of the error:
Microsoft.Online.Workflows.PropertyUpdateNotAllowedException
The above error usually occurs for many reasons, like:
There may be some attributes that violate formatting requirements, which restrict the characters and character length of attribute values.
The attributes that require unique values may have duplicate attribute values in an existing user account (on-prem AD).
Maybe the user principal name (UPN) was changed after the initial synchronization and must be updated manually.
Some attributes may match exclusion rules for directory synchronization.
The domain value that's used by AD DS attributes hasn't been verified.
To resolve this error, please check whether the workarounds below are helpful:
Use the IdFix DirSync Error Remediation Tool to check for duplicates, missing attributes, and rule violations.
Update AD DS attributes to remove duplicates, rule violations, and scoping exclusions.
Make sure the user properties don't contain accent characters and that the sizes of displayName, department, etc. are under the maximum limits.
For more details, go through the references below.
References:
One or more objects don't sync when the Azure Active Directory Sync tool is used - Active Directory | Microsoft Docs
Troubleshoot directory synchronization errors with event 6941 - Office 365 | Microsoft Docs
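A triage step that sits before the IdFix and attribute clean-up the answer recommends, added here as an example (not code from the question or the answer): it takes exported audit log entries shaped like the two above and lists which users failed, with the failure reason, the initiating service principal and the User-Agent, so the affected on-prem accounts can be reviewed first. The entries are constructed from the records in the question, trimmed to the fields used; the "xxxx" placeholders and the UPNs are constructed.

```python
"""Group failed 'Update user' audit entries by resultReason.
Entries are constructed from the question's two records (trimmed)."""
from collections import defaultdict

AUDIT_LOGS = [
    {
        "id": "Directory_xxxx_112926480",
        "category": "UserManagement",
        "result": "success",
        "resultReason": "",
        "activityDisplayName": "Update user",
        "initiatedBy": {"user": None, "app": {"displayName": "xxxx", "servicePrincipalId": "xxxx"}},
        "targetResources": [{"type": "User", "userPrincipalName": "ok.user@example.com"}],
        "additionalDetails": [{"key": "UserType", "value": "Member"},
                              {"key": "User-Agent", "value": "Apache CXF 3.2.14"}],
    },
    {
        "id": "Directory_xxxx_118537500",
        "category": "UserManagement",
        "result": "failure",
        "resultReason": "Microsoft.Online.Workflows.PropertyUpdateNotAllowedException",
        "activityDisplayName": "Update user",
        "initiatedBy": {"user": None, "app": {"displayName": "xxxx", "servicePrincipalId": "xxxx"}},
        "targetResources": [{"type": "User", "userPrincipalName": "failed.user@example.com"}],
        "additionalDetails": [{"key": "UserType", "value": "Member"},
                              {"key": "User-Agent", "value": "Apache CXF 3.2.14"}],
    },
]


def failed_updates(entries, activity="Update user"):
    """Map resultReason -> list of (target UPN, initiator, User-Agent)
    for every failed entry of the given activity."""
    grouped = defaultdict(list)
    for e in entries:
        if e.get("activityDisplayName") != activity or e.get("result") != "failure":
            continue
        details = {d["key"]: d["value"] for d in e.get("additionalDetails", [])}
        by = e.get("initiatedBy") or {}
        app, user = by.get("app") or {}, by.get("user") or {}
        # Sync runs are initiated by a service principal; interactive edits by a user.
        initiator = app.get("servicePrincipalId") or user.get("userPrincipalName") or "unknown"
        for t in e.get("targetResources", []):
            if t.get("type") == "User":
                grouped[e.get("resultReason") or "unspecified"].append(
                    (t.get("userPrincipalName"), initiator, details.get("User-Agent")))
    return dict(grouped)
```

Feeding the full export in gives, per failure reason, the exact UPNs to run through IdFix instead of re-checking every synced account.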

How can I link Azure insights/actionGroups to AutomationRunBook

I've been going around in circles for a few days. I would like to link, via ARM template, my resource "microsoft.insights/actionGroups" to a resource "Microsoft.Automation/automationAccounts/webhooks".
The webhook and the action group are both created via ARM template. The problem is that when creating the webhook, nothing keeps the URI produced by ARM. Then, in my resource group, the "automationRunbookReceivers" property requires the "serviceUri" parameter, which is mandatory. If I refer to my webhook via the resource, the URI I get is empty ...
resourceId('Microsoft.Automation/automationAccounts/webhooks', parameters('AzureAutomationName'), 'RunBookName')
How could I automate this process?
These are the templates I've used to generate my resources:
{
    "name": "[concat(variables('automationAccountName'), '/WebHookName')]",
    "type": "Microsoft.Automation/automationAccounts/webhooks",
    "apiVersion": "2015-10-31",
    "dependsOn": [
        "[concat('Microsoft.Automation/automationAccounts/', variables('automationAccountName'), '/runbooks/', 'RunBookName')]"
    ],
    "properties": {
        "isEnabled": "true",
        "expiryTime": "2026-11-20",
        "runbook": {
            "name": "RunBookName"
        }
    }
},
{
    "name": "[variables('ActionGroupName')]",
    "type": "microsoft.insights/actionGroups",
    "apiVersion": "2019-06-01",
    "location": "Global",
    "tags": {
        "displayName": "ActionGroupName"
    },
    "properties": {
        "groupShortName": "[variables('ActionGroupShortName')]",
        "enabled": true,
        "automationRunbookReceivers": [
            {
                "name": "MyRunBookReceiver",
                "automationAccountId": "[resourceId('microsoft.insights/components', parameters('AzureTelemetryName'))]",
                "runbookName": "RunBookName",
                "webhookResourceId": "[resourceId('Microsoft.Automation/automationAccounts/webhooks', parameters('AzureAutomationName'), 'WebHookName')]",
                "isGlobalRunbook": false,
                "serviceUri": "listCallbackURL? resourceId? reference? other? ?????????"
            }
        ]
    }
}
I desperately need help!
Thank you!
[reference(resourceId('Microsoft.Automation/automationAccounts/webhooks', parameters('AzureAutomationName'), 'WebHookName'), '2015-10-31')].uri
returns an empty string
As far as I know, we can only see the URL of the webhook when we create it. You can use PowerShell to create it, and you can see the URL in the outputs.
@bit is correct - the webhook URI is only retrievable at the time of webhook creation and the property is nulled thereafter. Since you're creating both the actionGroup and the webhook in the same template, though, the deployment happens synchronously and you can refer to the webhook's URI using its .uri property.
The official Microsoft documentation has an example: https://learn.microsoft.com/en-us/azure/automation/automation-webhooks#create-runbook-and-webhook-with-arm-template
Your ARM template could be modified as follows:
{
    "name": "[concat(variables('automationAccountName'), '/WebHookName')]",
    "type": "Microsoft.Automation/automationAccounts/webhooks",
    "apiVersion": "2015-10-31",
    "dependsOn": [
        "[concat('Microsoft.Automation/automationAccounts/', variables('automationAccountName'), '/runbooks/', 'RunBookName')]"
    ],
    "properties": {
        "isEnabled": "true",
        "expiryTime": "2026-11-20",
        "runbook": {
            "name": "RunBookName"
        }
    }
},
{
    "name": "[variables('ActionGroupName')]",
    "type": "microsoft.insights/actionGroups",
    "apiVersion": "2019-06-01",
    "location": "Global",
    "tags": {
        "displayName": "ActionGroupName"
    },
    "properties": {
        "groupShortName": "[variables('ActionGroupShortName')]",
        "enabled": true,
        "automationRunbookReceivers": [
            {
                "name": "MyRunBookReceiver",
                "automationAccountId": "[resourceId('microsoft.insights/components', parameters('AzureTelemetryName'))]",
                "runbookName": "RunBookName",
                "webhookResourceId": "[resourceId('Microsoft.Automation/automationAccounts/webhooks', parameters('AzureAutomationName'), 'WebHookName')]",
                "isGlobalRunbook": false,
                "serviceUri": "[reference(concat(variables('automationAccountName'), '/WebHookName')).uri]"
            }
        ]
    }
}
As an aside, that Microsoft doc uses an "outputs": { } object to emit the webhook URI. That's a really bad idea because the plaintext value of the URI will be recorded in the resource group deployment metadata. If you need to create the webhook and its clients asynchronously, one solution is to store the webhook URI in a Key Vault secret in the template that creates the webhook, and then consume the Key Vault secret value when deploying the webhook client.
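A template check for the aside above, added as an example (not code from the answer or from Microsoft's documentation): it scans a template's "outputs" section for value expressions that read an Automation webhook resource or its .uri property, which is the pattern that would land the plaintext URI in the deployment history. Both templates are constructed; the Key Vault secret resource in the second one is the answer's suggested alternative and its exact shape is an assumption.

```python
"""Flag ARM template outputs that would emit a webhook URI."""
import re

# Matches expressions that reference an Automation webhook resource or
# read a .uri property, case-insensitively.
WEBHOOK_PATTERN = re.compile(r"automationAccounts/webhooks|\.uri\b", re.IGNORECASE)

# Constructed: the pattern the answer warns against, the URI as an output.
LEAKING_TEMPLATE = {
    "outputs": {
        "webhookUri": {
            "type": "string",
            "value": "[reference(concat(variables('automationAccountName'), '/WebHookName')).uri]",
        },
        "accountName": {"type": "string", "value": "[variables('automationAccountName')]"},
    }
}

# Constructed: the same URI written to a Key Vault secret instead of an
# output (assumed resource shape), so nothing sensitive reaches outputs.
SAFE_TEMPLATE = {
    "resources": [
        {
            "type": "Microsoft.KeyVault/vaults/secrets",
            "apiVersion": "2019-09-01",
            "name": "[concat(variables('vaultName'), '/webhook-uri')]",
            "properties": {
                "value": "[reference(concat(variables('automationAccountName'), '/WebHookName')).uri]"
            },
        }
    ],
    "outputs": {"accountName": {"type": "string", "value": "[variables('automationAccountName')]"}},
}


def leaking_outputs(template):
    """Return the names of outputs whose value expression exposes a webhook URI."""
    found = []
    for name, spec in template.get("outputs", {}).items():
        value = spec.get("value") if isinstance(spec, dict) else None
        if isinstance(value, str) and WEBHOOK_PATTERN.search(value):
            found.append(name)
    return found


if __name__ == "__main__":
    print("leaking:", leaking_outputs(LEAKING_TEMPLATE))  # ['webhookUri']
    print("leaking:", leaking_outputs(SAFE_TEMPLATE))     # []
```

Wiring this into a pre-deployment pipeline step catches the output before the deployment record is written, since the history cannot be scrubbed afterwards without deleting the deployment.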

What is the ServiceProviderId to provision a SharePoint Online connection for Azure bot

I'm trying to provision a bot resource in Azure with two connections (an Azure Active Directory V2 and a SharePoint Online) using an ARM template (see below).
I was able to make it work for AADv2 successfully, and everything works fine.
I was able to make it work when I provision the resource manually.
Sadly, you can't export the templates for a bot resource... And I can't get it to work for SharePoint Online, and the only parameter I don't know what to set is the Service Provider Id, as I was able to test setting the others manually.
When I use the same one as AADv2, the connection provisioned is AADv2 (30dd229c-58e3-4a48-bdfd-91ec48eb906c)...
My template to provision these resources is:
{
    "name": "[concat(parameters('botId'),'/',parameters('SharepointConnectionName'))]",
    "type": "Microsoft.BotService/botServices/Connections",
    "apiVersion": "2017-12-01",
    "location": "global",
    "tags": {},
    "sku": {
        "name": "[parameters('sku')]"
    },
    "kind": "[parameters('kind')]",
    "properties": {
        "clientId": "[parameters('SharepointConnectionClientId')]",
        "clientSecret": "[parameters('SharepointConnectionClientSecret')]",
        "scopes": "[parameters('SharepointConnectionScopes')]",
        "serviceProviderId": "[parameters('SharepointConnectionServiceProviderId')]",
        "serviceProviderDisplayName": "[parameters('SharepointConnectionServiceProviderDisplayName')]",
        "parameters": [
            {
                "key": "tenantId",
                "value": "[parameters('SharepointConnectionTenantID')]"
            },
            {
                "key": "clientId",
                "value": "[parameters('SharepointConnectionClientId')]"
            },
            {
                "key": "clientSecret",
                "value": "[parameters('SharepointConnectionClientSecret')]"
            },
            {
                "key": "GrantType",
                "value": "[parameters('SharepointConnectionGrantType')]"
            },
            {
                "key": "LoginURL",
                "value": "[parameters('SharepointConnectionLoginURL')]"
            },
            {
                "key": "DiscoveryURL",
                "value": "[parameters('SharepointConnectionDiscoveryURL')]"
            },
            {
                "key": "ResourceURL",
                "value": "[parameters('SharepointConnectionResourceURL')]"
            },
            {
                "key": "Capability",
                "value": "[parameters('SharepointConnectionCapabilityURL')]"
            }
        ]
    },
    "dependsOn": [
        "[concat('Microsoft.BotService/botServices/', parameters('botId'))]"
    ]
}
Can you try using 307d995f-f1ce-4918-bd3f-037685e9d241?
I created two SharePoint Online connections using the browser/UI and after creating, I used Resource Explorer to show what I had created. Both use 307d995f-f1ce-4918-bd3f-037685e9d241 as the serviceProviderId when serviceProviderDisplayName is SharePoint Online.