Couldn't find exactly what I was looking for in the forum...
I was testing AD Sync with a virtual domain controller. I have since deleted the virtual domain controller and need to remove the users from Azure AD. How is that done? "Delete Users" is not allowable when the user is from a local AD. Also, how do I turn off AD Sync in Azure?
"Delete Users" is not allowable when the user is from a local AD
For the on-premise synced objects, you could not manage or remove from the Azure AD.
If you want to remove the synced users and turn off the AD Sync, you could follow this way:
Install the Azure Active Directory Module for Windows PowerShell.
Connect to Azure AD by using Windows PowerShell.
Disable directory synchronization. To do this, type the cmdlet Set-MsolDirSyncEnabled –EnableDirSync $false, and then press Enter.
Check that directory synchronization was fully disabled by using the Windows PowerShell. To do this, run the cmdlet periodically:(Get-MSOLCompanyInformation).DirectorySynchronizationEnabled.
This cmdlet will return True or False. Continue to run this cmdlet periodically until it returns False, and then go to the next step.
Try to update an object by using Windows PowerShell or by using the cloud service portal. By this step, you could remove the synced users.
For the details, you could read here.
My question was in two parts.
1) Disable directory sync. This is answered by #SunnySun-MSFT above.
2) Remove local AD users from Azure AD. For this MSFT support got back to me with a working solution.
Open powershell as admin
Install-msolservice (provide global admin credentials)
Get-msoluser -all -synchronized (display all local users synched with Azure)
Get-msoluser -all -synchronized | remove-msoluser -force (delete synched users)
Related
I'm currently trying to enable VM Login on a Windows 2019 Server with Azure AD Credentials. For this I have followed the Microsoft Documentation: https://learn.microsoft.com/en-us/azure/active-directory/devices/howto-vm-sign-in-azure-ad-windows
I have tried by creating a new user as type "member" in my Azure AD. Then I have created a Windows Server 2019 VM with "Login with Azure AD" enabled as shown in the documentation. Afterwards I have given the "Virtual Machine Administrator Login" Role to the new User. Then I have tried to login to the VM using the new user credentials. Unfortunately it didn't work. I encounter the "Your Credentials did not work" error message.
With the local user I can login to the VM. I have tried to de- and reinstall the "Microsoft.Azure.ActiveDirectory.AADLoginForWindows" Extension. I have checked the VM with the command: "dsregcmd/status", whether th VM is really Azure AD joined.
Has someone done it before and know why it doesn't work? What have I done wrong?
Best regards!
I tried to reproduce the same in my environment and added successfully
I have added user and created VM with Windows Server 2019 enabled Login with Azure AD. While creating azure vm make sure to give username and password same as azure ad user Credentials.
Verify whether you have added AADLoginForWindows Extension in Azure as below:
Downloaded RDP file and tried to login it shows me an error. To resolve this issue, use different account use "\" try to login as below.
<VMname>\Username or localhost\username and password
Make sure you are using the correct credentials When RDP VM using Azure AD credentials, in order to log in, you can also reset your password try logging in if still error appears.
Once RDP has opened try to Join a Windows 10 Device to Azure AD and on your Windows 10 Azure VM -> system properties -> remote setting -> uncheck Allow connections only from computers as below:
To add azure ad user to RDP user group Run the command prompt as administrator like blow:
net localgroup "Remote Desktop Users" /add "AzureAD\the-UPN-attribute-of-your-user"
Account should be AzureAD\USERNAME#DOMAIN.onmicrosoft.com type.
To confirm the Azure AD user has been added run this Get-LocalGroupMember -Name "Remote Desktop users" in powershell .
And then, I modify the azure vm RDP file. If you modify this file in before u will get an error, Click Download RDP File -> right click open with notepad file and try to add like below and save
address:s:IPADDRESS:3389
prompt for credentials:i:0
authentication level:i:2
enablecredsspsupport:i:0
username:s:USERNAME#DOMAIN.onmicrosoft.com
domain:s:AzureAD
And try to connect with this RDP file. make sure you need to use AzureAD\username#domain.onmicrosoft.com. if you are enter only the Azure AD user account without the domain it may cause an error.
Reference: Assign Azure roles using the Azure portal - Azure RBAC | Microsoft Learn
I have the free developer E5 subscription and have setup a tenancy, created users etc. I have tried creating a second directory that I am planning to use to test the Azure AD Connect tool on a local server. I can switch between the tenants on the Azure Portal with the "Switch tenant" button however can't seem to figure it out with the Powershell cmdlets.
Connect-AzureAD
Set-AzContext -TenantId "My new tenant/directory"
Following these two commands is where the confusion starts. The first commands lists the users from the first directory and the second command shows the users from the directory I have switched too.
Get-AzureAdUser (Shows the first directory, not the one switched too)
Get-AzAdUser (Shows the users of the directory switched too)
Not sure if there is something I am missing here?
Thats because those are commands from 2 different modules:
First one are from AzureAD which is a module designed for tasks within AzureAD
Ths second one are from Az With is designed to handle most, if not all of Azure's resources. The AD functionality is mostly for the module to handle lookups of azure ad objects when checking rbac and assigning access, and not really created to manage AzureAD in any meaningful way (even tho you can do some tasks).
For your task you can use the az module easliy if you just want to look up the users, but if you need to actually administer azure ad i suggest you go for azuread.
To connect to a specified tenant with azuread use connect-azuread -tenantId 'tenant id'. I also think it support that you use domain name aswell
I want to remove a tenant from Azure portal.
All Enterprise applications should be deleted before the tenant removing:
There are two options how Enterprise applications could be removed:
From the Azure portal. Go to the application you want to delete, click "Properties", click "Delete" button. This option is not available as "Delete" button is disabled.
Using PowerShell commands with Azure Cloud Shell. This option is not available because it states "No valid subscription found. You need an Azure subscription to use Azure Cloud Shell".
I don't want to activate an Azure subscription just for the removing tenant.
But all options are useless in this case.
Any alternative approach?
You should be able to delete the enterprise application in the portal, make sure you logged in to the portal with the Global admin account.
If this still not work, try to use powershell in local(not in cloud shell).
1.Install the AzureAD module.
Install-Module -Name AzureAD
2.Login with Global admin account.
Connect-AzureAD -TenantId <TenantId>
3.Delete the enterprise application.
Remove-AzureADServicePrincipal -ObjectId <app objectid got from the portal>
I have a service principal that I use for automation. It has the Directory.Read.All permission in Microsoft Graph for our Azure Active Directory.
It cannot run the Set-AzSqlServerActiveDirectoryAdministrator command. The error I get is:
Cannot find the Azure Active Directory object 'My-AD-Group'.
Please make sure that the user or group you are authorizing is
registered in the current subscription's Azure Active directory.
If I run this same command as myself, it runs just fine.
Clearly my Service Principal needs more than the Directory.Read.All permission. Yet I cannot find any documentation that lists exactly what API Permissions my Service Principal would need to successfully run this command.
Does anyone know how I can discover exactly what API permissions would be required to run a particular Azure PowerShell command that involves accessing Azure Active Directory?
As an aside, I'm not tied to PowerShell. I cannot get this command to work with the az cli either. I'm open to methods using az that would get me this answer.
You need to give the Directory.Read.All(Application permission) of Azure AD Graph API not the Microsoft Graph API. Also make sure the service principal has the permission of the sql server(e.g. the service principal is the Owner of the subscription or the sql server), then it will work fine.
If you want to add the service principal as a role of the subscription or sql server, navigate to the subscription or the sql server in the portal -> Access control (IAM) -> Add -> Add role assignment -> search your service principal with name and add it as a role(e.g. Owner) -> Save, more details here.
Set-AzSqlServerActiveDirectoryAdministrator -ResourceGroupName "<ResourceGroupName>" -ServerName "<ServerName>" -DisplayName "group1" -ObjectId "64d1b8xxxxx4ffbd"
Does anyone know how I can discover exactly what API permissions would be required to run a particular Azure PowerShell command that involves accessing Azure Active Directory?
The Azure PowerShell essentially calls the different APIs, to get the permissions of the APIs, you could catch the request via Fiddler, then look into the official API doc for the permissions.
I have a load of Azure Powershell deployment scripts that are triggered by the build server after the completion of a build which work perfectly - I use the Import-AzurePublishSettingsFile (which is securely stored locally) to log into Azure unattended.
I now need to extend these to include management of Sql Azure Servers, Elastic Pools and Databases.
These, however, are part of the Azure Resource Manager cmdlets which have a different method of authentication.
I've found these articles:
Authenticating a Service Principal with Azure Resource Manager
Using Azure PowerShell with Azure Resource Manager
Using Windows Azure Active Directory to Authenticate the Management Libraries)
but all appear to require you to enter your credentials at some stage at the process. The second link above explicitly states:
The AzureResourceManager module requires Add-AzureAccount. A Publish Settings file is not sufficient.
I've tried (just to see what happens) switching to the Resource Manager with Switch-AzureMode -Name AzureResourceManager and then just executing one of the cmdlets, such as Get-AzureResourceGroup -Name "blah" but I just get an error of
Get-AzureResourceGroup : AuthenticationFailed: Authentication failed. The 'Authorization' header is not present or provided in an invalid format.
I am quite happy to set up an AD Application, manually, once, through the portal and then provide my scripts with the relevant Application ID or whatever is required. I just need it to be unattended so that my build can deploy!
Can anyone tell me how I go about making an unattended script to use these Azure Resource Manager cmdlets through Powershell?
This post gives full details of how to do this. Basically you embed your powershell scripts with the username and password of your AD user.
Unattended authentication to Azure Management APIs with Azure Active Directory
But be aware that if, like me, you wish to combine calls to the AzureResourceManager and AzureServiceManagement modes (using Switch-AzureMode) then you must use Add-AzureAccount -Credential <credentials> and also Remove-AzureAccount -Name <username> otherwise some of the AzureServiceManagement mode cmdlets cease to work.