AAD guest users are not allowed to be account owners - azure

I have custom AAD and I added my company account to the AAD. I made the company account owner of the subscription and administrator of the AAD.
When I want to create new Team Project, the deployment fails with message:
VS850006: AAD guest users are not allowed to be account owners. Please
use a non-guest AAD user. AAD guest user sign-in address:
daniel.turan#accenture.com (Code: OrganizationBadRequestException)
It was working yesterday before I made myself AAD administrator. WTF?

You are probably a guest in the AAD that backs VSTS. By default AAD guests cannot search the AAD.
You could check your user type on Azure Portal.Azure Active Directory-->All Users--><your user>-->profile
f the UserType is GUEST, you can make this user a MEMBER by executing
Set-Msoluser -UserPrincipalName <your ID> -usertype member
More information about this please refer to this [blog]
Update:
If your account is a Microsoft account, you could use Azure AD Power Shell 2.0 to change user type.
Connect-Azuread -TenantID "****************"
Get-azureaduser -ObjectID "99f1721e-42ae-4056-9c14-30976aa1608b"|Set-AzureADUser -UserType "member"
(https://blogs.msdn.microsoft.com/dstfs/2015/12/23/issues-with-azure-active-directory-guest-users-in-aad-backed-visual-studio-team-services-accounts/).

I had the same issues and these were the powershell commands that helped:
Install-Module AzureAD
Install-Module MSOnline
Import-Module AzureAD
Import-Module MSOnline
$AzureAdCred = Get-Credential
Connect-AzureAD -Credential $AzureAdCred
Connect-MSolService -Credential $AzureAdCred
Set-MsolUser -ObjectId <your-account-id> -UserType Member
I could not connect immediately but after waiting for a few hours (8 in my case) connecting the account worked.
If you want to make sure that the object-id you are using is the correct user you want to alter you can use the following command:
Get-MsolUser -ObjectId <your-account-id>

Related

unable to authenticate to azure using powershell

we had an azure tenant.
we opened a new one, and passed our users to the new tenant and then added our users to the old tenants as guests.
Passing means that we deleted our users from the first tenant, then we migrated the domain to the new tenant and we created the users with the same properties in the new tenant.
since then every time we try to connect to azure using powershell with the commend Connect-azaccount -TenantId we get the following error:
Unable to acquire token for tenant '***' with error 'SharedTokenCacheCredential authentication unavailable. No account matching the specified username: *** tenantId: *** was found in the cache.'
does someone knows hoe to fix this?
thank you
we have tried every thing we found online.
we tries clear-azcontext, deleting the certificated from our machines, deleting powershell and reinstalling, etc...
Unable to acquire token for tenant xxx with error SharedTokenCacheCredential authentication unavailable. No account matching the specified username: xxx tenantId: xxx was found in the cache
The error usually occurs if the user is not present in the tenant you are trying to sign-in.
To check the error in detail, you can try debugging like below:
$DebugPreference = "Continue"
Connect-AzAccount -TenantID XXXX
Based on the debug details, you can check which Tenant is the user being connected to or any user details.
Try to connect with Subscription ID like below:
Connect-AzAccount -Subscription SubscriptionID -TenantId TenantID
Check if the user is having MFA enabled and try connecting with Global Admin account. And it might be the scenario where the account might be still cached in the local machine, so try if it works in another machine.
You can also make use of Device Authentication like below:
Connect-AzAccount -Tenant TenantID -UseDeviceAuthentication
Open the browser and enter the code:
Make sure to install the Az module like below:
Initially clear the cache and try to install by setting execution policy
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned
Install-Module Az
Import-Module Az
Update-Module -Name Az
Check whether the user account in the Tenant has required permissions to the subscription.
Try to select the Context in PowerShell:
Get-AzContext -ListAvailable
Select-AzContext -Name Name
Or you can set context to the SubscriptionID by including TenantID:
Set-AzContext -Subscription $subscription -Tenant $tenantId | Out-null
If still the issue persists, it might be some environment problem while migrating the domain.
For me the problem seemed to be related to using a "legacy" account (or whatever they're called). Making and using a new account seemed to resolve the issue for me.

Method to get list of AD users using application password

In an application, I'm currently using PowerShell and MSOnline module (Connect-MsolService and Get-MsolUser) to get a list of AD users. A global admin provides his username and password and the application is able to get a list of all users under that tenant.
That works fine... As long as the password is not an app password. When an app password is used then the following is what the global admin gets to see:
Authentication Error: Bad username or password
My question is: Is there any other method, which uses PowerShell, but doesn't have to, to get the list of users in AD, but which works with app password? I know of Graph API, but that's not a fit for the project right now.
If I understand you correctly, you want to use the AD App and its password(secret) to list the users.
You could use the Az powershell module to do that, login with the service principal and list users via Get-AzADUser. Also, make sure your AD App(service principal) has the admin role like User administrator or Global administrator.
$azureAplicationId ="<AD App Application id>"
$azureTenantId= "<tenant id>"
$azurePassword = ConvertTo-SecureString "<password>" -AsPlainText -Force
$psCred = New-Object System.Management.Automation.PSCredential($azureAplicationId , $azurePassword)
Connect-AzAccount -Credential $psCred -TenantId $azureTenantId -ServicePrincipal
Get-AzADUser
Update:
Currently, use app password of MFA enabled user to connect MSOL powershell is not supported, for more details see this link.
App passwords are NOT supported, simply use Connect-MsolService without any parameter to trigger the ADAL dialog and complete the 2FA challenge as normal.

Guest Vs User for Powershell commands execution

Confused regarding "guest" and "user" type in Azure .
Although i am given Global Admin role but my user type is Guest. So do i have right to execute powershell cmdlets . Because when i fire "Connect-AzureRmAccount" it shows only Account and Environment no azure subscription or id.
Connect-AzureRmAccount
Account : MyEmail
SubscriptionName :
SubscriptionId :
TenantId :
Environment : AzureCloud
I want to execute powershell cmdlets can i do it as guest . My company has csp account.
Yes, you can. Make sure your account has an RBAC role in the subscription, then use the command as below. If not, you need to add your account to the subscription firstly, ask the Owner of the subscription to navigate to the subscription in the portal > Access control (IAM) > Click Add > Add role assignment > add your account as a role(e.g. Owner, Contributor), more details see this link.
Connect-AzAccount -Tenant "<tenant id>" -Subscription "<subscription id>"
Note : In my sample I use the new Az command Connect-AzAccount, the old Connect-AzureRmAccount is also the same.
guest is user from other directory and user is user from same directory.
For example your ad domain is xyz.onmicrosoft.com then user1#onmicrsoft.com will be user and user2#anything.com will be guest user

How to find out who the Global Administrator is for a directory to which I belong

I have checked in every possible area in the classic Azure portal but I can't seem to find the "Global Administrator" for the directory to which I belong.
Is there a way to find this out in the portal?
You should be able to look up the company administrators in your tenant by making two queries to the AAD or Microsoft Graph API.
The first query will allow you to identify the objectId of the "Company Administrator" role in your tenant.
https://graph.windows.net/<tenant>/directoryRoles
Then you need to find the directoryRole where "roleTemplateId": "62e90394-69f5-4237-9190-012177145e10", and save the objectId.
Next you can query the members of that directoryRole using the following:
https://graph.windows.net/<tenant>/directoryRoles/<objectId>/members
Try it all out using the Graph Explorer, and it's demo Tenant:
Query 1
Query 2
Let me know if this helps!
Global Administrators are also called Company Administrators. The following PowerShell script can help you print out all your Company Administrators. The Install-Module is included in case you do not already have the AzureAD PS Module installed.
# Install-Module AzureAD
Connect-AzureAD -TenantID [Your Tenant ID]
$role = Get-AzureADDirectoryRole | Where-Object {$_.displayName -eq 'Company Administrator'}
Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId | Get-AzureADUser
Currently there's no way on the portal, however using PowerShell, enter the following code:
Connect-MsolService #to connect to your Azure tenant
Get-MsolRoleMember -RoleObjectId (Get-MsolRole -RoleName "Company Administrator").ObjectId

Running New-AzureRmResourceGroupDeployment from within a Function App

I need to wire up a stateless worker ad-hoc to perform a long running job based off a user action that self destructs when its done. I am trying to run New-AzureRmResourceGroupDeployment from within a PoSh Function App and cannot figure out how to authenticate to Azure from within the PoSh script.
I tried this:
$accountName = "myID#mydomain.com"
$pwd = ConvertTo-SecureString "password" -AsPlainText -Force
$cred = new-object PSCredential($accountName, $pwd)
Add-AzureRmAccount -Credential $cred
New-AzureResourceGroupDeployment -ResourceGroupName yadda yadda
And I get an error message that I need to use an Organization ID (which I am, our Azure AD is federated and we use AD Sync (and SiteMinder w/o WS-* if that matters)):
Add-AzureRmAccount : -Credential parameter can only be used with Organization ID credentials. For more information, please refer to http://go.microsoft.com/fwlink/?linkid=331007&clcid=0x409 for more information about the difference between an organizational account and a Microsoft account.
I tried "Login-AzureRMAccount -Credential $cred" with similar results.
If I do the Add- or Login- cmdlets from a PoSh window on my local machine (which is member joined to AD) with the -Credential flag I get a similar error. If I run the cmdlets without the credential I am prompted for credentials through an interactive ID/PW window (I do not have to enter my password once I type in my ID).
Does anyone know how I can do the authentication? I would be okay with authenticating like above, some sort of pass through credential from our web layer, or even an Option C I don't know about.
You will need to use service principal for authentication. A sample with instructions can be found here.
Azure Function role like permissions to Stop Azure Virtual Machines
For that you would need to use Service Principal auth. I don't think there is any sense of copypasting Azure Doc's to this answer, just consult this document:
https://learn.microsoft.com/en-us/azure/azure-resource-manager/resource-group-authenticate-service-principal

Resources