How can I upload custom policies via power shell?
Azure AD B2C now supports PowerShell cmdlets
Azure AD Preview module documentation
See medium blog
Quick Start
Launch Power Shell and try below commands
> Install-Module -Name AzureADPreview
> Connect-AzureAd -tenantId <yourtenantname> -accountId <yourAlias#contoso.com>
> Get-AzureADMSTrustFrameworkPolicy
> Get-AzureADMSTrustFrameworkPolicy -Id B2C_1A_signup_signin -OutputFilePath C:\B2C_1A_signup_signin.xml
> New-AzureADMSTrustFrameworkPolicy -InputFilePath C:\B2C_1A_signup_signin.xml
> Set-AzureADMSTrustFrameworkPolicy -Id B2C_1A_signup_signin -InputFilePath C:\B2C_1A_signup_signin.xml
You cant.
Well, you used to be able to if you had an advanced policy with the B2C powershell tools but ever since they moved from B2C to Identity Experience Framework they have disabled it.
I presume when they go back to ARM templates then they will re-enable it.
Azure AD B2C currently does not support any programmatic policy management, including Graph, PowerShell or ARM templates.
You can support this ask and keep track of it (i.e. get notified when there's a preview available) for voting for it in the Azure AD B2C feedback forum: Programmatically Manage B2C Policies
Related
How do I turn on self-service password reset through the Azure AD portal? I cannot find it in the portal?
You can only turn on or turn off the feature with MSOnline module, but other settings must be managed over Portal for now:
Set-MsolCompanySettings -SelfServePasswordResetEnabled $True
From Set-MsolCompanySettings documentation
There is Get-AzureADDirectorySettingTemplate in AzureADPreview module, so may be more settings will be available for configuration over PowerShell but there is nothing related to Self-Service Password Reset at the moment.
Enabling SSPR for a OU or group in azure is currently not supported by Powershell cmdlets. The Enablement of SSPR feature is only supported via Azure Portal.
We can reset password for one user only using powershell.
Command : Set-AzureADUserPassword -ObjectId "object-id" -Password $password.
I found an existing idea on this matter in feedback forum for azure. You can upvote the feedback in azure forum and share your additional feedback there for visibility.
Reference:
Azure Feedback SSPR
I want to remove a tenant from Azure portal.
All Enterprise applications should be deleted before the tenant removing:
There are two options how Enterprise applications could be removed:
From the Azure portal. Go to the application you want to delete, click "Properties", click "Delete" button. This option is not available as "Delete" button is disabled.
Using PowerShell commands with Azure Cloud Shell. This option is not available because it states "No valid subscription found. You need an Azure subscription to use Azure Cloud Shell".
I don't want to activate an Azure subscription just for the removing tenant.
But all options are useless in this case.
Any alternative approach?
You should be able to delete the enterprise application in the portal, make sure you logged in to the portal with the Global admin account.
If this still not work, try to use powershell in local(not in cloud shell).
1.Install the AzureAD module.
Install-Module -Name AzureAD
2.Login with Global admin account.
Connect-AzureAD -TenantId <TenantId>
3.Delete the enterprise application.
Remove-AzureADServicePrincipal -ObjectId <app objectid got from the portal>
I have an Azure AD tenant which is not associated to a subscription. When I login from the Azure portal I am able see and get to it using "switch directories".
When I log in from PowerShell, I do not see it, it only shows my subscription not by Azure AD tenant.
How do I connect to the Azure AD tenant which has no subscription?
Neither the Azure AD PowerShell nor the Azure PowerShell modules require that the tenant have an Azure subscription in order to connect.
If you are using the Azure AD PowerShell module, you simply connect:
Connect-AzureAD
If you are using a user account which is a member of multiple tenants, it's best to be explicit about which tenant you'd like to connect to:
Connect-AzureAD -TenantId "{other-tenant-id}"
For registering and managing apps in Azure AD I recommend using the Azure AD PowerShell module. However, if you need/want to use the Azure PowerShell module instead, the process is very similar:
Connect-AzAccount
And, if you need to be explicit:
Connect-AzAccount -TenantId "{other-tenant-id}"
I'm trying to deploy a build to Azure WebApp.
In Azure (http://manage.windowsazure.com) I linked the web app to my Visual Studio Online(VSTS) account.
In VSTS I've created a release definition with a single task (Azure Web App Deployment); the task is configured to use the endpoint defined in the administration module. The service endpoint is configured to use credentials. The credential is using a Microsoft account.
The release is failing with the below error:
2015-12-02T18:17:35.4422685Z AzurePSCmdletsVersion= 0.9.8.1
2015-12-02T18:17:35.5692677Z Get-ServiceEndpoint -Name foo -Context Microsoft.TeamFoundation.DistributedTask.Agent.Worker.Common.TaskContext
2015-12-02T18:19:07.5877546Z Username= ********
2015-12-02T18:19:07.5887893Z azureSubscriptionId= foo-foo-foo-foo-foo
2015-12-02T18:19:07.5907904Z azureSubscriptionName= Pay-As-You-Go
2015-12-02T18:19:07.6278127Z Add-AzureAccount -Credential $psCredential
2015-12-02T18:19:09.7755541Z ##[error]-Credential parameter can only be used with Organization ID credentials. For more information, please refer to http://go.microsoft.com/fwlink/?linkid=331007&clcid=0x409 for more information about the difference between an organizational account and a Microsoft account.
2015-12-02T18:19:09.9664413Z ##[error]There was an error with the Azure credentials used for deployment.
How can I setup the release to use a Microsoft account for Azure credential?
There isn't any way to use a Microsoft Account Credential to connect to Azure from VSO service endpoint for now. You need to use an Organization account. If you don't have one, you can use "Certificate Based" authentication to connect to Azure easily. Click this link to get your subscription file and then paste the certification string in the subscription file into VSO "Management Certificate" area.
Add-AzureAccount cmdlet, uses Azure Active Directory (Azure AD) authentication access tokens and Azure AD uses Organizational Accounts.
Microsoft account credentials, formerly known as LiveIDs will not work in Azure AD authentication scenarios.
This is reported here as a suggestion and by design as of now:
https://github.com/Azure/azure-powershell/issues/477
I have a load of Azure Powershell deployment scripts that are triggered by the build server after the completion of a build which work perfectly - I use the Import-AzurePublishSettingsFile (which is securely stored locally) to log into Azure unattended.
I now need to extend these to include management of Sql Azure Servers, Elastic Pools and Databases.
These, however, are part of the Azure Resource Manager cmdlets which have a different method of authentication.
I've found these articles:
Authenticating a Service Principal with Azure Resource Manager
Using Azure PowerShell with Azure Resource Manager
Using Windows Azure Active Directory to Authenticate the Management Libraries)
but all appear to require you to enter your credentials at some stage at the process. The second link above explicitly states:
The AzureResourceManager module requires Add-AzureAccount. A Publish Settings file is not sufficient.
I've tried (just to see what happens) switching to the Resource Manager with Switch-AzureMode -Name AzureResourceManager and then just executing one of the cmdlets, such as Get-AzureResourceGroup -Name "blah" but I just get an error of
Get-AzureResourceGroup : AuthenticationFailed: Authentication failed. The 'Authorization' header is not present or provided in an invalid format.
I am quite happy to set up an AD Application, manually, once, through the portal and then provide my scripts with the relevant Application ID or whatever is required. I just need it to be unattended so that my build can deploy!
Can anyone tell me how I go about making an unattended script to use these Azure Resource Manager cmdlets through Powershell?
This post gives full details of how to do this. Basically you embed your powershell scripts with the username and password of your AD user.
Unattended authentication to Azure Management APIs with Azure Active Directory
But be aware that if, like me, you wish to combine calls to the AzureResourceManager and AzureServiceManagement modes (using Switch-AzureMode) then you must use Add-AzureAccount -Credential <credentials> and also Remove-AzureAccount -Name <username> otherwise some of the AzureServiceManagement mode cmdlets cease to work.