How to delete a group permanently? - powershell

I have been trying to permanently delete a group from 0365 via PowerShell by using AppRegistration but I keep getting Insufficient Permissions.
I can delete the group with Remove-PnPMicrosoft365Group or Remove-MgGroup and after these commands, the group is moved to deleted items. But when I try to delete the deleted group permanently, I always get insufficient permissions. Both Remove-MgDirectoryDeletedItem and Remove-PnPDeletedMicrosoft365Group did not work for me:
I also tried directly from Graph explorer but I received the same error although I consented all possible permissions.
By the way, I can permanently delete the deleted group from Azure Portal.
Any ideas ?
Thx

Just in case if anybody needs help for such requirement, there are two options:
Give the app registration "Company Admin (Global Admin as of today)" as described here : https://konstantinvlasenko.wordpress.com/2016/12/22/microsoft-graph-api-insufficient-privileges-to-delete-a-group/
But this option will not work later than July 2023 because Microsoft is deprecating MSOL.
App Registration usage is not possible for permanently deleting directory objects : https://learn.microsoft.com/en-us/graph/api/directory-deleteditems-delete?view=graph-rest-1.0&tabs=http
So you will need to use MSGraph with user authentication.
Just fyi, when you try to permanently delete O365 group from Graph Explorer, you will need to consent to Directory.AccessAsUser.All
Regards,

Related

Connecting Excel to a Azure Devops Query

I can not see my queries using Excel Team plugin. I get an error enter image description here
TF8001:An error occurred while accessing the work item database. Contact the administrator
Please use the administrator account to check these:
First, please check whether the current query allows your account to access it.
click on the Shared query-->Security
Make sure that the related options are allowed.
Second, make sure that your account has access to the current work item.
Project Settings--> Project configuration
Finally if you execute the query to tfs work item database, you should contact your Administrator to add permission for your account.

Azure Devpos Server 2019 : How to correctly manage user role

I'am recently installed Azure DevOps Server 2019 in on-premises server.
However, i'am so confused : How i can set the security and the user permission in the server, such as : Deny user to view author project in the same collection , create custom group not in the azure devops default groups ...
I ask for idea to implement that
Thank you
According to Azure DevOps permission setting, most groups and almost all permissions, Deny trumps Allow. If a user belongs to two groups, and one of them has a specific permission set to Deny, that user will not be able to perform tasks that require that permission even if they belong to a group that has that permission set to Allow.
Deny user to view author project in the same collection.
Assume you were talking about team project. In your scenario, the simplest way is not add that user to your team project. People without team project collection admin permission will not be able to see those projects which they are not added in.
If you already add users in the team project and want the user not be able to see some info such as repo/build/work items in the project .
You need to evidently deny those users for viewing some project repositories/builds/ work items.
As how to create group, you could directly click New Group in the right top corner of the page from Project Settings-- Permission
More details about how are permissions and groups defined, suggest you go through our official doc here-- About permissions and groups
Besides, you could also manage user permission with the help of command line. The tfssecurity command line tool allows us to manage permissions for Azure DevOps groups and users. We could use it in a PowerShell script to grant access to projects that already exists.

How to get access to an Azure DevOpps Organization

I cannot create a new organization named ''OnLineO'', as this name already exists.
I'm about sure it's me who created it a few time ago, but none of my logons run.
Must I send an email to Visual Studio Marketplace (VSMarketplace#microsoft.com) as stated in this post : Recovering access to an organization ?
Through the query, I found that your organization:"OnLineO" has been backed up to AAD:"OnLineO".
Please go to azure DevOps profile page,switch to OnLineO domain and try to login. Please do this in the new incognito window of browser. Note that your login account also needs to be backed up to AAD.
If you still cannot log in, please provide vsid as shown below. Pay attention to the processing of personal privacy information.
Sorry for the delay. If organization OnLineO is backed up to AAD "OnLineO", this is a great info, but I don't understand what it means... ?
On my DevOps profile page in an Invited session in Chrome (more isolated than incognito in other browsers), I am switched to OnLineO
DevOps profile page
It's when I try to create OnLineO as a New Organization that I get this message :
New Organization

Azure DevOps - permissions issue with deployment groups

Does anyone know where I can set the permission to manage deployment groups in Azure DevOps.
If i click on "deployment groups" in the menu shown here:
I am receiving this message when i click on a deployment group.
The error message states:
You do not have permissions to register targets. Contact your release
manager to grant permission
I am a member of both project administrators and build administrators groups.
I can reproduce your problem and solve it with the following permission settings.
Click Manage in the Deployment pool
If you get this error you do not have permission to manage this deployment pool's roles to prevent you from modifying permissions in Security. You need to be added to Project Collection Administrators group in organization setting permissions. If you can't be added to the PCA group, you can let the users in the PCA group help you modify it.
Set the user's Role to Administrator in Security, click Save Changes.
After this setting, you will not receive the error message:You do not have permissions to register targets. Contact your release manager to grant permission when you enter the Deployment groups.
This access is not required as I was able to fix this without changing org level access to others and indeed such access is not made to share with all.

Get Azure subscription details of client

I want to get details of Azure Subscription of my client. But I do not want to ask for special permission from client.
What I need is the bare minimum things from my client so that I can login from powershell or rest api and read status of runbook jobs.
If i login from admin account of the subscription than I can easily get those details. But you understand it is not possible to have admin account credential of my client.
Please suggest some workaround.
What you need to do is create a user in Azure Active Directory and grant that user specific rights using either the Azure Portal or PowerShell\Cli\SDK.
Say read all, or read properties of desired automation account. If you would want like a super minumim, you would need to create a custom role first.
https://azure.microsoft.com/en-us/documentation/articles/role-based-access-control-custom-roles/
If your client placed specific resources within a Resource Group, they may grant you permissions on just that Resource Group (including read-only permissions). This would allow you to have access to needed resources, without having access to other areas of their subscription.