I hope someone can help..
I have a registered application (TestApp3), with which I connect successfully using:
Connect-AzureAD -TenantId $tenant -CertificateThumbprint $thumb -ApplicationId $applicationID
Now once connected, I need to assign users to a different application (TestApp2).
If I use the following command (when connected as Global Admin)
Add-AzureADDirectoryRoleMember -ObjectId (Get-AzureADDirectoryRole | where-object {$_.DisplayName -eq "Application administrator"}).Objectid -RefObjectId $sp.ObjectId
This will grant the App Admin role to the application TestApp3.
So, the following will work when connected as TestApp3:
New-AzureADUserAppRoleAssignment -ObjectId $user.ObjectID -PrincipalId $user.ObjectID -ResourceId $servicePrincipal.ObjectId -Id ([Guid]::Empty)
This will add a user to the list of assigned users for the servicePrincipal TestApp2.
However, its 'scoped' across the tenant. How do I configure it so TestApp3 can only assign users for the specific app TestApp2?
Thanks..
//A
How do I configure it so TestApp3 can only assign users for the
specific app TestApp2?
According to this microsoft document assign app owners
Similar to application administrator, an owner has capability to
manage many or all azure ad configuration aspects but for a
specific organization application (appl registration or enterprise
application.) they are assigned to.
They can do user assignments, SSO configuration and provisioning. Owner can even add /remove other owners and can manage the applications that they own only.
Add an owner using powershell cmds.
Connect-AzureAD
Add-AzureADApplicationOwner -ObjectId xxxxxx-xxxx-xxxx3-xxx -RefObjectId xxxx-xxxx-xxx-xxxx-xxxxxxxx
ObjectId > object id of the application
References:
assign-application-owners- Azure AD | Microsoft Docs
Add Azure AD Application as owner of another AD Application –
LockTar’s Blog
Related
we have an Azure App Registration and run a PowerShell-Script from a Azure RunBook to sync users from AAD to SharePoint User Profile Store.
The App has approved consent to read users by graph from aad and read/write to SharePoint User-Profiles:
The PowerShell-Script connects to graph and pnponline by App which is working fine.
$serviePrincipalName = 'ZZZ-SPOScript'
$servicePrincipalConnection=Get-AutomationConnection -Name $serviePrincipalName
Connect-MgGraph -TenantId $servicePrincipalConnection.TenantId -ClientId $servicePrincipalConnection.ApplicationID -CertificateThumbprint $servicePrincipalConnection.CertificateThumbprint
Connect-PnPOnline -Url "https://ourtenant-admin.sharepoint.com" -Tenant $servicePrincipalConnection.TenantId -ClientId $servicePrincipalConnection.ApplicationID -Thumbprint $servicePrincipalConnection.CertificateThumbprint
We can get all users from aad:
$users = Get-MgUser -All -Property "Id,mail,UserPrincipalName,extension_b8fc35d8e8ec45e689d332303177957a_ZZZ_townCode,extension_b8fc35d8e8ec45e689d332303177957a_ZZZ_costNumber,extension_b8fc35d8e8ec45e689d332303177957a_employeeID,extension_b8fc35d8e8ec45e689d332303177957a_employeeNumber,extension_b8fc35d8e8ec45e689d332303177957a_ZZZ_title,extension_b8fc35d8e8ec45e689d332303177957a_ZZZ_office,extension_b8fc35d8e8ec45e689d332303177957a_extensionAttribute6,extension_b8fc35d8e8ec45e689d332303177957a_extensionAttribute7"
We iterate over all users:
foreach($user in $users) {...
But when we try to get the user profile properties from SharePoint by calling
$fldValue = (Get-PnPUserProfileProperty -Account $user.UserPrincipalName).UserProfileProperties."ZZZ-CostNumber";
we get Current user is not a tenant administrator.
Our Service Principal ZZZ-SPOScript which runs the Script within the RunBook is of course not a tenant admin (and will never be).
So, we added an App Permission entry for the Azure App Registration by /_layouts/15/AppInv.aspx
with following Permissions to elevate to FullControl
<AppPermissionRequests>
<AppPermissionRequest Scope="http://sharepoint/content/tenant" Right="FullControl" />
</AppPermissionRequests>
But still we get Current user is not a tenant administrator. if the Scripts is trying to call
Get-PnPUserProfileProperty
Are we missing something or can this be a bug in pnponline?
Additional finding: As stated here we should add Full Control permissions for the social features.
So, I upated the permissions to
<AppPermissionRequests AllowAppOnlyPolicy="true">
<AppPermissionRequest Scope="http://sharepoint/content/tenant" Right="FullControl" />
<AppPermissionRequest Scope="http://sharepoint/social/tenant" Right="FullControl" />
But still same error.
Looks like there is simply a typo in the very first string:
$serviePrincipalName = 'ZZZ-SPOScript'
The correct one should be
$servicePrincipalName = 'ZZZ-SPOScript'
I am using devops build pipeline (yaml script) to provide access to the objects. The keyvault access permission is working where as the role assignment is not working. Please help.
Write-Host "The daf id is - " $ObjId
working command
Set-AzKeyVaultAccessPolicy -VaultName "$(KVName)" -ObjectId "$ObjId" -PermissionsToSecrets get,list,set -PermissionsToKeys get,list -PermissionsToCertificates get,list -BypassObjectIdValidation
NOT working command
New-AzRoleAssignment -ObjectId "$ObjId" -Scope "/subscriptions/52765179-b8e9-7b3c-a1ff-d32646hdd3a/resourceGroups/rg-DataPlatform/providers/Microsoft.Storage/storageAccounts/dsstore" -RoleDefinitionName "Contributor"
Error Details
When using New-AzRoleAssignment, it will also call the AAD Graph API to verify the object in your AAD tenant.
To solve the issue, navigate to the AAD App of your service connection, add the Application permission Directory.Read.All of Azure Active Directory Graph like below.
Note: Not Microsoft Graph and not Delegated permission.
Here is a similar issue I answered before for your reference.
I am working on proofing out if there is a way to automate a Global administrator's Azure AD access for other User role accounts in the same tenant to grant access to OneDrive.
If you navigate to portal.office.com and then click on a user's name, that will bring up some settings for that user. The setting I am referring to is under the dropdown for OneDrive Settings, (see attached image).
Is there a way to automate this process via some PowerShell cmdlet?
Solved
I found an article that shows how to run PowerShell commands via the SharePoint Online Management Shell
Tutorial link has the section for Prerequisites for setup: Easy Manage Multiple Office 365 Tenants with Windows PowerShell
Actual PowerShell commands:
$site = Get-SPOSite -Identity https://mydemo-my.sharepoint.com/personal/sarad_mydemo_onmicrosoft_com
Set-SPOUser -Site $site.Url -LoginName admin#mydemo.onmicrosoft.com -IsSiteCollectionAdmin $true
Tutorial: How to Get Administrative Access to the OneDrive for Business Environment for a User
I have "external user" from TenantA AD added to TenantB in Azure and added as "owner" to one of B subscriptions.
How can I connect with PowerShell using that external user to TenantB subscription?
Login-AzureRmAccount/Add-AzureRmAccount while using external users' UPN in -Credential and specifying tenantId/subscriptionId of TenantB gives me error:
add-azurermaccount : The provided account <...> does not have access to subscription ID "<...>". Please try logging in with
different credentials or a different subscription ID.**
Looking at Get-MsolUser output of TenantB, I can see external user from tenantA in the following form:
PS C:\> get-msoluser
UserPrincipalName DisplayName isLicensed
----------------- ----------- ----------
<username>_tenantA.onmicrosoft.com#EXT##tenantB.onmicrosoft.com <..> False
I would start with clearing the cached credentials using:
Get-AzureAccount | ForEach-Object { Remove-AzureAccount $_.ID -Force }
Then use Login-AzureRmAccount and enter the credentials for TenantA. You should be able to switch the subscription using.
Select-AzureRmSubscription -SubscriptionName
How do you set the Reply URL for a service principal with powershell.
The following doesn't commands don't add anything to that field when I check on the management portal.
$aa = new-AzureADApplication -DisplayName "Name" -HomePage "addr" -IdentifierUris "addr"
new-AzureADServicePrincipal -ApplicationId $aa.ApplicationId
..... setting up the roles and etc.
The IdentifierUris seem to only fill the APP ID URI. It takes an array but when I do something like this, azure responds with an internal error:
Either
$arr = #("addr1","addr2")
New-AzureAdApplication -IdentifierUris $arr
or
New-AzureAdApplication -IdentifierUris (,$arr)
or
New-AzureAdApplication -IdentifierUris #("addr1","addr2")
Is it possible to set this field through powershell?
I don't know of a way to do it with the Azure PowerShell modules, but you can do it with the Set-MsolServicePrincipal cmdlet in the Azure AD (aka MSOnline) module. Reply URLs can be managed via the Addresses collection.
Example (from https://gist.github.com/rytmis/4178996):
$addresses = $principal.Addresses
$addresses.Add((New-MsolServicePrincipalAddresses -Address http://localhost:81))
$addresses.Add((New-MsolServicePrincipalAddresses -Address http://my-deployment-endpoint.cloudapp.net))
Set-MsolServicePrincipal -AppPrincipalId $appPrincipalId -Addresses $addresses
Edit (some background info)
Applications and Service Principals are separate but related entities. (This article explains the relationship between the two).
When you create an application via the Azure AD portal, it creates both the application and the service principal. To get the same result from PowerShell, you have to create both objects.
# Create the application object
$azureAdApplication = New-AzureRmADApplication -DisplayName "<Your Application Display Name>" `
-HomePage "<https://YourApplicationHomePage>" `
-IdentifierUris "<https://YouApplicationUri>"
# Create the corresponding service principal
New-AzureRmADServicePrincipal -ApplicationId $azureAdApplication.ApplicationId
Application/Service Principal combinations created this way should show up in the portal, and can be used the same way as those created in the portal.