I am doing some tests to manage Azure AD users and groups with Powershell.
Unfortunately, i have an issue when i try to create an user. Here my code :
#Specifies the user's password profile.
$PasswordProfile=New-Object -TypeName Microsoft.Open.AzureAD.Model.PasswordProfile
$PasswordProfile.Password = "xxxx"
#Create a AzureAD user account
PS C:\Windows\system32> New-AzureADUser -DisplayName "Power SHELL"
-GivenName "Power" -SurName "SHELL"
-UserPrincipalName power.shell#xxxx.xx -UsageLocation FR
-MailNickName Power Shell -PasswordProfile $PasswordProfile
-AccountEnabled $true
When I validate the PasswordProfile, I have this error message :
New-AzureADUser: Failed to bind parameter 'PasswordProfile'. Cannot convert value '$PasswordProfile' of type 'System.String to type “Microsoft.Open.AzureAD.Model.PasswordProfile”.
I look in a lot of forum but i can't find any solution to make it works.
Thanks for your help.
Geoffrey
I could create the user successfully with the commands you have provided and as per microsoftDocs:
Result:
I could reproduce the issue with error:
Cannot bind parameter 'PasswordProfile'.
" value of type "System.String" to type "Microsoft.Open.AzureAD.Model.PasswordProfile".
when i actually placed quotes around $PasswordProfile like below
New-AzureADUser -DisplayName "xxx" -GivenName "xx" -SurName "xx" -UserPrincipalName xxxx.onmicrosoft.com -UsageLocation US -MailNickName navy -PasswordProfile "$PasswordProfile" -AccountEnabled $true
So please try by placing $PasswordProfile in quotes in your case to resolve the issue.
-PasswordProfile "$PasswordProfile"
similar case here : Cannot convert 'System.Object[]' to the type .. | techcommunity.microsoft.com
Please make sure password is valid and check if string as input type for Parameter somehting like here
or
Try this way:
$PasswordProfile = New-Object -TypeName
Microsoft.Open.AzureAD.Model.PasswordProfile
$PasswordProfile.Password = "Ixxxxxxxk"
$params = #{
AccountEnabled = $true
DisplayName = "xxxn"
PasswordProfile = $PasswordProfile
UserPrincipalName = "xxx#xxxxxx.onmicrosoft.com"
MailNickName = "xxxxx"
}
New-AzureADUser #params
References:
set-azureaduserlicense-cannot-bind-parameter-assignedlicenses
Related
$credential = Get-Credential
Connect-MicrosoftTeams -Credential $credential
Connect-AzureAD -Credential $credential
Connect-MsolService -Credential $credential
Connect-PnPOnline -Url "https://domain.sharepoint.com/sites/user"
#---------------------------------Call queue
$Util2 = Get-PnPListItem -List "2"
foreach ($temp2 in $Util2) {
$CQNom = $temp2['CQ_nom']
$CQMail = $temp2['CQ_Compte_de_ressource']
$CQNum = $temp2['Tel_sda']
# Your config
$cqName = $CQNom
# Create resource account of call queue type
$cqRaParams = #{
UserPrincipalName = $CQMail
# ID taken from cmdlet documentation
ApplicationId = '11cd3e2e-fccb-42ad-ad00-878b93575e07'
DisplayName = "RA_$cqName"
}
$newCqRa = New-CsOnlineApplicationInstance #cqRaParams
$User = Get-AzureADUser -ObjectId $newCqRa.ObjectId
Set-AzureADUser -ObjectId $User.ObjectId -UsageLocation US
$License = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicense
$License.SkuId = "440eaaa8-b3e0-484b-a8be-62870b9ba70a"
$LicensesToAssign = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicenses
$LicensesToAssign.AddLicenses = $License
Set-AzureADUserLicense -ObjectId $User.ObjectId -AssignedLicenses $LicensesToAssign
Set-CsOnlineApplicationInstance -Identity $newCqRa.ObjectId -OnpremPHONENUMBER $CQNum }
I have a problem with my program. I am creating a call queue for several users who are stored in a Sharepoint list. At the point where I have to assign them phone numbers it shows me an error. Someone can help me ?
The application endpoint was not found in Active Directory.
+ CategoryInfo : NotSpecified: (:) [Set-CsOnlineApplicationInstance], ApplicationInstanceManagementException
+ FullyQualifiedErrorId : Microsoft.Rtc.Management.Hosted.PlatformService.ApplicationInstance.ApplicationInstanceManagementException,Microsoft.Rtc.Management.Hosted.PlatformService.ApplicationInstance.SetCsOnlineApplicationInstanceCmdlet
+ PSComputerName : api.interfaces.records.teams.microsoft.com
A note: when I run this program on a single user it works normally.
enter image description here
enter image description here
We just checked it at our end and we were able to assign the phone numbers to the users. Can you just try with the following command to update the user details.
$personList = #{upn='sip:uset1#contoso.com';phoneNumber='tel:+14250000000'},#{upn='sip:uset2#contoso.com';phoneNumber='tel:+14250000001'}
Foreach($item in $personList)
{
Set-CsUser -Identity $item.upn -EnterpriseVoiceEnabled $true -HostedVoiceMail $true -OnPremLineURI $item.phoneNumber
}
I have a script that creates new users that can be used for different operations.
Param(
[Parameter(Mandatory=$True,Position=1)]
[string]$GivenName, #=givenName
[Parameter(Mandatory=$True,Position=2)]
[string]$Name, # =sn
[Parameter(Mandatory=$True,Position=9)]
[string]$ADuser,
[Parameter(Mandatory=$True,Position=4)]
[string]$Description, #=title
[Parameter(Mandatory=$True,Position=4)]
[string]$AdministrationUser,
[Parameter(Mandatory=$True,Position=4)]
[string]$SamAccManager
)
after these parameters I have a new-user -name and so on, But I want to user the last Parameter SamAccManager to be added to the adminDisplayName, so I can search who is in charge of that AD user as there will be users that have no logon rights, will be used only for test purposes.
new-aduser -name $DisplayName -DisplayName $DisplayName -Description $Description -GivenName $GivenName -Surname $Name -SamAccountName $usr -UserPrincipalName $UserPrincipalName -Path $OU_AD
How Can I integrate to add that info into that specific adminDisplayName field? for example, I want to add in the last section code -admindisplayname $samaccmanager , but I can not do that as it is an invalid parameter. Any ideas?
First thing I noticed is that you add duplicate values for Position to the parameters. Also, there is a parameter you do not seem to use: $AdministrationUser and personally, I would change the param names for some of them so it becomes much clearer what they stand for.
The code below uses Splatting to feed the parameters to the New-ADUser cmdlet. This is a nice readable and maintainable way of calling on cmdlets with lots of properties.
Param(
[Parameter(Mandatory=$True,Position=0)]
[string]$GivenName, # =givenName
[Parameter(Mandatory=$True,Position=1)]
[string]$SurName, # =SurName
[Parameter(Mandatory=$True,Position=2)]
[string]$AccountName, # =SamAccountName
[Parameter(Mandatory=$True,Position=3)]
[string]$Description, # =title
[Parameter(Mandatory=$True,Position=4)]
[string]$OU, #= distinguishedName of the OU
[Parameter(Mandatory=$True,Position=5)]
[string]$SamAccManager #= AdminDisplayName
)
# create a hashtable for the New-ADUser parameters
$userParams = #{
Name = "$GivenName $SurName"
DisplayName = "$GivenName $SurName"
Description = $Description
GivenName = $GivenName
Surname = $SurName
SamAccountName = $AccountName
UserPrincipalName = "$AccountName#yourdomain.com"
Path = $OU
# add the AdminDisplayName attribute as hashtable
OtherAttributes = #{AdminDisplayName = $SamAccManager}
}
# create the user by splatting the parameters
New-ADUser #userParams
Of course, you can also set the AdminDisplayName property after creating the user by using
Set-ADuser -Identity $AccountName -Add #{AdminDisplayName = $SamAccManager}
I'm trying to create a local user in an Azure AD B2C directory which can be used for authentication immediately after creation.
Connect-AzureAD -TenantId $targetB2cTenant
$passwordProfile = New-Object -TypeName Microsoft.Open.AzureAD.Model.PasswordProfile
$passwordProfile.Password = "Test-User-Password-Here"
$userName = "TestUser#MyTestB2CTenant.onmicrosoft.com"
$signInNames = #(
(New-Object `
Microsoft.Open.AzureAD.Model.SignInName `
-Property #{Type = "userName"; Value = $userName})
)
$newUser = New-AzureADUser -AccountEnabled $True -DisplayName "testpowershellusercreation" -PasswordProfile $passwordProfile -SignInNames $signInNames -CreationType "LocalAccount"
Disconnect-AzureAD
From reading the documentation I need to specify the CreationType parameter as "LocalAccount":
https://learn.microsoft.com/en-us/powershell/module/azuread/new-azureaduser?view=azureadps-2.0
Creating a B2C user with MFA that can immediately login
However when I run the powershell code I receive the following error:
New-AzureADUser : Error occurred while executing NewUser
Code: Request_BadRequest
Message: One or more properties contains invalid values.
This error message is not present when I remove the -CreationType parameter.
What is the correct way to create a local account in a B2C directory using Powershell?
A sign-in name of type "userName" can't contain the '#' character in the value property.
i.e. You can't set it to an email address.
You might want to also set the following parameters for the new user:
$passwordProfile = New-Object -TypeName Microsoft.Open.AzureAD.Model.PasswordProfile
$passwordProfile.ForceChangePasswordNextLogin = $False
$passwordProfile.Password = "<Password>"
$newUser = New-AzureADUser ... -PasswordPolicies "DisablePasswordExpiration"
I think you could also change the type of sign-in name from "userName" to "email", to work around this issue and allow users to continue using their foreign domain email addresses as login, if required.
$signInNames = (
(New-Object `
Microsoft.Open.AzureAD.Model.SignInName `
-Property #{Type = "email"; Value = "pstesta#fsdfsd.com"})
)
I have a small problem with the New-ADUser command in powershell.
I'm trying to create a bunch of users from a file, and I can't seem to do it right.
I do create the accounts, but when I try to log into them, it tells me that the "connection method used isn't authorized" (I am sorry if the message isn't exact, the system I'm using isn't in english)
I am using a straight out of the box AD installed on a Windows Server 2012 R2. Everything was left as default for the moment.
The command I'm using is :
for ($i = $BeginLoopAt; $i -le $EndLoopAt; $i++) {
$Id = $WorkSheet.cells.Item($i, 1).text
$FirstName = $WorkSheet.cells.Item($i, 2).text
$LastName = $WorkSheet.cells.Item($i, 3).text
$Country = $WorkSheet.cells.Item($i, 4).text
$Location = $WorkSheet.cells.Item($i, 5).text
$Department = $WorkSheet.cells.Item($i, 6).text
$AccountName = ($FirstName.Substring(0, 1) + $LastName).ToLower()
New-ADUser -Name "$AccountName" -EmployeeID $Id -Country $County -City $Location -Department $Department -GivenName $FirstName -Surname $LastName -Path "$UserPath" -ChangePasswordAtLogon $true -Enabled $true -accountPassword (ConvertTo-SecureString -AsPlainText "Azerty01" -Force) -passThru
Seeing the error, I believed that the error was coming from the fact that I didn't add a -AuthType, but after trying with both options from -AuthType, error wouldn't go away.
It event prints the following error if I choose -AuthType Basic
New-ADUser : The username is not provided. Specify username in ClientCredentials.
At C:\Users\Administrateur\Desktop\script.ps1:132 char:5
+ New-ADUser -Name "$AccountName" -EmployeeID $Id -Country $County -City $Loca ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [New-ADUser], ADException
+ FullyQualifiedErrorId : ActiveDirectoryServer:0,Microsoft.ActiveDirectory.Management.Commands.NewADUser
Well, Basic AuthType seems to be for SSL login, which isn't what *I want
There is close to no difference between properties of users created with Powershell and users created through GUI. (None that I have seen)
But the users created through GUI can log in, while those created by powershell can't.
What did I miss?
Thanks in advance!
EDIT :
After some tests, i realized that, as a matter of fact, i couldn't log in with ANY account created after the AD was installed... Kinda failed before, I thought i created a user named User3 because other names were taken, and I tested with User2 that was there before AD installation...
Meaning, I can only log in accounts that existed before AD DS was installed, and I absolutely don't know why.
Change the line: -ChangePasswordAtLogon $true to -ChangePasswordAtLogon 0
You must specify at least a SAMAccountName (using the -SamAccountName option) before you can login since this is the pre-windows2000 login name which is used in a lot of places in AD (it's also used in some default environment variables of users like %username%).
See https://technet.microsoft.com/en-us/library/ee617253.aspx for the documentation on New-ADUser.
Below is my Powershell script -
Import-Module ActiveDirectory
$objOU=[ADSI]“LDAP://OU=Service,OU=Accounts,DC=xyz,DC=com”;
$dataSource=import-csv “add_user2.csv”;
foreach($dataRecord in $datasource)
{
$cn=$dataRecord.FirstName + ” ” + $dataRecord.LastName
$sAMAccountName=$dataRecord.FirstName + “.” + $dataRecord.LastName
$givenName=$dataRecord.FirstName
$sn=$dataRecord.LastName
$displayName=$sn + “, ” + $givenName
$userPrincipalName=$sAMAccountName + “#test.com”;
#Additional Attributes
$objUser=$objOU.Create(“user”,”CN=”+$cn)
$objUser.Put(“sAMAccountName”,$sAMAccountName)
$objUser.Put(“userPrincipalName”,$userPrincipalName)
$objUser.Put(“displayName”,$displayName)
$objUser.Put(“givenName”,$givenName)
$objUser.Put(“sn”,$sn)
#Place the additional attributes into the record
$objUser.Put("PasswordNeverExpires", $true)
$objUser.SetInfo()
}
I am trying to set the values of an ActiveDirectory user, using the above script. The problem I am facing is I am not able set the "PasswordNeverExpires" attribute under Account Options in Account tab to True.
My input file "add_user1.csv" looks like -
FirstName LastName
Test Account1
Will appreciate all help.
Regards.
Another thing you could use to get around having to fiddle with the UserAccountControl property is to use the PasswordNeverExpires parameter of Set-ADUser.
$objUser | Set-ADUser -PasswordNeverExpires
In fact, you could replace a lot of that code by using New-ADUser
Import-Module ActiveDirectory
$dataSource=import-csv “add_user2.csv”;
foreach($dataRecord in $datasource)
{
$cn=$dataRecord.FirstName + ” ” + $dataRecord.LastName
$sAMAccountName=$dataRecord.FirstName + “.” + $dataRecord.LastName
$givenName=$dataRecord.FirstName
$sn=$dataRecord.LastName
$displayName=$sn + “, ” + $givenName
$userPrincipalName=$sAMAccountName + “#test.com”;
New-ADUser $cn -SamAccountName $sAMAccountName -GivenName $givenName `
-Surname $sn -DisplayName $displayName -UserPrincipalName $userPrincipalName `
-PasswordNeverExpires $true -Path "OU=Service,OU=Accounts,DC=rjfdev,DC=com"
}
There is no PasswordNeverExpires property. If you run Get-Member on $objUser you will see this. These properties are controlled by UserAccountControl. For more information look here.
This blog article details how to set the password never expires attribute to true:
Setting "Password never expire" attribute on user object
This property unlike many other properties of AD object are contained in bitmask
attribute UserAccountControl
(not related in any way with User Account Control feature of Windows).
To set it you need to retrieve current value of this attribute and use binary OR
operation (-bor) to calculate new value.
$User = [ADSI]"LDAP://cn=Gusev,ou=Users,ou=Lab,dc=contoso,dc=com"
$UAC = $User.UserAccountControl[0] -bor 65536
$User.Put("userAccountControl",$UAC)
$User.SetInfo()
Your script needs to be modified as such:
$objUser.SetInfo()
#Place the additional attributes into the record
$UAC = $objUser.UserAccountControl[0] -bor 65536
$objUser.Put("userAccountControl",$UAC)
$objUser.SetInfo()
Without running SetInfo() twice the script will throw an error.