How to get a list of members and their Active assignment role in Azure AD? - powershell

I would like to do a validation of members who have an "Active assignment" role in Azure AD. Is there a way to know if the role was granted by a group or directly? How could I get the information into my script? Thank you for your help
Connect-AzureAD
# Every activated directory role in the tenant
$roles = Get-AzureADDirectoryRole | Select-Object ObjectId, DisplayName
ForEach ($role in $roles) {
    # Members of each role, tagged with the role name
    Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId | Select-Object @{n="Azure role";e={$role.DisplayName}}, DisplayName
}

You found the easiest solution using PowerShell. I checked with MS Graph; it is a bit more difficult than PowerShell. I also removed one of the statements from your code which is not required.
I tested in my environment; it is working fine for me.
Connect-AzureAD
$roles = Get-AzureADDirectoryRole
ForEach ($role in $roles) {
    Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId | Select-Object @{n="Azure role";e={$role.DisplayName}}, DisplayName
}
output:
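The AzureAD-module script above lists members but cannot tell whether a member holds the role directly or through a role-assignable group, which was the second part of the question. The following is an added example (not code from the question or the answer) using the Microsoft Graph PowerShell SDK instead. It assumes the Microsoft.Graph module is installed and that the signed-in account can consent to the two scopes it requests; the function and output column names are this example's own.

```powershell
# Added example: active directory-role members with "direct vs. via group" attribution,
# using the Microsoft Graph PowerShell SDK (Microsoft.Graph module).

function Resolve-PrincipalName {
    param($DirectoryObject)
    # Members come back as generic directoryObjects; the useful attributes live in
    # AdditionalProperties rather than in typed properties.
    $p = $DirectoryObject.AdditionalProperties
    if ($p['userPrincipalName']) { return $p['userPrincipalName'] }
    return $p['displayName']
}

function Get-EffectiveRoleMembers {
    [CmdletBinding()]
    param(
        # Optional: restrict output to one role, e.g. "Global Administrator".
        [string] $RoleDisplayName
    )

    # Get-MgDirectoryRole lists only roles that have been activated in the tenant,
    # and the members it exposes are *active* assignments (permanent or PIM-activated).
    # PIM-eligible assignments do not appear here until they are activated.
    $roles = Get-MgDirectoryRole -All
    if ($RoleDisplayName) {
        $roles = $roles | Where-Object DisplayName -eq $RoleDisplayName
    }

    foreach ($role in $roles) {
        foreach ($member in (Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All)) {
            $odataType = $member.AdditionalProperties['@odata.type']

            if ($odataType -eq '#microsoft.graph.group') {
                # The role is granted to a role-assignable group. Such groups cannot
                # contain other groups, so one level of expansion yields the people
                # who actually inherit the role.
                $groupName = $member.AdditionalProperties['displayName']
                foreach ($gm in (Get-MgGroupMember -GroupId $member.Id -All)) {
                    [pscustomobject]@{
                        Role          = $role.DisplayName
                        PrincipalType = ($gm.AdditionalProperties['@odata.type'] -replace '^#microsoft\.graph\.', '')
                        Principal     = Resolve-PrincipalName $gm
                        PrincipalId   = $gm.Id
                        AssignedVia   = "Group: $groupName"
                    }
                }
            }
            else {
                # Direct assignment to a user or a service principal.
                [pscustomobject]@{
                    Role          = $role.DisplayName
                    PrincipalType = ($odataType -replace '^#microsoft\.graph\.', '')
                    Principal     = Resolve-PrincipalName $member
                    PrincipalId   = $member.Id
                    AssignedVia   = 'Direct'
                }
            }
        }
    }
}

# Usage: read-only scopes are enough for this report.
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'Directory.Read.All'
Get-EffectiveRoleMembers |
    Sort-Object Role, AssignedVia, Principal |
    Format-Table Role, Principal, PrincipalType, AssignedVia -AutoSize
```

Pipe the output to Export-Csv if the validation needs a record; the AssignedVia column is the field to review when deciding whether a group, rather than the person, should be the subject of an access review.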


Using MgGraph PowerShell 1.0 - Update-MgGroup -AdditionalProperties how to update the resourceBehaviorOptions option?

The education institution I am helping uses the Moodle plugin Microsoft 365 Integration, which I believe uses the latest MgGraph v1.0 to create Microsoft 365 Teams groups.
The Moodle plugin creates Microsoft 365 Teams groups, but some settings cannot be updated in the Exchange Admin Center after their creation; it returns an error.
The property to be set being
The error received is not really helping
This Microsoft 365 Teams group uses the HiddenMembership visibility, since MS Teams classes can also be used and, for privacy reasons, this visibility is used. Unfortunately, the PHP code created by the Moodle MS plugin adds more security features that prevent the groups from sending emails to each other, since the above property cannot be updated.
To get more information about the error, I tried to use MgGraph to set the Setting programmatically
$params = @{
    AutoSubscribeNewMembers = $true
}
Update-MgGroup -GroupId $groupid -BodyParameter $params
Then I got the below error:
AutoSubscribeNewMembers parameter can't be true when SubscriptionEnabled
is set to false on the group.
Looking all around, I finally found where the SubscriptionEnabled value is set.
((get-MgGroup -GroupId $groupid).AdditionalProperties).resourceBehaviorOptions
Outputs :
SubscriptionDisabled
SharePointMemberReadonly
CalendarMemberReadOnly
WelcomeEmailDisabled
SubscribeNewGroupMembers
HideGroupInOutlook
ConnectorsDisabled
AllowOnlyMembersToPost
I tried to remove that value from the group's AdditionalProperties.resourceBehaviorOptions but got this error.
$resourceBehaviorOptionsParams = @{
    "SubscriptionDisabled" = "false";
}
$additionalParams = @{
    resourceBehaviorOptions = $resourceBehaviorOptionsParams
}
Update-MgGroup -GroupId $groupid -AdditionalProperties $additionalParams
Error
An unexpected 'StartObject' node was found for property named 'resourceBehaviorOptions' when reading from the JSON reader. A 'StartArray' node was expected.
How can I remove the SubscriptionDisabled Option from the resourceBehaviorOptions section ?
I tried to reproduce the same in my environment and got the same error as below.
The error usually occurs if you don't have a proper license, such as
Exchange Online, or if the subscription is disabled on that Teams group.
When I ran the same MgGraph commands as you to find out more about the error, I got the same response as below:
Connect-MgGraph
$groupid = "f2210ee6-451a-496b-8b39-c2xxxxxxxf"
$params = @{
    AutoSubscribeNewMembers = $true
}
Update-MgGroup -GroupId $groupid -BodyParameter $params
Response:
When I tried the same script as you to remove the SubscriptionDisabled option, I got the same error as below:
$groupid = "f2210ee6-451a-496b-8b39-c289xxxxxdaf"
$resourceBehaviorOptionsParams = @{
    "SubscriptionDisabled" = "false";
}
$additionalParams = @{
    resourceBehaviorOptions = $resourceBehaviorOptionsParams
}
Update-MgGroup -GroupId $groupid -AdditionalProperties $additionalParams
Response:
To resolve the error, you can enable subscription for that teams group using below Exchange Online commands:
Connect-ExchangeOnline
Set-UnifiedGroup -Identity "Devi Team" -SubscriptionEnabled:$true
Response:
After enabling the subscription, I ran below command to enable AutoSubscribeNewMembers like this:
Set-UnifiedGroup -Identity "Devi Team" -AutoSubscribeNewMembers:$true
Response:
When I checked the same in the Exchange Admin Center, the option was enabled successfully, like below:
You can also enable the "Allow external senders to email this group" option if needed from the portal, like this, after enabling the subscription:
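The answer's fix is an ordering constraint: Exchange Online refuses AutoSubscribeNewMembers while SubscriptionEnabled is off. The function below is an added example (not the poster's script, and not the Moodle plugin's code) that checks the group's resourceBehaviorOptions through Graph for the record, then applies the two Set-UnifiedGroup changes in the required order and returns the resulting state for verification. It assumes the Microsoft.Graph and ExchangeOnlineManagement modules are installed and that the group's mail nickname is usable as the Exchange identity; the group ID in the usage line is a placeholder.

```powershell
# Added example: enable subscription and auto-subscribe on a Microsoft 365 group in the
# order Exchange Online requires, after inspecting resourceBehaviorOptions via Graph.

function Enable-GroupAutoSubscribe {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $GroupId   # object ID of the Microsoft 365 group
    )

    # resourceBehaviorOptions is a string collection and, per the Graph 'group' resource
    # documentation, can only be set when the group is created. That is why the PATCH with
    # a nested hashtable fails ('StartArray' expected): the property is an array, and even
    # a correctly shaped PATCH would not clear SubscriptionDisabled afterwards.
    $group = Get-MgGroup -GroupId $GroupId -Property 'id,displayName,mailNickname,resourceBehaviorOptions'
    $behaviors = @($group.ResourceBehaviorOptions)
    if (-not $behaviors) { $behaviors = @($group.AdditionalProperties['resourceBehaviorOptions']) }
    Write-Verbose ("{0}: resourceBehaviorOptions = {1}" -f $group.DisplayName, ($behaviors -join ', '))

    # Exchange Online owns the subscription settings. The mail nickname is the group's alias,
    # which Get-/Set-UnifiedGroup accept as -Identity (assumption: alias and nickname match).
    $identity = $group.MailNickname
    $before = Get-UnifiedGroup -Identity $identity |
        Select-Object DisplayName, SubscriptionEnabled, AutoSubscribeNewMembers

    # Order matters: SubscriptionEnabled first, AutoSubscribeNewMembers second.
    if (-not $before.SubscriptionEnabled) {
        if ($PSCmdlet.ShouldProcess($group.DisplayName, 'Enable SubscriptionEnabled')) {
            Set-UnifiedGroup -Identity $identity -SubscriptionEnabled:$true
        }
    }
    if (-not $before.AutoSubscribeNewMembers) {
        if ($PSCmdlet.ShouldProcess($group.DisplayName, 'Enable AutoSubscribeNewMembers')) {
            Set-UnifiedGroup -Identity $identity -AutoSubscribeNewMembers:$true
        }
    }

    # Re-read and return the effective state so the caller can verify it.
    Get-UnifiedGroup -Identity $identity |
        Select-Object DisplayName, SubscriptionEnabled, AutoSubscribeNewMembers
}

# Usage (placeholder group ID); -WhatIf previews the two changes without applying them.
Connect-MgGraph -Scopes 'Group.Read.All'
Connect-ExchangeOnline
Enable-GroupAutoSubscribe -GroupId '00000000-0000-0000-0000-000000000000' -Verbose -WhatIf
```

Because the group was created with HiddenMembership for privacy, re-check the visibility setting after the change: the two Set-UnifiedGroup switches do not touch it, but the verification step makes that explicit.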

How to remove users that have roles scoped to a specific Azure AD Administrative Unit via Powershell

I am trying to understand the correct PowerShell command to remove one or more users which have a role granted to them which is scoped over the members of an Administrative Unit.
For example, a Help Desk Employee that is empowered with Authentication Administrator over an AU that contains all the staff at their office location.
It would appear that the correct way to do this using Azure AD Powershell would be to use Remove-AzureADMSScopedRoleMembership but I cannot find any documentation on what inputs are desired for this command or if this is even the right method to reach the desired outcome.
Documentation: https://learn.microsoft.com/en-us/powershell/module/azuread/remove-azureadmsscopedrolemembership?view=azureadps-2.0
Iterations I have tried:
Remove-AzureADMSScopedRoleMembership -id "Object ID of user with scoped role" -ScopedRoleMembershipId "/administrativeUnits/ObjectId of AU"
Remove-AzureADMSScopedRoleMembership : Error occurred while executing RemoveMSScopedRoleMembership
Code: BadRequest
Message: Resource not found for the segment
Remove-AzureADMSScopedRoleMembership -id "Object ID of AU with scoped roles" -ScopedRoleMembershipId "Object ID of user with scoped role"
Remove-AzureADMSScopedRoleMembership : Error occurred while executing RemoveMSScopedRoleMembership
Code: BadRequest
I have reproduced this in my environment, following the Microsoft documentation, and got the expected results as below:
Firstly, I have added a scopedrole as below:
Connect-AzureAD
$User = Get-AzureADUser -SearchString "Display Name of User"
$Role = Get-AzureADDirectoryRole | Where-Object -Property DisplayName -EQ -Value "User Administrator"
$RoleMember = New-Object -TypeName Microsoft.Open.AzureAD.Model.RoleMemberInfo
$Unit = Get-AzureADAdministrativeUnit | Where-Object -Property DisplayName -Eq -Value Test
$RoleMember.ObjectId = $User.ObjectID
Add-AzureADScopedRoleMembership -ObjectId $unit.ObjectId -RoleObjectId $Role.ObjectId -RoleMemberInfo $RoleMember
I took the ScopedRoleMembershipId from the Microsoft Graph API using the request below:
https://graph.microsoft.com/v1.0/directory/administrativeUnits/{admin-unit-id}/scopedRoleMembers
Then I used the command below to remove the user, following the Microsoft documentation:
Remove-AzureADScopedRoleMembership -ObjectId $unit.ObjectId -ScopedRoleMembershipId "08ovlLXBT0CMQ7kJaZRJU"
If you follow the above process, the user will be removed, as mine was.
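The answer looks up the membership ID with a raw Graph call and removes it with the older Remove-AzureADScopedRoleMembership. The following is an added example (not the question's or the answer's code) that stays within the MS-prefixed AzureAD cmdlets the question was trying: Get-AzureADMSScopedRoleMembership, whose -Id is the administrative unit's object ID, lists the scoped memberships, and the Id of each membership record is what Remove-AzureADMSScopedRoleMembership -ScopedRoleMembershipId expects. It assumes the AzureAD module is installed; the AU name, UPN and function name are placeholders.

```powershell
# Added example: remove a user's role(s) scoped to an administrative unit, resolving the
# ScopedRoleMembershipId in PowerShell rather than copying it from a Graph response.

function Remove-UserScopedRole {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $AdministrativeUnitName,
        [Parameter(Mandatory)] [string] $UserPrincipalName,
        # Optional: remove only this role; by default every scoped role the user holds in the AU is removed.
        [string] $RoleDisplayName
    )

    $au = Get-AzureADMSAdministrativeUnit -Filter "displayName eq '$AdministrativeUnitName'"
    if (-not $au) { throw "Administrative unit '$AdministrativeUnitName' not found." }
    $user = Get-AzureADUser -ObjectId $UserPrincipalName

    # Membership records carry the directory role's object ID, not its name; build a lookup.
    $roleNames = @{}
    Get-AzureADDirectoryRole | ForEach-Object { $roleNames[$_.ObjectId] = $_.DisplayName }

    # -Id here is the AU's object ID (not a user ID and not a '/administrativeUnits/...' path).
    $memberships = Get-AzureADMSScopedRoleMembership -Id $au.Id |
        Where-Object { $_.RoleMemberInfo.Id -eq $user.ObjectId }
    if ($RoleDisplayName) {
        $memberships = $memberships | Where-Object { $roleNames[$_.RoleId] -eq $RoleDisplayName }
    }
    if (-not $memberships) {
        Write-Warning "No scoped role membership for $UserPrincipalName in '$AdministrativeUnitName'."
        return
    }

    foreach ($m in $memberships) {
        $roleName = $roleNames[$m.RoleId]
        if ($PSCmdlet.ShouldProcess("$UserPrincipalName / $roleName in $AdministrativeUnitName", 'Remove scoped role membership')) {
            Remove-AzureADMSScopedRoleMembership -Id $au.Id -ScopedRoleMembershipId $m.Id
            [pscustomobject]@{
                User               = $UserPrincipalName
                Role               = $roleName
                AdministrativeUnit = $AdministrativeUnitName
                MembershipId       = $m.Id
            }
        }
    }
}

# Usage (placeholders); drop -WhatIf to actually remove the scoped assignment.
Connect-AzureAD
Remove-UserScopedRole -AdministrativeUnitName 'Test' -UserPrincipalName 'helpdesk@contoso.com' -RoleDisplayName 'Authentication Administrator' -WhatIf
```

Keep the returned objects: the membership ID and role name are what you want in the change record when offboarding a help-desk operator from an AU-scoped role.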

Get-MgDirectoryRoleMember returns "does not exist or one of its queried reference-property objects are not present" despite the ID existing

I'm trying to return a list of users within a certain Azure AD Role, say Application Administrators, for example.
I'm running the cmdlet Get-MgDirectoryRoleMember from the Microsoft.Graph SDK module (the SDK being new to me), but running into an error for every role I try to query.
Get-MgDirectoryRoleMember -DirectoryRoleId "9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3"
But it returns (for any role ID):
Get-MgDirectoryRoleMember : Resource '9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3' does not exist or one of its queried reference-property objects are not present.
At line:1 char:1
+ Get-MgDirectoryRoleMember -DirectoryRoleId "9b895d92-2cd3-44c7-9d02-a ...
The Role ID of "9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3" is universal for the Application Administrator, as is shown in the docs here for App Admin Template ID. So I know that it's a correct ID for that role template.
My only other thought is permission based, checking the required roles for this command by using Find-MgGraphCommand -command Get-MGDirectoryRoleMember | Select -First 1 -ExpandProperty Permissions
I find that RoleManagement.Read.Directory should be all that is required according to this corresponding description it returns:
Allows the app to read the role-based access control (RBAC) settings for your company's directory, on your behalf. This includes reading directory role templates, directory roles and memberships.
Any direction would be much appreciated, thank you!
EDIT: This really turned into a question on the difference between Get-MGDirectoryRole and Get-MGDirectoryRoleTemplate. My last comment on scottwtang's answer clarifies the difference with a link to Microsoft documentation.
The documentation you linked contains the role template ID, the cmdlet Get-MgDirectoryRoleMember requires the role ID.
You can get the role ID using Get-MgDirectoryRole. See the object output below with the 2 different Ids.
DeletedDateTime :
Description : Can create and manage all aspects of app registrations and enterprise apps.
DisplayName : Application Administrator
Id : b68e3c0d-282b-4914-bd21-f1e11f4562a0
Members :
RoleTemplateId : 9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3
ScopedMembers :
AdditionalProperties : {}
Example
You can first use Get-MgDirectoryRole to get the role ID, and then feed it into Get-MgDirectoryRoleMember
$roleName = "Application Administrator"
# Get the directory role
$adminRole = Get-MgDirectoryRole -Filter "DisplayName eq '$RoleName'"
# Get all role assignments
Get-MgDirectoryRoleMember -DirectoryRoleId $adminRole.Id
Note, if the admin role hasn't been activated (the role has not ever been assigned), Get-MgDirectoryRole will fail, so you need to activate the role first.
$roleName = "Application Administrator"
# Get the directory role
$adminRole = Get-MgDirectoryRole -Filter "DisplayName eq '$RoleName'"
# If the role hasn't been activated, we need to get the role template ID to first activate the role
if ($adminRole -eq $null)
{
$adminRoleTemplate = Get-MgDirectoryRoleTemplate | where {$_.DisplayName -eq $RoleName}
$adminRole = New-MgDirectoryRole -RoleTemplateId $adminRoleTemplate.Id
}
# Get all role assignments
Get-MgDirectoryRoleMember -DirectoryRoleId $adminRole.Id

How to assign a particular admin role to an Azure AD application?

I hope someone can help..
I have a registered application (TestApp3), with which I connect successfully using:
Connect-AzureAD -TenantId $tenant -CertificateThumbprint $thumb -ApplicationId $applicationID
Now once connected, I need to assign users to a different application (TestApp2).
If I use the following command (when connected as Global Admin)
Add-AzureADDirectoryRoleMember -ObjectId (Get-AzureADDirectoryRole | where-object {$_.DisplayName -eq "Application administrator"}).Objectid -RefObjectId $sp.ObjectId
This will grant the App Admin role to the application TestApp3.
So, the following will work when connected as TestApp3:
New-AzureADUserAppRoleAssignment -ObjectId $user.ObjectID -PrincipalId $user.ObjectID -ResourceId $servicePrincipal.ObjectId -Id ([Guid]::Empty)
This will add a user to the list of assigned users for the servicePrincipal TestApp2.
However, its 'scoped' across the tenant. How do I configure it so TestApp3 can only assign users for the specific app TestApp2?
Thanks..
//A
How do I configure it so TestApp3 can only assign users for the
specific app TestApp2?
According to this Microsoft document, assign app owners:
Similar to an application administrator, an owner has the capability to
manage many or all Azure AD configuration aspects, but for a
specific organization application (app registration or enterprise
application) they are assigned to.
They can do user assignments, SSO configuration and provisioning. An owner can even add/remove other owners and can manage only the applications that they own.
Add an owner using PowerShell cmdlets.
Connect-AzureAD
Add-AzureADApplicationOwner -ObjectId xxxxxx-xxxx-xxxx3-xxx -RefObjectId xxxx-xxxx-xxx-xxxx-xxxxxxxx
ObjectId > object id of the application
References:
assign-application-owners- Azure AD | Microsoft Docs
Add Azure AD Application as owner of another AD Application –
LockTar’s Blog

Check if user is a member of the local admins group on a remote server

The user is a member of the AD security group "Domain\Sql Admins", and the security group "Domain\Sql Admins" is a member of the local Administrators group on a Windows Server.
I have tried the following PowerShell script:
$u = "Username"; net localgroup administrators | Where {$_ -match $u}
This script will only return the user if it is added directly to the admin group. Do I have to cycle through all of the groups in the admin group until I find my user? Or is there another way?
Check out this article, by Boe Prox on the Microsoft Hey Scripting Guy blog. He describes how to check if the user is a local administrator or not.
http://blogs.technet.com/b/heyscriptingguy/archive/2011/05/11/check-for-admin-credentials-in-a-powershell-script.aspx
This article points to a Test-IsAdmin function that was posted onto the TechNet Gallery.
http://gallery.technet.microsoft.com/scriptcenter/1b5df952-9e10-470f-ad7c-dc2bdc2ac946
The function contains the following code, which returns $true or $false.
([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")
PowerShell 5.1 (Windows Server 2016) contains Get-LocalGroupMember cmdlet.
$user = "$env:COMPUTERNAME\$env:USERNAME"
$group = 'Administrators'
$isInGroup = (Get-LocalGroupMember $group).Name -contains $user
Using the SID:
([Security.Principal.WindowsIdentity]::GetCurrent().Groups | Select-String 'S-1-5-32-544')
Or using a "Well-known" security identifier name:
([Security.Principal.WindowsIdentity]::GetCurrent().Groups.IsWellKnown('BuiltinAdministratorsSid') -eq $true)
if you want to get all the SIDs and their names, please check this page: https://support.microsoft.com/en-us/help/243330/well-known-security-identifiers-in-windows-operating-systems
If you happen to be using the PowerShell Community Extension you can use the Test-UserGroupMembership command e.g.:
Test-UserGroupMembership Administrators
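Every answer above tests the current process on the local machine, and Get-LocalGroupMember shows only direct entries, so "Domain\Sql Admins" would appear as a group rather than as the user inside it. The following is an added example (not from any answer here) for the remote, nested case: it asks the remote server to build a logon token for the user (the WindowsIdentity(upn) constructor performs an S4U logon, so no password is needed) and checks whether BUILTIN\Administrators (S-1-5-32-544) is in that token; token group evaluation already includes nested domain groups. It assumes a domain-joined server reachable via PowerShell remoting that can contact a domain controller, and a UPN rather than a DOMAIN\user name; the host names and UPN are placeholders.

```powershell
# Added example: effective (nested) local Administrators membership on remote servers,
# evaluated by the target machine itself via an S4U token rather than by walking groups.

function Test-RemoteLocalAdmin {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string[]] $ComputerName,
        [Parameter(Mandatory)] [string]   $UserPrincipalName,   # e.g. jdoe@corp.example
        [string] $GroupSid = 'S-1-5-32-544'                     # BUILTIN\Administrators
    )

    Invoke-Command -ComputerName $ComputerName -ArgumentList $UserPrincipalName, $GroupSid -ScriptBlock {
        param($Upn, $Sid)
        try {
            # S4U logon on the target: the token reflects this machine's local group
            # membership, including the user's nested domain groups.
            $identity = New-Object System.Security.Principal.WindowsIdentity($Upn)
            $tokenSids = $identity.Groups | ForEach-Object { $_.Value }
            $isAdmin   = $tokenSids -contains $Sid

            # Direct entries of the local group, for the audit trail: this is where a
            # domain group such as DOMAIN\Sql Admins shows up (PowerShell 5.1+).
            $direct = (Get-LocalGroupMember -SID $Sid).Name

            [pscustomobject]@{
                ComputerName  = $env:COMPUTERNAME
                User          = $Upn
                IsLocalAdmin  = $isAdmin
                DirectEntries = ($direct -join '; ')
                Error         = $null
            }
        }
        catch {
            # Typical causes: no DC reachable for S4U, unknown UPN, remoting denied.
            [pscustomobject]@{
                ComputerName  = $env:COMPUTERNAME
                User          = $Upn
                IsLocalAdmin  = $null
                DirectEntries = $null
                Error         = $_.Exception.Message
            }
        }
    }
}

# Usage (placeholder hosts and UPN)
Test-RemoteLocalAdmin -ComputerName 'sql01', 'sql02' -UserPrincipalName 'jdoe@corp.example' |
    Format-Table ComputerName, User, IsLocalAdmin, DirectEntries, Error -AutoSize
```

A $null IsLocalAdmin with a populated Error column means the check could not run, not that the user lacks the right; treat those hosts as unverified rather than clean.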