Powershell Block Credential on MS Graph - powershell

I currently have a Powershell script that is run when users are being terminated and one of the commands is Set-MsolUser -UserPrincipalName $UPN -BlockCredential $true. Given that Microsoft is retiring the MSOnline module later this year (as stated here), I have been migrating several of our scripts to use the Graph Powershell module.
I know that Microsoft created new cmdlets for Graph that are supposed to mimic the cmdlets for MSOnline, and the corresponding cmdlet is Update-MgUser, but in the documentation I do not see any parameter for -BlockCredential.
I was just wondering what the Graph equivalent for Set-MsolUser -BlockCredential $true might be. I would like to get away from MSOnline not only because it is being retired but also because I need it to run in Powershell 7.
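As an added example (not part of the original question or of Microsoft's documentation), this is the Graph SDK form of that termination step: accountEnabled is the property BlockCredential toggled, and revoking refresh tokens closes sessions the disable alone would leave alive. It assumes the Microsoft.Graph.Users and Microsoft.Graph.Users.Actions modules (SDK 2.x) and a $UPN variable as in the script above.

```powershell
# Added example: Graph SDK replacement for Set-MsolUser -UserPrincipalName $UPN -BlockCredential $true.
# Assumes Microsoft.Graph.Users and Microsoft.Graph.Users.Actions (SDK 2.x) are installed.
param([Parameter(Mandatory)][string]$UPN)

# User.ReadWrite.All covers both updating accountEnabled and revoking sign-in sessions.
Connect-MgGraph -Scopes 'User.ReadWrite.All' -NoWelcome

# accountEnabled = false is what BlockCredential set; -AccountEnabled is a switch,
# so the colon form is required to pass $false.
Update-MgUser -UserId $UPN -AccountEnabled:$false

# Disabling the account does not invalidate tokens already issued. Revoking the
# refresh tokens makes existing sessions die once their access tokens expire.
Revoke-MgUserSignInSession -UserId $UPN | Out-Null

# Verify before the offboarding script reports success.
$user = Get-MgUser -UserId $UPN -Property 'id,userPrincipalName,accountEnabled'
if ($user.AccountEnabled) {
    throw "Failed to disable sign-in for $UPN"
}
Write-Output "$($user.UserPrincipalName) disabled (accountEnabled = $($user.AccountEnabled))"
```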

Related

Best way to authenticate an Azure Automation Powershell script

I'm trying to implement a fairly simple PowerShell query, hosted in Azure Automation, to manage External Identities
I've set up a System Managed Identity and have successfully connected using Connect-AzAccount -Identity
But when I run it, it says You must call the Connect-AzureAD cmdlet before calling any other cmdlets
The next cmdlet is Get-AzureADPolicy, which I think triggered the above message
Following this blog, I tried this:
$AzureContext = Set-AzContext -SubscriptionName $AzureContext.Subscription -DefaultProfile $AzureContext -ErrorAction Stop
Connect-AzureAD -TenantId $AzureContext.Tenant.TenantId -AccountId $AzureContext.Account.Id
and I get this: Unable to find an entry point named 'GetPerAdapterInfo' in DLL 'iphlpapi.dll'
Am not at all sure now what to do; any help appreciated
PS: I'm aware there are quite few related questions, but I have not been able to find an answer to this particular query ...
I was having the same issue and I resolved it by using the below commands. I have added comments to underline what each statement is meant for.
# Ensures you do not inherit an AzContext in your runbook. Out-Null is used to disable any output from this Cmdlet.
Disable-AzContextAutosave -Scope Process | Out-Null
# Connect to Azure with system-assigned managed identity.
$AzureContext = (Connect-AzAccount -Identity).context
# set and store context. Out-Null is used to disable any output from this Cmdlet.
Set-AzContext -SubscriptionName $AzureContext.Subscription -DefaultProfile $AzureContext | Out-Null
With help from M/S support, I can now clarify the issue. The core point is that it is not possible to authenticate for AzureAD (with Connect-AzureAD) using Managed Identity; a Run As account must be used, at least currently
Further, for our use case, the Run As account had to have "Global Admin" role; "Owner" was not sufficient
It is of course possible to use Managed Identity for managing other Azure Resources (using Connect-AzAccount)

Azure AD authentication via Powershell returns null

I'm trying to authenticate to my Intune tenant using Powershell & the AzureAD module. In Windows Powershell (5.1) it works, but in Powershell 7 the same code returns null. I get the login prompt, enter my credentials, and respond to the MFA prompt on my phone. Any ideas on what's happening?
$Resource = "https://graph.microsoft.com"
$ClientID = "d1ddf0e4-d672-4dae-b554-9d5bdfd93547"
$RedirectUri = "urn:ietf:wg:oauth:2.0:oob"
# $PlatformParams has PromptBehavior set to Always
$Authority = "https://login.microsoftonline.com/mytenant.onmicrosoft.com/oauth2/v2.0/token"
$AuthenticationContext = New-Object -TypeName "Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext" -ArgumentList $Authority -ErrorAction Stop
$AuthenticationResult = ($AuthenticationContext.AcquireTokenAsync($Resource, $ClientID, $RedirectUri, $PlatformParams)).Result
$AuthenticationResult is null in Powershell 7, but contains the expected data in Powershell 5.1.
PowerShell 6/7 (aka cross-platform Core) encourages you to use the new Az modules based on the CLI. For AAD, refer to this and the get access token reference.
If you still insist on using the legacy AzureAD module for some reason, consider running in compatibility mode (though I don't see a reason to stick to the legacy one since you already seem to have gotten into the new PowerShell). People have written blog posts about that (Disclaimer: I haven't tried it myself).
Also, in your example code I see you are not using any PowerShell cmdlets anyway, but ADAL objects. That is another thing I recommend you avoid (though not directly related to this problem). ADAL is deprecated and replaced by MSAL. The PowerShell module is MSAL.PS.
Example using MSAL.PS:
Install-Module -Name MSAL.PS
Get-MsalToken -ClientId 'd1ddf0e4-d672-4dae-b554-9d5bdfd93547' -TenantId 'mytenant.onmicrosoft.com' -Scopes 'https://graph.microsoft.com/.default'
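An added example (not from the original answer) that takes the MSAL.PS call one step further: it checks that a token actually came back, which is the symptom the question describes, and then uses it against Graph. The ClientId and TenantId are the placeholder values from the question.

```powershell
# Added example: acquire a token with MSAL.PS and use it against Microsoft Graph.
# ClientId/TenantId are the placeholders from the question; replace with your own.
Install-Module -Name MSAL.PS -Scope CurrentUser

$token = Get-MsalToken -ClientId 'd1ddf0e4-d672-4dae-b554-9d5bdfd93547' `
                       -TenantId 'mytenant.onmicrosoft.com' `
                       -Scopes 'https://graph.microsoft.com/.default' `
                       -Interactive

# Fail loudly instead of silently carrying a $null into later calls.
if (-not $token -or [string]::IsNullOrEmpty($token.AccessToken)) {
    throw 'Get-MsalToken returned no access token'
}
Write-Host "Token expires at $($token.ExpiresOn.LocalDateTime)"

# Prove the token works: read the signed-in user's profile.
$me = Invoke-RestMethod -Uri 'https://graph.microsoft.com/v1.0/me' `
                        -Headers @{ Authorization = "Bearer $($token.AccessToken)" }
Write-Output "Signed in as $($me.userPrincipalName)"
```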

Create Unified and Dynamic Membership Office 365 group Via Powershell in AzureAD

In the GUI of Azure it is really easy to do this: you simply create a new Office 365 group and set dynamic rules, but it seems difficult to do via PowerShell. The closest I can get is using the following PowerShell line. It seems to error out on the group types portion. I can't seem to get it to create a group with both types; my guess is I am just not formatting it correctly. I am using the AzureADPreview module at version 2.0.2.85 since the normal AzureAD module does not work at all for this.
New-AzureADMSGroup -DisplayName "name" -Description "description" -MailEnabled $True -MailNickName "MailName" -SecurityEnabled $True -GroupTypes 'Unified, DynamicMembership' -MembershipRule '(user.userPrincipalName -contains "somafeasokdfalksjfjlkads")' -MembershipRuleProcessingState $true
gives me the error
Code: Request_BadRequest
Message: Invalid value specified for property 'groupTypes' of resource 'Group'.
GUI Creation
Powershell Get
https://learn.microsoft.com/en-us/powershell/module/azuread/new-azureadmsgroup?view=azureadps-2.0
The gist is I am trying to find a powershell way to get a Azure group like the second photo. Ie both dynamic and unified.
I figured out a workaround: you can create the group just as Unified, then use a script Microsoft posted
https://learn.microsoft.com/en-us/azure/active-directory/users-groups-roles/groups-change-type
I had to modify it to get it to work, but basically I ran the following
$knowngoodgroup = 'INSERTGUID'
$BadGroup = 'INSERTGUID'
$memberRule = 'INSERTMEMBERRULE'
[System.Collections.ArrayList]$groupTypes = (Get-AzureAdMsGroup -Id $knowngoodgroup).GroupTypes
Set-AzureAdMsGroup -Id $BadGroup -GroupTypes $groupTypes.ToArray() -MembershipRuleProcessingState "On" -MembershipRule $memberRule
My guess is they will fix this in the future.
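As an added example (not from the original post or answer), here is the same group created in one call with the Graph PowerShell SDK. Two details differ from the failing command above: -GroupTypes takes an array, so the two types are separate elements rather than one comma-separated string, and MembershipRuleProcessingState is the string 'On', not a boolean. It assumes the Microsoft.Graph.Groups module; names and the rule are placeholders.

```powershell
# Added example: create a group that is both Unified and DynamicMembership via the Graph SDK.
# Assumes Microsoft.Graph.Groups is installed; display name, nickname and rule are placeholders.
Connect-MgGraph -Scopes 'Group.ReadWrite.All' -NoWelcome

$params = @{
    DisplayName                   = 'Marketing Team'
    Description                   = 'Dynamic Microsoft 365 group for Marketing'
    MailEnabled                   = $true
    MailNickname                  = 'marketing-team'
    SecurityEnabled               = $false
    GroupTypes                    = @('Unified', 'DynamicMembership')   # array, not 'Unified, DynamicMembership'
    MembershipRule                = '(user.department -eq "Marketing")'
    MembershipRuleProcessingState = 'On'                                # string, not $true
}
$group = New-MgGroup @params

# Confirm both types landed on the object. Membership evaluation is asynchronous,
# so members can take a few minutes to appear after creation.
$check = Get-MgGroup -GroupId $group.Id -Property 'id,displayName,groupTypes,membershipRule'
if (($check.GroupTypes -contains 'Unified') -and ($check.GroupTypes -contains 'DynamicMembership')) {
    Write-Output "Created $($check.DisplayName) ($($check.Id)) with types: $($check.GroupTypes -join ', ')"
} else {
    throw "Group created but groupTypes = $($check.GroupTypes -join ', ')"
}
```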

Setting a mail forward in Exchange Powershell

I want to be able to set an email forward in Exchange Powershell O365
I'm trying
Set-Mailbox -Identity emailaddress -DeliverToMailboxAndForward $true -ForwardingSMTPAddress forwardingaddress
but getting
A parameter cannot be found that matches parameter name
'DeliverToMailboxAndForward'.
Do I need to load a snap-in? I can't find any help about this.
You forgot your $'s my friend
Set-Mailbox -Identity $emailaddress -DeliverToMailboxAndForward $true -ForwardingSMTPAddress $forwardingaddress
Also, something to look out for when using an Exchange Online PSSession (and maybe a regular Exchange PSSession) is that it uses the JEA functionality of PowerShell. JEA is Just Enough Administration: it actually looks at what roles the account used to connect to the PowerShell session has, and it ONLY gives you the commands that account has the roles to do. I'm not sure if it goes to the level of removing parameters from functions you only have partial access to. For the missing cmdlet part though, I ran into this while beating my head against the wall writing a batch migration utility, only to find out the SysAdmin never gave me the permission to do batch migration. As soon as they gave me the permission and I imported the PSSession again, BAM, the cmdlet was there.
Hope that helps.
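An added example (not from the original answer) with the two checks a practitioner wants around the forwarding command above: first, confirm the connected account's Exchange role actually exposes the parameters, since role-trimmed sessions drop cmdlets and parameters as described above; second, list every mailbox that already forwards somewhere, because a silently added forward is a common persistence technique after a mailbox compromise. It assumes the ExchangeOnlineManagement module and that Connect-ExchangeOnline has already run.

```powershell
# Added example: verify the session exposes the forwarding parameters, then audit forwards.
# Assumes ExchangeOnlineManagement is installed and Connect-ExchangeOnline has been called.

# A "parameter cannot be found" error can mean the role assigned to the connected
# account does not include it, not that the cmdlet is wrong.
$cmd = Get-Command Set-Mailbox -ErrorAction Stop
foreach ($p in 'DeliverToMailboxAndForward', 'ForwardingSmtpAddress') {
    if (-not $cmd.Parameters.ContainsKey($p)) {
        throw "Set-Mailbox does not expose -$p for this account; check its Exchange role assignment."
    }
}

# Report every mailbox that forwards externally (ForwardingSmtpAddress) or internally
# (ForwardingAddress), and whether a copy is still delivered to the mailbox.
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward |
    Format-Table -AutoSize
```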

How to get Log On As account for Windows Service via PowerShell

New to PowerShell and I'm guessing this exists but I cannot find it. I am looking for a PowerShell command that will show me the account being used to run a Windows service. I am first going to check it is running, then make sure it is running using the correct AD account. I have the following so far...
$serviceName = '<my service name>'
If (Get-Service $serviceName -ErrorAction SilentlyContinue) {
    If ((Get-Service $serviceName).Status -eq 'Running') {
        $status = "$serviceName found and is running."
    } Else {
        $status = "$serviceName found, but it is not running."
    }
    #Here is where I should check Log On As name
} Else {
    $status = "$serviceName not found."
}
write-host "Status: $status`n"
pause
Most of my searches lead me to Get-WmiObject, but I did not find what I was looking for. Thanks in advance for any help.
(Get-WmiObject Win32_Service -Filter "Name='$serviceName'").StartName. (Yes, the name of this property is rather counter-intuitive, but the docs don't lie).
You could also use the more recent CIM cmdlets, which is really where MS wants and is directing folks to go.
Get-CimInstance -ClassName CIM_Service | Select-Object Name, StartMode, StartName
What is CIM and Why Should I Use It in PowerShell?
https://blogs.technet.microsoft.com/heyscriptingguy/2014/01/27/what-is-cim-and-why-should-i-use-it-in-powershell
Update for WMI
In Windows PowerShell 4.0 and Windows PowerShell 3.0, Microsoft offered an updated method for interacting with WMI: the CIMCmdlets module for Windows PowerShell. With this new Windows PowerShell module release, Microsoft also released an entirely new Application Programming Interface (API) for Windows called Management Infrastructure (MI).
The new MI API more closely aligns to the DMTF standards, as laid out on MSDN in Why Use MI? MI allows software developers and hardware manufacturers to expose information, and it allows IT professionals to interact with hardware, using standards-based mechanisms. As this technology continues to evolve, I believe that we will see more cross-platform integration between Microsoft Windows and competing platforms.
Should I use CIM or WMI with Windows PowerShell?
https://blogs.technet.microsoft.com/heyscriptingguy/2016/02/08/should-i-use-cim-or-wmi-with-windows-powershell
Get-WmiObject is one of the original PowerShell cmdlets. (As a quick quiz, how many of the 137 original cmdlets can you name?). It was enhanced in PowerShell 2.0 when the other WMI cmdlets were introduced. In PowerShell 1.0, Get-WmiObject was the only cmdlet with the option to access another system.
The big drawback to the WMI cmdlets is that they use DCOM to access remote machines. DCOM isn’t firewall friendly, can be blocked by networking equipment, and gives some arcane errors when things go wrong.
The CIM cmdlets appeared in PowerShell 3.0 as part of the new API for working with CIM classes, which is more standards based. The CIM cmdlets were overshadowed by PowerShell workflows, but they are (to my mind) the most important thing to come out of that release.
The other major CIM-related advance was the introduction of CDXML, which enables a CIM class to be wrapped in some simple XML and published as a PowerShell module. This is how over 60% of the cmdlets in Windows 8 and later are produced.
With PowerShell 7, you can retrieve the Log On As user like this:
(Get-Service $serviceName).username
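As an added example (not from the original question or answers), the check the question left as a comment, written around the Win32_Service StartName property the answers point to: it reports whether the service exists, is running, and runs as the expected account. The function name, the $ExpectedAccount parameter and the sample values are assumptions for this example.

```powershell
# Added example: confirm a service is running AND runs as the expected Log On As account.
# Test-ServiceLogonAccount and its parameters are names chosen for this example.
function Test-ServiceLogonAccount {
    param(
        [Parameter(Mandatory)][string]$ServiceName,
        [Parameter(Mandatory)][string]$ExpectedAccount,   # e.g. 'CONTOSO\svc-app' or 'LocalSystem'
        [string]$ComputerName = $env:COMPUTERNAME
    )

    # Win32_Service exposes State and StartName; the CIM cmdlets use WinRM rather than DCOM,
    # so this also works through firewalls where Get-WmiObject would not.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'" -ComputerName $ComputerName
    if (-not $svc) {
        return "$ServiceName not found on $ComputerName."
    }
    if ($svc.State -ne 'Running') {
        return "$ServiceName found on $ComputerName, but it is $($svc.State)."
    }

    # StartName holds the Log On As account (LocalSystem, NT AUTHORITY\..., or DOMAIN\user).
    # -ne is case-insensitive in PowerShell, which suits Windows account names.
    if ($svc.StartName -ne $ExpectedAccount) {
        return "$ServiceName is running, but as '$($svc.StartName)' instead of '$ExpectedAccount'."
    }
    return "$ServiceName is running as $($svc.StartName)."
}

# Sample call with a built-in service; replace with your service and AD account.
Test-ServiceLogonAccount -ServiceName 'Spooler' -ExpectedAccount 'LocalSystem'
```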