We Keep Coding

PowerShell Script Issue New-EXOPSSession : unknown_user_type: Unknown User Type

Running the following Powershell script to try to connect to Gov Azure AD:
Add-Type -Path ".\Source\Binaries\Microsoft\Microsoft.IdentityModel.Clients.ActiveDirectory.dll"
Import-Module ".\Source\Binaries\Microsoft\Microsoft.Exchange.Management.ExoPowershellModule.dll"
$username = "email#businessdomain.onmicrosoft.us"
$password = ConvertTo-SecureString "testemailpassword" -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential ($username, $password)
$connectionURI = "https://ps.compliance.protection.office365.us/powershell-liveid/"
New-EXOPSSession -ConnectionUri $connectionURI -Credential $cred
But seeing this error come back
New-EXOPSSession : unknown_user_type: Unknown User Type
At line:9 char:1
+ New-EXOPSSession -ConnectionUri $connectionURI -Credential $cred
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [New-ExoPSSession], AdalException
+ FullyQualifiedErrorId : Microsoft.IdentityModel.Clients.ActiveDirectory.AdalException,Microsoft.Exchange.Management.E
xoPowershellSnapin.NewExoPSSession
I am able to run this similar script for a non-government environment (https://ps.compliance.protection.outlook.com/powershell-liveid/ as my URI) and see that I successfully connect without error

Please make sure the credentials (username and password )provided are correct and not having any special characters in them while using in the script and make sure to use latest microsoft exchange online module of v2 .
Try to get the credential first , then pass them in the connection segment.
$cred=get-credential
Connect-ExchangeOnline -Credential $cred -ShowProgress $true
$connectionURI = "https://ps.compliance.protection.office365.us/powershell-liveid/"
New-EXOPSSession -ConnectionUri $connectionURI -Credential $cred -ShowProgress $true
Or please try to use command as for non mfa account by using credential and dont credentials for mfa enabled account
$UserCredential = Get-Credential
Connect-IPPSSession -Credential $UserCredential
Or something like this SO refrence
Note: If ExchangeEnvironmentName is used, ConnectionUri parameter is
not required.
Use the stored variable name ($UserCredential) for this parameter .
• You can try below command which connects to Exchange Online PowerShell in a Microsoft GCC High organization:
Connect-ExchangeOnline -Credential $UserCredential -ShowProgress $true -ExchangeEnvironmentName O365USGovGCCHigh
In case, if the account you are using has MFA enabled use
userprincipal name.
Example:
Connect-ExchangeOnline -UserPrincipalName lxxra#xxxxxairlines.us -ExchangeEnvironmentName O365USGovGCCHigh
To connect to Microsoft 365 DoD organization replace environment name with O365USGovDoD to this Connect-ExchangeOnline -UserPrincipalName xxxx#contoso.com -ShowProgress $true
Give your user name correctly and Microsoft authenticator will authenticate if mfa enabled.
References:
Connect to Exchange Online PowerShell | Microsoft Docs
addazureaccount-unknownusertype | social.msdn.microsoft.com

How to request a certificate from a CA on a remote machine using PowerShell?

I am trying to invoke a PowerShell command on a remote computer. I'd like to request a certificate from an in-house CA. If I run the following command directly on the remote PC the operation is successful:
Get-Certificate -Template 1.3.6.1.4.1.311.21.8.9612972.3074733.7357589.1249582.14248002.117.5480590.5436517 -Credential $cred -Url ldap: -CertStoreLocation Cert:\LocalMachine\My
When I run the following command from a remote computer on the same domain I get the WIN32: 87 error shown below. I have googled the error extensively and cannot figure out the issue (fyi.. I have mitigated the double hop issue earlier in my script by using Enable-WSManCredSSP).
$user = 'ABCCOmpany\<password>' #We are using the local machine's Administrator account
$password = ConvertTo-SecureString '<password>' -asplaintext -force
$credential = New-Object -typename System.Management.Automation.PSCredential -ArgumentList $user, $password
$RequestAndReceiveCertificateSuccessful = Invoke-Command -Session $s -ScriptBlock{param($cred) Get-Certificate -Template 1.3.6.1.4.1.311.21.8.9612972.3074733.7357589.1249582.14248002.117.5480590.5436517 -Credential $cred -Url ldap: -CertStoreLocation Cert:\LocalMachine\My} -ArgumentList $credential
Error:
The parameter is incorrect. 0x80070057 (WIN32: 87 ERROR_INVALID_PARAMETER)
+ CategoryInfo : NotSpecified: (:) [Get-Certificate], Exception
+ FullyQualifiedErrorId : System.Exception,Microsoft.CertificateServices.Commands.GetCertificateCommand
+ PSComputerName : Agent3

Why does Azure Powershell script think I'm not logged-in?

I'm building an Azure Powershell script to add a DB firewall rule.
I first of all login using Add-AzureRmAccount:
$userName = "j---#s---.--"
$securePassword = ConvertTo-SecureString -String "---------" -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential($userName, $securePassword)
Add-AzureRmAccount -Credential $cred
This returns the following, which I assume means that I have successfully logged-in:
Environment : AzureCloud
Account : j---#s---.--
TenantId : [GUID]
SubscriptionId : [GUID]
SubscriptionName : Visual Studio Ultimate mit MSDN
CurrentStorageAccount :
At this stage I can query for my subscription:
Get-AzureRmSubscription –SubscriptionName "Visual Studio Ultimate mit MSDN" | Select-AzureRmSubscription
Which returns
Account : j---#s---.--
Environment : AzureCloud
Subscription : [GUID]
Tenant : [GUID]
So far, so good.
However, whenever the script calls anything at the resource-group level, such as
Find-AzureRmResource -ResourceNameContains "-----NorthEurope"
then it responds with
Run Login-AzureRmAccount to login.
The exception detail is
+ CategoryInfo : InvalidOperation: (:) [Find-AzureRmResource], PSInvalidOperationException
+ FullyQualifiedErrorId : InvalidOperation,Microsoft.Azure.Commands.ResourceManager.Cmdlets.Implementation.FindAzureResourceCmdlet
Which doesn't help me at all.
I've even explicitly called
Login-AzureRmAccount $cred
prior to the Find-AzureRmResource call, but this makes no difference.
Of course, what I'm ultimately looking to do is call
New-AzureRmSqlServerFirewallRule -ResourceGroupName "-----NorthEurope" `
-ServerName "-----.database.windows.net" `
-FirewallRuleName "test1" `
-StartIpAddress "-.-.-.-" `
-EndIpAddress "-.-.-.-"
But that encounters the same exception.
Can anyone explain why I keep getting asked to run Login-AzureRmAccount after I've apparently successfully added the account?
Solution
What got it working for me, as #Tomer alluded to in the comments, was to forcefully re-get all AzureRm modules.

office 365 powershell login with service principal or OAuth2

I can find information about how to create Service Principals for Office365 with Powershell - but I can't find any how to login with them in Powershell. Is this not possible? I am currently using this code, that works with my Admin account but not with service credentials (that work with Azure) :
$AdminName = "application-id"
$Pass = ConvertTo-SecureString "application-key" -AsPlainText –Force
$Cred = new-object -typename System.Management.Automation.PSCredential -argumentlist $AdminName, $Pass
# Azure Login working
#$tenantId = "tenant-id"
#Add-AzureRmAccount -Credential $Cred -ServicePrincipal -TenantId $tenantId
# MSOnline / Office365-Login not working
Import-Module MSOnline
Connect-MsolService -Credential $Cred
The error I get at the "Connect-MsolService" is :
Connect-MsolService : Unable to authenticate your credentials. Make
sure that your user name is in the format: <username>#<domain>. If
this issue persists, contact Support.
Connect-MsolService -Credential $Cred
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
CategoryInfo : OperationStopped: (:) [Connect-MsolService], MicrosoftOnlineException
FullyQualifiedErrorId : 0x80048862,Microsoft.Online.Administration.Automation.ConnectMsolService

Running Set-AzureRmAppServicePlan from Automation script (RunBook)

I'm trying to run Set-AzureRmAppServicePlan from automation runbook but getting
Set-AzureRmAppServicePlan : Run Login-AzureRmAccount to login. At
line:20 char:1
+ Set-AzureRmAppServicePlan -ResourceGroupName "...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [Set-AzureRMAppServicePlan], PSInvalidOperationException
+ FullyQualifiedErrorId : InvalidOperation,Microsoft.Azure.Commands.WebApps.Cmdlets.AppServicePlans.SetAzureAppServicePlanCmdlet
Note that actual runbook authentication using Automation Credential is successful.
And I can run this script from local powershell using
Login-AzureRmAccount
Add-AzureRmAccount
Set-AzureRmAppServicePlan...
Is it possible at all to run this from automation without interactive login?
Thanks
Pavel

figure it out.. pretty simple instead of
Add-AzureAccount - which is used in sample runbook Get-AzureVMTutorial created automatically
need to use
Add-AzureRmAccount
for use with Azure Resource Manager cmdlet requests like
Set-AzureRmAppServicePlan
Leaving question / answer here.. might still help someone

If you are not using MFA, pls see the following cmds, replace 'yourPassword', 'yourUserName', 'yourEnvironment', 'yourSubscriptionId', 'yourTenantId' with your own message and put it to your script then you can login without interactive page.
$userPassword = ConvertTo-SecureString -String "yourPassword" -AsPlainText -Force
$psCred = new-object -typename System.Management.Automation.PSCredential -argumentlist 'yourUserName', $userPassword
$credential = Get-Credential -Credential $psCred
add-azureRmAccount -EnvironmentName 'yourEnvironment' -credential $credential -subscriptionId 'yourSubscriptionId' -tenant 'yourTenantId'