We have an Azure App Registration and run a PowerShell script from an Azure Runbook to sync users from AAD to the SharePoint User Profile Store.
The app has approved consent to read users from AAD via Graph and to read/write SharePoint user profiles.
The PowerShell script connects to Graph and PnP Online as the app, which is working fine:
$serviePrincipalName = 'ZZZ-SPOScript'
$servicePrincipalConnection=Get-AutomationConnection -Name $serviePrincipalName
Connect-MgGraph -TenantId $servicePrincipalConnection.TenantId -ClientId $servicePrincipalConnection.ApplicationID -CertificateThumbprint $servicePrincipalConnection.CertificateThumbprint
Connect-PnPOnline -Url "https://ourtenant-admin.sharepoint.com" -Tenant $servicePrincipalConnection.TenantId -ClientId $servicePrincipalConnection.ApplicationID -Thumbprint $servicePrincipalConnection.CertificateThumbprint
We can get all users from AAD:
$users = Get-MgUser -All -Property "Id,mail,UserPrincipalName,extension_b8fc35d8e8ec45e689d332303177957a_ZZZ_townCode,extension_b8fc35d8e8ec45e689d332303177957a_ZZZ_costNumber,extension_b8fc35d8e8ec45e689d332303177957a_employeeID,extension_b8fc35d8e8ec45e689d332303177957a_employeeNumber,extension_b8fc35d8e8ec45e689d332303177957a_ZZZ_title,extension_b8fc35d8e8ec45e689d332303177957a_ZZZ_office,extension_b8fc35d8e8ec45e689d332303177957a_extensionAttribute6,extension_b8fc35d8e8ec45e689d332303177957a_extensionAttribute7"
We iterate over all users:
foreach($user in $users) {...
But when we try to get the user profile properties from SharePoint by calling
$fldValue = (Get-PnPUserProfileProperty -Account $user.UserPrincipalName).UserProfileProperties."ZZZ-CostNumber";
we get "Current user is not a tenant administrator."
Our service principal ZZZ-SPOScript, which runs the script within the Runbook, is of course not a tenant admin (and never will be).
So we added an app permission entry for the Azure App Registration via /_layouts/15/AppInv.aspx
with the following permissions to elevate to FullControl:
<AppPermissionRequests>
<AppPermissionRequest Scope="http://sharepoint/content/tenant" Right="FullControl" />
</AppPermissionRequests>
But we still get "Current user is not a tenant administrator." when the script tries to call
Get-PnPUserProfileProperty
Are we missing something, or could this be a bug in PnP Online?
Additional finding: as stated here, we should add Full Control permissions for the social features.
So I updated the permissions to
<AppPermissionRequests AllowAppOnlyPolicy="true">
<AppPermissionRequest Scope="http://sharepoint/content/tenant" Right="FullControl" />
<AppPermissionRequest Scope="http://sharepoint/social/tenant" Right="FullControl" />
</AppPermissionRequests>
But still the same error.
Looks like there is simply a typo in the very first string:
$serviePrincipalName = 'ZZZ-SPOScript'
The correct one should be
$servicePrincipalName = 'ZZZ-SPOScript'
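Completing the sync loop from the question above, as an added example that is not part of the original post: it maps the Graph extension attribute to the SharePoint profile property, skips users without a value, and records per-user failures (including a "not a tenant administrator" error) instead of aborting the whole Runbook. The property name ZZZ-CostNumber and the extension attribute are the ones from the question; the Connect-MgGraph/Connect-PnPOnline calls are assumed to have already succeeded as shown there.

```powershell
# Added example (not from the original post). Assumes Connect-MgGraph and
# Connect-PnPOnline have already succeeded as in the question.
$ext     = 'extension_b8fc35d8e8ec45e689d332303177957a_ZZZ_costNumber'  # Graph side (from the question)
$spoProp = 'ZZZ-CostNumber'                                              # SPO profile side (from the question)

$users = Get-MgUser -All -Property "Id,UserPrincipalName,$ext"

$failed = @()
foreach ($user in $users) {
    $upn = $user.UserPrincipalName
    # Directory extension attributes are exposed in AdditionalProperties by the Graph SDK
    $value = $user.AdditionalProperties[$ext]
    if ([string]::IsNullOrWhiteSpace($value)) {
        Write-Verbose "Skipping $upn : no $ext value in Azure AD"
        continue
    }
    try {
        $current = (Get-PnPUserProfileProperty -Account $upn).UserProfileProperties[$spoProp]
        if ($current -eq $value) { continue }   # already in sync, nothing to write
        Set-PnPUserProfileProperty -Account $upn -PropertyName $spoProp -Value $value
        Write-Output "Updated $spoProp for $upn"
    }
    catch {
        # Keep going: one failing account (or a permission problem) should not stop the run
        $failed += [pscustomobject]@{ User = $upn; Error = $_.Exception.Message }
    }
}

if ($failed.Count -gt 0) {
    Write-Warning "$($failed.Count) profile(s) could not be updated:"
    $failed | Format-Table -AutoSize | Out-String | Write-Warning
}
```

The failure list makes it obvious whether the error affects every account (a permission problem for the app) or only a few (missing profiles).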
Related
I hope someone can help.
I have a registered application (TestApp3), with which I connect successfully using:
Connect-AzureAD -TenantId $tenant -CertificateThumbprint $thumb -ApplicationId $applicationID
Now once connected, I need to assign users to a different application (TestApp2).
If I use the following command (when connected as Global Admin):
Add-AzureADDirectoryRoleMember -ObjectId (Get-AzureADDirectoryRole | where-object {$_.DisplayName -eq "Application administrator"}).Objectid -RefObjectId $sp.ObjectId
This will grant the App Admin role to the application TestApp3.
So, the following will work when connected as TestApp3:
New-AzureADUserAppRoleAssignment -ObjectId $user.ObjectID -PrincipalId $user.ObjectID -ResourceId $servicePrincipal.ObjectId -Id ([Guid]::Empty)
This will add a user to the list of assigned users for the servicePrincipal TestApp2.
However, it's 'scoped' across the tenant. How do I configure it so TestApp3 can only assign users for the specific app TestApp2?
Thanks..
//A
"How do I configure it so TestApp3 can only assign users for the specific app TestApp2?"
According to this Microsoft document (assign app owners):
Similar to application administrator, an owner has the capability to manage many or all Azure AD configuration aspects, but only for a specific organization application (app registration or enterprise application) they are assigned to.
They can do user assignments, SSO configuration and provisioning. An owner can even add/remove other owners and can manage only the applications that they own.
Add an owner using PowerShell cmdlets:
Connect-AzureAD
Add-AzureADApplicationOwner -ObjectId xxxxxx-xxxx-xxxx3-xxx -RefObjectId xxxx-xxxx-xxx-xxxx-xxxxxxxx
ObjectId > object id of the application
References:
Assign application owners - Azure AD | Microsoft Docs
Add Azure AD Application as owner of another AD Application – LockTar's Blog
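As an added example (not from the answer above): instead of the tenant-wide Application Administrator role granted in the question, this makes the TestApp3 service principal an owner of TestApp2 only, on both the app registration and the enterprise application (service principal) object, since user assignments are made against the service principal, and then removes the tenant-wide role membership. The display names TestApp2/TestApp3 are the ones used in the thread.

```powershell
# Added example (not part of the original answer). Run as a Global Administrator
# or another role allowed to manage owners. Names TestApp2/TestApp3 come from the thread.
Connect-AzureAD

# The principal that should be allowed to manage assignments: TestApp3's service principal
$managerSp = Get-AzureADServicePrincipal -Filter "displayName eq 'TestApp3'"

# The target application, both objects: app registration and enterprise application
$targetApp = Get-AzureADApplication      -Filter "displayName eq 'TestApp2'"
$targetSp  = Get-AzureADServicePrincipal -Filter "displayName eq 'TestApp2'"

if (-not $managerSp -or -not $targetApp -or -not $targetSp) {
    throw "Could not resolve the TestApp2/TestApp3 objects; check the display names."
}

# Ownership is scoped to these two objects only
Add-AzureADApplicationOwner      -ObjectId $targetApp.ObjectId -RefObjectId $managerSp.ObjectId
Add-AzureADServicePrincipalOwner -ObjectId $targetSp.ObjectId  -RefObjectId $managerSp.ObjectId

# Verify the owner is present on the service principal (the object user assignments target)
$owners = Get-AzureADServicePrincipalOwner -ObjectId $targetSp.ObjectId
if ($owners.ObjectId -notcontains $managerSp.ObjectId) {
    throw "TestApp3 is not listed as an owner of TestApp2's service principal."
}

# Drop the tenant-wide role the question granted, so only the object-scoped ownership remains
$role = Get-AzureADDirectoryRole | Where-Object { $_.DisplayName -eq 'Application Administrator' }
if ($role) {
    $members = Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId
    if ($members.ObjectId -contains $managerSp.ObjectId) {
        Remove-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -MemberId $managerSp.ObjectId
        Write-Output "Removed TestApp3 from the tenant-wide Application Administrator role."
    }
}
```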
I would like to remove all permissions of a list item using PnP Powershell
I have tried this command:
Set-PnPListItemPermission -List $list -Identity $item.Id -User 'user@contoso.com' -AddRole "Contribute"
However, the user running the script/command was also added with Full Control permissions.
Is there any other way to remove all existing permissions for a list item using PnP PowerShell?
Thanks
I tested connecting to a SharePoint Online site with a read-permission user in PnP PowerShell and then running the Set-PnPListItemPermission command; it throws an Access Denied error instead of adding Full Control permissions:
In summary, to set permissions for a list item, the user running the script is expected to have Full Control permission at the site level. Otherwise, the Access Denied error will be thrown.
The Full Control permissions should be applied via the site group; in the list, break permission inheritance and remove the group:
# Provide credentials over here
$creds = (New-Object System.Management.Automation.PSCredential "<<UserName>>",(ConvertTo-SecureString "<<Password>>" -AsPlainText -Force))
# Provide URL of the Site over here
# If you do not wish to pass credentials hard coded then you can use: -Credentials (Get-Credential). This will prompt to enter credentials
Connect-PnPOnline -Url http://MyServer/sites/MySiteCollection -Credentials $creds
# Get Context
$clientContext = Get-PnPContext
$targetWeb = Get-PnPWeb
# Get the list object
$targetList = $targetWeb.Lists.GetByTitle("List Name")
# Load List object
$clientContext.Load($targetList)
$clientContext.ExecuteQuery()
# This method will work only if role inheritance is broken (the list has unique role assignments) on the list
$targetList.RoleAssignments.Groups.RemoveByLoginName("test Visitors")
$clientContext.ExecuteQuery()
Disconnect-PnPOnline
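Added example, not from the answer above, for the question's actual goal of clearing all existing permissions on a single item: -ClearExisting drops the item's current role assignments when inheritance is broken, and the loop afterwards lists what is really left on the item, so an unintended Full Control grant (for example for the account running the script) is visible instead of assumed away. Site URL, list title, item id and user are placeholders.

```powershell
# Added example (not from the original thread). Placeholders: site URL, list title, item id, user.
# Assumes the connecting account has Full Control on the site, as the answer above notes is required.
Connect-PnPOnline -Url "https://contoso.sharepoint.com/sites/MySite" -Credentials (Get-Credential)

$list = Get-PnPList -Identity "Documents"
$item = Get-PnPListItem -List $list -Id 42

# Break inheritance, remove every existing role assignment, then grant only Read to one user
Set-PnPListItemPermission -List $list -Identity $item -ClearExisting -User "user@contoso.com" -AddRole "Read"

# Verify: reload the item and enumerate the assignments that actually remain on it
$item = Get-PnPListItem -List $list -Id 42
Get-PnPProperty -ClientObject $item -Property HasUniqueRoleAssignments, RoleAssignments | Out-Null

if (-not $item.HasUniqueRoleAssignments) {
    throw "Item $($item.Id) still inherits permissions from the list."
}

$remaining = foreach ($ra in $item.RoleAssignments) {
    Get-PnPProperty -ClientObject $ra -Property Member, RoleDefinitionBindings | Out-Null
    [pscustomobject]@{
        Principal = $ra.Member.LoginName   # e.g. i:0#.f|membership|user@contoso.com
        Roles     = ($ra.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ', '
    }
}
$remaining | Format-Table -AutoSize

# Flag anything that is not the single intended grant (catches the auto-added running account)
$unexpected = $remaining | Where-Object { $_.Principal -notlike "*user@contoso.com" }
if ($unexpected) {
    Write-Warning "Unexpected assignments remain on item $($item.Id):"
    $unexpected | Format-Table -AutoSize | Out-String | Write-Warning
}

Disconnect-PnPOnline
```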
I have been given a task to set up a scheduled task that will run daily to pull down the list of allowed domains from SPO. This is not an issue if I use Connect-SPOService and Get-SPOTenant, like this:
Connect-SPOService -Url https://xxxx-admin.sharepoint.com
Get-SPOTenant | select -ExpandProperty SharingAllowedDomainList > d:\allowedDomains.txt
The issue is that this has to be automated. There is also a requirement to use a ClientId and Secret in the script, rather than providing me with an account that bypasses MFA and has SP Admin rights.
Because of that, I've turned to SharePointPnP, which does allow you to connect with a ClientId and Secret. I'm able to connect with the following:
Connect-PnPOnline -url https://xxxx-admin.sharepoint.com -ClientId "xxxxx" -ClientSecret "xxxxx"
Where I'm struggling now is working out how I can retrieve the SharingAllowedDomainList property through SharePointPnP, or whether that is even possible?
#THTX,
Could you please try the PnP PowerShell cmdlets below?
Get-PnPTenant
Get-PnPTenantSite
It has the SharingAllowedDomainList property:
BR
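As an added example (not from the thread), the scheduled job the question describes, using the cmdlet the answer points to: it reads SharingAllowedDomainList app-only, writes it to a file, and compares it with the previous run so a newly allowed sharing domain is flagged rather than silently accepted. Admin URL, client id, paths and the environment variable holding the secret are placeholders.

```powershell
# Added example (not part of the original thread). Placeholders: admin URL, client id, paths.
# The secret is read from an environment variable rather than kept as a literal in the script.
$adminUrl = "https://xxxx-admin.sharepoint.com"
$clientId = "xxxxx"
$secret   = $env:SPO_CLIENT_SECRET
$current  = "D:\allowedDomains.txt"
$previous = "D:\allowedDomains.previous.txt"

Connect-PnPOnline -Url $adminUrl -ClientId $clientId -ClientSecret $secret

# The property the question was after, via Get-PnPTenant as the answer suggests.
# SharingAllowedDomainList is a single space-separated string, so split it into one entry per domain.
$domains = (Get-PnPTenant).SharingAllowedDomainList -split '\s+' | Where-Object { $_ } | Sort-Object -Unique

# Keep the last run's list to diff against, then write today's
if (Test-Path $current) { Move-Item $current $previous -Force }
$domains | Set-Content -Path $current

if (Test-Path $previous) {
    $old   = Get-Content $previous
    $delta = Compare-Object -ReferenceObject @($old) -DifferenceObject @($domains)
    foreach ($d in $delta) {
        # '=>' means the domain is newly allowed; '<=' means it was removed since the last run
        $what = if ($d.SideIndicator -eq '=>') { 'ADDED  ' } else { 'REMOVED' }
        Write-Warning "$what sharing domain: $($d.InputObject)"
    }
    if (-not $delta) { Write-Output "Allowed domain list unchanged ($(@($domains).Count) entries)." }
}

Disconnect-PnPOnline
```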
This script creates a guest user invitation, but errors when trying to add that newly created user to a SharePoint Online site, with the following error:
Add-SPOUser : The specified user janedoe@email.com could not be found.
$tenant = "companyname"
Connect-SPOService -url "https://$tenant-admin.sharepoint.com"
Connect-AzureAD -TenantDomain "$tenant.onmicrosoft.com"
New-AzureADMSInvitation -InvitedUserDisplayName "Jane Doe" -InvitedUserEmailAddress "janedoe@email.com" -InviteRedirectURL "https://$tenant.sharepoint.com/sites/client1" -SendInvitationMessage $true
Start-Sleep -s 60
Add-SPOUser -Group "Client Site 1 Visitors" -LoginName "janedoe@email.com" -Site "https://$tenant.sharepoint.com/sites/client1"
Disconnect-SPOService
Disconnect-AzureAD
How long does it take for Azure AD to populate that user into Office 365?
When trying to add the external user email (outside tenancy) to a SP group via the GUI, tabbing away shows the following error:
"Your organization's policies don't allow you to share with these users. Go to External Sharing in the Office 365 admin center to enable it."
To fix this and the PS script error, after creating your extranet SP site, run the following PS command after connecting to SPO (it only needs to run ONCE before adding an external user to a site):
Set-SPOSite -identity https://companyname.sharepoint.com/sites/client1 -sharingcapability ExternalUserAndGuestSharing
Now the PS script will work without error. Start-Sleep is not necessary.
Is it somehow possible to create an Azure AD Application Key via PowerShell?
I could not really find any working solution. Currently I have this piece of code:
$appName = "myAppName"
$password = "myPassword"
$app = New-AzureRmADApplication -DisplayName $appName -HomePage "https://$appName" -IdentifierUris "https://$appName" -Password $password
New-AzureRmADServicePrincipal -ApplicationId $app.ApplicationId
New-AzureRmRoleAssignment -RoleDefinitionName "Data Factory Contributor" -ServicePrincipalName $app.ApplicationId
This all works fine so far, but I also need to create a key for the app so that clients can actually access it. In the Azure portal this would be under MyDirectory --> App registrations --> myAppName --> Settings --> Keys.
Also, I am not quite sure what the Password for the application is actually used for?!
OK, I found this blog post and it seems to solve my issue:
https://www.sabin.io/blog/adding-an-azure-active-directory-application-and-key-using-powershell/