Automated way to purge SPO User Profiles - powershell

As part of a clean up task, I'm looking for a way to programmatically purge deleted AAD accounts from the User Profile Manager in Sharepoint Online.
I was using the Sharepoint Powershell module (Microsoft.Online.SharePoint.PowerShell) to manually do it, using the Remove-SPOUserProfile commandlet, which worked perfectly if I was using it in an interactive session. But as soon as I tried implementing my script into Azure Automation I found that particular module falls back to Basic Authentication when using a PSCredential object in the Connect-SPOService statement. And Basic Auth is blocked at my Organisation (I can't see them allowing it just for me!)
I found the PnP Module (PnP.PowerShell), which does allow authentication via stored credentials. But it doesn't have an equivalent User Profile Remove cmdlet.
Finally, I tried resorting to pure REST API, and while I can get an existing user profile, I can't get a profile for an account that has been deleted (marked as 'Profiles Missing from Import' in the SPO ProfMngr.aspx page). This is because the SP.UserProfiles.PeopleManager/GetPropertiesFor(accountName=#v) API needs to have an exact match (eg i:0#.f|membership|vardhaman#siteurl.onmicrosoft.com), and when an AAD account is deleted the profile username gets DELETED-<GUID> appended to it.
So my questions are:
Am I right or wrong about the sharepoint module and stored creds? (IE, so the module can be used from Azure Automation with a service principal or service account)
Am I right or wrong about the PnP module and it is missing the similar Remove-SPOUserProfile?
With the REST API, how do you search for profiles, especially profiles "missing from import"?
Is there some way to predict what the DELETED-<GUID> will be for a given user? Because I was able to get a user profile if I looked up the full deleted name and supply that to my REST call.
The official documentation on this is light - the old traditional sharepoint APIs aren't being developed any more, in favour of MS Graph, but the Graph Documentation doesn't seem to cover my particular use case.
Any pointers appreciated
Update 1
Thanks #Michael Han_MSFT.
I was using a pre-release/nightly build (0.3.32) but looking at Release documentation so didn't realise remove profile was in there.
I'm still getting problems though:
Connect-PnPOnline `
-url "https://<tenantname>.sharepoint.com" `
-ClientId $ClientId `
-ClientSecret $ClientSecret
# $guest1 = Guest account's email address
$azureEmail = ($guest1 -replace "#", "_") + "#ext##<tenantname>.onmicrosoft.com"
Remove-PnPUserProfile `
-LoginName $azureEmail
Remove-PnPUserProfile : The remote server returned an error: (401) Unauthorized.
At line:11 char:1
+ Remove-PnPUserProfile `
+ ~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Remove-PnPUserProfile], WebException
+ FullyQualifiedErrorId : System.Net.WebException,PnP.PowerShell.Commands.UserProfiles.RemoveUserProf
ile
So I tweaked the URL:
Connect-PnPOnline `
-url "https://<tenantname>-admin.sharepoint.com" `
-ClientId $ClientId `
-ClientSecret $ClientSecret
$azureEmail = ($guest1 -replace "#", "_") + "#ext##azurediagovt.onmicrosoft.com"
Remove-PnPUserProfile `
-LoginName $azureEmail
Remove-PnPUserProfile :
At line:11 char:1
+ Remove-PnPUserProfile `
+ ~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : WriteError: (:) [Remove-PnPUserProfile], HttpRequestException
+ FullyQualifiedErrorId : EXCEPTION,PnP.PowerShell.Commands.UserProfiles.RemoveUserProfile
So you can see if I go to <tenantname> I get a 401, but if I go to <tenantname>-name the response is simply blank.
I was certain I had given my App the right permissions (Is there some way to review what permissions have been assigned?)
In AppInv.aspx I think had this permissions code (I was following a couple of blogs):
<AppPermissionRequests AllowAppOnlyPolicy="true">
<AppPermissionRequest Scope="http://sharepoint/content/Tenant" Right="FullControl"/>
<AppPermissionRequest Scope="http://sharepoint/social/Tenant" Right="FullControl"/>
</AppPermissionRequests>
As a further test, I tried the PnP version of what I was doing in REST (Get-PnpUserProfileProperty) and got
Get-PnPUserProfileProperty : Current user is not a tenant administrator.
At line:1 char:1
+ Get-PnPUserProfileProperty -Connection $pnpctx -Account "scottdu#data ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : WriteError: (:) [Get-PnPUserProfileProperty], ServerException
+ FullyQualifiedErrorId : EXCEPTION,PnP.PowerShell.Commands.UserProfiles.GetUserProfileProperty
Which is strange, because REST would give me a results.d response.
At this stage, I could look at making the App Id a Sharepoint Service Admin (I already have approval to allow Azure Automation to have whatever rights it needs to solve this).
(Update 1a: Made no difference, unless there is a delay between assigning the role and the permissions taking affect).

AAD registered app can be used to connect PnpOnline and delete user profile. Please see my below steps:
(Main refer article: https://learn.microsoft.com/en-us/sharepoint/dev/solution-guidance/security-apponly-azuread)
Step1:Registering an Azure AD application in the Azure Active Directory tenant that is linked to your Office 365 tenant and grant permission
Use admin account to access https://portal.azure.com/#blade/Microsoft_AAD_RegisteredApps. Click “New registration” and create a name of your app.
Go to “API permissions” and click on the "Add a permission" button and grant SharePoint API permission.
Select needed permissions.
Admin need to consent for those permissions, after that in status column will show green.
Step2: Create a self signed certificate and connect with app
Go to this link(https://learn.microsoft.com/en-us/sharepoint/dev/solution-guidance/security-apponly-azuread#setting-up-an-azure-ad-app-for-app-only-access), copy the scripts and save as “Create-SelfSignedCertificate.ps1”.
Run below command with PowerShell. You will be asked to give a password to encrypt your private key, and both the .PFX file and .CER file will be exported to the current folder.
.\Create-SelfSignedCertificate.ps1 -CommonName "YourCompanyName"
-StartDate 2020-1-09 -EndDate 2022-10-01
Go to AAD app, click on "Certificates & secrets" in the left menu bar. Click on the "Upload certificate" button, select the .CER file you generated and upload it.
Step3: Connect pnp online and perform delete profile
$ Connect-PnPOnline -ClientId <$application client id as copied over
from the AAD app registration above> -CertificatePath '<$path to the
PFX file generated by the PowerShell script above>'
-CertificatePassword (ConvertTo-SecureString -AsPlainText "<$password assigned to the generated certificate pair above>" -Force) -Url
https://<$yourtenant>.sharepoint.com -Tenant
"<$tenantname>.onmicrosoft.com"
$Remove-PnPUserProfile -LoginName $UPN
For REST api way, I found this article noted REST for delete user profile is not implemented.
(https://learn.microsoft.com/en-us/sharepoint/dev/general-development/work-with-user-profiles-in-sharepoint)

You could try the command : Remove-PnPUserProfile
https://pnp.github.io/powershell/cmdlets/Remove-PnPUserProfile.html
You should install the prerelease version of PnP.PowerShell:
https://www.powershellgallery.com/packages/PnP.PowerShell/0.3.8-nightly
Update:
You could try to use tenant administrator account to connect the sharepoint admin site, then run the command Remove-PnPUserProfile. This works for me:

Related

Cannot export site template

I'm trying to get site template and getting error:
PS C:\Windows\system32> Get-PnPSiteTemplate -Out template.xml
Get-PnPSiteTemplate : GetAccessTokenAsync() called without an ACS token generator. Specify in AuthenticationManager constructor the authentication parameters
At line:1 char:1
Get-PnPSiteTemplate -Out template.xml
CategoryInfo : WriteError: (:) [Get-PnPSiteTemplate], ArgumentException
FullyQualifiedErrorId : EXCEPTION,PnP.PowerShell.Commands.Provisioning.Site.GetSiteTemplate
Version:
pnp.powershell 1.6.0
I had the same issue and after quite some time invested in troubleshooting, I've figured out that the export gets interrupted once it iterates over a list. It is not related to the site you're trying to export because it happened also on other, newly created sites.
It turned out that the problem was that the PNP Module requires Admin Consent since it can manipulate almost all components of O365.
Solution: Connect to the site with the following command:
Connect-PnPOnline -interactive -URL "Your Site Url"
Provide admin consent to PnP and then try to export the site template with:
Get-PnPSiteTemplate -Out "File Location" # Use handlers and other params if needed
If the prompt window doesn't show up, run the following command first:
register-pnpmanagementshellaccess # See notes before running this cmdlet
Note: Admin consent requires additional permissions and SharePoint Admin role is not enough! So either ask a Global Admin to consent for you or ask for additional AD permissions. If I'm not mistaken Application Administrator role should be the right choice.
This seems to have worked for me.
Get-PnPSiteTemplate -out template.xml -ExcludeHandlers Lists,ApplicationLifecycleManagement
It seems the lists and ALM sections need an ACS token generator and that fails with UseWebLogin.
This is what I got on version 1.7.10, but I have used 1.7.0 and 1.5.0 and seen the same issues. I don't know if the older versions have more problematic modules.
Method: I found this resolution by running Set-PnPTraceLog -on -logfile log.txt -Level Debug and Set-PnPTraceLog -off, then reviewing log file to see which module failed.
I may use the Export-PnPListToSiteTemplate and see how that goes in getting list XML for the template file.
I had the same issue with PnP.PowerShell 1.6.0. I was using Connect-PnPOnline command with -UseWebLogin flag because my account had multi factor authentication turned on.
My solution was to disable MFA for my user and connect without the "-UseWebLogin" flag. Then Get-PnPSiteTemplate command worked without any issues.
I'm not sure why this is happening, but I'll use this workaround for now :)

Powershell connecting to Sharepoint online using Active directory

To start, I am using Windows 7, I am a full adminstrator on this machine
I have tried other machines and ran as an administrator as well
I am only a sharepoint site collection admin
In powershell we connect to Sharepoint online. during this process, if I use Connect-PnPOnline -Url $masterSiteUrl -useweblogin, I get prompted for a username, however the next screen is blank and stays there.
when I do a view source of that page I get
d>Redirecting....myshn.net/certcheck" method="POST">
I do have scripting enabled and sometimes I get a certificate issue, I have clicked "Install Certificate" although I am not sure what it did, but it still doesnt work
Ive also tried -SPOManagementShell and -ClearTokenCache
and get the following error
Connect-PnPOnline : Parameter set cannot be resolved using the specified named parameters.
At line:1 char:1
+ Connect-PnPOnline -Url $masterSiteUrl -useweblogin -spoManagementShel ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (:) [Connect-PnPOnline], ParameterBindingException
+ FullyQualifiedErrorId : AmbiguousParameterSet,SharePointPnP.PowerShell.Commands.Base.ConnectOnline
See this:
Connect to all Office 365 services in a single Windows PowerShell
and this...
Connect to all Office 365 Services PowerShell - Supports MFA too
Using our All-in-One PowerShell script, you can connect to all Office
365 Services using a single cmdlet. It supports both MFA and non-MFA
account -Exchange Online -Azure AD -SharePoint Online -Skype for
Business Online -Security & Compliance Center -Teams
Download: ConnectO365Services.ps1
O365_Logon 1.1
O365 logon cmdlets to assist IT administrators. In this module, there
are several cmdlets that simplify the process of logging onto various
O365 components.

Move users from SFB on-perm to Teams\SFBO

Updated SFB-prem to CU9 but for some reason unable to move test user to Teams or SFBO. anyone facing this issue?
I tried to used PS commands and SFB admin portal but same results
$cred=Get-Credential
$url="https://admxxxx.online.lync.com/HostedMigration/hostedmigrationService.svc"
Move-CsUser -Identity teamstestuser02#xxx.com -Target sipfed.online.lync.com -Credential $cred -HostedMigrationOverrideUrl $url
Move-CsUser : Unable to connect to some of the servers in pool
"XXX.com" due to a Distributed Component Object Model (DCOM) error.
Verify that Front End service is running on servers in this pool. If
the pool is set up for load balancing, verify that load balancer is
configured correctly. At line:2 char:1
+ Move-CsUser -Identity teamstestuser02#XXXX.com -Target "sip ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (CN=TeamsTestUse...p,xx.xxcom:OCSADUser) [Move-CsUser],
MoveUserException
+ FullyQualifiedErrorId : MoveError,Microsoft.Rtc.Management.AD.Cmdlets.MoveOcsUserCmdlet
Have you run this on the FrontEnd Server itself?
I have hit and misses with Move-CsUser when it targets SkypeOnline
Potential mitigations I found:
-Run on FE
-Specify undocumented Switch -DomainController to point it at a writable DC
https://learn.microsoft.com/en-us/skypeforbusiness/hybrid/move-users-between-on-premises-and-cloud should have all the juice you need, make sure that the user you are running this command as (i.E. logged into the FE) has CsServerAdministrator and the $Cred has Global Admin or User Admin + Skype For Business Admin
Hope that helps :)
I used -UseOAuth switch on the Frond End server and the issue resolved. Some users return errors for Rollback, and nothing works for these users until I used force switch, which they lost their contacts and meeting info.

Error Get-AzureKeyVaultSecret : Unable to retrieve service key for ServicePrincipal account

Using PowerShell, I can access my Azure KeyVault locally, provide the secret and return stored passwords. I can also do this from a VM I spin up. Additionally, I can access a single password from the KeyVault and use it to impersonate a user on a VSTS build agent, but I cannot access the remaining stored passwords. What gives?
Here's the message I receive:
[error]Get-AzureKeyVaultSecret : Unable to retrieve service key for
ServicePrincipal account
[hiddenaccountname]#[companyaccount].com. Please log in
again to supply the credentials for this service principal. In
PowerShell, execute Login-AzureRMAccount for Azure Resource Manager
cmdlets or Add-AzureAccount for service management cmdlets.
...
CategoryInfo : CloseError: (:) [Get-AzureKeyVaultSecret], KeyNotFoundException
FullyQualifiedErrorId : Microsoft.Azure.Commands.KeyVault.GetAzureKeyVaultSecret
Here's what my code looks like at this section:
Login-AzureRmAccount -Credential $AzureCredential -ServicePrincipal -TenantId [abunchofnumbers]
$Password = (Get-AzureKeyVaultSecret -VaultName "[nameOfVault]" -Name "[nameOfSecret]").SecretValueText
The login accepts the provided credentials and logs me in, but the Get-AzureKeyVaultSecret cmdlet fails, and only on VSTS during a build.
Any ideas, you strange and wonderful devs?
[Resolved - Follow up] My process involved one Powershell script to impersonate a user by using Login-AzureRmAccount and Get-AzureKeyVaultSecret to get the password for a user, then a 2nd Powershell script to log back in to AzureRmAccount to get more passwords from the KeyVault. I swapped the order of these two scripts and problem went away.

How to deploy to Azure with powershell?

I want to deploy my application to azure with powershell. So far I have created a certificate in the localmachine store, I'm not going to run the deploy script as me, uploaded the script to azure. The next step is to get access to the service on azure in powershell but there it fails. The script I have so far is:
$cert = Get-Item Cert:\LocalMachine\deploy\xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Set-AzureSubscription -SubscriptionName $subscriptionName -SubscriptionId $subscriptionId -Certificate $cert
Select-AzureSubscription $subscriptionName
$service = Get-AzureService $azureId
It fails on the last row with the following message:
Get-AzureService : Communication could not be established. This could be due to an invalid subscription ID. Note that subscription IDs are case sensitive.
At F:\DeployTest\deploy.ps1:9 char:12
+ $service = Get-AzureService $azureId
+ ~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidData: (:) [Get-AzureService], Exception
+ FullyQualifiedErrorId : Microsoft.WindowsAzure.Management.ServiceManagement.HostedServices.GetAzureServiceCommand
Get-AzureService : HTTP Status Code: AuthenticationFailed - HTTP Error Message: The server failed to authenticate the request. Verify that the certificate is valid and is associated with this subscription.
Operation ID:
At F:\DeployTest\deploy.ps1:9 char:12
+ $service = Get-AzureService $azureId
+ ~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : CloseError: (:) [Get-AzureService], CommunicationException
+ FullyQualifiedErrorId : Microsoft.WindowsAzure.Management.ServiceManagement.HostedServices.GetAzureServiceCommand
I really don't know what the problem is, the certificate I'm trying to use is uploaded so it feels like there is something fundamental I've missed.
Update: I did get it to work after downloading the .publishsettings-file and importing that instead of trying to use Set-AzureSubscription. I'm still a little bit confused though, shouldn't it be possible to use the method I tried above?
I finally found the problem, and of course it was a user problem. First when I was in the azure portal I didn't find where to upload the certificate, so I uploaded it to first place I found mentioning certificates. What I did found out was that this area was the wrong one, I uploaded the certificate to the certificate area under the cloud service I wanted to administrate, which is the wrong place.
The correct place to upload the certificate to is under settings in the admin portal of azure. So the code above works if the certificate is uploaded to the correct location.