Connect-MsolService blank screen - powershell

I want to set up SSO between GSuite (as Identity provider "IdP") and Microsoft 365.
When I want to connect to Microsoft 365 through powershell, I use the following command:
Install-Module MSOnline
Import-Module MSOnline
$msolCred = get-credential
Connect-MsolService -credential $msolCred
When I run the last command, I'll receive the following empty Microsoft login screen:
I thought maybe it's because of OneDrive and other Windows 10 services; I have logged out everywhere but it still doesn't work. If someone can guide me, it would be great.

I have solved the problem by decreasing security of internet options (from control panel) from high to medium.

Related

Can't enter remote powershell 7.1 session

Been able to do it against Microsoft.PowerShell (5.1), but today I hit a known issue on 5.1 with remote Copy-Item so I installed PowerShell 7 on the remote server (checking "Enable Remoting" in the installer) and am trying to get it working.
$securePassword = ConvertTo-SecureString -AsPlainText -Force -String $Password
$credential = New-Object -TypeName system.management.automation.pscredential -ArgumentList $Username, $securePassword
$session = New-PSSession $targetMachineHostName -Credential $credential -ConfigurationName "Microsoft.PowerShell"
Enter-PSSession $session
Above works. But if I change ConfigurationName to "PowerShell.7.1.0" I get:
[myserver.com.au] Connecting to remote server myserver.com.au failed with
| the following error message : <f:WSManFault
| xmlns:f="http://schemas.microsoft.com/wbem/wsman/1/wsmanfault" Code="2689860592"
| Machine="myserver.com.au"><f:Message><f:ProviderFault provider="PowerShell.7.1.0"
| path="C:\Windows\system32\PowerShell\7.1.0\pwrshplugin.dll"></f:ProviderFault></f:Message></f:WSManFault> For more information, see the about_Remote_Troubleshooting Help topic.
On the remote server I've run enable ps remoting in a 7.1 powershell so if I run Get-PSSessionConfiguration it returns a bunch of configurations, including the following:
Name : PowerShell.7.1.0
PSVersion : 7.1
StartupScript :
RunAsUser :
Permission : NT AUTHORITY\INTERACTIVE AccessAllowed, BUILTIN\Administrators AccessAllowed, BUILTIN\Remote
Management Users AccessAllowed
The dll the error refers to exists on the machine.
The user credentials I'm using are for a Local User on the remote machine that isn't an Administrator, but belongs to the Remote Management Users group.
Also worth noting from the remote machine itself (as a different Administrator local account, I can start a session to localhost).
After making the user an Administrator I was able to connect, but I'd gone to great lengths earlier to make non-Administrator possible on 5.1.
Out of interest, I tried giving the user Full Control to C:\Windows\system32\PowerShell\7.1.0 and then I could connect...
Still would love to know what's going on though and whether I'm doing the right thing or minimum permissions required.
It seems like the minimum security permissions to the folder are:
Read & Execute
List folder contents
Read
Write
Write is bizarre, but without it I get that error. I've assigned those permissions to the "Remote Management Users" group.
Docs here touch a little bit on v5.1 vs v7, and then link to here mentioning an install script so maybe something has fallen through the cracks.
I was getting the same error. I installed PowerShell 7 from Microsoft Store and then ran Enable-PSRemoting. I got this error so I uninstalled it and reinstalled it from WinGet which uses the MSI. That didn't work either. I tried running Enable-PSRemoting again, but nothing changed.
I ran Install-PowerShellRemoting.ps1 and it gave me two errors about things already existing and did not fix the problem. However, I was able to resolve the problem by doing the following:
Delete the PowerShell 7 plugins: Remove-Item 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\Plugin\PowerShell.7','HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\Plugin\PowerShell.7.1.1'.
Run Install-PowerShellRemoting.ps1 again.
I'm not sure what the difference was, but deleting and allowing the script to generate it again fixed it for me.
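A way to see what the non-administrator group actually holds on both layers discussed in this thread, the session configuration and the plugin folder, before and after changing permissions. This is an added example, not code from the posts above; the endpoint name, folder path and group name are the ones quoted in the question, and it assumes an elevated PowerShell prompt on the remote server.

```powershell
# Added example (not from the original posts). Run elevated on the remote server.
# Values below are taken from the question; adjust to your own endpoint.
$ConfigName = 'PowerShell.7.1.0'
$PluginDir  = 'C:\Windows\system32\PowerShell\7.1.0'
$Principal  = 'BUILTIN\Remote Management Users'

# Layer 1: does the session configuration itself allow the group to connect?
$config = Get-PSSessionConfiguration -Name $ConfigName
$endpointEntries = $config.Permission -split ',\s*' |
    Where-Object { $_ -like "$Principal*AccessAllowed" }

# Layer 2: which NTFS rights does the group hold on the plugin folder?
$fsr   = [System.Security.AccessControl.FileSystemRights]
$rules = (Get-Acl -Path $PluginDir).Access |
    Where-Object {
        $_.IdentityReference.Value -eq $Principal -and
        $_.AccessControlType -eq 'Allow'
    }

# Combine every Allow rule for the group into one bitmask.
# Note: ACEs that use generic rights (GENERIC_ALL etc.) are not expanded here.
$granted = 0
foreach ($rule in $rules) {
    $granted = $granted -bor [int]$rule.FileSystemRights
}

# Helper: true only when every bit of the named right is present.
function Test-Right([int]$Mask, [int]$Right) { ($Mask -band $Right) -eq $Right }

[pscustomobject]@{
    Endpoint               = $ConfigName
    Principal              = $Principal
    EndpointAllowsGroup    = [bool]$endpointEntries
    PluginDir              = $PluginDir
    ReadAndExecute         = Test-Right $granted ([int]$fsr::ReadAndExecute)
    Write                  = Test-Right $granted ([int]$fsr::Write)
    FullControl            = Test-Right $granted ([int]$fsr::FullControl)
    ExplicitRuleCount      = @($rules | Where-Object { -not $_.IsInherited }).Count
} | Format-List
```

ExplicitRuleCount shows how many of the group's rules were set directly on the folder rather than inherited, which makes a manual grant on a system32 subfolder easy to spot in review.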

Enter Office 365 Shell Multi-Factor Authentication credentials inside Powershell

I've been trying to find a way to enter the username, password and token code for the Office 365 shell directly into the terminal and not have the normal secondary GUI window pop-up. Currently I have a basic script that logs in with:
Import-Module $((Get-ChildItem -Path $($env:LOCALAPPDATA + "\Apps\2.0\") -Filter Microsoft.Exchange.Management.ExoPowershellModule.dll -Recurse).FullName | Where-Object {$_ -notmatch "_none_"} | Select-Object -First 1)
Connect-MSOLService
Import-PSSession (New-ExoPSSession -UserPrincipalName USER@domain.tld) -AllowClobber -DisableNameChecking
Is it even possible to use strictly the TUI over the GUI for entering credentials?
Don't guess at how to do X or Y. It will just lead you down a very frustrated path. Always look to the help files and online docs.
What you are trying to do is a common practice, these days, and fully documented from Microsoft and many other web resources. There are specific modules to assist with this use case.
Connect to Exchange Online PowerShell using multi-factor authentication
Connect to Exchange Online PowerShell by using MFA
1. On your local computer, open the Exchange Online Remote PowerShell Module (Microsoft Corporation > Microsoft Exchange Online Remote PowerShell Module).
2. The command that you need to run uses the following syntax:
Connect-EXOPSSession -UserPrincipalName <UPN> [-ConnectionUri <ConnectionUri> -AzureADAuthorizationEndPointUri <AzureADUri>]
Connect to Office 365 PowerShell
Step 2: Connect to Azure AD for your Office 365 subscription
> To connect to Azure AD for your Office 365 subscription with an account name and password or with multi-factor authentication (MFA), run one of these commands from a Windows PowerShell command prompt (it does not have to be elevated).
Exchange Online PowerShell Module has been around since circa 2016 from the MFA PowerShell team
There is even a script from the gallery that is specifically for EXO using MFA.
Connect to Exchange Online PowerShell using multi-factor authentication (MFA)
If you want to use multi-factor authentication (MFA) to connect to
Exchange Online PowerShell, you can't use the instructions at regular
Connect to Exchange Online PowerShell to use remote PowerShell to
connect to Exchange Online.
Download : MFA.ps1

Powershell for O365 GUI: permissions

Background:
It seems someone has set user-mailbox permissions using the O365 GUI (not exchange online GUI):
Issue:
This means I can't use the normal exchange-powershell method to check mailbox permissions... like we can if set using Exchange Online Admin Center GUI or Add-MailboxPermission:
Import-PSSession ( New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Authentication Basic -AllowRedirection -Credential (Get-Credential myname@myco.com ) )
Get-MailboxPermission SharedUser@myco.com
^^ This does not return the permissions set in O365 GUI. Only Exchange Online.
Question:
What is the correct commandlet to manage the permissions set using the O365 GUI ?
Previous work:
I have tried looking at the MSOL-User commandlets also, as these seem to use O365 rather than exchange online... but they don't have one relating to permissions.
Also I have previously checked mailboxfolderpermission.
More Clarifications:
StaffMember@myco.com can see SharedUser@myco.com's mailbox in outlook.
This is also represented in:
Office 365 control panel / GUI > Users > SharedUser > Mail Settings > Mailbox Permissions
These permissions do NOT seem to show in Exchange Admin Center or exchange powershell.
There are three types of permissions you can set over the mailbox: FullAccess, SendAs and SendOnBehalf. Each of them can be checked/managed using different cmdlets:
FullAccess (Read and manage in O365 GUI) can be viewed using Get-MailboxPermission and managed using Add-MailboxPermission/Remove-MailboxPermission
SendAs can be viewed using Get-RecipientPermission and managed using Add-RecipientPermission/Remove-RecipientPermission
SendOnBehalf can be viewed using Get-Mailbox and managed using Set-Mailbox (parameter GrantSendOnBehalfTo)
Clarifying the question from comments:
Unfortunately Get-RecipientPermission says "applied to: Exchange online" and I am specifically talking about Office365 which seems to be a different set of cmdlets. Other-User had full access to shared-user's mailbox, yet Get-MailboxPermission shared-user showed nothing about the Other-User.
The fact that permissions can be set via O365 portal doesn't mean that the permissions are not set in Exchange Online. Office 365 user objects (the ones you can access via Get-MsolUser) cannot have FullAccess/SendAs/SendOnBehalf set on them, only mailboxes can have them.
When you set the permission (let's say you add Read and manage over shared-user to other-user) via O365 portal, the change should reflect on the Exchange Admin Center (when you check shared-user you'll see other-user in Full Access field) and in Get-MailboxPermission shared-user. Not sure what happened that you haven't seen these permissions but check these three first. It might be some delay in synchronization too.
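The three lookups named in the answer above, combined into one delegation report for a mailbox. This is an added example, not code from the thread: the function name Get-MailboxDelegation is hypothetical, and it assumes an Exchange Online PowerShell session has already been imported so that the three cmdlets are available.

```powershell
# Added example (not from the original posts). Assumes an imported Exchange
# Online session providing Get-MailboxPermission, Get-RecipientPermission
# and Get-Mailbox. Get-MailboxDelegation is a hypothetical helper name.
function Get-MailboxDelegation {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$Identity
    )

    # FullAccess ("Read and manage" in the O365 portal).
    # Skip the mailbox's own SELF entry, inherited entries and explicit denies.
    Get-MailboxPermission -Identity $Identity |
        Where-Object {
            $_.User -notlike 'NT AUTHORITY\SELF' -and
            -not $_.IsInherited -and -not $_.Deny -and
            $_.AccessRights -contains 'FullAccess'
        } |
        ForEach-Object {
            [pscustomobject]@{ Mailbox = $Identity; Delegate = "$($_.User)"; Right = 'FullAccess' }
        }

    # SendAs is stored as a recipient permission, not a mailbox permission.
    Get-RecipientPermission -Identity $Identity |
        Where-Object {
            $_.Trustee -notlike 'NT AUTHORITY\SELF' -and
            $_.AccessControlType -eq 'Allow' -and
            $_.AccessRights -contains 'SendAs'
        } |
        ForEach-Object {
            [pscustomobject]@{ Mailbox = $Identity; Delegate = "$($_.Trustee)"; Right = 'SendAs' }
        }

    # SendOnBehalf is a property of the mailbox object itself.
    (Get-Mailbox -Identity $Identity).GrantSendOnBehalfTo |
        Where-Object { $_ } |
        ForEach-Object {
            [pscustomobject]@{ Mailbox = $Identity; Delegate = "$_"; Right = 'SendOnBehalf' }
        }
}

# Mailbox name taken from the question.
Get-MailboxDelegation -Identity 'SharedUser@myco.com' |
    Sort-Object Right, Delegate |
    Format-Table -AutoSize
```

An empty result for a delegate who can demonstrably open the mailbox points to access through group membership or a synchronization delay rather than a direct grant.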

Orchestrator won't run PowerShell Cloud Exchange task

I'm having a problem getting a PowerShell script which queries objects in a cloud-based Exchange resource to work in an Orchestrator runbook.
The PowerShell script (which works correctly from my desktop computer's command line and when stepping through it in ISE) sets up a remote management session to the cloud and looks like this:
try
{
    $user = "username@domain.com"
    # Placeholder password, converted to a SecureString for the credential object
    $pword = ConvertTo-SecureString -String "password" -AsPlainText -Force
    $creds = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $user, $pword
    # Open the remote Exchange session and import its cmdlets with the o365 prefix
    $o365 = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com -Credential $creds -Authentication Basic -AllowRedirection
    Import-PSSession $o365 -AllowClobber -Prefix o365
    Get-o365Mailbox 'Doe, John'
}
catch
{
    throw $_.Exception
}
As I mentioned, it runs fine when I step through it in the editor on my desktop but when executed inside the Orchestrator runbook it fails on the "import-pssession" command (because the $o365 is never set).
I've taken the PowerShell script and run it manually on the actual runbook server and it works there as well as it does on my own desktop -- it's only when run inside of an Orchestrator runbook that it won't function. I only have a few weeks experience with Orchestrator and didn't know I'd run into a problem like this so quickly -- I am trying to run the script in a "Run .Net Script" activity with the language set to "Powershell," which I believe is the recommended method.
I've tried saving the script as a file on the runbook server and then used the "Run Program" activity to run PowerShell with this file (recommended by someone during my searching) and that doesn't work either.
Is the Orchestrator service account that's running the script a member of the Exchange RBAC role groups? If not, it won't be allowed to connect to those Exchange management sessions.
The problem turned out to be related to the client's firewall and proxy settings for the service account they set up to be used by Orchestrator. They (the clients) would not grant the service account Internet access as a matter of policy.
A couple of different solutions came up: One was installing the PowerShell integration pack from CodePlex and using that -- the CodePlex PowerShell activity allowed me to explicitly set the security context of the activity, which let me get around their firewall issue by running the activity under an account which did have Internet access.
The second solution was installing the Exchange Admin integration pack and configuring a connection to the cloud host. Using the "Run Exchange PowerShell Command" activity rather than the more generic "Run .NET script" activity also allowed the code to work as expected.
Orchestrator is still x86 and the commands in your script will only run in x64.
Test this in your x86 ISE and see the same failure.
My workaround is to call the script using the "Run Program" activity within the System activities list:
Program execution
Computer = I always start with initialize activity and then subscribe to the computer here
Program path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parameters: full path to the .ps1 of your script
Working folder: c:\temp

WMI - Using a non admin account to query server

I want to collect performance data from a Windows 2008 R2 Server with PowerShell.
For this task, I want to use a non admin account.
My problem is now, that I'm getting back an empty object ($WMIService).
There is no error message when I'm executing my script.
When I'm using an account with admin rights, everything is perfect.
So I think, permissions are missing for the non admin account.
How can I fix my problem?
My configuration for the WMIService account:
Enable remote WMI requests technet
Enable DCOM calls msdn
My script:
$ServiceCred = Get-Credential
$AdminCred= Get-Credential
$WMIService = Get-WmiObject -Class Win32_PerfFormattedData_PerfOS_Memory -ComputerName servername -Credential $ServiceCred
$WMIAdmin = Get-WmiObject -Class Win32_PerfFormattedData_PerfOS_Memory -ComputerName servername -Credential $AdminCred
$WMIService (Empty)
$WMIAdmin (Perfect)
You should set the appropriate permissions for your non admin account.
Solved! The user must also be in the Performance Monitor Users group.
My working configuration:
Enable remote WMI requests technet
Enable DCOM calls msdn
Added account to the Performance Monitor Users group
Take a look at this guide, it may help. Make sure you enabled Remote Enable on your user configuration.