Powershell connecting to Sharepoint online using Active directory - powershell

To start, I am using Windows 7, I am a full adminstrator on this machine
I have tried other machines and ran as an administrator as well
I am only a sharepoint site collection admin
In powershell we connect to Sharepoint online. during this process, if I use Connect-PnPOnline -Url $masterSiteUrl -useweblogin, I get prompted for a username, however the next screen is blank and stays there.
when I do a view source of that page I get
d>Redirecting....myshn.net/certcheck" method="POST">
I do have scripting enabled and sometimes I get a certificate issue, I have clicked "Install Certificate" although I am not sure what it did, but it still doesnt work
Ive also tried -SPOManagementShell and -ClearTokenCache
and get the following error
Connect-PnPOnline : Parameter set cannot be resolved using the specified named parameters.
At line:1 char:1
+ Connect-PnPOnline -Url $masterSiteUrl -useweblogin -spoManagementShel ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (:) [Connect-PnPOnline], ParameterBindingException
+ FullyQualifiedErrorId : AmbiguousParameterSet,SharePointPnP.PowerShell.Commands.Base.ConnectOnline

See this:
Connect to all Office 365 services in a single Windows PowerShell
and this...
Connect to all Office 365 Services PowerShell - Supports MFA too
Using our All-in-One PowerShell script, you can connect to all Office
365 Services using a single cmdlet. It supports both MFA and non-MFA
account -Exchange Online -Azure AD -SharePoint Online -Skype for
Business Online -Security & Compliance Center -Teams
Download: ConnectO365Services.ps1
O365_Logon 1.1
O365 logon cmdlets to assist IT administrators. In this module, there
are several cmdlets that simplify the process of logging onto various
O365 components.

Related

Automated way to purge SPO User Profiles

As part of a clean up task, I'm looking for a way to programmatically purge deleted AAD accounts from the User Profile Manager in Sharepoint Online.
I was using the Sharepoint Powershell module (Microsoft.Online.SharePoint.PowerShell) to manually do it, using the Remove-SPOUserProfile commandlet, which worked perfectly if I was using it in an interactive session. But as soon as I tried implementing my script into Azure Automation I found that particular module falls back to Basic Authentication when using a PSCredential object in the Connect-SPOService statement. And Basic Auth is blocked at my Organisation (I can't see them allowing it just for me!)
I found the PnP Module (PnP.PowerShell), which does allow authentication via stored credentials. But it doesn't have an equivalent User Profile Remove cmdlet.
Finally, I tried resorting to pure REST API, and while I can get an existing user profile, I can't get a profile for an account that has been deleted (marked as 'Profiles Missing from Import' in the SPO ProfMngr.aspx page). This is because the SP.UserProfiles.PeopleManager/GetPropertiesFor(accountName=#v) API needs to have an exact match (eg i:0#.f|membership|vardhaman#siteurl.onmicrosoft.com), and when an AAD account is deleted the profile username gets DELETED-<GUID> appended to it.
So my questions are:
Am I right or wrong about the sharepoint module and stored creds? (IE, so the module can be used from Azure Automation with a service principal or service account)
Am I right or wrong about the PnP module and it is missing the similar Remove-SPOUserProfile?
With the REST API, how do you search for profiles, especially profiles "missing from import"?
Is there some way to predict what the DELETED-<GUID> will be for a given user? Because I was able to get a user profile if I looked up the full deleted name and supply that to my REST call.
The official documentation on this is light - the old traditional sharepoint APIs aren't being developed any more, in favour of MS Graph, but the Graph Documentation doesn't seem to cover my particular use case.
Any pointers appreciated
Update 1
Thanks #Michael Han_MSFT.
I was using a pre-release/nightly build (0.3.32) but looking at Release documentation so didn't realise remove profile was in there.
I'm still getting problems though:
Connect-PnPOnline `
-url "https://<tenantname>.sharepoint.com" `
-ClientId $ClientId `
-ClientSecret $ClientSecret
# $guest1 = Guest account's email address
$azureEmail = ($guest1 -replace "#", "_") + "#ext##<tenantname>.onmicrosoft.com"
Remove-PnPUserProfile `
-LoginName $azureEmail
Remove-PnPUserProfile : The remote server returned an error: (401) Unauthorized.
At line:11 char:1
+ Remove-PnPUserProfile `
+ ~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Remove-PnPUserProfile], WebException
+ FullyQualifiedErrorId : System.Net.WebException,PnP.PowerShell.Commands.UserProfiles.RemoveUserProf
ile
So I tweaked the URL:
Connect-PnPOnline `
-url "https://<tenantname>-admin.sharepoint.com" `
-ClientId $ClientId `
-ClientSecret $ClientSecret
$azureEmail = ($guest1 -replace "#", "_") + "#ext##azurediagovt.onmicrosoft.com"
Remove-PnPUserProfile `
-LoginName $azureEmail
Remove-PnPUserProfile :
At line:11 char:1
+ Remove-PnPUserProfile `
+ ~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : WriteError: (:) [Remove-PnPUserProfile], HttpRequestException
+ FullyQualifiedErrorId : EXCEPTION,PnP.PowerShell.Commands.UserProfiles.RemoveUserProfile
So you can see if I go to <tenantname> I get a 401, but if I go to <tenantname>-name the response is simply blank.
I was certain I had given my App the right permissions (Is there some way to review what permissions have been assigned?)
In AppInv.aspx I think had this permissions code (I was following a couple of blogs):
<AppPermissionRequests AllowAppOnlyPolicy="true">
<AppPermissionRequest Scope="http://sharepoint/content/Tenant" Right="FullControl"/>
<AppPermissionRequest Scope="http://sharepoint/social/Tenant" Right="FullControl"/>
</AppPermissionRequests>
As a further test, I tried the PnP version of what I was doing in REST (Get-PnpUserProfileProperty) and got
Get-PnPUserProfileProperty : Current user is not a tenant administrator.
At line:1 char:1
+ Get-PnPUserProfileProperty -Connection $pnpctx -Account "scottdu#data ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : WriteError: (:) [Get-PnPUserProfileProperty], ServerException
+ FullyQualifiedErrorId : EXCEPTION,PnP.PowerShell.Commands.UserProfiles.GetUserProfileProperty
Which is strange, because REST would give me a results.d response.
At this stage, I could look at making the App Id a Sharepoint Service Admin (I already have approval to allow Azure Automation to have whatever rights it needs to solve this).
(Update 1a: Made no difference, unless there is a delay between assigning the role and the permissions taking affect).
AAD registered app can be used to connect PnpOnline and delete user profile. Please see my below steps:
(Main refer article: https://learn.microsoft.com/en-us/sharepoint/dev/solution-guidance/security-apponly-azuread)
Step1:Registering an Azure AD application in the Azure Active Directory tenant that is linked to your Office 365 tenant and grant permission
Use admin account to access https://portal.azure.com/#blade/Microsoft_AAD_RegisteredApps. Click “New registration” and create a name of your app.
Go to “API permissions” and click on the "Add a permission" button and grant SharePoint API permission.
Select needed permissions.
Admin need to consent for those permissions, after that in status column will show green.
Step2: Create a self signed certificate and connect with app
Go to this link(https://learn.microsoft.com/en-us/sharepoint/dev/solution-guidance/security-apponly-azuread#setting-up-an-azure-ad-app-for-app-only-access), copy the scripts and save as “Create-SelfSignedCertificate.ps1”.
Run below command with PowerShell. You will be asked to give a password to encrypt your private key, and both the .PFX file and .CER file will be exported to the current folder.
.\Create-SelfSignedCertificate.ps1 -CommonName "YourCompanyName"
-StartDate 2020-1-09 -EndDate 2022-10-01
Go to AAD app, click on "Certificates & secrets" in the left menu bar. Click on the "Upload certificate" button, select the .CER file you generated and upload it.
Step3: Connect pnp online and perform delete profile
$ Connect-PnPOnline -ClientId <$application client id as copied over
from the AAD app registration above> -CertificatePath '<$path to the
PFX file generated by the PowerShell script above>'
-CertificatePassword (ConvertTo-SecureString -AsPlainText "<$password assigned to the generated certificate pair above>" -Force) -Url
https://<$yourtenant>.sharepoint.com -Tenant
"<$tenantname>.onmicrosoft.com"
$Remove-PnPUserProfile -LoginName $UPN
For REST api way, I found this article noted REST for delete user profile is not implemented.
(https://learn.microsoft.com/en-us/sharepoint/dev/general-development/work-with-user-profiles-in-sharepoint)
You could try the command : Remove-PnPUserProfile
https://pnp.github.io/powershell/cmdlets/Remove-PnPUserProfile.html
You should install the prerelease version of PnP.PowerShell:
https://www.powershellgallery.com/packages/PnP.PowerShell/0.3.8-nightly
Update:
You could try to use tenant administrator account to connect the sharepoint admin site, then run the command Remove-PnPUserProfile. This works for me:

How to install Outlook Web Add-In to a Distribution Group in Exchange Server 2013?

I am trying to install a Outlook web add-in for a Distribution Group on Exchange Server 2013. I have created a group of users and in accordance with Install or remove add-ins for Outlook for your organization, I am trying to assign the app to only that group.
When I try to run the command from the Exchange PowerShell, it is unable to find the AppId of my Outlook Web Add-in.
[PS] C:\Windows\system32>$a = Get-DistributionGroupMember MyGroup-Users
[PS] C:\Windows\system32>Set-App -Identity badb297b-b8e8-41e1-9513-ff821c15189c -OrganizationApp -ProvidedTo SpecificUsers -UserList $a.Identity -DefaultStateForUser Enabled
The operation couldn't be performed because 'badb297b-b8e8-41e1-9513-ff821c15189c' couldn't be found.
+ CategoryInfo : NotSpecified: (:) [Set-App], ManagementObjectNotFoundException
+ FullyQualifiedErrorId : [Server=WIN-MASKED,RequestId=207e8697-a42c-4460-af5e-fccfe027c8db,TimeStamp=7/6/201
8 10:59:33 AM] [FailureCategory=Cmdlet-ManagementObjectNotFoundException] 291FF391,Microsoft.Exchange.Management.E
xtension.SetApp
+ PSComputerName : win-j0qd2spo6mv.mydomain.com
What I have tried
I have tried installing the app for all users in organisation before and after running these commands.
The guid is the one from the Id section in the XML manifest of Outlook Web Add-in. Am I supposed to use the same Id as AppId or it is something else?

WebDAV and Powershell and Windows - weird error and behaviour

We have a WebDAV site that runs on IIS. From PowerShell we try to download a folder info
Get-ChildItem \\webserver#SSL\davwwwroot\webdav\Folder1\Folder2 -Name
It says
'\\webserver#SSL\davwwwroot\webdav\Folder1\Folder2' because it does not exist.
At GetWebDAVFolderContents.ps1:33 char:10
+ $items = Get-ChildItem $url -Name
+ ~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (\\webserver#SSL\...der1\Folder2:String) [Get-ChildItem], ItemNotFoundException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetChildItemCommand
The folder does exist. The very strange things: we start the File Explorer on that client PC, enter an URL like https://inside.mycompany.com/it/site which is a WebDAV site on our company's SharePoint site, then it asks for a login. After successful login to this site, the PowerShell script begins to work, drops no error anymore, and can download the Folder1\Folder2 info from our WebDAV site.
Why? How can I avoid to manually enter a login information to another site to get this script work? Is it because our WebDAV site is not correctly configured under the IIS?
It happens that a local service named "WebClient" is needed to be started. By default it is "manually" start with "trigger". It seems that the powershell way it won't trigger the service start, but the explorer thing will. As it remains started the powershell script suddenly works. The solution is to change the service start to automated, and 'till now it works.

How to get rid of error while creating ACS Namespace on Azure Service Bus with PS?

Short story: I get the following error when trying to create a namespace on Azure Service Bus using Azure Powershell (Run as Administrator):
PS C:> New-AzureSBNamespace -Name mynewnamespace2 -Location "East US"
-CreateACSNamespace $true -Namespac New-AzureSBNamespace : Object reference not set to an instance of an object. At line:1 char:1
+ New-AzureSBNamespace -Name mynewnamespace2 -Location "East US" -CreateACSNamespace $ ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : CloseError: (:) [New-AzureSBNamespace], NullReferenceException
+ FullyQualifiedErrorId : Microsoft.WindowsAzure.Commands.ServiceBus.NewAzureSBNamespaceCommand
Long story: I created a first namespace in Azure Service Bus to use Relay in buffered mode (namespace=mynewnamespace). It works great except when you want to transfer a larger set of data. For this there is the streamed mode and I found this handy example (https://code.msdn.microsoft.com/How-to-send-a-large-c36ab70e), changed appropriate settings for namespace and credentials and ran the server part from the project and I get the error
{"The remote name could not be resolved:
'mynewnamespace-sb.accesscontrol.windows.net'"}
because, of course, this ACS namespace does not exist. So I found out that I need to create the namespace the old fashioned way using PS, installed Azure CLI and run the commands below with the following result:
For a list of all Azure cmdlets type 'get-help azure'.
For a list of Windows Azure Pack cmdlets type 'Get-Command wapack'.
PS C:> azure login
info: Executing command login
|info: To sign in, use a web
browser to open the page https://aka.ms/devicelogin. Enter the code EE226448L to
authenticate. If you're signing in as an Azure AD application, use the
--username and --password parameters.
/info: Added subscription Visual Studio Enterprise with MSDN info: Setting subscription
"Visual Studio Enterprise with MSDN" as default
info: login command OK
PS C:> New-AzureSBNamespace -Name mynewnamespace2 -Location "East US" -CreateACSNamespace $true -NamespaceType Messaging
WARNING: Microsoft Azure PowerShell collects data about how users use
PowerShell cmdlets and some pro encounter. Microsoft uses this
information to improve our PowerShell cmdlets. Participation is volu
choose to participate your device automatically sends information to
Microsoft about how you use Azure Powershell.
If you choose to participate, you can stop at any time by using Azure
PowerShell as follows:
1. Use the Disable-AzureDataCollection cmdlet to turn the feature Off. The cmdlet can be found in the AzureResourceManager module To disable
data collection: PS > Disable-AzureDataCollection
If you choose to not participate, you can enable at any time by using
Azure PowerShell as follows:
1. Use the Enable-AzureDataCollection cmdlet to turn the feature On. The cmdlet can be found in the AzureResourceManager module To enable
data collection: PS > Enable-AzureDataCollection
Select Y to enable data collection [Y/N]: WARNING: You choose not to
participate in Microsoft Azure PowerShell data collection. WARNING:
The setting profile has been saved to the following path
'C:\Users\PDube\AppData\Roaming\Windows Azure Powershell\AzureDataCollectionProfile.json'.
New-AzureSBNamespace :
Object reference not set to an instance of an object. At line:1 char:1
+ New-AzureSBNamespace -Name mynewnamespace2 -Location "East US" -CreateACSNamespace $ ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : CloseError: (:) [New-AzureSBNamespace], NullReferenceException
+ FullyQualifiedErrorId : Microsoft.WindowsAzure.Commands.ServiceBus.NewAzureSBNamespaceCommand
I tried to create the new namespace using Azure CLI on 2 different computers, thinking the first install was corrupted, but I get the exact same error.
How can I fix this error?

Querying AD from Powershell

I'm new to Powershell and AD. I have troubles using AD module for PS. I get the following error using any command:
Get-ADDomain : Unable to contact the server. This may be because this server does not exist, it is currently down, or it does not have the Active Directory Web Services
running.
At line:2 char:1
+ Get-ADDomain -Current LocalComputer
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ResourceUnavailable: (lon.intensive.int:ADDomain) [Get-ADDomain], ADServerDownException
+ FullyQualifiedErrorId : ActiveDirectoryServer:0,Microsoft.ActiveDirectory.Management.Commands.GetADDomain
What is interesting I'm able to use ADExplorer and see domain, users and all their attributes. How does ADExplorer differ from scripts in Powershell?
What operating system are your domain controllers? The AD cmdlets have to connect to a domain controller that's running Active Directory Web Services. This is automatic on Windows 2008 R2 and newer domain controllers, but on Windows 2008 and Windows 2003 you need to install it separately. Ideally, you've gotten rid of all of your Windows 2003 DCs because it's out of support. 2008 is getting pretty old too. But if you can't, then you should install ADWS on all of the downlevel DCs so that you can use the AD cmdlets.
You can use Get-ADDomainController-Discover -Service ADWS to find a DC running it. You could use the result of that call in the -Server parameter of the rest of the AD cmdlets (or use $PSDefaultParameterValues to set it once in the script). But if that doesn't return any DCs, then you need to install ADWS.