I am currently using O365 Graph API to create services for customers and realized that some of the capabilities that customers need, i.e. creating transport rules or accessing quarantined email information, are only available through PowerShell.
Can a vendor create transport rules or execute PowerShell commands for their customers? Similar to how vendors register their Azure AD application and request permissions, is there a way to run PowerShell command for customers by a vendor?
Documentation is not really helpful on this front.
When using Graph, I don't think you can, but if you want to do it with Powershell, if you're a Microsoft Partner, and have configured yourself as an advisor (delegated access permissions) for your clients (invite them to add you, or add yourself if you have their consent and global admin access to their tenancy).
Adding a partner to a tenant:
https://learn.microsoft.com/en-us/partner-center/customers_revoke_admin_privileges
See a bit of additional info here:
https://learn.microsoft.com/en-us/office365/enterprise/powershell/manage-office-365-tenants-with-windows-powershell-for-delegated-access-permissio
When running Powershell commands, you'll need to refer to the TenantID when running a command on the client's tenancy (rather than your own).
A simple example of this might be:
Get a list of TenantIDs:
Get-MsolPartnerContract -All | Select-Object TenantId
Get a list of mailboxes for one of the TenantIds listed above:
Get-Mailbox -TenantID "asddfsdfadfg-dsfgsdfg-sdfgsdfg-dsfgsdfg"
This relies on you having logged into the Powershell session with a user that has administrative 'Partner' permissions in your partner tenancy.
Hopefully that helps somewhat!
Related
I would like to run a one-off automated PowerShell task on my server but on behalf of other user/organization. For simplicity, this task should get list of inbound connectors (Get-InboundConnector).
Import-Module ExchangeOnlineManagement
# authentication step
Get-InboundConnector
As for authentication method, my thoughts is that I could use Connect-ExchangeOnline -Device (Device Based Log-In) in my script, somehow parse the unique code and send it to the user, once he enters the code in his browser and approves, the script will resume running.
What are other possible authentication methods that could work in this situation?
Can I create a PowerShell application in Azure that requests from the user permission to manage his Exchange Online account and then ask him (thru UI) to grant this application the required permissions so it can be used to run the PowerShell script using access tokens & refresh tokens?
Few notes:
Hardcoding user credentials is not an option (Connect-ExchangeOnline -InlineCredential is a no go)
I don't want to ask the user to start configuring things on his end (should be as lazy as possible for him)
REST API would be the best option (as far as I know it is not supported by Microsoft Graph)
I'm relatively new to the whole Microsoft environment and this has been tickling my brain for a while. What exactly is the difference between company users present, for example, in the Microsoft 365 admin center and on AzureAD for propery-editting purposes? Are they both synced together, do they serve different purposes? Most powershell scripts I find to retrieve, for example, all users and properties use cmdlets such as Get-AzureADuser, hence the question.
Thank you in advance!
They are the same.
The basic attributes of the users are stored in Azure AD and you can use Microsoft Graph to query them easily.
The difference between them is:
In O365 admin center, you can manage the access to resources under O365 subscriptions. For example: Exchange Online, SharePoint online, Teams Online and so on. But in Azure Portal, you can manage the access to resources under Azure subscription, such as Azure web app, Azure AD app registration, Azure VM, Azure security group and so on.
The company users indeed are Azure AD users. It's just called differently according to the environment (O365 or Azure AD).
Get-AzureADuser is under Azure AD PowerShell Module. You can also use Get-MsolUser which is under MSOnline PowerShell Module (it's old O365 Module) to get the users.
I want to access the
Azure Portal -> Azure Active Directory->User Settings
via a powershell commandlet.
Currently I have tried
Get-MsolCompanyInformation
which gives limited data about these settings. Not all settings access (true/false) comes up with this commandlet.
Can someone give the commandlet(s) by which I can get whether these settings are enabled/disabled for a tenant?
For now, there is no command to list those informations in msol powershell module and Azure AD powershell module v2.
As a workaround, we can use role to control those permission.
We can use Azure AD powershell V2 to list roles:Get-AzureADDirectoryRole.
Then we can use this command to list the members of this role: Get-AzureADDirectoryRoleMember.
To create role, we can list the role template with this commmand Get-AzureADDirectoryRoleTemplate
PS C:\Users> Get-AzureADDirectoryRoleTemplate
ObjectId DisplayName Description
-------- ----------- -----------
729827e3-9c14-49f7-bb1b-9608f156bbb8 Helpdesk Administrator Helpdesk Administrator has access to perform common helpdesk related tasks.
f023fd81-a637-4b56-95fd-791ac0226033 Service Support Administrator Service Support Administrator has access to perform common support tasks.
b0f54661-2d74-4c50-afa3-1ec803f12efe Billing Administrator Billing Administrator has access to perform common billing related tasks.
4ba39ca4-527c-499a-b93d-d9b492c50246 Partner Tier1 Support Allows ability to perform tier1 support tasks.
e00e864a-17c5-4a4b-9c06-f5b95a8d5bd8 Partner Tier2 Support Allows ability to perform tier2 support tasks.
88d8e3e3-8f55-4a1e-953a-9b9898b8876b Directory Readers Allows access to various read only tasks in the directory.
29232cdf-9323-42fd-ade2-1d097af3e4de Exchange Service Administrator Exchange Service Administrator.
75941009-915a-4869-abe7-691bff18279e Lync Service Administrator Lync Service Administrator.
fe930be7-5e62-47db-91af-98c3a49a38b1 User Account Administrator User Account Administrator has access to perform common user management related tasks.
9360feb5-f418-4baa-8175-e2a00bac4301 Directory Writers Allows access read tasks and a subset of write tasks in the directory.
62e90394-69f5-4237-9190-012177145e10 Company Administrator Company Administrator role has full access to perform any operation in the company scope.
a0b1b346-4d3e-4e8b-98f8-753987be4970 User Every user is implicitly considered to be a member of the User Role.
f28a1f50-f6e7-4571-818b-6a12f2af6b6c SharePoint Service Administrator SharePoint Service Administrator.
d405c6df-0af8-4e3b-95e4-4d06e542189e Device Users Device Users
9f06204d-73c1-4d4c-880a-6edb90606fd8 Device Administrators Device Administrators
9c094953-4995-41c8-84c8-3ebb9b32c93f Device Join Device Join
c34f683f-4d5a-4403-affd-6615e00e3a7f Workplace Device Join Workplace Device Join
17315797-102d-40b4-93e0-432062caca18 Compliance Administrator Compliance administrator.
d29b2b05-8046-44ba-8758-1e26182fcf32 Directory Synchronization Accounts Directory Synchronization Accounts
2b499bcd-da44-4968-8aec-78e1674fa64d Device Managers Allows access to read and edit device properties.
9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3 Application Administrator Application Administrator role has access to perform common application management related tasks.
cf1c38e5-3621-4004-a7cb-879624dced7c Application Developer Application Developer role has ability to create single-tenant applications.
5d6b6bb7-de71-4623-b4af-96380a352509 Security Reader Security Reader allows ability to read security information and reports.
194ae4cb-b126-40b2-bd5b-6091b380977d Security Administrator Security Administrator allows ability to read and manage security configuration and reports.
e8611ab8-c189-46e8-94e1-60213ab1f814 Privileged Role Administrator Privileged Role Administrator has access to perform common role management related tasks.
3a2c62db-5318-420d-8d74-23affee5d9d5 Intune Service Administrator Intune Service Administrator has full access in the Intune Service.
158c047a-c907-4556-b7ef-446551a6b5f7 Cloud Application Administrator Cloud Application Administrator has the ability to create applications and update all cloud properties of applications.
5c4f9dcd-47dc-4cf7-8c9a-9e4207cbfc91 Customer LockBox Access Approver Customer LockBox Access Approver has approval access to user data requests.
44367163-eba1-44c3-98af-f5787879f96a CRM Service Administrator CRM Service Administrator has full access in the CRM Service.
a9ea8996-122f-4c74-9520-8edcd192826c Power BI Service Administrator Full access in the Power BI Service.
95e79109-95c0-4d8e-aee3-d01accf2d47b Guest Inviter Guest Inviter has access to invite guest users.
b1be1c3e-b65d-4f19-8427-f6fa0d97feb9 Conditional Access Administrator Allows management of all conditional access capabilities.
More information about Azure AD powershell V2, please refer to this link.
I'm trying to create a new Azure AD user via PowerShell.
I created a global admin in the portal:
I run Connect-MsolService without any issues.
However, running New-MsolUser -UserPrincipalName ... fails with insufficient permissions:
Any idea what is the issue?
If the login account for Connect-MsolService doesn't have sufficient permissions, for example, the account only has common user permissions, you might encounter the insufficient permissions problem.
However, if you create an account with Global administrator privileges in either new portal or classic portal, and use this account for login with Connect-MsolService, then you can create a new user by using the command 'New-MsolUser' successfully. Also, please note for the parameter '-UserPrincipalName', you must use the initial domain name for suffix, i.e. 'xxxxxx.onmicrosoft.com', or the customized domain verified in AzureAD.
Currently, there are two PowerShell modules for Azure AD: AzureAD and MSOnline.
MSOnline is the old module, which can still provide functionality that is not yet available in the AzureAD module. In future, the older MSOnline module will be deprecated when all of the functionality has been migrated to the newer module - AzureAD.
Therefore, it's encouraged to use the newer AzureAD module.
More details about Azure AD PowerShell, please refer to the following documentation.
https://learn.microsoft.com/en-us/powershell/azure/overview?view=azureadps-2.0
The helpdesk will be using a script I wrote to set out of office replies and to modify folder permissions but are running into permission issues using them. Is there any resource that would indicate what permissions each powershell command in the exchange cmdlet takes to be able to be ran? Failing that does anyone know the specific permissions needed to set OoO and modify folder permissions?
I did find this that gives specific roles needed to do various things but it's not quite what I'm looking for. These roles give access to far more than what we need.
EDIT: The Auto Reply role is all that is required to set allow use of the Set-MailboxAutoReplyConfiguration. Looking into the others still.
That seems to be as granular as the roles get.
If you want to restrict them further, you can set up one or more remote sessions they can connect to that use a delegated account that is an Exchange role member, and constrain the session to just being able to run your script.