Create Unified and Dynamic Membership Office 365 group via PowerShell in AzureAD - powershell

In the GUI of Azure it is really easy to do this: you simply create a new Office 365 group and set dynamic rules, but it seems difficult to do via PowerShell. The closest I can get is using the following PowerShell line. It seems to error out on the group types portion. I can't seem to get it to create a group with both types; my guess is I am just not formatting it correctly. I am using the AzureADPreview module at version 2.0.2.85 since the normal AzureAD module does not work at all for this.
New-AzureADMSGroup -DisplayName "name" -Description "description" -MailEnabled $True -MailNickName "MailName" -SecurityEnabled $True -GroupTypes 'Unified, DynamicMembership' -MembershipRule '(user.userPrincipalName -contains "somafeasokdfalksjfjlkads")' -MembershipRuleProcessingState $true
gives me the error:
Code: Request_BadRequest
Message: Invalid value specified for property 'groupTypes' of resource 'Group'.
(screenshot: GUI Creation)
(screenshot: PowerShell Get)
https://learn.microsoft.com/en-us/powershell/module/azuread/new-azureadmsgroup?view=azureadps-2.0
The gist is I am trying to find a PowerShell way to get an Azure group like the second photo, i.e. both dynamic and unified.

I figured out a workaround: you can create the group just as Unified, then use a script Microsoft posted:
https://learn.microsoft.com/en-us/azure/active-directory/users-groups-roles/groups-change-type
I had to modify it to get it to work, but basically I ran the following:
$knowngoodgroup = 'INSERTGUID'
$BadGroup = 'INSERTGUID'
$memberRule = 'INSERTMEMBERRULE'
[System.Collections.ArrayList]$groupTypes = (Get-AzureAdMsGroup -Id $knowngoodgroup).GroupTypes
Set-AzureAdMsGroup -Id $BadGroup -GroupTypes $groupTypes.ToArray() -MembershipRuleProcessingState "On" -MembershipRule $memberrule
My guess is they will fix this in the future.
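As an added example (not the poster's code), the same two-step approach as a function: create the group as Unified, then switch on dynamic membership with Set-AzureADMSGroup and read the result back. It assumes an active Connect-AzureAD session with AzureADPreview loaded, that -GroupTypes accepts an array directly (the workaround above copies the list from an existing group instead), and uses placeholder names and a placeholder membership rule.

```powershell
# Added example: create a Unified group, then make it dynamic and verify the result.
# Assumes Connect-AzureAD has been run with the AzureADPreview module loaded.
function New-DynamicUnifiedGroup {
    param(
        [Parameter(Mandatory)] [string] $DisplayName,
        [Parameter(Mandatory)] [string] $MailNickname,
        [Parameter(Mandatory)] [string] $MembershipRule,
        [string] $Description = ''
    )

    # Step 1: create a plain Microsoft 365 (Unified) group.
    $group = New-AzureADMSGroup -DisplayName $DisplayName -Description $Description `
        -MailEnabled $true -MailNickname $MailNickname -SecurityEnabled $true `
        -GroupTypes @('Unified')

    # Step 2: add DynamicMembership to the group types and supply the rule.
    # GroupTypes is passed as an array, not one comma-separated string, and
    # MembershipRuleProcessingState is a string ("On" / "Paused"), not a boolean.
    [string[]] $types = @('Unified', 'DynamicMembership')
    Set-AzureADMSGroup -Id $group.Id -GroupTypes $types `
        -MembershipRule $MembershipRule -MembershipRuleProcessingState 'On'

    # Step 3: read back and confirm both types and an active rule. A dynamic rule
    # decides who gets the group's mailbox, site and Teams access, so check it.
    $check = Get-AzureADMSGroup -Id $group.Id
    $ok = ($check.GroupTypes -contains 'Unified') -and
          ($check.GroupTypes -contains 'DynamicMembership') -and
          ($check.MembershipRuleProcessingState -eq 'On')
    if (-not $ok) {
        throw "Group $($check.Id) was created but is not Unified + Dynamic with processing On."
    }
    return $check
}

# Placeholder values; keep dynamic rules as narrow as the business case allows.
New-DynamicUnifiedGroup -DisplayName 'Finance Team' -MailNickname 'finance-team' `
    -MembershipRule '(user.department -eq "Finance")' -Description 'Dynamic Finance group'
```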

Related

Is there an alternative way for Set-UnifiedGroup -UnifiedGroupWelcomeMessageEnabled?

A couple of years ago, we made a provisioning script which creates a unified group with PnP PowerShell. As there was no other way to disable the welcome message for new group members, we had to connect to Exchange and disable the welcome message with Exchange Online PowerShell using Set-UnifiedGroup -UnifiedGroupWelcomeMessageEnabled.
Due to changed requirements of the customer as a result of the status of legacy auth at Microsoft, legacy authentication will no longer be available soon and should be disabled in our customer's environment ASAP.
And now the trouble begins. As we have an older environment with Exchange Online PowerShell V2 running on PowerShell 5, we can't connect with -ManagedIdentity but we would have to connect with a certificate to run the unattended script.
Now we encountered the next problem: according to this documentation at Microsoft Learn, the cmdlet Set-UnifiedGroup will not work with app-only authentication for unattended scripts in Exchange Online PowerShell V2.
So we had a look into the MS Graph API documentation for updating groups to find out if there is a property to achieve disabling the welcome message, but it seems that there is none.
Long story short, is there any way to update the group through an unattended script without legacy authentication, using Exchange Online PowerShell V2 on PowerShell 5? Upgrading PowerShell and the Exchange module would affect a bunch of other provisioning scripts where we are currently already able to connect with the -ManagedIdentity parameter.
It seems to me that the resourceBehaviorOptions property on the group resource object is what you are looking for.
It specifies the group behaviors that can be set for a Microsoft 365 group during creation. This can be set only as part of creation (POST) (the New-MgGroup PowerShell cmdlet).
One of the possible values for resourceBehaviorOptions is WelcomeEmailDisabled. If the value is specified, welcome emails are not sent to new members.
Example:
Import-Module Microsoft.Graph.Groups
# Hashtable and array literals use @{ } and @( ) in PowerShell
$params = @{
    Description = "My new group"
    DisplayName = "Groupxxx"
    GroupTypes = @(
        "Unified"
    )
    MailEnabled = $true
    MailNickname = "library"
    SecurityEnabled = $false
    ResourceBehaviorOptions = @(
        "WelcomeEmailDisabled"
    )
}
New-MgGroup -BodyParameter $params

Best way to authenticate an Azure Automation Powershell script

I'm trying to implement a fairly simple PowerShell query, hosted in Azure Automation, to manage External Identities.
I've set up a System Managed Identity and have successfully connected using Connect-AzAccount -Identity.
But when I run it, it says: You must call the Connect-AzureAD cmdlet before calling any other cmdlets
The next cmdlet is Get-AzureADPolicy, which I think triggered the above message.
Following this blog, I tried this:
$AzureContext = Set-AzContext -SubscriptionName $AzureContext.Subscription -DefaultProfile $AzureContext -ErrorAction Stop
Connect-AzureAD -TenantId $AzureContext.Tenant.TenantId -AccountId $AzureContext.Account.Id
and I get this: Unable to find an entry point named 'GetPerAdapterInfo' in DLL 'iphlpapi.dll'
I am not at all sure now what to do; any help appreciated.
PS: I'm aware there are quite a few related questions, but I have not been able to find an answer to this particular query ...
I was having the same issue and I resolved it by using the below commands. I have added comments to underline what each statement is meant for.
# Ensures you do not inherit an AzContext in your runbook. Out-Null is used to disable any output from this Cmdlet.
Disable-AzContextAutosave -Scope Process | Out-Null
# Connect to Azure with system-assigned managed identity.
$AzureContext = (Connect-AzAccount -Identity).context
# set and store context. Out-Null is used to disable any output from this Cmdlet.
Set-AzContext -SubscriptionName $AzureContext.Subscription -DefaultProfile $AzureContext | Out-Null
With help from M/S support, I can now clarify the issue. The core point is that it is not possible to authenticate for AzureAD (with Connect-AzureAD) using Managed Identity; a Run As account must be used, at least currently.
Further, for our use case, the Run As account had to have the "Global Admin" role; "Owner" was not sufficient.
It is of course possible to use Managed Identity for managing other Azure resources (using Connect-AzAccount).

Powershell Block Credential on MS Graph

I currently have a Powershell script that is run when users are being terminated and one of the commands is Set-MsolUser -UserPrincipalName $UPN -BlockCredential $true. Given that Microsoft is retiring the MSOnline module later this year (as stated here), I have been migrating several of our scripts to use the Graph Powershell module.
I know that Microsoft created new cmdlets for Graph that are supposed to mimic the cmdlets for MSOnline, and the corresponding cmdlet is Update-MgUser, but in the documentation I do not see any parameter for -BlockCredential.
I was just wondering what the Graph equivalent for Set-MsolUser -BlockCredential $true might be. I would like to get away from MSOnline not only because it is being retired but also because I need it to run in Powershell 7.
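As an added example (not from the question or its thread), the offboarding step rewritten against the Graph module. It assumes Microsoft.Graph.Users and Microsoft.Graph.Users.Actions are installed, that Connect-MgGraph has been run with User.ReadWrite.All, and that the accountEnabled property is the counterpart of -BlockCredential; the UPN is a placeholder.

```powershell
# Added example: Graph equivalent of Set-MsolUser -BlockCredential $true.
# Assumes Connect-MgGraph -Scopes 'User.ReadWrite.All' has already been run.
function Disable-TerminatedUser {
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName,
        [switch] $RevokeSessions
    )

    # accountEnabled = false blocks sign-in while keeping the account, mailbox
    # and licenses in place, which is what -BlockCredential $true did in MSOnline.
    Update-MgUser -UserId $UserPrincipalName -AccountEnabled:$false

    # Blocking sign-in does not invalidate tokens already issued; revoking
    # refresh tokens makes existing sessions expire once access tokens lapse.
    if ($RevokeSessions) {
        Revoke-MgUserSignInSession -UserId $UserPrincipalName | Out-Null
    }

    # Read the property back and fail loudly if the block did not take effect.
    $user = Get-MgUser -UserId $UserPrincipalName -Property Id, UserPrincipalName, AccountEnabled
    if ($user.AccountEnabled) {
        throw "Sign-in for $UserPrincipalName is still enabled; termination step failed."
    }
    return $user
}

# Placeholder UPN; runs on PowerShell 7 since the Graph module supports it.
Disable-TerminatedUser -UserPrincipalName 'leaver@contoso.com' -RevokeSessions
```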

Error while setting the DenyAddAndCustomizePages property of tenant site using PnP Powershell

I am trying to set the DenyAddAndCustomizePages property of my tenant site using the script below, but it gives an error. What should be the alternative for using it with the new PnP.PowerShell module? Our project was running for several months with SharePointPnPPowerShell, but as this is now deprecated and not supported anymore, after installing PnP.PowerShell we are seeing lots of issues.
Method invocation failed because [PnP.PowerShell.Commands.Model.SPOSite] does not contain a method named 'update'.
I tried to include Import-Module Microsoft.Online.SharePoint.PowerShell -Scope "Local" as described at the end of the article below but that did not work.
https://learn.microsoft.com/en-us/answers/questions/258967/problems-with-update-method-to-change-conditional.html
$site = Get-PnPTenantSite -Detailed -Url $Url
$site.DenyAddAndCustomizePages = "Disabled"
$site.Update() | Out-Null
I'm guessing you found the answer by now? If not, have you tried this?
Set-PnpTenantSite -Identity $siteUrl -DenyAddAndCustomizePages:$false | Out-Null
Tks.
Alex

azure AD powerShell edit manager

I have written a DotNet Forms application which uses PowerShell automation to create and modify users in on-premise AD, on-premise Exchange, Azure AD and O365 to match records provided by HR. This has been in use by a customer for a few years and works fine.
The code makes use of the Azure Active Directory Module for Windows PowerShell (MSOnline - MSOL) to view and edit users in Azure AD. I originally used MSOL version 8073.4 but I've since upgraded to MSOL version 1.1.166.0
(see http://social.technet.microsoft.com/wiki/contents/articles/28552.microsoft-azure-active-directory-powershell-module-version-release-history.aspx)
For example I'd use the following PowerShell to modify a user's title:
Import-Module MSOnline
$Cred = Get-Credential
Connect-MSOLService -Credential $Cred
Set-MSOLUser -UserPrincipalName Santa@northpole.com -Title 'Deliverer of presents'
Everything was fine until I was asked to extend the code to update each Azure AD user's "Manager ID" attribute. Easy, I thought! I just need to update the user's "Manager ID" field (which is the ObjectID of the manager's Azure AD account) just like I update the title.
Er, no. I can't find any way to change the manager field. I've gone over and over the MSDN documentation and cannot find any method to do this:
So I looked at the new v2 Azure AD modules which are in preview at the moment (mentioned in the above release history URL) and can be downloaded from the PowerShell Gallery (search for "AzureADPreview").
These are ultimately going to replace the old MSOL cmdlets and look very similar to the existing Azure PowerShell modules (for creating VMs etc).
This does provide support for setting a user's "manager ID" via the command Set-AzureADUserManager, and I've tried this and it works, so I thought I'd update my application to use the new v2 APIs instead of the v1 APIs (MSOL).
Unfortunately I found that the Set-AzureADUser command (used to set attributes like job title) is completely broken in v2.0.0.1 and fails with the error "Exception has been thrown by the target of the invocation" for any combination that I try. I've reported this to the developers via the PowerShell Gallery.
Luckily I found that the previous version 1.1.167.0 of these modules works fine so I'm using that version and can now successfully create users, modify users, configure the user's "Manager ID" but I cannot work out how to set licenses (e.g. O365_BUSINESS_PREMIUM). The documentation for the command Set-AzureADUserLicense is pretty much non-existent and I've been unable to work out how to use it.
I think I need to do the following:
# Create an object which contains the individual license 'x' I want to add
# The available license SkuIDs can be read from Get-AzureADSubscribedSku
$MySingleLicenseToAdd = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicense
$MySingleLicenseToAdd.SkuID = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
# Create a licenses object which is assigned the individual licenses I want to add or remove
$MyLicensesToAddOrRemove = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicenses
$MyLicensesToAddOrRemove.AddLicenses = $MySingleLicenseToAdd
$MyLicensesToAddOrRemove.RemoveLicenses = $Null
# Perform the license action against the specified user 'y'
Set-AzureADUserLicense -ObjectId 'yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyy' -AssignedLicenses $MyLicensesToAddOrRemove
but it fails on the second line of code saying that "SkuID" is a read-only field.
So I can't use the V1 (MSOL) APIs because I cannot find a way to update the user's "Manager ID" field.
I can't use the V2 APIs because I cannot find a way to assign licenses (and it's in preview so not a great idea to use in live)
My current plan is to go back to using the V1 APIs but then make use of the V2 APIs to update the "Manager ID" field only, but this is hardly an ideal solution (because I'll be signed into Azure twice with two different APIs) so I was wondering if anyone could provide any suggestions?
My preference would be to use the v1 (MSOL) APIs to update the "Manager ID" field.
My second preference would be to use the v2 APIs and learn how to assign licenses.
My third preference is anything else ;)
I have read one article about using the REST APIs directly, but that was WAY heavy and I'd prefer to avoid and stick with an Azure PowerShell API if possible.
Sorry about the looooong question, but I was trying to provide some context as to why I'm trying to use the V2 APIs.
Update (23/09/2016):
AzureADPreview 2.0.0.2 was just released and it fixes the problem with Set-AzureADUser :) but unfortunately partially breaks Set-AzureADUserManager :(
Same problem with licenses with this new version
Here is an example of how you can use the Set-AzureADuserLicense cmdlet to set licenses for a user.
Please let me know if this clarifies.
# Get the License SkuId from a template user that we want to apply to the new user
$licensedUser = Get-AzureADUser -ObjectId "TemplateUser@contoso.com"
# Get the new user we want to apply the license to
$user = Get-AzureADUser -ObjectId "newuser@contoso.com"
# Create the new License object
$license = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicense
$license.SkuId = $licensedUser.AssignedLicenses.SkuId
# Create the Licenses Table and add the license from above
$licenses = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicenses
$licenses.AddLicenses = $license
# Apply the license to the new user
Set-AzureADUserLicense -ObjectId $user.ObjectId -AssignedLicenses $licenses
Thanks for replying. Rob.
The code you supplied is the same as what I was trying (see the code in my original question) with the exception that you retrieve the SkuID from an existing user.
Since two new versions of AzureADPreview have since been released (2.0.0.7 and 2.0.0.17), this prompted me to try again with the new versions of AzureADPreview and also the original versions that were available when I originally posted.
My results are as follows:
2.0.0.1: Doesn't work. Read-Only error.
2.0.0.2: Doesn't work. Read-Only error.
2.0.0.7: Works
2.0.0.17: Works
So basically it was a fault in the original versions of AzureADPreview but Microsoft have since fixed it.
All working now.
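As an added example (not the thread's own code), the licensing step from the question and the answer above combined into one function: it resolves the SKU by part number (e.g. O365_BUSINESS_PREMIUM from the question) instead of hard-coding a GUID, checks seat availability and UsageLocation before assigning, and can remove SKUs in the same call. It assumes an AzureAD/AzureADPreview session on a version where Set-AzureADUserLicense works (2.0.0.7 or later per the thread); the UPN is a placeholder.

```powershell
# Added example: assign (and optionally remove) licenses by SKU part number.
# Assumes Connect-AzureAD has been run with AzureADPreview 2.0.0.7 or later.
function Set-UserLicenseBySku {
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName,
        [Parameter(Mandatory)] [string] $AddSkuPartNumber,
        [string[]] $RemoveSkuPartNumbers = @(),
        [string] $UsageLocation = 'US'
    )

    # License assignment fails when the user has no UsageLocation set.
    $user = Get-AzureADUser -ObjectId $UserPrincipalName
    if (-not $user.UsageLocation) {
        Set-AzureADUser -ObjectId $user.ObjectId -UsageLocation $UsageLocation
    }

    # Resolve the SKU and make sure the tenant still has a free seat.
    $skus = Get-AzureADSubscribedSku
    $sku = $skus | Where-Object SkuPartNumber -eq $AddSkuPartNumber
    if (-not $sku) { throw "SKU '$AddSkuPartNumber' is not subscribed in this tenant." }
    if ($sku.ConsumedUnits -ge $sku.PrepaidUnits.Enabled) {
        throw "No free seats for '$AddSkuPartNumber' ($($sku.ConsumedUnits)/$($sku.PrepaidUnits.Enabled))."
    }

    # AssignedLicense holds the SkuId; AssignedLicenses holds what to add/remove.
    $license = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicense
    $license.SkuId = $sku.SkuId
    $licenses = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicenses
    $licenses.AddLicenses = $license
    if ($RemoveSkuPartNumbers.Count -gt 0) {
        # RemoveLicenses is a list of SkuId values, not AssignedLicense objects.
        $licenses.RemoveLicenses = @($skus |
            Where-Object { $RemoveSkuPartNumbers -contains $_.SkuPartNumber } |
            ForEach-Object SkuId)
    }

    Set-AzureADUserLicense -ObjectId $user.ObjectId -AssignedLicenses $licenses

    # Read back and return the SKU part numbers now assigned to the user.
    $assigned = (Get-AzureADUser -ObjectId $user.ObjectId).AssignedLicenses.SkuId
    return $skus | Where-Object { $assigned -contains $_.SkuId } |
        Select-Object -ExpandProperty SkuPartNumber
}

# Placeholder UPN and the SKU named in the question.
Set-UserLicenseBySku -UserPrincipalName 'newuser@contoso.com' -AddSkuPartNumber 'O365_BUSINESS_PREMIUM'
```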