How to reset password for Azure AD account - powershell

I am trying to reset the password of one Azure AD account with the Set-AzureRMADUser cmdlet, but it is throwing the error "Set-AzureRmADUser : Property passwordProfile.password is invalid." Could you please check?
Below is the code.
Set-AzureRmADUser -UserPrincipalName XXXX -Password (ConvertTo-SecureString -String "XXXXX" -Force -AsPlainText)
Below is the complete error.
Set-AzureRmADUser : Property passwordProfile.password is invalid.
At line:1 char:1
+ Set-AzureRmADUser -UserPrincipalName admin#mit1openlinkcloud.onmicros ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [Update-AzureRmADUser], Exception
+ FullyQualifiedErrorId : Microsoft.Azure.Commands.ActiveDirectory.UpdateAzureADUserCommand

You could try the command below.
Set-AzureADUserPassword -ObjectId <ObjectId> -Password <Password>
Refer to the link.
Update:
It may be caused by your SecureString format; the password must meet the tenant's password complexity requirements. Refer to Password policy in Azure AD. You could refer to my specific command, which works fine.
$Password = ConvertTo-SecureString -String "P#ssW0rD!" -Force -AsPlainText
Set-AzureADUserPassword -ObjectId "ce336193xxxxxxxx" -Password $Password
Try to log in to the Azure portal using the new password; it works fine.
Besides, I suppose the error from the command you posted may be caused by this too; you could check it.
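As an added example (not from the original answer), the same Set-AzureADUserPassword reset written so the new password is never typed into the script, and so the reset leaves no reusable credential with the admin. It assumes the AzureAD module is loaded and Connect-AzureAD has already been run; the parameter name and the error handling are my additions.

```powershell
# Added example: reset an Azure AD user's password without a plaintext password in the script.
# Assumes the AzureAD module and an existing Connect-AzureAD session.
param(
    [Parameter(Mandatory)] [string] $UserPrincipalName
)

# Read the new password as a SecureString: it does not appear in the script,
# the console history or any transcript.
$newPassword = Read-Host -Prompt "New password for $UserPrincipalName" -AsSecureString

# Set-AzureADUserPassword takes -ObjectId; Get-AzureADUser -ObjectId accepts a UPN as well,
# so resolve the user first and fail clearly if it does not exist.
try {
    $user = Get-AzureADUser -ObjectId $UserPrincipalName -ErrorAction Stop
} catch {
    throw "User '$UserPrincipalName' was not found in this tenant: $($_.Exception.Message)"
}

# Reset the password and force a change at next sign-in, so the person who ran the
# reset does not keep a working credential for the account.
try {
    Set-AzureADUserPassword -ObjectId $user.ObjectId -Password $newPassword `
        -ForceChangePasswordNextLogin $true -ErrorAction Stop
} catch {
    # A rejected password usually means it violates the tenant password policy
    # (length / character classes), which is what the "passwordProfile.password is invalid" message reports.
    throw "Password reset for $($user.UserPrincipalName) was rejected: $($_.Exception.Message)"
}

Write-Output "Password reset for $($user.UserPrincipalName) (ObjectId $($user.ObjectId)); change required at next sign-in."
```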

Related

Access Denied using Import-AzKeyVaultCertificate

I have a seemingly simple script for importing a PFX into Azure Key Vault. The service principal I am using is set to the Key Vault contributor role and has the access policies Get, List, Update, Create and Import. I am using certificate authentication when connecting the service principal. However, I get a very unhelpful error:
Import-AzKeyVaultCertificate : Access denied.
At line:1 char:1
+ Import-AzKeyVaultCertificate -VaultName $keyVault -Name 'AzureAuth' - ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : CloseError: (:) [Import-AzKeyVaultCertificate], CryptographicException
+ FullyQualifiedErrorId : Microsoft.Azure.Commands.KeyVault.ImportAzureKeyVaultCertificate
My Script:
$PFX = "$env:TEMP\cert-lab.pfx"
$tenantID = 'xxx'
$AppID = 'xxx'
$keyVault = 'LabKV'
$assetName = 'AzureCert'
$EncryptPass = 'PFXpassword123'
## Clear the authentication context
Clear-AzContext -Force
$PFXPass = ConvertTo-SecureString -String $EncryptPass -AsPlainText -Force
$pfxCert = Import-PfxCertificate -FilePath $PFX -CertStoreLocation Cert:\CurrentUser\My -Password $PFXPass -Exportable
$ctx = Connect-AzAccount -ServicePrincipal -Tenant $tenantID -CertificateThumbprint $pfxCert.Thumbprint -ApplicationId $AppID
Import-AzKeyVaultCertificate -VaultName $keyVault -Name $assetName -FilePath $PFX -Password $PFXPass -DefaultProfile $ctx
Interestingly, if I manually import the cert through the console, I can use the exact same code with Get-AzKeyVaultCertificate instead of Import-AzKeyVaultCertificate and successfully retrieve the certificate. This tells me that the Service Principal at least has access to retrieve certificates. I'm still at a loss as to what is causing the Import to fail.
So I ended up buying a support plan and opening a case with Microsoft. Even though I was able to directly import cert-lab.pfx and was able to verify its contents with OpenSSL, for whatever reason, Import-AzKeyVaultCertificate just did not like the file. They had me create a new file by exporting from my CAPI store to cert2.pfx. The import command worked flawlessly with the new file. I shrugged my shoulders, deleted the old file and decided to move on with my life.

Copy-Item to networkpath: incorrect user name or password

I have a PowerShell v1 script that is triggered by a PLC. It should copy a file from the desktop of the embedded PC to a network path.
If I run the script manually it works just fine, but if the script is triggered by the PLC I will get the following error:
+ CategoryInfo : NotSpecified: (:) [Copy-Item], IOException
+ FullyQualifiedErrorId : System.IO.IOException,Microsoft.PowerShell.Commands.CopyItemCommand
copy-item : The user name or password is incorrect.
Any tips, why I get this error, would be very much appreciated!
Thanks for your help @TheIncorrigible1; after reading your comment I found the problem!
The problem was that the script started by the PLC runs under a different user from the manually started script.
So the workaround is to first start PowerShell with the correct credentials from another script. For example, like so:
$usr = 'XXX'
$paswrd = 'XXX'
$securePassword = ConvertTo-SecureString $paswrd -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential $usr, $securePassword
$args = "/path to your script"
Start-Process powershell.exe -Credential $credential -ArgumentList ("-file $args")
downside... password in plain text...

Add-AzureRmAccount : Sequence contains no element (Not working for Gmail accounts too)

I have created a 'Free Trial' account with my personal email ID which is a Gmail ID. I'm getting the error :
Add-AzureRmAccount : Sequence contains no elements At line:1 char:1
+ Add-AzureRmAccount -Credential $cred
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : CloseError: (:) [Add-AzureRmAccount], AadAuthenticationFailedException
+ FullyQualifiedErrorId : Microsoft.Azure.Commands.Profile.AddAzureRMAccountCommand
The code I'm running is
$username = "abc@gmail.com"
$password = "something"
$secpass = $password | ConvertTo-SecureString -AsPlainText -Force
$cred = new-object -typename System.Management.Automation.PSCredential -argumentlist $username, $secpass
Add-AzureRmAccount -Credential $cred
Are there certain type of accounts/subscriptions for which logging in like this is supposed to work?
Windows Live ID credentials cannot be used for a non-interactive login. This error message is described as part of this issue which has been raised because it needs improving.
I think you either need to use Login-AzureRmAccount to login interactively or create a Service Principal for login, per this guide: https://learn.microsoft.com/en-us/powershell/azure/authenticate-azureps?view=azurermps-4.2.0
Log in with a service principal
Service principals provide a way for you to create non-interactive accounts that you can use to manipulate resources. Service principals are like user accounts to which you can apply rules using Azure Active Directory. By granting the minimum permissions needed to a service principal, you can ensure your automation scripts are even more secure.
If you don't already have a service principal, create one.
Log in with the service principal:
Login-AzureRmAccount -ServicePrincipal -ApplicationId "http://my-app" -Credential $pscredential -TenantId $tenantid
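The quoted guide's "minimum permissions" point, carried through as an added example (not from the answer or the Microsoft guide): create the service principal, grant it only the Reader role on one resource group, then sign in with it non-interactively. It assumes AzureRM.Resources 6.x, where New-AzureRmADServicePrincipal takes -DisplayName and a SecureString -Password; the display name, resource group and the retry loop are my choices.

```powershell
# Added example: least-privilege service principal for non-interactive AzureRM login.
# Assumes an interactive Login-AzureRmAccount session with rights to create apps and role assignments.
param(
    [string] $DisplayName = 'automation-reader-sp',   # placeholder name
    [Parameter(Mandatory)] [string] $ResourceGroupName
)

# Generate the client secret as a SecureString; it is only ever held in memory here.
$secret = Read-Host -Prompt 'Client secret for the new service principal' -AsSecureString

# One call creates the app registration and its service principal (AzureRM 6.x).
$sp = New-AzureRmADServicePrincipal -DisplayName $DisplayName -Password $secret -ErrorAction Stop

# Scope the grant to a single resource group and the narrowest built-in role that does the job.
# No subscription-wide Contributor/Owner: a leaked secret then only exposes read access to one group.
# Role assignments can take a moment to resolve the new principal, so retry briefly.
$assigned = $false
for ($i = 0; $i -lt 6 -and -not $assigned; $i++) {
    try {
        $null = New-AzureRmRoleAssignment -ApplicationId $sp.ApplicationId `
            -RoleDefinitionName 'Reader' -ResourceGroupName $ResourceGroupName -ErrorAction Stop
        $assigned = $true
    } catch {
        Start-Sleep -Seconds 10
    }
}
if (-not $assigned) { throw "Could not assign Reader on $ResourceGroupName to $($sp.ApplicationId)" }

# Non-interactive login as the principal, the shape shown in the guide quoted above.
$tenantId  = (Get-AzureRmContext).Tenant.Id
$pscred    = New-Object System.Management.Automation.PSCredential ($sp.ApplicationId, $secret)
$null = Login-AzureRmAccount -ServicePrincipal -ApplicationId $sp.ApplicationId `
    -Credential $pscred -TenantId $tenantId -ErrorAction Stop

# Prove the scope: the principal can list resources in its group and nothing else.
Get-AzureRmResource -ResourceGroupName $ResourceGroupName | Select-Object Name, ResourceType
```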

Running Set-AzureRmAppServicePlan from Automation script (RunBook)

I'm trying to run Set-AzureRmAppServicePlan from automation runbook but getting
Set-AzureRmAppServicePlan : Run Login-AzureRmAccount to login. At line:20 char:1
+ Set-AzureRmAppServicePlan -ResourceGroupName "...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [Set-AzureRMAppServicePlan], PSInvalidOperationException
+ FullyQualifiedErrorId : InvalidOperation,Microsoft.Azure.Commands.WebApps.Cmdlets.AppServicePlans.SetAzureAppServicePlanCmdlet
Note that actual runbook authentication using Automation Credential is successful.
And I can run this script from local powershell using
Login-AzureRmAccount
Add-AzureRmAccount
Set-AzureRmAppServicePlan...
Is it possible at all to run this from automation without interactive login?
Thanks
Pavel
Figured it out. Pretty simple: instead of
Add-AzureAccount (which is used in the sample runbook Get-AzureVMTutorial created automatically)
you need to use
Add-AzureRmAccount
for use with Azure Resource Manager cmdlet requests like
Set-AzureRmAppServicePlan
Leaving the question / answer here; it might still help someone.
If you are not using MFA, please see the following commands. Replace 'yourPassword', 'yourUserName', 'yourEnvironment', 'yourSubscriptionId' and 'yourTenantId' with your own values and put them in your script; then you can log in without an interactive page.
$userPassword = ConvertTo-SecureString -String "yourPassword" -AsPlainText -Force
$psCred = new-object -typename System.Management.Automation.PSCredential -argumentlist 'yourUserName', $userPassword
$credential = Get-Credential -Credential $psCred
add-azureRmAccount -EnvironmentName 'yourEnvironment' -credential $credential -subscriptionId 'yourSubscriptionId' -tenant 'yourTenantId'
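For the runbook case, an added example (not from the thread) that keeps the password out of the script by pulling it from the Automation account's credential asset, which the question says already authenticates successfully, and then uses the Resource Manager login the accepted answer identified. It assumes a credential asset named 'AzureRunAsUser' (placeholder) holding a non-MFA Azure AD user, and the AzureRM modules imported into the Automation account.

```powershell
# Added example: Azure Automation runbook that changes an App Service plan tier
# after a non-interactive Resource Manager login from a credential asset.
param(
    [Parameter(Mandatory)] [string] $ResourceGroupName,
    [Parameter(Mandatory)] [string] $AppServicePlanName,
    [Parameter(Mandatory)] [string] $Tier,             # e.g. 'Standard'
    [string] $SubscriptionId                           # optional: pin the subscription
)

# The credential asset is stored encrypted by Automation; its password never
# appears in the runbook source, the job output or the job history.
$cred = Get-AutomationPSCredential -Name 'AzureRunAsUser'   # placeholder asset name
if (-not $cred) { throw "Credential asset 'AzureRunAsUser' was not found." }

# ARM cmdlets such as Set-AzureRmAppServicePlan need an Add-AzureRmAccount session;
# the classic Add-AzureAccount session from the old tutorial runbook does not count.
$null = Add-AzureRmAccount -Credential $cred -ErrorAction Stop
if ($SubscriptionId) {
    $null = Select-AzureRmSubscription -SubscriptionId $SubscriptionId -ErrorAction Stop
}

# Check the context up front so a failed login surfaces here, not as the
# "Run Login-AzureRmAccount to login" error later in the job.
$ctx = Get-AzureRmContext
if (-not $ctx.Account) { throw 'No Azure RM context after login; check the credential asset.' }
Write-Output "Signed in as $($ctx.Account.Id)"

# Apply the change and echo what was applied so the job output is auditable.
$plan = Set-AzureRmAppServicePlan -ResourceGroupName $ResourceGroupName -Name $AppServicePlanName `
    -Tier $Tier -ErrorAction Stop
$plan | Select-Object Name, ResourceGroup,
    @{ n = 'Tier'; e = { $_.Sku.Tier } }, @{ n = 'Size'; e = { $_.Sku.Name } }
```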

powershell credential rejected from server

I need to store a credential in PowerShell to be used several times. Here on StackOverflow there are a lot of examples, so I took one:
$tmpCred = Get-Credential
$tmpCred.Password | ConvertFrom-SecureString | Set-Content "pwd.dat"
$password = Get-Content "pwd.dat" | ConvertTo-SecureString
$credential = New-Object System.Management.Automation.PsCredential "myDomain\myUser", $password
Get-ADUser -Credential $credential
Unfortunately I get this error and I can't find a solution
Get-ADUser : The server has rejected the client credentials.
At line:5 char:11
+ Get-ADUser <<<< "xxx" -Credential $credential
+ CategoryInfo : NotSpecified: (xxx:ADUser) [Get-ADUser], AuthenticationException
+ FullyQualifiedErrorId : The server has rejected the client credentials.,Microsoft.ActiveDirectory.Management.Commands.GetADUser
I can't see anything obviously wrong with your code, I'm guessing that this is just an example of how you are using it as you mention you need to use it in several places. Just to check that it really is the storing of the secure string failing you could check using the following, which should prove that the credentials worked before being persisted to disk:
Get-ADUser -Credential $tmpCred
One option would be to pass around the credentials rather than a file or securestring, using the type [System.Management.Automation.PSCredential] which is returned from your call to Get-Credential and stored in the variable $tmpCred.
You could also temporarily add a call to the method GetNetworkCredential() to ensure that your password has been decrypted correctly; the following will show the username and password (unencrypted):
$tmpCred.GetNetworkCredential().Username
$tmpCred.GetNetworkCredential().Password
Hope that helps...
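An added example (not from this thread or the Copy-Item one above) that serves both the persisted-credential question here and the PLC-triggered copy script earlier, where the downside was a plaintext password: store the credential with Export-Clixml, which wraps the password with Windows DPAPI, and verify the round trip the way this answer suggests before relying on the file. DPAPI ties the file to the user and machine that wrote it, so the file must be written by the same account that will later run the script; the file path and function names are my own.

```powershell
# Added example: persist a PSCredential with DPAPI protection and verify it decrypts.
# Runs on Windows PowerShell; Export-Clixml encrypts the SecureString for the current user only.
function Save-StoredCredential {
    param([Parameter(Mandatory)] [string] $Path)
    $cred = Get-Credential -Message "Credential to store in $Path"
    # An empty password normally means the prompt was cancelled; do not persist that.
    if ([string]::IsNullOrEmpty($cred.GetNetworkCredential().Password)) {
        throw 'No password entered; nothing was stored.'
    }
    $cred | Export-Clixml -Path $Path       # user name in clear, password DPAPI-encrypted
    return $cred
}

function Get-StoredCredential {
    param([Parameter(Mandatory)] [string] $Path)
    # Import-Clixml fails with "Key not valid for use in specified state" when another
    # user (e.g. the account a PLC or scheduler runs under) or another machine reads the file.
    $cred = Import-Clixml -Path $Path
    if ($cred -isnot [System.Management.Automation.PSCredential]) {
        throw "$Path does not contain a PSCredential."
    }
    return $cred
}

# Store once interactively, under the account that will run the unattended script,
# then confirm what comes back matches what went in (the check from the answer above).
$file   = Join-Path $env:LOCALAPPDATA 'copy-job.cred.xml'   # placeholder path
$saved  = Save-StoredCredential -Path $file
$loaded = Get-StoredCredential -Path $file
if ($loaded.GetNetworkCredential().Password -ne $saved.GetNetworkCredential().Password) {
    throw 'Stored password does not round-trip; check which account wrote the file.'
}
Write-Output "Loaded credential for $($loaded.UserName) from $file"

# The reloaded credential can now be used without any plaintext password in the script,
# e.g. Get-ADUser -Credential $loaded, or New-PSDrive -Credential $loaded for a network path,
# or Start-Process powershell.exe -Credential $loaded -ArgumentList '-File C:\jobs\copy.ps1'.
```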