I'm trying to use powershell to get info about my default ad. The first thing I do is sign on using my global admin account through the Connect-AzureAD cmdlet:
Connect-AzureAD
After running this command, I get something that looks like this:
Account Environment TenantId TenantDomain
------- ----------- -------- ------------
xxxyyyxcxx#hotmail.com AzureCloud zzz-xxxx-yyyyyyy
Now, whenever I try to run any command, I get an error saying that I'm not authorized to do that. For instance, If try to get all the groups, I get the following:
Get-AzureADGroup : Error occurred while executing GetGroups
Code: Authentication_Unauthorized
Message: User was not found
HttpStatusCode: Forbidden
HttpStatusDescription: Forbidden
HttpResponseStatus: Completed
Am I missing something?
Thanks.
Luis
The reason for your error is: the cmdlet Get-AzureADGroup has no tenant specified, so the connection was established to a domain, where user has no admin privileges.
To ensure connection to expected AAD domain, the tenant ID must specified in call to Connect-AzureAD cmdlet. You could use the following cmdlet to login your tenant ID.
Connect-Azuread -TenantID <your tenantid>
You could get your users's tenantID with Get-AzureRmSubscription.
More information please refer to this blog.
Related
I have been given a task to setup a scheduled task which will run daily to pull down the list of allowed domains from SPO. This is not an issue if I use Connect-SPOService and Get-SPOTenant, like this:
Connect-SPOService –url https://xxxx-admin.sharepoint.com
Get-SPOTenant | select -ExpandProperty SharingAllowedDomainList > d:\allowedDomains.txt
The issue issue is that this has to be automated. There is also a requirement to use an ClientId and Secret in the script, rather than providing me with an account which bypasses MFA and has SP Admin rights.
Because of that, I've turned to SharePointPnP, which does allow you to connect with ClientId and Secret. I'm able to connect to connect with the following:
Connect-PnPOnline -url https://xxxx-admin.sharepoint.com -ClientId "xxxxx" -ClientSecret "xxxxx"
Where I'm struggling now is trying to how I can retrieve the SharingAllowedDomainList property through SharePointPnP, or if that is even possible?
#THTX,
Can you please have a try below pnp powershell cmdlet?
Get-PnPTenant
Get-PnPTenantSite
It has SharingAllowedDomainList property:
BR
I am trying to create a team with the new Teams Powershell. Looks like everything is working, until I try to use my service account instead of my own.
The code below is working, if I replace the $credential line and use my own credentials. If I use the automation account, then I got this:
New-Team : Error occurred while executing
Code: InvalidAuthenticationToken
Message: Access token validation failure.
I tried searching for this error message, but I only found Graph API samples, that happen behind the scenes of the Teams PowerShell. I also tried other scripts, like PnP, they all work fine with the same automation account. Is this a bug in the Teams API self or can I do something on my side?
$credential = Get-AutomationPSCredential -Name 'provisioning'
$connection = Connect-MicrosoftTeams -Credential $credential
$t = Get-Team -DisplayName "TEST"
Assuming your service account has proper privileges to create channel.
Reference: https://learn.microsoft.com/en-us/graph/api/team-put-teams?view=graph-rest-1.0
If you reckon you have proper privileges to create teams and channels then make sure you give full scope to the service account
Connect-PnPOnline -Scopes "Group.ReadWrite.All"
Hope it will give you some idea to solve the error. Thanks
Using PowerShell, I can access my Azure KeyVault locally, provide the secret and return stored passwords. I can also do this from a VM I spin up. Additionally, I can access a single password from the KeyVault and use it to impersonate a user on a VSTS build agent, but I cannot access the remaining stored passwords. What gives?
Here's the message I receive:
[error]Get-AzureKeyVaultSecret : Unable to retrieve service key for
ServicePrincipal account
[hiddenaccountname]#[companyaccount].com. Please log in
again to supply the credentials for this service principal. In
PowerShell, execute Login-AzureRMAccount for Azure Resource Manager
cmdlets or Add-AzureAccount for service management cmdlets.
...
CategoryInfo : CloseError: (:) [Get-AzureKeyVaultSecret], KeyNotFoundException
FullyQualifiedErrorId : Microsoft.Azure.Commands.KeyVault.GetAzureKeyVaultSecret
Here's what my code looks like at this section:
Login-AzureRmAccount -Credential $AzureCredential -ServicePrincipal -TenantId [abunchofnumbers]
$Password = (Get-AzureKeyVaultSecret -VaultName "[nameOfVault]" -Name "[nameOfSecret]").SecretValueText
The login accepts the provided credentials and logs me in, but the Get-AzureKeyVaultSecret cmdlet fails, and only on VSTS during a build.
Any ideas, you strange and wonderful devs?
[Resolved - Follow up] My process involved one Powershell script to impersonate a user by using Login-AzureRmAccount and Get-AzureKeyVaultSecret to get the password for a user, then a 2nd Powershell script to log back in to AzureRmAccount to get more passwords from the KeyVault. I swapped the order of these two scripts and problem went away.
I am attempting to explore the features of the Azure Active Directory V2 PowerShell Module
I have an Azure Account, and I have set up an Active Directory with multiple users.
My first goal is simple: show me the list of users.
So I type:
Connect-AzureAD
I am presented with a dialog and type in my user account and password. It returns on object of type Microsoft.Open.Azure.AD.CommonLibrary.PSAzureContext.
I then type
Get-AzureADUser
And the error is:
Get-AzureADUser : Error occurred while executing GetUsers
Code: Authentication_Unauthorized
Message: User was not found
HttpStatusCode: Forbidden
I am still able to list the users using the Azure RM Powershell module. The following code works:
Add-AzureRmAccount
Get-AzureRmADUser
What do I do to get Get-AzureADUser to work?
The cmdlet Connect-AzureAD establishes connection to ADD domian, after we login successed a confirmation will display:
PS C:\windows\system32> connect-azuread
Account Environment Tenant
------- ----------- ------
jasontest1#xxxxxx.onmicrosoft.com AzureCloud xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
The connection can be vaildated with this cmdlet Get-AzureADDomain, if the user is connected to AAD domain, where he has management privileges - the information about the domain will be displayed:
PS C:\windows\system32> get-azureaddomain
Name AvailabilityStatus AuthenticationType
---- ------------------ ------------------
hcl.com Managed
msgamestudios.com Managed
foobar.local Managed
multimap.com Managed
skypestaytogether.com Managed
insightsquarterly.com.au Managed
calanit.onmicrosoft.com Federated
msft.ccsctp.net Managed
ruffiangames.com Managed
xn--m1bg0b0byewac1j8b.com Managed
VoicesforInnovation.org Managed
shaanximic.com Managed
www.yunnanmic.com Managed
wsmbela.pss.com Managed
fornax.off Managed
api.staging.yammer.com Managed
codenauts.net Managed
acompli.com Managed
testdomains.co Managed
microsoft.hr Managed
Bayportali.mmdservice.com Managed
contoso.com Managed
api.swrepository.com Managed
Equivio.com Managed
sunshine.am Managed
microsoftaffiliates.com Managed
If user has no admin privileges, we will get the error same as you.
Get-AzureADDomain : Error occurred while executing GetDomains
Code: Authentication_Unauthorized
Message: User was not found
HttpStatusCode: Forbidden
The reason is that, the cmdlet GetAzureADDomian has no tenant specified, so the connection was established to a domian, where user has no admin privileges.
To ensure connection to expected AAD domian, the tenant ID must specified in call to Connect-AzureAD cmdlet.
PS C:\windows\system32> Connect-AzureAD -TenantId
As already answered here, please use:
PS C:\windows\system32> Connect-AzureAD -TenantId {YOUR_TENANT_ID}
Example:
PS C:\windows\system32> Connect-AzureAD -TenantId ce1af0ab-ae35-4f60-8f2d-944444444444
It's a common mistake to use TenantId we get when executing Connect-AzureAd, like following:
But use the TenantId from Azure Portal --> Azure Active Directory --> Properties --> Directory Id.
The Directory Id = TenantId.
I have "external user" from TenantA AD added to TenantB in Azure and added as "owner" to one of B subscriptions.
How can I connect with PowerShell using that external user to TenantB subscription?
Login-AzureRmAccount/Add-AzureRmAccount while using external users' UPN in -Credential and specifying tenantId/subscriptionId of TenantB gives me error:
add-azurermaccount : The provided account <...> does not have access to subscription ID "<...>". Please try logging in with
different credentials or a different subscription ID.**
Looking at Get-MsolUser output of TenantB, I can see external user from tenantA in the following form:
PS C:\> get-msoluser
UserPrincipalName DisplayName isLicensed
----------------- ----------- ----------
<username>_tenantA.onmicrosoft.com#EXT##tenantB.onmicrosoft.com <..> False
I would start with clearing the cached credentials using:
Get-AzureAccount | ForEach-Object { Remove-AzureAccount $_.ID -Force }
Then use Login-AzureRmAccount and enter the credentials for TenantA. You should be able to switch the subscription using.
Select-AzureRmSubscription -SubscriptionName