I want to access the
Azure Portal -> Azure Active Directory->User Settings
via a powershell commandlet.
Currently I have tried
Get-MsolCompanyInformation
which gives limited data about these settings. Not all settings access (true/false) comes up with this commandlet.
Can someone give the commandlet(s) by which I can get whether these settings are enabled/disabled for a tenant?
For now, there is no command to list those informations in msol powershell module and Azure AD powershell module v2.
As a workaround, we can use role to control those permission.
We can use Azure AD powershell V2 to list roles:Get-AzureADDirectoryRole.
Then we can use this command to list the members of this role: Get-AzureADDirectoryRoleMember.
To create role, we can list the role template with this commmand Get-AzureADDirectoryRoleTemplate
PS C:\Users> Get-AzureADDirectoryRoleTemplate
ObjectId DisplayName Description
-------- ----------- -----------
729827e3-9c14-49f7-bb1b-9608f156bbb8 Helpdesk Administrator Helpdesk Administrator has access to perform common helpdesk related tasks.
f023fd81-a637-4b56-95fd-791ac0226033 Service Support Administrator Service Support Administrator has access to perform common support tasks.
b0f54661-2d74-4c50-afa3-1ec803f12efe Billing Administrator Billing Administrator has access to perform common billing related tasks.
4ba39ca4-527c-499a-b93d-d9b492c50246 Partner Tier1 Support Allows ability to perform tier1 support tasks.
e00e864a-17c5-4a4b-9c06-f5b95a8d5bd8 Partner Tier2 Support Allows ability to perform tier2 support tasks.
88d8e3e3-8f55-4a1e-953a-9b9898b8876b Directory Readers Allows access to various read only tasks in the directory.
29232cdf-9323-42fd-ade2-1d097af3e4de Exchange Service Administrator Exchange Service Administrator.
75941009-915a-4869-abe7-691bff18279e Lync Service Administrator Lync Service Administrator.
fe930be7-5e62-47db-91af-98c3a49a38b1 User Account Administrator User Account Administrator has access to perform common user management related tasks.
9360feb5-f418-4baa-8175-e2a00bac4301 Directory Writers Allows access read tasks and a subset of write tasks in the directory.
62e90394-69f5-4237-9190-012177145e10 Company Administrator Company Administrator role has full access to perform any operation in the company scope.
a0b1b346-4d3e-4e8b-98f8-753987be4970 User Every user is implicitly considered to be a member of the User Role.
f28a1f50-f6e7-4571-818b-6a12f2af6b6c SharePoint Service Administrator SharePoint Service Administrator.
d405c6df-0af8-4e3b-95e4-4d06e542189e Device Users Device Users
9f06204d-73c1-4d4c-880a-6edb90606fd8 Device Administrators Device Administrators
9c094953-4995-41c8-84c8-3ebb9b32c93f Device Join Device Join
c34f683f-4d5a-4403-affd-6615e00e3a7f Workplace Device Join Workplace Device Join
17315797-102d-40b4-93e0-432062caca18 Compliance Administrator Compliance administrator.
d29b2b05-8046-44ba-8758-1e26182fcf32 Directory Synchronization Accounts Directory Synchronization Accounts
2b499bcd-da44-4968-8aec-78e1674fa64d Device Managers Allows access to read and edit device properties.
9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3 Application Administrator Application Administrator role has access to perform common application management related tasks.
cf1c38e5-3621-4004-a7cb-879624dced7c Application Developer Application Developer role has ability to create single-tenant applications.
5d6b6bb7-de71-4623-b4af-96380a352509 Security Reader Security Reader allows ability to read security information and reports.
194ae4cb-b126-40b2-bd5b-6091b380977d Security Administrator Security Administrator allows ability to read and manage security configuration and reports.
e8611ab8-c189-46e8-94e1-60213ab1f814 Privileged Role Administrator Privileged Role Administrator has access to perform common role management related tasks.
3a2c62db-5318-420d-8d74-23affee5d9d5 Intune Service Administrator Intune Service Administrator has full access in the Intune Service.
158c047a-c907-4556-b7ef-446551a6b5f7 Cloud Application Administrator Cloud Application Administrator has the ability to create applications and update all cloud properties of applications.
5c4f9dcd-47dc-4cf7-8c9a-9e4207cbfc91 Customer LockBox Access Approver Customer LockBox Access Approver has approval access to user data requests.
44367163-eba1-44c3-98af-f5787879f96a CRM Service Administrator CRM Service Administrator has full access in the CRM Service.
a9ea8996-122f-4c74-9520-8edcd192826c Power BI Service Administrator Full access in the Power BI Service.
95e79109-95c0-4d8e-aee3-d01accf2d47b Guest Inviter Guest Inviter has access to invite guest users.
b1be1c3e-b65d-4f19-8427-f6fa0d97feb9 Conditional Access Administrator Allows management of all conditional access capabilities.
More information about Azure AD powershell V2, please refer to this link.
Related
we are using admin accounts as admin account have most of the rights to execute and access files from the all locations so uipath automation runs smoothly.
admin account : CORP\ADM-FR-SFAKHORI
sefrvice account : SVC-FR-S2DCAUTO
we conenct our production using admin account , and now need is there to run more automations and we dont have free slots for admin accounts to run / admin account is occupied with existing automation.
Team provided us service account instead admin account to connect our vm and to run automations.
to login certain applications via servcie account is possible which we are doing currenly also but can we run automations using servcie account?
we are using task scheduler and for now our vm is not able to connect with service account as servcie account deoent have logon accesss.
my question is if team provides logon access to servcie account then can we execute our scripts without any issue ? or can we ask for admin account to the team ?
we are using ateended named user license.
Please help us on same.
i tried by connecting using service account to vm but it is just connecting and disconnecting.
so we are not sure if team provides us login access then also we can able to accseess/execute or not.
so we want that surety .
enter image description here
I cannot assign a capacity Id to a workspace via Powershell commands, logged in with a service principal.
$workspace = Get-PowerBIWorkspace -name 'XXX-XX-XXXX-XXX'
$workspaceId = $workspace.Id
echo $workspaceId
Set-PowerBIWorkspace -Id $workspaceId -Scope "Organization" -CapacityId "XXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX"
error message:
Set-PowerBIWorkspace: Operation returned an invalid status code 'Unauthorized'
I have taken the following steps:
I have created a service principal and assigned it to a security group in Azure AD.
I Manually added this security group in the admin Portal in PowerBi service to allow service principals to interact with service (under developer settings).
I have been able to (using PowerShell) login with the service principal and create a workspace.I can get all workspaces etc...
However, when I try to set a workspace capacity Id (assign it to a premium capacity) I get an unauthorized error.
I suspect I cannot do this because to perform this action, I have to go under Admin Portal Settings > Workspaces (I need Admin Rights to PowerBi service), hence I'm trying to find a way to grant these admin permissions to the service principal.
Besides this, I have:
Assigned that same service principal in the security group to be
workspace admin
Assign PowerBi administrator role in AAD to that service principal
But nothing worked.
Is there a way to perform these actions? Or is it a limitation of Service Principals?
Thank you,
Joao
The admin APIs in general cannot be used when authenticating with service principal. Recently, they made it possible to use some of them, but not all. For example take a look at Announcing new Admin APIs and Service Principal authentication to make for better tenant metadata scanning and Enable service principal authentication for read-only admin APIs, where you can see the list of supported APIs.
To assign a capacity to a workspace, UpdateGroupsAsAdmin API is used, which is currently not listed as a supported API, and is documented only for "normal" authentication:
Permissions
The user must have administrator rights (such as Office 365 Global Administrator or Power BI Service Administrator).
while for other APIs (GetGroupsAsAdmin, PostWorkspaceInfo) is explicitly documented that they can be used with a service principal:
Permissions
The user must have administrator rights (such as Microsoft 365 Global Administrator or Power BI Service Administrator) or authenticate using a service principal.
So either you have to wait for Microsoft to implement authentication with service principal (and there is no guarantee they will do that), or you will have to change the authentication (to use AAD account).
I am currently using O365 Graph API to create services for customers and realized that some of the capabilities that customers need, i.e. creating transport rules or accessing quarantined email information, are only available through PowerShell.
Can a vendor create transport rules or execute PowerShell commands for their customers? Similar to how vendors register their Azure AD application and request permissions, is there a way to run PowerShell command for customers by a vendor?
Documentation is not really helpful on this front.
When using Graph, I don't think you can, but if you want to do it with Powershell, if you're a Microsoft Partner, and have configured yourself as an advisor (delegated access permissions) for your clients (invite them to add you, or add yourself if you have their consent and global admin access to their tenancy).
Adding a partner to a tenant:
https://learn.microsoft.com/en-us/partner-center/customers_revoke_admin_privileges
See a bit of additional info here:
https://learn.microsoft.com/en-us/office365/enterprise/powershell/manage-office-365-tenants-with-windows-powershell-for-delegated-access-permissio
When running Powershell commands, you'll need to refer to the TenantID when running a command on the client's tenancy (rather than your own).
A simple example of this might be:
Get a list of TenantIDs:
Get-MsolPartnerContract -All | Select-Object TenantId
Get a list of mailboxes for one of the TenantIds listed above:
Get-Mailbox -TenantID "asddfsdfadfg-dsfgsdfg-sdfgsdfg-dsfgsdfg"
This relies on you having logged into the Powershell session with a user that has administrative 'Partner' permissions in your partner tenancy.
Hopefully that helps somewhat!
I've manually created an Azure Active Directory tenant in the Azure Portal. The portal, however, doesn't present an interface where I can grant permission to other principals to own OR contribute to the AAD. For instance, adding users OR applications. Is that intentional? Or is this permissible via Powershell only. If so, what Powershell commands enable this programmatically? Thanks
In the new Azure portal you have the option to use Role Based Access (RBAC). I want to give a user rights to startup and shutdown a virtual machine in Azure. I also don't want that is it possible for this user to create new VM's in Azure so I don't want to make this user Administrator. I gave the user the required rights in the new Azure portal (owner for: the VM, Cloud Service and storage).
When I open PowerShell with the user that has rights on Azure. I first execute the command Add-AzureAccount. After this I execute the following command: Start-AzureVM -ServiceName "MyVM" -Name "MyVM". Then I receive the following error: ForbiddenError: The server failed to authenticate the request. Verify that the certificate is valid and is associated with this subscription.
When I perform this scenario for a Subscription Administrator everything works fine.
Is the described scenario supported by the Azure PowerShell cmdlets? What are possible alternatives?
Thanks in advance
Unfortunately, RBAC through Powershell is currently only available for ARM-resources, i.e. non-"classic" resources in the preview portal, and users needs to have accounts in the Azure AD tenant associated with the subscription. Federated Microsoft accounts will won't work.