I am attempting to explore the features of the Azure Active Directory V2 PowerShell Module
I have an Azure Account, and I have set up an Active Directory with multiple users.
My first goal is simple: show me the list of users.
So I type:
Connect-AzureAD
I am presented with a dialog and type in my user account and password. It returns an object of type Microsoft.Open.Azure.AD.CommonLibrary.PSAzureContext.
I then type
Get-AzureADUser
And the error is:
Get-AzureADUser : Error occurred while executing GetUsers
Code: Authentication_Unauthorized
Message: User was not found
HttpStatusCode: Forbidden
I am still able to list the users using the Azure RM Powershell module. The following code works:
Add-AzureRmAccount
Get-AzureRmADUser
What do I do to get Get-AzureADUser to work?
The cmdlet Connect-AzureAD establishes a connection to the AAD domain; after we log in successfully, a confirmation is displayed:
PS C:\windows\system32> connect-azuread
Account Environment Tenant
------- ----------- ------
jasontest1#xxxxxx.onmicrosoft.com AzureCloud xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
The connection can be validated with the cmdlet Get-AzureADDomain; if the user is connected to an AAD domain where he has management privileges, the information about the domain is displayed:
PS C:\windows\system32> get-azureaddomain
Name AvailabilityStatus AuthenticationType
---- ------------------ ------------------
hcl.com Managed
msgamestudios.com Managed
foobar.local Managed
multimap.com Managed
skypestaytogether.com Managed
insightsquarterly.com.au Managed
calanit.onmicrosoft.com Federated
msft.ccsctp.net Managed
ruffiangames.com Managed
xn--m1bg0b0byewac1j8b.com Managed
VoicesforInnovation.org Managed
shaanximic.com Managed
www.yunnanmic.com Managed
wsmbela.pss.com Managed
fornax.off Managed
api.staging.yammer.com Managed
codenauts.net Managed
acompli.com Managed
testdomains.co Managed
microsoft.hr Managed
Bayportali.mmdservice.com Managed
contoso.com Managed
api.swrepository.com Managed
Equivio.com Managed
sunshine.am Managed
microsoftaffiliates.com Managed
If the user has no admin privileges, we get the same error as you:
Get-AzureADDomain : Error occurred while executing GetDomains
Code: Authentication_Unauthorized
Message: User was not found
HttpStatusCode: Forbidden
The reason is that the cmdlet Get-AzureADDomain has no tenant specified, so the connection was established to a domain where the user has no admin privileges.
To ensure a connection to the expected AAD domain, the tenant ID must be specified in the call to the Connect-AzureAD cmdlet.
PS C:\windows\system32> Connect-AzureAD -TenantId
As already answered here, please use:
PS C:\windows\system32> Connect-AzureAD -TenantId {YOUR_TENANT_ID}
Example:
PS C:\windows\system32> Connect-AzureAD -TenantId ce1af0ab-ae35-4f60-8f2d-944444444444
It's a common mistake to use the TenantId we get when executing Connect-AzureAD, like the following:
Instead, use the TenantId from Azure Portal --> Azure Active Directory --> Properties --> Directory Id.
The Directory Id = TenantId.
The use case I am working on is to create an online meeting, and I followed this documentation: https://learn.microsoft.com/en-us/graph/api/application-post-onlinemeetings?view=graph-rest-1.0&tabs=http
As part of this, an admin needs to create an application access policy and grant it to a user: https://learn.microsoft.com/en-us/graph/cloud-communication-online-meeting-application-access-policy
While executing the New-CsApplicationAccessPolicy cmdlet I am getting the following error.
e.g. New-CsApplicationAccessPolicy -Identity Test-policy -AppIds "ddb80e06-92f3-4978-bc22-a0eee85e6a9e" -Description "description here"
ERROR
Get-CsOnlineSession: /Users/avnika/.local/share/powershell/Modules/MicrosoftTeams/2.3.1/netcoreapp3.1/SfBORemotePowershellModule.psm1:63
Line |
63 | $remoteSession = & (Get-CsOnlineSessionCommand)
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| The remote server returned an error: (404) Not Found.
Invoke-Command: /Users/avnika/.local/share/powershell/Modules/MicrosoftTeams/2.3.1/netcoreapp3.1/SfBORemotePowershellModule.psm1:22959
Line |
22959 | … -Session (Get-PSImplicitRemotingSession -CommandName ‘New-CsApplic …
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| Cannot validate argument on parameter ‘Session’. The argument is null or empty. Provide an argument that is not null or empty, and then try the command again.
I get this error when I execute the policy below: New-CsApplicationAccessPolicy -Identity Millo-Video-policy -AppIds "334941f7-50e4-4b19-9d5d-22328ad41553" -Description "video delegation policy for app"
I would appreciate it if you could help me solve this problem.
P.S. I am using a personal Azure account.
This cmdlet runs using the Skype connector. But now this cmdlet is added in the latest PowerShell module. Please upgrade the PowerShell module and run the cmdlet. Please go through this link.
I tried the following steps and it's working:
Upgrade the Microsoft Teams PowerShell module to the latest (also follow the steps provided by Kartheek above)
Connect-MicrosoftTeams # Enter global administrator account credentials and make sure that you see the admin account details in the connection output.
Now execute New-CsApplicationAccessPolicy.
Make sure the PowerShell connects/works.
Usually I test the above steps in a test demo tenant before doing it in prod. Test the same and confirm whether you can still repro the issue.
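The procedure the two answers above describe, written out as an added example (not code from the original thread): refresh the MicrosoftTeams module, sign in and confirm the tenant, create the application access policy, and grant it to one user rather than tenant-wide. The application ID, user UPN and policy name are placeholders.

```powershell
# Added example, not code from the original thread. Assumes the MicrosoftTeams module is
# installed from the PowerShell Gallery and that you sign in with a Teams admin account.
$appId  = '00000000-0000-0000-0000-000000000000'   # placeholder: Application (client) ID of your app registration
$user   = 'user@contoso.com'                        # placeholder: user on whose behalf the app creates meetings
$policy = 'OnlineMeeting-AppAccess'                 # placeholder: policy name

# New-CsApplicationAccessPolicy moved out of the Skype for Business connector into the
# MicrosoftTeams module itself, so make sure the loaded module is current.
Update-Module MicrosoftTeams -ErrorAction SilentlyContinue
Import-Module MicrosoftTeams -Force
Write-Host "MicrosoftTeams module version: $((Get-Module MicrosoftTeams).Version)"

# Interactive sign-in; the returned object shows which account and tenant the session uses.
$conn = Connect-MicrosoftTeams
$conn | Select-Object Account, TenantId

# Create the policy once. -AppIds takes a plain string array (the stray comma in the
# original command after the AppIds value is not needed).
if (-not (Get-CsApplicationAccessPolicy -Identity $policy -ErrorAction SilentlyContinue)) {
    New-CsApplicationAccessPolicy -Identity $policy -AppIds $appId `
        -Description 'Allows the app to create online meetings on behalf of granted users'
}

# Grant the policy only to the users that need it; -Global would expose every user.
Grant-CsApplicationAccessPolicy -PolicyName $policy -Identity $user

# Verify the policy and the application IDs it carries.
Get-CsApplicationAccessPolicy -Identity $policy
```

Granting per user keeps the blast radius of the app registration to the mailboxes that actually need delegated meeting creation; a compromised app secret then only acts for those users.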
I have been given a task to set up a scheduled task which will run daily to pull down the list of allowed domains from SPO. This is not an issue if I use Connect-SPOService and Get-SPOTenant, like this:
Connect-SPOService -Url https://xxxx-admin.sharepoint.com
Get-SPOTenant | select -ExpandProperty SharingAllowedDomainList > d:\allowedDomains.txt
The issue is that this has to be automated. There is also a requirement to use a ClientId and Secret in the script, rather than providing me with an account which bypasses MFA and has SP admin rights.
Because of that, I've turned to SharePointPnP, which does allow you to connect with a ClientId and Secret. I'm able to connect with the following:
Connect-PnPOnline -Url https://xxxx-admin.sharepoint.com -ClientId "xxxxx" -ClientSecret "xxxxx"
Where I'm struggling now is figuring out how I can retrieve the SharingAllowedDomainList property through SharePointPnP, or whether that is even possible.
@THTX,
Can you please try the PnP PowerShell cmdlets below?
Get-PnPTenant
Get-PnPTenantSite
It has SharingAllowedDomainList property:
BR
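An added example (not code from the question or the answer) of the scheduled-task script the question asks for: app-only connection with the PnP module, then Get-PnPTenant read for SharingAllowedDomainList and written one domain per line. The admin URL, output path and environment variable names are placeholders; the client secret is read from the environment rather than embedded in the script.

```powershell
# Added example, not code from the original thread. Assumes the PnP PowerShell module with
# Connect-PnPOnline -ClientId/-ClientSecret support and an app principal granted tenant read rights.
$adminUrl = 'https://xxxx-admin.sharepoint.com'   # placeholder: your SPO admin site
$outFile  = 'D:\allowedDomains.txt'                # placeholder: output path

# Keep the secret out of the script file; the task's service account gets it from the
# environment (or a vault). SPO_CLIENT_ID / SPO_CLIENT_SECRET are placeholder names.
$clientId     = $env:SPO_CLIENT_ID
$clientSecret = $env:SPO_CLIENT_SECRET
if (-not $clientId -or -not $clientSecret) {
    throw 'SPO_CLIENT_ID and SPO_CLIENT_SECRET must be set for the scheduled task account'
}

Connect-PnPOnline -Url $adminUrl -ClientId $clientId -ClientSecret $clientSecret

# Get-PnPTenant returns the tenant properties; SharingAllowedDomainList is the
# space-separated domain list (the same value Get-SPOTenant exposes).
$tenant  = Get-PnPTenant
$domains = @($tenant.SharingAllowedDomainList -split '\s+' | Where-Object { $_ })

# One domain per line, sorted, so each day's file can be diffed against the previous run
# and an unexpected new domain stands out.
$domains | Sort-Object -Unique | Set-Content -Path $outFile -Encoding UTF8
Write-Host "Wrote $($domains.Count) allowed domains to $outFile"

Disconnect-PnPOnline
```

If you control the app registration, prefer an Azure AD app with a certificate (Connect-PnPOnline -ClientId -Tenant -CertificatePath) over a client secret: the private key never has to be present as a string in the task's environment, and the ACS-style ClientId/ClientSecret registration is the legacy path.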
Using PowerShell, I can access my Azure KeyVault locally, provide the secret and return stored passwords. I can also do this from a VM I spin up. Additionally, I can access a single password from the KeyVault and use it to impersonate a user on a VSTS build agent, but I cannot access the remaining stored passwords. What gives?
Here's the message I receive:
[error]Get-AzureKeyVaultSecret : Unable to retrieve service key for
ServicePrincipal account
[hiddenaccountname]@[companyaccount].com. Please log in
again to supply the credentials for this service principal. In
PowerShell, execute Login-AzureRMAccount for Azure Resource Manager
cmdlets or Add-AzureAccount for service management cmdlets.
...
CategoryInfo : CloseError: (:) [Get-AzureKeyVaultSecret], KeyNotFoundException
FullyQualifiedErrorId : Microsoft.Azure.Commands.KeyVault.GetAzureKeyVaultSecret
Here's what my code looks like at this section:
Login-AzureRmAccount -Credential $AzureCredential -ServicePrincipal -TenantId [abunchofnumbers]
$Password = (Get-AzureKeyVaultSecret -VaultName "[nameOfVault]" -Name "[nameOfSecret]").SecretValueText
The login accepts the provided credentials and logs me in, but the Get-AzureKeyVaultSecret cmdlet fails, and only on VSTS during a build.
Any ideas, you strange and wonderful devs?
[Resolved - Follow up] My process involved one PowerShell script to impersonate a user by using Login-AzureRmAccount and Get-AzureKeyVaultSecret to get the password for a user, then a 2nd PowerShell script to log back in to AzureRmAccount to get more passwords from the KeyVault. I swapped the order of these two scripts and the problem went away.
I'm trying to use PowerShell to get info about my default AD. The first thing I do is sign in using my global admin account through the Connect-AzureAD cmdlet:
Connect-AzureAD
After running this command, I get something that looks like this:
Account Environment TenantId TenantDomain
------- ----------- -------- ------------
xxxyyyxcxx@hotmail.com AzureCloud zzz-xxxx-yyyyyyy
Now, whenever I try to run any command, I get an error saying that I'm not authorized to do that. For instance, if I try to get all the groups, I get the following:
Get-AzureADGroup : Error occurred while executing GetGroups
Code: Authentication_Unauthorized
Message: User was not found
HttpStatusCode: Forbidden
HttpStatusDescription: Forbidden
HttpResponseStatus: Completed
Am I missing something?
Thanks.
Luis
The reason for your error is: the cmdlet Get-AzureADGroup has no tenant specified, so the connection was established to a domain where the user has no admin privileges.
To ensure a connection to the expected AAD domain, the tenant ID must be specified in the call to the Connect-AzureAD cmdlet. You could use the following cmdlet to log in to your tenant ID.
Connect-AzureAD -TenantId <your tenant ID>
You could get your user's tenant ID with Get-AzureRmSubscription.
For more information please refer to this blog.
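The first question on this page (Get-AzureADUser) and this one (Get-AzureADGroup) are the same failure, and both answers give the same fix: pass -TenantId to Connect-AzureAD. As an added example that is not code from either answer, this script connects to an explicit tenant, checks that the session actually landed there before querying, and then runs the two cmdlets that failed. The tenant ID is a placeholder for the Directory ID from the portal.

```powershell
# Added example, not code from the original posts. Assumes the AzureAD V2 module and that
# $tenantId is the Directory ID shown under Azure Active Directory -> Properties.
$tenantId = '00000000-0000-0000-0000-000000000000'   # placeholder GUID, replace with your Directory ID

# If the same account has an Azure subscription, the ARM side exposes the same value as the
# TenantId property of Get-AzureRmSubscription (after Add-AzureRmAccount).

# Connect to that tenant explicitly instead of letting the module pick a default directory.
Connect-AzureAD -TenantId $tenantId | Out-Null

# The TenantId printed by Connect-AzureAD is whatever tenant the session ended up in,
# so compare it with the one you meant before running anything else.
$session = Get-AzureADCurrentSessionInfo
if ("$($session.TenantId)" -ne $tenantId) {
    throw "Connected to tenant $($session.TenantId) ($($session.TenantDomain)), expected $tenantId"
}

# The same calls that returned Authentication_Unauthorized / "User was not found" above.
Get-AzureADUser  -All $true | Select-Object UserPrincipalName, UserType, AccountEnabled
Get-AzureADGroup -All $true | Select-Object DisplayName, ObjectId
```

The check is worth keeping in any script that runs unattended: a session silently opened in the wrong directory fails the way the posts show when the account has no rights there, but in a directory where the account does have rights it would quietly operate on the wrong tenant.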
I have an "external user" from TenantA's AD added to TenantB in Azure and added as "owner" of one of B's subscriptions.
How can I connect with PowerShell using that external user to the TenantB subscription?
Login-AzureRmAccount/Add-AzureRmAccount while using the external user's UPN in -Credential and specifying the tenantId/subscriptionId of TenantB gives me this error:
add-azurermaccount : The provided account <...> does not have access to subscription ID "<...>". Please try logging in with
different credentials or a different subscription ID.
Looking at the Get-MsolUser output of TenantB, I can see the external user from TenantA in the following form:
PS C:\> get-msoluser
UserPrincipalName DisplayName isLicensed
----------------- ----------- ----------
<username>_tenantA.onmicrosoft.com#EXT#@tenantB.onmicrosoft.com <..> False
I would start with clearing the cached credentials using:
Get-AzureAccount | ForEach-Object { Remove-AzureAccount $_.ID -Force }
Then use Login-AzureRmAccount and enter the credentials for TenantA. You should be able to switch the subscription using:
Select-AzureRmSubscription -SubscriptionName
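An added example (not code from the question or the answer) of the login sequence the answer recommends, with one addition: -TenantId is passed to Login-AzureRmAccount so the token is issued for TenantB, where the guest identity is evaluated, and the resulting context is checked before the subscription is selected. The tenant and subscription IDs are placeholders; sign in interactively with the TenantA account's own UPN, not the `#EXT#` form shown by Get-MsolUser.

```powershell
# Added example, not code from the original thread. Assumes AzureRM 5.x or later
# (Disconnect-AzureRmAccount) and placeholder IDs for TenantB and its subscription.
$tenantB       = '00000000-0000-0000-0000-000000000000'   # placeholder: TenantB directory ID
$subscriptionB = '11111111-1111-1111-1111-111111111111'   # placeholder: subscription in TenantB

# Drop any cached context so an earlier TenantA-scoped login is not silently reused.
Disconnect-AzureRmAccount -ErrorAction SilentlyContinue | Out-Null

# Sign in interactively with the TenantA account (its home UPN, not the
# user_tenantA.onmicrosoft.com#EXT#@tenantB.onmicrosoft.com form), but ask for a token
# scoped to TenantB so Azure Resource Manager sees the guest identity that owns the subscription.
Login-AzureRmAccount -TenantId $tenantB | Out-Null

$ctx = Get-AzureRmContext
if ($ctx.Tenant.Id -ne $tenantB) {
    throw "Context is in tenant $($ctx.Tenant.Id) as $($ctx.Account.Id); expected $tenantB"
}

# Only subscriptions the guest can see in TenantB should be listed here.
Get-AzureRmSubscription -TenantId $tenantB | Select-Object Name, Id, State

Select-AzureRmSubscription -SubscriptionId $subscriptionB | Out-Null
Get-AzureRmContext | Select-Object -ExpandProperty Subscription
```

The question's attempt used -Credential, which is a non-interactive username/password sign-in; the interactive prompt used here is the path the answer describes, and it also covers accounts that have MFA enforced.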