Create a new Azure AD user via PowerShell? - powershell

I'm trying to create a new Azure AD user via PowerShell.
I created a global admin in the portal:
I run Connect-MsolService without any issues.
However, running New-MsolUser -UserPrincipalName ... fails with insufficient permissions:
Any idea what the issue is?

If the login account for Connect-MsolService doesn't have sufficient permissions, for example, the account only has common user permissions, you might encounter the insufficient permissions problem.
However, if you create an account with Global administrator privileges in either the new portal or the classic portal, and use this account for login with Connect-MsolService, then you can create a new user by using the command 'New-MsolUser' successfully. Also, please note that for the parameter '-UserPrincipalName' you must use the initial domain name as the suffix, i.e. 'xxxxxx.onmicrosoft.com', or a custom domain verified in Azure AD.
Currently, there are two PowerShell modules for Azure AD: AzureAD and MSOnline.
MSOnline is the old module, which can still provide functionality that is not yet available in the AzureAD module. In the future, the older MSOnline module will be deprecated when all of the functionality has been migrated to the newer module, AzureAD.
Therefore, it's encouraged to use the newer AzureAD module.
For more details about Azure AD PowerShell, please refer to the following documentation.
https://learn.microsoft.com/en-us/powershell/azure/overview?view=azureadps-2.0
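The answer names two preconditions for a successful user creation: the signed-in account holds the Global Administrator role, and the UPN suffix is the initial *.onmicrosoft.com domain or a verified custom domain. The script below is an added example, not code from the question or answer, that checks both with the recommended AzureAD (v2) module before calling New-AzureADUser; the UPN, display name and temporary password are placeholders.

```powershell
# Added example: create a cloud-only user with the AzureAD (v2) module after
# checking the two preconditions from the answer above. All names are placeholders.
Import-Module AzureAD
Connect-AzureAD | Out-Null

$upn = 'jane.doe@contoso.onmicrosoft.com'   # placeholder UPN

# 1. Confirm the signed-in account is a Global Administrator. Older module
#    versions display the role as "Company Administrator", so accept both names.
$me   = (Get-AzureADCurrentSessionInfo).Account.Id
$role = Get-AzureADDirectoryRole |
        Where-Object { $_.DisplayName -in @('Global Administrator', 'Company Administrator') }
$isGlobalAdmin = $false
if ($role) {
    $members = Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId
    $isGlobalAdmin = [bool]($members | Where-Object { $_.UserPrincipalName -eq $me })
}
if (-not $isGlobalAdmin) {
    throw "$me is not a Global Administrator; New-AzureADUser would fail with insufficient privileges."
}

# 2. Confirm the UPN suffix is a domain verified in this tenant.
$suffix   = $upn.Split('@')[-1]
$verified = Get-AzureADDomain | Where-Object { $_.IsVerified }
if ($suffix -notin $verified.Name) {
    $initial = ($verified | Where-Object { $_.IsInitial }).Name
    throw "Suffix '$suffix' is not verified here. Use '$initial' or a verified custom domain."
}

# 3. Create the user with a one-time password that must be changed at first sign-in.
$pwdProfile = New-Object -TypeName Microsoft.Open.AzureAD.Model.PasswordProfile
$pwdProfile.Password                     = 'Replace-With-Random-Temp-Password!'   # placeholder
$pwdProfile.ForceChangePasswordNextLogin = $true

New-AzureADUser -UserPrincipalName $upn `
                -DisplayName 'Jane Doe' `
                -MailNickName 'jane.doe' `
                -AccountEnabled $true `
                -PasswordProfile $pwdProfile
```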

Related

What are the rights needed by an AzureAD app in order to run the command Add-AzureADServicePrincipalPolicy from AzureAdPreview Module (Powershell)?

I am the owner of an Azure AD registered application, and I need to run the command Add-AzureADServicePrincipalPolicy from AzureAdPreview Module (Powershell).
Running the command throws back the following error:
For the moment, the registered app has only the following rights in "API permissions":
Please tell me which rights that command demands in order to be successful, as I might need to ask an admin if they require admin consent.
Or can it be my user's fault that it doesn't have enough rights?
You need to have Azure AD RBAC administrator roles assigned to the user when authenticating with Connect-AzureAD.
For example, any of Application Administrator, Global Administrator, etc. is required.
Since your account doesn't have permission, you will get an error message containing "Insufficient privileges to complete the operation." Contact your Azure AD admin to grant you the required roles.
Reference here.

How to connect to O365 bypassing MFA in powershell

I am working with PowerShell. So we can connect to MFA-enabled O365 through connect-exopssession, but we need to manually enter the password and the code sent to the mobile. But I want to schedule a solution which has to connect to O365 automatically without any manual intervention in MFA-enabled O365. Is there any solution which can bypass MFA without disabling MFA in O365?
The only way to do this is to set up an account that is dedicated for these types of tasks and remove MFA for it, or use Conditional Access to bypass MFA when connecting from your public IP etc. Just make sure that you secure this account as much as possible.
To create non-interactive scripts, you need EXO V2 PowerShell module version 2.0.3 preview or later version. This unattended script authentication uses Azure AD applications, certificates, and Modern authentication.
Connect to Exchange Online PowerShell with existing service principal and client-secret:
To connect Exchange online with existing service principal and client-secret, you need to follow the steps below.
Step 1: Get an OAuth access token using Active Directory Authentication Library (ADAL) PowerShell.
Step 2: Create a PSCredential object
# $UPN is the app's user principal name and $Token is the access token from Step 1; the PSCredential constructor requires the token as a SecureString
$AppCredential = New-Object System.Management.Automation.PSCredential($UPN, (ConvertTo-SecureString $Token -AsPlainText -Force))
Step 3: Pass the PSCredential to the EXO V2 module.
Connect-ExchangeOnline -Credential $AppCredential
For more information please read https://learn.microsoft.com/en-us/powershell/exchange/app-only-auth-powershell-v2?view=exchange-ps#setup-app-only-authentication
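The linked documentation's recommended form of unattended authentication is certificate-based app-only auth, which needs no user password and leaves MFA enforced for interactive users. The script below is an added example, not code from the answer or from Microsoft's docs; the app ID, certificate thumbprint and tenant domain are placeholders, and the app registration is assumed to already hold the Exchange.ManageAsApp permission and an Exchange RBAC role as the linked page describes.

```powershell
# Added example: unattended Exchange Online connection with certificate-based
# app-only authentication. AppId, thumbprint and tenant are placeholders.
Import-Module ExchangeOnlineManagement

$appId      = '00000000-0000-0000-0000-000000000000'   # placeholder app (client) ID
$thumbprint = 'PLACEHOLDER_CERT_THUMBPRINT'            # placeholder
$tenant     = 'contoso.onmicrosoft.com'                # placeholder initial domain

# Use a certificate in the machine store rather than a PFX file plus password in
# the script: the private key stays non-exportable and no secret lands on disk.
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $thumbprint }
if (-not $cert) { throw "Certificate $thumbprint not found in LocalMachine\My." }
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Certificate expires on $($cert.NotAfter); rotate it before the schedule breaks."
}

try {
    Connect-ExchangeOnline -AppId $appId `
                           -CertificateThumbprint $thumbprint `
                           -Organization $tenant `
                           -ShowBanner:$false

    # Example scheduled task: report mailboxes that forward mail externally or
    # to another mailbox, a common thing to review for unexpected changes.
    Get-Mailbox -ResultSize Unlimited |
        Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
        Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress
}
finally {
    # Always tear down the session so the scheduled run does not leak connections.
    Disconnect-ExchangeOnline -Confirm:$false
}
```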
Use App passwords. App passwords do not need MFA.
From docs:
An app password is a code that gives an app or device permission to access your Office 365 account. If your admin has turned on multi-factor authentication for your organization, and you're using apps that connect to your Office 365 account, you'll need to generate an app password, so the app can connect to Office 365.
Read more and how to in MS Docs here:

How do I add a Microsoft account to Azure Active Directory?

When you add a user to Azure Active Directory via the old portal you see this screen:
It allows you to add a user with an existing Microsoft account.
I need to import many users with existing Microsoft accounts. I'm planning on writing a PowerShell script to achieve that.
How do I add an existing Microsoft account to Azure AD with a PowerShell script?
New-AzureADUser complains that "userPrincipalName" is invalid, as can be seen in this question. Is there another way?
Unfortunately, Azure PowerShell modules do not support adding Microsoft accounts to Azure Active Directory. The only way to utilize this feature is to use the old Azure Portal https://manage.windowsazure.com/
This works using New-AzureADMSInvitation.
> Install-Module AzureAD
> Import-Module AzureAD
> Connect-AzureAD
> New-AzureADMSInvitation -InvitedUserEmailAddress 'test@test.com' -InviteRedirectUrl 'https://portal.azure.com'
Your output will contain an InviteRedeemUrl that the invitee should open in a browser which is already logged in with their Microsoft Account. There are other optional parameters that can be passed to New-AzureADMSInvitation. See the documentation here.
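The question asks for a script that invites many existing Microsoft accounts. The script below is an added example, not code from the answer, that loops New-AzureADMSInvitation over a CSV, skips addresses already present as guests so re-runs are safe, and records the per-row outcome; the CSV content and addresses are constructed placeholders.

```powershell
# Added example: bulk B2B invitations from a CSV with New-AzureADMSInvitation.
# The CSV is constructed inline; a real run would use Import-Csv on a file.
Import-Module AzureAD
Connect-AzureAD | Out-Null

$rows = @'
Email,DisplayName
alice@example.com,Alice Example
bob@example.com,Bob Example
'@ | ConvertFrom-Csv   # constructed sample data

$results = foreach ($row in $rows) {
    # Skip addresses that already exist as guests so the script is safe to re-run.
    $existing = Get-AzureADUser -Filter "mail eq '$($row.Email)' and userType eq 'Guest'"
    if ($existing) {
        [pscustomobject]@{ Email = $row.Email; Status = 'AlreadyInvited'; RedeemUrl = $null }
        continue
    }
    try {
        $inv = New-AzureADMSInvitation -InvitedUserEmailAddress $row.Email `
                                       -InvitedUserDisplayName  $row.DisplayName `
                                       -InviteRedirectUrl       'https://portal.azure.com' `
                                       -SendInvitationMessage   $true
        # Status is normally PendingAcceptance until the invitee redeems the link.
        [pscustomobject]@{ Email = $row.Email; Status = $inv.Status; RedeemUrl = $inv.InviteRedeemUrl }
    }
    catch {
        # Record the failure and keep going; one bad address should not stop the batch.
        [pscustomobject]@{ Email = $row.Email; Status = "Failed: $($_.Exception.Message)"; RedeemUrl = $null }
    }
}

# Keep the redeem URLs and failures for follow-up, then show a summary.
$results | Export-Csv -Path .\invitation-results.csv -NoTypeInformation
$results | Format-Table -AutoSize
```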
Are you sure you want to import all of the accounts? Azure Active Directory supports the B2B model.
B2B is based on an invitation model which lets you enable access to your corporate applications from partner-managed identities. You can provide an email along with the applications you want to share and send an invitation to your partners, customers or anyone else who has an account in Azure Active Directory. Azure AD sends them an email invite with a link. The partner user follows the link and is prompted to sign in using their Azure AD account or sign up for a new Azure AD account.
In my opinion you don't have to import users. More info here: https://azure.microsoft.com/en-us/documentation/articles/active-directory-b2b-collaboration-overview/

Unable to see subscriptions with Get-AzureSubscription via Azure PowerShell

I am trying to log in to Azure AD using PowerShell with a co-administrator account. I use Connect-MsolService and I get in, but I can't see any subscriptions when I use Get-AzureSubscription. At the same time, I can log in to the portal (both old and new) using that account and I see it there. The issue is I need to do some things that both portals do not let me do.
Is there an issue if I created the subscription using a Microsoft account on outlook.com? Am I missing something?
Just to add to the discussion, if you're not a direct owner of the subscriptions (but have an admin role for the whole or part of the Azure infrastructure) you can use the following cmdlets to get all subscriptions and switch between them:
Get-AzureRmSubscription
Select-AzureRmSubscription -SubscriptionName "subscription_name"
https://learn.microsoft.com/en-us/powershell/module/azurerm.profile/get-azurermsubscription?view=azurermps-5.0.0
This lists the available subscriptions for co-admins and contributors and can be used in Azure resource management scripts if you do not directly own the subscription but have sufficient privileges to access the resources.
Do you get a sign-in dialogue when you run Add-AzureAccount from PowerShell?
Can you then Get-AzureSubscription after that?
These guides might help in ensuring all the basics work:
https://redmondmag.com/articles/2016/01/25/connect-to-microsoft-azure-with-powershell.aspx
https://azure.microsoft.com/en-gb/documentation/articles/powershell-install-configure/
Update:
What are you trying to do after?
If you want to switch subscriptions, does the following work?:
Switch-AzureMode -Name AzureResourceManager
Get-AzureSubscription
Ref:
https://msdn.microsoft.com/en-us/library/azure/dn931949.aspx

PowerShell - Connecting to Azure Active Directory using Microsoft Account

I have an Azure subscription where the subscription administrator account is a Microsoft Account. I then added another Microsoft Account as a co-administrator. I'm told that when I add a co-administrator, it gets added to my subscription's default AD as a Guest user. What I really want to accomplish is change the user type from Guest to Member. For this, I am advised to use Azure AD PowerShell and this is where I am struggling.
I've already installed related PS Modules (based on this link: https://msdn.microsoft.com/en-us/library/azure/jj151815.aspx).
So here's what I am doing:
First, this is the command I am issuing:
$msolcred = get-credential
I get prompted for entering my credentials which I provide and then I run the following command:
connect-msolservice -credential $msolcred
When I do this, I get the following error:
connect-msolservice : The user name or password is incorrect. Verify your user name, and then type your password again.
At line:1 char:1
+ connect-msolservice -Credential $cred -Verbose
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OperationStopped: (:) [Connect-MsolService], MicrosoftOnlineException
+ FullyQualifiedErrorId : 0x80048821,Microsoft.Online.Administration.Automation.ConnectMsolService
I even tried putting the username as domainname.onmicrosoft.com\username but still get the same result.
So my questions are:
Is it even possible to connect to Azure AD via PowerShell using Microsoft Account?
If it is possible, then how should I specify the username? I have tried both username as well as domainname\username and I got the same error.
If it is not possible, then what's the alternate solution? Should I just create a user in that AD and put that user in a role that has permission to manage users (as this is what I want to do)?
Any insights regarding this would be highly appreciated.
(Updated 2018-04-23 to clarify how to do this with AzureAD (v2) module.)
The AzureAD (v2) PowerShell module accepts the -TenantId parameter in Connect-AzureAD, which can be either the Guid tenant ID, or any verified domain name in the Azure AD tenant. Doing so will allow you to sign in using an external account (e.g. your personal Microsoft account, or a work or school account from another Azure AD tenant, as long as this account was previously invited into the tenant):
Connect-AzureAD -TenantId "contoso.com"
The MSOnline (v1) module does not have an equivalent parameter, but it does accept -AdGraphAccessToken and -MsGraphAccessToken, which are access tokens to the Azure AD Graph API (https://graph.windows.net) and the Microsoft Graph API (https://graph.microsoft.com), respectively. Though you can use ADAL (for example) to obtain these access tokens for your specific tenant (which allows you to use external users), it's probably simpler to just create a "local" account in your Azure AD tenant for this.
Signing in to AAD PowerShell with a Microsoft Account is not currently supported. Your approach (make a new user that is "native" to the directory) is the way to go.
For those that run across this question in the future, the previous answer still appears to be correct. Basically, you have to create a new account that is native to the directory. This account can be used to log in when running connect-msolservice in PowerShell, and then you can run set-msoluser to convert the user from "Guest" to "Member".
The following blog post has detailed step-by-step directions to do this. Note that you need to follow the Appendix first if your Global Admin account is not a work or school account. Also, I've added a few important details in the Comments section of the blog post.
https://blogs.msdn.microsoft.com/dstfs/2015/12/23/issues-with-azure-active-directory-guest-users-in-aad-backed-visual-studio-team-services-accounts/
For reference, a similar problem and resolution using set-msoluser can be found in this forum post:
https://social.msdn.microsoft.com/Forums/azure/en-US/469baa2d-7ff1-4e17-a8f0-f257cbdbf50b/cannot-see-the-active-directory-item-in-the-azure-portal?forum=WindowsAzureAD