I am working on proofing out if there is a way to automate a Global administrator's Azure AD access for other User role accounts in the same tenant to grant access to OneDrive.
If you navigate to portal.office.com and then click on a user's name, that will bring up some settings for that user. The setting I am referring to is under the dropdown for OneDrive Settings, (see attached image).
Is there a way to automate this process via some PowerShell cmdlet?
Solved
I found an article that shows how to run PowerShell commands via the SharePoint Online Management Shell
Tutorial link has the section for Prerequisites for setup: Easy Manage Multiple Office 365 Tenants with Windows PowerShell
Actual PowerShell commands:
$site = Get-SPOSite -Identity https://mydemo-my.sharepoint.com/personal/sarad_mydemo_onmicrosoft_com
Set-SPOUser -Site $site.Url -LoginName admin#mydemo.onmicrosoft.com -IsSiteCollectionAdmin $true
Tutorial: How to Get Administrative Access to the OneDrive for Business Environment for a User
Related
I have a AWS FSx configured to my Domain. I ran the below command on my powershell to provide "Authenticated Users" access to my FSx share "Test":
Grant-FSxSmbShareAccess -Name "Test" -AccountName "Autheticated Users" -AccessRight 1 -Force -Confirm $false
And the output on the Powershell console shows that the requested access has been provided.
Name ScopeName AccountName AccessControlType AccessRight PSComputerName
Test XXXXXXXX NT AUTHORITY\Authenticated Users Allow Change XXXXX.some.com
But now if I go to the same share from my windows machine, right-click, o to Properties and go to the Security tab, I dont see Authenticated users added there.
I can only see the SYSTEM Account and the Default Admin Group Added to the FSx
Again if I go to the share and add Change Access to the same share for a certain user from the Windows share drive properties window, and then do a Get-FSxSmbShareAccess from my powershell window, I don't see this added user. But I still see the same table I saw previously.
Where am I going wrong?
This script creates a guest user invitation, but errors when trying to add that newly created user to a SharePoint Online site with the following error:
Add-SPOUser : The specified user janedoe#email.com could not be found.
$tenant = "companyname"
Connect-SPOService -url "https://$tenant-admin.sharepoint.com"
Connect-AzureAD -TenantDomain "$tenant.onmicrosoft.com"
New-AzureADMSInvitation -InvitedUserDisplayName "Jane Doe" -InvitedUserEmailAddress "janedoe#email.com" -InviteRedirectURL "https://$tenant.sharepoint.com/sites/client1" -SendInvitationMessage $true
Start-Sleep -s 60
Add-SPOUser -Group "Client Site 1 Visitors" –LoginName "janedoe#email.com" -Site "https://$tenant.sharepoint.com/sites/client1"
Disconnect-SPOService
Disconnect-AzureAD
How long does it take for Azure AD to populate that user into Office 365?
When trying to add the external user email (outside tenancy) to a SP group via the GUI, tabbing away shows the following error:
"Your organization's policies don't allow you to share with these users. Go to External Sharing in the Office 365 admin center to enable it."
To fix this and the PS script error, after the creation of your extranet SP site run the following PS command after connecting to SPO (only need to run ONCE before adding an external user to a site):
Set-SPOSite -identity https://companyname.sharepoint.com/sites/client1 -sharingcapability ExternalUserAndGuestSharing
Now the PS script will work without error. Start-Sleep is not necessary.
I have a requirement to disable external sharing on SPOnline sites associated with new Groups (e.g., MS Teams, Planner, etc.). When an Office 365 user provisions a new Team, Planner, or Group an SPOnline site is provisioned in the background to store files for the associated Group. Be default, this "background" SPOnline site allows external sharing of content.
I have created an Azure Automation Runbook that creates a session to Exchange Online using a Stored Credential. I then get a list of the groups created in the past day.
$groups = Get-UnifiedGroup -Filter "WhenCreated -gt '$dt'"
With the list of Groups, I then iterate through them, connect to SPOnline with an AppId and AppSecret and disable sharing.
Connect-PnPOnline -AppId $appId -AppSecret $appSecret -Url $tenantUrl
$site = Get-PnPTenantSite -Url $group.SharePointSiteUrl
Write-Output "Sharing Capability: " $site.SharingCapability
if($site.SharingCapability -ne "Disabled")
{
#Set-PnPTenantSite -Url $site.Url -Sharing Disabled
Write-Output "Disabling external sharing"
}
else
{
Write-Output "External sharing already disabled"
}
My problem is that our production environment uses a PCS system to manage passwords for accounts. This would require more scripting to access the PCS, checkout the password, update the stored credential then do the work that I want to do.
I am able to get the list of Groups directly from Azure AD but the returned objects do not have the WhenCreated and SharePointSiteURL properties. Without these two pieces of information, I am not able to limit my script to the past day nor change the setting in SharePoint.
My goal is to explore any alternative that allow me to get the list of new Groups and the associated SPOnline site URL without using a stored credential in Azure Automation. Any ideas?
Thank you for your time.
Generally you only have 4 options:
hardcode credentials
use variables + certificates (you can make them secure string, so they are encrypted)
use run as account (allows use of certificates)
use credentials + certificates (pretty much the same as variables)
This may not even be possible without powershell (or Azure Powershell), but can I use a script to retrieve user information from AZURE active directory on a Windows 10 computer?
Since the user has already provided credentials and the user name has been pulled down from Azure, is there any other information pulled down that I can reference as a system object (for eg).
Example of code to show user name:
Set objSysInfo = CreateObject("ADSystemInfo")
wScript.Echo objSysInfo.UserName
I want to see other information such as users department(i.e. .department , so that I can map drives by identifying the users department rather than using the user name).
If I can't use vbs then is this possible with Azure powershell without re-entering user credentials and/or re-verifying user credentials?
It's possible with Azure PowerShell commandlets:
Connect-MsolService -CurrentCredential
Get-MsolUser -UserPrincipalName username#domain
I am writing a simple script to copy AD group membership from one user to the other. I am doing it using the ActiveDirectory module only.
The script looks like it would work and does work up until I try to ad the groups to the user.
Code:
import-module ActiveDirectory
$templateUser = get-ADUser user1
$targetUser = getADUser user2
$groups =get-adprincipalgroupmembership $templateUser
$groups2 = get-ADPrincipalGroupMembership $targetUser
foreach($group in $groups) {
add-adGroupMember $group $targetUser
}
Error:
Add-ADGroupMember : insufficient access rights to performt the operation
At line:9 char:18
+ FullyQualifiedErrorID : Insufficient access rights to perform the operation,Microsoft.ActiveDirectory.Management.Commands.AddADGroupMember
Notes/Thoughts:
I am logged in as a normal user, but I ran the powershell as a different user (my admin account). I am not a local admin, but I am an admin on the domain. I am able to add the user to groups if I launch the AD Tools and do it manually (I have permissions to add to those groups).
Edit:
Run the powershell as admin.
Run powershell as administrator.
I hit this today in Server 2012. I was running the powershell as Administrator, I was a domain admin, I was a local admin, I was every kind of admin I could find.
I "fixed" it by using the Active Directory Users and Computers tool, adding myself as the Manager of the AD groups I was trying to add users to, and ticked the box to allow the manager to change membership. I could then run AD-AddGroupMember happily.
I ran into this problem as well using Powershell remoting to connect to a domain controller.
In my case it turned out Include inheritable permissions from this object's parent was turned off for the specific object I couldn't change.
I ran into this issue today where an automated system was using powershell scripts for various things.... It turned out to be executionpolicy.
We were running our script with the ExecutionPolicy Bypass flag, and even running the command directly in powershell outside of a script wouldn't work, but once we set executionpolicy to unrestricted, everything magically worked.
For us we were able to create security groups even, but not add users to groups via powershell, even though we could make the same changes in ADUC.