What are the minimum permissions required for a user to execute Lync cmdlets in PowerShell?

I have a .NET application from which I am managing Lync Server. I used the cmdlets Get-CsUser, Get-Nonscientific, Grant-Cs, Set-CsUser, Move-CsUser, Enable-CsUser, Disable-CsUser, Set-CsClientPin. For this to work I have assigned the groups RTCUniversalServerAdmins and CSAdministrator.
Can I minimise these permissions on the user, as it is holding higher privileges?
Or does anyone have a document that explains which cmdlets require which permission?
Any help would be appreciated.

Have you seen these links:
Lync2013:
Group membership requirements for Lync Server 2013
and
Planning for role-based access control in Lync Server 2013
Skype For Business:
Windows PowerShell and Skype for Business Server 2015 management tools
and
Role-based access control (RBAC) for Skype for Business Server 2015
It looks like it's all modeled around the "Role-Based Access Control" concept in Lync.
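As an added example (not part of the question or the answer above), the following script shows how to turn those RBAC documents into a check: it asks the server which built-in roles already cover the cmdlets the application calls, then clones the least-privileged matching template into a custom role that is scoped to one OU and assigned to the application's service account. It assumes a remote PowerShell session to a Lync Server 2013 / Skype for Business front end as an existing CSAdministrator, the ActiveDirectory module, and hypothetical names (`svc-lyncapp`, the OU, the role name); the two garbled cmdlet names from the question are left out of the list.

```powershell
# Added example, not from the original thread. Assumes a remote session to the Lync front end
# as a CSAdministrator and the ActiveDirectory module. Names below are placeholders.
$needed = 'Get-CsUser','Set-CsUser','Move-CsUser','Enable-CsUser','Disable-CsUser','Set-CsClientPin'

# 1. Report, per cmdlet, which built-in RBAC roles include it, and which roles cover all of them.
$roles = Get-CsAdminRole
foreach ($cmdlet in $needed) {
    $holders = ($roles | Where-Object { $_.Cmdlets -contains $cmdlet }).Identity -join ', '
    "{0,-20} -> {1}" -f $cmdlet, $holders
}
$covering = foreach ($role in $roles) {
    $missing = $needed | Where-Object { $role.Cmdlets -notcontains $_ }
    if (-not $missing) { $role.Identity }
}
"Roles covering every needed cmdlet: $($covering -join ', ')"

# 2. Prefer a scoped custom role over CSAdministrator. A custom role is backed by a universal
#    security group of the same name, which must exist before New-CsAdminRole is called.
$roleName = 'CsUserAdministrator-AppScoped'                      # hypothetical
New-ADGroup -Name $roleName -GroupScope Universal -GroupCategory Security `
    -Path 'OU=Groups,DC=contoso,DC=com'                           # hypothetical OU
New-CsAdminRole -Identity $roleName -Template 'CsUserAdministrator' `
    -UserScopes 'OU:OU=LyncUsers,DC=contoso,DC=com'               # only users in this OU may be touched
Add-ADGroupMember -Identity $roleName -Members 'svc-lyncapp'      # the application's service account

# 3. Verify. RBAC is enforced only for remote PowerShell sessions, so the .NET application must
#    open a remote runspace to the front end; a local Lync Management Shell on the server is not
#    restricted by these roles.
Get-CsAdminRoleAssignment -Identity 'svc-lyncapp'
Get-CsAdminRole -Identity $roleName | Select-Object Identity, UserScopes, Cmdlets
```

If step 1 shows that a cmdlet (Set-CsClientPin is the one to watch) is not in the chosen template, add it to the custom role with `Set-CsAdminRole -Cmdlets @{Add="Set-CsClientPin"}` rather than falling back to CSAdministrator, and re-run step 3.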

Windows Kerberos application issues and Event 5071

We're experiencing issues with a third-party application running on Windows 2016 that uses Kerberos and SSPI (Windows Security Support Provider interface) where the vendor has suggested this could be related to Kerberos authentication failures. The service runs as a domain service account. In the Windows 2016 domain controller security logs we're seeing Event ID 5071 failure audits with the description:
Key access denied by Microsoft key distribution service
This all worked in the past and similar configuration works in other parts of our system (different service accounts, servers, domain controllers). In fact, we have a full hardware level clone of our setup as a test system and the issue doesn't exist there.
There is limited information online that we've been able to find on this particular event. We are in the process of performing all the normal Kerberos advanced troubleshooting so don't need assistance from that angle. We have a ticket open with Microsoft so will post their response here.
Has anyone encountered this event previously and has any insight into the potential cause(s)?
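An added triage check, not part of the question: it pulls the Event ID 5071 failure audits from a domain controller's Security log and, for each one, lists the Kerberos events (4768 TGT requests, 4769 service-ticket requests, 4771 pre-authentication failures) logged within a few seconds on the same DC, so the "Key access denied by Microsoft key distribution service" entries can be lined up against the service account's ticket activity. It assumes remote event-log access to a hypothetical DC named `DC01`.

```powershell
# Added example, not from the original post. Assumes remote Security-log read access to $ComputerName.
function Get-KdsDenials {
    param(
        [string]   $ComputerName  = 'DC01',                      # hypothetical DC name
        [datetime] $Start         = (Get-Date).AddHours(-24),
        [int]      $WindowSeconds = 5,
        [int]      $MaxEvents     = 200
    )
    $denials = Get-WinEvent -ComputerName $ComputerName -MaxEvents $MaxEvents -FilterHashtable @{
        LogName = 'Security'; Id = 5071; StartTime = $Start } -ErrorAction SilentlyContinue
    foreach ($d in $denials) {
        # Kerberos events on the same DC in a +/- $WindowSeconds window around the denial.
        $nearby = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
            LogName   = 'Security'
            Id        = 4768, 4769, 4771
            StartTime = $d.TimeCreated.AddSeconds(-$WindowSeconds)
            EndTime   = $d.TimeCreated.AddSeconds($WindowSeconds) } -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Time     = $d.TimeCreated
            Denial   = ($d.Message -split "`r?`n")[0]            # first line: "Key access denied by ..."
            Detail   = ($d.Message -split "`r?`n" | Where-Object { $_ -match 'Account|Key' }) -join '; '
            Kerberos = ($nearby | ForEach-Object { "$($_.Id)@$($_.TimeCreated.ToString('HH:mm:ss'))" }) -join ' '
        }
    }
}

Get-KdsDenials | Format-Table -AutoSize
```

Run it against the production DC and the cloned test DC with the same window: since the clone does not reproduce the denial, the point of the output is the account and key named in the 5071 detail lines, and whether the surrounding Kerberos events show the service account at all or only the DC's own key-distribution activity.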

What exactly is the difference between company users and Azure AD users?

I'm relatively new to the whole Microsoft environment and this has been tickling my brain for a while. What exactly is the difference between company users present, for example, in the Microsoft 365 admin center and in Azure AD for property-editing purposes? Are they both synced together, or do they serve different purposes? Most PowerShell scripts I find to retrieve, for example, all users and their properties use cmdlets such as Get-AzureADUser, hence the question.
Thank you in advance!
They are the same.
The basic attributes of the users are stored in Azure AD and you can use Microsoft Graph to query them easily.
The difference between them is:
In the O365 admin center you manage access to resources under O365 subscriptions, for example Exchange Online, SharePoint Online, Teams and so on. In the Azure portal you manage access to resources under an Azure subscription, such as Azure Web Apps, Azure AD app registrations, Azure VMs, Azure security groups and so on.
The company users are indeed Azure AD users; they are just named differently depending on the environment (O365 or Azure AD).
Get-AzureADUser is in the Azure AD PowerShell module. You can also use Get-MsolUser, from the MSOnline PowerShell module (the old O365 module), to get the users.
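An added example, not part of the answer above, that makes the "same object, two consoles" point checkable: it reads one user through the AzureAD module and through the older MSOnline module, confirms both return the same directory ObjectId, then shows the two separate things that hang off that object: the O365 licences (what the Microsoft 365 admin center manages) and the Azure RBAC role assignments on subscription resources (what the Azure portal manages). It assumes the AzureAD, MSOnline and Az.Resources modules are installed and uses a hypothetical UPN.

```powershell
# Added example, not from the original answer. Assumes the AzureAD, MSOnline and Az.Resources
# modules and an interactive sign-in to each; the UPN is a placeholder.
$upn = 'alice@contoso.onmicrosoft.com'

Connect-AzureAD   | Out-Null
Connect-MsolService
Connect-AzAccount | Out-Null

$aad  = Get-AzureADUser -ObjectId $upn          # AzureAD module (what most scripts use)
$msol = Get-MsolUser -UserPrincipalName $upn    # MSOnline module, same directory object

# One directory object behind both consoles: the ObjectId is identical.
[pscustomobject]@{
    AzureAD_ObjectId = $aad.ObjectId
    MSOL_ObjectId    = $msol.ObjectId
    SameObject       = ($aad.ObjectId -eq $msol.ObjectId)
    Synced_from_AD   = $aad.DirSyncEnabled        # $true when the object comes from on-prem AD via sync
}

# "Microsoft 365 side": what the user can reach is governed by licence/service plans on the object.
$msol.Licenses | ForEach-Object {
    [pscustomobject]@{ Sku = $_.AccountSkuId; Plans = ($_.ServiceStatus | Where-Object { $_.ProvisioningStatus -eq 'Success' }).Count }
}

# "Azure side": access to subscription resources is Azure RBAC, keyed by the same ObjectId.
Get-AzRoleAssignment -ObjectId $aad.ObjectId | Select-Object RoleDefinitionName, Scope
```

Both the AzureAD and MSOnline modules are on Microsoft's retirement path; `Get-MgUser -UserId $upn` from the Microsoft.Graph module returns the same object with its `Id` equal to the ObjectId above, so a migrated script can keep the same comparison.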

How do I do authentication for my powershell scripts for Microsoft 365/AzureAD/Exchange Online automation?

So I can successfully run commands to manage our Microsoft 365/AzureAd/Exchange Online - this involves assigning and removing license, converting user to a shared mailbox, delegating access to a mailbox, etc. I followed the guide here for authentication. But that's me actually logging in with my credentials + MFA (Multi-factor authentication) for authentication.
I want to have a script that does these types of actions, triggered by a schedule. I believe I can include the credentials, but how do I do MFA? I tried to follow this but get the error "clientid is not a guid". I have registered an app in https://portal.azure.com/ and am able to do Graph API calls using it. No luck with PowerShell authentication, though. Any thoughts? Thanks!
Maybe try this? It should allow you to connect to all Microsoft online services and includes support for MFA. If it does not work, the website has many other scripts you can try
This is not possible. A potential solution is to set some rules where, in a specific case, MFA will not be required.
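As an added example, not part of either answer above: for a scheduled run the usual practitioner approach is app-only, certificate-based authentication against the app registration the asker already has. No user signs in, so there is no MFA prompt to satisfy and no conditional-access exception to carve out; the secrets are the app's granted permissions and the certificate's private key. Every GUID, thumbprint and name below is a placeholder, and it assumes the ExchangeOnlineManagement and Microsoft.Graph modules.

```powershell
# Added example, not from the original thread. All identifiers are placeholders.
$appId    = '00000000-0000-0000-0000-000000000000'   # Application (client) ID from the app registration: a GUID
$tenantId = '11111111-1111-1111-1111-111111111111'   # Directory (tenant) ID
$org      = 'contoso.onmicrosoft.com'
$thumb    = 'ABCDEF0123456789ABCDEF0123456789ABCDEF01'

# The account the scheduled task runs as must be able to read the private key, so keep the
# certificate in that account's store (or the machine store with an ACL), never as a PFX on disk.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $thumb
if (-not $cert -or -not $cert.HasPrivateKey) { throw "certificate $thumb is not usable by this account" }
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { Write-Warning "certificate $thumb expires $($cert.NotAfter)" }

# Exchange Online app-only: the app needs the Exchange.ManageAsApp application permission
# (admin-consented) and an Exchange role (e.g. Exchange Administrator) assigned to its service principal.
Connect-ExchangeOnline -AppId $appId -CertificateThumbprint $thumb -Organization $org -ShowBanner:$false
Get-Mailbox -ResultSize 5 | Select-Object DisplayName, RecipientTypeDetails

# Microsoft Graph for user/licence work: same certificate, Graph *application* permissions on the app.
Connect-MgGraph -ClientId $appId -TenantId $tenantId -CertificateThumbprint $thumb -NoWelcome
Get-MgUser -Top 5 -Property DisplayName, AssignedLicenses |
    Select-Object DisplayName, @{ n = 'Licences'; e = { $_.AssignedLicenses.Count } }

Disconnect-MgGraph        | Out-Null
Disconnect-ExchangeOnline -Confirm:$false
```

An error of the shape "clientid is not a guid" usually means something other than the Application (client) ID (for example the tenant domain or the app's display name) was passed as the client ID; the value has to be the GUID shown on the app registration's overview page. Scope the app to the permissions the script actually uses; an app holding Exchange.ManageAsApp plus an Exchange Administrator role is tenant-wide, so treat the certificate like a Global Admin password.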

Access of Outlook mail using powershell script

I am trying to access Outlook mail to manage it through a PowerShell script. It works fine, but when the script tries to access the content of a mail, Outlook asks for permission to allow the script access. Is there any way I can allow only my script to access the Outlook mail content?
Most probably you get the standard security prompt in Outlook when accessing some sensitive properties from the Outlook object model.
There are several ways of suppressing such prompts:
Use a third-party component for suppressing Outlook security warnings. See Security Manager for Microsoft Outlook for more information.
Use a low-level API instead of OOM, or any other third-party wrapper around that API, for example Redemption.
Develop a COM add-in that has access to the trusted Application object, and then communicate from a standalone application with the add-in using standard .NET tools (Remoting).
Use Group Policy objects to set up the machines.
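An added example, not part of the answer above, showing the prompt from the script's side and the Group Policy side: it reads the Inbox through the Outlook object model from PowerShell, separates properties that the Object Model Guard does not protect (Subject, ReceivedTime) from ones that trigger the "A program is trying to access..." prompt (Body, SenderEmailAddress, Recipients), and then reads the Outlook security policy values that decide whether the prompt appears. The registry path assumes Outlook 2016/2019/365 (`16.0`); the value names and meanings are the documented Outlook security policy settings.

```powershell
# Added example, not from the original answer. Assumes a desktop Outlook profile on this machine.
$outlook = New-Object -ComObject Outlook.Application
$ns      = $outlook.GetNamespace('MAPI')
$inbox   = $ns.GetDefaultFolder(6)                 # 6 = olFolderInbox

# Not guarded: listing these never prompts.
$inbox.Items | Select-Object -First 5 Subject, ReceivedTime

# Guarded: Body, HTMLBody, SenderEmailAddress, Recipients, To/CC/BCC. Touching any of them is
# what raises the prompt unless policy (below) or an up-to-date antivirus status silences it.
$first = $inbox.Items | Select-Object -First 1
if ($first) {
    "sender: $($first.SenderEmailAddress)"        # prompt appears here under default settings
    "body length: $($first.Body.Length)"
}

# Policy side. AdminSecurityMode = 3 tells Outlook to honour the PromptOOM* values;
# each PromptOOM* value is 0 = prompt user, 1 = automatically approve, 2 = automatically deny.
$policy = 'HKCU:\Software\Policies\Microsoft\Office\16.0\Outlook\Security'
if (Test-Path $policy) {
    Get-ItemProperty $policy | Select-Object AdminSecurityMode,
        PromptOOMAddressInformationAccess, PromptOOMAddressBookAccess, PromptOOMSend
} else {
    'No Outlook security policy set: Outlook uses its default, which only prompts when antivirus is inactive or out of date.'
}

[void][Runtime.InteropServices.Marshal]::ReleaseComObject($outlook)
```

Setting PromptOOMAddressInformationAccess to 1 (auto-approve) answers the asker's question only partly: the policy applies to every process that drives Outlook on that machine, not just one script, which is exactly the weakening the guard exists to prevent. That is why the answer's add-in and Redemption options are the per-application routes; if policy is used, pair it with a tightly controlled machine and keep PromptOOMSend on prompt or deny.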

Connecting to Exchange Online with PowerShell and Modern Authentication (without any dependencies)

I want to connect to Exchange Online using PowerShell and modern authentication without depending on any modules or dll's.
There's a module available for modern authentication to Exchange Online that depends on CreateEXOPSSession.ps1 and Microsoft.Exchange.Management.ExoPowerShellModule.dll. I have decompiled the latter and found that it generates an access token as follows:
```csharp
TokenInformation accessToken = TokenProviderFactory.Instance.CreateTokenProvider(new TokenProviderContext(authType, "a0c73c16-a7e3-4564-9a95-2bdf47383716", this.AzureADAuthorizationEndpointUri, acquireTokenEndpoint, this.UserPrincipalName, this.Credential, clientAppRedirectUri, (Action<string>) (s => this.WriteWarning(s)))).GetAccessToken();
```
I want to request the access token in the same way in PowerShell, but I can't seem to get the right authentication context and method of retrieving the access token.
Any ideas?
You have to have an MSOL connection and create a remote session to EXO to use EXO cmdlets. There is no workaround for this.
The dependencies are there for a reason. The backend plumbing of MSOL / Azure / O365 expects what it expects, and skirting it will just lead you down a very frustrating/hair-pulling activity.
That token is an Azure AD token, as MA/ADAL requires that you have an Azure AD Premium license.
MA requires use of the ADAL API/DLL. This is like asking to programmatically connect to and use Exchange on-prem EAS/EWS services without using the API/DLL, that's not a thing either.
So, no matter how you look at this, there will be dependencies, as noted below. So, if you are serious about this effort, you need to really dig into what MA really is and how it's plumbing really works. Also, MFA must be already enabled for you and users, either in O365 and or the ADAL MFA settings in Azure.
Modern Authentication – What is it?
Modern Authentication brings Active Directory Authentication Library (ADAL)-based sign-in to Office client apps across platforms.
Microsoft identity platform authentication libraries
There is also an ADAL module on the MS PowerShellGallery.com.
Microsoft.ADAL.PowerShell 1.12
ADAL module for PowerShell
https://www.powershellgallery.com/packages/Microsoft.ADAL.PowerShell/1.12
Functions
Get-ADALAccessToken
Clear-ADALAccessTokenCache
Examples are here:
Microsoft.ADAL.Powershell

```powershell
#### Example 1
# This example acquires an access token by using RedirectUri from the contoso.onmicrosoft.com
# Azure Active Directory for the PowerBI service. It will only prompt you to sign in the first
# time, or when the cache is expired.
Get-ADALAccessToken -AuthorityName contoso.onmicrosoft.com `
    -ClientId 8f710b23-d3ea-4dd3-8a0e-c5958a6bc16d `
    -ResourceId https://analysis.windows.net/powerbi/api `
    -RedirectUri "http://yourredirecturi.local"
```
See also:
Azure-AD-Authentication-with-PowerShell-and-ADAL
This is a set of really simple PowerShell scripts which allow you to get access tokens with Azure Active Directory using ADAL.
and this...
ADAL and PowerShell
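An added example, not part of the question or the answers above, doing what the asker set out to do: obtain an Azure AD access token for the Exchange Online resource with plain HTTPS calls (the OAuth 2.0 device code flow against the v1 endpoint, no ADAL/MSAL DLL) and hand it to the remote session the way the decompiled ExoPowerShellModule did, as a Basic credential whose password is `Bearer <token>` sent to the `BasicAuthToOAuthConversion=true` endpoint. Device code is used because the user completes sign-in and MFA in a browser while the script only polls. The client ID is the one quoted from the decompiled code; the UPN is a placeholder; that the endpoint still accepts such sessions is an assumption (see the note after the block).

```powershell
# Added example, not from the original thread. The client ID is the one in the question; the
# endpoint behaviour is what the decompiled module relied on and is assumed here.
$clientId  = 'a0c73c16-a7e3-4564-9a95-2bdf47383716'
$resource  = 'https://outlook.office365.com'
$authority = 'https://login.microsoftonline.com/common/oauth2'
$upn       = 'alice@contoso.onmicrosoft.com'          # placeholder

function Get-DeviceCodeToken {
    param([string]$ClientId, [string]$Resource, [string]$Authority)
    # Step 1: ask for a device code; the response carries the URL and code the user types in.
    $dc = Invoke-RestMethod -Method Post -Uri "$Authority/devicecode" `
        -Body @{ client_id = $ClientId; resource = $Resource }
    Write-Host $dc.message                             # "To sign in, use a web browser to open ..."
    # Step 2: poll the token endpoint until the user has finished (including MFA) in the browser.
    $deadline = (Get-Date).AddSeconds([int]$dc.expires_in)
    while ((Get-Date) -lt $deadline) {
        Start-Sleep -Seconds ([int]$dc.interval)
        try {
            return Invoke-RestMethod -Method Post -Uri "$Authority/token" -Body @{
                grant_type = 'device_code'; client_id = $ClientId; code = $dc.device_code; resource = $Resource }
        } catch {
            $err = ($_.ErrorDetails.Message | ConvertFrom-Json).error
            if ($err -ne 'authorization_pending') { throw "token request failed: $err" }
        }
    }
    throw 'device code expired before sign-in completed'
}

function Get-JwtClaims([string]$Jwt) {
    # Decode the payload only; signature checking is the resource server's job, this is a sanity check.
    $p = $Jwt.Split('.')[1].Replace('-', '+').Replace('_', '/')
    $p += '=' * ((4 - ($p.Length % 4)) % 4)
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($p)) | ConvertFrom-Json
}

$token  = Get-DeviceCodeToken -ClientId $clientId -Resource $resource -Authority $authority
$claims = Get-JwtClaims $token.access_token
"aud=$($claims.aud) upn=$($claims.upn) expires=$([DateTimeOffset]::FromUnixTimeSeconds($claims.exp).LocalDateTime)"
if ($claims.aud -ne $resource) { throw "token audience $($claims.aud) is not $resource" }

# The module wrapped the bearer token in a Basic credential: user = UPN, password = "Bearer <token>".
$secret  = ConvertTo-SecureString "Bearer $($token.access_token)" -AsPlainText -Force
$cred    = New-Object System.Management.Automation.PSCredential ($upn, $secret)
$session = New-PSSession -ConfigurationName Microsoft.Exchange -Authentication Basic -AllowRedirection `
    -ConnectionUri 'https://outlook.office365.com/PowerShell-LiveId?BasicAuthToOAuthConversion=true' `
    -Credential $cred
Import-PSSession $session -DisableNameChecking | Out-Null
Get-Mailbox -ResultSize 1 | Select-Object DisplayName
Remove-PSSession $session
```

The remote PowerShell (`PowerShell-LiveId`) endpoint this mirrors is the legacy one the 2018-era module used; Microsoft has since moved Exchange Online PowerShell to a REST-backed module, so treat the session half of the script as documentation of how the DLL worked. The token half stays valid: current ExchangeOnlineManagement versions offer `Connect-ExchangeOnline -Device` for the same device-code sign-in and `-AccessToken` for a token you obtained yourself, which is the supported way to keep the module out of your own token handling.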