How do you set the Reply URL for a service principal with powershell.
The following doesn't commands don't add anything to that field when I check on the management portal.
$aa = new-AzureADApplication -DisplayName "Name" -HomePage "addr" -IdentifierUris "addr"
new-AzureADServicePrincipal -ApplicationId $aa.ApplicationId
..... setting up the roles and etc.
The IdentifierUris seem to only fill the APP ID URI. It takes an array but when I do something like this, azure responds with an internal error:
Either
$arr = #("addr1","addr2")
New-AzureAdApplication -IdentifierUris $arr
or
New-AzureAdApplication -IdentifierUris (,$arr)
or
New-AzureAdApplication -IdentifierUris #("addr1","addr2")
Is it possible to set this field through powershell?
I don't know of a way to do it with the Azure PowerShell modules, but you can do it with the Set-MsolServicePrincipal cmdlet in the Azure AD (aka MSOnline) module. Reply URLs can be managed via the Addresses collection.
Example (from https://gist.github.com/rytmis/4178996):
$addresses = $principal.Addresses
$addresses.Add((New-MsolServicePrincipalAddresses -Address http://localhost:81))
$addresses.Add((New-MsolServicePrincipalAddresses -Address http://my-deployment-endpoint.cloudapp.net))
Set-MsolServicePrincipal -AppPrincipalId $appPrincipalId -Addresses $addresses
Edit (some background info)
Applications and Service Principals are separate but related entities. (This article explains the relationship between the two).
When you create an application via the Azure AD portal, it creates both the application and the service principal. To get the same result from PowerShell, you have to create both objects.
# Create the application object
$azureAdApplication = New-AzureRmADApplication -DisplayName "<Your Application Display Name>" `
-HomePage "<https://YourApplicationHomePage>" `
-IdentifierUris "<https://YouApplicationUri>"
# Create the corresponding service principal
New-AzureRmADServicePrincipal -ApplicationId $azureAdApplication.ApplicationId
Application/Service Principal combinations created this way should show up in the portal, and can be used the same way as those created in the portal.
Related
I hope someone can help..
I have a registered application (TestApp3), with which I connect successfully using:
Connect-AzureAD -TenantId $tenant -CertificateThumbprint $thumb -ApplicationId $applicationID
Now once connected, I need to assign users to a different application (TestApp2).
If I use the following command (when connected as Global Admin)
Add-AzureADDirectoryRoleMember -ObjectId (Get-AzureADDirectoryRole | where-object {$_.DisplayName -eq "Application administrator"}).Objectid -RefObjectId $sp.ObjectId
This will grant the App Admin role to the application TestApp3.
So, the following will work when connected as TestApp3:
New-AzureADUserAppRoleAssignment -ObjectId $user.ObjectID -PrincipalId $user.ObjectID -ResourceId $servicePrincipal.ObjectId -Id ([Guid]::Empty)
This will add a user to the list of assigned users for the servicePrincipal TestApp2.
However, its 'scoped' across the tenant. How do I configure it so TestApp3 can only assign users for the specific app TestApp2?
Thanks..
//A
How do I configure it so TestApp3 can only assign users for the
specific app TestApp2?
According to this microsoft document assign app owners
Similar to application administrator, an owner has capability to
manage many or all azure ad configuration aspects but for a
specific organization application (appl registration or enterprise
application.) they are assigned to.
They can do user assignments, SSO configuration and provisioning. Owner can even add /remove other owners and can manage the applications that they own only.
Add an owner using powershell cmds.
Connect-AzureAD
Add-AzureADApplicationOwner -ObjectId xxxxxx-xxxx-xxxx3-xxx -RefObjectId xxxx-xxxx-xxx-xxxx-xxxxxxxx
ObjectId > object id of the application
References:
assign-application-owners- Azure AD | Microsoft Docs
Add Azure AD Application as owner of another AD Application –
LockTar’s Blog
I have been given a task to setup a scheduled task which will run daily to pull down the list of allowed domains from SPO. This is not an issue if I use Connect-SPOService and Get-SPOTenant, like this:
Connect-SPOService –url https://xxxx-admin.sharepoint.com
Get-SPOTenant | select -ExpandProperty SharingAllowedDomainList > d:\allowedDomains.txt
The issue issue is that this has to be automated. There is also a requirement to use an ClientId and Secret in the script, rather than providing me with an account which bypasses MFA and has SP Admin rights.
Because of that, I've turned to SharePointPnP, which does allow you to connect with ClientId and Secret. I'm able to connect to connect with the following:
Connect-PnPOnline -url https://xxxx-admin.sharepoint.com -ClientId "xxxxx" -ClientSecret "xxxxx"
Where I'm struggling now is trying to how I can retrieve the SharingAllowedDomainList property through SharePointPnP, or if that is even possible?
#THTX,
Can you please have a try below pnp powershell cmdlet?
Get-PnPTenant
Get-PnPTenantSite
It has SharingAllowedDomainList property:
BR
How do I add an application from the AAD Gallery programmatically and configure it? I checked AAD Powershell commands but I could not find out how to use it to provision a pre-integrated applications from the Azure AD gallery. There is the New-AzureRmADApplication -DisplayName "NewApplication" -HomePage "http://www.microsoft.com" -IdentifierUris "http://NewApplication" for example but not an Add-AzureRmADApplication or similar. The application I need is already available under the "Developer Services" category in the AAD Applications Gallery and all I need is to add it and configure its Single-sign on and Provisioning attributes. Is that even possible or do I have to create a new app? Even if I created a new application how do I configure it past the just adding the HomePage and IdentifierUris parameters which is all I can do using the New-AzureRmADApplication cmndlt?
Any help would be appreciated. Thank you
There is currently no way to configure the applications from the AAD Application Gallery programmatically. You can refer to the following post:
https://social.msdn.microsoft.com/Forums/en-US/42f262e2-150e-48bd-a741-cbabf42fcf77/how-to-add-and-configure-aad-application-from-the-gallery-programatically?forum=WindowsAzureAD
In case anyone come's across this question again, this is now possible, with the AzVm modules, instead of AzRm.
First you get the "Gallery Application Version"
$galleryApp = Get-AzGalleryApplicationVersion -GalleryName $GalleryName `
-GalleryApplicationName $AppName `
-ResourceGroupName $ResourceGroupName
Then create a new app instance for your current PowerShell Session
$appInstance = New-GalleryApplication -PackageReferenceId $galleryApp.Id
You'll also need to set the order parameter after you create the instance. There's no parameter to set it when it's defined.
$appInstance.Order = $int32Value
Finally, add the application to your Virtual Machine
Add-AzVmGalleryApplication -VM $VirtualMachineObjet `
-GalleryApplication $appInstance
-ResourceGroupName $ResourceGroupName
Once the application(s) are added, you need to push the update with "Update-AzVm", otherwise they won't actually deploy.
Here's the full example:
$galleryApp = Get-AzGalleryApplicationVersion -GalleryName $GalleryName `
-GalleryApplicationName $AppName `
-ResourceGroupName $ResourceGroupName
$appInstance = New-GalleryApplication -PackageReferenceId $galleryApp.Id
$appInstance.Order = $int32Value
Add-AzVmGalleryApplication -VM $VirtualMachineObjet `
-GalleryApplication $appInstance `
-ResourceGroupName $ResourceGroupName `
-Order $int32Value
Update-AzVm -ResourceGroupName $ResourceGroupName -VM $VirtualMachineObject
Is it somehow possible to create an Azure AD Application Key via PowerShell?
I could not really find any working solution. Currently I have this piece of code:
$appName = "myAppName"
$password = "myPassword"
$app = New-AzureRmADApplication -DisplayName $appName -HomePage "https://$appName" -IdentifierUris "https://$appName" -Password $password
New-AzureRmADServicePrincipal -ApplicationId $app.ApplicationId
New-AzureRmRoleAssignment -RoleDefinitionName "Data Factory Contributor" -ServicePrincipalName $app.ApplicationId
This all works fine so far but I also need to create a Key for the app for clients to actually access it. In the Azure portal this would be under MyDirectory --> App registrations --> myAppName --> Settings --> Keys
also I am not quite sure what the Password for the application is actually used for?!
OK, I found this blog post and it seems to solve my issue:
https://www.sabin.io/blog/adding-an-azure-active-directory-application-and-key-using-powershell/
I've created an Azure PowerShell script in a Runbook within the Azure Automation portal in order to automatically scale the database performance level depending on what time it is.
I can successfully retrieve a service objective via "Get-AzureSqlDatabaseServiceObjective" when I want to scale down to a "P1" or "P2" performance level; however, when I want to scale up to "P6" or "P11", I am unable to do so with the same exact block of code:
$Edition = "Premium"
$PerfLevel = "P6"
$Servercredential = new-object System.Management.Automation.PSCredential($Credential.UserName, (($Credential).GetNetworkCredential().Password | ConvertTo-SecureString -asPlainText -Force))
$CTX = New-AzureSqlDatabaseServerContext -ManageUrl “https://$ServerName.database.windows.net” -Credential $ServerCredential
$ServiceObjective = Get-AzureSqlDatabaseServiceObjective $CTX -ServiceObjectiveName $PerfLevel
Set-AzureSqlDatabase $CTX –DatabaseName $DatabaseName –ServiceObjective $ServiceObjective –Edition $Edition -Force
When I specify "P6" as the "ServiceObjectiveName" this cmdlet returns null; however, when I specify "P1" or P2" the cmdlet returns the correct ServiceObjective object, and the code will execute properly.
The MSDN documentation for "Get-AzureSqlDatabaseServiceObjective" only shows "P1, P2, P3" as valid Premium values; however, there has to be a way to scale the database to these higher performance levels (I can specify "P3" as a parameter in this script and it will actually change the database performance level to P3, even though you can't select this performance level manually through the Azure Portal anymore).
Can anyone give advice or maybe another method to achieve scaling up to these higher performance levels via a PowerShell script? I've done hours of research on here and elsewhere and I can't find a solution to this or any other post with a similar problem that was resolved.
Azure Resource Management commandlet for sql server i.e Set-AzureRmSqlDatabase can be used to upscale db to any desired edition/performance level.
We have to connect to our Azure subscription and acquire database instance to upscale it. We can create a runbook to schedule upgrade/downgrade.
# Read the subscription credentials. AzureRunAsConnection asset is created as a part of Automation account setup(see link below)
$Conn = Get-AutomationConnection -Name AzureRunAsConnection
# Connect to the subscription (Uninteractive login).
Add-AzureRMAccount -ServicePrincipal -Tenant $Conn.TenantID `
-ApplicationId $Conn.ApplicationID `
-CertificateThumbprint $Conn.CertificateThumbprint
# Set the new performance tier of db.
Set-AzureRmSqlDatabase -DatabaseName $Using:DatabaseName `
-ServerName $Using:SqlServerName `
-ResourceGroupName $Using:ResourceGroupName `
-Edition $Using:Edition `
-RequestedServiceObjectiveName $Using:PerfLevel
Read Authentication runbook with AzureRunAsAccount for details on authentication using runbook connection asset.
NOTE: `(tick) is used to break the commandlet in multiple lines.
Here is my upgrade and downgrade example for Azure DB and Azure DWH: http://microsoft-bitools.blogspot.com/2017/04/scheduled-upgrade-and-downgrade-azure.html