I have an Azure subscription where the subscription administrator account is a Microsoft Account. I then added another Microsoft Account as a co-administrator. I'm told that when I add a co-administrator, it gets added to my subscription's default AD as a Guest user. What I really want to accomplish is change the user type from Guest to Member. For this, I am advised to use Azure AD PowerShell and this is where I am struggling.
I've already installed related PS Modules (based on this link: https://msdn.microsoft.com/en-us/library/azure/jj151815.aspx).
So here's what I am doing:
First, this is the command I am issuing:
$msolcred = get-credential
I get prompted for entering my credentials which I provide and then I run the following command:
connect-msolservice -credential $msolcred
When I do this, I get the following error:
connect-msolservice : The user name or password is incorrect. Verify your user name, and then type your password again.
At line:1 char:1
+ connect-msolservice -Credential $cred -Verbose
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OperationStopped: (:) [Connect-MsolService], MicrosoftOnlineException
+ FullyQualifiedErrorId : 0x80048821,Microsoft.Online.Administration.Automation.ConnectMsolService
I even tried putting the username as domainname.onmicrosoft.com\username but still get the same result.
So my questions are:
Is it even possible to connect to Azure AD via PowerShell using Microsoft Account?
If it is possible, then how should I specify the username? I have tried both username as well as domainname\username and I got the same error.
If it is not possible, then what's the alternate solution? Should I just create a user in that AD and put that user in a role that has permission to manage users (as this is what I want to do)?
Any insights regarding this would be highly appreciated.
(Updated 2018-04-23 to clarify how to do this with AzureAD (v2) module.)
The AzureAD (v2) PowerShell module accepts the -TenantId parameter in Connect-AzureAD, which can be either the Guid tenant ID, or any verified domain name in the Azure AD tenant. Doing so will allow you to sign in using an external account (e.g. your personal Microsoft account, or a work or school account from another Azure AD tenant, as long as this account was previously invited into the tenant):
Connect-AzureAD -TenantId "contoso.com"
The MSOnline (v1) module does not have an equivalent parameter, but it does accept -AdGraphAccessToken and -MsGraphAccessToken, which are access tokens to the Azure AD Graph API (https://graph.windows.net) and the Microsoft Graph API (https://graph.microsoft.com), respectively. Though you can use ADAL (for example) to obtain these access tokens for your specific tenant (which allows you to use external users), it's probably simpler to just create a "local" account in your Azure AD tenant for this.
Signing in to AAD PowerShell with a Microsoft Account is not currently supported. Your approach (make a new user that is "native" to the directory) is the way to go.
For those that run across this question in the future, the previous answer still appears to be correct. Basically, you have to create a new account that is native to the directory. This account can be used to login when running connect-msolservice in PowerShell, and then you can run set-msoluser to convert the user from "Guest" to "Member".
The following blog post has detailed step-by-step directions to do this. Note that you need to follow the Appendix first if your Global Admin account is not a work or school account. Also, I've added a few important details in the Comments section of the blog post.
https://blogs.msdn.microsoft.com/dstfs/2015/12/23/issues-with-azure-active-directory-guest-users-in-aad-backed-visual-studio-team-services-accounts/
For reference, a similar problem and resolution using set-msoluser can be found in this forum post:
https://social.msdn.microsoft.com/Forums/azure/en-US/469baa2d-7ff1-4e17-a8f0-f257cbdbf50b/cannot-see-the-active-directory-item-in-the-azure-portal?forum=WindowsAzureAD
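The tenant-scoped sign-in from the first answer, followed by the Guest-to-Member conversion the later answer describes with set-msoluser, as one added example (not code from any of the answers). It assumes the AzureAD (v2) module, a signed-in account holding a role that may edit users, and placeholder tenant and UPN values.

```powershell
# Added example, not from the original answers. Assumes the AzureAD (v2) module is
# installed and the signed-in account holds a directory role allowed to edit users.
Import-Module AzureAD

$TenantId = 'contoso.onmicrosoft.com'   # placeholder: Guid or any verified domain of the target tenant
$GuestUpn = 'alice_outlook.com#EXT#@contoso.onmicrosoft.com'   # placeholder guest UPN

# Tenant-scoped interactive sign-in: this is what lets an invited external account work.
Connect-AzureAD -TenantId $TenantId | Out-Null

# Confirm which tenant we are acting in before changing anything.
$session = Get-AzureADCurrentSessionInfo
Write-Host "Signed in to $($session.TenantDomain) as $($session.Account.Id)"

# Look the guest up and verify its current type rather than assuming it.
try   { $user = Get-AzureADUser -ObjectId $GuestUpn -ErrorAction Stop }
catch { throw "User $GuestUpn was not found in tenant $TenantId" }

if ($user.UserType -ne 'Guest') {
    Write-Host "$GuestUpn is already a $($user.UserType); nothing to do."
    return
}

# Promote to Member. Members can enumerate the directory where guests are restricted by
# default, so treat this as a deliberate, reviewed change to that account's access.
Set-AzureADUser -ObjectId $user.ObjectId -UserType 'Member'

# Re-read and confirm the change took effect.
$after = Get-AzureADUser -ObjectId $user.ObjectId
Write-Host "$($after.UserPrincipalName) is now UserType=$($after.UserType)"

# MSOnline (v1) equivalent, once signed in with a native account via Connect-MsolService:
#   Set-MsolUser -UserPrincipalName $GuestUpn -UserType Member
```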
Related
I am working with PowerShell. So we can connect MFA enabled O365 through connect-exopssession but we need to manually enter password and Code sent to mobile. But I want to schedule a solution which has to connect to O365 automatically without any manual intervention in MFA enabled O365. Is there any solution which can bypass MFA without disabling MFA in O365.
The only way to do this is to setup an account that is dedicated for these types of tasks and remove MFA for it, or use Conditional Access to bypass MFA when connecting from your Public IP etc. Just make sure that you secure this account as much as possible.
To create non-interactive scripts, you need EXO V2 PowerShell module version 2.0.3 preview or later version. This unattended script authentication uses Azure AD applications, certificates, and Modern authentication.
Connect to Exchange Online PowerShell with existing service principal and client-secret:
To connect Exchange online with existing service principal and client-secret, you need to follow the steps below.
Step 1: Get an OAuth access token using Active Directory Authentication Library (ADAL) PowerShell.
Step 2: Create a PSCredential object (the constructor requires a SecureString in the password slot, so the token is converted first):
$AppCredential = New-Object System.Management.Automation.PSCredential('<UPN>', (ConvertTo-SecureString '<Token>' -AsPlainText -Force))
Step 3: Pass the PSCredential to the EXO V2 module.
Connect-ExchangeOnline -Credential $AppCredential
For more information please read https://learn.microsoft.com/en-us/powershell/exchange/app-only-auth-powershell-v2?view=exchange-ps#setup-app-only-authentication
Use App passwords. App passwords do not need MFA.
From docs:
An app password is a code that gives an app or device permission to access your Office 365 account. If your admin has turned on multi-factor authentication for your organization, and you're using apps that connect to your Office 365 account, you'll need to generate an app password, so the app can connect to Office 365.
Read more and how to in MS Docs here:
While connecting the tenant's Azure AD from my partner center account/Delegated account, I'm getting below error.
Connect-AzureAD: One or more errors occurred.: AADSTS50076: Due to a configuration
change made by your administrator, or because you moved to a new location, you must
use multi-factor authentication to access 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXX'.
I'm doing some automation task but this error unable to make me connect to tenant's Azure AD:
Connect-AzureAD -Credential $cred -TenantId $id
$cred: Credential of my DA account
$id: tenant's ID to which I have to connect.
Please help..........
Try using interactive authentication, it'll allow you to go through MFA:
Connect-AzureAD -TenantId $id
Sounds like you are trying to pass username and password and by extension, using the ROPC flow.
It won't work if MFA is required.
You need to go through interactive authentication.
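Added example (not from the original answers) of what the two answers above recommend: attempt the credential-based (ROPC) sign-in, recognise the AADSTS50076 MFA requirement, and fall back to interactive sign-in. It assumes the AzureAD module and the $cred / $id variables from the question.

```powershell
# Added example, not from the original answers. Assumes the AzureAD module; $cred and $id
# are the DA account credential and target tenant ID from the question.
Import-Module AzureAD

function Connect-TenantAad {
    param(
        [Parameter(Mandatory)] [string] $TenantId,
        [System.Management.Automation.PSCredential] $Credential
    )
    if ($Credential) {
        try {
            # Username + password is the ROPC flow: it cannot satisfy an MFA or
            # Conditional Access requirement, so expect it to fail for such accounts.
            return Connect-AzureAD -TenantId $TenantId -Credential $Credential -ErrorAction Stop
        }
        catch {
            $msg = $_.Exception.Message
            if ($_.Exception.InnerException) { $msg += ' ' + $_.Exception.InnerException.Message }
            if ($msg -notmatch 'AADSTS50076') {
                throw   # any other failure (bad password, wrong tenant, ...) is surfaced unchanged
            }
            Write-Warning "MFA is required for $($Credential.UserName) in $TenantId; switching to interactive sign-in."
        }
    }
    # Interactive sign-in completes the MFA challenge. -AccountId only pre-fills the
    # username so the intended account is used; no secret is passed.
    $params = @{ TenantId = $TenantId }
    if ($Credential) { $params['AccountId'] = $Credential.UserName }
    return Connect-AzureAD @params
}

# Usage mirroring the question's variables:
# $session = Connect-TenantAad -TenantId $id -Credential $cred
```

For a job that must run with no human present, the interactive fallback is not a fix; the app-only (service principal plus certificate) approach from the Exchange Online answers above is the pattern that avoids both stored passwords and MFA prompts.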
Is it possible to connect to exchange powershell online using registered Azure application ID/secret which allows GraphAPI/EWS access?
FYI, I know how to do it with basic auth (username/password) as guided in MSFT website: https://learn.microsoft.com/en-us/powershell/exchange/exchange-online/connect-to-exchange-online-powershell/connect-to-exchange-online-powershell?view=exchange-ps
It is currently possible to use the Microsoft Graph API to make calls to the Exchange endpoint. However, it's not the same thing as Exchange Online PowerShell; please refer to the docs on the Exchange Graph API here: https://learn.microsoft.com/en-us/exchange/client-developer/exchange-web-services/office-365-rest-apis-for-mail-calendars-and-contacts
For more information on how to make calls via PowerShell, please look here: https://blogs.technet.microsoft.com/cloudlojik/2018/06/29/connecting-to-microsoft-graph-with-a-native-app-using-powershell/
You will also need to log in with a user that has access to said Exchange resources. If you log in with an application/user that does not have permissions to access the Exchange resources, you will get an access denied error.
I'd suggest trying the EXO V2 preview module to connect to Exchange Online PowerShell using a registered Azure application.
Step 1: Get an OAuth access token using Active Directory Authentication Library (ADAL) PowerShell.
Step 2: Create a PSCredential object (the constructor requires a SecureString in the password slot, so the token is converted first):
$AppCredential = New-Object System.Management.Automation.PSCredential('<UPN>', (ConvertTo-SecureString '<Token>' -AsPlainText -Force))
Step 3: Pass the PSCredential to the EXO V2 module.
Connect-ExchangeOnline -Credential $AppCredential
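The three-step app-only connection given here and in the earlier MFA answer, as one added example (not code from the answers or from Microsoft's docs). It assumes the EXO V2 module version 2.0.3 or later, an app registration prepared per the linked Microsoft doc, placeholder tenant, app ID and thumbprint values, and that the token is requested from the v2.0 token endpoint rather than through ADAL; the username slot in the PSCredential and the scope string are assumptions.

```powershell
# Added example, not from the original answers. Assumes EXO V2 module >= 2.0.3 and an app
# registration set up per the linked Microsoft doc (Exchange.ManageAsApp + an Exchange
# admin role). Tenant, app ID, thumbprint and the username slot are placeholders/assumptions.
Import-Module ExchangeOnlineManagement

$TenantName     = 'contoso.onmicrosoft.com'                # placeholder
$AppId          = '00000000-0000-0000-0000-000000000000'   # placeholder app (client) ID
$CertThumbprint = 'PLACEHOLDER_THUMBPRINT'
$UseCertificate = $true

if ($UseCertificate) {
    # Preferred for unattended jobs: the private key stays in the certificate store and no
    # reusable secret is written into the script or a scheduler's arguments.
    Connect-ExchangeOnline -AppId $AppId -CertificateThumbprint $CertThumbprint -Organization $TenantName
}
else {
    # The three steps above, done by hand. The client-credentials grant is requested from the
    # v2.0 token endpoint instead of via ADAL (assumption: the scope below is the one Exchange
    # Online app-only access expects).
    function Get-ExoAppToken {
        param([string] $Tenant, [string] $ClientId, [securestring] $ClientSecret)
        $plain = [System.Net.NetworkCredential]::new('', $ClientSecret).Password
        $body  = @{
            grant_type    = 'client_credentials'
            client_id     = $ClientId
            client_secret = $plain
            scope         = 'https://outlook.office365.com/.default'
        }
        $resp = Invoke-RestMethod -Method Post -Body $body `
                -Uri "https://login.microsoftonline.com/$Tenant/oauth2/v2.0/token"
        return $resp.access_token
    }

    # Take the secret from a prompt or a secrets store, never from a literal in the file.
    $secret = Read-Host -Prompt 'Client secret' -AsSecureString
    $token  = Get-ExoAppToken -Tenant $TenantName -ClientId $AppId -ClientSecret $secret

    # PSCredential needs a SecureString in the password slot; the access token goes there.
    $AppCredential = New-Object System.Management.Automation.PSCredential(
        "$AppId@$TenantName", (ConvertTo-SecureString $token -AsPlainText -Force))
    Connect-ExchangeOnline -Credential $AppCredential
}

# Prove the app-only session works, then release it (concurrent sessions are limited).
Get-EXOMailbox -ResultSize 5 | Select-Object DisplayName, PrimarySmtpAddress
Disconnect-ExchangeOnline -Confirm:$false
```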
I'm trying to create a new Azure AD user via PowerShell.
I created a global admin in the portal:
I run Connect-MsolService without any issues.
However, running New-MsolUser -UserPrincipalName ... fails with insufficient permissions:
Any idea what is the issue?
If the login account for Connect-MsolService doesn't have sufficient permissions, for example, the account only has common user permissions, you might encounter the insufficient permissions problem.
However, if you create an account with Global administrator privileges in either the new portal or the classic portal, and use this account to log in with Connect-MsolService, then you can create a new user by using the command 'New-MsolUser' successfully. Also, please note that for the parameter '-UserPrincipalName', you must use the initial domain name as the suffix, i.e. 'xxxxxx.onmicrosoft.com', or a custom domain verified in Azure AD.
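An added example (not from the answer) that checks the two conditions the answer names before calling New-MsolUser: that the admin account actually holds a user-management role, and that the UPN suffix is the initial domain or a verified custom domain. It assumes Connect-MsolService has already run and uses placeholder names; the role names are the internal MSOnline names.

```powershell
# Added example, not from the original answer. Assumes Connect-MsolService has already
# succeeded. $AdminUpn is the account used for that sign-in (placeholder).
Import-Module MSOnline

function New-MsolUserChecked {
    param(
        [Parameter(Mandatory)] [string] $AdminUpn,
        [Parameter(Mandatory)] [string] $UserPrincipalName,
        [Parameter(Mandatory)] [string] $DisplayName,
        [Parameter(Mandatory)] [string] $UsageLocation   # two-letter country code, needed before licensing
    )
    # 1. A plain member signs in fine but New-MsolUser then fails with insufficient
    #    permissions, so verify the role up front. 'Company Administrator' is MSOnline's
    #    internal name for Global Administrator.
    $allowedRoles = 'Company Administrator', 'User Account Administrator'
    $roles = Get-MsolUserRole -UserPrincipalName $AdminUpn | Select-Object -ExpandProperty Name
    if (-not ($roles | Where-Object { $allowedRoles -contains $_ })) {
        throw "$AdminUpn holds roles [$($roles -join ', ')]; none of them can create users."
    }

    # 2. The suffix must be the initial *.onmicrosoft.com domain or a verified custom domain.
    $suffix   = $UserPrincipalName.Split('@')[-1]
    $verified = Get-MsolDomain | Where-Object { $_.Status -eq 'Verified' } |
                Select-Object -ExpandProperty Name
    if ($verified -notcontains $suffix) {
        throw "UPN suffix '$suffix' is not verified in this tenant. Verified domains: $($verified -join ', ')"
    }

    # 3. Create the user. Without -Password a temporary one is generated and returned in the
    #    output object; hand it over out of band and do not write it to logs.
    return New-MsolUser -UserPrincipalName $UserPrincipalName -DisplayName $DisplayName `
                        -UsageLocation $UsageLocation -ForceChangePassword $true
}

# Example call with placeholder values:
# New-MsolUserChecked -AdminUpn 'admin@contoso.onmicrosoft.com' `
#     -UserPrincipalName 'jdoe@contoso.onmicrosoft.com' -DisplayName 'J. Doe' -UsageLocation 'US'
```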
Currently, there are two PowerShell modules for Azure AD: AzureAD and MSOnline.
MSOnline is the old module, which can still provide functionality that is not yet available in the AzureAD module. In future, the older MSOnline module will be deprecated when all of the functionality has been migrated to the newer module - AzureAD.
Therefore, it's encouraged to use the newer AzureAD module.
More details about Azure AD PowerShell, please refer to the following documentation.
https://learn.microsoft.com/en-us/powershell/azure/overview?view=azureadps-2.0
I am trying to login to Azure AD using PowerShell with a co-administrator account. I use Connect-MsolService and I get in but I can't see any subscriptions when I use Get-AzureSubscription. At the same time, I can login in the portal (both old and new) using that account and I see it there. The issue is I need to do some things that both portals do not let me do.
Is there an issue if I created the subscription using a Microsoft account on outlook.com? Am I missing something?
Just to add to the discussion, if you're not a direct owner of the subscriptions (but have an admin role for the whole or part of the Azure infrastructure) you can use the following cmdlets to get all subscriptions and switch between them:
Get-AzureRmSubscription
Select-AzureRmSubscription -SubscriptionName "subscription_name"
https://learn.microsoft.com/en-us/powershell/module/azurerm.profile/get-azurermsubscription?view=azurermps-5.0.0
This lists the available subscriptions for co-admins and contributors and can be used in Azure resource management scripts if you do not directly own the subscription but have sufficient privileges to access the resources.
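An added example (not from the answer) that signs in to a specific tenant, lists every subscription the account can see alongside the RBAC or classic-administrator role that makes it visible, and selects one by name with a clear error when it is not there. It assumes the AzureRM.Profile and AzureRM.Resources modules from the linked reference; names are placeholders.

```powershell
# Added example, not from the original answer. Assumes the AzureRM modules (AzureRM.Profile,
# AzureRM.Resources). A Microsoft account can belong to several tenants, so the tenant is
# given explicitly (placeholder value) instead of relying on the default.
Import-Module AzureRM.Profile
Import-Module AzureRM.Resources

$TenantId = 'contoso.onmicrosoft.com'              # placeholder: tenant Guid or domain
$account  = Login-AzureRmAccount -TenantId $TenantId   # interactive sign-in dialogue
$me       = $account.Context.Account.Id

# Every subscription visible to this identity, with the role that grants the visibility.
# Classic co-administrators appear only when -IncludeClassicAdministrators is set.
function Get-MySubscriptionRoles {
    foreach ($sub in Get-AzureRmSubscription) {
        Select-AzureRmSubscription -SubscriptionId $sub.Id | Out-Null
        $roles = Get-AzureRmRoleAssignment -IncludeClassicAdministrators |
                 Where-Object { $_.SignInName -eq $me } |
                 Select-Object -ExpandProperty RoleDefinitionName -Unique
        [pscustomobject]@{ Subscription = $sub.Name; Id = $sub.Id; Roles = ($roles -join ', ') }
    }
}

# Select by name, failing loudly instead of silently staying on the wrong subscription.
function Select-SubscriptionByName {
    param([Parameter(Mandatory)] [string] $Name)
    $match = Get-AzureRmSubscription | Where-Object { $_.Name -eq $Name }
    if (-not $match) {
        throw "No subscription named '$Name' is visible to $me in tenant $TenantId; check role assignments and the tenant."
    }
    Select-AzureRmSubscription -SubscriptionId $match.Id
}

Get-MySubscriptionRoles | Format-Table -AutoSize
# Select-SubscriptionByName -Name 'subscription_name'
```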
Do you get a sign-in dialogue when you run Add-AzureAccount from PowerShell?
Can you then Get-AzureSubscription after that?
These guides might help in ensuring all the basics work:
https://redmondmag.com/articles/2016/01/25/connect-to-microsoft-azure-with-powershell.aspx
https://azure.microsoft.com/en-gb/documentation/articles/powershell-install-configure/
Update:
What are you trying to do after?
If you want to switch subscriptions, does the following work?:
Switch-AzureMode -Name AzureResourceManager
Get-AzureSubscription
Ref:
https://msdn.microsoft.com/en-us/library/azure/dn931949.aspx