How to use Microsoft (not Organizational) account with Add-AzureAccount? - powershell

I'm trying to use the Add-AzureAccount command that's part of the Azure PowerShell tools (August 2014, v0.8.6), and although various examples on the web lead me to expect that it will let me use either an organizational account or a Microsoft Account to log in, in practice, it seems to be requiring an organizational account.
When I execute the command, it opens a hosted browser window as expected, but the prompt says "Sign in with your organizational account" followed by a username and password. There seems to be no way to tell it that no, I actually need to use a Microsoft Account.
(As it happens, my email address is associated with both an organizational account, and also a Microsoft Account. This may not be helping.)
I could create a completely separate organizational account in an Azure Active Directory, make that a co-admin, and log in with that, but it seems like this shouldn't be necessary.
Is there some way to force it to offer me both options?

I was able to resolve this problem through trial-and-error. As Paul points out in his post, you can load your subscription info into PowerShell using the following sequence:
1. Get-AzurePublishSettingsFile
This will open a browser to a special page that lets you download your profile settings file.
Note: If you have multiple subscriptions, you must use the dropdown to select the one that contains the Azure components you want to manage. For instance, I have a BizSpark subscription that I use for my own company, and a separate MSDN subscription that my clients use (adding me as an administrator). Both subscriptions show up on my management portal page, so I needed to download 2 separate publishsettings files.
2. Import-AzurePublishSettingsFile my-subscription.publishsettings
In my case, I renamed the settings files to "BizSpark.publishsettings" and "MSDN.publishsettings", so I ran this command twice.
3. Get-AzureSubscription
This will list all of the subscriptions that have been imported into PowerShell, showing the subscription name and the other properties.
4. Select-AzureSubscription -SubscriptionName "my-subscription"
You can now use the subscription name to select the subscription you want to use. This allows you to switch back and forth between subscriptions and work with the Azure components you need to manage.
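As an added example (not part of the answer above, nor Microsoft's own tooling), here is a small Python parser for the .publishsettings files the steps import. It lets you see which subscriptions a downloaded file covers before running Import-AzurePublishSettingsFile, and it makes visible why the file must be treated as a credential rather than as configuration. It assumes the SchemaVersion="2.0" layout, in which each Subscription element carries Id, Name and a base64-encoded ManagementCertificate attribute; the two-subscription file below is constructed for the example and mirrors the BizSpark/MSDN setup the answer describes, with dummy certificate bytes.

```python
"""Added example: inspect Azure .publishsettings files offline.

Assumes the SchemaVersion="2.0" layout (Id, Name and a base64
ManagementCertificate attribute on each <Subscription>). The sample
below is constructed for this example; the certificates are dummy bytes.
"""
import base64
import xml.etree.ElementTree as ET

# Constructed sample standing in for the downloaded file(s).
SAMPLE_PUBLISHSETTINGS = """<?xml version="1.0" encoding="utf-8"?>
<PublishData>
  <PublishProfile SchemaVersion="2.0" PublishMethod="AzureServiceManagementAPI">
    <Subscription ServiceManagementUrl="https://management.core.windows.net"
                  Id="11111111-2222-3333-4444-555555555555"
                  Name="BizSpark"
                  ManagementCertificate="MIIBAAIBAQ==" />
    <Subscription ServiceManagementUrl="https://management.core.windows.net"
                  Id="66666666-7777-8888-9999-000000000000"
                  Name="MSDN"
                  ManagementCertificate="MIIBAAIBAg==" />
  </PublishProfile>
</PublishData>
"""


def parse_publishsettings(xml_text):
    """Return one dict per <Subscription> found in a publishsettings file."""
    data = xml_text.encode("utf-8") if isinstance(xml_text, str) else xml_text
    root = ET.fromstring(data)
    if root.tag != "PublishData":
        raise ValueError("not a publishsettings file (root is %r)" % root.tag)
    subs = []
    for profile in root.findall("PublishProfile"):
        version = profile.get("SchemaVersion")
        if version != "2.0":
            raise ValueError("unsupported SchemaVersion %r" % version)
        for sub in profile.findall("Subscription"):
            # ManagementCertificate is a base64 PKCS#12 blob (certificate plus
            # private key) that authenticates to the subscription's management
            # API. Anyone holding the file can manage the subscription, so
            # delete the file once it has been imported.
            cert = base64.b64decode(sub.get("ManagementCertificate") or "")
            subs.append({
                "id": sub.get("Id"),
                "name": sub.get("Name"),
                "endpoint": sub.get("ServiceManagementUrl"),
                "has_certificate": len(cert) > 0,
                "certificate_bytes": len(cert),
            })
    return subs


def merge_subscriptions(*files):
    """Combine several files (one per download, as in the answer) and reject
    duplicate Ids, which is what you get if a subscription is downloaded twice."""
    seen = {}
    for xml_text in files:
        for sub in parse_publishsettings(xml_text):
            if sub["id"] in seen:
                raise ValueError("subscription %s appears twice" % sub["id"])
            seen[sub["id"]] = sub
    return list(seen.values())


def select_subscription(subs, name):
    """Equivalent of Select-AzureSubscription -SubscriptionName: exact match."""
    matches = [s for s in subs if s["name"] == name]
    if len(matches) != 1:
        raise LookupError("expected exactly one subscription named %r, found %d"
                          % (name, len(matches)))
    return matches[0]


if __name__ == "__main__":
    subs = merge_subscriptions(SAMPLE_PUBLISHSETTINGS)
    for s in subs:
        flag = "certificate present" if s["has_certificate"] else "no certificate"
        print("%-10s %s  %s" % (s["name"], s["id"], flag))
    print("selected:", select_subscription(subs, "MSDN")["id"])
```

The exact-match rule in select_subscription mirrors the cmdlet: a name that matches zero or several subscriptions is an error rather than a silent first hit, which is the failure mode you want to catch before running anything against the wrong tenant.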

Use @outlook.com instead of the organizational address and you will be directed to the Microsoft Account login.

Azure can be signed up for with either a Microsoft Account or an Organizational Account. Add-AzureAccount will display a message like "Sign in with your organizational account" in the browser window, but if you actually type your Microsoft Account email address into the box and move focus out of it, the page redirects to the Microsoft Account sign-in page automatically, and then you can sign in.
Sometimes you may see an error like "The cache contains multiple tokens satisfying the requirements". You can try removing all the existing Azure accounts first and then signing in again.
To clean up, run Get-AzureAccount | Remove-AzureAccount.

I have a similar problem. Using Add-AzureAccount with my Microsoft Account results in my organizational account being added.
For example, I run Add-AzureAccount and in the form I type davideicardi@hotmail.com (my Microsoft account), but the resulting account is davide.icardi@mycompany.com (my organizational account).
I solved it by deleting all the Azure accounts registered in PowerShell (also the ones not related to my account, using Remove-AzureAccount), then deleting the IE cookies (not sure if this is important...), closing the PowerShell console and running Add-AzureAccount again.
I suspect that there is a bug somewhere...

Related

Locked out of GSuite Admin after domain verification

I have signed up for GSuite Essentials and attempted to upgrade to GSuite Enterprise. I only have a single email address, e.g. a@abc.com. I had already been using this account as a normal Google account (no Gmail though).
I couldn't get the admin console to show the upgrade option, but found I needed to verify my domain. So I added the TXT record to my domain abc.com, which then let me verify.
I could then log in to the admin console as a@abc.com, clicked on the upgrade option and completed the process. This then let my a@abc.com user have access to Gmail. I have not transferred any domain settings over to Google; that is all still externally hosted.
I can now no longer log in to the admin console; it says that my a@abc.com account doesn't have the rights and I need to log in as the administrator. There is no other account linked to the GSuite settings, so there is no other administrator. I can still log in to the normal Google account and do the same functions as previously.
I have now removed the TXT record, hoping that would cancel it out again.
How do I get access to the admin side again?
Side note: What I am mostly worried about is that I put my credit card details into the signup, but can't get into the admin page and can't contact any form of support. It is literally impossible to get support to use the service I paid for.
First things first: the TXT record is a string whose only purpose is to verify ownership of the domain, therefore deleting it won't change anything. You only need this record for the verification process, and once that is done you can delete it.
As an example, it is like a text message sent to your mobile phone: if you delete the message, nothing will happen, right?
I tell you this so you won't waste more time on the domain DNS zone settings, because the issue is not there and you won't solve the problem that way.
There are a few things that may have happened.
The first thing you should do is to open an Incognito window, make sure that it is the only Incognito window you have open, and log in with a@abc.com.
Try running different tests in Incognito; the issue really looks like you are logged in with multiple Google accounts, and when you go to admin.google.com it picks up the wrong one. That's why you should use Incognito.
EDIT
Use this link as reference: Here.
Follow the steps in the paragraph 'I'm taking control from another admin'; here are the steps:
1. Go to the G Suite Essentials sign-up page.
2. Sign up using your email address at the domain you're verifying. Use an address where you can get mail.
3. Follow the instructions in the Setup Wizard to become the admin who manages G Suite Essentials for all users at your organization.
If this didn't solve the issue then you should contact Google Support and they will tell you what happened.
The thing is that if you can't access the Google Admin console you won't be able to contact Google Support, hence you should follow this:
1. Can't sign in to the Admin console: https://support.google.com/a/answer/6335621?hl=en

Failed to add users to my organization in DevOps

I have a problem, and apparently it happens because I previously had my business account registered as a personal account with Microsoft. I have already deleted that account to keep only the business account, but now when I want to add the account to my organization in DevOps it does not allow me to add it; it tells me that there is an error and that's it, it does not add it to the organization.
I realized that DevOps tries to add the personal Microsoft account again and not the new one I have (Microsoft 365). I don't know how I can solve that; I would appreciate any help.
The question is also in the Developer Community at Microsoft: https://developercommunity.visualstudio.com/content/problem/1096647/no-puedo-unirme-a-una-organizacion-en-devops.html
Solved the issue with the steps below:
Sign out of the account and close the browser.
Ask your Project Collection Admins (PCA) to delete and re-add the account in the organization.
Don't click the email link or use the normal browser window to access the organization.
First, open an InPrivate/incognito browser window. Then access "https://dev.azure.com/TCI-Software" directly in the InPrivate/incognito browser window.

Automating SharePoint Online access for External Users through Flow/Azure

I'm quite new to SharePoint/Azure/PowerShell, so apologies if what I'm asking is a stupid question!
We currently have client SharePoint sites hosted on our O365 tenant, with access to each site to be rolled out to each of our respective clients shortly. Initially, only the senior management of each client will have access to the sites; however, as time goes on it's likely we'll be adding everyone else too. To streamline the new user process and save us from having to add each individual staff member, we've been considering using a Flow to automate user access instead, with the goal of adding authenticated external users without much real input from administrators other than a simple approval/rejection process.
The overall plan is as follows:
[Image: Visio Outline]
1. Each client site has a SharePoint custom list titled "Employee Access List". Said list will have the following columns: Request ID (Text), First Name (Text), Last Name (Text), Job Title (Text), Company (Text), Contact Number (Text), E-Mail (Text), SharePoint Access (Yes/No Boolean).
2. If a member of staff requires access to the SharePoint site, then their respective manager will add the staff member to the list and fill in all the above fields, setting the "SharePoint Access" item value to "Yes".
3. This will trigger the Flow and an approval email to be sent to myself and another administrator, with said email detailing the user to be created and who has submitted the request.
4. Script insertion somehow - this would then run if the request was approved, and set the user up with access.
5. An email notification is then automatically sent to the creator of the SharePoint list item, notifying them that the user now has access.
Step 4 is where I'm a little stuck regarding what to do if the request is approved. I've written a little PowerShell script below which nearly achieves what I'm going for: it creates an external user PnP group and PnP role definition (if there isn't one already), pulls what's in the "E-Mail" fields on the "Employee Access" list and runs Add-PnPUserToGroup to add the users to the PnP group, which then sends the users an email with a link to the SharePoint site, allowing them to access it. However:
The script I've written targets everyone on the SharePoint list, whereas ideally I would just want the script to target the sole user that's been newly added to the list/is listed in the approval email, and only them. I'm assuming that I'd have to pipe information from the Flow into a script, which I'm not even sure is possible, and if it is, I haven't got a clue how to do it.
I know that Azure Functions and Azure Automation can be used to insert scripts into Flows, but I don't have experience of either, so I'm not sure which is the more suitable option. Is there any guidance on how to insert PowerShell scripts with them, and how to pipe what's in a Flow into said scripts?
PowerShell Script as follows:
Hope this all makes sense - Any guidance would be appreciated.
Thank you!
EDIT:
Just as a bit of extra information, here is the Flow as it currently is:
[Images: Flow Part 1, Flow Part 2, Flow Part 3]
Have since found an answer to the above: whilst Azure Functions/Automation are an option, you don't necessarily need them or PowerShell scripts running from Flow. In this case my goal scenario was achieved using the MS Graph Invitation API, app permissions and an HTTP SharePoint call instead.
See attached screenshots:
[Images: Flow Answer 1, Flow Answer 2, Flow Answer 3]
Step 1: Set up an App with permissions to make calls to MS Graph - use this guide for help on how to do so - http://blogopaxio.azurewebsites.net/accessing-graph-api-from-microsoft-flow-using-application-permissions-2/
Step 2: Add an HTTP action to MS Graph and set the parameters as in screenshot 1 of this post. This action will create the guest user and the invitation URL the user needs in order to sign in to the site.
Step 3: At this point, run the flow so that we can get the 'inviteRedeemURL' from the body of the output of the HTTP step. You will need this particular URL to send separately in your email to the end user.
Step 4: Throw in a pause for a minute or two just to make sure that the information from the previous actions 'sticks'. Provided it all works, at this point the user will actually have their guest account created and you'll be able to see them under Users in your O365 admin centre; however, they won't be aware of their account access yet (we'll notify them of this in our email at the end).
Step 5: Add the user to SharePoint security group with a "Send HTTP Request to SharePoint" action. Please note that the "sitegroups(19)" in the URI of this action refers to the ID number of the PnP group you're putting them in, so in my case the group ID was 19. If you're unsure of the ID of your group, connect to your SharePoint Site through PowerShell with PnP commands, then run Get-PnPGroup.
Step 6: Send the email to the invited user with the Outlook Send Email action - FYI -the "SharePoint Site" variable in my screenshot is actually the "inviteRedeemURL".
Hope this helps anyone else that's unsure of how to do this. If anyone has a better solution that achieves this by all means post it!
Thanks!
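The Graph and SharePoint calls that steps 2, 3 and 5 above make from Flow, written out in Python as an added example (it is not the answer's own Flow definition or the contents of its screenshots), so the request and response shapes can be checked offline and the points a defender cares about are explicit. It assumes: the app registration from step 1 holds the User.Invite.All application permission and the Flow calls POST https://graph.microsoft.com/v1.0/invitations; the SharePoint action posts to the site's /_api/web/sitegroups(<id>)/users endpoint with the numeric group id from Get-PnPGroup; and the claims-encoded LoginName form i:0#.f|membership|<email> is what that endpoint accepts for the guest (an assumption; check the exact form with Get-PnPUser on your site, as external accounts can differ). The Graph response below is a constructed sample, not real output.

```python
"""Added example: the Graph invitation and SharePoint site-group requests
behind the Flow, plus checks on the invitation response before its redeem
URL is mailed out. Assumptions are listed in the lead-in; the response
JSON is constructed for this example.
"""
import json
from urllib.parse import urlparse

GRAPH_INVITATIONS = "https://graph.microsoft.com/v1.0/invitations"

# Constructed sample of what POST /invitations returns (not real Graph output).
SAMPLE_GRAPH_RESPONSE = json.dumps({
    "id": "00000000-0000-0000-0000-000000000001",
    "inviteRedeemUrl": "https://login.microsoftonline.com/redeem?rd=EXAMPLE-TOKEN",
    "inviteRedirectUrl": "https://contoso.sharepoint.com/sites/client",
    "invitedUserEmailAddress": "jane.doe@client.example",
    "sendInvitationMessage": False,
    "status": "PendingAcceptance",
    "invitedUser": {"id": "00000000-0000-0000-0000-0000000000aa"},
})


def build_invitation(email, site_url):
    """Step 2: describe the Graph invitation call (body kept as a dict)."""
    if email.count("@") != 1 or any(c.isspace() for c in email):
        raise ValueError("not a single email address: %r" % email)
    if urlparse(site_url).scheme != "https":
        raise ValueError("inviteRedirectUrl must be https")
    return {
        "method": "POST",
        "url": GRAPH_INVITATIONS,
        "headers": {"Content-Type": "application/json"},
        "body": {
            "invitedUserEmailAddress": email,
            "inviteRedirectUrl": site_url,
            # The Flow sends its own mail in step 6, so Graph must not.
            "sendInvitationMessage": False,
        },
    }


def extract_redeem_url(response_text, expected_email):
    """Step 3: pull inviteRedeemUrl and the guest's object id out of the
    response. The redeem URL is a bearer capability (whoever has it can
    redeem the invitation), so refuse anything that is not a pending https
    invitation for the address we actually asked for."""
    data = json.loads(response_text)
    if data.get("status") != "PendingAcceptance":
        raise ValueError("unexpected invitation status %r" % data.get("status"))
    if data.get("invitedUserEmailAddress", "").lower() != expected_email.lower():
        raise ValueError("invitation is for a different address than requested")
    url = data["inviteRedeemUrl"]
    parts = urlparse(url)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("redeem URL is not an absolute https link")
    # Tightening this to an allow-list of the hosts your tenant returns is a
    # sensible next step once you have seen real responses.
    return url, data["invitedUser"]["id"]


def build_sitegroup_add(site_url, group_id, email):
    """Step 5: SharePoint REST call adding the guest to a site group.
    group_id is the number from Get-PnPGroup (19 in the answer). The Flow's
    "Send an HTTP request to SharePoint" action supplies authentication and
    the request digest itself; a direct caller has to add both."""
    if isinstance(group_id, bool) or not isinstance(group_id, int) or group_id <= 0:
        raise ValueError("group_id must be a positive integer")
    login_name = "i:0#.f|membership|" + email  # assumed claims-encoded form
    return {
        "method": "POST",
        "url": "%s/_api/web/sitegroups(%d)/users" % (site_url.rstrip("/"), group_id),
        "headers": {
            "Accept": "application/json;odata=verbose",
            "Content-Type": "application/json;odata=verbose",
        },
        "body": {"__metadata": {"type": "SP.User"}, "LoginName": login_name},
    }


def plan_onboarding(email, site_url, group_id, graph_response_text):
    """Chain the three steps the way the Flow does and return what the
    step 6 email action needs, together with the SharePoint request."""
    invite = build_invitation(email, site_url)
    redeem_url, guest_id = extract_redeem_url(graph_response_text, email)
    sp_request = build_sitegroup_add(site_url, group_id, email)
    return {"invite": invite, "redeem_url": redeem_url,
            "guest_id": guest_id, "sharepoint": sp_request}


if __name__ == "__main__":
    plan = plan_onboarding("jane.doe@client.example",
                           "https://contoso.sharepoint.com/sites/client", 19,
                           SAMPLE_GRAPH_RESPONSE)
    print(json.dumps(plan, indent=2))
```

The address check in extract_redeem_url is the piece most worth keeping when you wire this into Flow: the redeem URL grants access to whoever opens it, so the email action should only ever send it to the address the invitation was created for, and User.Invite.All is the narrowest application permission that lets the app create invitations at all.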

Associate personal VSTS to an Organisation

When I created my VSTS account, I mistakenly chose Personal instead of Work, School... (as you can see in the picture).
Now I need to associate it with my organisation account. I searched a lot and couldn't find anything useful.
Please guide me to solve this problem.
Sorry, you can't associate a personal VSTS account with an Organisation. Although both identities use the same email address, they're still separate identities with different profiles, security settings, and permissions.
Please see the Q&A below:
Why must I choose between a "work or school account" and my "personal account"?
Choose Work or school account if you want to use your organization's directory to authenticate VSTS users and to control VSTS account access. This limits access to members in your organization's directory. All other users must sign in with work or school accounts too.
Choose Personal account if you want to use your Microsoft account with VSTS. All other users must sign in with Microsoft accounts too.
If you find the pop-up annoying, you could just follow the link to rename your personal Microsoft account.
If you are worried about subscribers:
Within the Visual Studio subscriber portal, you may be able to add an alternate identity, in addition to the identity you used during activation. Today we allow you to add an alternate identity if you used a Microsoft account to activate your subscription. This way you can also add a work or school account (which you use when logging into Visual Studio, Office 365, or your corporate or school network), allowing you to access VSTS using both your personal account and your work or school account.
For detailed steps please take a look at: How to add an alternate identity to your Visual Studio subscription
If you can't sign in when choosing either, please see: Why can't I sign in after I choose either "personal Microsoft account" or "work or school account"?
Check this link to associate your personal account with an organization account.
https://learn.microsoft.com/en-us/vsts/release-notes/2018/mar-05-vsts#subscriptions

Add users groups in Azure subscription using portal

I was trying to follow this tutorial from the official Microsoft Docs in order to give a specific user group a role.
https://learn.microsoft.com/en-us/azure/active-directory/role-based-access-control-configure
I want that role to be applied at subscription level. First, the screenshots are outdated and do not represent the current portal. Second, the current portal seems to be unable to find the user groups through the search.
After searching and changing a lot of things I realized that the issue wasn't with my actions but with the Azure portal. I gave up on the portal and started trying PowerShell, and it works as expected.
https://learn.microsoft.com/en-us/azure/active-directory/role-based-access-control-manage-access-powershell
Therefore, save your time and use PowerShell instead of the portal if you want to assign a role to a user group. Note that there is no separate command for subscription-level access; you need to modify the one for Resource Groups slightly and add -Scope. Your final command should be this:
New-AzureRmRoleAssignment -ObjectId $userGroupId -RoleDefinitionName 'Reader' -Scope '/subscriptions/{Change_To_Subscription_ID}'