Is there a way to get the primary domain name using Azure Cli az ad command
There is no direct command to get Primary domain using Azure CLI.
Alternatively, you can make use of either Microsoft Graph Explorer or PowerShell like below:
In my Azure Portal, my Primary domain looks like this:
Using Microsoft Graph Explorer, you can run query like below:
GET https://graph.microsoft.com/v1.0/domains?$select=id
Response:
You can run the above query in Azure CLI using az rest method like below:
az rest --method get --url 'https://graph.microsoft.com/v1.0/domains?$select=id'
Response:
Using PowerShell, you can run command like below:
Connect-AzureAD
Get-AzureADDomain
Response:
References:
List domains - Microsoft Graph v1.0 | Microsoft Docs
Get-AzureADDomain (AzureAD) | Microsoft Docs
Related
is there a way to know using Advanced Hunting queries(KQL) whether a user logged in using certificate based authentication?
do we see these kind of data in AAdSignInEventsBeta?
Please follow the below steps to get the certificate-based authentication logs in Azure AD with KQL:
Create Log Analytics workspaces, like below.
Go to Azure Portal > Log Analytics workspaces > Create Log Analytics workspace.
Once create the Log Analytics workspaces, send all Azure AD Sign-in logs to Log Analytics workspaces, like below.
Go to **Azure Portal > Azure Active Directory > Diagnostic settings > Add diagnostic setting. **
Check the Azure AD sign-in logs, like below.
Open your Log Analytics workspaces > Logs.
Run the below KQL query to get the Azure AD sign-in logs.
SigninLogs
| where Category == "AuthenticationLogs"
| where Method == "Certificate"
Reference:
Analyze activity logs using Azure Monitor logs - Microsoft Entra | Microsoft Learn.
How can I find the credentials for this?
Please see image below.
I Tried to reproduce the same in my environment to connect using GMSA
First install ACTIVE DIRECTORY DOMAIN SERVICES and create service account for windows server using the below powershell.
Before executing the powershell script, kindly create one Security name GMSA-Test
PrincipalsAllowedToRetrieveManagedPassword is Security Group Name
Import-module ActiveDirectory
Add-KdsRootKey -EffectiveTime ((get-date).addhours(-10))
New-ADServiceAccount <youraccountname> -DNSHostName ITFarm1.contoso.com -PrincipalsAllowedToRetrieveManagedPassword <GMSA-Test> -KerberosEncryptionType RC4, AES128, AES256 -ServicePrincipalNames http/ITFarm1.contoso.com/contoso.com, http/ITFarm1.contoso.com/contoso, http/ITFarm1/contoso.com, http/ITFarm1/contoso
get-ADServiceAccount GMSAtest
Install ADServiceAccount using powershellon AAD Connect Server
Install-ADServiceAccount -Identity <youraccountname>
successfully created service account after ran the powershell commands.
Configure AAD connect with your Service Account.
Service Account Name: your domain\GMSAtest$
Password: PrincipalsAllowedToRetrieveManagedPassword
Reference: Using Azure AD Connect with a gMSA - The things that are better left unspoken (dirteam.com)
I'm getting ERROR: Insufficient privileges to complete the operation. when running az ad app permission add
What permission do I need to grant my service principal for this to work?
I gave it the AppRoleAssignment.ReadWrite.All permission which says:
Allows the app to manage permission grants for application permissions to any API (including Microsoft Graph) and application assignments for any app, on behalf of the signed-in user.
Update: I also gave it Application.ReadWrite.All, but still getting the error.
I also gave it Application.ReadWrite.All, but still getting the error.
The Application.ReadWrite.All Application permission is enough. I suppose you gave the Application.ReadWrite.All permission in Microsoft Graph, it will not work. You need to use the Application.ReadWrite.All in Azure AD Graph, then it will work.
After giving the permission, wait for a while, run the command, it returns a warning, refresh the portal, you will find the API permission was added.
Since the Microsoft graph API is not working with the Azure CLI AD App permissions and the Azure AD graph API is deprecated from 2020 April, this can be achieved by giving Application administrator permissions to the AD app.
From Azure AD go to Roles and administrator > Application administrator.
Then Add assignment, find your client app and add it to the application administrator.
az cli is getting updated to use MS Graph API according to: https://github.com/Azure/azure-cli/issues/12946#issuecomment-737196942
Presumably this update will occur before AAD Graph API is retired on 6/30/2022: https://github.com/azure-deprecation/dashboard/issues/178
Once az cli gets updated then Application.ReadWrite.All permission on MS Graph API should work.
There is a deprecation warning for the Azure AD Graph API as below.
This application is using Azure AD Graph API, which is on a deprecation path. Starting June 30th, 2020 we will no longer add any new features to Azure AD Graph API. We strongly recommend that you upgrade your application to use Microsoft Graph API instead of Azure AD Graph API to access Azure Active Directory resources
Also it seems the Microsoft Graph API is not working even though the relevant permissions are not provided.
I have a working script via https://learn.microsoft.com/en-us/sql/relational-databases/security/encryption/configure-always-encrypted-keys-using-powershell (KeyVault + SQL Azure setup), in "Step 6. Authenticate to Azure, if your column master key is stored in Azure Key Vault.", I run PS "Add-SqlAzureAuthenticationContext -Interactive", but this will pop a dialog connect to Azure US,not Azure CN.
I browsed cmdlet doc, cannot see anything setting environment parameter, how can I let the cmdlet connect to AzureCN?
Thanks,
Cheng
Context
I am co-admin of an Azure subscription.
I created Azure active directory in the same.
I started the Azure Powershell.
Azure account was added successfully.
Problem
But, when I fire the command "Get-AzureADUser", it fails to provide the needed.
Also, when I tried with putting proper input like valid objectID, It did not return any value.
Question
To what Azure AD does the Azure Powershell command "Get-AzureADUser" establishes connection with?
"Get-AzureADUser" command works with AzureResourceManager mode.
It calls the "Default directory" of the Azure subscription.
It can only be authenticated with the credentials of Service Administrator of that
subscription.
It works fine if the above mentioned are followed.