I have a requirement to get RBAC Roles from subscription using PowerShell. I'm trying to run Get-AzRoleAssignment using an AAD App Registration. I am able to connect to subscription but unable to get RBAC Roles. Can someone tell me what might be the problem with my app permissions.
Run the Connect-AzAccount command and log in with the tenant administrator or subscription administrator account.
Run the Get-AzRoleAssignment command.
Adding Admin Consent to Azure Service Management solved my issue
Related
Is it possible to access sharepoint online from desktop app with azure ad token, but as a currently logged user?
I already registered client app in the azure ad and i'm able to connect to share point when the api permissions are set to "Application permissions", but when i set the permissions to "Delegated permissions" I can't access sharepoint site.
What i need is a way to create sp ClientContext based on the token i get from the azure. I know it's possible to try with SharePointOnlineCredentials, but i don't want to mess with users credentials.
To get the Access Token for Azure, pls use the below article.
active-directory-dotnet-native-headless
Below are the steps you have to follow:
Followed the steps mentioned in the article
Added Office 365 Sharepoint Online API access permissions for the App.
Selected necessary permissions for the App.
I'm setting up a Power BI auditing solution using an Azure Automation Account and the Power BI Powershell Cmdlets. In order to access PBI audit logs Power BI Services Admin role is needed.
This role can be granted to O365 Tenant users via Microsoft 365 admin center or via the Azure Portal using directory built-in roles.
This seems not that straightforward to me when I try to grant the given role to the AAD App Registration used to authorize the Power shell script in order to run programmatically. My question is: which is the best way to perform this operation on a service principal? I found a lot of documentation, but most of the time it is a bit confusing.
If I misunderstand your requirement, please let me know.
You mentioned we can add the role to service principal via Microsoft 365 admin center or via the Azure Portal using directory built-in roles. And then you want to know which is the best way to do this operation to allow you run the powershell script programmatically. So I think we can just use the powershell command which is shown in the tutorial you provided above, or you can refer to this tutorial to know more about this command.
Add-AzureADDirectoryRoleMember -ObjectId <the power bi admin role id> -RefObjectId <your service principal(or user) objectId>
Assign the role by this command, you can run it programmatically and without do the assign role operation in web page. I think this is the best way to do it.
I am a developer working on an application that will access O365 data via the Graph API. I have registered an application under my company account. I have authentication working on a per-user basis. Now I am trying to get it to work so that a tenant administrator can grant permission to my application for data access on an organization-wide basis. I have this working as well - I used the /adminconsent endpoint to bring the administrator to a page where he granted the consent.
What I am wondering about is the line in the documentation that says "You can rely on an administrator to grant the permissions your app needs at the Azure portal". I am trying to figure out what that procedure is so I can document it for admin users. I thought perhaps it was to go to App Registrations - there I see an option to create a new registration. But this has it's own Client Id. Don't I somehow have to give it the Client Id of my own application? Or is the idea that the tenant admin will supply the Client Id of his app to my app? Or am I in the wrong area altogether?
BTW in case it is relevant, I am not using any authentication library, just making direct http calls from a C++ program running on the Windows desktop.
Per my understanding, your application is an multi-tenant application. Only you or the administrators in your tenant can grant the permissions to your application. The administrators from other tenants can grant consent to use your application, but they can not control the permissions.
Update:
You can grant admin consent by calling admin consent endpoint.
https://login.microsoftonline.com/common/v2.0/adminconsent?
client_id={your_tenant_client_id}
&state=12345
&redirect_uri=http://localhost/myapp/permissions
&scope=
https://graph.microsoft.com/.default
If you want to grant admin consent via Azure portal. The application must already been provisioned in your tenant. For example, an app could be provisioned in your tenant if at least one user has already consented to the application.
We have an account that is an Application Administrator, and with that account, we registered an App.
When attempting to add permissions both Application and Delegated, there would be a message saying it needs admin approval. When trying to give admin consent from the apps permissions page with the following image would pop up
The permissions we were attempting to give were:
-Microsoft Graph: Reports.Read.All
-Office 365 Management API: ServiceHealth.read
And these were both Application and Delegated
What Exactly is happening here?
Are we doing something wrong?
You need to login in your application with the Azure AD global admin account.(Application Administrator can not do this)
Or you can ask your Azure AD admin to grant admin consent on Azure portal.
Go to your application->API permissions-Grant consent.
Could you please let me know, How we can be able to added the co-administrator or my colleague to the newly created B2C tenant as a Global admin.
I’m struggling to find the way out. I have gone through some article were it point to add/import the user from external Azure active directory as source using classic portal.
Scenario is: I’ve created the B2C tenant were I marked as GA. I want my colleague to manage the directory in my absence.
Have followed the guide to assign Admin Roles to a User in Azure AD. On the Step 5, select the Global Administrator under Directory Role
Still not able to connect through Powershell
Still not able to connect through Powershell
Do you mean your colleague can't use his Azure AD account to login your Azure AD with PowerShell? With this command Connect-AzureAD?
We can via Azure classic portal to add Global Admin role to your colleague's account, like this:
After that, we can use PowerShell to login your Azure AD with -TenantId, like this:
connect-azuread -TenantId 0e0a9c5d-xxxx-xxxx-xxxx-xxxx375bxxxx
============================
Update:
If you want make your account can login new azure portal, we should grant your account admin permission of this subscription, we can set this here: