In the Azure Portal, one can look-up an Azure AD object based on the Object ID as shown below:
Is it possible to retrieve an Azure AD object by the Object ID using the Azure CLI?
In order to use the Azure CLI to get the object related to the object ID, it appears that I need to know in advance if the related resource is a user, group, device, app registration, etc., in order to get the details. For example, if I know the Object ID is a user, I can use az ad user show --id. If all I have is the Object ID, I don't know the 'type' of the object, yet somehow the Portal can figure this out!
While I'd prefer an Azure CLI solution, an Azure PowerShell solution would be better than nothing. I am asking the question because I'm trying to generate a list of access policies within key vault using az keyvault list, but the access policy list from that CLI command just shows Object IDs for each policy... I have no way of determining if the objects are users, groups, etc.
If you want to get Azure AD resource with its object id, we can use the following Microsoft Graph API
POST https://graph.microsoft.com/v1.0/directoryObjects/getByIds
Content-type: application/json
{
"ids":[""]
}
If you want to call the Microsoft Graph with Azure CLI, we can use the command az rest
For example (I use Azure cloud shell)
az rest --method POST --url 'https://graph.microsoft.com/v1.0/directoryObjects/getByIds' --headers 'Content-Type=application/json' --body '{"ids":[""]}'
For more details, please refer to here nad here
If you have a CSV file with user IDs in one column, this script is useful to look up all users at once
param(
$file = "query_data.csv"
)
$data = Get-Content $file | ConvertFrom-Csv
$userIds = $data.User | Get-Unique
$body = #{
ids = $userIds
} | ConvertTo-Json -Compress;
$body = $body -replace '"', '\"';
$results = az rest `
--method POST `
--url 'https://graph.microsoft.com/v1.0/directoryObjects/getByIds' `
--headers 'Content-Type=application/json' `
--body $body;
$results > results.json
Related
I know how to get the tenant id of Azure AD. But i have registred an APP in Azure AD using microsoft graph powershell and i want to obtain tenant id of this registred app using microsoft graph powershell. I tried to get it using the variable i used to create the app registration:
$APP = New-MgApplication -displayName $AppName `
-RequiredResourceAccess #{ ResourceAppId = $GraphResourceId; ResourceAccess = #($resourceAccess) } `
-SignInAudience $SignInAudience `
-PublicClient #{ RedirectUris = $URL }
If i use the variable $App and try to get a property called tenantid, there is nth called like this. $App | Select * did not show any tenantid aswell.
Anyone know how to read the tenantid of this registred azure app using microsoft graph powershell?
Graph API doesn't provide any information about tenant for registered application, so you cannot get tenant id directly.
The registered application is created under the same tenant that the user or application is signed in to.
You can read organization data
Import-Module Microsoft.Graph.Identity.DirectoryManagement
$org = Get-MgOrganization
$org.id is the tenant ID.
Documentation:
Organization
You can get the tenant id, by following below commands , ref doc - https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-how-to-find-tenant#find-tenant-id-with-powershell
Connect-AzAccount
Get-AzTenant
To list all To the tenants for your account, you can use:
GET https://management.azure.com/tenants?api-version=2020-01-01
ref doc - https://docs.microsoft.com/en-us/rest/api/resources/tenants/list
If you want to see the tenant ID associated with an app registration, you can do so through the portal under Azure Active Directory > App Registrations > the app registration > Overview. I don't believe it's possible to get this data via Powershell since Powershell requires both Tenant ID and Application ID to query the application information.
See the doc more info - https://learn.microsoft.com/en-us/partner-center/find-ids-and-domain-names
Hope this helps
Thanks
I have a SP using Shibboleth as IDP for SSO, and Shibboleth uses Active Directory as User store.
In SP configuration, it maps an attribute "urn:oid:2.16.840.1.113730.3.1.3" to a local attribute.
I exported all objects from AD but didn't find any attributes associated with 2.16.840.1.113730.3.1.3. But when I check SAML log in SP, I did find values of "EmployeeID" from AD are filled into this attribute, but AD attribute "EmployeeID" has different AttributeID(1.2.840.113556.1.4.35).
I used the following 2 cmds to export AD schema objects, neither of them shows 2.16.840.1.113730.3.1.3:
$schemaPath = (Get-ADRootDSE).schemaNamingContext
Get-ADObject -filter * -SearchBase $schemaPath -Properties *|select-object lDAPDisplayName,attributeID
ldifde -f xxx.ldif cn=Schema,CN=Configuration,DC=xxxx,DC=xxxx,DC=edu
Anybody knows why 2.16.840.1.113730.3.1.3 doesn't show up in schema query but Shibboleth can query its values?
Thank you
It is possible to assign app role access for an app registration in terraform using required_resource_access for azuread_application. This will give access to a custom role to my API to another application/service principal.
I would like to do the same for a managed identity, but cannot figure a way to do that with terraform. It can be done with powershell like that e.g.:
New-AzureADServiceAppRoleAssignment -ObjectId $managedIdentityObjectId -Id $appRoleId -PrincipalId $managedIdentityObjectId -ResourceId $serverServicePrincipalObjectId
This call to graph api would achieve the same I think:
POST /servicePrincipals/{objectId}/appRoleAssignments
But I'd really love to do that with terraform if possible.
There is no such built-in resource in Terraform to achieve this, the only related thing here - azuread_application_app_role, if you want to do that, the workaround is to run the powershell command in Terraform manually via local-exec Provisioner.
We have an enterprise application in our Azure AD tenant for provisioning users to another SaaS platform. Currently it is only setup with the option "Sync only assigned users and groups" since we do not want the whole directory brought over.
My question is simple, is there a way to use the az-cli (currently have version 2.0.60 installed) to add users to that enterprise application?
I checked out the:
az ad sp
az ad app
az role assignment (seems to only work with subscriptions and resources below)
I would expect there would be a simple role assignment command to run that adds a user by upn/objectId to the enterprise application.
Everyone in my team are using Mac's and we could use PowerShellCore if that has better support.
Thanks!
If it helps, I did this using az rest. We all use Macs here and PowerShell core seems broken in a few places (doesn't support certificate-based logins and the New-AzureADUserAppRoleAssignment cmdlet didn't work for us. We were using the preview version. The Graph API docs are also quite wrong so took a bit of fiddling to get the right endpoint and payload. Example below:
az rest \
--method post \
--uri https://graph.microsoft.com/beta/users/$user/appRoleAssignments \
--body "{\"appRoleId\": \"$appRoleId\", \"principalId\": \"$user\", \"resourceId\": \"$spObjectId\"}" \
--headers "Content-Type=application/json"
Can post a sample bash script for the above that sets the vars if anyone's interested?
It seems you could not do that via Azure CLI, my workaround is to use powershell to do that.
Everyone in my team are using Mac's and we could use PowerShellCore if that has better support.
First, you need to install the AzureAD.Standard.Preview powershell module which supports powershell core, you can understand the module is an equivalent of AzureAD module in powershell core, they have the same usage, it is a preview version, for more details see this link.
Then try the command New-AzureADUserAppRoleAssignment as below, this sample assigns a user to an application with default app role id.
New-AzureADUserAppRoleAssignment -ObjectId "<user objectid>" -PrincipalId "<user objectid>" -ResourceId "<service principal objectid(i.e. Enterprise Application objectid)>" -Id ([Guid]::Empty)
Check in the portal:
If you want to assign a user to a specific app role within an application, try the command below.
$username = "<You user's UPN>"
$app_name = "<Your App's display name>"
$app_role_name = "<App role display name>"
# Get the user to assign, and the service principal for the app to assign to
$user = Get-AzureADUser -ObjectId "$username"
$sp = Get-AzureADServicePrincipal -Filter "displayName eq '$app_name'"
$appRole = $sp.AppRoles | Where-Object { $_.DisplayName -eq $app_role_name }
#Assign the user to the app role
New-AzureADUserAppRoleAssignment -ObjectId $user.ObjectId -PrincipalId $user.ObjectId -ResourceId $sp.ObjectId -Id $appRole.Id
Is it possible to create Azure AD B2C tenants programmatically (e.g. with Powershell, REST API)?
We are developing a multi-tenant SaaS solution for which we would like to create an Azure B2C tenant automatically whenever a new tenant registers.
I'm afraid currently you cannot create Azure AD using either the APIs or using PowerShell. Although you can create additional directories in a subscription you cannot create one using any automation.
You can use PowerShell AzureADPreview 2.0 module to manage custom policies, applications, etc. Although not such a complete thing like ARM Templates, but you can automate many things for now.
Full doc is here: AzureADPreview 2 docs
I had no success to install this module to "old" PowerShell (5.x) so I gave a shot to the 'new' PowerShell 7 (Core). The only issue with PowerShell 7 and AzureAD module is that Connect-AzureAD uses a cryptographic function which is not in .NET Core, so you must import the AzureADPreview module using the -UseWindowsPowerShell option.
Here is a sample, works with PowerShell 7:
Install-Module AzureADPreview
Import-Module AzureADPreview -UseWindowsPowerShell
$tenantId = "yourb2ctenant.onmicrosoft.com"
# Note: this will interactively ask your credentials.
# If you want to run this unattended, use the -Credential parameter with a PSCredential object with a SecureString
Connect-AzureAD -TenantId $tenantId
# ready to go
#list your all custom policies:
Get-AzureADMSTrustFrameworkPolicy
# upload a policy:
$policyId = "B2C_1A_TrustFrameworkBase"
$policyFileName "YourTrustFrameworkBase.xml"
Set-AzureADMSTrustFrameworkPolicy -Id $policyId -InputFilePath $policyFileName
#list your all apps
Get-AzureADApplication
# examine one of you app and get ideas
$application = Get-AzureADApplication -ObjectId af46a788-8e55-4301-b2df-xxxxxxxxx
# create an application
$applicationName = "yourappname"
$application = New-AzureADApplication -DisplayName $applicationName -PublicClient $true etc