I'm trying to export AAD users from ADB2C to a csv file. I'm able to achieve this using the graph API "graph.windows.net" and some filter conditions. But with this approach, I can only get a limit of 999 records per response and I need to get the next link to do another API call and so on...
This process is taking a long time to fetch the AAD users. Hence I tried using Power shell scripts i.e using Get-AzureADUser, using this approach I was able to get all the users within a short duration. But the issue in this approach I'm not able to get all the attributes that I get via the rest call (i.e the attribute is userIdentites).
The reason I'm looking for userIdentites is, that I can filter out the users with social logins like gmail.com or facebook.com
How can I achieve this using PowerShell scripts? or using CLI or Python?
A sample response from the Graph API -
Powershell script to get the same attributes, but I'm getting blank userIdentites, which is wrong. Expected is few users are to get social logins as shows in Graph API Response
For($i=$index; $i -lt $regexArray.Length; $i++){
$regexArray[$i] | Out-File $tempLogFile -NoNewline
$blobFileName = $fileName + $i + ".csv"
Write-Output ("Exporting Users Information in a CSV File for Surname with Regex : " + $regexArray[$i])
Get-AzureADUser -All $true | where-Object { $_.Surname -cmatch $regexArray[$i]} |
select otherMails,DisplayName,userIdentites,UserPrincipalName,Department | Export-Csv $tempfilepath -NoTypeInformation
Set-AzureStorageBlobContent -Context $context -Container $container -File $tempfilepath -Blob $blobFileName -Force
Write-Output ("Exported File Name : " + $blobFileName)
Set-AzureStorageBlobContent -Context $context -Container $container -File $tempLogFile -Blob $logFile -Force
Write-Output ("Exporting completed for Surname with Regex : " + $regexArray[$i])
}
public static async Task ListUsers(GraphServiceClient graphClient)
{
Console.WriteLine("Getting list of users...");
try
{
// Get all users
var users = await graphClient.Users
.Request()
.Select(e => new
{
e.DisplayName,
e.Id,
e.Identities
})
.GetAsync();
// Iterate over all the users in the directory
var pageIterator = PageIterator<User>
.CreatePageIterator(
graphClient,
users,
// Callback executed for each user in the collection
(user) =>
{
Console.WriteLine(JsonSerializer.Serialize(user));
return true;
},
// Used to configure subsequent page requests
(req) =>
{
Console.WriteLine($"Reading next page of users...");
return req;
}
);
await pageIterator.IterateAsync();
}
catch (Exception ex)
{
Console.ForegroundColor = ConsoleColor.Red;
Console.WriteLine(ex.Message);
Console.ResetColor();
}
}
https://learn.microsoft.com/en-us/samples/azure-samples/ms-identity-dotnetcore-b2c-account-management/manage-b2c-users-dotnet-core-ms-graph/
I'm currently writing a script to add users automatically. So far I can add a new SQL Login with the sqlserver modules Add-SqlLogin cmddlet. And I can add the database mapping for the user with another script I've found.
What remains is to actually allow the user to connect to the database (see image). I haven't found a way to do that through powershell yet. Can anyone point me to a solution?
The option I wish to set through powershell
After another hour of googling I have found a solution:
$ServerInstance = "server"
$name = "user"
$action = "Grant"
$permission = "ConnectSql"
$server = New-Object -TypeName Microsoft.SqlServer.Management.Smo.Server -ArgumentList $ServerInstance
$perm = New-Object Microsoft.SqlServer.Management.Smo.ServerPermissionSet
$perm.$($permission.ToString()) = $true
switch ($action)
{
'Grant' { $server.Grant($perm,$name) }
'Deny' { $server.Deny($perm,$name) }
'Revoke' { $server.Revoke($perm,$name) }
}
How to use Powershell to modify SQL login permission? as answered by Chad Miller.
How to retrieve details which contains information of login user including domain for example let say domain\useralias from Azure AD for a user input? Note that domain names are there in onprem ad which were sync to Azure AD.
You can use the OnPremiseDistinguishedName extension property.
Example:-
foreach($line in Get-Content c:\users\myuser\users.txt) {
if($line -match $regex){
$onPremisesDistinguishedName = (Get-AzureADUserExtension -ObjectId $line).get_item("onPremisesDistinguishedName")
$domain = $onPremisesDistinguishedName.split(",")
$alias = $line.Split("#")
$sAMAccountName = ($domain[2]).Substring(3)
$sAMAccountName + "\" + $alias[0]
}
}
Trying to get a ServerPermissionSet for a login and apply it to a new login. Can't seem to grasp if there is a relationship between the ServerPermissionSet and a Server.Login, or if there is a better way to do this. I can do this with tSQL, but am trying to look at this from the SMO perspective. Here is some sudo code on what I am trying to accomplish.
$server = new-object ('Microsoft.SqlServer.Management.Smo.Server')
"my_server"
$sps = new-object -TypeName
Microsoft.SqlServer.Management.SMO.ServerPermissionSet
$newlogin = new-object ('Microsoft.SqlServer.Management.Smo.Login') $Server,
"new_login"
$oldlogin = $server.Logins["old_login"]
// THIS PART OBVIOUSLY DOESN'T WORK
$newlogin.Create("password")
$sps = $oldlogin.ServerPermissionSet
$server.Grant($sps,"new_login")
I'm using the code example here to inform my answer:
$server = new-object ('Microsoft.SqlServer.Management.Smo.Server')
"my_server"
$newlogin = new-object ('Microsoft.SqlServer.Management.Smo.Login') $Server,
"new_login"
$newlogin.Create("password")
$sps = $server.EnumServerPermissions("old_login")
$server.Grant($sps,"new_login")
That is, you have to ask the server to enumerate the server permissions for old_login which will generate a ServerPermissionSet[] which you can then pass to the Grant method on the server object.
But I do have to ask: is there a reason not to use a server-level role to encapsulate these permissions and just grant membership in the role to the new login?
I like to uncheck in the internet connection settings "Automatically detect settings", which is on by default. I tried to modify the default profile and I can verify that my script creates the correct entry, which is working on the current profile as well.
But as soon a new profile gets created, it is ignoring exactly this setting and sets it to the default.
Here is an excerpt of the script I am using (note: the default user hive was loaded before into xxtray:
$key = 'HKLM:\xxtray\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections'
$data = (Get-ItemProperty -Path $key -Name DefaultConnectionSettings).DefaultConnectionSettings
if ($data.Length -eq 0) {
$keyorg = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections'
$data = (Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections' -Name DefaultConnectionSettings).DefaultConnectionSettings
}
if ($data.length -eq 0) {
$data = ([byte[]](0x46,0x00,0x00,0x00,06,0x00,0x00,0x00,01,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x2d,0x00,0x00,0x00,0x68,0x74,0x74,0x70,0x3a,0x2f,0x2f,0x65,
...
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00))
}
if ($data.length -ne 0) {
$data[8] = 1
remove-itemproperty -Path $key -Name DefaultConnectionSettings
Set-ItemProperty -Path $key -Name DefaultConnectionSettings -Value $data
}
So, if I logon with a fresh profile, "Automatically detect settings" is on, byte 8 is set to 9, while it is set at the same time in the default user profile to 1
The question:
How can I override this behavior? It's not an option to place something as autologon to fix it.
Target OS is Windows Server 2008R2 and Windows Server 2012.
Thanks for help,
Rolf.