I have a script which (among many other things) creates a service principal in our corp AAD instance. Since I've collected a good number of service principals during my time here, it would be nice to distinguish them visually using a photo. Is there any way to do this via script? I've found Set-AzureADUserThumbnailPhoto but it doesn't seem to work for AAD applications.
You are looking for Set-AzureADApplicationLogo, when you use it set the logo of the AD App(app registration), its service principal(enterprise application) logo will also change.
Set-AzureADApplicationLogo -ObjectId <app-objectid> -FilePath C:\Users\joyw\Desktop\pic.jpg
Related
I create successfully a ServicePrincipal (SP) in AzureAD and able to do a lot of stull like {Connect to Azure, Create resource, etc...}
I need my SP to use command Get-AzNetworkServiceTag but it always return empty values.
When I try command command Get-AzNetworkServiceTag with my own account I get expected result. I believe problem come from permission and your help is very welcome to set least privilege.
My current permissions looks like:
Do you know which one should I use ?
Alternative question is what is best practices to determine permissions based on powershell command ? Although permissions could name to determine there is so many that it's difficult to choose correct one. Thanks you.
The command Get-AzNetworkServiceTag essentially calls the Azure Management REST API - Service Tags - List, it is not related to Azure AD, to solve the issue, you need to assign the Azure RBAC role(not Azure AD admin role) to your service principal.
To solve the issue, the easiest way is to assign the built-in role e.g. Reader, Contributor to your service principal at the subscription scope. But if you want to the
least privilege, your option is to create a custom role then use it, you could follow the steps below.
1.Navigate to your subscription in the portal -> Access control (IAM) -> Add -> Add custom role, follow the screenshots.
Then skip the Permissions, in the JSON, click Edit, add Microsoft.Network/*/read to actions -> Next and create it.
After creating the custom role, wait for a while, navigate to the Access control (IAM) -> add the custom role to your service principal.
In conclusion, the Microsoft.Network/*/read action permission is the least privilege in this case, after giving the role, it will work fine.
Alternative question is what is best practice to determine permissions based on powershell command?
You just need to know what does the command do, then find the operation in the Azure resource provider operations, in this case, there is no such operation like Microsoft.Network/serviceTags/read, so we need to use Microsoft.Network/*/read at least.
You are facing this issue because Powershell cmdlet works differently than compared to MS Graph. Instead of permissions, Powershell require roles to do this operations. Please add Global Administrator role to your service principle and then try the Connect-AzAccount so that, the issue will be fixed.
For more details, you may refer to Assigning administrator roles in Azure Active Directory.
I need to implement an Active Directory(on-prem) manager in which user can do all tasks like add user, delete user, assign license and assign groups etc. User has username, password and domain controller name, so he just login to my app and manage everything. Actually arranging client properties physically is to a great wastage of time and particularly one should have intense knowledge of native tools and PowerShell.
So i am new to these technologies, can anyone please let me know the whole idea behind this. Already services are up like (https://www.manageengine.com/products/ad-manager/active-directory-management.html)
Is there any reason you want to stay on-premises? If you are willing to sync to the cloud Azure AD is great for user self-management. https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-whatis
https://learn.microsoft.com/en-us/azure/active-directory/users-groups-roles/groups-self-service-management
Quest also has an on-premises software with something similar to what you are looking for. https://www.quest.com/products/active-administrator/
I'm currently trying to integrate with Azure AD using the admin consent flow.
I've set up an app in our domain, set a few permissions on it and am then navigating to the following link:
https://login.microsoftonline.com/mytestdomain.onmicrosoft.com/oauth2/authorize?client_id=12345678-1234-1234-1234-123456789012&response_type=code&redirect_uri=http://example.com/responsehandler&resource=12345678-1234-1234-1234-123456789012&prompt=admin_consent&state=12345
(Some of the values here have been swapped out for "example" values)
When I navigate there I get asked to sign in, which I do using a different test domain into which I want to import the app.
After signing in I'm shown a list of all the permissions that the app needs (which appear to be correct), I click accept but then I get the following error:
AADSTS90002: Requested tenant identifier '00000000-0000-0000-0000-000000000000' is not valid. Tenant identifiers may not be an empty GUID.
I'm not sure where this empty GUID is coming from and after some searching I can't find any reference to what might be causing it.
Daniel Camargo's comment above seems to have done the trick.
When I navigated to the login.microsoftonline.com link I was logging in with the user that created the domain.
If I log in with a test admin user that I created it works as I'd want.
I am not convinced that we had exactly the same problem, given that my case was involving a Cordova application, but I will share my scenario anyway:
I created a trial account for my proof of concept and for that I used my personal Microsoft account that I will call mypersonalaccount#outlook.com.
Thus, mypersonalaccount#outlook.com is now part of 2 directories: the outlook.com and my recently created mypersonalaccount.onmicrosoft.com.
When I was trying to authenticate in my Oauth2 application using mypersonalaccount#outlook.com I got that error. My humble guess is that the error is related to some sort of collision between the 2 accounts.
I later created a user1#mypersonalaccount.onmicrosoft.com and a guest account using my gmail account. Everything worked fine with these ones.
Was having the same problem, and the same after 1 week of work by the azure team, was solved.
My problem was being trying to log in to VSTS with AAD accounts.
I would like to be automatically logged on a website using my password an login that are used on my computer when i open an AD session.
Connection must be granted if i'm in the right AD group .
Any advices ?
The easiest solution would be to use the built-in ASP.NET Membership and Role system and just use the "Active Directory" membership and role providers.
That way, your user is automatically authenticated, and you can use role-based security in ASP.NET to do something like:
[PrincipalPermission(SecurityAction=Demand, Role='MyAppRole')]
Put this on your critical or sensitvie methods to allow or refuse access to your app.
With the same method, you can also add protected subfolders to your application and protect them by specifying who has access (or not) in your web.config (in that folder).
See a few links for additional details:
http://blogs.msdn.com/gduthie/archive/2005/08/17/452905.aspx
http://slalomdev.blogspot.com/2008/08/active-directory-role-provider.html
http://msdn.microsoft.com/en-us/library/system.web.security.activedirectorymembershipprovider.aspx
Hope this helps a bit.
Marc
I have a project requirement where I need to authenticate against ActiveDirectory in a remote/disconnected WPF application.
There is probably several ways to attempt to do this, but what would be the best approach using ActiveDirectory's MembershipProvider?
I need to:
Authenticate that the user exists.
obtain the AD user's groups and roles.
This needs to happen from a remote location, outside of the network Active Directory resides on.
From within a WinForms or WPF application you can now take advantage of "Client Application Services" (thanks MS for a very generic name, searching for help is now very painful!).
This allows you to connect to a WCF service that can validate the logins. The link above has a walkthrough that shows how easy it is to get it all working, once you have a working app you can modify your config to point to a different MembershipProvider and/or RoleProvider.
It's worth noting that the out-of-the-box solution includes a MembershipProvider named ActiveDirectoryMembershipProvider, but there's no RoleProvider for Active Directory.
If you do require the ability to get Roles (or Groups) and you are working with .NET 4.0 then you can take advantage of the new Active Directory API added that makes everything much easier, namely System.DirectoryServices.AccountManagement. For the most basic of Membership and Role services you'll want to have the following to create your own basic MembershipProvider and RoleProvider:
MembershipProvider.ValidateUser() - should use PrincipalContext.ValidateCredentials()
RoleProvider.GetAllRoles() - use a new GroupPrincipal() as a source to a new PrincipalSearcher()
RoleProvider.IsUserInrole() - use UserPrincipal.FindByIdentity() method to get a user, use GroupPrincipal.FindByIdentity() to get the group, then use the IsMemberOf() method on the user to see if they're a member of the group.
You can implement as little or as much of the API as needed, you should find everything you need in the new AccountManagement namespace to do this.