Grant access to AAD Graph API's for a Managed Identity - azure-active-directory

I'm following this article on accessing the AAD Graph API using a managed identity - https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/tutorial-windows-vm-access-azure-ad-graph
With my global admin account I am executing something along the lines of the following in PowerShell:
$AppRole = $WindowsAADServicePrincipal.AppRoles | Where-Object {$_.Value -eq "Application.ReadWrite.All" -and $_.AllowedMemberTypes -contains "Application"}
New-AzureAdServiceAppRoleAssignment -ObjectId $identity.PrincipalId -PrincipalId $identity.PrincipalId -ResourceId $WindowsAADServicePrincipal.ObjectId -Id $AppRole.Id
The command reports the following "Insufficient privileges" exception - but the role still seems to be assigned to the service principal!!??
New-AzureAdServiceAppRoleAssignment : Error occurred while executing
NewServicePrincipalAppRoleAssignment Code:
Authorization_RequestDenied Message: Insufficient privileges to
complete the operation. RequestId: XXX DateTimeStamp: Mon, 17 Jun 2019
15:16:53 GMT HttpStatusCode: Forbidden HttpStatusDescription:
Forbidden HttpResponseStatus: Completed At line:5 char:5
+ New-AzureAdServiceAppRoleAssignment -ObjectId $identity.Principal ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [New-AzureADServiceAppRoleAssignment], ApiException
+ FullyQualifiedErrorId : Microsoft.Open.AzureAD16.Client.ApiException,Microsoft.Open.AzureAD16.PowerShell.NewServicePrincipalAppRoleAssignment
My question is: why? If I look at an HTTP trace of the requests made by this command to the AAD Graph API, I don't see much of interest.
If I execute the request manually to assign a role using the managed identity above, to which I assigned the required permissions, I get a similar exception but no role is assigned. What's odd is that I have tried assigning a number of permissions to the identity executing this request - up to and including Global Admin on the tenant - but I still see this error....
$created_permissions = Invoke-RestMethod -Method post -Uri "https://graph.windows.net/tenantname.onmicrosoft.com/servicePrincipals/$($created_principal.objectid)/appRoleAssignments?api-version=1.6" -Body ($permission | ConvertTo-Json -Depth 99 -Compress) -ContentType "application/json" -Headers @{ "Authorization" = "Bearer $access_token" }
I would like to avoid giving the identity Global Admin or a similar role and would prefer it if I could give a granular permission, i.e. Application.ReadWrite.OwnedBy

I think you're running into a known issue.
I've run into a similar one with a slightly different context, i.e. MSI for Logic Apps. Please take a look at this SO post for more details - Assigning Microsoft Graph permissions to Azure Managed Service Identity.
I used to get the Authorization_RequestDenied error for the first run and Request_BadRequest for any retries, because even though the first run gave an error, the permission/role assignment does actually get added. Even though it's supposed to be intermittent, I got it pretty consistently. In the end I could just ignore the error, because the desired permission still gets assigned to the managed identity.
Here is a related GitHub issue - Executing the New-AzureAdServiceAppRoleAssignment step returns a Forbidden error
It's a long thread, but look at the comment by daveba from Microsoft.
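As an added example (not code from the question, the answer or the linked tutorial), here is an idempotent way to grant a granular app role such as Application.ReadWrite.OwnedBy to a managed identity with the AzureAD module. It checks for an existing assignment first and, when the cmdlet throws, re-reads the assignments before treating the error as real, so the spurious Authorization_RequestDenied described above is distinguished from a genuine failure. It assumes the AzureAD module with an existing Connect-AzureAD session; the managed identity object id is a placeholder, and 00000002-0000-0000-c000-000000000000 is the well-known appId of the AAD Graph service principal.

```powershell
# Added example (not from the question, answer or linked article).
# Requires: Install-Module AzureAD; Connect-AzureAD as an account allowed to grant app roles.
function Grant-ManagedIdentityAppRole {
    param(
        [Parameter(Mandatory)][string]$ManagedIdentityObjectId,   # object id of the MSI service principal (placeholder)
        [Parameter(Mandatory)][string]$AppRoleValue,              # e.g. 'Application.ReadWrite.OwnedBy'
        # Well-known appId of the AAD Graph service principal ("Windows Azure Active Directory")
        [string]$ResourceAppId = '00000002-0000-0000-c000-000000000000'
    )
    $resourceSp = Get-AzureADServicePrincipal -Filter "appId eq '$ResourceAppId'"
    if (-not $resourceSp) { throw "No service principal found for appId $ResourceAppId" }

    # Only application-type roles can be granted to a service principal.
    $appRole = $resourceSp.AppRoles | Where-Object {
        $_.Value -eq $AppRoleValue -and $_.AllowedMemberTypes -contains 'Application'
    }
    if (-not $appRole) { throw "App role '$AppRoleValue' is not exposed by $($resourceSp.DisplayName)" }

    # Get-AzureADServiceAppRoleAssignment lists the principals assigned to the *resource*,
    # so query the resource SP and filter on our managed identity and the role id.
    $find = {
        Get-AzureADServiceAppRoleAssignment -ObjectId $resourceSp.ObjectId -All $true |
            Where-Object { $_.PrincipalId -eq $ManagedIdentityObjectId -and $_.Id -eq $appRole.Id }
    }

    $existing = & $find
    if ($existing) {
        Write-Verbose "'$AppRoleValue' is already assigned; nothing to do"
        return $existing
    }

    try {
        New-AzureADServiceAppRoleAssignment -ObjectId $ManagedIdentityObjectId `
            -PrincipalId $ManagedIdentityObjectId -ResourceId $resourceSp.ObjectId -Id $appRole.Id
    } catch {
        # Known behaviour from the question: Authorization_RequestDenied can be raised even
        # though the assignment was written. Re-read before deciding the call really failed.
        Start-Sleep -Seconds 10
        $after = & $find
        if ($after) {
            Write-Warning "Cmdlet reported '$($_.Exception.Message)' but the assignment exists; treating as success"
            return $after
        }
        throw   # genuinely failed: rethrow the original error
    }
}

# Usage (placeholders):
# Grant-ManagedIdentityAppRole -ManagedIdentityObjectId '<msi-principal-id>' `
#     -AppRoleValue 'Application.ReadWrite.OwnedBy' -Verbose
```

Because the function re-queries the resource's assignments rather than trusting the cmdlet's exit status, it can be re-run safely from a pipeline, and it never needs the identity to hold anything broader than the single app role being granted.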

Related

Can't create Azure Active Directory - Domain Service - Code: RequestConfig

I was facing an issue when tried to create and deploy a new AAD DS instance.
I got the following error:
{
  "code": "DeploymentFailed",
  "message": "At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.",
  "details": [
    {
      "code": "RequestConflict",
      "message": "Cannot modify resource with id '/subscriptions/XXX/resourceGroups/ADDS-resource-group/providers/Microsoft.AAD/domainServices/whatever.onmicrosoft.com' because the resource entity provisioning state is not terminal. Please wait for the provisioning state to become terminal and then retry the request."
    }
  ]
}
I tried to redo the process multiple times without any success. Does anyone know, what might be the root cause, and how to fix it?
I am wondering if my subscription plan is too basic for AAD-DS?
Multiple issues have been reported with the same error, and it belongs to troubleshooting and fixing by the MS support team.
Please raise support ticket on azure portal by following this link: https://learn.microsoft.com/en-us/azure/azure-supportability/how-to-create-azure-support-request
Reference 1 : Resource group with Azure AD Domain Service is not getting deleted
Reference 2 : Error while updating secure LDAPS in Azure AD DS
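The RequestConflict message quoted in the question asks for the existing resource's provisioning state to become terminal before the deployment is retried. As an added example (not from the question or the answer), the following Az module function polls that state and only returns once it is terminal or the resource is gone, so a retry is not issued blindly. It assumes the Az module with a Connect-AzAccount session; the resource id is a placeholder built from the one in the error.

```powershell
# Added example (not from the question or answer). Requires: Install-Module Az; Connect-AzAccount.
function Wait-AzProvisioningTerminal {
    param(
        [Parameter(Mandatory)][string]$ResourceId,   # full ARM resource id (placeholder below)
        [int]$TimeoutMinutes = 60,
        [int]$PollSeconds = 30
    )
    # ARM terminal provisioning states; anything else means an operation is still in flight.
    $terminal = @('Succeeded', 'Failed', 'Canceled')
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        $res = Get-AzResource -ResourceId $ResourceId -ExpandProperties -ErrorAction SilentlyContinue
        if (-not $res) { return 'NotFound' }   # resource no longer exists; a fresh deployment can proceed
        $state = $res.Properties.provisioningState
        if ($state -in $terminal) { return $state }
        Write-Verbose "$(Get-Date -Format s) provisioningState=$state, waiting $PollSeconds s"
        Start-Sleep -Seconds $PollSeconds
    } while ((Get-Date) -lt $deadline)
    throw "Provisioning state still non-terminal after $TimeoutMinutes minutes; open a support request"
}

# Usage (placeholder id shaped like the one in the error message):
$id = '/subscriptions/<subscription-id>/resourceGroups/ADDS-resource-group/providers/Microsoft.AAD/domainServices/whatever.onmicrosoft.com'
$state = Wait-AzProvisioningTerminal -ResourceId $id -Verbose
"Final state: $state"
```

If the state stays non-terminal past the timeout, the function deliberately throws rather than retrying, which is the point at which the answer's advice to raise a support ticket applies.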

Open Group Policy Management Console (gpmc) for Another Domain

I am trying to open a gpmc for another domain. We have 2 AD Domains A and B. There are no trusts between them. My Computer is joined to Domain A and I want to open a gpmc for domain B.
For DSA (AD Users and Computers) this seems to be possible like this:
runas.exe /netonly /user:<Domain B>\<Domain B User> "mmc dsa.msc /domain=<Domain B>"
but when I try to run this for gpmc the following error comes up:
I probably do not have access to the logs of either domain.
This is working as expected and is not supposed to work. The GPMC console is designed to try to get an operational token for the PDC of the domain environment wherever you are opening the same, because the PDC (primary domain controller role holder in a domain) is supposed to have the most recent copy of the group policies (but sometimes this is not true due to delayed replication etc.). So when you try to connect to GPMC of another domain it connects and sends a Kerberos request which fails to get a ticket (to be considered the same as the token I mentioned above).
If you take a network trace in both the cases you will see that there is a TGT request to get a ticket for SPN ldap/(domain A) from the domain B domain controller, which is not possible because you do not have trust between the domains. This fails with "KerberosV5:KRB_ERROR - KDC_ERR_S_PRINCIPAL_UNKNOWN (7)". This is the moment you see the access denied error as shown in the screenshot. I hope that provides clarity on your query.
It's been a while, but with the help of a colleague we came to a solution. The GPMC has an option called trust detection (View -> Options -> General).
Once this option is disabled, the GPMC has to be closed so that this option is saved. If you then start the GPMC via
runas.exe /netonly /user:<Domain B>\<Domain B User> "mmc gpmc.msc /domain=<Domain B>"
the forest from domain B can be added and you can configure your GPOs as you normally would.

AzureAD - oauth2AllowIdTokenImplicitFlow for app-registrations

As I was attempting to remove the additional configuration on an app registration created by PowerShell, I came across a strange behaviour:
This command az ad app update --id $app.appid --set oauth2AllowIdTokenImplicitFlow='false'
results in an exception, namely "az : Property 'oauth2AllowIdTokenImplicitFlow' not found on root. Send it as an additional property". It however does apply the value.
Is there no documented way to automate this setting - as it can be sent via the portal and via the API (shoot and forget as per How to setup oauth2AllowIdTokenImplicitFlow in azure AD application from console?)
And I was expecting it to be part of the permission grants..?
The command you have shared will not work, as oauth2AllowIdTokenImplicitFlow is not the correct syntax for az ad app update as per the Microsoft documentation.
The correct syntax will be
az ad app update --id $app.appid --oauth2-allow-implicit-flow false
Microsoft split the oauth2AllowIdTokenImplicitFlow out of oauth2AllowImplicitFlow.
To reliably set it from within an Az context, use the API instead:
az rest --method PATCH --uri 'https://graph.microsoft.com/v1.0/applications/<Object_Id>' --headers 'Content-Type=application/json' --body '{\"web\":{\"implicitGrantSettings\":{\"enableIdTokenIssuance\":false}}}'
(reference: https://github.com/Azure/azure-cli/issues/10579)
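The Graph PATCH above sets the id token flag but does not verify it, and leaves the sibling access token flag untouched. As an added example (not from the question or the answers), this PowerShell function turns off both implicit grant settings on an app registration through Microsoft Graph and reads the object back to confirm. It uses the az CLI only to obtain a Graph token (az account get-access-token --resource-type ms-graph) and assumes an existing az login; the application object id is a placeholder.

```powershell
# Added example (not from the question or answers). Requires the az CLI with an active login.
function Disable-ImplicitGrant {
    param([Parameter(Mandatory)][string]$ApplicationObjectId)   # placeholder: the app *object* id, not appId

    # Borrow a Microsoft Graph token from the CLI's login session.
    $token   = (az account get-access-token --resource-type ms-graph | ConvertFrom-Json).accessToken
    $headers = @{ Authorization = "Bearer $token"; 'Content-Type' = 'application/json' }
    $uri     = "https://graph.microsoft.com/v1.0/applications/$ApplicationObjectId"

    # Both implicit-flow switches live under web.implicitGrantSettings.
    $body = @{
        web = @{
            implicitGrantSettings = @{
                enableIdTokenIssuance     = $false
                enableAccessTokenIssuance = $false
            }
        }
    } | ConvertTo-Json -Depth 5

    Invoke-RestMethod -Method Patch -Uri $uri -Headers $headers -Body $body | Out-Null

    # Read back and fail loudly if either flag is still on.
    $app = Invoke-RestMethod -Method Get -Uri ($uri + '?$select=id,displayName,web') -Headers $headers
    $s = $app.web.implicitGrantSettings
    if ($s.enableIdTokenIssuance -or $s.enableAccessTokenIssuance) {
        throw "Implicit grant still enabled on '$($app.displayName)'"
    }
    [pscustomobject]@{
        DisplayName        = $app.displayName
        IdTokenIssuance    = $s.enableIdTokenIssuance
        AccessTokenIssuance = $s.enableAccessTokenIssuance
    }
}

# Usage (placeholder):
# Disable-ImplicitGrant -ApplicationObjectId '<application-object-id>'
```

Building the body with ConvertTo-Json sidesteps the backslash-escaping that makes the one-line az rest form fragile across cmd, PowerShell and bash, and the read-back turns the change into something a compliance check can assert on.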

Failed to query active directory groups

I have a problem with the synchronization of Active Directory groups with MDM.
The user/password is correct, it is marked so it never expires. Looking at the logs I see the following error:
2016/12/21 07:25:32.433 CSWAIRWZ11 8e66e0df-00a6-4997-a293-bccd713e430c [0000000-0000000] (52) Error WanderingWiFi.AirWatch.BusinessImpl.EnterpriseIntegrationHelper.SearchGroups Directory call failed. System.DirectoryServices.Protocols.LdapException:80090311: LdapErr: DSID-0C0905DE, comment: AcceptSecurityContext error, data 51f, v1db1 Error code:49
Besides the user / password, what other problem could happen?
Thank you very much in advance.
Regards
LDAP Error code 49 means AD_INVALID CREDENTIALS (source).
Are you sure that the AD credentials of the account you are using to bind with your Domain Controller are correct? If yes, then I would try using some alternative bind authentication types supported by AirWatch. In my experience Basic and GSS-Negotiate work the best.
If this still does not work, then install an LDAP client on your console server (like for example LDP.exe) and make sure you can bind with your account.
Hope this helps!
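As an added example (not from the question or the answer), the following PowerShell reproduces the two checks the answer recommends: it binds to a domain controller with System.DirectoryServices.Protocols using the alternative authentication types mentioned (Negotiate and Basic), and it decodes the AD-specific "data NNN" subcode from the server's error text. The subcode table is the standard set of Win32 logon error codes AD places in that field; the 51f in the log line from the question is hex for 1311, ERROR_NO_LOGON_SERVERS. Server, user and password values are placeholders.

```powershell
# Added example (not from the question or answer). Windows PowerShell or PowerShell 7 on Windows.
Add-Type -AssemblyName System.DirectoryServices.Protocols

# AD bind-failure subcodes as they appear after "data " in the LDAP error text.
# Standard Win32 logon error codes; 51f (hex) = 1311 = ERROR_NO_LOGON_SERVERS.
$script:AdBindSubcodes = @{
    '51f' = 'ERROR_NO_LOGON_SERVERS: no domain controller could be contacted for the logon'
    '525' = 'user not found'
    '52e' = 'invalid credentials (wrong password)'
    '530' = 'not permitted to log on at this time'
    '531' = 'not permitted to log on from this workstation'
    '532' = 'password expired'
    '533' = 'account disabled'
    '701' = 'account expired'
    '773' = 'user must reset password'
    '775' = 'account locked out'
}

function Get-LdapBindFailureReason {
    param([string]$ServerErrorMessage)   # may be empty when the server sent no diagnostic text
    if ($ServerErrorMessage -match 'data\s+([0-9a-fA-F]+)') {
        $code   = $Matches[1].ToLower()
        $reason = $script:AdBindSubcodes[$code]
        if (-not $reason) { $reason = "unlisted subcode (Win32 error $([Convert]::ToInt32($code, 16)))" }
        return "data $code = $reason"
    }
    return 'no AD subcode present in server message'
}

function Test-LdapBind {
    param(
        [Parameter(Mandatory)][string]$Server,                 # placeholder, e.g. dc01.corp.example
        [Parameter(Mandatory)][string]$UserName,               # DOMAIN\user or UPN
        [Parameter(Mandatory)][securestring]$Password,
        [System.DirectoryServices.Protocols.AuthType[]]$AuthTypes = @('Negotiate', 'Basic'),
        [switch]$UseSsl   # LDAPS on 636; without it a Basic (simple) bind sends the password in clear
    )
    $port = if ($UseSsl) { 636 } else { 389 }
    $cred = New-Object System.Net.NetworkCredential($UserName, $Password)
    foreach ($auth in $AuthTypes) {
        $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $port)
        $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
        $conn.SessionOptions.ProtocolVersion   = 3
        $conn.SessionOptions.SecureSocketLayer = [bool]$UseSsl
        $conn.AuthType   = $auth
        $conn.Credential = $cred
        try {
            $conn.Bind()
            [pscustomobject]@{ AuthType = "$auth"; Result = 'bind OK'; Detail = '' }
        } catch [System.DirectoryServices.Protocols.LdapException] {
            [pscustomobject]@{
                AuthType = "$auth"
                Result   = "LDAP error $($_.Exception.ErrorCode)"
                Detail   = Get-LdapBindFailureReason -ServerErrorMessage ([string]$_.Exception.ServerErrorMessage)
            }
        } finally {
            $conn.Dispose()
        }
    }
}

# Decode the subcode from the log line in the question (message text copied from it):
Get-LdapBindFailureReason -ServerErrorMessage '80090311: LdapErr: DSID-0C0905DE, comment: AcceptSecurityContext error, data 51f, v1db1'
# Live bind test (placeholders):
# Test-LdapBind -Server 'dc01.corp.example' -UserName 'CORP\svc-mdm' -Password (Read-Host -AsSecureString 'Password') -UseSsl
```

Running Test-LdapBind from the console server itself, as the answer suggests with LDP.exe, separates a credential problem (52e, 775 and similar) from a reachability problem (51f), which a plain "error code 49" cannot.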

Sharing storage among VMs

I have used AWS, Azure and Google App Engine, but I find the ability to share storage lacking in them (correct me if I am wrong). My basic need is to have multiple VM instances having a common storage. My setup is
having 2 sets of servers. The 1st set will be running a web app that will upload files. The 2nd set will be processing the files. None of these services allow you to attach common disks to multiple VMs. I tried to create an Azure File Service but the 1st step is giving an error. Get-Account does return my account data.
$ctx=New-AzureStorageContext <account name> <account key>
I've got no clue what that <account key> is. I tried using the Azure login password as the account key but got the following error
PS C:\> $ctx=New-AzureStorageContext mewtoo **password**
New-AzureStorageContext : Invalid length for a Base-64 char array or string.
At line:1 char:6
+ $ctx=New-AzureStorageContext mewtoo *********
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : CloseError: (:) [New-AzureStorageContext], FormatException
+ FullyQualifiedErrorId : Microsoft.WindowsAzure.Commands.Storage.Common.Cmdlet.NewAzureStorageContext
Obviously the last option would be to upload/download the files using HTTP calls. But the files can be 100MB to 1GB+ in size, so downloading each file, processing it and uploading it back will be time consuming. If better solutions are available, please let me know.
Thanks in advance.
The account key is the access key for your storage account, which you can find in the management portal:
Here's a step-by-step guide to create a new share: http://blogs.technet.com/b/canitpro/archive/2014/09/23/step-by-step-create-a-file-share-in-azure.aspx
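As an added example (not from the question, the answer or the linked guide), here is the same flow with the current Az module: fetch the storage account access key (the "account key" the old cmdlet wanted, which is not the portal login password), create the file share if it is missing, and mount it on each VM so the web tier and the processing tier read and write the same files without an upload/download step. Resource group, storage account, share and drive names are placeholders; it assumes the Az module with a Connect-AzAccount session for the first function, and Windows VMs for the second.

```powershell
# Added example (not from the question or answer). Requires: Install-Module Az; Connect-AzAccount.
function New-SharedUploadShare {
    param(
        [Parameter(Mandatory)][string]$ResourceGroupName,
        [Parameter(Mandatory)][string]$StorageAccountName,
        [Parameter(Mandatory)][string]$ShareName
    )
    # The "account key" is one of the storage account's two access keys. Read it from ARM
    # rather than pasting it around; it grants full control over the whole account.
    $key = (Get-AzStorageAccountKey -ResourceGroupName $ResourceGroupName -Name $StorageAccountName)[0].Value
    $ctx = New-AzStorageContext -StorageAccountName $StorageAccountName -StorageAccountKey $key

    # Idempotent: reuse the share if it already exists.
    $share = Get-AzStorageShare -Name $ShareName -Context $ctx -ErrorAction SilentlyContinue
    if (-not $share) { $share = New-AzStorageShare -Name $ShareName -Context $ctx }

    [pscustomobject]@{
        UncPath    = "\\$StorageAccountName.file.core.windows.net\$ShareName"
        AccountKey = $key   # deliver to the VMs via a secret store, not a checked-in script
    }
}

# Run on each VM (web tier and processing tier). Same steps the Azure Files docs describe:
# persist the credential with cmdkey, then map the share as a persistent drive.
function Mount-SharedUploadShare {
    param(
        [Parameter(Mandatory)][string]$StorageAccountName,
        [Parameter(Mandatory)][string]$ShareName,
        [Parameter(Mandatory)][string]$AccountKey,
        [string]$DriveLetter = 'Z'
    )
    $fileHost = "$StorageAccountName.file.core.windows.net"
    cmdkey.exe /add:$fileHost /user:"AZURE\$StorageAccountName" /pass:$AccountKey | Out-Null
    New-PSDrive -Name $DriveLetter -PSProvider FileSystem -Root "\\$fileHost\$ShareName" -Persist -Scope Global
}

# Usage (placeholders): create once from an admin workstation, then mount on every VM.
# $info = New-SharedUploadShare -ResourceGroupName 'rg-ingest' -StorageAccountName 'mewtoo' -ShareName 'uploads'
# Mount-SharedUploadShare -StorageAccountName 'mewtoo' -ShareName 'uploads' -AccountKey $info.AccountKey
```

Because every VM holds the account key, rotating it with New-AzStorageAccountKey and re-running the mount step should be part of the operating routine, and the key should live in a secret store rather than in the VM build scripts.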