I registered a native application on Azure Active Directory via powershell 6 (module AzureAD.Standard.Preview) and I need to grant the permissions with powershell 6 code (Settings > Required permissions> Grant permissions). I'm using the AZ modules.
I tried with this solution http://www.lieben.nu/liebensraum/2018/04/how-to-grant-oauth2-permissions-to-an-azure-ad-application-using-powershell-unattended-silently but this use powershell 5 and the old AzureRM module. It doesn't work with AZ module because the refresh token doesn't exist.
How is it possible to grant permission to a native app registered on AAD with PowerShell 6 and the AZ module?
Related
I've installed the latest version of MS AAD Connect Provisioning Agent (1.1.997.0), however the authentication step fails with the error "Please provide the Azure AD credentials of a global administrator or a hybrid administrator." I've tried both types (a gAdmin account as well as a hybrid identity admin) with no success. Is there a known issue?
I just followed the instructions as documented by MS.
downloaded and installed the latest version of the agent from AAD Connect cloud sync provisioning blade.
Once the agent installs the AAD authentication wizard launches but no matter which creds I use (global or hybrid admin), the error persists.
Instructions: https://learn.microsoft.com/en-us/azure/active-directory/cloud-sync/tutorial-pilot-aadc-aadccp
I tried to reproduce the same in my environment and got below error with Non-Admin Account credentials
Steps to Create AAD Connect Configuration:
1)Download the AAD Connect tool here and install.
2)Select Customize -> Choose any sign in method (For testing I selected password hash synchronization) -> Next
3)Make sure to enter Global admin credentials to sync to Azure AD.
4)Enter your On-Prem DC Admin credentials to verify the DC access, you will get below screen once you validate both Azure AD Global and DC Admin Credentials.
5)Complete next steps and finish the installation.
6)Verify Sync after completing the AAD installation.
7)Open Synchronization Service Manager and check sync Status.
8)Also check the status in Azure Portal
To disable IE Enhanced Security, you can follow below steps:
Go to Server Manager -> Local Servers -> IE Enhanced Security Configuration -> Select Off
I have a requirement to get RBAC Roles from subscription using PowerShell. I'm trying to run Get-AzRoleAssignment using an AAD App Registration. I am able to connect to subscription but unable to get RBAC Roles. Can someone tell me what might be the problem with my app permissions.
Run the Connect-AzAccount command and log in with the tenant administrator or subscription administrator account.
Run the Get-AzRoleAssignment command.
Adding Admin Consent to Azure Service Management solved my issue
I'm getting ERROR: Insufficient privileges to complete the operation. when running az ad app permission add
What permission do I need to grant my service principal for this to work?
I gave it the AppRoleAssignment.ReadWrite.All permission which says:
Allows the app to manage permission grants for application permissions to any API (including Microsoft Graph) and application assignments for any app, on behalf of the signed-in user.
Update: I also gave it Application.ReadWrite.All, but still getting the error.
I also gave it Application.ReadWrite.All, but still getting the error.
The Application.ReadWrite.All Application permission is enough. I suppose you gave the Application.ReadWrite.All permission in Microsoft Graph, it will not work. You need to use the Application.ReadWrite.All in Azure AD Graph, then it will work.
After giving the permission, wait for a while, run the command, it returns a warning, refresh the portal, you will find the API permission was added.
Since the Microsoft graph API is not working with the Azure CLI AD App permissions and the Azure AD graph API is deprecated from 2020 April, this can be achieved by giving Application administrator permissions to the AD app.
From Azure AD go to Roles and administrator > Application administrator.
Then Add assignment, find your client app and add it to the application administrator.
az cli is getting updated to use MS Graph API according to: https://github.com/Azure/azure-cli/issues/12946#issuecomment-737196942
Presumably this update will occur before AAD Graph API is retired on 6/30/2022: https://github.com/azure-deprecation/dashboard/issues/178
Once az cli gets updated then Application.ReadWrite.All permission on MS Graph API should work.
There is a deprecation warning for the Azure AD Graph API as below.
This application is using Azure AD Graph API, which is on a deprecation path. Starting June 30th, 2020 we will no longer add any new features to Azure AD Graph API. We strongly recommend that you upgrade your application to use Microsoft Graph API instead of Azure AD Graph API to access Azure Active Directory resources
Also it seems the Microsoft Graph API is not working even though the relevant permissions are not provided.
We have an account that is an Application Administrator, and with that account, we registered an App.
When attempting to add permissions both Application and Delegated, there would be a message saying it needs admin approval. When trying to give admin consent from the apps permissions page with the following image would pop up
The permissions we were attempting to give were:
-Microsoft Graph: Reports.Read.All
-Office 365 Management API: ServiceHealth.read
And these were both Application and Delegated
What Exactly is happening here?
Are we doing something wrong?
You need to login in your application with the Azure AD global admin account.(Application Administrator can not do this)
Or you can ask your Azure AD admin to grant admin consent on Azure portal.
Go to your application->API permissions-Grant consent.
Could you please let me know, How we can be able to added the co-administrator or my colleague to the newly created B2C tenant as a Global admin.
I’m struggling to find the way out. I have gone through some article were it point to add/import the user from external Azure active directory as source using classic portal.
Scenario is: I’ve created the B2C tenant were I marked as GA. I want my colleague to manage the directory in my absence.
Have followed the guide to assign Admin Roles to a User in Azure AD. On the Step 5, select the Global Administrator under Directory Role
Still not able to connect through Powershell
Still not able to connect through Powershell
Do you mean your colleague can't use his Azure AD account to login your Azure AD with PowerShell? With this command Connect-AzureAD?
We can via Azure classic portal to add Global Admin role to your colleague's account, like this:
After that, we can use PowerShell to login your Azure AD with -TenantId, like this:
connect-azuread -TenantId 0e0a9c5d-xxxx-xxxx-xxxx-xxxx375bxxxx
============================
Update:
If you want make your account can login new azure portal, we should grant your account admin permission of this subscription, we can set this here: