I registered a bot using Bot Channels Registration on Azure portal. I then generated a password for the bot. Now my requirement is to be able to update this password programmatically.
I tried removing the password using this powershell api and also using Azure Active Directory Graph API. In the both the approaches I get the same error
Updates to converged applications are not allowed in this version
Can anybody help me how converged applications are different from non-converged applications? And how can I resolve above error or use some alternative approach to update the password for my registered bot.
I don't believe there's a way to do with PowerShell at this time (it's the version of the cmdlets that don't currently support the operation). I attempted to try to just add an additional password via PowerShell, and got the same exception.
$pass = convertto-securestring "MyNewPasswword" -asplaintext -force
New-AzureRmADAppCredential -Password $pass -ObjectId $myapp.ObjectId
You can add and remove passwords through a GUI by going here:
https://apps.dev.microsoft.com/
Regarding your question of "Can anybody help me how converged applications are different from non-converged applications? ", I'm not sure I can answer that question. You might start here:
https://learn.microsoft.com/en-us/azure/active-directory/develop/
You need to create your new password {password} and pass --available-to-other-tenants
az ad app create --password {password} --available-to-other-tenants
Related
It is possible to assign app role access for an app registration in terraform using required_resource_access for azuread_application. This will give access to a custom role to my API to another application/service principal.
I would like to do the same for a managed identity, but cannot figure a way to do that with terraform. It can be done with powershell like that e.g.:
New-AzureADServiceAppRoleAssignment -ObjectId $managedIdentityObjectId -Id $appRoleId -PrincipalId $managedIdentityObjectId -ResourceId $serverServicePrincipalObjectId
This call to graph api would achieve the same I think:
POST /servicePrincipals/{objectId}/appRoleAssignments
But I'd really love to do that with terraform if possible.
There is no such built-in resource in Terraform to achieve this, the only related thing here - azuread_application_app_role, if you want to do that, the workaround is to run the powershell command in Terraform manually via local-exec Provisioner.
I have a script which (among many other things) creates a service principal in our corp AAD instance. Since I've collected a good number of service principals during my time here, it would be nice to distinguish them visually using a photo. Is there any way to do this via script? I've found Set-AzureADUserThumbnailPhoto but it doesn't seem to work for AAD applications.
You are looking for Set-AzureADApplicationLogo, when you use it set the logo of the AD App(app registration), its service principal(enterprise application) logo will also change.
Set-AzureADApplicationLogo -ObjectId <app-objectid> -FilePath C:\Users\joyw\Desktop\pic.jpg
We have an enterprise application in our Azure AD tenant for provisioning users to another SaaS platform. Currently it is only setup with the option "Sync only assigned users and groups" since we do not want the whole directory brought over.
My question is simple, is there a way to use the az-cli (currently have version 2.0.60 installed) to add users to that enterprise application?
I checked out the:
az ad sp
az ad app
az role assignment (seems to only work with subscriptions and resources below)
I would expect there would be a simple role assignment command to run that adds a user by upn/objectId to the enterprise application.
Everyone in my team are using Mac's and we could use PowerShellCore if that has better support.
Thanks!
If it helps, I did this using az rest. We all use Macs here and PowerShell core seems broken in a few places (doesn't support certificate-based logins and the New-AzureADUserAppRoleAssignment cmdlet didn't work for us. We were using the preview version. The Graph API docs are also quite wrong so took a bit of fiddling to get the right endpoint and payload. Example below:
az rest \
--method post \
--uri https://graph.microsoft.com/beta/users/$user/appRoleAssignments \
--body "{\"appRoleId\": \"$appRoleId\", \"principalId\": \"$user\", \"resourceId\": \"$spObjectId\"}" \
--headers "Content-Type=application/json"
Can post a sample bash script for the above that sets the vars if anyone's interested?
It seems you could not do that via Azure CLI, my workaround is to use powershell to do that.
Everyone in my team are using Mac's and we could use PowerShellCore if that has better support.
First, you need to install the AzureAD.Standard.Preview powershell module which supports powershell core, you can understand the module is an equivalent of AzureAD module in powershell core, they have the same usage, it is a preview version, for more details see this link.
Then try the command New-AzureADUserAppRoleAssignment as below, this sample assigns a user to an application with default app role id.
New-AzureADUserAppRoleAssignment -ObjectId "<user objectid>" -PrincipalId "<user objectid>" -ResourceId "<service principal objectid(i.e. Enterprise Application objectid)>" -Id ([Guid]::Empty)
Check in the portal:
If you want to assign a user to a specific app role within an application, try the command below.
$username = "<You user's UPN>"
$app_name = "<Your App's display name>"
$app_role_name = "<App role display name>"
# Get the user to assign, and the service principal for the app to assign to
$user = Get-AzureADUser -ObjectId "$username"
$sp = Get-AzureADServicePrincipal -Filter "displayName eq '$app_name'"
$appRole = $sp.AppRoles | Where-Object { $_.DisplayName -eq $app_role_name }
#Assign the user to the app role
New-AzureADUserAppRoleAssignment -ObjectId $user.ObjectId -PrincipalId $user.ObjectId -ResourceId $sp.ObjectId -Id $appRole.Id
Is it possible to create Azure AD B2C tenants programmatically (e.g. with Powershell, REST API)?
We are developing a multi-tenant SaaS solution for which we would like to create an Azure B2C tenant automatically whenever a new tenant registers.
I'm afraid currently you cannot create Azure AD using either the APIs or using PowerShell. Although you can create additional directories in a subscription you cannot create one using any automation.
You can use PowerShell AzureADPreview 2.0 module to manage custom policies, applications, etc. Although not such a complete thing like ARM Templates, but you can automate many things for now.
Full doc is here: AzureADPreview 2 docs
I had no success to install this module to "old" PowerShell (5.x) so I gave a shot to the 'new' PowerShell 7 (Core). The only issue with PowerShell 7 and AzureAD module is that Connect-AzureAD uses a cryptographic function which is not in .NET Core, so you must import the AzureADPreview module using the -UseWindowsPowerShell option.
Here is a sample, works with PowerShell 7:
Install-Module AzureADPreview
Import-Module AzureADPreview -UseWindowsPowerShell
$tenantId = "yourb2ctenant.onmicrosoft.com"
# Note: this will interactively ask your credentials.
# If you want to run this unattended, use the -Credential parameter with a PSCredential object with a SecureString
Connect-AzureAD -TenantId $tenantId
# ready to go
#list your all custom policies:
Get-AzureADMSTrustFrameworkPolicy
# upload a policy:
$policyId = "B2C_1A_TrustFrameworkBase"
$policyFileName "YourTrustFrameworkBase.xml"
Set-AzureADMSTrustFrameworkPolicy -Id $policyId -InputFilePath $policyFileName
#list your all apps
Get-AzureADApplication
# examine one of you app and get ideas
$application = Get-AzureADApplication -ObjectId af46a788-8e55-4301-b2df-xxxxxxxxx
# create an application
$applicationName = "yourappname"
$application = New-AzureADApplication -DisplayName $applicationName -PublicClient $true etc
I am pretty sure that the settings that I am using are correct, so all possible things can be wrong which I should check out so that I can make authentication with our Active Directory work.
Try test if PHP can connect to active directory
<?php
$ds = ldap_connect('host.ad.lan', 389);
ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
ldap_bind($ds, 'admin#ad.lan', 'xxx');
$sr = ldap_search($ds, 'CN=Cameron Zemek,OU=Users,OU=BRC,DC=ad,DC=lan', '(objectclass=*)', array('cn'));
$entryID = ldap_first_entry($ds, $sr);
$data = ldap_get_attributes($ds, $entryID);
print_r($data);
ldap_close($ds);
What do you have has your $config['ldap_user'] and $config['ldap_uid'] ? You want to set $config['ldap_uid'] to sAMAccountName
There is a trick to do activeDirectory auth with phpbb3. You should:
make an account in phpBB with a name identical to some AD-name
give this account admin/founder rights in phpBB
login with this account
set up auth parameters from within this account
By the way, what error messages do you get from phpBB?
#grom... thanks but, yes PHP is working just fine. I have a WordPress and a MediaWiki installation on the same server, and they are both authenticating against the same active directory just fine.
phpBB3 does not offer much info about how to enable LDAPS, so I hope this helps someone...
Note that you may need to actually clear all phpBB3 cookies immediately after the base installation. This will allow the admin user to see the ACP. Once you are able to consistently log into phpBB3 as an admin, and want to enable LDAPS authentication, do the following (tested with AD and Debian stretch):
Obtain the root TLS certificate from your AD/LDAP Administrator, or get it yourself with something like:
# openssl s_client -showcerts -connect google.com:443
See the MediaWiki documentation, as phpBB3 docs are quite sparse:
https://www.mediawiki.org/wiki/Extension:LDAP_Authentication/Requirements
Install the PEM formatted certificate with a .crt name into your OS certificate store. For Debian based systems, that would be /usr/local/share/ca-certificates then run # dpkg-reconfigure ca-certificates
Configure /etc/ldap/ldap.conf to your local settings. Note that port 3268 may not have in-built limits like 686 with AD. YMMV.
Create a special AD user for binding. Give it permissions to lookup, but not to change, attributes. Confirm that the credentials work with ldapsearch. eg: ldapsearch -x -LLL -h ad.mydomain.com -D binduser -W -z 30 -b "dc=mydomain,dc=com" searchString
Create a phpBB3 user with the same username as the above AD bind user. As the phpBB3 admin, grant the AD bind user Founder permissions.
Using a different browser, log into phpBB3 as the binduser, then set up the LDAP Authentication as that user. (As noted in the above post).
Test it! Logout of phpBB3 and then login again using the LDAP/AD credentials.
If that does not work, the PHP dev documentation is quite good, and offers many comments with examples and example code to try.