I'm trying to invoke an ARM template that requires a PrincipalId of the currently signed in user.
https://learn.microsoft.com/en-us/azure/templates/microsoft.keyvault/vaults
I've signed in using powershell, as a guest account in the organisation's AAD.
When I check the resulting context, I get:
Name : [sky.sigal#ministryof.me, 5f813400-5b93-43b0-af8f-5fd04714f1ef]
Account : me#here.com
SubscriptionName : SomeSubscriptionName
TenantId : e6d2d4cc-b762-486e-8894-4f5f540d5f31
Environment : AzureCloud
I'm wondering how to get the AAD ObjectId from the above, without string parsing "Name"?
Note that the documentation for the ARM Template is not very clear so not sure if me#here.com would work just as well (am assuming it's talking about a Guid).
Thank you.
You can also get it using the azure cli
az ad signed-in-user show --query objectId -o tsv
You could try Get-AzureRmADUser to get the ObjectId .
Sample:
Get-AzureRmADUser -UserPrincipalName "xxxx#xxxx.com"
Result:
The Id is the ObjectId, you could get it. Also, you could get it via other properties, not only -UserPrincipalName, just refer to the link of the command.
Update:
If you use a Guest account, you could try the command below.
Get-AzureADUser | ?{$_.UserType -eq "Guest"} | ?{$_.UserPrincipalName -like "*partofyouraccount*"}
Note: Before using this command, you need to install Azure AD powershell module.
The info on "Name" you are seeing is related to the subscription. Use the command below to get the objectId under "Account":
(Get-AzContext).Account.ExtendedProperties.HomeAccountId.Split('.')[0]
I am not an expert in AAD but I have found that my own personal Azure subscription unrelated to my work one returns nothing for the following command:
# does not work sometimes
(Get-AzADUser -UserPrincipalName (Get-AzContext).Account).Id
However I found that I can reliably get my user principal name (UPN) and object ID using the Az CLI to get an access token then the Microsoft Graph API to each back the user information.
$token = Get-AzAccessToken -Resource "https://graph.microsoft.com/"
$headers = #{ Authorization = "Bearer $($token.Token)" }
Invoke-RestMethod https://graph.microsoft.com/v1.0/me -Headers $headers
With Powershell cmdlets:
$myObjectId = (Get-AzADUser -UserPrincipalName (Get-AzContext).Account).Id
Related
I have created a provisioning mechanism not unlike this here:
group provisioning mechanism
I have successfully implemented the whole workflow on my developer tenant. Now our productive environment, I always receive this error:
[Error]Invoke - RestMethod: {
"error": "unauthorized_client",
"error_description": "AADSTS70001: Application 'ffffffff-...' is disabled.\r\nTrace ID: ffffffff-180f-4bc4-8087-867633c83e00\r\nCorrelation ID: ffffffff-2e5d-481d-adee-f068dbebaab1\r\nTimestamp: 2018-10-29 09:06:59Z",
"error_codes": [70001],
"timestamp": "2018-10-29 09:06:59Z",
"trace_id": "ffffffff-180f-4bc4-8087-867633c83e00",
"correlation_id": "ffffffff-2e5d-481d-adee-f068dbebaab1"
}
This is my code, that should do the authentication:
function Initialize-Authorization {
param
(
[string]
$ResourceURL = 'https://graph.microsoft.com',
[string]
[parameter(Mandatory)]
$TenantID,
[string]
[Parameter(Mandatory)]
$ClientKey,
[string]
[Parameter(Mandatory)]
$AppID
)
$Authority = "https://login.microsoftonline.com/$TenantID/oauth2/token"
Write-Output "auth: $Authority"
[Reflection.Assembly]::LoadWithPartialName("System.Web") | Out-Null
$EncodedKey = [System.Web.HttpUtility]::UrlEncode($ClientKey)
$body = "grant_type=client_credentials&client_id=$AppID&client_secret=$EncodedKey&resource=$ResourceUrl"
Write-Output "body: $body"
# Request a Token from the graph api
$result = Invoke-RestMethod -Method Post ` #`
-Uri $Authority ` #`
-ContentType 'application/x-www-form-urlencoded' ` #`
-Body $body
$script:APIHeader = #{'Authorization' = "Bearer $($result.access_token)" }
}
I already tried generating new keys but I'm stuck. How can the app registration be disabled?
Can someone guide me in the right direction with this?
It appears the ServicePrincipal object for your app, in your production tenant, has been disabled. The ServicePrincipal object is represented under "Enterprise apps" in the Azure portal.
In the production tenant, navigate to the Azure portal > Azure AD > Enterprise applications. Search for your app (if it doesn't show up initially, make sure you've selected "All Applications", under "Application Type"). Choose the app, and in the new blade, choose "Properties", on the left.
If "Enabled for users to sign in?" is set to "No", then the app is disabled in that tenant. Setting it to "Yes" will enable it.
Apps don't generally get disabled automatically, so it will probably be a good idea for you to understand why this was disabled, and ensure everyone is clear on what the requirements are.
My requirement is to fetch the OnPremisesDistinguishedName attribute of a user object via Microsoft Graph API.
After doing some extensive R & D I have observed that in the blog post
https://social.technet.microsoft.com/Forums/lync/en-US/df2b1b2b-a7ca-4b34-9ddf-82ffd78fc96e/how-to-retrive-ou-details-in-scripts-that-are-synced-with-office-365-with-aadc?forum=onlineservicesexchange
the same can be achieved via the powershell module as
Get-AzureADUser -SearchString <any string> | select -ExpandProperty ExtensionProperty)["onPremisesDistinguishedName"]
However how can this be achieved via GraphAPI ?
Any thoughts?
onPremisesDistinguishedName exist from January 2019.
API DOC.
Graph API doesn't provide the onPremisesDistinguishedName property.
Currently, we can get the following properties related to onPremises: onPremisesDomainName,onPremisesExtensionAttributes,onPremisesImmutableId onPremisesLastSyncDateTime,onPremisesProvisioningErrors,onPremisesSamAccountName
onPremisesSecurityIdentifier,onPremisesSyncEnabled,onPremisesUserPrincipalName
Call the graph api like this:
https://graph.microsoft.com/v1.0/users/test#test.onmicrosoft.com/?$select=onPremisesDomainName,onPremisesDistinguishedName
Because no property named onPremisesDistinguishedName, so although we add it to the query but it will be ignore.
If the above properties doesn't suit your requirement, you can submit an feature request in the user vocie.
More information for your reference: https://developer.microsoft.com/en-us/graph/docs/api-reference/v1.0/resources/user
How to know the permissions of my azure ad app have for other APIs, such as Microsoft Grahp API .
In portal , i could check that in the [API Access]-->[Required permissions] , but how do i check that with powershell , i used
Get-AzureRmADApplication -ObjectId ,
Get-AzureRmADApplication -ObjectId xxxxx | fl *
But little attributes returned and AppPermissions is null , but with fiddle , i notice it use below request :
GET https://graph.windows.net/mytenant/applications/id?api-version=1.6 HTTP/1.1
And i could find a lot of attributes of that app ,which one shows the permission of the app and how do i get that in powershell ?
You could try the Azure Active Directory PowerShell Version 2 , the use command like :
$app = Get-AzureADApplication -Filter "appId eq '$appId'" | fl *
to get the RequiredResourceAccess claim ,that is the collection that is shown under "permissions to other applications" in the azure ad classic portal and "Required permissions" in new portal .
In addition , PowerShell essentially wraps the API's and just presents them to you in a simplified interface. If you don't find a command to do what you want you can always using PowerShell to invoke the Graph API directly. Please refer to below article for how to call Azure Active Directory Graph Api from Powershell :
https://blogs.technet.microsoft.com/paulomarques/2016/03/21/working-with-azure-active-directory-graph-api-from-powershell/
And here is a test code sample :
PS C:\Users\v-nany> $header = #{
>> 'Content-Type'='application\json'
>> 'Authorization'=$token.CreateAuthorizationHeader()
>> }
PS C:\Users\v-nany> $uriSAs = "https://graph.windows.net/xxxxxxx/applications/xxxxxx?api-version=1.6 "
PS C:\Users\v-nany> $appInfo = (Invoke-RestMethod -Uri $uriSAs –Headers $header –Method Get –Verbose)
PS C:\Users\v-nany> $appInfo.requiredResourceAccess
You will get resourceAppId represents the resource , and related resourceAccess which is a scope list.
I'm coding on top of some JNI libraries, and I don't really know the details about how they are doing it, but the output of lib is the windows domain user information with sid and sids... They look as shown below
sids: [
"S-1-5-21-2923429462-2395316905-2569861443-1123",
"S-1-5-32-545",
"S-1-5-2",
"S-1-5-5-0-79699478",
"S-1-5-11",
"S-1-1-0",
"S-1-5-15",
"S-1-18-1",
"S-1-5-21-2923429462-2395316905-2569861443-513"
],
sid: "S-1-5-21-2923429462-2395316905-2569861443-1123"
Issue
Can I get the information without a password but only with a user
id?
Is the information changeable?
What are SIDs... I thought there's only one secure identifier.
I'll take a stab at it:
I understand that you're using a Java Native Interface but I'm not sure what other language you're using. If it is with Active Directory, Powershell is perfect for it, though, I'm not sure how it would work with a JNI.
Anyway, here is what I can gather. Each account has a specific Security Identifier, called a SID. There are well-known SIDs for the common accounts (Administrator, for example). Even local account and groups have SIDs, as with any in Active Directory.
If you want to translate a SID to an account, that isn't a problem. If you aren't using Powershell, at least this may give you a starting point:
$SID = New-Object System.Security.Principal.SecurityIdentifier("SID_GOES_HERE")
$user = $SID.Translate([System.Security.Principal.NTAccount])
$user.Value
You could feed each line into these 3 steps by putting it into a function like so:
Function SIDtoUser($SIDint) {
$SID = New-Object System.Security.Principal.SecurityIdentifier($SIDint)
$user = $SID.Translate([System.Security.Principal.NTAccount])
return $user.Value
}
Gather all of the SIDs into an array and run through them like this:
$SIDArray | %{
SIDtoUser($_)
}
I hope this helps. Let me know if I can assist any further.
I’m trying to get Active Directory authentication working with Eucalyptus, but I’m not able to login to the console with the configured credentials. I’ve the following in my .lic file:
PROPERTY authentication.ldap_integration_configuration {
"ldap-service":{
"server-url":"ldap://<ldap-server-ip>:389",
"auth-method":"simple",
"user-auth-method":"simple",
"auth-principal":"eucalyptus#mydomain",
"auth-credentials":"{RSA/ECB/PKCS1Padding}oRv4cHzkJqBxqnT3S/w9tXAOAkrblaw/iGZtuXw4GWipcGbfthrthrDCt8U6P5G4re6eLd9hzcNYxPIdoNqEDeiWF9hfJB8Ndf1kEDV0xGXnzTHhI14F1DcaaasYMkvrqUqcefKrSmsGyg4JtcHF96kEtj3bhsdfsdfw3IpuRn0o4y2+iMoq+JkxOFogHuhGhtdMa7fsdfsdf232m0vOrFUeln5uI619yEFmoVtIsOZbF6tEJsM64GzSbtl0dOaSCdnHmOYeQ6ksfFcdmxz0/1QMOakHC+ntdGTZrO+83UQYGWue9IjKXP0dWTCpXNnp6+P6un+jY2cM25bR3uw==",
"use-ssl":"false",
"ignore-ssl-cert-validation":"true",
"krb5-conf":"/etc/krb5.conf",
},
"sync":{
"enable":"true",
"auto":"true",
"interval":"6000",
"clean-deletion":"true",
},
"accounting-groups":{
"base-dn":"OU=Eucalyptus,OU=Groups,MY_BASE_DN",
"id-attribute":"cn",
"member-attribute":"member",
"member-item-type":"cn",
"selection":{
"filter":"(&(objectClass=group)(!(memberOf=*)))"
}
},
"groups":{
"base-dn":" OU=Sec Groups,MY_BASE_DN",
"id-attribute":"cn",
"member-attribute":"member",
"member-item-type":"cn",
"selection":{
"filter":"(&(objectClass=group)(memberOf=*))",
}
},
"users":{
"base-dn":"MY_BASE_DN”,
"id-attribute":"cn",
"user-info-attributes":{
"displayname":"Full name"
},
"selection":{
"filter":"(&(objectClass=organizationalPerson)(objectClass=user))"
}
},
}
And the LDAP sync status:
# euare-getldapsyncstatus
EUARE_URL environment variable is deprecated; use AWS_IAM_URL instead
SyncEnabled true
InSync false
In the log files, I see the following:
Mon Dec 29 11:31:14 2014 ERROR [LdapSync:LDAP sync] User admin is reserved for Eucalyptus only. Sync will skip this user from LDAP.
I’ve an accounting group added to the accounting-groups base dn, and I see that group when I run the list command:
# euare-accountlist
EUARE_URL environment variable is deprecated; use AWS_IAM_URL instead
(eucalyptus)blockstorage 886472098984
eucalyptus 144711845746
mygroup 752874470188
However, no members of that accounting group appear:
# euare-grouplistbypath
EUARE_URL environment variable is deprecated; use AWS_IAM_URL instead
Groups
# euare-userlistbypath
EUARE_URL environment variable is deprecated; use AWS_IAM_URL instead
arn:aws:iam::144711845746:user/admin
I’ve tried every combination of username, DOMAIN\username, username#domain that I can think of, but I still can’t login to the Eucalyptus console. Any suggestions?
Thanks,
Dan
Ok, so in answer to my own question, it appears as if it was working. After logging into the console using the admin login credentials created during the install/configure, I was able to see that the users were being created correctly. I made one small tweak to the .lic file, namely I set the id-attribute to use sAMAccountName rather than cn to meet user expectations for their login.
"users":{
"base-dn":"MY_BASE_DN”,
"id-attribute":"sAMAccountName",
"user-info-attributes":{
"displayname":"Full name"
},
"selection":{
"filter":"(&(objectClass=organizationalPerson)(objectClass=user))"
}
Also, I failed to pass in the the account name when running the euare-userlistbypath, namely:
euare-userlistbypath --as-account mygroup
Running with the account retrieves the user list as expected.