I am trying to set companyname for a given user in Azure AD. I havent been able to find any samples with set-azureadusercompanyname, can anyone provide a sample?
Based on the ServerFault link above, you can set this (I have tested) using:
Set-AzureADUserExtension -ObjectId <UPN> -ExtensionName "CompanyName" -ExtensionValue "<VALUE>"
In fact how I did it was:
Get-AzureADUser -SearchString user.name | Set-AzureADUserExtension -ExtensionName "CompanyName" -ExtensionValue "Company Name"
Related
I registered an application in Azure AD from PowerShell using the below script.
//To create new application
$myapp = New-AzureADApplication -DisplayName MyApp
$myappId=$myapp.AppId
//To set ApplicationID URI
Set-AzureADApplication -ApplicationId $myappId -IdentifierUris "api://$myappId"
//To retrieve details of new application
Get-AzureADApplication -Filter "DisplayName eq $myapp"
Now I want to set delegated API permissions(Calendars.Read, Application.Read.All, Directory.Read.All) for this app.
From Azure Portal, I know how to assign these. But is it possible to add these permissions via PowerShell? If yes, can anyone help me with the script or cmdlets?
Any help will be appreciated. Thank you.
Yes, it's possible to set delegated API permissions via PowerShell
Initially, please note AppID of new application that can be retrieved by below cmdlet:
Get-AzureADApplication -Filter "DisplayName eq $myapp"
Check whether you have Service Principal named "Microsoft Graph" using below cmdlet:
Get-AzureADServicePrincipal -All $true | ? { $_.DisplayName -eq "Microsoft Graph" }
In order to assign API permissions via PowerShell, you should know the GUIDs of those delegated permissions that can be displayed using below cmdlet:
$MSGraph.Oauth2Permissions | FT ID, Value
Note the IDs of required permissions like Calendars.Read, Application.Read.All and Directory.Read.All
Please find the complete script below:
$myapp = New-AzureADApplication -DisplayName MyApp
$myappId=$myapp.ObjectId
Get-AzureADApplication -Filter "DisplayName eq 'MyApp'"
$MSGraph = Get-AzureADServicePrincipal -All $true | ? { $_.DisplayName -eq "Microsoft Graph" }
$MSGraph.Oauth2Permissions | FT ID, Value
# Create a Resource Access resource object and assign the service principal’s App ID to it.
$Graph = New-Object -TypeName "Microsoft.Open.AzureAD.Model.RequiredResourceAccess"
$Graph.ResourceAppId = $MSGraph.AppId
# Create a set of delegated permissions using noted IDs
$Per1 = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList "c79f8feb-a9db-4090-85f9-90d820caa0eb","Scope"
$Per2 = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList "465a38f9-76ea-45b9-9f34-9e8b0d4b0b42","Scope"
$Per3 = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList "06da0dbc-49e2-44d2-8312-53f166ab848a","Scope"
$Graph.ResourceAccess = $Per1, $Per2, $Per3
# Set the above resource access object to your application ObjectId so permissions can be assigned.
Set-AzureADApplication -ObjectId $myappId -RequiredResourceAccess $Graph
Reference:
How to assign Permissions to Azure AD App by using PowerShell?
I am attempting to enumerate an array of certificates to a log file:
$allCerts = Get-ChildItem Cert:\LocalMachine\My\ | Select-Object name,subject,Thumbprint,Issuer,NotAfter
Then sending to log via logging function:
$allCerts | ForEach-Object {logger -logstr $_}
This shows the following in the log (sensitive info removed) - note the log isn't wrapped, this is one line for each cert:
[2020-0326-1003:11:10] : #{name=; Subject=CN=WinRM HTTPS mycomputer; Thumbprint=12345679679484747463etygvetevtreye; Issuer=CN=WinRM HTTPS computer; NotAfter=03/26/2023 09:38:09}
[2020-0326-1003:11:11] : #{name=; Subject=CN=mycompcert2.abc.de.fg; Thumbprint=fdhshs44he4hhh4the44h4h4; Issuer=CN=Enterprise CA, OU=Cert Svcs, O=A Corporation, L=location, S=state, C=AU; NotAfter=09/20/2050 10:30:00}
The only way I've found so far is to:
$allCerts | ForEach-Object {logger -logstr ($_ | Out-String)}
Which gives:
[2020-0326-0952:11:56] :
name :
Subject : CN=WinRM HTTPS mycomputer
Thumbprint : 12345679679484747463etygvetevtreye
Issuer : CN=WinRM HTTPS computer
NotAfter : 03/26/2023 09:38:09
[2020-0326-0952:11:57] :
name :
Subject : CN=mycompcert2.abc.de.fg
Thumbprint : fdhshs44he4hhh4the44h4h4
CN=Enterprise CA, OU=Cert Svcs, O=A Corporation, L=location, S=state, C=AU
NotAfter : 09/20/2050 10:30:00
Is there a "tidier" way I can enumerate the properties of each member of the array to a single line in the log without having to use | out-string?
your Logger function seems to require a string. so you need to build the string 1st. the default .ToString() method will not give you what you want, tho.
you can do a slightly iffy trick and use ConvertTo-CSV to give you the lines that would be in a CSV file ... and skip the 1st line to get rid of the header line. something like the following ...
[my cert list for the machine has no certs, so i used the current user. also, i have no Name property ... only a FriendlyName property.]
Get-ChildItem Cert:\CurrentUser\My |
Select-Object -Property FriendlyName, Subject, Thumbprint, Issuer, NotAfter |
ConvertTo-Csv -Delimiter ';' -NoTypeInformation |
Select-Object -Skip 1
output ...
"APNS certificate";"CN=95F066ED-5A55-4053-84A0-D49E72C4AF6B";"42DA37600AFD9F0423FDCCF298A89C6CF1F945C8";"CN=Apple iPhone Device CA, OU=Apple iPhone, O=Apple Inc., C=US";"2016-11-03 2:18:59 PM"
"APNS certificate Direct";"CN=8E9D6C89-2BEF-4677-A9AD-84645ABFE44A";"2580F9FD8CB5E49EAC1035940D0D8EC09746A078";"CN=Apple iPhone Device CA, OU=Apple iPhone, O=Apple Inc., C=US";"2019-12-09 3:39:44 AM"
if you want to strip out the quotes, that seems fairly easy. [grin]
I'm going to use Dbatools to check my job is running or not. If it isn't running I need to send out an email alert.
I only have a few backgrounds with PowerShell programming.
# Import-Module D:\Tools\dbatools\dbatools.psd1 if it isn't loaded
If ( ! (Get-module dbatools )) {
Import-Module D:\Tools\dbatools\dbatools.psd1
}
# Get the job status
Get-DbaAgentJob -SqlInstance My_SQL_Instance -Job My_Job_Name | Out-File C:\DBA\Result.txt
# Send the email alert if the job is not running
Send-MailMessage -From My_Email_Address -Subject "My_Job_Name job is not running..." -To User_Email_Address -Attachments C:\DBA\Result.txt -Body "The MiantoEDW replication job is not running..." -BodyAsHtml -SmtpServer My_SmtpServer
I need to verify the property of CurrentRunStatus to determine to send an email alert or not.
I would do something like the following:
$jobStatus = Get-DbaAgentJob -SqlInstance My_SQL_Instance -Job My_Job_Name
$jobStatus | Select-Object Name,CurrentRunStatus | Export-Csv C:\DBA\Result.csv -NoTypeInformation
if ($jobStatus.CurrentRunStatus -ne "Executing") {
# Run some code if job is not running
Send-MailMessage -From My_Email_Address -Subject "My_Job_Name job is not running..." -To User_Email_Address -Attachments C:\DBA\Result.csv -Body "The MiantoEDW replication job is not running..." -BodyAsHtml -SmtpServer My_SmtpServer
}
else {
# Run some code if job is running
}
Get-DbaAgentJob doesn't display the CurrentRunStatus property by default. You will need to retrieve it, which is done by Select-Object CurrentRunStatus. Since the command outputs an object, I chose to use Export-Csv to export a cleaner output that aligns the object properties and values. $jobStatus stores the output of the Get-DbaAgentJob command. Accessing the $jobStatus.CurrentRunStatus property for value Executing will verify if a job is currently running.
I've not used dbatools but I assume the CurrentRunStatus is available in the Result.txt file you're outputting to?
If so, assign the result of Get-DbaAgentJob to a variable and then Out-File from that variable. Then access the CurrentRunStatus property from the variable to determine whether or not to send the alert.
Hi,
I am trying to set the AAD(Azure Active Directory) application permission(read/write/execute & other settings) in ADLS(Azure DataLakeStore) using powershell commands.
I tried using below powershell command:
Set-AzureRmDataLakeStoreItemAclEntry -AccountName "adls" -Path /
-AceType User -Id (Get-AzureRmADApplication -ApplicationId 490eee0-2ee1-51ee-88er-0f53aerer7b).ApplicationId -Permissions All
But this command sets/displays the ApplicationId under "Access" properties in ADLS with only read/write/execute access. But this setting are not correct as I perform Manual steps of Service Authentication in ADLS.
Is there any other way to set permissions of AAD application in ADLS?
The parameter User of Set-AzureRmDataLakeStoreItemAclEntry commands should be the object ID of the AzureActive Directory user, group, or service principal for which to modify an ACE.
You can refer the command below to assign the permission:
Set-AzureRmDataLakeStoreItemAclEntry -AccountName "accountName" -Path / -AceType User -Id
(Get-AzureRmADServicePrincipal -ServicePrincipalName "{applicationId}").Id -Permissions All
More detail about this command, you can refer link below:
Set-AzureRmDataLakeStoreItemAclEntry
You need to set the ObjectId (not the application id) as the Id parameter to Set-AzureRmDataLakeStoreItemAclEntry
Set-AzureRmDataLakeStoreItemAclEntry -AccountName "adls" -Path / -AceType User -Id (Get-AzureRmADApplication -ApplicationId 490eee0-2ee1-51ee-88er-0f53aerer7b).Id -Permissions All
We are trying to find from which machine a user has taken rdp .
Using "quser" utility we are able to get all the information about logged in user except client name.
Following is the command
function Get-LoggedOnUser
{
param([String[]]$ComputerName = $env:COMPUTERNAME)
$ComputerName | ForEach-Object {
(quser /SERVER:$_) -replace '\s{2,}', ',' |
ConvertFrom-CSV |
Add-Member -MemberType NoteProperty -Name ComputerName -Value $_ -PassThru
}
}
It displays all the information which can be provided in Windows task manager except client Name .
How to get client Name using powershell?
I doubt if WMI has a way to do this. You can check the PSTerminal Services module and it has a Get-TSSession cmdlet which does the same job you are looking for.
http://archive.msdn.microsoft.com/PSTerminalServices
This module uses binary Cassia namespace.
You can use this:
http://gallery.technet.microsoft.com/scriptcenter/0e43993a-895a-4afe-a2b2-045a5146048a
and look for the logged on user with a logon type of RemoteInteractive
You can read that information from the Security eventlog (look for logon type 10):
$username = '...'
$eventID = 4624 # 526 on Server 2003 and earlier
$date = (Get-Date).Date
$pattern = 'logon type:\s+10[\s\S]+source network address:\s+(\S+)'
Get-EventLog Security -InstanceId $eventID -EntryType SuccessAudit `
-After $date -Message '*$username*' `
| ? { $_.Message -match $pattern } `
| % { $matches[1] } `
| select -Unique
Note that on Server 2003 and earlier you need to check for event ID 528 instead of 4624.
References:
http://technet.microsoft.com/en-us/library/cc787567
http://support.microsoft.com/kb/977519