How to set permissions for an Azure Active Directory application in Azure Data Lake Store using PowerShell commands - azure-active-directory

Hi,
I am trying to set the AAD (Azure Active Directory) application permissions (read/write/execute & other settings) in ADLS (Azure Data Lake Store) using PowerShell commands.
I tried using the PowerShell command below:
Set-AzureRmDataLakeStoreItemAclEntry -AccountName "adls" -Path / -AceType User -Id (Get-AzureRmADApplication -ApplicationId 490eee0-2ee1-51ee-88er-0f53aerer7b).ApplicationId -Permissions All
But this command sets/displays the ApplicationId under the "Access" properties in ADLS with only read/write/execute access. These settings are not correct, as I performed the manual steps of service authentication in ADLS.
Is there any other way to set permissions of AAD application in ADLS?

The User parameter of the Set-AzureRmDataLakeStoreItemAclEntry command should be the object ID of the Azure Active Directory user, group, or service principal for which to modify an ACE.
You can refer to the command below to assign the permission:
Set-AzureRmDataLakeStoreItemAclEntry -AccountName "accountName" -Path / -AceType User -Id (Get-AzureRmADServicePrincipal -ServicePrincipalName "{applicationId}").Id -Permissions All
For more detail about this command, refer to the link below:
Set-AzureRmDataLakeStoreItemAclEntry

You need to set the ObjectId (not the application id) as the Id parameter of Set-AzureRmDataLakeStoreItemAclEntry:
Set-AzureRmDataLakeStoreItemAclEntry -AccountName "adls" -Path / -AceType User -Id (Get-AzureRmADApplication -ApplicationId 490eee0-2ee1-51ee-88er-0f53aerer7b).Id -Permissions All
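The following script is an added example, not code from the question or either answer. It carries the first answer's point through end to end: the -Id value of an ADLS Gen1 ACE is the object id of the service principal (the enterprise-application object), which is different from both the application id and the object id of the application registration. It resolves that id, grants a specific permission set instead of All, adds a matching default ACE so new children inherit it, and reads the ACL back to confirm. It assumes the AzureRM.Resources and AzureRM.DataLakeStore modules and an existing Login-AzureRmAccount session; the account name and application id are placeholders.

```powershell
# Added example; not from the question or answers. Assumes AzureRM.Resources,
# AzureRM.DataLakeStore and an existing Login-AzureRmAccount session.
param(
    [string]$AccountName   = "adls",                                  # placeholder
    [string]$ApplicationId = "00000000-0000-0000-0000-000000000000",  # placeholder
    [string]$Path          = "/",
    # One of: None, Execute, Write, WriteExecute, Read, ReadExecute, ReadWrite, All.
    # Pick the minimum the application needs rather than All.
    [string]$Permissions   = "ReadExecute"
)

# 1. Resolve the service principal. The ACE needs the service principal's
#    ObjectId; the application id is only used to look it up (it is one of
#    the service principal's SPNs, which is why -ServicePrincipalName works).
$sp = Get-AzureRmADServicePrincipal -ServicePrincipalName $ApplicationId
if (-not $sp) {
    throw "No service principal found for application id $ApplicationId. Create one with New-AzureRmADServicePrincipal -ApplicationId <id> first."
}
Write-Host "Service principal '$($sp.DisplayName)' has ObjectId $($sp.Id)"

# 2. Grant the access ACE on the path. ADLS Gen1 ACLs are POSIX-like: the
#    principal also needs Execute on every parent directory to reach a child.
Set-AzureRmDataLakeStoreItemAclEntry -AccountName $AccountName -Path $Path `
    -AceType User -Id $sp.Id -Permissions $Permissions

# 3. Matching default ACE, so items created under $Path later inherit the entry.
Set-AzureRmDataLakeStoreItemAclEntry -AccountName $AccountName -Path $Path `
    -AceType User -Id $sp.Id -Permissions $Permissions -Default

# 4. Read the ACL back and confirm the entry is present with the expected rights.
$acl = Get-AzureRmDataLakeStoreItemAcl -AccountName $AccountName -Path $Path
$entries = @($acl | Where-Object { $_.Id -eq $sp.Id })
if ($entries.Count -eq 0) { throw "No ACE for $($sp.Id) found on $Path" }
$entries | Format-Table -AutoSize
```

Run it as a script, e.g. .\Grant-AdlsSpAccess.ps1 -AccountName adls -ApplicationId <app id> -Path /data -Permissions ReadExecute. The ACL read-back in step 4 is the check worth keeping: it shows the entry as the service actually stores it, so an id that resolved to the wrong object shows up immediately rather than as a failed data-plane call later.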

Related

Is it possible to add Microsoft Graph delegated permissions to Azure AD app via Powershell?

I registered an application in Azure AD from PowerShell using the script below.
# To create a new application
$myapp = New-AzureADApplication -DisplayName MyApp
$myappId = $myapp.AppId
# To set the Application ID URI (Set-AzureADApplication keys on the ObjectId, not the AppId)
Set-AzureADApplication -ObjectId $myapp.ObjectId -IdentifierUris "api://$myappId"
# To retrieve details of the new application
Get-AzureADApplication -Filter "DisplayName eq 'MyApp'"
Now I want to set delegated API permissions (Calendars.Read, Application.Read.All, Directory.Read.All) for this app.
From the Azure Portal, I know how to assign these. But is it possible to add these permissions via PowerShell? If yes, can anyone help me with the script or cmdlets?
Any help will be appreciated. Thank you.
Yes, it's possible to set delegated API permissions via PowerShell.
Initially, please note the AppID of the new application, which can be retrieved by the cmdlet below:
Get-AzureADApplication -Filter "DisplayName eq 'MyApp'"
Check whether you have a service principal named "Microsoft Graph" using the cmdlet below:
$MSGraph = Get-AzureADServicePrincipal -All $true | ? { $_.DisplayName -eq "Microsoft Graph" }
In order to assign API permissions via PowerShell, you should know the GUIDs of those delegated permissions, which can be displayed using the cmdlet below:
$MSGraph.Oauth2Permissions | FT ID, Value
Note the IDs of the required permissions, like Calendars.Read, Application.Read.All and Directory.Read.All.
Please find the complete script below:
$myapp = New-AzureADApplication -DisplayName MyApp
$myappId=$myapp.ObjectId
Get-AzureADApplication -Filter "DisplayName eq 'MyApp'"
$MSGraph = Get-AzureADServicePrincipal -All $true | ? { $_.DisplayName -eq "Microsoft Graph" }
$MSGraph.Oauth2Permissions | FT ID, Value
# Create a Resource Access resource object and assign the service principal’s App ID to it.
$Graph = New-Object -TypeName "Microsoft.Open.AzureAD.Model.RequiredResourceAccess"
$Graph.ResourceAppId = $MSGraph.AppId
# Create a set of delegated permissions using noted IDs
$Per1 = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList "c79f8feb-a9db-4090-85f9-90d820caa0eb","Scope"
$Per2 = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList "465a38f9-76ea-45b9-9f34-9e8b0d4b0b42","Scope"
$Per3 = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList "06da0dbc-49e2-44d2-8312-53f166ab848a","Scope"
$Graph.ResourceAccess = $Per1, $Per2, $Per3
# Set the above resource access object to your application ObjectId so permissions can be assigned.
Set-AzureADApplication -ObjectId $myappId -RequiredResourceAccess $Graph
Reference:
How to assign Permissions to Azure AD App by using PowerShell?
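The script below is an added example, not the answer's own script. It does the same job as the answer's script but resolves each delegated scope by its Value against Microsoft Graph's Oauth2Permissions instead of hard-coding GUIDs, keeps any RequiredResourceAccess the application already has for other resources (the parameter replaces the whole list), refuses to proceed when the display name is ambiguous, and prints what is now requested. It assumes the AzureAD module and an existing Connect-AzureAD session; the application name and scope list are placeholders.

```powershell
# Added example; not the answer's script. Assumes the AzureAD module and an
# existing Connect-AzureAD session. $AppDisplayName and $DelegatedScopes are placeholders.
param(
    [string]  $AppDisplayName  = "MyApp",
    [string[]]$DelegatedScopes = @("Calendars.Read", "Application.Read.All", "Directory.Read.All")
)

# Microsoft Graph's service principal in this tenant.
$graphSp = Get-AzureADServicePrincipal -Filter "DisplayName eq 'Microsoft Graph'"
if (-not $graphSp) { throw "Microsoft Graph service principal not found in this tenant" }

# Resolve each delegated scope name to its GUID instead of hard-coding the IDs.
$resourceAccess = foreach ($scope in $DelegatedScopes) {
    $perm = $graphSp.Oauth2Permissions | Where-Object { $_.Value -eq $scope }
    if (-not $perm) { throw "Delegated permission '$scope' is not exposed by Microsoft Graph" }
    # "Scope" = delegated permission; "Role" would be an application permission.
    New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList $perm.Id, "Scope"
}

$required = New-Object -TypeName "Microsoft.Open.AzureAD.Model.RequiredResourceAccess"
$required.ResourceAppId  = $graphSp.AppId
$required.ResourceAccess = @($resourceAccess)

# Set-AzureADApplication keys on the application's ObjectId, not its AppId.
$app = @(Get-AzureADApplication -Filter "DisplayName eq '$AppDisplayName'")
if ($app.Count -eq 0) { throw "Application '$AppDisplayName' not found" }
if ($app.Count -gt 1) { throw "More than one application named '$AppDisplayName'; look it up by -ObjectId instead" }
$app = $app[0]

# -RequiredResourceAccess replaces the entire list, so keep entries for other resources.
$existing = @($app.RequiredResourceAccess | Where-Object { $_.ResourceAppId -ne $graphSp.AppId })
Set-AzureADApplication -ObjectId $app.ObjectId -RequiredResourceAccess ($existing + $required)

# Read back and show what the application now requests.
$app = Get-AzureADApplication -ObjectId $app.ObjectId
foreach ($rra in $app.RequiredResourceAccess) {
    foreach ($ra in $rra.ResourceAccess) {
        $name = ($graphSp.Oauth2Permissions | Where-Object { $_.Id -eq $ra.Id }).Value
        "{0}  {1}  {2}" -f $rra.ResourceAppId, $ra.Type, $name
    }
}
```

Setting RequiredResourceAccess only records what the application requests; no user or administrator has consented yet, so tokens will not carry these scopes until consent is granted separately. Resolving by name also makes the review easier: the script fails loudly on a misspelled scope instead of silently requesting whatever permission a mistyped GUID happens to identify.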

How to do CAS 5.3.2 authenticate with AD using userPassword

I have an Active Directory store which holds the password in the field userPassword.
I used CAS 5.3.2 to authenticate with AD; here are my configs:
# Interesting part for Active Directory:
cas.authn.ldap[0].type=AD
cas.authn.ldap[0].ldapUrl=ldap://85.2.58.119:389
cas.authn.ldap[0].useSsl=false
cas.authn.ldap[0].useStartTls=false
cas.authn.ldap[0].connectTimeout=5000
cas.authn.ldap[0].baseDn=OU=User Account,OU=CAS,DC=liferayadmin,DC=net
cas.authn.ldap[0].userFilter=cn={user}
cas.authn.ldap[0].subtreeSearch=true
# AD manager user like someone@company.com
cas.authn.ldap[0].bindDn=cn=casAdmin,OU=User Account,OU=CAS,cn=users,dc=liferayadmin,dc=net
cas.authn.ldap[0].bindCredential=password
cas.authn.ldap[0].dnFormat=%s@liferayadmin.net
cas.authn.ldap[0].principalAttributeId=cn
cas.authn.ldap[0].principalAttributePassword=
cas.authn.ldap[0].principalAttributeList=sAMAccountName,sn,cn,givenName,displayName
cas.authn.ldap[0].failFast=false
# Default values:
cas.authn.ldap[0].minPoolSize=3
cas.authn.ldap[0].maxPoolSize=10
cas.authn.ldap[0].validateOnCheckout=true
cas.authn.ldap[0].validatePeriodically=true
cas.authn.ldap[0].validatePeriod=600
cas.authn.ldap[0].idleTime=5000
cas.authn.ldap[0].prunePeriod=5000
cas.authn.ldap[0].blockWaitTime=5000
It returns failed authentication. Someone said that AD uses another field to check the password, but I can only use this field 'userPassword'.
How can I authenticate with AD using this field?
How can I check what the root cause of the failed authentication is (cannot connect to AD / wrong bindCredential / other exceptions ...)?
And if possible, please look at my configs and tell me if I have made some mistake.
Thanks!
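As an added diagnostic (not part of the question, and not CAS code), the script below reproduces the three things the config above depends on, one at a time, so a failure can be pinned to a step: a simple bind as the manager account (separates "cannot connect" from "wrong bindCredential"), a subtree search for cn={user} under baseDn, and finally a bind as the user in the dnFormat shape, which is how the AD type verifies a password. AD checks the password itself during that bind; it does not let a client read a password attribute to compare. It uses the .NET System.DirectoryServices.Protocols classes on Windows PowerShell; the host, DNs and dnFormat are taken from the config above, the test user is a placeholder, and Test-LdapBind and ConvertTo-PlainText are helper names chosen here.

```powershell
# Added diagnostic; not part of the question or of CAS. Assumes Windows PowerShell
# on a host that can reach the domain controller. Host, DNs and dnFormat follow the
# CAS config above; $TestUser is a placeholder.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$LdapHost = "85.2.58.119:389"      # cas.authn.ldap[0].ldapUrl without the scheme
$BaseDn   = "OU=User Account,OU=CAS,DC=liferayadmin,DC=net"
$BindDn   = "cn=casAdmin,OU=User Account,OU=CAS,cn=users,dc=liferayadmin,dc=net"
$DnFormat = "{0}@liferayadmin.net"  # cas.authn.ldap[0].dnFormat with %s written as {0}
$TestUser = "jdoe"                  # placeholder; a constant here, escape it if it ever comes from user input
$BindPwd  = Read-Host -Prompt "Password for $BindDn" -AsSecureString
$TestPwd  = Read-Host -Prompt "Password for $TestUser" -AsSecureString

function ConvertTo-PlainText([securestring]$Secure) {
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Secure)
    try { [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
    finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
}

# Simple (cleartext) bind, which is what the config does with useSsl=false and
# useStartTls=false. Returns the open connection on success, $null on failure.
function Test-LdapBind([string]$Name, [securestring]$Password) {
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection -ArgumentList $LdapHost
    $conn.SessionOptions.ProtocolVersion = 3
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic
    $cred = New-Object System.Net.NetworkCredential -ArgumentList $Name, (ConvertTo-PlainText $Password)
    try { $conn.Bind($cred); return $conn }
    catch [System.DirectoryServices.Protocols.LdapException] {
        # AD puts the real reason in ServerErrorMessage: "data 52e" = bad password,
        # "data 525" = no such user, "data 533" = account disabled, "data 775" = locked out.
        Write-Warning ("Bind as '{0}' failed: {1} [{2}]" -f $Name, $_.Exception.Message, $_.Exception.ServerErrorMessage)
        return $null
    }
}

# Step 1: can the manager account bind at all?
$mgr = Test-LdapBind $BindDn $BindPwd
if (-not $mgr) { return }
Write-Host "Manager bind OK"

# Step 2: does cn={user} under baseDn resolve to exactly one entry?
$req = New-Object System.DirectoryServices.Protocols.SearchRequest
$req.DistinguishedName = $BaseDn
$req.Filter = "(cn=$TestUser)"
$req.Scope  = [System.DirectoryServices.Protocols.SearchScope]::Subtree
[void]$req.Attributes.AddRange([string[]]@("distinguishedName", "userPrincipalName", "sAMAccountName"))
$resp = $mgr.SendRequest($req)
if ($resp.Entries.Count -ne 1) {
    Write-Warning "Search for (cn=$TestUser) under $BaseDn returned $($resp.Entries.Count) entries"
    return
}
Write-Host ("Found {0}" -f $resp.Entries[0].DistinguishedName)

# Step 3: the check AD actually performs. The password is verified by binding as
# the user in the dnFormat shape; no password attribute is read or compared.
$upn = $DnFormat -f $TestUser
if (Test-LdapBind $upn $TestPwd) { Write-Host "Bind as $upn succeeded: the password is correct" }
```

Two things the output will show that the CAS log alone does not: the server's own diagnostic string in ServerErrorMessage, which names the exact reason a bind was refused, and whether the domain controller accepts a simple bind over plain LDAP at all. A controller configured to require LDAP signing refuses cleartext simple binds outright, and the config above sends every password in the clear over port 389, so enabling useSsl or useStartTls is the change to make before anything else.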

AD error while executing EXE

I am using a PowerShell script (part of the script: Invoke-Command -ComputerName $n -FilePath $filepath -Credential ($Cred) -EnableNetworkAccess) to perform activities like unzipping files and running an EXE on a remote VM.
I'm able to perform activities like extracting and calling the EXE, and the first part of the EXE's activities, like DB creation, works. However, the part of the EXE that installs the frontend is not working, where the EXE might be validating that the user is in the admin group.
Please note that the user has admin group access on both machines.
Error message:
</Message>
<StackTrace>
at System.DirectoryServices.AccountManagement.PrincipalContext.DoLDAPDirectoryInit()
at System.DirectoryServices.AccountManagement.PrincipalContext.DoDomainInit()
at System.DirectoryServices.AccountManagement.PrincipalContext.Initialize()
at System.DirectoryServices.AccountManagement.PrincipalContext.get_QueryCtx()
at System.DirectoryServices.AccountManagement.Principal.FindByIdentityWithTypeHelper(PrincipalContext context, Type principalType, Nullable`1 identityType, String identityValue, DateTime refDate)
at System.DirectoryServices.AccountManagement.GroupPrincipal.FindByIdentity(PrincipalContext context, String identityValue)
at DataLabsXC.ManagementLib.Collections.XCUsers.ListUsers(String DomainName, String GroupName, String orgUnits)
at DataLabsXC.ManagementLib.XCSqlManager.AddGroups(XCSecGroups SecGroups, String DomainName, String ADAdmin, String ADPassword, Boolean LdapProvider, String OrganizationalUnits)
at DataLabsXC.Management.Setup.FrontEndInstaller.Execute()
at DataLabsXC.Management.BatchProcess.BatchProcessor.Install()
</StackTrace>
<CallingMethod>An operations error occurred.
The same script works fine when executed directly on the targeted VM instead of being called from the remote machine.
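Since the installer works when started on the VM itself but not through Invoke-Command, the useful next step is to run the exact call chain from the stack trace (PrincipalContext for the domain, then GroupPrincipal.FindByIdentity) in both places and compare. The probe below is an added diagnostic, not part of the question or of the installer: it reports which identity and authentication type the remote process runs under and whether the same lookup succeeds there. It assumes $n and $Cred are the variables from the question's Invoke-Command; DOMAIN and GROUP are placeholders for the installer's domain and group names.

```powershell
# Added diagnostic; not from the question. Assumes $n and $Cred as in the
# question's Invoke-Command. "DOMAIN" and "GROUP" are placeholders.
$probe = {
    param([string]$DomainName, [string]$GroupName)
    Add-Type -AssemblyName System.DirectoryServices.AccountManagement

    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $result = [ordered]@{
        Computer    = $env:COMPUTERNAME
        RunningAs   = $id.Name
        AuthType    = $id.AuthenticationType   # e.g. Kerberos, NTLM, CredSSP
        GroupLookup = $null
    }
    try {
        # Same calls the installer makes, per the stack trace:
        # PrincipalContext(Domain) -> GroupPrincipal.FindByIdentity
        $ctx = New-Object -TypeName System.DirectoryServices.AccountManagement.PrincipalContext `
            -ArgumentList ([System.DirectoryServices.AccountManagement.ContextType]::Domain), $DomainName
        $grp = [System.DirectoryServices.AccountManagement.GroupPrincipal]::FindByIdentity($ctx, $GroupName)
        $result.GroupLookup = if ($grp) { "found $($grp.DistinguishedName)" } else { "group not found" }
    } catch {
        $result.GroupLookup = "FAILED: $($_.Exception.GetType().Name): $($_.Exception.Message)"
    }
    [pscustomobject]$result
}

# 1. In a remote session, launched the same way as the installer.
Invoke-Command -ComputerName $n -Credential $Cred -EnableNetworkAccess `
    -ScriptBlock $probe -ArgumentList "DOMAIN", "GROUP" | Format-List

# 2. Directly on the target VM, where the installer is known to work.
& $probe "DOMAIN" "GROUP" | Format-List
```

Compare the two RunningAs/AuthType/GroupLookup triples. If the lookup fails only in the remote run, the difference between the two identities is the thing to investigate, and the exception type and message recorded in GroupLookup are the detail the installer's "An operations error occurred" wrapper hides.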

RM + DSC to node in untrusted domain

So I mention the untrusted domain aspect because I went through all the hoops around credential delegation and trusted hosts lists etc to allow me to successfully push a DSC configuration from my RM server to a target node (not using RM, just native DSC). I get that bit and it works, great.
Now when I use those same scripts in RM (with some minor edits for the format expected by RM), RM reports a successful deploy, but all that has happened is that the component bits have been copied to the target node, to the default location for $applicationPathRoot (C:\Windows\DtlDownloads); there is no real evidence of an attempt to apply a MOF file.
My RM server and target nodes are in different domains with no trust. Both servers are W2k8R2 (+ WMF4 of course). I'm running with Update 4 of RM server and client.
Here are the DSC scripts I'm running in RM:
CopyDSCResources.ps1
Configuration CopyDSCResource
{
    param (
        [Parameter(Mandatory=$false)]
        [ValidateNotNullOrEmpty()]
        [String] $ModulePath = "$env:ProgramFiles\WindowsPowershell\Modules")
    #[PSCredential] $credential = get-credential
    Node VCTSCFDSMWEB01
    {
        File DeployWebDeployResource
        {
            Ensure = "Present"
            SourcePath = "C:\test.txt"
            DestinationPath = "D:\temp"
            Force = $true
            Type = "File"
        }
    }
}
CopyDSCResource -ConfigurationData $configData -Verbose
# test outside of RM
#CopyDSCResource -ConfigurationData CopyDSCResource.ConfigData.psd1
#Start-DscConfiguration -Path .\CopyDSCResource -Credential $credential -Verbose -Wait
CopyDSCResource.ConfigData.psd1
#@{
$configData = @{
    AllNodes = @(
        @{
            NodeName = "*"
            PSDscAllowPlainTextPassword = $true
        },
        @{
            NodeName = "VCTSCFDSWEB01.rlg.test"
            Role = "WebServer"
        }
    )
}
I'm afraid I can't seem to upload screenshots from my current location, but in terms of RM, I have a vNext environment with a single server linked, a vNext release path with a single 'Dev' stage and a vNext release template with a single 'Deploy PS/DSC' action. The configuration of the action is:
ServerName - VCTSCFDSMWEB01
ComponentName - COpyDSCResource vNext
PSScriptPath - copydscresources.ps1
PSConfigurationPath - copydscresource.configdata.psd1
UseCredSSP - true
When I run a new release, the deploy stage reports success, and when I view the deployment log files I get the following:
Upload components - Successfully uploaded to the normalized store.
Deploy Using PS/DSC - Copying recursively from \\vcxxxxtfs03\Drops\CorrespondenceCI\CorrespondenceCI20150114.1\Scripts to C:\Windows\DtlDownloads\CopyDSCResource vNext succeeded.
Finally the DSC event log has the following:
Job {CD3BE350-4072-4C8B-835F-4B4D1C46D65D} :
Configuration is sent from computer NULL by user sid S-1-5-18.
This compares markedly to the same event log entry when run outside of RM:
Job {34F78498-CF18-4F2A-9874-EB54FDA2D990} :
Configuration is sent from computer VCXXXXTFS01 by user sid S-1-5-21-1034805355-1149422947-1317505720-10867.
Any pointers appreciated.
It would be good if I could see evidence of a MOF file being created on the RM server, for example; does anybody know where I can find this?
Turns out the crucial element was that my DSC script had to use an environment variable for naming the node. So:
Node $env:COMPUTERNAME
No idea why but it works!
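The configuration data above sets PSDscAllowPlainTextPassword = $true, which makes the compiler write any credential into the MOF in clear text; on a node reached with CredSSP that file sits in C:\Windows\DtlDownloads. The script below is an added example, not the question's scripts: it keeps the answer's $env:COMPUTERNAME node name and replaces the plain-text allowance with DSC's certificate-based MOF encryption (CertificateFile and Thumbprint in the node data), with a credential actually in use so the difference is visible in the compiled MOF. It assumes the node's document-encryption certificate has been exported to the .cer path shown and that the node's LCM has CertificateID set to the same thumbprint; the path, thumbprint and UNC share are placeholders.

```powershell
# Added example; not the question's own scripts. Assumes the target node's DSC
# encryption certificate is exported to $CertFile and its LCM has CertificateID
# set to the matching thumbprint. Path, thumbprint and share are placeholders.
$configData = @{
    AllNodes = @(
        @{
            NodeName        = "*"
            # Public key of the node's document-encryption certificate (exported .cer).
            CertificateFile = "C:\DscPublicKeys\VCTSCFDSMWEB01.cer"              # placeholder
            Thumbprint      = "0000000000000000000000000000000000000000"         # placeholder
            # PSDscAllowPlainTextPassword is deliberately absent: with a certificate
            # present the compiler encrypts credentials instead of writing them in clear.
        },
        @{
            NodeName = $env:COMPUTERNAME   # the name the LCM matches, as found in the answer
            Role     = "WebServer"
        }
    )
}

Configuration CopyDSCResource
{
    param (
        [Parameter(Mandatory = $true)]
        [PSCredential] $Credential
    )
    Import-DscResource -ModuleName PSDesiredStateConfiguration

    Node $AllNodes.Where({ $_.Role -eq "WebServer" }).NodeName
    {
        File DeployWebDeployResource
        {
            Ensure          = "Present"
            SourcePath      = "\\fileserver\Drops\test.txt"   # placeholder share
            DestinationPath = "D:\temp\test.txt"
            Type            = "File"
            Force           = $true
            Credential      = $Credential   # used to read the share; encrypted in the MOF
        }
    }
}

$cred = Get-Credential -Message "Account that can read the source share"
CopyDSCResource -ConfigurationData $configData -Credential $cred -OutputPath .\CopyDSCResource

# Without a certificate this compile fails (plain text not allowed); with one,
# the Password line in the MOF is an encrypted blob rather than the clear value.
Select-String -Path .\CopyDSCResource\*.mof -Pattern "Password" | Select-Object -First 3
```

The NodeName = "*" entry is where CertificateFile and Thumbprint belong so every node inherits them; the LCM on the target then decrypts with the private key, which never leaves the node. When the configuration is compiled on the node itself, as in the RM flow above, $env:COMPUTERNAME resolves to the local name and the same data file serves every node without a hard-coded hostname.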

How to Save My User Account and Password in Google App Engine Launcher?

I'm using the Google App Engine Launcher to deploy my app to the GAE servers. Is there a way to save my user account and password so I don't have to type it in every time I redeploy?
I'm still in the learning stages of using GAE so typing my 16 odd character password gets tiresome when I redeploy 15+ times per evening.
You can make a .bat file that has the following text:
echo <password> | c:\python25\python.exe "C:\Program Files\Google\google_appengine\appcfg.py" --email=username --passin update <directory of app on your pc>
(According to GAE docs you cannot specify the password as a command line option)
Use oauth to save an OAuth2 token so you don't need to keep re-typing your password.
The accepted solution didn't work for me. Using pipes did:
echo <password> | c:\python25\python.exe "C:\Program Files\Google\google_appengine\appcfg.py" --email=username --passin update <directory of app on your pc>
appcfg already does this for you. Per the docs:
appcfg.py gets the application ID from the app.yaml file, and prompts you for the email address and password of your Google account. After successfully signing in with your account, appcfg.py stores a "cookie" so that it does not need to prompt for a password on subsequent attempts.
If this isn't occurring for you, you might want to try deleting any .appcfg* config files.
Other tips & tricks, using the command line as below:
To get appcfg.py to accept --password on the command line instead of being prompted for it:
Change appengine/google_appengine/google/appengine/tools/appcfg.py:
Add the following in the parser.add_option section:
    parser.add_option("-p", "--password", action="store", dest="password",
                      metavar="PASSWORD", default=None,
                      help="The password")
Then modify the GetUserCredentials function:
    # GetUserCredentials is a nested function inside an AppCfgApp method in
    # appcfg.py, so `self` below is the enclosing method's instance.
    def GetUserCredentials():
      """Prompts the user for a username and password."""
      email = self.options.email
      if email is None:
        email = self.raw_input_fn("Email: ")
      password = self.options.password
      if password is None:
        password = self.raw_input_fn("Password: ")
      # password_prompt = "Password for %s: " % email
      # if self.options.passin:
      #   password = self.raw_input_fn(password_prompt)
      # else:
      #   password = self.password_input_fn(password_prompt)
      return (email, password)
That's it, now you can call:
appcfg.py update demos/guestbook --email=email@gmail.com --password=xxxx
Ref: http://samalolo.blogspot.com/2009/04/appcfgpy-tweak-to-allow-passing.html
I just wanted to say thank you to Friar Broccoli; it's exactly what I was looking for. To clarify for other beginners like myself, my final batch file ended up looking like the following:
c:\python27\pythonw.exe "C:\Program Files (x86)\Google\google_appengine\appcfg.py" --oauth2 update "C:\Users\[username]\[directory]\app.yaml"
Worked perfectly, wish this solution was higher up.
For Windows 7, .appcfg_cookies is under C:\Users\username\.appcfg_cookies
You could write a command line script that executes appcfg.py to do this.
You can specify the email to use with the --email= command line parameter.
You can pass in the password from stdin by using the --passin parameter.
It's amazingly simple. Just put this in a batch file:
appcfg.py --oauth2 update "X:\local\path\to\your\app.yaml\file"
The first time you run it, Google will authenticate; after that it's all automatic.
