How to know the permissions of my azure ad app have for other APIs, such as Microsoft Grahp API .
In portal , i could check that in the [API Access]-->[Required permissions] , but how do i check that with powershell , i used
Get-AzureRmADApplication -ObjectId ,
Get-AzureRmADApplication -ObjectId xxxxx | fl *
But little attributes returned and AppPermissions is null , but with fiddle , i notice it use below request :
GET https://graph.windows.net/mytenant/applications/id?api-version=1.6 HTTP/1.1
And i could find a lot of attributes of that app ,which one shows the permission of the app and how do i get that in powershell ?
You could try the Azure Active Directory PowerShell Version 2 , the use command like :
$app = Get-AzureADApplication -Filter "appId eq '$appId'" | fl *
to get the RequiredResourceAccess claim ,that is the collection that is shown under "permissions to other applications" in the azure ad classic portal and "Required permissions" in new portal .
In addition , PowerShell essentially wraps the API's and just presents them to you in a simplified interface. If you don't find a command to do what you want you can always using PowerShell to invoke the Graph API directly. Please refer to below article for how to call Azure Active Directory Graph Api from Powershell :
https://blogs.technet.microsoft.com/paulomarques/2016/03/21/working-with-azure-active-directory-graph-api-from-powershell/
And here is a test code sample :
PS C:\Users\v-nany> $header = #{
>> 'Content-Type'='application\json'
>> 'Authorization'=$token.CreateAuthorizationHeader()
>> }
PS C:\Users\v-nany> $uriSAs = "https://graph.windows.net/xxxxxxx/applications/xxxxxx?api-version=1.6 "
PS C:\Users\v-nany> $appInfo = (Invoke-RestMethod -Uri $uriSAs –Headers $header –Method Get –Verbose)
PS C:\Users\v-nany> $appInfo.requiredResourceAccess
You will get resourceAppId represents the resource , and related resourceAccess which is a scope list.
Related
I have about 30 SAML configurations from various vendors, all are metadata files that reside on the internet (Azure AD, Auth0 and a couple other identity providers).
Is there a tool that exists to extract the expiration date from the signing cert in the metadata file? So I can keep track of all the expiration? Preferably a CLI.
For workaround you can use this powershell command to get the expiry time of siging certificate that is uploaded in Azure AD application.
Based on your requirements you can edit the code and pull the certificate from metafiles rather than directly from AzureAD application.
$expired = Get-AzureADApplication -All:$true | ForEach-Object {
$app = $_
#(
Get-AzureADApplicationKeyCredential -ObjectId $_.ObjectId
$CustomKeyIdentifier = (Get-AzureADApplicationKeyCredential -ObjectId $_.ObjectID).CustomKeyIdentifier
)| Where-Object {
$_.EndDate }| ForEach-Object {
$id = "Not set"
if($CustomKeyIdentifier) {
$id = [System.Convert]::ToBase64String($CustomKeyIdentifier)
}
[PSCustomObject] #{
App = $app.DisplayName
ObjectID = $app.ObjectId
AppId = $app.AppId
Type = $_.GetType().name
KeyIdentifier = $id
EndDate = $_.EndDate
}
}
}
$expired | Export-CSV 'C:\test.csv
Reference : How to retrieve thumbprint expiry date of enterprises application in azuread
How to automate PIM login in Azure. Daily it takes 3-5 mins to activate the login and which is valid for 8 hours, so again whenever it is required I need to reactivate it. Please suggest any automation approach for PIM Login.
To active the PIM automatically, you could follow the steps below.
1.Create automation account(need to create Run As account) and runbook(powershell type).
2.Navigate to the automation account in the portal-> Modules gallery -> search for AzureADPreview module and import it.
3.Follow this doc to assign the Global Administrator to the Run As account i.e. the service principal, just search for the name of your automation account, the name of the service principal has the format as automationaccount_xxxxxxxx.
4.In your runbook, use the script below to login with the service principal, use Open-AzureADMSPrivilegedRoleAssignmentRequest to active an eligible assignment for a user you need.
$connectionName = "AzureRunAsConnection"
try
{
# Get the connection "AzureRunAsConnection "
$servicePrincipalConnection=Get-AutomationConnection -Name $connectionName
"Logging in to Azure..."
Connect-AzureAD `
-TenantId $servicePrincipalConnection.TenantId `
-ApplicationId $servicePrincipalConnection.ApplicationId `
-CertificateThumbprint $servicePrincipalConnection.CertificateThumbprint
Open-AzureADMSPrivilegedRoleAssignmentRequest -ProviderId 'aadRoles' -ResourceId '926d99e7-117c-4a6a-8031-0cc481e9da26' -RoleDefinitionId 'f55a9a68-f424-41b7-8bee-cee6a442d418' -SubjectId 'f7d1887c-7777-4ba3-ba3d-974488524a9d' -Type 'UserAdd' -AssignmentState 'Active' -schedule $schedule -reason "dsasdsas"
}
catch {
if (!$servicePrincipalConnection)
{
$ErrorMessage = "Connection $connectionName not found."
throw $ErrorMessage
} else{
Write-Error -Message $_.Exception
throw $_.Exception
}
}
5.Navigate to the runbook in the portal -> Schedules -> create and link a recurrence schedule to your runbook, e.g. every day, details depend on you.
How to retrieve details which contains information of login user including domain for example let say domain\useralias from Azure AD for a user input? Note that domain names are there in onprem ad which were sync to Azure AD.
You can use the OnPremiseDistinguishedName extension property.
Example:-
foreach($line in Get-Content c:\users\myuser\users.txt) {
if($line -match $regex){
$onPremisesDistinguishedName = (Get-AzureADUserExtension -ObjectId $line).get_item("onPremisesDistinguishedName")
$domain = $onPremisesDistinguishedName.split(",")
$alias = $line.Split("#")
$sAMAccountName = ($domain[2]).Substring(3)
$sAMAccountName + "\" + $alias[0]
}
}
I have created a provisioning mechanism not unlike this here:
group provisioning mechanism
I have successfully implemented the whole workflow on my developer tenant. Now our productive environment, I always receive this error:
[Error]Invoke - RestMethod: {
"error": "unauthorized_client",
"error_description": "AADSTS70001: Application 'ffffffff-...' is disabled.\r\nTrace ID: ffffffff-180f-4bc4-8087-867633c83e00\r\nCorrelation ID: ffffffff-2e5d-481d-adee-f068dbebaab1\r\nTimestamp: 2018-10-29 09:06:59Z",
"error_codes": [70001],
"timestamp": "2018-10-29 09:06:59Z",
"trace_id": "ffffffff-180f-4bc4-8087-867633c83e00",
"correlation_id": "ffffffff-2e5d-481d-adee-f068dbebaab1"
}
This is my code, that should do the authentication:
function Initialize-Authorization {
param
(
[string]
$ResourceURL = 'https://graph.microsoft.com',
[string]
[parameter(Mandatory)]
$TenantID,
[string]
[Parameter(Mandatory)]
$ClientKey,
[string]
[Parameter(Mandatory)]
$AppID
)
$Authority = "https://login.microsoftonline.com/$TenantID/oauth2/token"
Write-Output "auth: $Authority"
[Reflection.Assembly]::LoadWithPartialName("System.Web") | Out-Null
$EncodedKey = [System.Web.HttpUtility]::UrlEncode($ClientKey)
$body = "grant_type=client_credentials&client_id=$AppID&client_secret=$EncodedKey&resource=$ResourceUrl"
Write-Output "body: $body"
# Request a Token from the graph api
$result = Invoke-RestMethod -Method Post ` #`
-Uri $Authority ` #`
-ContentType 'application/x-www-form-urlencoded' ` #`
-Body $body
$script:APIHeader = #{'Authorization' = "Bearer $($result.access_token)" }
}
I already tried generating new keys but I'm stuck. How can the app registration be disabled?
Can someone guide me in the right direction with this?
It appears the ServicePrincipal object for your app, in your production tenant, has been disabled. The ServicePrincipal object is represented under "Enterprise apps" in the Azure portal.
In the production tenant, navigate to the Azure portal > Azure AD > Enterprise applications. Search for your app (if it doesn't show up initially, make sure you've selected "All Applications", under "Application Type"). Choose the app, and in the new blade, choose "Properties", on the left.
If "Enabled for users to sign in?" is set to "No", then the app is disabled in that tenant. Setting it to "Yes" will enable it.
Apps don't generally get disabled automatically, so it will probably be a good idea for you to understand why this was disabled, and ensure everyone is clear on what the requirements are.
I'm trying to invoke an ARM template that requires a PrincipalId of the currently signed in user.
https://learn.microsoft.com/en-us/azure/templates/microsoft.keyvault/vaults
I've signed in using powershell, as a guest account in the organisation's AAD.
When I check the resulting context, I get:
Name : [sky.sigal#ministryof.me, 5f813400-5b93-43b0-af8f-5fd04714f1ef]
Account : me#here.com
SubscriptionName : SomeSubscriptionName
TenantId : e6d2d4cc-b762-486e-8894-4f5f540d5f31
Environment : AzureCloud
I'm wondering how to get the AAD ObjectId from the above, without string parsing "Name"?
Note that the documentation for the ARM Template is not very clear so not sure if me#here.com would work just as well (am assuming it's talking about a Guid).
Thank you.
You can also get it using the azure cli
az ad signed-in-user show --query objectId -o tsv
You could try Get-AzureRmADUser to get the ObjectId .
Sample:
Get-AzureRmADUser -UserPrincipalName "xxxx#xxxx.com"
Result:
The Id is the ObjectId, you could get it. Also, you could get it via other properties, not only -UserPrincipalName, just refer to the link of the command.
Update:
If you use a Guest account, you could try the command below.
Get-AzureADUser | ?{$_.UserType -eq "Guest"} | ?{$_.UserPrincipalName -like "*partofyouraccount*"}
Note: Before using this command, you need to install Azure AD powershell module.
The info on "Name" you are seeing is related to the subscription. Use the command below to get the objectId under "Account":
(Get-AzContext).Account.ExtendedProperties.HomeAccountId.Split('.')[0]
I am not an expert in AAD but I have found that my own personal Azure subscription unrelated to my work one returns nothing for the following command:
# does not work sometimes
(Get-AzADUser -UserPrincipalName (Get-AzContext).Account).Id
However I found that I can reliably get my user principal name (UPN) and object ID using the Az CLI to get an access token then the Microsoft Graph API to each back the user information.
$token = Get-AzAccessToken -Resource "https://graph.microsoft.com/"
$headers = #{ Authorization = "Bearer $($token.Token)" }
Invoke-RestMethod https://graph.microsoft.com/v1.0/me -Headers $headers
With Powershell cmdlets:
$myObjectId = (Get-AzADUser -UserPrincipalName (Get-AzContext).Account).Id