Tag Archives: Azure

Azure AD B2B PowerShell Invites

I’ve written about Azure AD B2B before, as well as then giving those invited users access to SharePoint Online, but there’s been a lot of changes since I started using it. Have a read of my original article if you’re interested to see how I’m using B2B and why.

Azure AD B2B is still in preview, but in Feb 2017 a bunch of improvements were added. Part of these changes were around using the new Azure portal rather than the Classic Portal, and with that is the removal of inviting users via CSV file and uploading it to Azure AD. This was exactly the way I was using it, so I had to change to one of the newer methods.

Although CSV support is gone, it’s been replaced by PowerShell which can just call the same CSV file being used before, so it’s not a huge change. There’s a PowerShell example on this technet page which shows how to do it. There is a catch though, the ability to add the user to groups as part of the import is gone.

The other big change that impacted me was the invitation emails. This is the email that gets sent to the recipient when being invited – it was originally a plain text email from a generic Microsoft address, but it’s now changed to a much more professional looking email. The catch with this is, rather than coming from a generic Microsoft email account, it now comes from the user that sends the invites out. I found this out the hard way when invited parties started seeing my details and photo with the invite!

There’s four approaches I can come up with around this new invite method –

1. Leave it as showing the admin user who does the invites (not ideal)

2. Create and use a seperate service account for these invites, so it comes from a generic looking internal email address (quite good)

3. Get the users themselves to send the invites out – by default, all users have access to invite others to their tenant (worst option, users won’t do this themselves, need training and support, can’t automate)

4. Use APIs and send the invites out on behalf of the user (‘best’ option but requires the most work, most complex)

While I look at option 4, option 2 is a good middle ground and will probably do for most companies.

I’ve written and tested the below script, which works on a single user by user basis. This uses just the Azure AD Preview module for PowerShell, which is at version 2.0.0.85 at the time of writing. To use the method mentioned on that page to install, I had to first install Windows Management Framework 5.0.

$group = get-azureadgroup -SearchString "Put your exact search string here" | where {$_.dirsyncenabled -eq $null}
$newuser = New-AzureADMSInvitation -InvitedUserEmailAddress emailaddress@contoso.com -InvitedUserDisplayName "Full Name" -sendinvitationmessage $true -InviteRedirectUrl "http://myapps.microsoft.com"
Add-AzureADGroupMember -objectid $group.objectid -RefObjectId $newuser.InvitedUser.Id

 

This script requires you to first authenticate against Azure AD with the command connect-azuread : the same way you’d use connect-msol for Office 365. More on how to automate that part in an upcoming blog post.

I’ve written this on the basis that you already have a group to add the guest user into, which gives them the permissions required after being invited into your Azure AD tenant. It’s also more a proof of concept script, which shows how to automate these steps enough to then be able to do what you want with it – such as wrap it around a ‘for each’ and feed multiple users into it.

The first thing the script does is get the group name. As objects in Azure AD don’t have to have unique names like on-prem Active Directory, this script will fail if it finds multiple results the same. It’s also making sure the result that comes back is only a cloud based group, because you can only add B2B invited users into Azure AD groups (not ones synced from on-prem).

Next it will send out the invite to the user. This is the important part. If you don’t want an email to go out, you can change the -sendinvitationmessage value to $false.

Finally we’re adding the invited user into the group by ObjectIDs of each object – straight forward.

—-

The end result is a user who will be able to accept their invite, log in and have access to whatever they need to. Note that the way I do this is by having an app and advertising it to the group that also gives permissions to SharePoint Online, so they’ll see the single link on their myapps.microsoft.com page.

If you’re mucking about with Azure AD B2B this should give you somewhere to start. The Microsoft Technet pages for Azure AD are very comprehensive now as well as being easy to read, so check them out.

If you have any questions on Azure AD B2B feel free to ask!

Azure AD Group-Based License Management For Office 365

It’s finally here! At least in public preview…

The ability to allocate Office 365 licenses via groups is now available for everyone to use. This has been a long-awaited feature, up until now licenses have either been applied manually via the portal, or via scripts/3rd party software with logic applied for automation.

Now, you can automatically apply and manage license allocation using whatever logic you like. You can create on-premise AD groups, apply a license set to the groups, and members will be allocated the relevant licensing. If that doesn’t work for you, there’s also cloud based Dynamic Groups which let you use whatever logic you can come up with to add members to the group. You could do it on something like a department name, or use an extension attribute and populate that based on what license you want to allocate.

The above link covers a lot of information about how to deploy this. At the time of writing, I couldn’t get to the Azure Licensing page by searching for the word ‘Licensing’, and instead had to use a direct link: https://portal.azure.com/#blade/Microsoft_AAD_IAM/LicensesMenuBlade/Products

I’ve already deployed it, it seems to work quickly and without issue.

 

Once you’re done, you’ll need to remove the Office 365 licenses applied manually. This TechNet article shows the commands to use for removal. I used this:

$Users = Get-MsolUser -All | where {$_.isLicensed -eq $true}; $Users | foreach {Set-MsolUserLicense -UserPrincipalName $_.UserPrincipalName -RemoveLicenses "litwareinc:ENTERPRISEPACK"}

This removes licenses from all your users, to be more specific add extra criteria to the first ‘Get-MsolUser’ command. Also note you need to swap ‘litwareinc’ with your tenant ID, and ENTERPRISEPACK with whichever license you’re removing. I’d recommend testing on one account first!

To see what your tenant’s license options are just use:

Get-MsolAccountSku

And you’ll see a list of the license options along with existing allocations.

If you have any questions please comment below.

Azure Active Directory – Assigning Groups to Applications in PowerShell

Azure Active Directory Applications have been around for a while, but it’s I’ve found it hard to find good information on them beyond the biggest benefit of Marketplace Apps.

Along with my Azure AD B2B journey (still in preview at time of writing), the option of pushing out something like a SharePoint Online site as an app is one of the jigsaw pieces required to make the whole B2B process work – as a version of the apps page is displayed as the default link to anyone who accepts an Azure AD B2B invite and logs in for the first time.

MyApps – an externally invited user will only see the apps they have access to (by default, none)

I’m trying to gloss over details here, as there’s a lot of steps with different parts of the Microsoft world to get a process automated end to end for inviting external users to a SharePoint Online site – but the last step of assigning a user or group to an application has no documentation I could find, that showed how to achieve this via PowerShell.

All I want to do here, is create an Application in Azure AD, then assign a group to it. Members of the group will then see the application on MyApps.

Two different modules are required – Azure Active Directory V2 PowerShell module and Azure Resource Manager.

What we can do with these two modules is first create the application with the New-AzureRMADApplication command:

New-AzureRmADApplication -DisplayName "SharePoint Online Site A" -HomePage "https://contoso.sharepointonline.com/sitea" -IdentifierUris "https://contoso.sharepointonline.com/sitea"

Easy, now you have an application that will point to the URL entered in Azure Active Directory. Assigning a group to it is a bit trickier…

First, a few values need to be obtained:

$app = Get-AzureRmADApplication | where displayname -eq "SharePoint Online Site A"
$appid = $app.ApplicationId
$fullgroup = get-msolgroup -all | where displayname -eq "SharePoint Online Site A"

This is getting the two objects as variables – the Application itself, and the group that you want to add onto it.

Then a new Service Principal needs to be created based on the Application, as this is required when adding the group onto the application:

New-AzureADServicePrincipal -AppId $appid

Another variable is needed, which is the new Service Principal we just created:

$servicePrincipal = Get-AzureADServicePrincipal -Filter "appId eq '$appId'"

Finally, we can assign the group to the application:

New-AzureADGroupAppRoleAssignment -objectid $fullgroup.objectid -principalid $fullgroup.objectid -resourceid $serviceprincipal.objectid -id ([Guid]::Empty)

You can check that this has applied by the Azure Active Directory portal too, by going to your Active Directory section, choosing ‘Applications’ and finding your app, then go into ‘users and groups’ and find the group. You should see a ‘yes’ in the assigned field.

If there’s any interest in documenting the entire SharePoint Online and Azure AD B2B invite process and script, let me know. It’s a great way of sharing data with clients via a portal.

Remove Microsoft Account or Work Account

If you’re using Office 365 and/or Azure, you may have run into this scenario. If you want detailed information about Microsoft Accounts vs Work or school accounts, read this comprehensive article.

For people who set up a Microsoft Account on a work email address, and then configured it for Office 365/Azure, you’d be used to seeing this screen every time you log in:

It’s necessary, but annoying when you’re signing in a lot. I’m not sure how long this has been around, but you can change the email address associated with your Microsoft account, and move it away from your work email address.

And you may notice, there’s that ‘Tired of seeing this?’ message. My brain blocked that out, so you can follow that link too :)

Atwork have a writeup on how to change the email address (the first link gives a 404 message, but you’re still in the right place to make the changes). I tested this on my own account, and within a few minutes I was no longer seeing the choice between Work or Personal when signing into Office 365/Azure services.

Combine that with ADFS or Azure AD Connect Pass-Through Authentication to make your Microsoft sign-ins a quicker process!

AzureAD – Assign Application to User via PowerShell

Scenario:

You’ve created an application in Azure AD, and want to script allocating access to the app rather than using the web interface. App show up at https://myapps.microsoft.com

Azure AD Premium is required for group access which would be ideal, but if you don’t have that you’ll need to add access on a user by user basis.

Answer:

PowerShell of course. First, you’ll need Azure AD for PowerShell (Preview version 2.0.0.17 at time of writing).

The below script which I modified from Philippe’s comment here should cover both internal, cloud and B2B invited users. The original script was using -objectid rather than -searchstring which works better and is more accurate for the internal and cloud accounts, but doesn’t work at all for B2B accounts.

The AppID can be obtained from this command:

Get-AzureADApplication -SearchString “Display Name for App”

Put the corresponding AppID into the below script, and you’re good to go. You’ll get prompted for Azure AD credentials as per usual. You can also get this

This is designed for a single user addition, but you could easily import the email addresses from a CSV file, and do a ‘for each’ on each entry like I did here.

# The UserPrincipalName or ObjectId of the user
$userId = “email@contoso.com”

# The AppId (a.k.a. “client ID”) of the app to assign the user to
$appId = “AppIDGoesHere”

# Connect to Azure AD
Connect-AzureAD -Confirm

# Get the user to be added
$user = Get-AzureADUser -searchstring $userId

# Get the service principal for the app you would like to assign the user to
$servicePrincipal = Get-AzureADServicePrincipal -Filter “appId eq ‘$appId'”

# Create the app role assignment
new-AzureADUserAppRoleAssignment -ObjectId $user.ObjectId -PrincipalId $user.ObjectId -ResourceId $servicePrincipal.ObjectId -Id ([Guid]::Empty)

 

Note: If you try this and get the error below, it’s because the app is already assigned.

new-AzureADUserAppRoleAssignment : Error occurred while executing NewUserAppRoleAssignment
StatusCode: BadRequest
ErrorCode: Request_BadRequest
Message: One or more properties are invalid.
At Z:\script.ps1:17 char:1
+ new-AzureADUserAppRoleAssignment -ObjectId $user.ObjectId `
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [New-AzureADUserAppRoleAssignment], ApiException
+ FullyQualifiedErrorId : Microsoft.Open.AzureAD16.Client.ApiException,Microsoft.Open.AzureAD16.PowerShell.NewUser
AppRoleAssignment

Important Azure and Office 365 URLs for Admins

I keep forgetting some of the main URLs I need for Microsoft’s online cloud based services. Instead of going direct to where I want, I log into one point I know and follow the bouncing ball to get to my destination – hardly efficient.

Instead, here’s my list of important Azure and Office 365 URLs to get where you want. The ones that require your domain as part of the URL aren’t hotlinks.

Office 365
Office 365 Admin Portal https://portal.office.com/adminportal/home?switchtomodern=true#
Office 365 Admin Portal (old) https://portal.office.com/Admin/Default.aspx?switchtoclassic=true#
Office 365 Portal with specific internal domain https://login.microsoftonline.com/?whr=yourdomain.com (modify to your own domain on the end)
Office 365 Apps https://portal.office.com/myapps

Azure
Azure AD and Old Portal https://manage.windowsazure.com
Azure AD and Old Portal to a specific domain https://manage.windowsazure.com/yourdomain.com (modify to your own domain on the end)
Azure New Portal https://portal.azure.com/

Intune
Intune Admin Portal https://manage.microsoft.com/MicrosoftIntune/

Skype For Business Online
Skype For Business Admin Portal https://adminau1.online.lync.com/lscp/ (possibly Australia only?)

Exchange Online
Exchange Admin Center https://outlook.office365.com/ecp/

Apps
Power BI https://app.powerbi.com
Exchange Online Mailbox https://outlook.office365.com/
Yammer https://www.yammer.com/office365
SharePoint Online https://yourdomain.sharepoint.com/_layouts/15/sharepoint.aspx
Planner https://tasks.office.com
Office Online (Word, Excel etc) https://office.live.com
Sway https://www.sway.com/
Security and Compliance https://protection.office.com
Office Store https://portal.office.com/store

 

Microsoft have a list of all Office 365 URLs and IPs too, but that’s for you to configure your firewall preemptively rather than an Office 365/Azure Admin.

If you have any adds or changes, please let me know!

 

Update 7th September 2016

Microsoft have put up a giant list of links to all the Azure bits and pieces, check it out!