I am using the following command to set the logo of a app registration: Set-AzureADApplicationLogo -ObjectId $app.ObjectId -FilePath ".\logo.png"

The output is the following error:

Set-AzureADApplicationLogo : Invalid image file
At line:1 char:1
+ Set-AzureADApplicationLogo -ObjectId $app.ObjectId -FilePath ".\metas ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Set-AzureADApplicationLogo], IOException
    + FullyQualifiedErrorId : System.IO.IOException,Microsoft.Open.AzureAD16.Graph.PowerShell.Custom.Cmdlet.SetApplica
   tionMainLogoCustom

At first I thought the image was too large so I changed it to a 215x215 png as per the guidelines but that did not help.

If I configure an Enterprise Application, with SSO,
how do I get the certificate information, the notification email, the user attribs, the claims?

Get-AzureADapplication doesn't provide any of this.

Hello everyone,
this is my command:
New-AzureADMSInvitation -InvitedUserEmailAddress $email -SendInvitationMessage $false -InviteRedirectUrl "https://example.com" -InvitedUserDisplayName "$lastname, $firstname"
The variables are all initialized.
Nevertheless I am getting the following error:

New-AzureADMSInvitation : Object reference not set to an instance of an object.
At C:\Users\attenbej\Desktop\inviteUsersToAAD.ps1:84 char:9
+         New-AzureADMSInvitation -InvitedUserEmailAddress $email -Send ...
+         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [New-AzureADMSInvitation], NullReferenceException
    + FullyQualifiedErrorId : System.NullReferenceException,Microsoft.Open.MSGraphV10.PowerShell.NewAzureADMSInvitation

Could you please look into that, as I am pretty sure that my command is correct.
$PSVersionTable.PSVersion shows:

Major  Minor  Build  Revision
-----  -----  -----  --------
5      1      17763  1490

Thanks in advance.

Using the AzureADPreview module, version 2.0.2.136 I notice that the 'All' parameter of Get-AzureADUser behaves like a "boolean parameter" rather than a "switch parameter".

That is to say this:

Get-AzureADUser -All

throws this error:

Get-AzureADUser : Missing an argument for parameter 'All'. Specify a parameter of type 'System.Nullable`1[System.Boolean]' and try again.

The only way to use the 'All' parameter is by providing a boolean value:

Get-AzureADUser -All:$true

I'm trying to register an Azure application using the Powershell modules, however we are using the MSAL 2.0 Implicit flow which I belive means my reply URLs need to be type "SPA".

How do you specify type? Set-AzureADApplication takes a list of string only.

My manifest currently looks like:

"replyUrlsWithType": [ { "url": "http://localhost:8080/*", "type": "Web" } ]

But I believe I need:

"replyUrlsWithType": [ { "url": "http://localhost:8080/*", "type": "SPA" } ]

Thanks

See this post for details: MicrosoftDocs/azure-docs#10926

We tried to publish corporate app with Azure AD to apple store and got rejected as we are using Third-party Sign-ins. Is it possible to disable or remove Can’t access your account, Sign-in options for single tenant or clientid ? Also highlighted as part of screenshots

I was not sure about where to post , let me know if there is another forum where i can get better help.

Reference
https://stackoverflow.com/questions/59149871/sign-in-with-apple-under-azure-ad-b2c

Any pointers will be really appreciated.

Hello,

When trying to add Application Permissions to an App Registration, I am running into an issue where the permission is added as a GUID and is unable to verified.

For example, adding the Microsoft Graph Directory.Read.All permission, I am running the following:

Get the service principal

$graph = Get-AzureADServicePrincipal -SearchString "Microsoft Graph"

Create the access opject

$readAll = New-Object Microsoft.Open.AzureAd.Model.ResourceAccess

Application permission instead of delegated

$readAll.Type = "Role"

Permission ID

$readAll.Id = ($graph.Oauth2Permissions | where {$_.Value -eq 'Directory.Read.All'}).Id

$graphRequiredAccess = New-Object Microsoft.Open.AzureAd.Model.RequiredResourceAccess
$graphRequiredAccess.ResourceAppId = $graph.AppId
$graphRequiredAccess.ResourceAccess = New-Object System.Collections.Generic.List[Microsoft.Open.AzureAD.Model.ResourceAccess]
$graphRequiredAccess.ResourceAccess.Add($readAll)

$requiredPermissions = New-Object System.Collections.Generic.List[Microsoft.Open.AzureAd.Model.RequiredResourceAccess]
$requiredPermissions.Add($graphRequiredAccess)

create the application

$app = New-AzureADApplication -DisplayName "Test Application" -AvailableToOtherTenants $false -RequiredResourceAccess $requiredPermissions

This creates the following permission in the app:

When attempting to validate through the web interface, I get the following:

I've tried the New-AzureADServiceAppRoleAssignment as well, but get an error when I try to use the ID of the required resource. The only way I can get the command to complete is with the following:

create the service principal to assign application permissions to

$sp = New-AzureADServicePrincipal -AppId $app.AppId

assign the permissions to the service prinicpal

foreach ($requiredApp in $app.RequiredResourceAccess)
{
New-AzureADServiceAppRoleAssignment -ObjectId $sp.ObjectId -PrincipalId $sp.ObjectId `
-ResourceId ($sps | where {$_.AppId -eq $requiredApp.ResourceAppId}).ObjectId -Id ([Guid]::Empty)
}

It still generates the Consent Validation Failed message from above.

From what I can see, none of these cmdlets have examples loaded into them, in either a Docs page or using the Get-Help -examples commands.

As a note, I tried using the Azure Bash CLI commands of az ad app permission grant --id 00000000-0000-0000-0000-000000000000 --api 0000-0000-c000-000000000000 --api-permission 06da0dbc-49e2-44d2-8312-53f166ab848a=Scope generates the same result in the web interface as the screen shot above, with the same Consent Validation Failed message when trying to grant access.

Let me know if I can provide any further information.

AzureAD does not seem to have something like Add-AzEnvironment in PowerShell Az. Then how to login to custom Azure environment using Connect-AzureAD?

I want to fill the field "Internal Notes" inside an App-Registration programatically:

I can archieve this with REST Query: https://docs.microsoft.com/en-us/graph/api/resources/application?view=graph-rest-1.0#properties

... but not with Powershell. Bug or Feature?

When creating or updating an Azure Ad Application, and adding optionalClaims, if you supply a samlToken List of OptionalClaim you get the following error

Set-AzureADApplication : Error occurred while executing SetApplication 
Code: Request_BadRequest
Message: The property 'samlToken' does not exist on type 'Microsoft.DirectoryServices.OptionalClaims'. Make sure to only use property names that are defined by the type.
RequestId: <obfuscated>
DateTimeStamp: Thu, 15 Jul 2021 08:47:01 GMT
HttpStatusCode: BadRequest
HttpStatusDescription: Bad Request
HttpResponseStatus: Completed
At C:\<obfuscated>\App Manifests\test-creation.ps1:73 char:1
+ Set-AzureADApplication -ObjectId $appObjectId -RequiredResourceAccess ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Set-AzureADApplication], ApiException
    + FullyQualifiedErrorId : Microsoft.Open.AzureAD16.Client.ApiException,Microsoft.Open.AzureAD16.PowerShell.SetApplication

It would appear to be an underlying issue as at least one other implementation also have this issue.

Certainly the type is different, but that may be an inheritance thing, or the wrong class is being used entirely as the model is of type Microsoft.Open.AzureAD.Model.OptionalClaims and not Microsoft.DirectoryServices.OptionalClaims'

$groups_claim = [Microsoft.Open.AzureAD.Model.OptionalClaim]::new("groups", $null, $false, @("sam_account_name","emit_as_roles"))
$email_claim = [Microsoft.Open.AzureAD.Model.OptionalClaim]::new("email", $null, $false, @())
$username_claim = [Microsoft.Open.AzureAD.Model.OptionalClaim]::new("preferred_username", $null, $false,  @())

$idtoken_claims = [System.Collections.Generic.List[Microsoft.Open.AzureAD.Model.OptionalClaim]]::new(2)
$idtoken_claims.Add($email_claim)
$idtoken_claims.Add($groups_claim)

$accessToken_claims = [System.Collections.Generic.List[Microsoft.Open.AzureAD.Model.OptionalClaim]]::new(2)
$accessToken_claims.Add($username_claim)
$accessToken_claims.Add($groups_claim)

$saml2Token_claims = [System.Collections.Generic.List[Microsoft.Open.AzureAD.Model.OptionalClaim]]::new(1)
$saml2Token_claims.Add($groups_claim)

$optional_claims = [Microsoft.Open.AzureAD.Model.OptionalClaims]::new($idtoken_claims, $accessToken_claims, $saml2Token_claims)

 #Set permissions in existing Azure AD App
$appObjectId=$aadApplication.ObjectId
Set-AzureADApplication -ObjectId $appObjectId -OptionalClaims

After using the New-AzureADMSNamedLocationPolicy cmdlet to create a named location, the new named location does not show up in the Azure AD Conditional Access > Named Locations. However, it does show up with Get-AzureADMSNamedLocationPolicy and it does show up in the portal under Named Locations (preview).

It also seems as thought the new policy is not taking effect. When I move an IP address from the old named location policy to the new location policy created with the script, I can no longer access the portal from that IP. The policies are both set as 'Trusted'.

The AzureAD PowerShell module does not work on PowerShell version 6.2.3:

PS C:\Users\alex> Import-Module AzureAD
Import-Module : Could not load file or assembly 'System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089'. The system cannot find the file specified.
At line:1 char:1
+ Import-Module AzureAD
+ ~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo          : NotSpecified: (:) [Import-Module], FileNotFoundException
+ FullyQualifiedErrorId : System.IO.FileNotFoundException,Microsoft.PowerShell.Commands.ImportModuleCommand

PS C:\Users\alex> Get-Host | Select-Object Version

Version
-------
6.2.3

As the title states, if a tenant chooses Linux as a platform under any Conditional Access Policy, the commands to get policies throws a nasty error.

Get-AzureADMSConditionalAccessPolicy
Get-AzureADMSConditionalAccessPolicy : Error converting value "linux" to type 'Microsoft.Open.MSGraph.Model.ConditionalAccessDevicePlatforms'. Path
'value[5].conditions.platforms.includePlatforms[2]', line 1, position 5853.
At line:1 char:1
+ Get-AzureADMSConditionalAccessPolicy
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Get-AzureADMSConditionalAccessPolicy], ApiException
    + FullyQualifiedErrorId : Microsoft.Open.MSGraphBeta.Client.ApiException,Microsoft.Open.MSGraphBeta.PowerShell.GetAzureADMSConditionalAccessPolicy

I realize this next bit is beyond the scope of this repo, but additionally the Microsoft Graph module doesn't throw an error, it just omits the policy in it's entirety.
Not helpful for admins or auditors looking to programmatically pull the policies and details.

Linking with original issue

Is there a set of commands similar to "Get-AzureADDeletedApplication" and "Restore-AzureADDeletedApplication" but for Service Principals. I have been looking here: https://docs.microsoft.com/en-us/powershell/module/azuread/?view=azureadps-2.0#service-principals but I was not able to find anything like it.

Or else, is there any way to restore an app registration along with the associated service principal?

Module installation works, but:

PS C:\Users\viscia> connect-azuread
Connect-AzureAD: One or more errors occurred. (Could not load type 'System.Security.Cryptography.SHA256Cng' from assembly 'System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089'.): Could not load type 'System.Security.Cryptography.SHA256Cng' from assembly 'System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089'.
Connect-AzureAD: One or more errors occurred. (Could not load type 'System.Security.Cryptography.SHA256Cng' from assembly 'System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089'.)
Connect-AzureAD: Could not load type 'System.Security.Cryptography.SHA256Cng' from assembly 'System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089'.
Connect-AzureAD: One or more errors occurred. (Could not load type 'System.Security.Cryptography.SHA256Cng' from assembly 'System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089'.): Could not load type 'System.Security.Cryptography.SHA256Cng' from assembly 'System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089'.

It is possible and/or planned to have AzureADUtils module installable via the PowerShell Gallery. Been working through Get data using the Azure AD Reporting API with certificates and it would be nice if the install for AzureADUtils was as straight forward as the new AzureAD module and cmdlets. There are some useful and important cmdlets in AzureADUtils.

If a create an Application via the Azure Portal, the manifest shows the source as null

"optionalClaims": {
		"idToken": [
			{
				"name": "email",
				"source": null,
				"essential": false,
				"additionalProperties": []
			},
			{
				"name": "groups",
				"source": null,
				"essential": false,
				"additionalProperties": [
					"sam_account_name",
					"emit_as_roles"
				]
			}
		],

However if I create a optionalClaim via PowerShell, the resulting optionalClaim is string Empty and not null as provided.

	"optionalClaims": {
		"idToken": [
			{
				"name": "email",
				"source": "",
				"essential": false,
				"additionalProperties": []
			},
			{
				"name": "groups",
				"source": "",
				"essential": false,
				"additionalProperties": [
					"sam_account_name",
					"emit_as_roles"
				]
			}
		],

code to create the class instance in powershell is as follows, each of the instance uses the built in constructor and the 2nd parameter is the source, each is supplied as $null

$groups_claim = [Microsoft.Open.AzureAD.Model.OptionalClaim]::new("groups", $null, $false, @("sam_account_name","emit_as_roles"))
$email_claim = [Microsoft.Open.AzureAD.Model.OptionalClaim]::new("email", $null, $false, @())
$username_claim = [Microsoft.Open.AzureAD.Model.OptionalClaim]::new("preferred_username", $null, $false,  @())

$idtoken_claims = [System.Collections.Generic.List[Microsoft.Open.AzureAD.Model.OptionalClaim]]::new(2)
$idtoken_claims.Add($email_claim)
$idtoken_claims.Add($groups_claim)

$accessToken_claims = [System.Collections.Generic.List[Microsoft.Open.AzureAD.Model.OptionalClaim]]::new(2)
$accessToken_claims.Add($username_claim)
$accessToken_claims.Add($groups_claim)

$optional_claims = [Microsoft.Open.AzureAD.Model.OptionalClaims]::new($idtoken_claims, $accessToken_claims)

Set-AzureADApplication -ObjectId $appObjectId -RequiredResourceAccess $requiredResourcesAccess -OptionalClaims $optional_claims

This seems like the obvious place to host the powershell code. And all the other client libraries are here. Is there a reason the AzureAD powershell module isn't here? Can I find it somewhere else?

Cannot index into a null array.
At C:\docs\Powershell\AzureADUtils.psm1:83 char:7

•   $ADAL_Assembly = (Get-ChildItem "Microsoft.IdentityModel.Client ...
  

•   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  

  • CategoryInfo : InvalidOperation: (:) [], RuntimeException
  • FullyQualifiedErrorId : NullArray

Cannot index into a null array.
At C:\docs\Powershell\AzureADUtils.psm1:85 char:7

•   $ADAL_WindowsForms_Assembly = (Get-ChildItem "Microsoft.Identit ...
  

•   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  

  • CategoryInfo : InvalidOperation: (:) [], RuntimeException
  • FullyQualifiedErrorId : NullArray

I tried to Revoke-AzureADUserAllRefreshToken for a user but that fails while I have the authentication administrator and user administrator elevated by PIM. That fails with the following error:

 Get-AzureADUser -All:$true -SearchString username | Revoke-AzureADUserAllRefreshToken 
Revoke-AzureADUserAllRefreshToken : Error occurred while executing RevokeUserAllRefreshTokens
Code: Authorization_RequestDenied
Message: Access to invalidate refresh tokens operation is denied.
RequestId: 863a01c8-84bc-443d-815b-e09cb7a633e7
DateTimeStamp: Mon, 21 Dec 2020 12:35:15 GMT
HttpStatusCode: Forbidden
HttpStatusDescription: Forbidden
HttpResponseStatus: Completed
At line:1 char:82
 | Revoke-AzureADUserAllRefreshToken | 
+                                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Revoke-AzureADUserAllRefreshToken], ApiException
    + FullyQualifiedErrorId : Microsoft.Open.AzureAD16.Client.ApiException,Microsoft.Open.AzureAD16.PowerShell.RevokeUserAllRefreshTokens

Environment data

$PSVersionTable

Name Value

PSVersion 5.1.19041.610
PSEdition Desktop
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0...}
BuildVersion 10.0.19041.610
CLRVersion 4.0.30319.42000
WSManStackVersion 3.0
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1

Hello,
The following script does not display the first variable of $GroupMember. I think the problem in on the module because I tried the script with different parameters (for example without the | where), the issue is still here. The list could be sort by different way, but the first $GroupMember still not displayed.

$GroupMember=""
$Groups = Get-AzureADGroup
foreach ($Group in $Groups) {
    $GroupMember = Get-AzureADGroupMember -ObjectId $Group.ObjectId | where {$_.UserType -eq 'Guest'}
    if ($GroupMember) {
        Write-Host `n "Group :" -ForegroundColor Green $Group.DisplayName "-" $Group.ObjectId
        $GroupMember | select DisplayName,UserPrincipalName,UserType
    }
}

I found a different way to display what I want, but it could be good to fix this issue :)
Tanks for help

Hi Team,

We are suddenly observing that Set-MsolPasswordPolicy and Set-MsolCompanySettings are giving Access Denied. You do not have permissions to call this cmdlet.

The user account is having global administrator privileges, and earlier it was working fine suddenly we are observing it today.

Code:

Install-Module -Name MSOnline
Import-module MSOnline
$passwd = ConvertTo-SecureString 'XXXX' -AsPlainText -Force
$pscredential = New-Object System.Management.Automation.PSCredential('XXXXX', $passwd)

Connect-MSOlService -Credential $pscredential

Set-MsolPasswordPolicy -ValidityPeriod 60 -NotificationDays 14 -DomainName "XXXXX" -TenantId 'XXXX'

FYI Set-MsolDeviceRegistrationServicePolicy -MaximumDevicesPerUser 1 but it is working as expected.