Azure AD

Azure AD – Create Security Groups and Add Members using PowerShell

by

Azure AD security groups can be used to manage member and computer access to shared resources for a group of users. A security group can have users, devices, groups and SPNs as its members. In this post, I’ll go over steps on how to create a Azure AD security group, add users to one group and also bulk import users to one group and multiple groups.

Make sure you are connected to Azure AD,

$credential = Get-Credential
Connect-AzureAD -credential $credential

To create an Azure AD security group:

$GroupName = Read-Host "Enter name for Azure AD group"
New-AzureADGroup -DisplayName $GroupName -MailEnabled $false -SecurityEnabled $true -MailNickName "NotSet"

To create multiple Azure AD security groups:

Note: csv file has name,description as column headers

$groups = import-csv "C:\tmp\AzureAD Groups\groups.csv"

Foreach($group in $groups) {
New-AzureADGroup -DisplayName $group.name -Description $group.description -MailEnabled $false -SecurityEnabled $true -MailNickName "NotSet"
}

To add an user and an owner to an existing group:

$Group = Read-Host "Enter name of Azure AD group"
$User = Read-Host "Enter username of user to be added"
$Owner = Read-Host "Enter username of group owner"

$GroupObj = Get-AzureADGroup -SearchString $Group
$UserObj = Get-AzureADUser -SearchString $User
$OwnerObj = Get-AzureADUser -SearchString $Owner

Add-AzureADGroupMember -ObjectId $GroupObj.ObjectId -RefObjectId $UserObj.ObjectId
Add-AzureADGroupOwner -ObjectId $GroupObj.ObjectId -RefObjectId $OwnerObj.ObjectId

To display members of a security group:

$Group = Read-Host "Enter name of Azure AD group to display members"
$GroupObj = Get-AzureADGroup -SearchString $Group
Get-AzureADGroupMember -ObjectId $GroupObj.ObjectId

To display owners of a security group:

$Group = Read-Host "Enter name of Azure AD group to display owner(s)"
$GroupObj = Get-AzureADGroup -SearchString $Group
Get-AzureADGroupOwner -ObjectId $GroupObj.ObjectId

To bulk add multiple users to a specific group:

Note: csv file has UserPrincipalName as column header

$Group = Read-Host "Enter name of Azure AD group to add users"
$GroupObj = Get-AzureADGroup -SearchString $Group
$Members = Import-csv "C:\tmp\GroupMembers.csv"
Foreach($Member in $Members) {

$User = $Member.UserPrincipalName
Write-Progress -Activity "Adding user.." -Status $User

Try {
$UserObj = Get-AzureADUser -SearchString $User
Add-AzureADGroupMember -ObjectId $GroupObj.ObjectId -RefObjectId $UserObj.ObjectId
}
catch {
Write-Host "Error occured while adding $User" -ForegroundColor Red
}
}

To bulk add multiple users to multiple groups. This below script checks to see if the user is already part of the Azure AD group and returns an error.

Note: csv file has UserPrincipalName,Group as column headers

$list = Import-csv "C:\tmp\UsersGroups.csv"
Foreach($entry in $list) {

$User = $entry.UserPrincipalName
$Group = $entry.Group
$UserObj = Get-AzureADUser -SearchString $User
$GroupObj = Get-AzureADGroup -SearchString $Group
$GroupMembers = (Get-AzureADGroupMember -ObjectId $GroupObj.ObjectId).UserPrincipalName

If ($User -notin $GroupMembers) {
    Add-AzureADGroupMember -ObjectId $GroupObj.ObjectId -RefObjectId $UserObj.ObjectId
    Write-Host "$User added to $Group" -ForegroundColor Green
    }
    else {
    Write-Host "$User already in $Group" -ForegroundColor Red
    }
}

Hope this was helpful for you in exploring Azure AD security groups.

Thank you for stopping by. ✌

Azure AD – Bulk Add Guest users using PowerShell

by

With Azure AD B2B collaboration, we can invite guest users into our tenant to allow them to access M365 apps and other Azure AD SSO integrated apps. There are multiple ways to invite external users into our Azure AD tenant. In this post, I’ll go through what I worked on recently to invite a bunch of external users in to one of the tenants I manage.

Make sure you are connected to Azure AD,

$credential = Get-Credential
Connect-AzureAD -credential $credential

To send an invite to an external user:

$GuestName = Read-Host "Enter name of user being invited"
$GuestEmail = Read-Host "Enter email address of user being invited"
New-AzureADMSInvitation -InvitedUserDisplayName $GuestName -InvitedUserEmailAddress $GuestEmail -SendInvitationMessage $True -InviteRedirectUrl "http://myapps.microsoft.com"

To bulk invite users from a csv file, this below script will work. This script checks to make sure if the user is already invited and also includes a custom message you can include in the invite.

How the csv file looks like,

$GuestUsers = Import-csv "C:\tmp\InviteGuestUsers\GuestUsers.csv"

$invitationBody = @"
Hi,

Please accept this invitation to join our organization.
If you have any questions, please contact our helpdesk at
support@internaldomain.com

"@

$invitemessage = @{customizedmessagebody = $invitationBody}

ForEach($GuestUser in $GuestUsers) {

$GuestUserEmail = $GuestUser.GuestEmail
$GuestUserName = $GuestUser.GuestName

    if ((Get-AzureADUser -SearchString $GuestUserEmail).Length -le 0) {

        $Invite = New-AzureADMSInvitation -InvitedUserDisplayName $GuestUserName -InvitedUserEmailAddress $GuestUserEmail -SendInvitationMessage $True -InvitedUserMessageInfo $invitemessage -InviteRedirectUrl "http://myapps.microsoft.com"
        Write-Host "Guest user $GuestUserName invited" -ForegroundColor Green
        } else {
        $status = Get-AzureADUser -filter "Mail eq '$GuestUserEmail'" | Select -Expandproperty UserState
        Write-Host "Guest user $GuestUserName already invited - Guest account exists in tenant and invite status is $status" -ForegroundColor Red
        }
}

To list all guest users in the tenant and their invitation acceptance status:

Get-AzureADUser -filter "UserType eq 'Guest'" | Select DisplayName,UserPrincipalName,UserState

or a filter can be applied to determine a specific user,

$guestuser = Read-Host "Enter the guest user email address to check invite status"
Get-AzureADUser -filter "Mail eq '$guestuser'" | Select DisplayName,UserPrincipalName,UserState

Hope this post helped you in external user invites.

Thank you for stopping by. ✌

Enable Federation with Azure AD SSO and Amazon AppStream 2.0

by

We can enable users to sign in to AppStream 2.0 by using their existing Azure AD credentials, and start streaming applications. To accomplish this, we use an IAM role and a relay state URL to configure Azure AD and enable AWS to permit users to access an AppStream 2.0 stack. The IAM role grants users the permissions to access the stack. The relay state is the stack portal to which users are forwarded after successful authentication by AWS.

In this post, I’ll go over steps on how to configure federated user access for Amazon AppStream 2.0 using Azure AD SSO for Enterprise Apps.

The below diagram illustrates the authentication flow between AppStream 2.0 and Azure AD as identity provider (IdP).

Authentication Workflow

From a user’s perspective, this above process happens seamlessly. The user starts at myapps.microsoft.com and is automatically redirected to an AppStream 2.0 application portal without being required to enter AWS credentials.

The setup process goes like in this diagram below,

Create an Azure AD SSO application

  1. Login to Azure AD Admin Center (https://aad.portal.azure.com/)
  2. Click on the Enterprise applications tab
  3. To add new application, Click New application
Enterprise applications
  1. Click Create your own application
Azure AD – New Application
  1. Provide a name for your application
    • I’ve named my application AppStream-DesignUsers
  2. Select Integrate any other application you don’t find in the gallery (Non-gallery) and click Create
Create your own application
  1. Once the application is added, from the left navigation menu, Click on Single sign-on, and choose SAML
SSO method – SAML
  1. Click Edit in the Basic SAML Configuration
Basic SAML Configuration
  1. Provide the Identifier (Entity ID) and Reply URL (Assertion Consumer Service URL), then click Save
    • Identifier (Entity ID) = URN:AMAZON:WEBSERVICES
    • Reply URL (Assertion Consumer Service URL) = https://signin.aws.amazon.com/saml
    • Sign on URL (Optional) = <leave it blank>
    • Relay State (Optional) = <leave it blank>, We will revisit this later in this post
      • The entity ID is passed during the SAML exchange
      • Azure AD requires this value to be unique for each application
      • When we add more AppStream 2.0 stacks, we can append a number to the string; for example, URN:AMAZON:WEBSERVICES1,URN:AMAZON:WEBSERVICES2
Basic SAML Configuration – Continued
  1. In the SAML Signing Certificate section, click Download next to the Federation Metadata XML and save the .xml file to your computer
Download Federation Metadata XML

Create the SAML identity provider

Now, we need to create the SAML provider in AWS IAM console.

  1. In AWS console, search and open IAM
  2. In the left navigation window, click Identity providers, and the Add provider
AWS IAM – Add provider
  1. On the Configure Provider page, for the Provider Type, select SAML
  2. For Provider name, I’ve named it AzureAD-SSO
  3. Click Choose File to upload the metadata document that previously downloaded from Azure AD, and click Add provider
Configure identity provider
  1. Click on the identity provider we just created
Identity provider added
  1. Copy the value for the Provider ARN
    • The ARN is in the following format: arn:aws:iam::AccountID:saml-provider/Provider Name
Copy Identity provider ARN

Configure an IAM policy

We need to create a policy with permissions to the AppStream 2.0 stack. This way we can ensure that users have only the permission to stream applications from a specific stack.

  1. In the IAM console, choose Policies, click Create Policy
  2. In Create policy page, choose the JSON tab
  3. Copy and paste the following JSON policy into the JSON window
    • Modify the resource by entering your AWS Region Code, account ID, and stack name
      • AWS Region Code = Determine AWS region code here
      • account ID = In AWS console, click on your user name in the top right of the window and your account ID is there
      • Stack name = AppStream stack name which we want to grant access to users to
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "appstream:Stream",
      "Resource": "arn:aws:appstream:REGION-CODE:ACCOUNT-ID-WITHOUT-HYPHENS:stack/STACK-NAME",
      "Condition": {
          "StringEquals": {
              "appstream:userId": "${saml:sub}"           
          }
        }
    }
  ]
}
AWS IAM – Policy
  1. In the Review policy page, provide Name, Description and click Create policy
Review and create policy
  1. You should see the following notification once the policy is created,

Create an IAM Role

In this step, we will create a role that our Azure AD users will assume when federating to AppStream 2.0

  1. In the IAM console, choose Roles, click Create role
  2. For the Trusted entity type, select SAML 2.0 federation
  3. Under SAML 2.0-based provider, choose the SAML IdP that we created earlier
  4. For the Attribute, pick SAML:aud and type https://signin.aws.amazon.com/saml
  5. Do not add any conditions and click Next
AWS IAM – Role
  1. In Add permissions, select the IAM policy we created earlier and click Next
Add permissions
  1. Provide a Role Name and Description that identifies the role, and click Create Role
  2. Once created, locate and click on the role we just created
  3. Copy the Role ARN
    • The ARN is required to configure claims rules later
    • The ARN is in the following format: arn:aws:iam::AccountID:role/Role Name
Copy role ARN

Configure the Azure AD SSO Application

Now we are ready to finish configuring the Azure AD application we started working on earlier

  1. Login to Azure AD Admin Center (https://aad.portal.azure.com/)
  2. Click on the Enterprise applications tab
  3. Choose the application we created earlier, from the left navigation menu, Click on Single sign-on
  4. Click Edit in the Basic SAML Configuration, Provide Relay State URL and click Save
    • Relay State = The Relay State is unique to the account, AWS Region, and AppStream 2.0 stack
    • Format is,
      • https://relay-state-region-endpoint?stack=stackname&accountId=aws-account-id-without-hyphens
    • Below table has a list of AppStream 2.0 Relay State Region Endpoints
Region Relay state endpoint
US East (N. Virginia)https://appstream2.us-east-1.aws.amazon.com/saml
(FIPS) https://appstream2-fips.us-east-1.aws.amazon.com/saml
US West (Oregon)https://appstream2.us-west-2.aws.amazon.com/saml
(FIPS) https://appstream2-fips.us-west-2.aws.amazon.com/saml
Asia Pacific (Mumbai)https://appstream2.ap-south-1.aws.amazon.com/saml
Asia Pacific (Seoul)https://appstream2.ap-northeast-2.aws.amazon.com/saml
Asia Pacific (Singapore)https://appstream2.ap-southeast-1.aws.amazon.com/saml
Asia Pacific (Sydney)https://appstream2.ap-southeast-2.aws.amazon.com/saml
Asia Pacific (Tokyo)https://appstream2.ap-northeast-1.aws.amazon.com/saml
Canada (Central)https://appstream2.ca-central-1.aws.amazon.com/saml
Europe (Frankfurt)https://appstream2.eu-central-1.aws.amazon.com/saml
Europe (Ireland)https://appstream2.eu-west-1.aws.amazon.com/saml
Europe (London)https://appstream2.eu-west-2.aws.amazon.com/saml
AWS GovCloud (US-West)https://appstream2.us-gov-west-1.amazonaws-us-gov.com/saml
(FIPS) https://appstream2-fips.us-gov-west-1.amazonaws-us-gov.com/saml
AppStream 2.0 Relay State Region Endpoints
Azure AD – Add Relay State
  1. Click Edit in the Attributes & Claims section
Azure AD – Attributes & Claims
  1. In Required claim,
    • Unique User Identifier (Name ID) = Key used to identify users in the SAML assertion
    • I generally stick with user.userprincipalname
    • Usually user.mail or user.userprincipalname works
  2. Click + Add new claim and add the below claims
    • By default, Azure AD populates several SAML attributes for all new applications
    • These attributes are not needed for the federation to AppStream 2.0
    • We can remove them by choosing the three dots next to each, and choosing Delete
      • If you decide to leave them as is, it doesn’t do any harm

Name = Role
Namespace = https://aws.amazon.com/SAML/Attributes
Source = Attribute
Source Attribute = This is the Role ARN from earlier in this post, followed by a comma and then the Provider ARN

Role attribute

Name = RoleSessionName
Namespace = https://aws.amazon.com/SAML/Attributes
Source = Attribute
Source Attribute = We can provide any string value. I’m going with user.mail

RoleSessionName attribute

Name = SAML_SUBJECT
Namespace = https://aws.amazon.com/SAML/Attributes
Source = Attribute
Source Attribute = We can provide any string value. I’m going with user.displayname

SAML_SUBJECT attribute

If the user intend to use the AppStream 2.0 client, sessions will default to a 60 minute timeout. This setting will determine the duration.

Name = SessionDuration
Namespace = https://aws.amazon.com/SAML/Attributes
Source = Attribute
Source Attribute = Value in seconds between 900 (15 minutes) and 43200 (12 Hours). I’m going with 28800 (8 Hours)

SessionDuration attribute

Assign Azure AD groups in Application

  1. In the left navigation menu, click Users and groups, click + Add user/group
  2. In Add Assignment, click Users and groups
  3. In the Users and groups dialog box, select the Azure AD group to provide access the AppStream 2.0 stack
  4. Click Assign
Assign Group

Also click on the Properties tab in the left navigation menu to check the following,

  • Enabled for users to sign-in? = Yes
  • Assignment required? = Yes
  • Visible to users? = Yes

I also uploaded an icon file for the app to look nicer.😉

Test Application

With a Azure AD security group assigned to the application and the other setting configured, we’re ready to test this with a user account. I’ve already added the user account to the assigned Azure AD group. To test this,

  1. User logs into myapps portal (https://myapps.microsoft.com/) with their Azure AD credentials
  2. User is presented with the AppStream stack,
User’s myapps portal view
User redirected to AppStream 2.0 app catalog

I also created a second fleet and stack, associated the fleet to the stack to demonstrate how we can assign different users to stacks. IMO, the myapps portal is a really cool feature and we can it to present AppStream to our users.

As I mentioned earlier in this post, adding more stack will require adding additional Azure AD applications and assigning AD group(s) to it.

All Stacks
All Fleets

This below is a different user logging into the myapps portal (https://myapps.microsoft.com/) with their Azure AD credentials and I’ve assigned the ‘DeveloperUsers-Stack-0323’ stack to them.

User’s myapps portal view

The user gets redirected to the AppStream 2.0 portal

User redirected to AppStream 2.0 app catalog

Issues you may encounter and How to fix it

Error: RoleSessionName is required in AuthnResponse (service: AWSSecurityTokenService; status code: 400; error code: InvalidIdentityToken)

Fix: I encountered this error with the second stack I had created. When is saw this error, my obvious first step is to make sure I didn’t miss the RoleSessionName attribute in the Azure AD app I created. And it was there with the expected value.

I then decided to go back over the AWS IAM role and policy I created and realized that in the I had picked the wrong identity provider and once I picked the correct one, this issue was resolved.

RoleSessionName is required in AuthnResponse (service: AWSSecurityTokenService; status code: 400; error code: InvalidIdentityToken)

Error: Unable to authorize the session. (Error Code: INVALID_AUTH_POLICY);Status Code:401

Fix: This error message occurs when the IAM policy does not permit access to the AppStream 2.0 stack or when the stack name is not entered into the policy. Similar mess up on my part.

I had mistyped the stack’s name while creating/typing in the JSON window during the policy creation step.

Unable to authorize the session. (Error Code: INVALID_AUTH_POLICY);Status Code:401

In my experience, the SAML-tracer for Chrome and Firefox comes in handy to help identify SAML related issues. It has certainly helped me in several instances.

Hope this post helped you to setup Azure AD SSO for your AppStream 2.0 stacks.

Thank you for stopping by.✌

Office 365 – Update Primary Email Address in Bulk using PowerShell

by

In this post, I’ll go over steps on how to update users’ primary email address in bulk.

I had to update the custom domain name address for one of the tenants I manage. When the O365 tenant was setup, I didn’t have my domain name ready for various reasons and the users were setup with @{tenantname}.onmicrosoft.com addresses. Once I added the necessary DNS records for O365 and made sure my new domain name is listed as default in the domain tab(Microsoft 365 admin center -> Settings -> Domains) in the list of , I was ready to update the user accounts with the new domain name.

Before proceeding further make sure you are connected to Exchange Online,

$o365cred = Get-Credential
Connect-ExchangeOnline -credential $o365cred

To bulk update accounts from a csv file:

Note: csv file has User,Emailaddress as column headers. Enter the users’ email address with new domain in the csv file. It is strongly recommended to leave the onmicrosoft.com address in the users’ proxy addresses and specifying the new address as PrimarySmtpAddress with SMTP.

$users = Import-Csv C:\tmp\Update-Email\emails.csv
foreach ($user in $users){

$Mailbox= Get-Mailbox -Identity $user.User
$PrimaryEmail=$Mailbox.PrimarySmtpAddress
$SMTP ="SMTP:"+$user.Emailaddress
Set-Mailbox -Identity $user.User -EmailAddresses $SMTP,$PrimaryEmail -WindowsEmailAddress $user.Emailaddress -MicrosoftOnlineServicesID $user.Emailaddress 

}

To bulk update all accounts in the O365 tenant:

Note: This below script will change all accounts in the tenant from whatever your enter for the $oldDomain to the $newDomain. So, proceed with caution and comply with your change management process and steps.

$oldDomain = Read-Host "Enter existing domain name in '@domainname.com' format"
$newDomain = Read-Host "Enter new domain name in '@domainname.com' format"

$mailboxes = (Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox).where{$_.PrimarySmtpAddress -like "*$oldDomain"}
foreach ($mbx in $mailboxes){

$PrimaryEmail = $mbx.PrimarySmtpAddress
$newSMTPAddress = $mbx.PrimarySmtpAddress -split '@'
$newSMTPAddress = $newSMTPAddress[0] + $newDomain
$SMTP ="SMTP:"+$newSMTPAddress
Write-Host "Processing: $mbx.Name --> $newSMTPAddress"
Set-Mailbox -Identity $mbx.Identity -EmailAddresses $SMTP,$PrimaryEmail -WindowsEmailAddress $newSMTPAddress -MicrosoftOnlineServicesID $newSMTPAddress
}

You can also make this change in bulk in the portal as well,

  1. Select all the users whom you wish you update
  2. Click on Change domains
  3. Select the desired domain name from the drop down at the pop-up window
  4. Click Save changes

Thank you for stopping by.✌

AzureAD/O365 – Update User’s Manager using PowerShell

by

Organizational hierarchy is vital to run everyday activities smoothly in any enterprise. With Azure AD, user’s manager information can be updated easily and this information can be used in other features like Teams and apps that require workflow.

In this post, I’ll go over steps on how to update manager information for a specific user, for a list of users based on information from a csv file and to determine users’ manager information

Make sure you are connected to Azure AD,

$credential = Get-Credential
Connect-AzureAD -credential $credential

To update manager information for a specific user:

$user = Read-Host "Enter user's email address to update Manager information"
$Manager = Read-Host "Enter Manager's email address"
Set-AzureADUserManager -ObjectId (Get-AzureADUser -SearchString $User).Objectid -RefObjectId (Get-AzureADUser -SearchString $Manager).Objectid

To bulk update users’ manager information from a CSV file:

Note: csv file has UserEmail,ManagerEmail as column headers

$list = Import-csv "C:\tmp\SetManager\UsersManagers.csv"
Foreach($entry in $list) {
        $User = $entry.UserEmail
        $Manager = $entry.ManagerEmail
        $UserObj = Get-AzureADUser -SearchString $User
        $ManagerObj = Get-AzureADUser -SearchString $Manager

        Write-Host Updating $UserObj.DisplayName with $ManagerObj.DisplayName as manager -ForegroundColor Yellow

        Set-AzureADUserManager -ObjectId $UserObj.Objectid -RefObjectId $ManagerObj.Objectid

        Write-Host "Update Complete." -ForegroundColor Green

}

To determine a user’s manager:

$user = Read-Host "Enter user's email address to determine Manager information"
(Get-AzureADUserManager -ObjectId (Get-AzureADUser -SearchString $User).Objectid).DisplayName

To determine all users’ manager information in the Azure AD tenant:

$Users = Get-AzureADUser -All $true

ForEach($User in $Users) {

    $Manager = Get-AzureADUserManager -ObjectId $User.Objectid
    If ($Manager) {
    Write-Host $User.DisplayName manager is $Manager.DisplayName -ForegroundColor Green}
    Else {
    Write-Host "No Manager information found" for $User.DisplayName -ForegroundColor Red}
}

Thank you for stopping by. ✌