The Azure Active Directory V2 PowerShell module enables management of Azure Active Directory (AAD) from PowerShell.
To perform management tasks, a connection to an AAD domain is required. The cmdlet Connect-AzureAD establishes that connection.
Started this way, the user is prompted to enter the credentials for the connection.
If the login succeeds, a confirmation is displayed.
The connection can be validated with the cmdlet Get-AzureADDomain.
If the user is connected to an AAD domain in which he has management privileges, information about the domain is displayed. Often, however, the following error message is returned instead:
Get-AzureADDomain : Error occurred while executing GetDomains
StatusCode: Forbidden
ErrorCode: Authentication_Unauthorized
Message: User was not found
At line:1 char:1
+ Get-AzureADDomain
+ ~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Get-AzureADDomain], ApiException
+ FullyQualifiedErrorId : Microsoft.Open.AzureAD16.Client.ApiException,Microsoft.Open.AzureAD16.PowerShell.GetDomain
The reason is that no tenant was specified when the connection was established, so the connection went to a domain in which the user has no admin privileges.
To ensure a connection to the expected AAD domain, the tenant ID must be specified in the call to the Connect-AzureAD cmdlet:
If the tenant ID is specified properly, the Get-AzureADDomain cmdlet returns a confirmation carrying the same tenant ID that was passed to Connect-AzureAD.
The tenant ID of an AAD domain can be obtained from the Azure portal.
Since only a few Azure users note the tenant ID of their AAD domains rather than the domain name, an improvement of the PowerShell module for Azure Active Directory is to be expected: a TenantDomainName parameter as an alternative to the TenantId parameter, so that the full domain name can be entered instead of the GUID-based ID.
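As an added example (not code from the original post), the following script connects to a specific tenant and checks that the session really landed there before running Get-AzureADDomain, and resolves the tenant GUID from a domain name via the public OpenID configuration endpoint as a stand-in for the TenantDomainName parameter wished for above. It assumes the AzureAD module is installed and that the object returned by Connect-AzureAD exposes a TenantId property; the domain name at the end is a placeholder.

```powershell
# Added example: connect to the expected AAD tenant and validate the connection.
# Assumes the AzureAD module is installed and the account has admin rights in the tenant.

# Resolve a tenant's GUID from its domain name using the unauthenticated OpenID
# configuration endpoint; the issuer URL embeds the tenant ID. Connect-AzureAD
# itself only accepts the GUID via -TenantId.
function Get-TenantIdFromDomain {
    param([Parameter(Mandatory)][string]$DomainName)
    $uri = "https://login.microsoftonline.com/$DomainName/.well-known/openid-configuration"
    $config = Invoke-RestMethod -Uri $uri
    # Issuer looks like https://sts.windows.net/<tenant-guid>/
    if ($config.issuer -match '([0-9a-fA-F-]{36})') { return $Matches[1] }
    throw "Could not resolve a tenant ID for domain '$DomainName'"
}

function Connect-ExpectedTenant {
    param([Parameter(Mandatory)][string]$TenantId)
    # Pass the tenant explicitly so the session is not bound to some other tenant
    # in which the account exists as a guest without admin privileges.
    $session = Connect-AzureAD -TenantId $TenantId
    if ([string]$session.TenantId -ne $TenantId) {
        throw "Connected to tenant $($session.TenantId) but expected $TenantId"
    }
    try {
        # Get-AzureADDomain returns Authentication_Unauthorized / 'User was not found'
        # when the account has no admin privileges in the connected tenant.
        Get-AzureADDomain -ErrorAction Stop | Select-Object Name, IsVerified, IsDefault
    } catch {
        Write-Error "Connected to $TenantId but cannot list domains: $($_.Exception.Message)"
        throw
    }
}

# Usage: resolve the tenant from its domain name (placeholder), then connect and validate.
$tenantId = Get-TenantIdFromDomain -DomainName 'contoso.onmicrosoft.com'
Connect-ExpectedTenant -TenantId $tenantId
```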