Thursday, February 16, 2017

Azure Active Directory: connect AAD for management with PowerShell

The Azure Active Directory V2 PowerShell module (AzureAD) enables management of Azure Active Directory from PowerShell.
To perform management tasks a connection to the AAD tenant is required. The cmdlet Connect-AzureAD establishes that connection.

Started this way, with no parameters (a bare Connect-AzureAD), the user is prompted to enter credentials for the connection.

If login succeeds, a confirmation with the account, environment and tenant is displayed.

The connection can be validated with the cmdlet Get-AzureADDomain.

If the user is connected to an AAD tenant where they hold management privileges, the domains of that tenant are listed. But often the following error message is returned instead:

Get-AzureADDomain : Error occurred while executing GetDomains
StatusCode: Forbidden
ErrorCode: Authentication_Unauthorized
Message: User was not found
At line:1 char:1
+ Get-AzureADDomain
+ ~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Get-AzureADDomain], ApiException
    + FullyQualifiedErrorId : Microsoft.Open.AzureAD16.Client.ApiException,Microsoft.Open.AzureAD16.PowerShell.GetDomain


The reason is that Connect-AzureAD was called without a tenant, so it signed the account in to its home tenant rather than the tenant where the user holds admin privileges (the typical case is an account that is a guest in the tenant it administers; in the home tenant the directory reports "User was not found").
To ensure the connection goes to the expected AAD tenant, the tenant ID must be specified in the call to Connect-AzureAD (the -TenantId parameter):


If the tenant ID is specified properly, the confirmation printed by Connect-AzureAD shows the same tenant ID as passed in the call, and Get-AzureADDomain returns the domain list of that tenant instead of the error.

The tenant ID for an AAD tenant can be obtained from the Azure portal (Azure Active Directory, Properties, Directory ID).
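The following script is an added example and is not part of the original post. It resolves a tenant's domain name to its tenant ID without signing in, by reading the public OpenID Connect discovery document that Azure AD publishes per tenant, then connects with an explicit -TenantId and validates the session with Get-AzureADDomain. The domain name contoso.onmicrosoft.com is a placeholder, and the function names are the example's own.

```powershell
# Added example, not from the original post.
# Requires the AzureAD module: Install-Module AzureAD

function Get-AadTenantIdFromDomain {
    param([Parameter(Mandatory)][string]$DomainName)
    # Unauthenticated discovery endpoint; the "issuer" value embeds the tenant GUID
    # (e.g. https://sts.windows.net/<tenant-guid>/).
    $uri = "https://login.microsoftonline.com/$DomainName/.well-known/openid-configuration"
    $config = Invoke-RestMethod -Uri $uri -Method Get
    if ($config.issuer -match '([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12})') {
        return $Matches[1]
    }
    throw "Could not extract a tenant ID from issuer '$($config.issuer)' for $DomainName"
}

function Connect-AadTenant {
    param([Parameter(Mandatory)][string]$DomainName)

    $tenantId = Get-AadTenantIdFromDomain -DomainName $DomainName
    Write-Host "Resolved $DomainName to tenant $tenantId"

    # Passing -TenantId explicitly prevents landing in the account's home tenant.
    $session = Connect-AzureAD -TenantId $tenantId

    # Sanity check: the session must report the tenant we asked for.
    if ("$($session.TenantId)" -ne $tenantId) {
        throw "Connected to tenant $($session.TenantId) instead of $tenantId"
    }

    # Validate privileges: this is the call that fails with
    # Authentication_Unauthorized / "User was not found" in the wrong tenant.
    try {
        Get-AzureADDomain | Select-Object Name, IsVerified, IsDefault
    }
    catch {
        throw "Connected to $tenantId but the account has no directory rights there: $($_.Exception.Message)"
    }

    return $session
}

# Placeholder domain; replace with the tenant you administer.
Connect-AadTenant -DomainName 'contoso.onmicrosoft.com'
```

The discovery document is served to anyone, so the lookup works before authentication and for guest accounts alike; the only credential exchange is the interactive Connect-AzureAD call.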


Since only a few Azure users note the tenant ID of their AAD tenants rather than the domain name, an improvement of the PowerShell module for Azure Active Directory is to be expected: a parameter such as TenantDomainName as an alternative to the TenantId parameter, to enter the full domain name instead of the GUID-based ID.