Azure Essentials - Free Training
At Ignite 2017, we launched the new Microsoft Azure Essentials, the best place to get started with and learn more about Azure. Don`t know what is Azure, or want to learn more about Azure and Cloud? Just choose a topic and use the curated set of demo videos, hands-on labs, and product trials to learn about and try Azure at your own pace. Be sure to also check out the Azure learning paths, and Azure certification. You can access all this content for free at Azure.com/EssentialsLogin to Windows virtual machine in Azure using Azure AD authentication (and the pitfalls)!
Dear Microsoft Azure Friends, This article is about the login to Windows virtual machine in Azure using Azure Active Directory authentication and what needs to be considered in the process. This article describes the procedure. So far, everything is actually in perfect order. https://docs.microsoft.com/en-us/azure/active-directory/devices/howto-vm-sign-in-azure-ad-windows So I have worked through the steps and now I want to log on to the virtual machine with an Azure Active Directory account. Why does this error message appear now? Have I done something wrong? I am going through all the steps again. No fits. So I take another close look at the article and discover the following: But that's exactly not the case with me. I want to connect from my local system which is not registered or joined in Azure. Let's take it one step at a time. First of all, I create a group in Azure Active Directory. This will contain the account I will use later for the login. ATTENTION: Use the appropriate Windows OS => Windows Server 2019 Datacenter edition and later or Windows 10 1809 and later Next I create a new virtual machine with the default settings (including a public IP address and yes this is not good, but this demo absolutely OK). Except for Management I set the following settings. If you want to work with an existing virtual machine you need to install the extension. You can do this with the Azure Cloud Shell, in a Bash terminal. az vm extension set \ --publisher Microsoft.Azure.ActiveDirectory \ --name AADLoginForWindows \ --resource-group YourResourceGroup \ --vm-name YourVM After the virtual machine is created we need to work with Role based Access Control RBAC. There are two roles that can be used. Virtual Machine Administrator Login or Virtual Machine User Login If you need local admin rights you need the first role. If you want to log in as a standard user, you can work with the second role. Now we connect to the virtual machine using RDP, but ATTENTION, I use the account I created when I created the virtual machine (not an Azure AD account). In the virtual machine I start the command prompt and use dsregcmd /status. The machine is Azure AD Joined. In the virtual machine, navigate to Start and invoke "run". Type sysdm.cpl and navigate to the Remote tab. Remove the "Allow connections..." option and click "Select Users". When you click on "Locations" you will immediately see that you cannot select an account from Azure AD. We need the command prompt for this. Start the command prompt with elevated privileges and enter the following (customized with your information, of course). net localgroup "remote desktop users" /add "AzureAD\Email address removed" Go back to the Azure Portal to your virtual machine. Download the RDP connection file. Open this RDP file with an editor and add the following lines. enablecredsspsupport:i:0 authentication level:i:2 Now double click on the RDP connection file and now use the Azure account for login. AND BINGO, we can now log in to our virtual machine using the Azure Active Directory account! Cool! I hope this article was useful. Thank you for taking the time to read the article. Best regards, Tom Wechsler P.S. All scripts (#PowerShell, Azure CLI, #Terraform, #ARM) that I use can be found on github! https://github.com/tomwechslerAzure Key Vault RBAC (Role Based Access Control) versus Access Policies!
Dear Microsoft Azure Friends, With an Azure Key Vault, RBAC (Role Based Access Control) and Access Policies always leads to confusion. Let me take this opportunity to explain this with a small example. First of all, let me show you with which account I logged into the Azure Portal. You can see this in the graphic on the top right. Now let's examine the subscription named "MSDN Platforms" by navigating to (Access Control IAM). In "Check Access" we are looking for a specific person. It is the Jane Ford, we see that Jane has the Contributor right on this subscription. So she can do (almost) everything except change or assign permissions. This is in short the Contributor right. Now we search for the Azure Kay Vault in "All resources", for this it is good to work with a filter. As you can see, Azure Key Vault (twkv77) is part of the "MSDN Platforms" subscription. We check again that Jane Ford has the Contributor Role (Inherited) by navigating to "Access Control IAM) in the Azure Kay Vault and clicking on "Role assignment". Now we navigate to "Access Policies" in the Azure Key Vault. As you can see there is a policy for the user "Tom" but none for Jane Ford. With an Access Policy you determine who has access to the key, passwords and certificates. This means that if there is no access policy for Jane, she will not have access to keys, passwords, etc. That's exactly what we're about to check. As you can see in the upper right corner I registered as "Jane Ford" (she gave me the authorization ;-)). If I now navigate to the keys we see immediately that the Jane has no right to look at the keys. There is no access policy for Jane where for example the right "List" is included, so she can't access the keys. With RBAC you control the so-called Management Plane and with the Access Policies the Data Plane. Now you know the difference between RBAC and an Access Policy in an Azure Key Vault! Sure this wasn't super exciting, but I still wanted to share this information with you. I hope this article was helpful for you? Thank you for taking the time to read this article. Best regards, Tom WechslerMy exam preparation for Microsoft Azure Administrator Associate (AZ-104)
Hi Azure Friends, Why should I take a certification? What does this certificate bring me? These are questions I am often asked. In all honesty, there is no exact answer to these questions. Let me explain how it would answer for me. The first question: I'm getting to know a new technology, I invest a lot of time, so why not complete this assignment with a certificate! Question number two: For me it is just a great feeling to learn new things, to keep up with the times and to get a new certificate. It also looks great in the CV (curriculum vitae) ;-)! So now let's look at the next steps together! My exam preparation checklist: 1. Read through the skills measured at your leisure https://docs.microsoft.com/en-us/learn/certifications/exams/az-104 2.Read the Study Guide by thomasmaurer . This is super helpful information! https://www.thomasmaurer.ch/2020/03/az-104-study-guide-azure-administrator/ 3. Create a free Azure account, if you don't already have one, so that you can do all the exercises in a hands-on manner https://azure.microsoft.com/en-us/free/ 4. Take a close look at the Microsoft learning path, even better work through it right away (the learning paths are listed a little further down on the website) https://docs.microsoft.com/en-us/learn/certifications/exams/az-104 5. Register for the exam early. This creates some pressure and you stay motivated https://docs.microsoft.com/en-us/learn/certifications/exams/az-104 6. Now it goes to the Microsoft Learn content. These learn paths (as you can see below) I have worked through completely and "mapped"/reconfigured as much as possible in my test environment. https://docs.microsoft.com/en-us/learn/paths/az-104-administrator-prerequisites/ https://docs.microsoft.com/en-us/learn/paths/az-104-manage-identities-governance/ https://docs.microsoft.com/en-us/learn/paths/az-104-manage-storage/ https://docs.microsoft.com/en-us/learn/paths/az-104-manage-compute-resources/ https://docs.microsoft.com/en-us/learn/paths/az-104-manage-virtual-networks/ https://docs.microsoft.com/en-us/learn/paths/az-104-monitor-backup-resources/ 7. Practice, practice, practice ... With examples from the Microsoft Azure documentation portal https://docs.microsoft.com/en-us/azure/?product=compute https://docs.microsoft.com/en-us/azure/?product=identity https://docs.microsoft.com/en-us/azure/?product=networking https://docs.microsoft.com/en-us/azure/?product=storage Perhaps as an additional tip. If you have learned something new, try to explain it to another person (regardless of whether this person is familiar with this topic), if you succeed without effort, you have understood the newly learned super. I do this in a similar way. Not that I explain it to another person, no I create a YouTube video. I hope this information helps you and that you successfully pass the exam. I wish you success! Kind regards, Tom WechslerList user information with PowerShell and Microsoft Graph from Azure Active Directory!
Hi Azure / Microsoft365 friends, In this small example I am concerned with how information can be collected with the Microsoft Graph. Really nothing spectacular, but an interesting lesson for me. I used the PowerShell ISE for this configuration. But you are also very welcome to use Visual Studio Code, just as you wish. Please start with the following steps to begin the deployment (the Hashtags are comments): #The first two lines have nothing to do with the configuration, but make some space below in the blue part of the ISE. Set-Location C:\ Clear-Host #Install Microsoft Graph Module Install-Module Microsoft.Graph -AllowClobber -Force #Time range $date = (Get-Date).AddDays(-60) #A variable for later output $properties = 'AccountEnabled', 'UserPrincipalName','Id','CreatedDateTime','LastPasswordChangeDateTime' #Connect to the cloud (incl. necessary permissions) Connect-Graph -Scopes User.Read.All, Directory.AccessAsUser.All, User.ReadBasic.All, User.ReadWrite.All, Directory.Read.All, Directory.ReadWrite.All #We check the permissions (Get-MgContext).Scopes #List the users and store them in a variable $mgUsers = Get-MgUser -All -Select $properties #Let's look at the list $mgUsers #How many are there? $mgUsers.count #Get-Member to get the details Get-MgUser | Get-Member #Creation date and last password change $InfoUsers = $mgUsers | Where-Object { $_.CreatedDateTime -lt $date -and $_.LastPasswordChangeDateTime -lt $date } #How many have we found (No longer the same number)? $InfoUsers.count #We'll take a look at it $InfoUsers | Format-Table $properties #Remove the session Disconnect-Graph I know that wasn't super fancy at all. But I really wanted to share my experience with you. I hope this article was useful. Best regards, Tom Wechsler P.S. All scripts (#PowerShell, Azure CLI, #Terraform, #ARM, etc.) that I use can be found on github! https://github.com/tomwechslerHow to Learn Microsoft Azure in 2020
How to Learn Microsoft Azure in 2020 :party_popper:☁🎓 The year 2019 is almost over, and usually, we take the time to look back at the year and also to find some New Year’s resolutions for the new year. Why not take all that energy and prepare for the cloud computing era and advance your career by learning Microsoft Azure. In this post, I try to give you a quick look at how you can get started to learn Microsoft Azure in 2020. You can read more here: https://www.thomasmaurer.ch/2019/12/how-to-learn-microsoft-azure-in-2020/My learning path to the Microsoft Certified: Windows Server Hybrid Administrator Associate!
Dear Microsoft Azure Friends, When I read from Microsoft Learn that there was again a Windows Server exam along with Microsoft Azure, I was excited. The new certification is called: Microsoft Certified: Windows Server Hybrid Administrator Associate! This certification consists of two exams: AZ-800 and AZ-801. If you successfully pass both exams you will receive the certification. This article is all about the AZ-801 exam. I have described my learning path to the AZ-800 in this article! https://techcommunity.microsoft.com/t5/azure/my-preparations-for-the-exam-az-800-administering-windows-server/m-p/3262042 After I had passed the AZ-800, I quickly asked myself, will the AZ-801 be even more difficult? For me, it is always best to read the skills measured first. This gives me a first impression of the exam. Now let me show you how my preparation for the exam was: 1. First of all, I looked at the Exam Topics to get a first impression of the scope of topics. https://docs.microsoft.com/en-us/learn/certifications/exams/az-801 Please take a close look at the skills assessed: https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWKPgH 2. So that I can prepare for an exam I need an Azure test environment (this is indispensable for me). You can sign up for a free trial here. https://azure.microsoft.com/en-us/free/ I have also set up a small local test environment with a couple of Windows Server 2022. You can get the operating systems directly from Microsoft: https://www.microsoft.com/en-us/evalcenter/evaluate-windows-server-2022 https://www.microsoft.com/en-us/evalcenter/evaluate-windows-11-enterprise https://www.microsoft.com/en-us/evalcenter/evaluate-windows-admin-center 3. Now it goes to the Microsoft Learning paths content. Work through the learning paths at your leisure. They are really super helpful to prepare for the exam. At this point, many thanks to Microsoft Learn ( SandraMarin ) for the great learning content: https://docs.microsoft.com/en-us/learn/paths/secure-windows-server-premises-hybrid-infrastructures/ https://docs.microsoft.com/en-us/learn/paths/implement-windows-server-high-availability/ https://docs.microsoft.com/en-us/learn/paths/implement-disaster-recovery-windows-server-premises/ https://docs.microsoft.com/en-us/learn/paths/migrate-servers-workloads-premises-hybrid-environments/ https://docs.microsoft.com/en-us/learn/paths/monitor-troubleshoot-windows-server-environments/ 4. Register for the exam early. This creates some pressure and you stay motivated. https://docs.microsoft.com/en-us/learn/certifications/exams/az-801 5. Please also have a look at thomasmaurer 's website this is also very helpful! https://www.thomasmaurer.ch/2022/03/az-801-exam-study-guide-configuring-windows-server-hybrid-advanced-services/ 6. I have created a repository on GitHub for the two exams AZ-800 and AZ-801. There are links, scripts and a lot of content in it, please have a look: https://github.com/tomwechsler/Microsoft_Certified_Windows_Server_Hybrid_Administrator_Associate 7. I started (in german) with a YouTube playlist (it's still early days) to become a Microsoft Certified: Windows Server Hybrid Administrator Associate https://www.youtube.com/playlist?list=PLi0MTIjZai_xLvMSMgOxnk-0QFSxjSEe5 8. More helpful information directly from Microsoft, divided into the functional groups (Skills measured)! Secure Windows Server On-premises and Hybrid Infrastructures: https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/enable-exploit-protection https://docs.microsoft.com/de-de/mem/configmgr/protect/deploy-use/use-device-guard-with-configuration-manager https://docs.microsoft.com/en-us/mem/configmgr/protect/deploy-use/defender-advanced-threat-protection https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard-manage https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/best-practices-for-securing-active-directory https://docs.microsoft.com/en-us/azure/active-directory/authentication/tutorial-configure-custom-password-protection https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-c--protected-accounts-and-groups-in-active-directory https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/securing-domain-controllers-against-attack https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/how-to-configure-protected-accounts https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/best-practices-for-securing-active-directory https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-h--securing-local-administrator-accounts-and-groups https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-b--privileged-accounts-and-groups-in-active-directory https://docs.microsoft.com/en-us/defender-for-identity/what-is https://docs.microsoft.com/en-us/azure/sentinel/data-connectors-reference?tabs=LAA#windows-security-events-via-ama https://docs.microsoft.com/en-us/azure/defender-for-cloud/defender-for-servers-introduction https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-firewall/best-practices-configuring https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-firewall/restrict-server-access-to-members-of-a-group-only https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-firewall/create-an-authentication-request-rule https://docs.microsoft.com/en-us/azure/security/fundamentals/encryption-models https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-overview Implement and manage Windows Server high availability: https://docs.microsoft.com/en-us/azure/virtual-machines/disks-shared https://docs.microsoft.com/en-us/azure/virtual-machines/windows/tutorial-availability-sets https://docs.microsoft.com/en-us/windows-server/failover-clustering/create-failover-cluster https://docs.microsoft.com/en-us/windows-server/storage/storage-replica/stretch-cluster-replication-using-shared-storage https://docs.microsoft.com/en-us/windows-server/storage/storage-replica/cluster-to-cluster-azure-cross-region https://docs.microsoft.com/en-us/windows-server/failover-clustering/clustering-requirements https://docs.microsoft.com/en-us/windows-server/storage/storage-replica/cluster-to-cluster-azure-cross-region https://docs.microsoft.com/en-us/windows-server/failover-clustering/clustering-requirements https://docs.microsoft.com/en-us/windows-server/failover-clustering/manage-cluster-quorum https://docs.microsoft.com/en-us/windows-server/failover-clustering/failover-clustering-overview https://docs.microsoft.com/en-us/azure-stack/hci/deploy/cluster-set https://docs.microsoft.com/en-us/windows-server/failover-clustering/sofs-overview https://docs.microsoft.com/en-us/windows-server/failover-clustering/deploy-cloud-witness https://docs.microsoft.com/en-us/troubleshoot/windows-server/high-availability/cluster-information-ip-address-failover https://docs.microsoft.com/en-us/windows-server/failover-clustering/cluster-aware-updating https://docs.microsoft.com/en-us/azure-stack/hci/concepts/storage-spaces-direct-overview https://docs.microsoft.com/en-us/windows-server/storage/storage-spaces/deploy-storage-spaces-direct Implement disaster recovery: https://docs.microsoft.com/en-us/azure/backup/backup-windows-with-mars-agent https://docs.microsoft.com/en-us/azure/backup/backup-azure-restore-windows-server https://docs.microsoft.com/en-us/azure/backup/backup-mabs-whats-new-mabs https://docs.microsoft.com/en-us/azure/backup/backup-azure-microsoft-azure-backup https://docs.microsoft.com/en-us/azure/backup/backup-instant-restore-capability https://docs.microsoft.com/en-us/azure/backup/backup-azure-arm-userestapi-createorupdatepolicy https://docs.microsoft.com/en-us/azure/backup/backup-client-automation https://docs.microsoft.com/en-us/azure/virtual-machines/backup-and-disaster-recovery-for-azure-iaas-disks https://docs.microsoft.com/en-us/azure/backup/backup-azure-arm-restore-vms https://docs.microsoft.com/en-us/azure/site-recovery/site-recovery-manage-network-interfaces-on-premises-to-azure https://docs.microsoft.com/en-us/azure/site-recovery/site-recovery-create-recovery-plans https://docs.microsoft.com/en-us/azure/site-recovery/azure-to-azure-about-networking https://docs.microsoft.com/en-us/azure/site-recovery/azure-to-azure-about-networking https://docs.microsoft.com/en-us/windows-server/virtualization/hyper-v/manage/set-up-hyper-v-replica Migrate servers and workloads: https://docs.microsoft.com/en-us/windows-server/storage/storage-migration-service/cutover https://docs.microsoft.com/en-us/windows-server/storage/storage-migration-service/overview https://docs.microsoft.com/en-us/azure/storage/files/storage-files-migration-overview https://docs.microsoft.com/en-us/azure/migrate/deploy-appliance-script https://docs.microsoft.com/en-us/azure/migrate/how-to-set-up-appliance-physical https://docs.microsoft.com/en-us/azure/migrate/how-to-migrate https://docs.microsoft.com/en-us/iis/publish/using-web-deploy/migrate-a-web-site-from-iis-60-to-iis-7-or-above https://docs.microsoft.com/en-us/virtualization/windowscontainers/quick-start/building-sample-app https://docs.microsoft.com/en-us/windows-server/get-started/upgrade-migrate-roles-features Monitor and troubleshoot Windows Server environments: https://docs.microsoft.com/en-us/troubleshoot/windows-server/performance/performance-overview https://docs.microsoft.com/en-us/windows-server/manage/system-insights/overview https://docs.microsoft.com/en-us/windows-server/manage/windows-admin-center/azure/azure-monitor https://docs.microsoft.com/en-us/windows-server/manage/system-insights/overview https://docs.microsoft.com/en-us/azure/azure-monitor/agents/agent-windows https://docs.microsoft.com/en-us/azure/azure-monitor/agents/agent-windows https://docs.microsoft.com/en-us/azure/azure-monitor/agents/diagnostics-extension-overview https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/networking-overview https://docs.microsoft.com/en-us/troubleshoot/azure/virtual-machines/boot-error-troubleshoot https://docs.microsoft.com/en-us/troubleshoot/azure/virtual-machines/performance-diagnostics https://docs.microsoft.com/en-us/troubleshoot/azure/virtual-machines/support-agent-extensions https://docs.microsoft.com/en-us/azure/virtual-machines/windows/disk-encryption-overview https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/reset-directory-services-restore-mode-admin-pwd https://docs.microsoft.com/en-us/azure/active-directory/hybrid/tshoot-connect-pass-through-authentication https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/deploy/troubleshooting-domain-controller-deployment More helpful links: https://docs.microsoft.com/en-us/windows-server/failover-clustering/bitlocker-on-csv-in-ws-2022 https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/customize-controlled-folders?view=o365-worldwide https://docs.microsoft.com/en-us/azure/defender-for-cloud/managing-and-responding-alerts https://docs.microsoft.com/en-us/azure/defender-for-cloud/deploy-vulnerability-assessment-vm https://docs.microsoft.com/en-us/defender-for-identity/technical-faq https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview https://docs.microsoft.com/en-us/windows-server/failover-clustering/deploy-cloud-witness https://docs.microsoft.com/en-us/windows-server/failover-clustering/sofs-overview https://docs.microsoft.com/en-us/azure/site-recovery/recovery-plan-overview https://docs.microsoft.com/en-us/windows-server/storage/storage-migration-service/migrate-data https://docs.microsoft.com/en-us/windows-server/storage/storage-migration-service/overview https://docs.microsoft.com/en-us/azure/app-service/app-service-hybrid-connections https://docs.microsoft.com/en-us/azure/migrate/tutorial-discover-physical https://docs.microsoft.com/en-us/iis/publish/using-web-deploy/synchronize-iis I want to emphasize it again in this article, read the questions very carefully. The difference is very often in the details. If it says you have to back up the server and all data to Azure, then that is something different than if it would only say all data. This small difference has a big impact on the subsequent solution! One final tip: When you have learned something new, try to explain what you have learned to another person (whether or not they know your subject). If you can explain it in your own words, you understand the subject. That is exactly how I do it, except that I do not explain it to another person, but record a video for YouTube! I hope this information helps you and that you successfully pass the exam. I wish you success! Best regards, Tom Wechsler P.S. All scripts (#PowerShell, Azure CLI, #Terraform, #ARM) that I use can be found on github! https://github.com/tomwechslerDynamic user membership rules, Azure Active Directory Administrative Units and password reset!
Dear Microsoft 365 and Azure Friends, A customer project involved the following issue. A department manager should be able to reset the passwords for his employees who are in his team. However, the department head does not want to bother with group membership. To meet this requirement, I worked with the following functions: - Azure Active Directory administrative units - Dynamic user membership rules - Password Administrator Role Important: Azure Active Directory administrative units are only available with Azure AD Premium P1 (or higher). In order to work with the Dynamic user membership rules feature, it is important that the profiles are maintained on the accounts. What exactly do I mean by that, for example that the attribute department is "Trading" or the city is "Bern". The more attributes are configured with a value, the more detailed you can work with the "Query Rule". Let me now explain this in detail. Let's take a look at an Azure AD account, more specifically the profile. Now it's time to create an Administrative Unit. Let's imagine that Jon Prime is the department manager and he gets the role "Password administrator". The Administrative Unit is created. Now it is a matter of automatically adding the members from his team (from Jon Prime) to this Administrative Unit. Now let's configure it. The first step is to navigate into the Administrative Unit. Now Jon Prime can go to the following URL and log in. For Jon Prime, the Administrative Unit is now visible with the members it contains. He can now reset the password for these members. Important: But only for these members in this Administrative Unit. Not for any other accounts in the Azure Active Directory. I hope this article was useful. Thank you for taking the time to read the article. Best regards, Tom Wechsler P.S. All scripts (#PowerShell, Azure CLI, #Terraform, #ARM) that I use can be found on github! https://github.com/tomwechslerManage licenses with PowerShell in Azure Active Directory!
Hi Azure friends, In this article, I will describe how you can use PowerShell in Azure Active Directory to quickly get information about licenses. I have summarized a few experiences and would like to share them with you. I used the PowerShell ISE for this configuration. But you are also very welcome to use Visual Studio Code, just as you wish. Please start with the following steps to begin the deployment (the Hashtags are comments): #The first two lines have nothing to do with the configuration, but make some space below in the blue part of the ISE Set-Location C:\Temp Clear-Host #We need the cmdlets Install-Module -Name AzureAD -AllowClobber -Force -Verbose #Sometimes the module must be imported Import-Module AzureAD #Lets connect to the Azure Active Directory Connect-AzureAD #What licenses are available? Get-AzureADSubscribedSku #More info about the license package Get-AzureADSubscribedSku | Select-Object -Property ObjectId, SkuPartNumber, ConsumedUnits -ExpandProperty PrepaidUnits #What is included in the license package Get-AzureADSubscribedSku ` -ObjectId 95b14fab-6bbf-4756-94d4-99993dd27f55_05e9a617-0261-4cee-bb44-138d3ef5d965 | Select-Object -ExpandProperty ServicePlans #To list all licensed users Get-AzureAdUser | ForEach { $licensed=$False ; For ($i=0; $i -le ($_.AssignedLicenses | Measure).Count ; $i++)` { If( [string]::IsNullOrEmpty( $_.AssignedLicenses[$i].SkuId ) -ne $True) { $licensed=$true } } ; If( $licensed -eq $true)` { Write-Host $_.UserPrincipalName} } #To list all of the unlicensed users Get-AzureAdUser | ForEach{ $licensed=$False ; For ($i=0; $i -le ($_.AssignedLicenses | Measure).Count ; $i++)` { If( [string]::IsNullOrEmpty( $_.AssignedLicenses[$i].SkuId ) -ne $True) { $licensed=$true } } ; If( $licensed -eq $false)` { Write-Host $_.UserPrincipalName} } #Do users have a usage location? Get-AzureADUser | Select DisplayName,Department,UsageLocation #We select a user $User = Get-AzureADUser -ObjectId fred.prefect@tomscloud.ch #The user needs a location Set-AzureADUser -ObjectId $User.ObjectId -UsageLocation CH #We need the SKU ID Get-AzureADSubscribedSku | Select SkuPartNumber, SkuID #Create the AssignedLicense object $Sku = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicense #Set the SKU ID $Sku.SkuId = "6fd2c87f-b296-42f0-b197-1e91e994b900" #Create the AssignedLicenses Object $Licenses = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicenses #Add the SKU $Licenses.AddLicenses = $Sku #Setting a License to a User Set-AzureADUserLicense -ObjectId $User.ObjectId -AssignedLicenses $Licenses #Creating a Custom License $User = Get-AzureADUser -ObjectId fred.prefect@tomscloud.ch.ch #Create the AssignedLicense object $Sku = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicense #Add the SKU $Sku.SkuId = "6fd2c87f-b296-42f0-b197-1e91e994b900" #Show the ServicePlans Get-AzureADSubscribedSku -ObjectId 95b14fab-6bbf-4756-94d4-99993dd27f55_05e9a617-0261-4cee-bb44-138d3ef5d965 | Select-Object -ExpandProperty ServicePlans #Get the LicenseSKU and create the Disabled ServicePlans object $Sku.DisabledPlans = @("a23b959c-7ce8-4e57-9140-b90eb88a9e97","aebd3021-9f8f-4bf8-bbe3-0ed2f4f047a1") #Create the AssignedLicenses Object $Licenses = New-Object –TypeName Microsoft.Open.AzureAD.Model.AssignedLicenses #Add the SKU $Licenses.AddLicenses = $Sku #Assign the license to the user Set-AzureADUserLicense -ObjectId $User.ObjectId -AssignedLicenses $Licenses Now you have successfully edited the licenses with PowerShell in Azure Active Directory! Congratulations! I hope this article was useful. Best regards, Tom Wechsler P.S. All scripts (#PowerShell, Azure CLI, #Terraform, #ARM) that I use can be found on github! https://github.com/tomwechslerSearch for users in Azure AD with PowerShell who have a directory role assigned!
Hi Azure friends, It was about a following customer scenario. The task was to search for users who have been assigned a directory role in Azure Active Directory. Of course this search can be done with the Azure Portal. However, I think we can agree that this might take a bit of time. Let's work together with PowerShell. I used the PowerShell ISE for this configuration. But you are also very welcome to use Visual Studio Code, just as you wish. Please start with the following steps to begin the deployment (the Hashtags are comments): #The first two lines have nothing to do with the configuration, but make some space below in the blue part of the ISE. Set-Location C:\ Clear-Host #We need the cmdlets Install-Module -Name AzureAD -AllowClobber -Force -Verbose #Sometimes the module must be imported Import-Module AzureAD #Let's connect Connect-AzureAD #To explore the available cmdlets in the Azure AD module Get-Command -Module AzureAD | Measure-Object #Fetch list of all directory roles with object ID Get-AzureADDirectoryRole #Fetch a specific directory role by ID $role = Get-AzureADDirectoryRole -ObjectId "6fd5c3ac-2e62-4fca-84fe-9e32ae5282f2" #Fetch role membership for a role (to get an idee) Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId | Get-AzureADUser #Lets create some variables $roleUsers = @() $roles=Get-AzureADDirectoryRole #We use a loop ForEach($role in $roles) { $users=Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId ForEach($user in $users) { write-host $role.DisplayName,$user.DisplayName,$user.UsageLocation $obj = New-Object PSCustomObject $obj | Add-Member -type NoteProperty -name RoleName -value "" $obj | Add-Member -type NoteProperty -name UserDisplayName -value "" $obj | Add-Member -type NoteProperty -name UsageLocation -value "" $obj.RoleName=$role.DisplayName $obj.UserDisplayName=$user.DisplayName $obj.UsageLocation=$user.UsageLocation $roleUsers+=$obj } } #We have a result $roleUsers #A bit more readable $roleUsers | Sort-Object Userdisplayname | select Userdisplayname, RoleName #Remove the session Disconnect-AzureAD Now we have a listing of users who have been given a directory role in Azure AD. I know that wasn't super fancy at all. But I really wanted to share my experience with you. I hope this article was useful. Best regards, Tom Wechsler P.S. All scripts (#PowerShell, Azure CLI, #Terraform, #ARM, etc.) that I use can be found on github! https://github.com/tomwechsler
