Helping organizations move to the Office 365 / Azure cloud requires good explanations, deep planning, and usually some automation to make migration easier. During an engagement there was a need to implement account synchronization in Azure AD (Active Directory) before Microsoft's DirSync tool was installed and ready to go. Crazy talk you might say, but PowerShell was able to handle this with ease.
To get started solving this, I had to understand how connecting to Azure AD is handled, what the available cmdlets were, and how the user data is represented coming back.
Getting started
Starting out, there are a few prerequisites we need before we can connect to an Azure AD instance. A Windows 8 (or later) desktop will work just fine, but eventually you may move this to Windows Server 2008 R2 or later, since PowerShell is installed by default on those versions.
- Install PowerShell 3.0, if it's not already present
- Install the Microsoft Online Services Sign-In Assistant, which brokers authentication to the service
- Install the Azure AD Module for Windows PowerShell
- An Azure AD logon name and password to log in with
After all these are installed, launch the Azure Active Directory shell, as this loads all the available cmdlets and removes the need to run Import-Module MSOnline from a normal PowerShell session.
Connect to Azure AD with credentials
Inside the shell, we first need to create a connection to our Azure AD instance using the Sign-In Assistant installed earlier. To do this we build a PSCredential object from our username and password, then call the Connect-MsolService cmdlet to initiate the connection. Note: if you're not saving this as a .ps1 file for reuse, you can just call Connect-MsolService with no parameters and it will pop up a logon box. Keep in mind that a password embedded as below sits in plaintext in the saved script, so protect that file or use the logon prompt instead.
# Tenant logon name and password (placeholders); note the password is plaintext here
$strAAdLogon = "xxx@xxx.onmicrosoft.com"
$strAAdPassword = "xxx"
# Wrap the plaintext password in a SecureString so it can go into a PSCredential
$password = ConvertTo-SecureString -String $strAAdPassword -AsPlainText -Force
$cred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $strAAdLogon, $password
# Authenticate to the tenant through the Sign-In Assistant
Connect-MsolService -Credential $cred
Using the above variables and code, PowerShell attempts to connect to the instance. Note: if no errors (red text) show and the command prompt is ready for input, then you connected correctly. That's the only indicator you get, so it's worth following up with a cmdlet such as Get-MsolCompanyInformation to confirm which tenant you actually landed in.
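The following is an added example, not code from the original post, showing the same connection done without leaving a password in the script. The credential is captured once with Get-Credential and saved with Export-Clixml, which protects the SecureString with DPAPI so only the same user on the same machine can read it back, and the session is then confirmed by reading tenant information rather than by the absence of red text. The credential file path and the optional expected domain are assumptions.

```powershell
# Added example (not from the original post): connect to Azure AD without keeping a
# plaintext password in the script. Requires the Azure AD (MSOnline) module loaded.
$CredFile = Join-Path $env:USERPROFILE 'aad-admin.cred.xml'   # assumed location

function Save-AadCredential {
    # Prompt once interactively and persist the credential. Export-Clixml protects the
    # SecureString with DPAPI, so only this user on this machine can decrypt it.
    param([string]$Path = $CredFile)
    $cred = Get-Credential -Message 'Azure AD administrator logon'
    $cred | Export-Clixml -Path $Path
}

function Connect-AadTenant {
    # Load the saved credential (or prompt if none exists), connect, then prove the
    # session works by reading tenant information instead of trusting a silent prompt.
    param(
        [string]$Path = $CredFile,
        [string]$ExpectedDomain      # e.g. 'xxx.onmicrosoft.com'; optional sanity check
    )
    if (Test-Path $Path) {
        $cred = Import-Clixml -Path $Path
    } else {
        $cred = Get-Credential -Message 'Azure AD administrator logon'
    }

    try {
        Connect-MsolService -Credential $cred -ErrorAction Stop
    } catch {
        throw "Connect-MsolService failed for $($cred.UserName): $($_.Exception.Message)"
    }

    # Get-MsolCompanyInformation only succeeds on a live, authenticated session
    $company = Get-MsolCompanyInformation -ErrorAction Stop

    # Guard against landing in the wrong tenant when several credentials are in use
    if ($ExpectedDomain) {
        $owned = Get-MsolDomain | Where-Object { $_.Name -eq $ExpectedDomain }
        if (-not $owned) {
            throw "Connected to tenant '$($company.DisplayName)', which does not own $ExpectedDomain"
        }
    }

    Write-Host "Connected to '$($company.DisplayName)' as $($cred.UserName); last DirSync: $($company.LastDirSyncTime)"
    return $company
}

# Usage: run Save-AadCredential once interactively, then in scripts call
# Connect-AadTenant -ExpectedDomain 'xxx.onmicrosoft.com'
```

The DPAPI-protected file is still only as safe as the Windows account that wrote it; an attacker running as that user on that machine can decrypt it, so treat the account like the service account it effectively is.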
Get Tenant instance information
With our instance now connected, we can pull some information to see details about it. You can use this to verify you're in the right Tenant and check its settings.
The first command is Get-MsolCompanyInformation, which gives us all the high-level details on our Tenant and some synchronization information.
PS C:\> Get-MsolCompanyInformation
DisplayName : XXX
PreferredLanguage : en
Street : 123 S Someroad Street
City : Charlotte
State : NC
PostalCode : 00000
Country :
CountryLetterCode : US
TelephoneNumber : 111-222-3456
MarketingNotificationEmails : {}
TechnicalNotificationEmails : {xxx@xxx.com}
SelfServePasswordResetEnabled : True
UsersPermissionToCreateGroupsEnabled : True
UsersPermissionToCreateLOBAppsEnabled : True
UsersPermissionToReadOtherUsersEnabled : True
UsersPermissionToUserConsentToAppEnabled : True
DirectorySynchronizationEnabled : True
LastDirSyncTime : 1/7/2016 1:08:26 PM
LastPasswordSyncTime : 10/7/2014 5:45:36 AM
PasswordSynchronizationEnabled : True
The Get-MsolDomain cmdlet is used to retrieve company domains, their status, and what type of authentication they use.
PS C:\> Get-MsolDomain
Name Status Authentication
---- ------ --------------
xxx.com Verified Federated
xxx.xxx.com Verified Federated
xxx.onmicrosoft.com Verified Managed
xxx.mail.onmicrosoft.com Verified Managed
Get a list of Groups
Now that we know we're working in the right Tenant, calls can be made to see what AD groups are already in the system.
The Get-MsolGroup cmdlet is used to retrieve groups from Azure AD. It returns a single group when an ObjectId is passed in, or the full list otherwise; that list can then be filtered by piping it to Where-Object.
PS C:\> Get-MsolGroup
ObjectId DisplayName Description
-------- ----------- -----------
8f16927f-2bbb-47c9-9b34-7a0ab3af74a6 DnsUpdateProxy DNS clients who ...
1cbabadd-f241-4928-9135-e2eb11383cce DnsAdmins DNS Administrato...
6fa5d7ba-88a1-453a-8800-2f0ac102b2a4 WinRMRemoteWMIUse... Members of this ...
af0891f5-17dc-4cf4-b7d1-9e2a6eeee71e XXX ACS Aut... Test group creat...
e982a6f0-5676-427c-841a-6893f6a0e695 DL-Tester DL-Tester
Get a list of users in a group
Once we have an ObjectId from one of our groups, we can call it specifically to see all the users of that group.
The Get-MsolGroupMember cmdlet is used to retrieve members of the specified group. The members can be either users or groups.
PS C:\> Get-MsolGroupMember -GroupObjectId e982a6f0-5676-427c-841a-6893f6a0e695
GroupMemberType EmailAddress DisplayName
--------------- ------------ -----------
User sallysupport@xxx.com Sally Support
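Since Get-MsolGroupMember can return groups as well as users, a flat listing does not show who ultimately has access through a nested group. The following added example (not code from the original post) combines the two cmdlets above: it selects groups by display-name pattern instead of copying ObjectIds by hand, then walks each group recursively and reports every user with the membership chain that reached them. It assumes an active Connect-MsolService session; the 'DL-*' pattern is an assumption.

```powershell
# Added example (not from the original post): expand nested Azure AD group membership.
# Assumes Connect-MsolService has already succeeded in this session.

function Get-AadGroupMemberRecursive {
    param(
        [Parameter(Mandatory)][Guid]$GroupObjectId,
        [string]$Path = '',                     # membership chain for reporting
        [hashtable]$Visited = @{}               # guards against circular nesting
    )
    if ($Visited.ContainsKey($GroupObjectId)) { return }   # already expanded this group
    $Visited[$GroupObjectId] = $true

    foreach ($m in Get-MsolGroupMember -GroupObjectId $GroupObjectId -All) {
        if ($m.GroupMemberType -eq 'Group') {
            # Recurse into the nested group, extending the chain for the report
            Get-AadGroupMemberRecursive -GroupObjectId $m.ObjectId `
                -Path "$Path > $($m.DisplayName)" -Visited $Visited
        } else {
            [pscustomobject]@{
                DisplayName  = $m.DisplayName
                EmailAddress = $m.EmailAddress
                MemberType   = $m.GroupMemberType
                Via          = if ($Path) { $Path.TrimStart(' >') } else { 'direct' }
                ObjectId     = $m.ObjectId
            }
        }
    }
}

# Pattern-match groups by display name (assumed pattern) instead of pasting ObjectIds
$targets = Get-MsolGroup -All | Where-Object { $_.DisplayName -like 'DL-*' }
foreach ($g in $targets) {
    Write-Host "== $($g.DisplayName) ($($g.ObjectId))"
    Get-AadGroupMemberRecursive -GroupObjectId $g.ObjectId |
        Sort-Object Via, DisplayName |
        Format-Table DisplayName, EmailAddress, Via -AutoSize
}
```

The Visited table is shared down the recursion so a group that contains itself through a chain of nested groups is expanded only once; without it the walk never terminates.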
Get a specific user
Finally, we have a few specific users to look at so we can see their individual attributes. To retrieve more than just the standard properties I'll pipe the object to Select-Object.
The Get-MsolUser cmdlet can be used to retrieve an individual user, or list of users. An individual user will be retrieved if the ObjectId or UserPrincipalName parameter is used.
PS C:\> Get-MsolUser -UserPrincipalName sallysupport@slalomdev.com | Select DisplayName, LastName, FirstName, ObjectId, isLicensed
DisplayName : Sally Support
LastName : Support
FirstName : Sally
ObjectId : 5bb30da2-96a0-47a6-b99f-79d8460922e4
IsLicensed : True
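The added example below (not code from the original post) goes one step beyond what the post shows: it uses two further Get-MsolUser properties, ImmutableId and LastDirSyncTime, which directory synchronization sets on accounts it owns. ImmutableId is by default the base64 form of the on-premises objectGUID, so decoding it tells you which on-prem object a cloud account is linked to, and its absence marks an account as cloud-only. It assumes an active Connect-MsolService session.

```powershell
# Added example (not from the original post): inventory users by how they are linked
# to on-premises AD. ImmutableId is the sync anchor (base64 of objectGUID by default);
# accounts without one are cloud-only. Assumes Connect-MsolService has succeeded.

function ConvertFrom-ImmutableId {
    # Turn the base64 anchor back into the GUID seen as objectGUID on-prem,
    # or $null if the value is not a 16-byte base64 string
    param([string]$ImmutableId)
    if ([string]::IsNullOrEmpty($ImmutableId)) { return $null }
    try {
        $bytes = [Convert]::FromBase64String($ImmutableId)
        if ($bytes.Length -ne 16) { return $null }
        return New-Object -TypeName System.Guid -ArgumentList (,$bytes)
    } catch { return $null }
}

function Get-AadUserSyncReport {
    # One row per user: synced vs. cloud-only, decoded anchor, licensing and sign-in block
    param([string]$UserPrincipalName)   # optional; omit for all users

    $users = if ($UserPrincipalName) {
        Get-MsolUser -UserPrincipalName $UserPrincipalName
    } else {
        Get-MsolUser -All
    }

    foreach ($u in $users) {
        $source = if ($u.ImmutableId) { 'Synced' } else { 'CloudOnly' }
        [pscustomobject]@{
            UserPrincipalName = $u.UserPrincipalName
            DisplayName       = $u.DisplayName
            Source            = $source
            OnPremObjectGuid  = ConvertFrom-ImmutableId $u.ImmutableId
            LastDirSyncTime   = $u.LastDirSyncTime
            IsLicensed        = $u.IsLicensed
            SignInBlocked     = $u.BlockCredential
            ObjectId          = $u.ObjectId
        }
    }
}

# Usage: list cloud-only accounts that hold a license. A later DirSync run will not
# own these, so they need a matching on-prem object (or a decision) before cut-over.
Get-AadUserSyncReport |
    Where-Object { $_.Source -eq 'CloudOnly' -and $_.IsLicensed } |
    Format-Table UserPrincipalName, DisplayName, IsLicensed, SignInBlocked -AutoSize
```

Comparing the decoded OnPremObjectGuid against objectGUID in the on-premises directory is the check that tells you whether an account created ahead of DirSync will be matched to the right on-prem user or end up as a duplicate.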
Conclusion
And that gives us enough information to start wrapping our heads around the storage methods. Using the above Azure AD cmdlets I was able to start looking at users that had already been created in the system to understand how synchronizing new users into the Azure AD should happen to ensure the accounts are linked.
- MSDN - Manage Azure AD using Windows PowerShell
- Microsoft Downloads
- Microsoft Online Services Sign-In Assistant for IT Professionals (64-bit version): http://ift.tt/1G4625j
- Azure Active Directory Module for Windows PowerShell (64-bit version): http://ift.tt/1caO1SH
by Craig Pilkenton via Everyone's Blog Posts - SharePoint Community