Open chlillelund opened 6 years ago
@chlillelund Generally, you need to have some authorization to RM resources in order to use the Azure PowerShell cmdlets. The ADS functionality we provide is tightly coupled with usage of AD objects inside Azure Resource Manager.
The AzureAD cmdlets provide more general functionality for manipulating AAD and Graph objects: https://www.powershellgallery.com/packages/AzureAD/2.0.1.16
@markcowl Thanks for your answer. I know it might be a bit overkill to use AzureRM, but it provides a lot more functionality than AzureAD. For example, I use AzureRM.Profile to get an access token so that I can grant admin consent to my application (http://www.lieben.nu/liebensraum/2018/04/how-to-grant-oauth2-permissions-to-an-azure-ad-application-using-powershell-unattended-silently/). The "fun" thing about this, and the reason for me creating the bug report, is that it works just fine on my developer laptop, where I have e.g. Visual Studio installed. And as stated in the bug report, it also works just fine on the clean Win10 machine if I first log in with an account that does have an Azure subscription, and then log in with my O365 admin account.
I had the same issue as you - Get-AzureRmContext would return blank for an Azure AD account that had no subscription associated, so I couldn't get a refreshToken, grant permissions etc.
Then I figured out this:
$azureDirectoryTenantName = "domain.com"
# Resolve the tenant ID (a GUID) from the tenant's public OpenID Connect discovery document; the issuer URL ends in it
$tenantId = (Invoke-RestMethod "https://login.microsoftonline.com/$($azureDirectoryTenantName)/.well-known/openid-configuration").issuer.TrimEnd('/').Split('/')[-1]
# Log in against that tenant explicitly; <creds> is a PSCredential for the admin account
Add-AzureRmAccount -EnvironmentName "AzureCloud" -TenantId $tenantId -Credential <creds> -ErrorAction Stop
# Take an unexpired refresh token for this tenant from the local ADAL token cache
$refreshToken = @([Microsoft.Azure.Commands.Common.Authentication.AzureSession]::Instance.TokenCache.ReadItems() | Where-Object {$_.TenantId -eq $tenantId -and $_.ExpiresOn -gt (Get-Date)})[0].RefreshToken
$refreshToken = $refreshToken.Split("`n")[0]
# Exchange the refresh token for an access token for the Azure portal's API resource
$body = "grant_type=refresh_token&refresh_token=$($refreshToken)&resource=74658136-14ec-4630-ad9b-26e160ff0fc6"
$apiToken = Invoke-RestMethod "https://login.windows.net/$tenantId/oauth2/token" -Method POST -Body $body -ContentType 'application/x-www-form-urlencoded'
$header = @{
    'Authorization'          = 'Bearer ' + $apiToken.access_token
    'X-Requested-With'       = 'XMLHttpRequest'
    'x-ms-client-request-id' = [guid]::NewGuid()
    'x-ms-correlation-id'    = [guid]::NewGuid()
}
# $identityApplicationID must already hold the ID of the application being consented to
$url = "https://main.iam.ad.ext.azure.com/api/RegisteredApplications/$identityApplicationID/Consent?onBehalfOfAll=true"
Invoke-RestMethod -Uri $url -Headers $header -Method POST -ErrorAction Stop
This works for my needs, and overcame the issue of trying to automate granting of permissions when the Azure AD account had no subscription associated.
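The two steps that make the script above work without a subscription are resolving the tenant ID from the domain and pinning the login to that tenant. The following is an added example, not code from the thread or from the AzureRM project: it wraps those steps in functions and classifies the resulting context the way the issue describes it (no context, tenant-only context, or subscription context), so the reported failure can be told apart from a normal subscription-less login. Cmdlet names are the AzureRM.Profile ones used on this page; the function names and the `contoso.onmicrosoft.com` sample domain are assumptions.

```powershell
# Added example (not from the thread). Assumes AzureRM.Profile is installed.

function Resolve-AadTenantId {
    param([Parameter(Mandatory)][string]$DomainName)
    # The OpenID Connect discovery document is unauthenticated; its issuer URL ends in the tenant GUID
    $config = Invoke-RestMethod -Uri "https://login.microsoftonline.com/$DomainName/.well-known/openid-configuration"
    $candidate = $config.issuer.TrimEnd('/').Split('/')[-1]
    $parsed = [guid]::Empty
    # Refuse anything that is not a GUID rather than passing an unexpected string to the login
    if (-not [guid]::TryParse($candidate, [ref]$parsed)) {
        throw "Issuer '$($config.issuer)' does not end in a tenant GUID"
    }
    return $parsed.ToString()
}

function Get-AzureRmContextState {
    # 'None'        : Get-AzureRmContext returned nothing (the behaviour this issue reports)
    # 'TenantOnly'  : signed in to the tenant, no subscription attached (normal for an O365-only tenant)
    # 'Subscription': context bound to an Azure subscription
    $ctx = Get-AzureRmContext -ErrorAction SilentlyContinue
    if ($null -eq $ctx -or $null -eq $ctx.Account) { return 'None' }
    if ($null -eq $ctx.Subscription -or [string]::IsNullOrEmpty($ctx.Subscription.Id)) { return 'TenantOnly' }
    return 'Subscription'
}

# Usage: pin the login to the tenant so a subscription-less admin account still yields a tenant context
$tenantId = Resolve-AadTenantId -DomainName 'contoso.onmicrosoft.com'   # sample domain (assumption)
$cred = Get-Credential -Message "Admin account for tenant $tenantId"
Connect-AzureRmAccount -EnvironmentName AzureCloud -TenantId $tenantId -Credential $cred -ErrorAction Stop | Out-Null

switch (Get-AzureRmContextState) {
    'None'         { Write-Warning "Login returned no context; this is the state described in the issue" }
    'TenantOnly'   { Write-Host "Tenant context for $tenantId with no subscription; AAD-only work is possible" }
    'Subscription' { Write-Host "Context bound to subscription $((Get-AzureRmContext).Subscription.Id)" }
}
```

Two points worth keeping in mind when building on the script posted above: the consent call goes to `main.iam.ad.ext.azure.com`, which is the portal's own API rather than a documented management endpoint, so it can change without notice; and the value read from the token cache is a refresh token, i.e. a long-lived bearer credential for the signed-in admin, so it should be kept in memory only and never written to logs or transcripts.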
Description
On a fresh installation of Windows 10, Connect-AzureRMAccount does not return a context. The function runs, but returns the following output.
The tenant I am connecting to does not have any Azure subscriptions per se. It is an Office 365 subscription, with a related Azure AD that I need to log in to, in order to create an application, assign permissions, and grant admin consent.
If, from the same clean Windows 10 machine, I do a Connect-AzureRMAccount with a user that does have an Azure subscription, a context is created.
After getting this context I can again try with the user that I originally needed to log in with (the Office 365 admin user), and now I get a context.
If I then clear all context objects and try again with the Office 365 admin user, I get the following error.
On my developer machine there is no problem connecting to the subscription and getting a context.
Script/Steps for Reproduction
Clean installation of Windows 10.
The following has been tried running both as administrator and as a non-privileged user.
Now I reboot the machine, as I would otherwise get the above NullReferenceException.
Module Version
Environment Data
Debug Output