Comments (18)

hausec avatar hausec commented on June 27, 2024

Does it tell you what line the error is on?

from powerzure.

halfluke avatar halfluke commented on June 27, 2024

yes, PowerZure.ps1:209 char:1

halfluke avatar halfluke commented on June 27, 2024

it doesn't seem to like -welcome. Once I removed it, everything seems to work

hausec avatar hausec commented on June 27, 2024

I'm thinking it has to do with the API call which pulls some info about the current user roles. Can you run the following code and tell me if you get the same error? (Just copy+paste into a powershell window)

# Authenticate the current Az PowerShell session against Microsoft Graph and build the request header
$APSUser = Get-AzContext *>&1
$resource = "https://graph.microsoft.com"
$Token = [Microsoft.Azure.Commands.Common.Authentication.AzureSession]::Instance.AuthenticationFactory.Authenticate($APSUser.Account, $APSUser.Environment, $APSUser.Tenant.Id.ToString(), $null, [Microsoft.Azure.Commands.Common.Authentication.ShowDialog]::Never, $null, $resource).AccessToken
$Headers = @{}
$Headers.Add("Authorization", "Bearer " + $Token)
# (Inside PowerZure this header comes from the module's Get-AzureGraphToken helper; that helper does not exist in a bare session, so it is left out here.)

Write-Host "You are logged into Azure PowerShell" -ForegroundColor Yellow
$obj = New-Object -TypeName psobject

# Resolve the signed-in account to a directory user and its object id
$username = $APSUser.Account
$user = Get-AzADUser -UserPrincipalName $username
$userid = $user.id

# Azure RBAC role assignments for that object id
$rbacroles = Get-AzRoleAssignment -ObjectId $userid *>&1
$obj | Add-Member -MemberType NoteProperty -Name Username -Value $user.userPrincipalName
$obj | Add-Member -MemberType NoteProperty -Name objectId -Value $userid

# Azure AD directory roles held by the user (Graph beta roleManagement endpoints)
$rolearray = @()
$scopearray = @()
$uri = 'https://graph.microsoft.com/beta/roleManagement/directory/roleAssignments?$filter+=+principalId eq' + " " + "'" + $userid + "'"
$data = Invoke-RestMethod -Headers $Headers -Uri $uri
$aadroles = $data.value
ForEach ($aadrole in $aadroles)
{
    $id = $aadrole.roleDefinitionId
    $uri = "https://graph.microsoft.com/beta/roleManagement/directory/roleDefinitions/$id"
    $roledef = Invoke-RestMethod -Headers $Headers -Uri $uri
    $rolearray += $roledef.displayName
    $scopearray += $roledef.resourceScopes
}
$obj | Add-Member -MemberType NoteProperty -Name AADRole -Value $rolearray
$obj | Add-Member -MemberType NoteProperty -Name AADRoleScope -Value $scopearray

# Group memberships via the getMemberGroups action (POST with a JSON body)
$uri = "https://graph.microsoft.com/v1.0/Users/$userid/getMemberGroups"
$body = @"
{ "securityEnabledOnly": "False" }
"@
$grouparray = @()
$groupdata = Invoke-RestMethod -Headers $Headers -Uri $uri -Body $body -Method Post -ContentType application/json
$groupids = $groupdata.value
foreach ($groupid in $groupids)
{
    $groupstuff = Get-AzADGroup -ObjectId $groupid
    $grouparray += $groupstuff.DisplayName
}

$obj | Add-Member -MemberType NoteProperty -Name Groups -Value $grouparray
$obj | Add-Member -MemberType NoteProperty -Name AzureRoles -Value $rbacroles.roleDefinitionName
$obj | Add-Member -MemberType NoteProperty -Name Scope -Value $rbacroles.scope
$obj | Add-Member -MemberType NoteProperty -Name SubscriptionName -Value $APSUser.Subscription.Name
$obj | Add-Member -MemberType NoteProperty -Name SubscriptionId -Value $APSUser.Subscription.Id
$obj
Write-Host ""
Write-Host "Please set your default subscription with 'Set-Subscription -Id {id}' if you have multiple subscriptions." -ForegroundColor Yellow

halfluke avatar halfluke commented on June 27, 2024

Getting the same error but after this line:
$rbacroles = Get-AzRoleAssignment -ObjectId $userid *>&1

hausec avatar hausec commented on June 27, 2024

Ok, can you run this?

$APSUser = Get-AzContext *>&1 
$APSUser.Account

And check if you get any output?

halfluke avatar halfluke commented on June 27, 2024

yes I get my tenantid. Id, type, tenants, and extendedproperties field. The accesstoken field is empty instead

hausec avatar hausec commented on June 27, 2024

Try this:

$username = $APSUser.Account.id
$user = Get-AzADUser -UserPrincipalName $Username
$userid = $user.id
$rbacroles = Get-AzRoleAssignment -ObjectId $userid *>&1

If it errors, can you verify that $userid is populated (has content)?

halfluke avatar halfluke commented on June 27, 2024

it errors and for some reason $userid has no content...

hausec avatar hausec commented on June 27, 2024

Does $User have content?

halfluke avatar halfluke commented on June 27, 2024

nope, only $username has content.

hausec avatar hausec commented on June 27, 2024

Ok so Get-AzADUser -UserPrincipalName is failing.

Do you get any results back when you type Get-AzADUser?

If so, try manually putting in your userprincipalname and see if you get any results back

Get-AzADUser -UserPrincipalName [username@domain]

halfluke avatar halfluke commented on June 27, 2024

Yeah... get-azaduser returns my two users. One is the root account (external, @live.com) and the other one is an IAM user.

What happens is:
$username = $APSUser.Account.id -> this one returns my @live.com account
$user = Get-AzADUser -UserPrincipalName $Username
This one returns nothing

halfluke avatar halfluke commented on June 27, 2024

The userprincipalname is:
xxxxx_live.com#EXT#@xxxxxx.onmicrosoft.com

So basically the @live.com $username returned above is not equivalent to the UserPrincipalName returned by get-AzADUser

hausec avatar hausec commented on June 27, 2024

Ahhhh ok I see what's happening, thank you for finding this, i'll update it right now.

halfluke avatar halfluke commented on June 27, 2024

Glad you see it, as I don't :) I am basically testing some tools on my account for an Azure configuration review I'll have to do in a couple of days :)

hausec avatar hausec commented on June 27, 2024

Fixed here: ef6f905

Get-AzContext will erroneously populate the 'id' property without appending #EXT#@tenant.onmicrosoft.com which is why searching via UPN does not return any data, as the id is not a proper UPN.

Fixed by fetching the UPN via Graph API call instead of Get-AzContext

halfluke avatar halfluke commented on June 27, 2024

Hmm, getting a different error though:
Get-AzRoleAssignment : The Principal ID xxxxx_live.com#EXT#@xxxxxx.onmicrosoft.com is not valid. Principal ID must be a GUID

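As an added example (not PowerZure's code), here is how a script can resolve the signed-in account to a directory object id before calling Get-AzRoleAssignment, covering both the guest-UPN mismatch found above (Get-AzContext returns user@live.com while the directory holds user_live.com#EXT#@tenant) and the GUID requirement from the last comment. It assumes an authenticated Az session, Az.Accounts 2.2 or later for Get-AzAccessToken, and a placeholder tenant domain; ConvertTo-GuestUpn, Get-GraphBearerToken and Resolve-SignedInUser are names chosen here.

```powershell
# Added example (not PowerZure's code). Assumes an authenticated Az session (Connect-AzAccount),
# Az.Accounts >= 2.2 for Get-AzAccessToken, and a placeholder tenant domain.

function ConvertTo-GuestUpn {
    # Azure AD stores a B2B guest as <local>_<domain>#EXT#@<tenant>, e.g.
    # user@live.com in contoso.onmicrosoft.com -> user_live.com#EXT#@contoso.onmicrosoft.com
    param([Parameter(Mandatory)][string]$Email, [Parameter(Mandatory)][string]$TenantDomain)
    return ($Email -replace '@', '_') + '#EXT#@' + $TenantDomain
}

function Get-GraphBearerToken {
    # Works whether Get-AzAccessToken returns a plain string (older Az) or a SecureString (Az 14+)
    $t = (Get-AzAccessToken -ResourceUrl 'https://graph.microsoft.com').Token
    if ($t -is [securestring]) { $t = [System.Net.NetworkCredential]::new('', $t).Password }
    return $t
}

function Resolve-SignedInUser {
    param([string]$TenantDomain)   # e.g. 'contoso.onmicrosoft.com' (placeholder value)
    $accountId = (Get-AzContext).Account.Id   # for guests this is the home e-mail, not the tenant UPN

    # 1. Member accounts: the context id already is the UPN
    $user = Get-AzADUser -UserPrincipalName $accountId -ErrorAction SilentlyContinue
    # 2. Guest accounts: retry with the #EXT# form
    if (-not $user -and $TenantDomain) {
        $guestUpn = ConvertTo-GuestUpn -Email $accountId -TenantDomain $TenantDomain
        $user = Get-AzADUser -UserPrincipalName $guestUpn -ErrorAction SilentlyContinue
    }
    # 3. Authoritative fallback: ask Graph which user the token belongs to
    if (-not $user) {
        $me = Invoke-RestMethod -Uri 'https://graph.microsoft.com/v1.0/me' `
                                -Headers @{ Authorization = "Bearer $(Get-GraphBearerToken)" }
        $user = [pscustomobject]@{ Id = $me.id; UserPrincipalName = $me.userPrincipalName }
    }

    # Get-AzRoleAssignment -ObjectId needs the object id (a GUID), never the UPN
    $guid = [guid]::Empty
    if (-not [guid]::TryParse([string]$user.Id, [ref]$guid)) {
        throw "Resolved principal '$($user.UserPrincipalName)' has no GUID object id"
    }
    return $user
}

$signedIn = Resolve-SignedInUser -TenantDomain 'contoso.onmicrosoft.com'
"Resolved $($signedIn.UserPrincipalName) -> $($signedIn.Id)"
Get-AzRoleAssignment -ObjectId $signedIn.Id | Select-Object RoleDefinitionName, Scope
```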