I am able to use PowerShell to authenticate with the Azure AD resource I have created and where I am a Global Administrator. I execute this command to authenticate with the AD:
$AzureADCred = Get-Credential -Message "Cred to connect to AD"
Connect-AzureAD -Credential $AzureADCred
This returns my Account, SubscriptionName, TenantID and AccountType (User), which would seem to indicate that my login is associated with a specific tenant. I can then execute this command:
Get-AzureADCurrentSessionInfo
However, all of the other AzureAD queries I have tried fail. This includes:
Get-AzureADUser -SearchString "XXX"
Get-AzureADCurrentSessionInfo
Get-AzureADtenantdetail
Get-AzureADDomain
The error message states (for instance):
Get-AzureADDomain : Error occurred while executing GetDomains
Code: Authentication_Unauthorized
Message: User was not found
It would appear that I have the correct management privileges and I am connected to the correct tenant. What else do I need to do to be able to execute these commands?
I went back and tried adding the tenantID but with no success. I'm not sure why this would work since even when I log in without the tenantID, Get-AzureADCurrentSessionInfo returns the acct and tenant, so it seems like my login is correctly associated with the tenant at initial login. I could see where this would be a problem if that login was associated with multiple tenants. When I switched to a user I had created in AD so it had the AD domain xxx.onmicrosoft.com and made that user a global admin, I could execute all of the commands that had failed with the other user ID. Even though both users are global admins, only the user in my AD domain can execute these commands. Perhaps this is a not well-known limitation of AD users who are not in the AD domain. Or maybe there is a PowerShell command I need to run to give this user additional privileges?

Update - I also tried to replicate this issue using Azure Cloud Shell but found that any AD user with Global Admin privileges, regardless of domain, can execute the range of AzureAD commands. At this point I am concluding that there is an issue with my local PowerShell installation, but I am unable to find any documentation on exactly what the issue is. So for now, when encountering this issue, I recommend the workaround of running the AzureAD commands under a Global Admin User ID that is in the same domain as the AD.
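A diagnostic script, added here as an example and not part of the question above, that pins the AzureAD session to the intended tenant, confirms the signed-in account actually has a user object in that directory, and lists the directory roles assigned to it there. It assumes the AzureAD module is installed; $TargetTenantId is a placeholder to replace with the tenant being managed.

```powershell
# Added example: verify which tenant the session is bound to and whether the
# signed-in account is a member of that directory before running directory cmdlets.
$TargetTenantId = '00000000-0000-0000-0000-000000000000'   # placeholder, replace

$cred = Get-Credential -Message "Cred to connect to AD"
# Pin the session to the intended tenant instead of letting the sign-in
# default to the account's home tenant.
Connect-AzureAD -Credential $cred -TenantId $TargetTenantId | Out-Null

$session = Get-AzureADCurrentSessionInfo
if ($session.TenantId -ne $TargetTenantId) {
    Write-Warning "Session is bound to tenant $($session.TenantId), not $TargetTenantId"
}

# Look up the signed-in account's user object in this directory. Guest (B2B)
# accounts carry a rewritten UPN (...#EXT#@...onmicrosoft.com), so fall back
# to the mail attribute when the UPN lookup finds nothing.
$upn = $session.Account.Id
$me = Get-AzureADUser -Filter "userPrincipalName eq '$upn'"
if (-not $me) { $me = Get-AzureADUser -Filter "mail eq '$upn'" }
if (-not $me) {
    Write-Warning "No user object for $upn in tenant $($session.TenantId); directory cmdlets run as this account are expected to fail"
    return
}
"{0} is a {1} user (ObjectId {2})" -f $me.UserPrincipalName, $me.UserType, $me.ObjectId

# List the directory roles this object holds in the connected tenant.
Get-AzureADDirectoryRole | ForEach-Object {
    $role = $_
    Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId |
        Where-Object { $_.ObjectId -eq $me.ObjectId } |
        ForEach-Object { $role.DisplayName }
}
```

Comparing the output of this script for the two accounts in the question (the external one and the xxx.onmicrosoft.com one) shows whether the difference is the tenant the session landed in, a missing user object, or the role assignment itself.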