2

I am able to use PowerShell to authenticate with the Azure AD resource I have created and where I am a Global Administrator. I execute this command to authenticate with the AD

$AzureADCred = Get-Credential -Message "Cred to connect to AD"
Connect-AzureAD -Credential $AzureADCred

This returns my Account, SubscriptionName, TenantID and AccountType (User) which would seem to indicate that my login is associated with a specific tenant. I can then execute this command:

Get-AzureADCurrentSessionInfo

However, all of the other AzureAD queries I have tried fail. This includes:

Get-AzureADUser -SearchString "XXX"
Get-AzureADCurrentSessionInfo
Get-AzureADtenantdetail
Get-AzureADDomain

The error message states (for instance)

Get-AzureADDomain : Error occurred while executing GetDomains

Code: Authentication_Unauthorized

Message: User was not found

It would appear that I have the correct management privileges and I am connected to the correct tenant. What else do I need to do to be able to execute these commands?


I went back and tried adding the tenantID but with no success. I'm not sure why this would work since even when I log in without the tenantID,

Get-AzureADCurrentSessionInfo

returns the acct and tenant so it seems like my login is correctly associated with the tenant at initial login. I could see where this would be a problem if that login was associated with multiple tenants. When I switched to a user I had created in AD so it had the AD domain xxx.onmicrosoft.com and made that user a global admin I could execute all of the commands that had failed with the other user ID. Even though both users are global admins, only the user in the my AD domain can execute these commands. Perhaps this is not a well known limitation of AD users who are not in the AD domain. Or maybe there is a Powershell command I need to run to give this user additional privileges? Update - I also tried to replicate this issue using Azure Cloud Shell but found that any AD user with Global Admin privileges, regardless of domain, can execute the range of AzureAD commands. At this point I am concluding that there is an issue with my local Powershell installation but I am unable to find any documentation on exactly what the issue is. So for now, when encountering this issue, I recommend the workaround of running the AzureAD commands under a Global Admin User ID that is in the same domain as the AD.

Community
  • 1
  • 1

2 Answers2

3

I can reproduce your issue on my side, I suppose you are using a Guest user account, e.g. xxx@hotmail.com, if you Connect-AzureAD without the parameter -TenantId, it will not log in the tenant like xxx.onmicrosoft.com by default.

enter image description here

To fix the issue, your command should be Connect-AzureAD -Credential $AzureADCred -TenantId "<your TenantId>", then it will work.

enter image description here

Joy Wang
  • 39,905
  • 3
  • 30
  • 54
  • @JohnHankins Are you using a guest user account? – Joy Wang Jan 11 '19 at 16:20
  • The acct that failed is the acct I used to set up the AD. So it is not in the AD domain but not a guest acct is the sense that I didn't add the acct by sending it an invitation to join the AD. – John Hankins Jan 11 '19 at 17:15
  • Just checked, the account that cannot execute these commands shows the user type as "Member" and source as Microsoft Account. User Name is xxx@gmail.com. The account that does work is also a member, source is Azure Active Directory. User name is xxx@yyy.onmicrosoft.com. Both are Global Admins. – John Hankins Jan 11 '19 at 17:27
  • Just tried this with another user that I added as a guest and then set their role to Global Admin. The Powershell commands also fail with this user. – John Hankins Jan 11 '19 at 18:02
0

If you use your microsoft account, it will not work. You need to create a new Azure AD account and assign the Global admin role, if possible also assign the User access Admin role. This solved the issue for me