I need reource code of main.iam.ad.ext.azure.us

Question

I need to collect information about total and assigned licenses programmatically. The way that is described here: https://tech.nicolonsky.ch/manage-azure-ad-group-based-licensing-with-powershell/ - does not work on AzureUSGovernment environment. The following error occurs: ""Get-AADLicenseSku : AADSTS900382: Confidential Client is not supported in Cross Cloud request."

So, I am looking for a way to adjust it and use it on AzureUSGovernment. But I could not find the resource ID of main.iam.ad.ext.azure.us As I understood, the ID of main.iam.ad.ext.azure.com is 74658136-14ec-4630-ad9b-26e160ff0f. But I do not understand where it is coming from. Thank you in advance for the help. I created a script based on the original scripts:

        $context = Get-AzContext
        
        if ($null -eq $context) {
            $null = Connect-AZAccount -EA stop
            $context = Get-AzContext
        }
        $apiToken = [Microsoft.Azure.Commands.Common.Authentication.AzureSession]::Instance.AuthenticationFactory.Authenticate($context.Account, $context.Environment, $context.Tenant.Id, $null, "Never", $null, "https://main.iam.ad.ext.azure.us")

        $header = @{
            'Authorization'          = 'Bearer ' + $apiToken.AccessToken.ToString()
            'Content-Type'           = 'application/json'
            'X-Requested-With'       = 'XMLHttpRequest'
            'x-ms-client-request-id' = [guid]::NewGuid()
            'x-ms-correlation-id'    = [guid]::NewGuid()
        }

        Write-Verbose "Connected to tenant: '$($context.Tenant.Id)' as: '$($context.Account)'"


       $baseUrl = "https://main.iam.ad.ext.azure.us/api/"

        try {
            $request = Invoke-WebRequest -Method Get -Uri $($baseUrl + "AccountSkus") -Headers $header
            $requestContent = $request | ConvertFrom-Json
            return $requestContent
        }
        catch {
            # convert the error message if it appears to be JSON
            if ($_.ErrorDetails.Message -like "{`"Classname*") {
                $local:errmsg = $_.ErrorDetails.Message | ConvertFrom-Json
                if ($local:errmsg.Clientdata.operationresults.details) {
                    Write-Error $local:errmsg.Clientdata.operationresults.details
                }
                else {
                    Write-Error $local:errmsg
                }
            }
            else {
                Write-Error $_
            }
        }

But it fails with the following error: "Invoke-RestMethod : 401 - Unauthorized: Access is denied due to invalid credentials. Server Error

401 - Unauthorized: Access is denied due to invalid credentials. You do not have permission to view this directory or page using the credentials that you supplied."

I tried to use the user account and service principal. Global Admin role is assigned to both.

Answer 1

I found the solution. In my script above ^^, I replaced

$apiToken = [Microsoft.Azure.Commands.Common.Authentication.AzureSession]::Instance.AuthenticationFactory.Authenticate($context.Account, $context.Environment, $context.Tenant.Id, $null, "Never", $null, "https://main.iam.ad.ext.azure.us")

with

$apiToken = [Microsoft.Azure.Commands.Common.Authentication.AzureSession]::Instance.AuthenticationFactory.Authenticate($context.Account, $context.Environment, $context.Tenant.Id, $null, "Never", $null, "ee62de39-b9b0-4886-aa58-08b89c4e3db3")

And now it works. Here is the example of the response:

name            : Office 365 E3 - GCCHIGH
accountId       : XXXXXX-XXXX-4427-8719-XXXXXXXXXXXX
accountSkuId    : TEST:ENTERPRISEPACK_USGOV_GCCHIGH
availableUnits  : 0
totalUnits      : 1
consumedUnits   : 1
skuId           : aea38a85-XXXX-XXXX-aa00-XXXXXXXXXXXX
isDepartment    : False
warningUnits    : 0
serviceStatuses : {@{provisioningStatus=Success; servicePlan=}, @{provisioningStatus=Success; servicePlan=}, @{provisioningStatus=Success; servicePlan=}, @{provisioningStatus=Success; servicePlan=}...}