Also check whether the input CSV file is correct.
Looks like there might be an issue with the CSV file; make sure there are no spaces and the header is UserPrincipalName.
Disabling PowerShell in my Azure Tenant
I'm attempting to disable PowerShell for users in my Azure/365 tenant, with the exception of a few users. I'm trying to use the script I found in this Microsoft article:
https://learn.microsoft.com/en-us/schooldatasync/blocking-powershell-for-edu
When I run the script, I get these errors pointing to the object ID (screenshot attached).
This led me to believe there was an issue with the app ID used in the script, so I created a test app in App registrations and used that app ID with the script, and it ran perfectly.
The only possibilities I can think of for why this script isn't working are: the article is using the wrong app ID for Azure PowerShell (I could not find another app ID in my Google searches, and could not find any Azure PowerShell app in Enterprise apps or App registrations in Azure); I need to be a Global Admin to run the script; or you can only run this script successfully for the PowerShell app in an EDU tenant.
If anyone has any ideas or has tried doing something similar in their tenant, please let me know.
Here is the script for reference:
#Connect to Azure AD and establish a session
$session = Connect-AzureAD

#Set the Graph App ID as a variable
$appId = "1b730954-1685-4b74-9bfd-dac224a7b894"

#Ensure the service principal is present in the tenant, and if not add it
$sp = Get-AzureADServicePrincipal -Filter "appId eq '$appId'"
if (-not $sp) {
    $sp = New-AzureADServicePrincipal -AppId $appId
}

#Require user assignment for the Graph app (users without an app role assignment can no longer sign in to it)
Set-AzureADServicePrincipal -ObjectId $sp.ObjectId -AppRoleAssignmentRequired $true

#Assign the default app role (0-Guid) to each excluded user listed in the CSV (header: UserPrincipalName)
$admins = Import-Csv C:\tmp\ExcludedUsers.csv
foreach ($admin in $admins) {
    $user = Get-AzureADUser -ObjectId $admin.UserPrincipalName
    New-AzureADServiceAppRoleAssignment -ObjectId $sp.ObjectId -ResourceId $sp.ObjectId -Id ([Guid]::Empty.ToString()) -PrincipalId $user.ObjectId
}
Write-Host "Script Complete. PowerShell is now restricted."
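A pre-flight version of the same assignment step, added here as an example and not taken from the question or the Microsoft article: it validates the CSV (header name, stray whitespace, blank rows), resolves every UPN to an object ID before any change is made, checks that the account running the script is itself on the exclusion list, and skips users who already hold the role so the script can be re-run safely. It assumes the AzureAD module is loaded and Connect-AzureAD has already been run; the CSV path and app ID are the ones from the question's script, and the cmdlets are the standard AzureAD module ones.

```powershell
# Added example: validate the exclusion list and make the role assignment idempotent.
# Assumes the AzureAD module is imported and Connect-AzureAD has already been run.
$csvPath = 'C:\tmp\ExcludedUsers.csv'                    # path from the question's script
$appId   = '1b730954-1685-4b74-9bfd-dac224a7b894'         # app ID from the question's script

# 1. The CSV must have a UserPrincipalName column; a misspelt or padded header
#    makes $admin.UserPrincipalName evaluate to $null in the original loop.
$rows = @(Import-Csv -Path $csvPath)
if ($rows.Count -eq 0) { throw "No rows found in $csvPath" }
$columns = $rows[0].PSObject.Properties.Name
if ($columns -notcontains 'UserPrincipalName') {
    throw "Expected a 'UserPrincipalName' header, found: $($columns -join ', ')"
}

# 2. Trim whitespace, drop blank lines and duplicates.
$upns = $rows.UserPrincipalName |
    ForEach-Object { "$_".Trim() } |
    Where-Object { $_ } |
    Sort-Object -Unique

# 3. Resolve every UPN to an object ID before making any change, so one typo
#    does not leave the list half-applied.
$objectIds = @{}
$notFound  = @()
foreach ($upn in $upns) {
    try {
        $objectIds[$upn] = (Get-AzureADUser -ObjectId $upn -ErrorAction Stop).ObjectId
    } catch {
        $notFound += $upn
    }
}
if ($notFound.Count -gt 0) { throw "Not found in tenant: $($notFound -join ', ')" }

# 4. The account running the script should be on its own exclusion list,
#    otherwise it loses PowerShell access once AppRoleAssignmentRequired is set.
$me = (Get-AzureADCurrentSessionInfo).Account.Id
if ($upns -notcontains $me) { Write-Warning "$me is not in $csvPath and will be blocked too" }

# 5. Look up the service principal and the assignments it already has.
$sp = Get-AzureADServicePrincipal -Filter "appId eq '$appId'"
if (-not $sp) { throw "No service principal for appId $appId; create it first" }
$assigned = @(Get-AzureADServiceAppRoleAssignment -ObjectId $sp.ObjectId -All $true).PrincipalId

# 6. Assign the default role (0-Guid) only where it is missing, so re-running is safe.
foreach ($upn in $upns) {
    $id = $objectIds[$upn]
    if ($assigned -contains $id) {
        Write-Output "Already assigned: $upn"
        continue
    }
    New-AzureADServiceAppRoleAssignment -ObjectId $sp.ObjectId -ResourceId $sp.ObjectId `
        -Id ([Guid]::Empty.ToString()) -PrincipalId $id | Out-Null
    Write-Output "Assigned: $upn"
}
```

Resolving every UPN up front matters because the original script sets -AppRoleAssignmentRequired $true before the loop runs: any user whose row fails (bad header, padded value, typo) is blocked rather than excluded. Running these checks first, and only then setting the flag, keeps a failed lookup from silently shrinking the exclusion list.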
2 answers
Sathish Veerapandian, 81 Reputation points, MVP
2022-05-04T13:25:15.883+00:00
Rich Matheisen, 45,091 Reputation points
2022-05-03T21:45:22.357+00:00
I'm sure that you've already noticed that when you post code as if it was just plain text, there are bits and pieces that look quite different to what you see on your machine! So, when posting code, use the "Code Sample" editor (it's the icon that's 5th from the left on the Format Bar and has the graphic "101 010"). That'll make it clear what's code and what's text. It will also prevent the normal (text) editor from removing or altering certain character sequences.
W/R/T your post, in a recent other post (access-denied-for-this-calling-application-identif.html) please note the "tag" ("azure-ad-graph") used there and add it to your post. That will (or should) engage the appropriate SMEs.