Disabling PowerShell in my Azure Tenant

John Parker 26 Reputation points
2022-05-02T14:23:41.407+00:00

I'm attempting to disable PowerShell for users in my Azure/365 tenant with the exception of a few users. I'm trying to use the script I found in this Microsoft article:

https://learn.microsoft.com/en-us/schooldatasync/blocking-powershell-for-edu

When I run the script, I get these errors pointing to the object ID (screenshot attached).

This led me to believe there was an issue with the app ID used in the script so I created a test app in app registrations and used that app ID with the script and it ran perfectly.

The only possibilities I can think of for why this script isn't working are that the article is using the wrong app ID for Azure PowerShell (I could not find another app ID in my Google searches and could not find any Azure PowerShell app in enterprise apps or app registrations in Azure), that I need to be a global admin to run the script, or that you can only run this script successfully for the PowerShell app in an EDU tenant.

If anyone has any ideas or has tried doing something similar in their tenant, please let me know.

Here is the script for reference:

#Connect to Azure AD and establish a session
$session = Connect-AzureAD

#Set the Graph App ID as a variable
$appId = "1b730954-1685-4b74-9bfd-dac224a7b894"

#Ensure the service principal is present in the tenant, and if not add it
$sp = Get-AzureADServicePrincipal -Filter "appId eq '$appId'"

if (-not $sp) {
    $sp = New-AzureADServicePrincipal -AppId $appId
}

#Require user assignment for the Graph app
Set-AzureADServicePrincipal -ObjectId $sp.ObjectId -AppRoleAssignmentRequired $true

#Assign the default app role (0-Guid) to each user listed in the CSV (-ObjectId also accepts a UPN)
$admins = Import-Csv C:\tmp\ExcludedUsers.csv
foreach ($admin in $admins) {
    $user = Get-AzureADUser -ObjectId $admin.UserPrincipalName
    New-AzureADServiceAppRoleAssignment -ObjectId $sp.ObjectId -ResourceId $sp.ObjectId -Id ([Guid]::Empty.ToString()) -PrincipalId $user.ObjectId
}

Write-Host "Script Complete. PowerShell is now restricted."

2 answers

  1. Rich Matheisen 44,416 Reputation points
    2022-05-03T21:45:22.357+00:00

    I'm sure that you've already noticed that when you post code as if it was just plain text that there are bits and pieces that look quite different to what you see on your machine! So, when posting code, use the "Code Sample" editor (it's the icon that's 5th from the left on the Format Bar and has the graphic "101 010"). That'll make it clear what's code and what's text. It will also prevent the normal (text) editor from removing or altering certain character sequences.

    W/R/T your post, in a recent other post (access-denied-for-this-calling-application-identif.html) please note the "tag" ("azure-ad-graph") used there and add it to your post. That will (or should) engage the appropriate SMEs.


  2. Sathish Veerapandian 81 Reputation points MVP
    2022-05-04T13:25:15.883+00:00

    Also check whether the input CSV file is incorrect.
    It looks like there might be an issue with the CSV file; make sure there are no spaces and the header is UserPrincipalName.
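An added example, not the article's script and not code from either answerer, that combines the question's script with the CSV check from the second answer: it validates the UserPrincipalName header, resolves every excluded user before changing anything, reports the service principal's ObjectId (the value the errors pointed at), and only turns on AppRoleAssignmentRequired after the exclusions are in place so nobody is locked out mid-run. The parameter names and the reordering of the steps are this example's own assumptions; the app ID is the one from the thread.

```powershell
# Added example: a checked version of the thread's flow. Assumes the AzureAD
# module and a CSV whose header is exactly UserPrincipalName. $CsvPath and
# the step ordering are this example's assumptions, not the article's.
param(
    [string]$CsvPath = 'C:\tmp\ExcludedUsers.csv',
    # App ID copied from the thread's script; confirm it in your own tenant.
    [string]$AppId   = '1b730954-1685-4b74-9bfd-dac224a7b894'
)

Connect-AzureAD | Out-Null

# 1. Validate the CSV before touching the tenant. A misspelled header or a
#    stray space makes every $row.UserPrincipalName empty (second answer).
$rows = @(Import-Csv -Path $CsvPath)
if ($rows.Count -eq 0 -or -not ($rows[0].PSObject.Properties.Name -contains 'UserPrincipalName')) {
    throw "CSV '$CsvPath' is empty or lacks a 'UserPrincipalName' header."
}
$upns = $rows.UserPrincipalName | ForEach-Object { $_.Trim() } | Where-Object { $_ }

# 2. Resolve every excluded user up front so one bad row cannot leave the
#    app restricted with only part of the exclusion list assigned.
$users = @{}
foreach ($upn in $upns) {
    $u = Get-AzureADUser -ObjectId $upn -ErrorAction SilentlyContinue
    if (-not $u) { throw "User '$upn' not found; nothing has been changed." }
    $users[$upn] = $u
}

# 3. Find (or create) the service principal and show the ObjectId that the
#    thread's error messages referred to.
$sp = Get-AzureADServicePrincipal -Filter "appId eq '$AppId'"
if (-not $sp) {
    Write-Host "No service principal for $AppId in this tenant; creating one."
    $sp = New-AzureADServicePrincipal -AppId $AppId
}
Write-Host "Service principal '$($sp.DisplayName)' ObjectId: $($sp.ObjectId)"

# 4. Assign the default role (empty GUID) to each excluded user, skipping
#    existing assignments, and only then require assignment on the app.
$existing = @(Get-AzureADServiceAppRoleAssignment -ObjectId $sp.ObjectId).PrincipalId
foreach ($upn in $users.Keys) {
    $u = $users[$upn]
    if ($existing -contains $u.ObjectId) { Write-Host "Already assigned: $upn"; continue }
    New-AzureADServiceAppRoleAssignment -ObjectId $sp.ObjectId -ResourceId $sp.ObjectId `
        -Id ([Guid]::Empty.ToString()) -PrincipalId $u.ObjectId | Out-Null
    Write-Host "Assigned: $upn"
}
Set-AzureADServicePrincipal -ObjectId $sp.ObjectId -AppRoleAssignmentRequired $true
Write-Host "AppRoleAssignmentRequired is now on; $($users.Count) user(s) excluded."
```

Run it with the account that will keep PowerShell access listed in the CSV; if step 2 throws, nothing in the tenant has been modified yet.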