This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
I'm following the https://learn.microsoft.com/en-us/azure/active-directory/external-identities/b2b-quickstart-invite-powershell article, but getting an "Object reference not set to an instance of an object" error when running the New-AzureADMSInvitation command.
I'm running this from a on-prem vm. The goal is to auto-invite B2B users that are added to an application we have on-prem.
I have a registered app that I'm using to connect and have granted admin consent for the following MSGraph API permissions: User.Invite.All, User.ManageIdentities.All, User.ReadWrite.All
I load all the variables for the registered app, tenant, etc. , then this...
Import-Module -Name AzureADPreview -force
# Get Access Token
$azurePassword = ConvertTo-SecureString $ClientSecret -AsPlainText -Force
$psCred = New-Object System.Management.Automation.PSCredential($AplicationId , $azurePassword)
Connect-AzAccount -Credential $psCred -TenantId $TenantId -ServicePrincipal
$context = [Microsoft.Azure.Commands.Common.Authentication.Abstractions.AzureRmProfileProvider]::Instance.Profile.DefaultContext
$aadToken = [Microsoft.Azure.Commands.Common.Authentication.AzureSession]::Instance.AuthenticationFactory.Authenticate($context.Account, $context.Environment, $context.Tenant.Id.ToString(), $null, [Microsoft.Azure.Commands.Common.Authentication.ShowDialog]::Never, $null, "https://graph.windows.net").AccessToken
Connect-AzureAD -AadAccessToken $aadToken -AccountId $context.Account.Id -TenantId $context.tenant.id
After running the above it displays
If I run Get-AzureADUser -All $true it shows all the users in my tenant correctly and it will let me add/delete regular users.
But if I try to run the following i get New-AzureADMSInvitation : Object reference not set to an instance of an object.
New-AzureADMSInvitation -InvitedUserEmailAddress $email.'InvitedUserEmailAddress' -InvitedUserDisplayName $email.Name -InviteRedirectUrl https://myapps.microsoft.com -SendInvitationMessage:$true
Hi @Michael Spencer, have a good day!
Would you please provide us with an update on the status of your issue?
Hi @Michael Spencer
Azure AD PowerShell is about to be deprecated, you can use the latest graph PowerShell to invite B2B collaboration users to your tenant.
Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes "User.Invite.All"
$params = @{
InvitedUserEmailAddress = "admin@fabrikam.com"
InviteRedirectUrl = "https://myapp.contoso.com"
}
New-MgInvitation -BodyParameter $params
Hope this helps.
If the reply is helpful, please click Accept Answer and kindly upvote it. If you have additional questions about this answer, please click Comment.
Hi @Michael Spencer
Just checking in to see if above information was helpful. If you have any further updates on this issue, please feel free to post back.
Hi @Michael Spencer
Have you tried the solution I proposed?
If you have any questions or progress, you can contact me in time.
Looking forward to your reply
Have a lucky day!
Thanks,
Carl Zhao
Hi @Michael Spencer
This is because you are using Azure AD graph access token to connect to Microsoft graph powershell, and New-MgInvitation cmdlet is a Microsoft graph powershell command, which does not support Azure AD graph access token, that's what is causing the issue.
If you must use an Azure AD graph access token, then you should use that token to connect to Azure AD and then use Azure AD powershell commands to invite external users to collaborate.
Connect to Azure AD:
Connect-AzureAD -AadAccessToken $aadToken -AccountId $context.Account.Id -TenantId $context.tenant.id
Invite users:
New-AzureADMSInvitation -InvitedUserEmailAddress someexternaluser@externaldomain.com -SendInvitationMessage $True -InviteRedirectUrl "http://myapps.microsoft.com"
Hope this helps.
If the reply is helpful, please click Accept Answer and kindly upvote it. If you have additional questions about this answer, please click Comment.
I want to use the latest and greatest, rather than something that is on it's way out, but this and previous post did give me a few clues !
Thanks
Thanks this and previous post gave me a few clues.
Hi @Michael Spencer
Good to know that it helped you, can you accept an answer that helped you? Thank you so much!
I need to be able to script this, so far I have this, which works as far as authentication apparently.
$azurePassword = ConvertTo-SecureString $ClientSecret -AsPlainText -Force
$psCred = New-Object System.Management.Automation.PSCredential($AplicationId , $azurePassword)
Connect-AzAccount -Credential $psCred -TenantId $TenantId -ServicePrincipal
$context = [Microsoft.Azure.Commands.Common.Authentication.Abstractions.AzureRmProfileProvider]::Instance.Profile.DefaultContext
$aadToken = [Microsoft.Azure.Commands.Common.Authentication.AzureSession]::Instance.AuthenticationFactory.Authenticate($context.Account, $context.Environment, $context.Tenant.Id.ToString(), $null, [Microsoft.Azure.Commands.Common.Authentication.ShowDialog]::Never, $null, "https://graph.windows.net").AccessToken
Connect-AzureAD -AadAccessToken $aadToken -AccountId $context.Account.Id -TenantId $context.tenant.id
Connect-MgGraph -AccessToken $aadToken
And I get the "Welcome To Microsoft Graph!" response.
When I then try:
$params = @{
InvitedUserEmailAddress = $email.'InvitedUserEmailAddress'
InviteRedirectUrl = "https://myapp.microsoft.com"
}
New-MgInvitation -BodyParameter $params
It errors with:
New-MgInvitation : Access token validation failure. Invalid audience.
But I can list, add, delete regular users w/o issue.
Hi @Michael Spencer, have a good day!
Please refer to my latest answer. If it helps you, don't forget to accept it as an answer. Thank you so much!
Success !
Several issues: Cert must be installed in user's store, won't be found if it's in the local machine store !
Missing modules and 2 versions of Microsoft.Graph.Authentication, so it wouldn't load correctly.
# load configs
. Import-Module "$($PWD)\UserUpdate_config.ps1" -force
# enforce TLS1.2
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Import-Module Microsoft.Graph.Identity.SignIns -force
Import-Module Microsoft.Graph.Authentication -force
Import-Module Microsoft.Graph.Users -force
Import-Module Microsoft.Graph.Groups -force
# cert must be in user's store to be seen
Connect-MgGraph -ClientID $AplicationId -TenantId $TenantId -CertificateThumbprint $certthumb -ContextScope Process
# get group object used by app
$relgroupinfo = New-MgDirectoryObject -Id $(Get-MgGroup -Filter "DisplayName eq '$($relgroup)'").Id
# get users to add. This will eventually be pulled directly from the app via SQL
$invitations = import-csv -Path $invitespath
foreach ($usit in $invitations) {
# create user and send invite
$userinfo = New-MgInvitation -InvitedUserDisplayName $usit.'Name' -InvitedUserEmailAddress $usit.'InvitedUserEmailAddress' -InviteRedirectUrl "https://myapp.microsoft.com" -SendInvitationMessage
# add user to group
New-MgGroupMember -GroupId $group2add.Id -DirectoryObjectId $userinfo.Id
}
Disconnect-MgGraph
Hi @Michael Spencer
Before that, make sure you have properly installed the Microsoft Graph PowerShell SDK, then connect to MgGraph using the application-only.