I'm attempting to disable PowerShell for users in my Azure/365 tenant, with the exception of a few users. I'm trying to use the script I found in this Microsoft article:
https://learn.microsoft.com/en-us/schooldatasync/blocking-powershell-for-edu
When I run the script, I get these errors pointing to the object ID (screenshot attached).
This led me to believe there was an issue with the app ID used in the script, so I created a test app in App registrations and used that app ID with the script, and it ran perfectly.
The only possibilities I can think of for why this script isn't working are that the article is using the wrong app ID for Azure PowerShell (I could not find another app ID in my Google searches and could not find any Azure PowerShell app in Enterprise applications or App registrations in Azure), that I need to be a Global Admin to run the script, or that you can only run this script successfully for the PowerShell app in an EDU tenant.
If anyone has any ideas or has tried doing something similar in their tenant, please let me know.
Here is the script for reference:
# Connect to Azure AD and establish a session (AzureAD module)
$session = Connect-AzureAD

# Well-known app ID of the Microsoft first-party "Azure Active Directory PowerShell" application
# (the value used in the article; the original comment called it the "Graph App ID")
$appId = "1b730954-1685-4b74-9bfd-dac224a7b894"

# Ensure the service principal for that app is present in the tenant, and if not, add it
$sp = Get-AzureADServicePrincipal -Filter "appId eq '$appId'"
if (-not $sp) {
    $sp = New-AzureADServicePrincipal -AppId $appId
}

# Require user assignment for the app: only principals with an app role assignment can sign in to it
Set-AzureADServicePrincipal -ObjectId $sp.ObjectId -AppRoleAssignmentRequired $true

# Assign the default app role (the empty GUID) to each user listed in the CSV,
# which exempts those users from the restriction. The CSV must have a "userprincipalname" column.
$admins = Import-Csv C:\tmp\ExcludedUsers.csv
foreach ($admin in $admins) {
    # Get-AzureADUser -ObjectId accepts a UPN as well as an object ID
    $user = Get-AzureADUser -ObjectId $admin.userprincipalname -ErrorAction SilentlyContinue
    if (-not $user) {
        Write-Warning "User not found, skipping: $($admin.userprincipalname)"
        continue
    }
    New-AzureADServiceAppRoleAssignment -ObjectId $sp.ObjectId -ResourceId $sp.ObjectId -Id ([Guid]::Empty.ToString()) -PrincipalId $user.ObjectId
}
Write-Host "Script Complete. PowerShell is now restricted."
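As an added example (not from the original post or the Microsoft article), here is a read-only check for what the script above is supposed to leave behind: whether the service principal for the app ID actually exists and requires assignment, which principals currently hold an assignment, and whether that matches the exclusion CSV. It assumes the AzureAD module is installed, that Connect-AzureAD has already been run, and that the CSV path and "userprincipalname" column are as in the post.

```powershell
# Added verification script; assumes an existing Connect-AzureAD session.
param(
    [string]$AppId = "1b730954-1685-4b74-9bfd-dac224a7b894",   # app ID from the post
    [string]$ExcludedUsersCsv = "C:\tmp\ExcludedUsers.csv"      # assumed path/column as in the post
)

$sp = Get-AzureADServicePrincipal -Filter "appId eq '$AppId'"
if (-not $sp) {
    Write-Warning "No service principal for appId $AppId exists in this tenant; nothing is restricted yet."
    return
}
if ($sp.AppRoleAssignmentRequired) {
    Write-Host "OK: '$($sp.DisplayName)' requires user assignment (ObjectId $($sp.ObjectId))."
} else {
    Write-Warning "'$($sp.DisplayName)' does NOT require user assignment; every user can still sign in to it."
}

# Principals that currently hold an app role assignment on this service principal
$assigned   = Get-AzureADServiceAppRoleAssignment -ObjectId $sp.ObjectId -All $true
$allowedIds = @($assigned | ForEach-Object { $_.PrincipalId })

# Every user in the CSV should have an assignment
$expected = Import-Csv $ExcludedUsersCsv
foreach ($row in $expected) {
    $user = Get-AzureADUser -ObjectId $row.userprincipalname -ErrorAction SilentlyContinue
    if (-not $user) { Write-Warning "User not found: $($row.userprincipalname)"; continue }
    if ($allowedIds -contains $user.ObjectId) {
        Write-Host "OK: $($user.UserPrincipalName) is assigned."
    } else {
        Write-Warning "MISSING: $($user.UserPrincipalName) is in the CSV but has no assignment."
    }
}

# Anything assigned that is not in the CSV is drift worth reviewing; groups widen the exemption
$expectedUpns = @($expected | ForEach-Object { $_.userprincipalname })
foreach ($a in $assigned) {
    if ($a.PrincipalType -eq 'User') {
        $u = Get-AzureADUser -ObjectId $a.PrincipalId
        if ($expectedUpns -notcontains $u.UserPrincipalName) {
            Write-Warning "EXTRA: $($u.UserPrincipalName) is assigned but not in the CSV."
        }
    } else {
        Write-Warning "Non-user principal '$($a.PrincipalDisplayName)' ($($a.PrincipalType)) is assigned; all its members are exempt."
    }
}
```

Run it after the blocking script, and again periodically, so that an exemption added outside the CSV (for example a group assignment made in the portal) is noticed.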