Disabling Powershell in my Azure Tenant

John Parker 26 Reputation points

I'm attempting to disable Powershell for users in my Azure/365 tenant with the exception of a few users. I'm trying to use the script I found from this Microsoft article:


When I run the script, I get these errors pointing to the object ID (screenshot attached).

This led me to believe there was an issue with the app ID used in the script so I created a test app in app registrations and used that app ID with the script and it ran perfectly.

The only possibilities I can think of for why this script isn't working are that the article is using the wrong app ID for Azure PowerShell (I could not find another app ID in my Google searches and could not find any Azure PowerShell app in Enterprise apps or App registrations in Azure), that I need to be a global admin to run the script, or that you can only run this script successfully for the PowerShell app in an EDU tenant.

If anyone has any ideas or has tried doing something similar in their tenant, please let me know.

Here is the script for reference:

#Connect to Azure AD and establish a session
$session = Connect-AzureAD
#set the Azure PowerShell App ID as a variable
$appId = "1b730954-1685-4b74-9bfd-dac224a7b894"
#Ensure the service principal is present in the tenant, and if not add it
$sp = Get-AzureADServicePrincipal -Filter "appId eq '$appId'"
if (-not $sp) {
    $sp = New-AzureADServicePrincipal -AppId $appId
}
#Require user assignment for the app
Set-AzureADServicePrincipal -ObjectId $sp.ObjectId -AppRoleAssignmentRequired $true
# Assign the default app role (0-Guid) to each excluded user listed in the CSV
$admins = Import-Csv C:\tmp\ExcludedUsers.csv
Foreach ($admin in $admins) {
    $user = Get-AzureADUser -ObjectId $admin.userprincipalname
    New-AzureADServiceAppRoleAssignment -ObjectId $sp.ObjectId -ResourceId $sp.ObjectId -Id ([Guid]::Empty.ToString()) -PrincipalId $user.ObjectId
}
Write-Host "Script Complete. PowerShell is now restricted."

2 answers

  1. Rich Matheisen 38,821 Reputation points

    I'm sure that you've already noticed that when you post code as if it was just plain text that there are bits and pieces that look quite different to what you see on your machine! So, when posting code, use the "Code Sample" editor (it's the icon that's 5th from the left on the Format Bar and has the graphic "101 010"). That'll make it clear what's code and what's text. It will also prevent the normal (text) editor from removing or altering certain character sequences.

    W/R/T your post, in a recent other post (access-denied-for-this-calling-application-identif.html) please note the "tag" ("azure-ad-graph") used there and add it to your post. That will (or should) engage the appropriate SMEs.

  2. sathish veerapandian 81 Reputation points MVP

    Also check whether the input CSV file is correct.
    It looks like there might be an issue with the CSV file; make sure there are no spaces and that the header is UserPrincipalName.
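
As an added example (not from the question, the answers, or the Microsoft article), the same restriction written defensively: the CSV header and stray-whitespace problems raised in the second answer are checked before the tenant is touched, the excluded users are assigned before assignment is required so that no administrator is locked out while the script runs, and users that cannot be resolved are reported instead of being silently skipped. It assumes the AzureAD module and a session with rights to manage service principals; the app ID and CSV path are the ones from the question.

```powershell
# Added example, not the script from the question or the Microsoft article.
# Assumes the AzureAD module; app ID and CSV path are taken from the question.
Connect-AzureAD | Out-Null

$appId   = "1b730954-1685-4b74-9bfd-dac224a7b894"   # Azure PowerShell app ID from the question
$csvPath = "C:\tmp\ExcludedUsers.csv"

# 1. Validate the CSV before changing anything: the header must be UserPrincipalName.
$rows = Import-Csv -Path $csvPath
if (-not $rows) { throw "No rows found in $csvPath" }
$headers = ($rows | Select-Object -First 1).PSObject.Properties.Name
if ($headers -notcontains 'UserPrincipalName') {
    throw "Expected a 'UserPrincipalName' header, found: $($headers -join ', ')"
}

# 2. Ensure the service principal exists in the tenant (looked up by appId, not object ID).
$sp = Get-AzureADServicePrincipal -Filter "appId eq '$appId'"
if (-not $sp) {
    $sp = New-AzureADServicePrincipal -AppId $appId
}

# 3. Assign the excluded users first, so requiring assignment never locks them out.
$existing = Get-AzureADServiceAppRoleAssignment -ObjectId $sp.ObjectId -All $true
foreach ($row in $rows) {
    $upn = $row.UserPrincipalName.Trim()            # trailing spaces are the usual CSV fault
    if ([string]::IsNullOrWhiteSpace($upn)) { continue }
    $user = Get-AzureADUser -Filter "userPrincipalName eq '$upn'"
    if (-not $user) { Write-Warning "User not found, skipping: $upn"; continue }
    if ($existing.PrincipalId -contains $user.ObjectId) {
        Write-Host "Already assigned: $upn"; continue
    }
    # The default app role is the empty GUID, as in the original script.
    New-AzureADServiceAppRoleAssignment -ObjectId $sp.ObjectId -ResourceId $sp.ObjectId `
        -Id ([Guid]::Empty) -PrincipalId $user.ObjectId | Out-Null
    Write-Host "Assigned: $upn"
}

# 4. Only now require assignment: every user not listed above loses access to the app.
Set-AzureADServicePrincipal -ObjectId $sp.ObjectId -AppRoleAssignmentRequired $true
Write-Host "Azure PowerShell is now restricted to the $($rows.Count) listed user(s)."
```

Run it once with step 4 commented out to confirm the assignments appear under the service principal's Users and groups before enforcing the restriction.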