JohnParker-3426 asked JohnParker-3426 commented

Disabling Powershell in my Azure Tenant

I'm attempting to disable Powershell for users in my Azure/365 tenant with the exception of a few users. I'm trying to use the script I found from this Microsoft article:

https://docs.microsoft.com/en-us/schooldatasync/blocking-powershell-for-edu

When I run the script, I get these errors pointing to the object ID (screenshot attached: 198291-2022-04-29-12-36-50.png).

This led me to believe there was an issue with the app ID used in the script so I created a test app in app registrations and used that app ID with the script and it ran perfectly.

The only possibilities I can think of for why this script isn't working are: the article is using the wrong app ID for Azure PowerShell (I could not find another app ID in my Google searches and could not find any Azure PowerShell app in Enterprise Apps or App Registrations in Azure); I need to be a Global Admin to run the script; or you can only run this script successfully for the PowerShell app in an EDU tenant.

If anyone has any ideas or has tried doing something similar in their tenant, please let me know.

Here is the script for reference:

 #Connect to Azure AD and establish a session (AzureAD module; Connect-AzureAD loads it)
 $session = Connect-AzureAD

 #Set the app ID as a variable. Note: this GUID is the well-known app ID of the "Azure Active Directory PowerShell" first-party application, not of Microsoft Graph.
 $appId = "1b730954-1685-4b74-9bfd-dac224a7b894"

 #Ensure the service principal is present in the tenant, and if not add it
 $sp = Get-AzureADServicePrincipal -Filter "appId eq '$appId'"

 if (-not $sp) {
     $sp = New-AzureADServicePrincipal -AppId $appId
 }

 #Require user assignment for the app; stop here if the directory rejects the update
 Set-AzureADServicePrincipal -ObjectId $sp.ObjectId -AppRoleAssignmentRequired $true -ErrorAction Stop

 #Assign the default app role (0-Guid) to each excluded user.
 #The CSV must have a UserPrincipalName column header; each UPN is resolved to its object ID first.
 $admins = Import-Csv C:\tmp\ExcludedUsers.csv
 foreach ($admin in $admins) {
     $user = Get-AzureADUser -ObjectId $admin.UserPrincipalName.Trim() -ErrorAction Stop
     New-AzureADServiceAppRoleAssignment -ObjectId $sp.ObjectId -ResourceId $sp.ObjectId -Id ([Guid]::Empty.ToString()) -PrincipalId $user.ObjectId
 }

 Write-Host "Script Complete. PowerShell is now restricted."




Tags: windows-server-powershell, azure-ad-app-registration, azure-ad-graph

RichMatheisen-8856 answered JohnParker-3426 commented

I'm sure you've already noticed that when you post code as if it were plain text, there are bits and pieces that look quite different from what you see on your machine! So, when posting code, use the "Code Sample" editor (it's the icon that's 5th from the left on the Format Bar and has the graphic "101 010"). That'll make it clear what's code and what's text. It will also prevent the normal (text) editor from removing or altering certain character sequences.

With regard to your post: in another recent post (access-denied-for-this-calling-application-identif.html), please note the tag ("azure-ad-graph") used there and add it to your post. That will (or should) engage the appropriate SMEs.



Thanks for the tips! I'll fix the code and add the tag.

sathishveerapandian-7090 answered JohnParker-3426 commented

Also check whether the input CSV file is correct.
It looks like there might be an issue with the CSV file; make sure there are no spaces and that the header is UserPrincipalName.


I wish it were something that simple, but the errors start at the "Set-AzureADServicePrincipal" line (line 15), which is before the CSV is imported. Also, I ran the script with only the app ID on line 5 changed to a test app I created, and it worked properly.

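The thread above leaves two things untested separately: whether the app ID resolves to the service principal the article intends (and what that principal is called in the tenant), and whether the CSV and every UPN in it are valid before any change is made. The following is an added example, not code from the original post or from the Microsoft article, that splits the procedure into a read-only verification pass and an explicit apply step, so a failure at Set-AzureADServicePrincipal cannot be confused with a CSV problem. It assumes the AzureAD module, a CSV at C:\tmp\ExcludedUsers.csv with a UserPrincipalName header, and that the Connect-AzureAD return object exposes Account.Id and TenantDomain (used only for the lock-out warning and the sign-in banner); the -Apply switch and the parameter names are this example's own.

```powershell
# Added example (not from the original post or the Microsoft article).
# Assumptions: AzureAD module installed; CSV has a UserPrincipalName column;
# the caller may edit service principals and app role assignments.
param(
    [string]$AppId   = "1b730954-1685-4b74-9bfd-dac224a7b894",  # app ID taken from the article
    [string]$CsvPath = "C:\tmp\ExcludedUsers.csv",
    [switch]$Apply                                               # omit for a read-only check
)

$ErrorActionPreference = 'Stop'
Import-Module AzureAD
$conn = Connect-AzureAD
Write-Host "Signed in as $($conn.Account.Id) in tenant $($conn.TenantDomain)"

# 1. Does the app ID resolve, and to which application? DisplayName shows which
#    first-party or custom app the GUID really belongs to in this tenant.
$sp = Get-AzureADServicePrincipal -Filter "appId eq '$AppId'"
if (-not $sp) {
    Write-Warning "No service principal for appId $AppId exists in this tenant."
    if ($Apply) { $sp = New-AzureADServicePrincipal -AppId $AppId }
    else        { throw "Re-run with -Apply to create it, or correct the app ID." }
}
Write-Host ("Service principal: {0} (ObjectId {1}, AppRoleAssignmentRequired={2})" -f `
    $sp.DisplayName, $sp.ObjectId, $sp.AppRoleAssignmentRequired)

# 2. Validate the CSV before touching anything: the header must be
#    UserPrincipalName and every UPN must resolve to a user object.
$rows = Import-Csv -Path $CsvPath
if (-not ($rows | Get-Member -Name UserPrincipalName -MemberType NoteProperty)) {
    $found = ($rows | Get-Member -MemberType NoteProperty).Name -join ', '
    throw "CSV header must be 'UserPrincipalName' (found: $found)"
}
$users = foreach ($row in $rows) {
    $upn = $row.UserPrincipalName.Trim()            # stray spaces are a common CSV defect
    try   { Get-AzureADUser -ObjectId $upn }
    catch { throw "UPN '$upn' from $CsvPath does not resolve: $($_.Exception.Message)" }
}
if ($conn.Account.Id -notin $users.UserPrincipalName) {
    Write-Warning "The signed-in account is not in the exclusion list and will be blocked too."
}

# 3. Apply only when asked. Each directory write is isolated so the step that
#    fails is reported by name, with the service principal it was aimed at.
if (-not $Apply) { Write-Host "Dry run complete; re-run with -Apply to enforce."; return }

try {
    Set-AzureADServicePrincipal -ObjectId $sp.ObjectId -AppRoleAssignmentRequired $true
} catch {
    throw "Set-AzureADServicePrincipal failed for '$($sp.DisplayName)': $($_.Exception.Message)"
}

# Skip users who already hold an assignment so the script is safe to re-run.
$existing = Get-AzureADServiceAppRoleAssignment -ObjectId $sp.ObjectId
foreach ($u in $users) {
    if ($existing.PrincipalId -contains $u.ObjectId) {
        Write-Host "Already assigned: $($u.UserPrincipalName)"
        continue
    }
    New-AzureADServiceAppRoleAssignment -ObjectId $sp.ObjectId -ResourceId $sp.ObjectId `
        -Id ([Guid]::Empty.ToString()) -PrincipalId $u.ObjectId | Out-Null
    Write-Host "Assigned: $($u.UserPrincipalName)"
}

# 4. Print the final assignment list so the result can be audited.
Get-AzureADServiceAppRoleAssignment -ObjectId $sp.ObjectId |
    Select-Object PrincipalDisplayName, PrincipalType, CreationTimestamp
```

Run it once without -Apply: if the DisplayName printed in step 1 is not the application you expect to restrict, the app ID is the problem; if step 2 throws, the CSV is; only after both pass does -Apply make the change, and the final listing shows exactly who can still sign in.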