0
votes

I have written a DotNet Forms application which uses PowerShell automation to create and modify users in On-premise AD, On-premise Exchange, Azure AD and O365 to match records provided by HR. This has been in use by a customer for a few years and works fine.

The code makes use of the Azure Active Directory Module for Windows PowerShell (MSOnline - MSOL) to view and edit users in Azure AD. I originally used MSOL version 8073.4 but I've since upgraded to MSOL version 1.1.166.0 (see http://social.technet.microsoft.com/wiki/contents/articles/28552.microsoft-azure-active-directory-powershell-module-version-release-history.aspx)

For example I'd use the following PowerShell to modify a user's title:

Import-Module MSOnline
$Cred = Get-Credential
Connect-MSOLService -Credential $Cred
Set-MSOLUser -UserPrincipalName [email protected] -Title 'Deliverer of presents'

Everything was fine until I was asked to extend the code to update each Azure AD user's "Manager ID" attribute. Easy I thought! I just need to update the user's "Manager ID" field (which is the ObjectID of the manager's Azure AD account) just like I update the title.....

Er, no. I can't find any way to change the manager field. I've gone over and over the MSDN documentation and cannot find any method to do this:

So I looked at the new v2 Azure AD modules which are in preview at the moment (mentioned in the above release history URL) and can be downloaded from the PowerShell Gallery (search for "AzureADPreview"). These are ultimately going to replace the old MSOL cmdlets and look very similar to the existing Azure PowerShell modules (for creating VMs etc). This does provide support for setting a user's "manager ID" via the command Set-AzureADUserManager and I've tried this and it works, so I thought I'd update my application to use the new v2 APIs instead of the v1 APIs (MSOL).

Unfortunately I found that the Set-AzureADUser command (used to set attributes like job title) is completely broken in v2.0.0.1 and fails with the error "Exception has been thrown by the target of the invocation" for any combination that I try. I've reported this to the developers via the PowerShell gallery.

Luckily I found that the previous version 1.1.167.0 of these modules works fine so I'm using that version and can now successfully create users, modify users, configure the user's "Manager ID" but I cannot work out how to set licenses (e.g. O365_BUSINESS_PREMIUM). The documentation for the command Set-AzureADUserLicense is pretty much non-existent and I've been unable to work out how to use it.

I think I need to do the following:

# Create an object which contains the individual license 'x' I want to add
# The available license SkuIDs can be read from Get-AzureADSubscribedSku
$MySingleLicenseToAdd = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicense
$MySingleLicenseToAdd.SkuID = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"

# Create a licenses object which is assigned the individual licenses I want to add or remove
$MyLicensesToAddOrRemove = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicenses
$MyLicensesToAddOrRemove.AddLicenses = $MySingleLicenseToAdd
$MyLicensesToAddOrRemove.RemoveLicenses = $Null

# Perform the license action against the specified user 'y'
Set-AzureADUserLicense -ObjectId 'yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyy' -AssignedLicenses $MyLicensesToAddOrRemove

but it fails on the second line of code saying that "SkuID" is a read-only field.

So I can't use the V1 (MSOL) APIs because I cannot find a way to update the user's "Manager ID" field. I can't use the V2 APIs because I cannot find a way to assign licenses (and it's in preview so not a great idea to use in live)

My current plan is to go back to using the V1 APIs but then make use of the V2 APIs to update the "Manager ID" field only, but this is hardly an ideal solution (because I'll be signed into Azure twice with two different APIs) so I was wondering if anyone could provide any suggestions?

  1. My preference would be to use the v1 (MSOL) APIs to update the "Manager ID" field.
  2. My second preference would be to use the v2 APIs and learn how to assign licenses.
  3. My third preference is anything else ;)

I have read one article about using the REST APIs directly, but that was WAY heavy and I'd prefer to avoid and stick with an Azure PowerShell API if possible.

Sorry about the looooong question, but I was trying to provide some context as to why I'm trying to use the V2 APIs.

Update (23/09/2016):

AzureADPreview 2.0.0.2 was just released and it fixes the problem with Set-AzureADUser :) but unfortunately partially breaks Set-AzureADUserManager :(

Same problem with licenses with this new version

2 Answers

0
votes

Here is an example of how you can use the Set-AzureADUserLicense cmdlet to set licenses for a user.

Please let me know if this clarifies.

# Get the License SkuId from a template user that we want to apply to the new user
$licensedUser = Get-AzureADUser -ObjectId "[email protected]"
# Get the new User we want to apply the license to
$user = Get-AzureADUser -ObjectId "[email protected]"
# Create the new License object
$license = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicense
$license.SkuId = $licensedUser.AssignedLicenses.SkuId
# Create the Licenses Table and add the license from above
$licenses = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicenses
$licenses.AddLicenses = $license
# Apply the license to the new user
Set-AzureADUserLicense -ObjectId $user.ObjectId -AssignedLicenses $licenses

0
votes

Thanks for replying. Rob.

The code you supplied is the same as what I was trying (see the code in my original question) with the exception that you retrieve the SkuID from an existing user.

Since two new versions of AzureADPreview have since been released (2.0.0.7 and 2.0.0.17), this prompted me to try again with the new versions of AzureADPreview and also the original versions that were available when I originally posted.

My results are as follows:

2.0.0.1: Doesn't work. Read-Only error.

2.0.0.2: Doesn't work. Read-Only error.

2.0.0.7: Works

2.0.0.17: Works

So basically it was a fault in the original versions of AzureADPreview but Microsoft have since fixed it.

All working now.
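
The two answers combined, as an added example that is not part of the original thread: it resolves the SkuId by part number from Get-AzureADSubscribedSku (as the question's code comment suggests) instead of copying it from a template user, and refuses to run on module builds older than 2.0.0.7, the first version the last reply found to work. The function names Resolve-LicenseSkuId and Add-UserLicense are hypothetical, and an existing Connect-AzureAD session is assumed.

```powershell
# Added example, not code from the thread. Function names are hypothetical.
# Assumes the AzureADPreview module is installed and Connect-AzureAD has been run.
function Resolve-LicenseSkuId {
    param([Parameter(Mandatory)] [object[]] $SubscribedSkus,
          [Parameter(Mandatory)] [string]   $SkuPartNumber)
    $sku = @($SubscribedSkus | Where-Object { $_.SkuPartNumber -eq $SkuPartNumber })
    if ($sku.Count -ne 1) { throw "Expected one SKU named '$SkuPartNumber', found $($sku.Count)." }
    # Fail before touching the user if the tenant has no free seat for this SKU.
    if ($sku[0].ConsumedUnits -ge $sku[0].PrepaidUnits.Enabled) { throw "No free '$SkuPartNumber' seats." }
    return $sku[0].SkuId
}

function Add-UserLicense {
    param([Parameter(Mandatory)] [string] $UserPrincipalName,
          [Parameter(Mandatory)] [string] $SkuPartNumber)
    # The thread reports the read-only SkuId error on 2.0.0.1 and 2.0.0.2 and
    # success from 2.0.0.7, so check the version of the cmdlet that will actually run.
    $version = (Get-Command -Name Set-AzureADUserLicense -ErrorAction Stop).Version
    if ($version -lt [version]'2.0.0.7') { throw "Module $version is too old; 2.0.0.7 or later is required." }

    $skuId = Resolve-LicenseSkuId -SubscribedSkus (Get-AzureADSubscribedSku) -SkuPartNumber $SkuPartNumber
    $user  = Get-AzureADUser -ObjectId $UserPrincipalName
    # Azure AD rejects license assignment for users without a usage location.
    if (-not $user.UsageLocation) { throw "$UserPrincipalName has no UsageLocation set." }
    # Skip users who already hold the SKU so repeated HR sync runs stay idempotent.
    if ($user.AssignedLicenses.SkuId -contains $skuId) { return }

    $license = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicense
    $license.SkuId = $skuId
    $licenses = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicenses
    $licenses.AddLicenses = $license
    Set-AzureADUserLicense -ObjectId $user.ObjectId -AssignedLicenses $licenses
}

# Constructed sample SKU record, so the lookup can be exercised without a tenant.
$sampleSku = [pscustomobject]@{
    SkuPartNumber = 'O365_BUSINESS_PREMIUM'; SkuId = '00000000-0000-0000-0000-000000000001'
    ConsumedUnits = 3; PrepaidUnits = [pscustomobject]@{ Enabled = 5 }
}
Resolve-LicenseSkuId -SubscribedSkus $sampleSku -SkuPartNumber 'O365_BUSINESS_PREMIUM'
```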