You have a system already connected to one M365 tenant but need to connect to a different tenant to do some work. Clearing the cached Az context forces a fresh login:
- close all PS sessions
- navigate to C:\Users\<User Name>\.Azure
- delete "AzureRmContext.json"
- open a new PS session
- type Connect-AzAccount -UseDeviceAuthentication
- open a browser at https://microsoft.com/devicelogin
- enter the code displayed on screen
Now let's look at some basic info about the tenant:
- Install-Module Az -AllowClobber
- Update-Module Az
- Update-Module Az.Resources
- Connect-AzAccount
- Get-AzTenant
- Get-AzDomain
- Get-AzSubscription
- Get-AzResourceGroup
- Get-AzResource
Now let's look at the data center locations:
- Get-AzLocation
- Get-AzLocation | select Location,DisplayName,Longitude,Latitude,PhysicalLocation,GeographyGroup | sort Location | ft
https://www.google.com/maps/place/@26.6800586,-80.1964032,15z
- Ashburn/Dulles
- Leesburg-Compass-Creek-Campus
- Stone Ridge-IAD11
- Manassas-MNZ02
- Boydton
Now let's look at the resources on the tenant. Disabling WAM and requesting a Graph auth scope lets the Az cmdlets also query Entra ID (users/groups) for role assignments:
Update-AzConfig -EnableLoginByWam $false
Connect-AzAccount -AuthScope MicrosoftGraphEndpointResourceId
Connect-AzAccount -AuthScope MicrosoftGraphEndpointResourceId -TenantId domain.tld
(-TenantId also accepts the tenant GUID, e.g. d8136a00-15ba-48b8-0139-10b25bab63c6)
Get-AzRoleAssignment -ResourceGroupName "RG-FOO-01"
Get-AzRoleAssignment -ResourceGroupName "RG-FOO-01" | select DisplayName,SignInName,Scope | sort SignInName
Get-AzRoleAssignment -ResourceGroupName "RG-FOO-01" -ResourceName "RESNAME-FOO-01" -ResourceType "Microsoft.Compute/virtualMachines"
See the IAM access to a specific VM:
Get-AzRoleAssignment -Scope /subscriptions/939245b7-8911-4bb1-bfc6-bccc99dab72f/resourceGroups/RG-FOO-01/providers/Microsoft.Compute/virtualMachines/SRV-FOO-01
Add an Azure AD security group:
New-AzureADGroup -DisplayName app-foo -MailEnabled $false -SecurityEnabled $true -MailNickName "NotSet"
Take the users that currently have IAM access and add them to the group, so the group (rather than individual users) can be given IAM access to the VM. Group assignments have no SignInName, so filter those out before expanding, and sort/dedupe the plain strings after expanding:
Get-AzRoleAssignment -ResourceGroupName "RG-FOO-01" | ?{ $_.SignInName } | select -ExpandProperty SignInName | sort -Unique | %{ Add-AzureADGroupMember -ObjectId ((Get-AzureADGroup -SearchString "app-foo").ObjectId) -RefObjectId ((Get-AzureADUser -SearchString $_).ObjectId) }
Removing direct IAM access to a specific VM:
Get-AzRoleAssignment -Scope /subscriptions/939245b7-8911-4bb1-bfc6-bccc99dab72f/resourceGroups/RG-FOO-01/providers/Microsoft.Compute/virtualMachines/SRV-FOO-01 | ?{ ($_.RoleDefinitionName -eq "Virtual Machine Administrator Login") -and ($null -ne $_.SignInName) -and ($_.Scope -like "*/virtualMachines/SRV-FOO-01") } | Remove-AzRoleAssignment
This works because the Azure AD group's role assignment has no SignInName, so only the per-user assignments are removed and the group keeps its access. The Scope filter matters too: Get-AzRoleAssignment -Scope also returns assignments inherited from the resource group and subscription, and piping those into Remove-AzRoleAssignment would remove them at that higher scope.
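The notes above add the users to the group and then remove their direct assignments, but never show the step in between: assigning the role to the group. The following script (an added example, not part of the original notes) does the whole migration in the safe order for one role on one VM, and only changes anything when run with -Apply. It assumes Connect-AzAccount and Connect-AzureAD are already done; $Scope, $RoleName and $GroupName are placeholders.

```powershell
# Move direct user assignments of one role on a VM into a security group.
# Order: add members -> assign group -> remove direct assignments, so nobody loses access in between.
param(
    [string]$Scope     = '/subscriptions/<SUBSCRIPTION-ID>/resourceGroups/RG-FOO-01/providers/Microsoft.Compute/virtualMachines/SRV-FOO-01',
    [string]$RoleName  = 'Virtual Machine Administrator Login',
    [string]$GroupName = 'app-foo',
    [switch]$Apply     # without -Apply the script only reports what it would do
)

# 1. Direct user assignments of this role at exactly this scope. Group assignments have no
#    SignInName, and assignments inherited from RG/subscription scope are left untouched.
$direct = Get-AzRoleAssignment -Scope $Scope |
    Where-Object { $_.RoleDefinitionName -eq $RoleName -and
                   $_.Scope -eq $Scope -and
                   -not [string]::IsNullOrEmpty($_.SignInName) }

if (-not $direct) { Write-Host "No direct '$RoleName' assignments at $Scope"; return }

# 2. Create the group once, reuse it on later runs (exact DisplayName match, not just prefix).
$group = Get-AzureADGroup -SearchString $GroupName | Where-Object DisplayName -eq $GroupName
if (-not $group) {
    if ($Apply) {
        $group = New-AzureADGroup -DisplayName $GroupName -MailEnabled $false -SecurityEnabled $true -MailNickName 'NotSet'
    } else {
        Write-Host "Would create group $GroupName"
    }
}

# 3. Add each current user to the group. -ObjectId accepts a UPN, so no fuzzy SearchString match.
foreach ($ra in $direct) {
    Write-Host "$($ra.SignInName) -> $GroupName"
    if ($Apply) {
        $user = Get-AzureADUser -ObjectId $ra.SignInName
        # already-a-member is not an error worth stopping for
        Add-AzureADGroupMember -ObjectId $group.ObjectId -RefObjectId $user.ObjectId -ErrorAction SilentlyContinue
    }
}

# 4. Assign the role to the group BEFORE removing anything, then 5. drop the direct assignments.
if ($Apply) {
    $existing = Get-AzRoleAssignment -ObjectId $group.ObjectId -Scope $Scope |
        Where-Object RoleDefinitionName -eq $RoleName
    if (-not $existing) {
        New-AzRoleAssignment -ObjectId $group.ObjectId -RoleDefinitionName $RoleName -Scope $Scope | Out-Null
    }
    $direct | Remove-AzRoleAssignment
} else {
    Write-Host "Would assign '$RoleName' to $GroupName at $Scope and remove $(@($direct).Count) direct assignment(s); re-run with -Apply"
}
```

Run it once without -Apply and compare the listed UPNs against Get-AzRoleAssignment output before committing to the change.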