I am working with a Teams app enterprise application. We are testing some permission related changes and require a fresh app load that does not have any permissions granted by the user or admin.
To revoke the user permissions inside Azure Portal: Enterprise Applications, selecting my app, then the "Permissions" tab/blade, click the "Review Permissions" button, select radio button "This application has more permissions than I want", copy the Powershell script (all of it, some of it is cropped out in the small input box), running the script gives the following error on the second line:
$sp = Get-AzureADServicePrincipal -ObjectId "17a19fcd-xxxx-yyyy-zzzz-7b1411390c01
Get-AzureADServicePrincipal : Error occurred while executing GetServicePrincipal
Code: Request_ResourceNotFound
Message: Resource '17a19fcd-xxxx-yyyy-zzzz-7b1411390c01' does not exist or one of its queried reference-property objects are not present.
RequestId: bfdcfd56-xxxx-yyyy-zzzz-fb16d4c796ef
DateTimeStamp: Wed, 06 Apr 2022 09:17:09 GMT
HttpStatusCode: NotFound
HttpStatusDescription: Not Found
HttpResponseStatus: Completed
At line:1 char:1
+ Get-AzureADServicePrincipal -ObjectId "17a19fcd-xxxx-yyyy-zzzz-7b1411390c01 ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Get-AzureADServicePrincipal], ApiException
+ FullyQualifiedErrorId : Microsoft.Open.AzureAD16.Client.ApiException,Microsoft.Open.AzureAD16.PowerShell.GetServicePrincipal
The reason for this was that I already ran the sript once before, on the second run, the ObjectId has changed, but Azure Portal doesn't tell you the correct one and just shows the old script with the old ObjectId.
To fix the script, get the new ObjectId:
Run Get-AzureADServicePrincipal -All $true
Copy out the output and search for your app, if the output is being cut out then increase the Screen buffer size in the PowerShell/CMD Properties.
Now use this new ObjectId in the second line: $sp = Get-AzureADServicePrincipal -ObjectId "NEW_ID-HERE-yyyy-zzzz-123abc123abc
Related
I am trying to run this powershell cmdlet :
Get-AzureRmDataLakeStoreChildItem -AccountName "xxxx" -Path "xxxxxx"
It fails with an access error. It does not really make sense because i have complete access to the ADLS account. I can browse in the Azure portal. It does not even work with a AzureRunAsConnection from an automation account. But it works perfectly for my colleague. What am i doing wrong?
Error :
Operation: LISTSTATUS failed with HttpStatus:Forbidden
RemoteException: AccessControlException LISTSTATUS failed with error
0x83090aa2 (Forbidden. ACL verification failed. Either the resource
does not exist or the user is not authorized to perform the requested
operation.).
[1f6e5d40-9be1-4682-84be-d538dfca0d19][2019-01-24T21:12:27.0252648-08:00]
JavaClassName: org.apache.hadoop.security.AccessControlException.
Last encountered exception thrown after 1 tries. [Forbidden (
AccessControlException LISTSTATUS failed with error 0x83090aa2
(Forbidden. ACL verification failed. Either the resource does not
exist or the user is not authorized to perform the requested
operation.).
I don't see any firewall restrictions :
I resolved the problem by providing read and execute access to all parent folders in the path. Since ADLS uses the POSIX standard, it does not inherit permissions from parent folders. So, even though the SPN(generated by the automation account) i was using had read/execute access to the specific folder i was interested in, it did not have access to other folders in that path.
What could be causing this banner error 'Save failed: undefined' for v2.1.1 in Chrome 68 and Firefox 62 on Ubuntu?
With a fresh/recent login with admin permissions, suddenly (versus a few days ago with same system) I cannot create a new document in a custom database or the _users database, or edit any existing documents, or create a new database, but I can view all documents. Creating a database never gives the normal subsequent 'Database created successfully' banner.
Our server was out of storage space. Rule #1, save a backup before doing any remedying operation.
I have various scripts which I used to run in a wrapper to allow me to handle things like checking I had a valid connection and to ask the user if the connection/subscription currently selected is the one they want to run the script on before running it etc.
The classic commands have Clear-AzureProfile which allows me to run it from a script and effectively break the connection so that it can't be used again without calling Add-AzureAccount.
With the RM cmdlets I can only find Login-AzureRmAccount but once I've logged in...how do I call logout?
There doesn't appear to be a Logout-AzureRMAccount or Remove-AzureRMAccount and Clear-AzureProfile has no effect.
I run a dev workstation and connect to several different client subscriptions so want to be able to destroy the connection rather than just calling another login over the top of it (if that login failed I would still have the old connection set up which is dangerous for me)
I've just logged this at: https://msdn.microsoft.com/en-us/library/mt619248.aspx as from the documentation it looks like the commands may be lacking
It appears the following works:
Set-AzureRmContext -Context ([Microsoft.Azure.Commands.Profile.Models.PSAzureContext]::new())
UPDATE: For new powershell Azure "az" module, please use
Connect-AzAccount
for login and
Disconnect-AzAccount
for logout.
> get-command -Module AzureRM.Profile
CommandType Name
----------- ----
Alias Login-AzureRmAccount
Alias Select-AzureRmSubscription
Cmdlet Add-AzureRmAccount
Cmdlet Add-AzureRmEnvironment
Cmdlet Disable-AzureRmDataCollection
Cmdlet Enable-AzureRmDataCollection
Cmdlet Get-AzureRmContext
Cmdlet Get-AzureRmEnvironment
Cmdlet Get-AzureRmSubscription
Cmdlet Get-AzureRmTenant
Cmdlet Remove-AzureRmEnvironment
Cmdlet Save-AzureRmProfile
Cmdlet Select-AzureRmProfile
Cmdlet Set-AzureRmContext
Cmdlet Set-AzureRmEnvironment
Note that Login-AzureRmAccount is an alias to Add-AzureRmAccount and there's no corresponding Remove.
Set-AzureRmContext might take a $null to clear the context, but I would be surprised if it doesn't instead just give an error.
Directly closing your PS session would do. The AzureRM.Profile module won't persist your profile until you tell it to do so with Save-AzureRmProfile.
In latest powershell version 1.0.1 MS hasn't provided any cmdlets which you are searching like Logout-AzureRMAccount or Remove-AzureRMAccount and Clear-AzureRMProfile.
In your case I would rather suggest a workaround for you.
Firstly close your PS window, delete your cahce and temp data.
Secondly, Delete your name from Azure AD and then Add it back. Download a new publishsetting file and start doing afresh. Once you re-add the name it will treat everything as new for you.
It's worth noting that you can always kick out an exception if the call to Login-AzureRmAccount fails to ensure your script doesn't continue with the old account:
Login-AzureRmAccount -ErrorAction Stop
The resulting dialog won't allow an invalid login. It will let you know if you're already logged in and give the choice to stay logged in with the current account or login with another, at which point the user still has to make some sort of conscious choice to proceed. If they choose to cancel out of the login dialog, the resulting exception will stop the script.
login-azurermaccount : authentication_canceled: User canceled authentication
At line:1 char:1
+ login-azurermaccount
+ ~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : CloseError: (:) [Add-AzureRmAccount], AadAuthenticationCanceledException
+ FullyQualifiedErrorId : Microsoft.Azure.Commands.Profile.AddAzureRMAccountCommand
I know this is an old question. But it looks like this has been updated with Remove-AzureAccount. You can read more about it here and Remove-AzureRMAccount found here.
AzureRM context used to be bound to a powershell session, so just closing the console was enough.
But it seems latest versions of the powershell module have changed that.
Using the latest version of the powershell module, if you login in one console, you will also be logged in all the other consoles.
And you can log off using the new cmdlet Logout-AzureRmAccount.
I am writing a small app using PowerShell in order for users to query and in some cases write to a DB. The connection is using a stored credential, which is encrypted in the code and then converted to a secure string. The connection works on my machine, but when opened by another user on their machine, the connection fails. I have tried variations of the following parameters for the $connectionString, which seems to be pointed at by many forums:
Integrated Security=$FALSE
Integrated Security=$TRUE;
Integrated ecurity=$SSPI;
Trusted_Connection=yes;
Trusted_Connection=no;
My question is whether or not this is possible, or if I am wasting my time and need to build a proxy service to handle these transactions. Thanks in advance.
Here is the errror:
Exception calling "Open" with "0" argument(s): "Login failed for user 'first.last#domain.com'."
At line:10 char:1
+ $connection.Open()
+ ~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId : SqlException
I created an SSIS package which is having ftp pull files from ftp server and save to my local drive but I'm getting this issue.
With same error message I was getting only warning but today the job fails.
Message:
Executed as user: cam\Package.Runner. Microsoft (R) SQL Server Execute Package Utility Version 10.0.4000.0 for 64-bit Copyright (C) Microsoft Corp 1984-2005. All rights reserved. Started: 10:00:00 AM Error: 2012-02-15 10:00:00.61 Code: 0xC0016016 Source: Description: Failed to decrypt protected XML node "DTS:Password" with error 0x8009000B "Key not valid for use in specified state.". You may not be authorized to access this information. This error occurs when there is a cryptographic error. Verify that the correct key is available. End Error Error: 2012-02-15 10:00:00.62 Code: 0xC0016016 Source: Description: Failed to decrypt protected XML node "DTS:Property" with error 0x8009000B "Key not valid for use in specified state.". You may not be authorized to access this information. This error occurs when there is a cryptographic error. Verify that the correct key is available. End Error Error: 2012-02-15 10:00:33.53 Code: 0xC0029183 Source: Principal Balance File FTP Get FTP Task Description: File represented by "/Concerto/Virtus_Reports/Concerto Principal Balance Report*.pdf" does not exist. End Error DTExec: The package execution returned DTSER_FAILURE (1). Started: 10:00:00 AM Finished: 10:00:33 AM Elapsed: 33.088 seconds. The package execution failed. The step failed.
You can fix this issue by setting the Protection Level property
Protection Level : DontSaveSensitive
With this property, the package will not be password protected, and another server can access and execute any job with other credentials.
While importing the package to SQL Server choose Protection Level:
Either
1- Don't save sensitive data.
Or
2- Rely on Server Storage and roles for access control.
Screenshot from SSIS Project Package Properties:
Please try save your package with the option "EncryptSensitiveWithPassword".
Step-1: Right click on your FTP connection manager, go to its Properties (the very bottom, not the Edit button),
and type in the password.
Step-2: Save your package with EncryptSensitiveWithPassword.
Step-3: Now edit the command ling in SQL job agent as below
/FILE "C:\Fullpath of SSIS pkg.dtsx" /DECRYPT password
Before Building and deploying the package, please be sure you've changed the property of the solution like this :
Run64BitRuntime = False
I got the same error message for FTP Connections. I think it was caused by me opening the Package while running BIDS under different credentials to those I created it with.
As a clunky workaround I deleted and re-created the FTP Connection. It worked fine afterwards.
Main part of your SSIS job error is
" 0xC0029183 Source: Principal Balance File FTP Get FTP Task Description: File represented by "/Concerto/Virtus_Reports/Concerto Principal Balance Report*.pdf" does not exist. End Error DTExec: The package execution returned DTSER_FAILURE (1). Started: 10:00:00 AM Finished: 10:00:33 AM Elapsed: 33.088 seconds. The package execution failed. "
It seems that you don't have pdf file on path you have configured in your SSIS package.
Please,check up path and pdf files for import.
Best regards,
Branislav
In case of FTP Connection, you can just create one Script Task before FTP task and set a password for that for example
ConnectionManager FTPConn;
FTPConn = Dts.Connections["FTP Connection Manager"];
FTPConn.Properties["ServerPassword"].SetValue(FTPConn,Dts.Variables["FtpPwd"].value);
and in case of OLE DB you can just add password in the connection string of OLEDB Connection.
This are the steps that worked for me.
copied the package to another folder (just to be safe)
Set the Protection Level to EncryptAllWithPassword and gave it a Password like 'Test'
changed the creator Name to another User that I created
Recreated the job
created a Proxy to run the job
Worked!!