SiegfriedHeintze-9929 asked ·

Problems with Powershell Script in 1-3-AnyOrgOrPersonal Tutorial


After fighting to get some tutorial examples from 9781484250396 working, I learned that most of the examples required that I check the ID tokens feature for Implicit grant flow.

So I'm abandoning tutorials in the above book and I'm hoping 1-3-AnyOrgOrPersonal will demonstrate some good techniques with regard to security and ID tokens.

As per the directions I execute these commands:

Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope Process -Force
cd .\AppCreationScripts\
.\Configure.ps1

I'm getting errors. Is there a bug in this PowerShell script?

Thanks

Siegfried

Notes:
I am having trouble posting all the error message text -- this web site aborts my posts if they get too long.

This could be related to how-to-restore-original-default-aad-directory.html.



PS C:\Users\shein\Source\Repos\MicrosoftAADGitHubExamples\VariousSignInEg\1-WebApp-OIDC\1-3-AnyOrgOrPersonal\AppCreationScripts> .\Configure.ps1
Import-Module : The specified module 'AzureAD' was not loaded because no valid module file was found in any module directory.
At C:\Users\shein\Source\Repos\MicrosoftAADGitHubExamples\VariousSignInEg\1-WebApp-OIDC\1-3-AnyOrgOrPersonal\AppCreationScripts\Configure.ps1:152 char:1
+ Import-Module AzureAD
+ ~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ResourceUnavailable: (AzureAD:String) [Import-Module], FileNotFoundException
+ FullyQualifiedErrorId : Modules_ModuleNotFound,Microsoft.PowerShell.Commands.ImportModuleCommand

Connect-AzureAD : The term 'Connect-AzureAD' is not recognized as the name of a cmdlet, function, script file, or operable
program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At C:\Users\shein\Source\Repos\MicrosoftAADGitHubExamples\VariousSignInEg\1-WebApp-OIDC\1-3-AnyOrgOrPersonal\AppCreationScripts\Configure.ps1:82 char:22
+ $creds = Connect-AzureAD -Credential $Credential
+ ~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (Connect-AzureAD:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException

Get-AzureADTenantDetail : The term 'Get-AzureADTenantDetail' is not recognized as the name of a cmdlet, function, script file,
or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At C:\Users\shein\Source\Repos\MicrosoftAADGitHubExamples\VariousSignInEg\1-WebApp-OIDC\1-3-AnyOrgOrPersonal\AppCreationScripts\Configure.ps1:95 char:15
+ $tenant = Get-AzureADTenantDetail
+ ~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (Get-AzureADTenantDetail:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException

Get-AzureADUser : The term 'Get-AzureADUser' is not recognized as the name of a cmdlet, function, script file, or operable
program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At C:\Users\shein\Source\Repos\MicrosoftAADGitHubExamples\VariousSignInEg\1-WebApp-OIDC\1-3-AnyOrgOrPersonal\AppCreationScripts\Configure.ps1:99 char:13
+ $user = Get-AzureADUser -ObjectId $creds.Account.Id
+ ~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (Get-AzureADUser:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException

Creating the AAD application (WebApp)
New-AzureADApplication : The term 'New-AzureADApplication' is not recognized as the name of a cmdlet, function, script file, or
operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At C:\Users\shein\Source\Repos\MicrosoftAADGitHubExamples\VariousSignInEg\1-WebApp-OIDC\1-3-AnyOrgOrPersonal\AppCreationScripts\Configure.ps1:103 char:28
+ $webAppAadApplication = New-AzureADApplication -DisplayName "WebAp ...
+ ~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (New-AzureADApplication:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException

New-AzureADServicePrincipal : The term 'New-AzureADServicePrincipal' is not recognized as the name of a cmdlet, function, script
file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try
again.
At C:\Users\shein\Source\Repos\MicrosoftAADGitHubExamples\VariousSignInEg\1-WebApp-OIDC\1-3-AnyOrgOrPersonal\AppCreationScripts\Configure.ps1:113 char:30
+ $webAppServicePrincipal = New-AzureADServicePrincipal -AppId $curr ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (New-AzureADServicePrincipal:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException

Get-AzureADApplicationOwner : The term 'Get-AzureADApplicationOwner' is not recognized as the name of a cmdlet, function, script
file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try
again.
At C:\Users\shein\Source\Repos\MicrosoftAADGitHubExamples\VariousSignInEg\1-WebApp-OIDC\1-3-AnyOrgOrPersonal\AppCreationScripts\Configure.ps1:116 char:13
+ $owner = Get-AzureADApplicationOwner -ObjectId $webAppAadApplicati ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (Get-AzureADApplicationOwner:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException

Add-AzureADApplicationOwner : The term 'Add-AzureADApplicationOwner' is not recognized as the name of a cmdlet, function, script
file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try
again.
At C:\Users\shein\Source\Repos\MicrosoftAADGitHubExamples\VariousSignInEg\1-WebApp-OIDC\1-3-AnyOrgOrPersonal\AppCreationScripts\Configure.ps1:119 char:9
+ Add-AzureADApplicationOwner -ObjectId $webAppAadApplication.O ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (Add-AzureADApplicationOwner:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException


azure-active-directory


DSPatrick answered ·

QnA currently supports the products listed in the right-hand pane (more to be added). Better to reach out to subject matter experts in the dedicated forums over here.


https://social.technet.microsoft.com/Forums/en-US/home?forum=winserverpowershell


(please don't forget to mark helpful replies as answer)


Regards, Dave Patrick ....
Microsoft Certified Professional
Microsoft MVP [Windows Server] Datacenter Management


Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.





SiegfriedHeintze-9929 answered ·

I'm a little surprised because it looks like an AAD problem to me.


Nevertheless, here is the new posting:

problems-with-powershell-script-in-1-3-anyorgorper.html



DSPatrick answered ·

Sounds good, you're welcome.

(please don't forget to mark helpful replies as answer)






soumi-MSFT answered ·

@SiegfriedHeintze-9929, looking at the errors it looks like the script is failing as the AzureAD PowerShell cmdlet is missing on your machine.

You can try installing this module using the following steps:

  1. Install the PS module: install-module AzureAD

  2. Connect to the AzureAD module: connect-AzureAD

Ideally this should get the script going. I have personally tried that script out and it worked for me.

In case the install-module cmdlet fails by any chance, try the following:

  1. import-module AzureAD

  2. get-module -name AzureAD

  3. install-module AzureAD

Hope this helps. Do let us know if this helps and if there are any more queries around this, please do let us know so that we can help you further. Also, please do not forget to accept the response as "Answer" if the above response helped in answering your query.






SiegfriedHeintze-9929 answered ·

Since I was worried that I might have forgotten my password, I logged out of hotmail and logged back in again and confirmed that I had not forgotten my password.

I finally got connect-AzureAD to work in elevated mode.

I believe I have restored the default directory as mentioned previously so this should not be causing any problem...
I have typed in all of Soumi's commands and I still get the same errors when I run ".\Configure.ps1", and I have carefully typed in my MSA credentials (which work with hotmail) several times now.

I tried to pick the simplest tutorial I could to demonstrate authentication with C# and my MSA. This example also does the "work or school feature" (is this also known as B2B?) and I'm not terribly interested in the "work or school feature" (yet).

Could the problem be that I need a premium Azure account for this "work or school" feature? If this is the problem, could someone recommend another minimal example that demonstrates authentication with a C#/.NET Core web app for an MSA (like my hotmail account)? After I get authentication with an MSA working, I'd like to try a tutorial that demonstrates giving the user a choice of MSA or google/facebook/github (I think this is B2C).


Here are the errors from ".\Configure.ps1" after typing Soumi's commands:


Get-AzureADTenantDetail : Error occurred while executing GetTenantDetails
Code: Authentication_Unauthorized
Message: User was not found.
RequestId: 18d9126c-2a19-4610-9fc1-03ffcd493935
DateTimeStamp: Tue, 12 May 2020 20:37:01 GMT
HttpStatusCode: Forbidden
HttpStatusDescription: Forbidden
HttpResponseStatus: Completed
At C:\Users\shein\Source\Repos\MicrosoftAADGitHubExamples\VariousSignInEg\1-WebApp-OIDC\1-3-AnyOrgOrPersonal\AppCreationScripts\Configure.ps1:95 char:15
+ $tenant = Get-AzureADTenantDetail
+ ~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Get-AzureADTenantDetail], ApiException
+ FullyQualifiedErrorId : Microsoft.Open.AzureAD16.Client.ApiException,Microsoft.Open.AzureAD16.PowerShell.GetTenantDetails

Get-AzureADUser : Error occurred while executing GetUser
Code: Authentication_Unauthorized
Message: User was not found.
RequestId: b7a6b8d7-a6f6-46a2-a4ea-d0b3eeaf728e
DateTimeStamp: Tue, 12 May 2020 20:37:01 GMT
HttpStatusCode: Forbidden
HttpStatusDescription: Forbidden
HttpResponseStatus: Completed
At C:\Users\shein\Source\Repos\MicrosoftAADGitHubExamples\VariousSignInEg\1-WebApp-OIDC\1-3-AnyOrgOrPersonal\AppCreationScripts\Configure.ps1:99 char:13
+ $user = Get-AzureADUser -ObjectId $creds.Account.Id
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Get-AzureADUser], ApiException
+ FullyQualifiedErrorId : Microsoft.Open.AzureAD16.Client.ApiException,Microsoft.Open.AzureAD16.PowerShell.GetUser

Creating the AAD application (WebApp)
New-AzureADApplication : Error occurred while executing NewApplication
Code: Authentication_Unauthorized
Message: User was not found.
RequestId: be328ca7-8009-4589-befa-a895286123a1
DateTimeStamp: Tue, 12 May 2020 20:37:02 GMT
HttpStatusCode: Forbidden
HttpStatusDescription: Forbidden
HttpResponseStatus: Completed
At C:\Users\shein\Source\Repos\MicrosoftAADGitHubExamples\VariousSignInEg\1-WebApp-OIDC\1-3-AnyOrgOrPersonal\AppCreationScripts\Configure.ps1:103 char:28
+ ... webAppAadApplication = New-AzureADApplication -DisplayName "WebApp" `
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [New-AzureADApplication], ApiException
+ FullyQualifiedErrorId : Microsoft.Open.AzureAD16.Client.ApiException,Microsoft.Open.AzureAD16.PowerShell.NewApplication

Get-AzureADApplicationOwner : Cannot bind argument to parameter 'ObjectId' because it is null.
At C:\Users\shein\Source\Repos\MicrosoftAADGitHubExamples\VariousSignInEg\1-WebApp-OIDC\1-3-AnyOrgOrPersonal\AppCreationScripts\Configure.ps1:116 char:51
+ ... Get-AzureADApplicationOwner -ObjectId $webAppAadApplication.ObjectId
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidData: (:) [Get-AzureADApplicationOwner], ParameterBindingValidationException
+ FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,Microsoft.Open.AzureAD16.PowerShell.GetApplicationOwners

Add-AzureADApplicationOwner : Cannot bind argument to parameter 'ObjectId' because it is null.
At C:\Users\shein\Source\Repos\MicrosoftAADGitHubExamples\VariousSignInEg\1-WebApp-OIDC\1-3-AnyOrgOrPersonal\AppCreationScripts\Configure.ps1:119 char:47
+ ... reADApplicationOwner -ObjectId $webAppAadApplication.ObjectId -RefObj ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidData: (:) [Add-AzureADApplicationOwner], ParameterBindingValidationException
+ FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,Microsoft.Open.AzureAD16.PowerShell.AddApplicationOwner


SiegfriedHeintze-9929 answered ·

I see it gives me the options of using my github account. Here are the results:

When I tried using my github account, I got slightly different errors:

Connect-AzureAD : One or more errors occurred.: AADSTS90123: The token can't be issued because the identity or claim issuance provider denied the request. Response code: access_denied.
Trace ID: f52dec09-4bdf-49cc-b048-dc2606eb2800
Correlation ID: cdb9f696-2eae-4184-874b-495f46116ba9
Timestamp: 2020-05-13 17:39:27Z
At C:\Users\shein\Source\Repos\MicrosoftAADGitHubExamples\VariousSignInEg\1-WebApp-OIDC\1-3-AnyOrgOrPersonal\AppCreationScripts\Configure.ps1:82 char:22
+ $creds = Connect-AzureAD -Credential $Credential
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : AuthenticationError: (:) [Connect-AzureAD], AadAuthenticationFailedException
+ FullyQualifiedErrorId : Connect-AzureAD,Microsoft.Open.Azure.AD.CommonLibrary.ConnectAzureAD


SiegfriedHeintze-9929 answered ·

See the parallel thread here: problems-with-powershell-script-in-13anyorgorpersonal-tutorial where Rich suggested I use another account (which is strange because I only had one account and I assumed it was all powerful).

When I created a global admin account, I was able to log in and the configure.ps1 script appears to have worked.

Someone should update the tutorials with this information.


1 comment

@SiegfriedHeintze-9929, Sure, we are taking this feedback and would be updating the document soon.
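As an added example, not from the tutorial and not posted by anyone in this thread: a PowerShell pre-flight script that carries out Soumi's install steps and then checks, before .\Configure.ps1 is run, whether the signed-in account actually resolves in the tenant, which is the condition behind the later "Authentication_Unauthorized / User was not found" errors that only went away once a global admin account in the tenant was used. The -TenantId parameter and the summary object are my own additions; the Get-AzureADUser lookup mirrors what Configure.ps1 does at line 99.

```powershell
# Pre-flight check for the AppCreationScripts\Configure.ps1 in this thread (added example).
# Run from a normal (non-elevated) PowerShell window with the same account you will use
# for Configure.ps1. The -TenantId parameter is an addition for people who are members of
# more than one tenant; leave it out to use the account's home tenant.
[CmdletBinding()]
param(
    [string]$TenantId
)

$ErrorActionPreference = 'Stop'

# 1. Module present? This is what the first run above lacked (Modules_ModuleNotFound).
#    Installing with -Scope CurrentUser avoids needing an elevated prompt.
if (-not (Get-Module -ListAvailable -Name AzureAD)) {
    Write-Host 'AzureAD module not found; installing from PSGallery for the current user...'
    Install-Module -Name AzureAD -Scope CurrentUser -Force
}
Import-Module AzureAD

# 2. Interactive sign-in. The session object exposes Account.Id, TenantId and TenantDomain.
$connectArgs = @{}
if ($TenantId) { $connectArgs['TenantId'] = $TenantId }
$session = Connect-AzureAD @connectArgs

# 3. Does the directory know this account? Configure.ps1 performs this same lookup and
#    fails with "User was not found" when the signed-in identity (e.g. a personal MSA)
#    is not a user object in the tenant it connected to.
try {
    $user = Get-AzureADUser -ObjectId $session.Account.Id
} catch {
    throw ("Signed in as '{0}', but that account does not resolve in tenant '{1}'. " +
           "Sign in with a user that exists in the tenant (the thread ended up creating " +
           "a global admin account for this).") -f $session.Account.Id, $session.TenantId
}

# 4. Summarise the identity Configure.ps1 will run as. Guest users (UserType 'Guest')
#    usually cannot create app registrations, so surface that before the script runs.
[pscustomobject]@{
    Tenant     = $session.TenantDomain
    TenantId   = $session.TenantId
    User       = $user.UserPrincipalName
    UserType   = $user.UserType
    ReadyToRun = ($user.UserType -eq 'Member')
}
```

If ReadyToRun is False, fix the account before touching Configure.ps1; the script's later ObjectId-is-null errors are just fallout from the failed New-AzureADApplication call.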
