Month: March 2015

Azure AD – PowerShell Script to Change UPN of All Users in a Group


Imagine that users in a domain have a UPN suffix that is not a public domain, such as @company.local instead of @company.com.  When those users synchronize into Azure AD for EMS, Intune, O365, etc., their UPNs will be @company.onmicrosoft.com instead of a friendly @company.com UPN for logging into portals or enrolling devices.

This is a situation that recently came up for a customer.  There are plenty of PowerShell examples around for changing the UPN of users in Azure AD.  However, this customer wanted to change only the users that were members of a specific AD group, rather than the entire organization.

The following PowerShell script does exactly that.  But please use extreme caution and thoroughly test the script first, as well as the impact on those users and on the Microsoft cloud technologies they use.  There are high risks and many possible negative side effects.  Use this script at your own risk.


# This script will change the UPN for the user members of an AD group.
# Requires the MSOnline module and an existing session (Connect-MsolService).
$AdGrp = "EMS_Users"
$oldSuffix = "@company.onmicrosoft.com"
$newSuffix = "@company.com"

# Get the AD group in Azure
$AzAdGrp = Get-MsolGroup -All | Where-Object { $_.DisplayName -eq $AdGrp }
if (-not $AzAdGrp) { throw "Group '$AdGrp' was not found in Azure AD" }
$AzAdGrp_members = Get-MsolGroupMember -All -GroupObjectId $AzAdGrp.ObjectId
Write-Host "Total members of group: " $AzAdGrp_members.Count

# Create array of users to change
# Example command to test only a portion of the users in the group:
$users = Get-MsolGroupMember -All -GroupObjectId $AzAdGrp.ObjectId | Get-MsolUser | Where-Object { $_.UserPrincipalName -like "*john.doe*" }
# Command to run for all users in the group:
# $users = Get-MsolGroupMember -All -GroupObjectId $AzAdGrp.ObjectId | Get-MsolUser

# Change UPN of users
$users | ForEach-Object {
    # Only touch users that actually carry the old suffix. String.Replace() is
    # case-sensitive, so match with -like (case-insensitive) and rebuild the UPN
    # from the prefix instead of relying on a text replacement.
    if ($_.UserPrincipalName -notlike "*$oldSuffix") {
        Write-Host "Skipped (suffix does not match): " $_.UserPrincipalName
        return
    }
    $newUpn = $_.UserPrincipalName.Substring(0, $_.UserPrincipalName.Length - $oldSuffix.Length) + $newSuffix
    Set-MsolUserPrincipalName -NewUserPrincipalName $newUpn -UserPrincipalName $_.UserPrincipalName
    Write-Host "New UPN assigned: " $newUpn
}
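Before running the script above against a whole group, a dry run that lists every planned rename, confirms the new suffix is a verified domain in the tenant, and flags UPNs that already exist is the check most admins will want. This is an added example, not part of the original post; it assumes an MSOnline session (Connect-MsolService), the same group and suffix values as the script, and writes its plan to a CSV path of my choosing.

```powershell
# Added example: dry run of the UPN change, makes no modifications.
$AdGrp     = "EMS_Users"
$oldSuffix = "@company.onmicrosoft.com"
$newSuffix = "@company.com"

# 1. The target suffix must be a verified domain, or Set-MsolUserPrincipalName will fail
$verified = Get-MsolDomain -Status Verified | Select-Object -ExpandProperty Name
if ($verified -notcontains $newSuffix.TrimStart('@')) {
    throw "$newSuffix is not a verified domain in this tenant"
}

# 2. Build the planned change set without touching any object
$grp = Get-MsolGroup -All | Where-Object { $_.DisplayName -eq $AdGrp }
if (-not $grp) { throw "Group '$AdGrp' was not found in Azure AD" }
$users = Get-MsolGroupMember -All -GroupObjectId $grp.ObjectId | Get-MsolUser

$plan = foreach ($u in $users) {
    $upn = $u.UserPrincipalName
    if ($upn -notlike "*$oldSuffix") {
        # Leave users that do not carry the old suffix alone and say so
        [pscustomobject]@{ Current = $upn; Planned = $null; Status = "Skip: suffix differs" }
        continue
    }
    $new = $upn.Substring(0, $upn.Length - $oldSuffix.Length) + $newSuffix
    # A UPN already in use by another object would make the rename fail
    $clash  = Get-MsolUser -UserPrincipalName $new -ErrorAction SilentlyContinue
    $status = if ($clash) { "Conflict: $new already exists" } else { "Ready" }
    [pscustomobject]@{ Current = $upn; Planned = $new; Status = $status }
}

# 3. Show the plan and keep a copy; the CSV doubles as a rollback record (assumed path)
$plan | Format-Table -AutoSize
$plan | Export-Csv -Path ".\upn-change-plan.csv" -NoTypeInformation
"{0} ready, {1} skipped or conflicting" -f @($plan | Where-Object Status -eq "Ready").Count,
                                            @($plan | Where-Object Status -ne "Ready").Count
```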


Azure AD DS Sync Account Permissions – Replicating Directory Changes


Microsoft has a decent outline for getting started with setup of the Azure AD Sync tool.  One of the prerequisites is to prepare the AD account used for password synchronization by granting it the “Replicating Directory Changes” and “Replicating Directory Changes All” permissions.  This blog post serves as a quick guide on how to configure that.

1.  Within ADUC, right-click on the domain and select Delegate Control

[screenshot: azuresync1]

2.  Click Next

[screenshot: azuresync2]

3.  Add the AD service account that will be used

[screenshot: azuresync3]

4.  Select to create a custom task delegation

[screenshot: azuresync4]

5.  Select to delegate to This folder…

[screenshot: azuresync5]

6.  Scroll through the list and find both “Replicating Directory Changes” and “Replicating Directory Changes All”

[screenshot: azuresync6]

7.  Finally, complete the wizard

[screenshot: azuresync7]
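Once the wizard finishes, it is worth confirming the delegation actually landed and seeing who else holds these two rights, since they allow reading every attribute of every object, including password hashes. This is an added example, not from the original post; it assumes the RSAT ActiveDirectory module on the machine and a sample account name of my choosing.

```powershell
# Added example: audit the domain-root ACL for the two replication extended rights.
Import-Module ActiveDirectory

$syncAccount = "COMPANY\svc_aadsync"   # assumed sample account name, replace with yours

# Well-known extended-right GUIDs behind the two wizard entries
$rights = @{
    "Replicating Directory Changes"     = [guid]"1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
    "Replicating Directory Changes All" = [guid]"1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
}

$domainDn = (Get-ADDomain).DistinguishedName
$acl = Get-Acl -Path "AD:\$domainDn"

# Keep only Allow ACEs that carry ExtendedRight for one of the two GUIDs.
# (An ACE granting GenericAll on the root also confers them but has no ObjectType; not listed here.)
$replAces = $acl.Access | Where-Object {
    $_.AccessControlType -eq "Allow" -and
    ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
    $rights.Values -contains $_.ObjectType
}

# Verify the sync account holds both rights
foreach ($name in $rights.Keys) {
    $has = $replAces | Where-Object {
        $_.ObjectType -eq $rights[$name] -and $_.IdentityReference.Value -eq $syncAccount
    }
    if ($has) { Write-Host "OK      : $syncAccount has '$name'" }
    else      { Write-Warning "MISSING : $syncAccount lacks '$name'" }
}

# List every principal holding these rights so unexpected grants stand out
Write-Host "`nPrincipals with replication rights on $domainDn :"
$replAces |
    Select-Object @{ n = "Principal"; e = { $_.IdentityReference.Value } },
                  @{ n = "Right";     e = { $g = $_.ObjectType
                                            ($rights.GetEnumerator() | Where-Object { $_.Value -eq $g }).Key } } |
    Sort-Object Principal, Right -Unique |
    Format-Table -AutoSize
```

Beyond the sync account you should expect only built-in identities such as Domain Controllers, Enterprise Domain Controllers, Administrators and Enterprise Admins in the list.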

Azure AD Setup – Sync Service Account – Login Failure


When setting up Azure AD synchronization tools, such as Azure AD Connect, there is the option to specify an on-premises AD user/service account to be used for the local sync authentication.  During the setup wizard, you may encounter the error “Logon failure: the user has not been granted the required logon type at this computer” (image below).

[screenshot: azuresynclogon0]

This error can occur if you’re installing the Azure AD sync tools on a domain controller (DC) and the service account cannot log on to the DC.  In most cases, logon rights on DCs are limited to domain administrators.  And if you’re following the best practices for Azure AD sync, the service account is a low-rights domain user, not an administrator.

Fortunately, the fix is quite simple.  To add logon rights, add the service account to the Default Domain Controllers group policy.  The appropriate setting is Computer Configuration >> Policies >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment; add the account to the “Allow log on locally” policy.

[screenshot: azuresynclogon1]

After performing a gpupdate on the domain controller, you’ll be able to click the install button and get on your way!

[screenshot: azuresynclogon2]
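If the wizard still fails after gpupdate, the quickest check is to read the effective user rights on the DC itself rather than the GPO, because a conflicting GPO with higher precedence wins. This is an added example, not from the original post; it assumes a sample account name of my choosing and is run elevated on the domain controller.

```powershell
# Added example: confirm the service account is in the effective "Allow log on locally" right
# (SeInteractiveLogonRight) on this domain controller.
$svc = "COMPANY\svc_aadsync"   # assumed sample account name, replace with yours

# secedit lists SIDs with a leading '*', so resolve the account to its SID as well
$sid = (New-Object System.Security.Principal.NTAccount($svc)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

# Export only the User Rights area of the effective local security policy
$cfg = Join-Path $env:TEMP "secpol-userrights.inf"
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$line = Get-Content $cfg | Where-Object { $_ -like "SeInteractiveLogonRight*" }
Remove-Item $cfg -ErrorAction SilentlyContinue

# Right-hand side is a comma-separated list of *SID or account names
$holders = @()
if ($line) {
    $holders = ($line -split "=", 2)[1] -split "," | ForEach-Object { $_.Trim() }
}

if ($holders -contains "*$sid" -or $holders -contains $svc) {
    Write-Host "OK      : $svc has 'Allow log on locally' on $env:COMPUTERNAME"
} else {
    Write-Warning "MISSING : $svc is not in 'Allow log on locally' on $env:COMPUTERNAME"
    Write-Host "Current holders:"; $holders
}
```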

Azure AD Global Admin – No Subscriptions Found


If you’ve assigned a new user as a global admin in Azure AD, you may still receive the message “No Subscriptions Found” when logging into https://manage.windowsazure.com/ with that user.

[screenshot: azure_ad_no_script_found]

To correct this problem, add the user as a subscription administrator.  In Azure AD, navigate to Settings > Administrators, then click Add+ at the bottom.

[screenshot: azure_ad_subscription_admin]

App-V 5.0 – get .appv package file


If you are using a standalone App-V 5.0 infrastructure, run the following SQL query against your AppVManagement database to retrieve the list of packages and their corresponding .appv file paths.


-- List each package version with the path of its .appv file
SELECT Name, PackageURL
FROM dbo.PackageVersions
ORDER BY Name

[screenshot: AppV5-packageversions]