Authentication_Unauthorized while fetching list of applications in AAD - azure-ad-powershell-v2

I am trying to get list of applications registered in AAD via PowerShell.
I got into my tenant successfully using Connect-AzureAD. But when I run Get-AzureADApplication, I get an error like the one below:
Get-AzureADApplication : Error occurred while executing GetApplications
Code: Authentication_Unauthorized
Message: User was not found.
RequestId: 28b83872-c29b-423a-9870-ed2ad714f597
DateTimeStamp: Sat, 25 Jun 2022 1:35:23 GMT
HttpStatusCode: Forbidden
HttpStatusDescription: Forbidden
HttpResponseStatus: Completed
At line:1 char:1
+ Get-AzureADApplication
+ ~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Get-AzureADApplication], ApiException
+ FullyQualifiedErrorId : Microsoft.Open.AzureAD16.Client.ApiException,Microsoft.Open.AzureAD16.PowerShell.GetApplication
What does the "User was not found" message mean?
I have the Global Admin role, and I also tried elevating my access, which gives me access to everything. But I'm still facing the same error.
Can anyone help me figure out what I am missing here?

The error 'User not found' usually occurs if you are trying to retrieve information about one tenant while connected to the wrong (different) tenant or to a tenant that does not exist.
Please check the TenantDomain you are getting in the response when executing the Connect-AzureAD cmdlet.
I tried to reproduce the same in my environment and got the results below:
When I ran the Connect-AzureAD cmdlet and logged in with a personal Microsoft account, I got a blank under TenantDomain, which means it does not exist.
I got the same error when I executed Get-AzureADApplication after that, like below:
To resolve the error, try running Connect-AzAccount first and include the TenantId that you got in the response when executing the Connect-AzureAD cmdlet, like below:
Connect-AzAccount
Connect-AzureAD -TenantId 'your_tenant_id'
Get-AzureADApplication
I got the list of Azure AD applications successfully after running above script like below:
Reference:
powershell - Authentication_Unauthorized, User Not Found - answered by JoyWang
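
The tenant check described in this answer, as an added example that is not part of the original answer: it connects to an explicit tenant, confirms that the session's TenantDomain is populated and that the TenantId matches, and only then lists applications. Get-AppsFromVerifiedTenant is a hypothetical helper name and the tenant ID is a placeholder.

```powershell
# Added example, not from the original answer. Requires the AzureAD module.
# Get-AppsFromVerifiedTenant is a hypothetical helper name.
function Get-AppsFromVerifiedTenant {
    param(
        # The directory (tenant) ID you intend to query.
        [Parameter(Mandatory)] [string] $TenantId
    )

    # Sign in against the intended tenant instead of the account's default one.
    Connect-AzureAD -TenantId $TenantId | Out-Null

    # Read back what the session is actually bound to.
    $session = Get-AzureADCurrentSessionInfo

    # A blank TenantDomain is the symptom described above (for example, a
    # personal Microsoft account signed in without a backing directory).
    if ([string]::IsNullOrWhiteSpace($session.TenantDomain)) {
        throw "Session for $($session.Account) has no TenantDomain; wrong account or tenant."
    }

    # Refuse to continue if the session landed in a different tenant.
    if ([string]$session.TenantId -ne $TenantId) {
        throw "Connected to tenant $($session.TenantId), expected $TenantId."
    }

    try {
        Get-AzureADApplication -All $true -ErrorAction Stop |
            Select-Object DisplayName, AppId, ObjectId
    }
    catch {
        # Re-raise the directory error (e.g. Authentication_Unauthorized) with tenant context.
        throw "Get-AzureADApplication failed in tenant $($session.TenantDomain): $($_.Exception.Message)"
    }
}

# Placeholder tenant ID; replace with your own.
Get-AppsFromVerifiedTenant -TenantId '00000000-0000-0000-0000-000000000000'
```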

Related

Powershell curl to an URL throws WebCmdletWebResponseException

I'm trying to access/download a file from our URL. This URL basically downloads a file from an S3 bucket (reverse proxy via nginx). We are using AWS ACM for SSL certificates.
When I try to download the file using that URL on the Windows16 instance, it throws WebCmdletWebResponseException. Below is the detailed error message.
curl : The underlying connection was closed: An unexpected error occurred on a send.
At line:1 char:1
+ CategoryInfo : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-WebRequest], WebException
+ FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeWebRequestCommand
Findings:
The same URL works fine with windows 19 and 22 editions.
Through other blogs and posts, I found that the issue is that PowerShell by default uses TLS 1.0 to connect to the website, but the website's security requires TLS 1.2.
But if I try to use the S3 URL directly to download the file, it works fine. Both the S3 URL and our URL certificate have TLS 1.2.
Can someone please help to solve this issue?
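
A diagnostic for the TLS finding above, as an added example that is not part of the original post: it attempts a handshake with each protocol version to see which ones the endpoint accepts from this machine, then adds TLS 1.2 to the protocols the current session offers. Test-TlsProtocol is a hypothetical helper name and files.example.com is a placeholder host.

```powershell
# Added example, not from the original post.
# Test-TlsProtocol is a hypothetical helper; the host name below is a placeholder.
function Test-TlsProtocol {
    param(
        [Parameter(Mandatory)] [string] $HostName,
        [int] $Port = 443
    )
    foreach ($name in 'Tls', 'Tls11', 'Tls12') {
        $protocol = [System.Security.Authentication.SslProtocols]::$name
        $client = [System.Net.Sockets.TcpClient]::new()
        $ssl = $null
        try {
            $client.Connect($HostName, $Port)
            $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false)
            # Offer exactly one protocol version; no client certificate, no revocation check.
            $ssl.AuthenticateAsClient($HostName, $null, $protocol, $false)
            [pscustomobject]@{ Protocol = $name; Accepted = $true; Detail = $ssl.CipherAlgorithm }
        }
        catch {
            # A failure can also mean the protocol is disabled on this client, not only on the server.
            [pscustomobject]@{ Protocol = $name; Accepted = $false; Detail = $_.Exception.GetBaseException().Message }
        }
        finally {
            if ($ssl) { $ssl.Dispose() }
            $client.Close()
        }
    }
}

# Which protocol versions does the proxy accept from this machine?
Test-TlsProtocol -HostName 'files.example.com' | Format-Table -AutoSize

# Which protocols does this PowerShell session offer for Invoke-WebRequest (alias: curl)?
[Net.ServicePointManager]::SecurityProtocol

# Add TLS 1.2 to the session without removing what is already enabled.
[Net.ServicePointManager]::SecurityProtocol =
    [Net.ServicePointManager]::SecurityProtocol -bor [Net.SecurityProtocolType]::Tls12
```

The SecurityProtocol change applies only to the current PowerShell process, so it has to be set again in each new session or at the top of the script.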

Connecting Workflow Manager with SharePoint 2019 error

Current configuration:
1 SharePoint 2019 farm (single server installation)
3 Workflow Manager Servers
Workflow Manager servers are load balanced
Workflow Manager is set to work only on https
Workflow Manager SSL certificate with DNS=*.domain.com & all 3 server names
Required permissions are in place
URLs (SharePoint web application/site and wfm) are accessible both ways
Running with farm admin account:
Register-SPWorkflowService -SPSite "https://siteurl" -WorkflowHostUri "https://wfmurl:12290/" -Force -Verbose
Throws the following error:
Register-SPWorkflowService : Failed to query the OAuth S2S metadata endpoint at URI 'https://webappurl/_layouts/15/metadata/json/1'. Error details: 'There was an error deserializing
the object of type Microsoft.Workflow.Management.Security.OAuthS2SJsonMetadataDocument+JsonMetadataDocumentContract. Encountered unexpected character '<'.'. HTTP headers received from the server -
ActivityId: 6de1c881-b1ca-411d-9004-ceea397d4453. NodeId: SERVERNAME. Scope: /DEV. Client ActivityId : bdeb429f-7bb1-e0c1-d7d1-f868a175396b.
At line:1 char:1
+ Register-SPWorkflowService -SPSite https://webappurl ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidData: (Microsoft.Share...WorkflowService:RegisterSPWorkflowService) [Register-SPWorkflowService], InvalidRequestException
+ FullyQualifiedErrorId : Microsoft.SharePoint.WorkflowServices.PowerShell.RegisterSPWorkflowService
Any input is appreciated.
It's related to the state after installing the April 2020 CU, KB 4484292 and KB 4484291.
After a call with an MS premier field engineer, it was resolved as described at http://thewindowsupdate.com/2020/06/04/sharepoint-2019-issue-with-sharepoint-2013-workflows-post-april-2020-cu/
You need to remove the existing SPTrustedSecurityTokenIssuer and then register it like below:
Remove-SPTrustedSecurityTokenIssuer -Identity 9854855e-cea8-457f-8293-e405d4055ffb
(id from Get-SPTrustedSecurityTokenIssuer collection)
New-SPTrustedSecurityTokenIssuer -Name "00000005-0000-0000-c000-000000000000" -MetadataEndPoint 'http://server:12291/$System/$Metadata/json/1' -RegisteredIssuerName "00000005-0000-0000-c000-000000000000#*"
or
New-SPTrustedSecurityTokenIssuer -Name "00000005-0000-0000-c000-000000000000" -MetadataEndPoint 'https://server:12290/$System/$Metadata/json/1' -RegisteredIssuerName "00000005-0000-0000-c000-000000000000#*"
PS: there is no concern with Remove-SPTrustedSecurityTokenIssuer; it's easy to go. Thanks!
In the end, it looked like there were some issues with the F5 load balancing. As a test, we added the URL of the WFM to the hosts file, and the connection worked fine afterwards. This was then handed over to the team that managed the F5, and they resolved the issue on their end.

WMI query generic failure when accessing MDM_VPNv2_01 class

I am trying to set up auto VPN on a Windows 10 laptop and created a PowerShell script as suggested in https://learn.microsoft.com/en-us/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/vpn-deploy-client-vpn-connections. I am using the same script to set up the VPN.
The profile creation works fine, but when I run the script again, deletion of the profile fails. I debugged the problem and found out that EnumerateInstances on the MDM_VPNv2_01 class in the root\cimv2\mdm\dmmap namespace is failing. It fails with the following error string - "A general error occurred that is not covered by a more specific error code..".
On doing some more exploration, I found out that I need to execute the following WMI query to get the instances of the MDM_VPNv2_01 class; that too returns a Generic Failure (please note I had a VPN adapter created on the laptop when I executed this query):
PS C:\> Get-WmiObject -Namespace root\cimv2\mdm\dmmap -Class MDM_VPNv2_01
Get-WmiObject : Generic failure
At line:1 char:1
+ Get-WmiObject -Namespace root\cimv2\mdm\dmmap -Class MDM_VPNv2_01
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [Get-WmiObject], ManagementException
+ FullyQualifiedErrorId : GetWMIManagementException,Microsoft.PowerShell.Commands.GetWmiObjectCommand
I tried several options like running this query in WMI-explorer, recompiling the MOF for this particular provider etc., but nothing helped. I ran WMIDiag on my machine which gives following message for the MDM_VPNv2_01 class:
.9847 17:26:21 (3) 1 static instance(s) found for '__SystemSecurity' in 'ROOT/CIMV2/MDM/DMMAP'in 0 second(s).
.9848 17:26:21 (3) Retrieving static information (MOF) of 'MDM_VPNv2_01' (I=1).
.9849 17:26:21 (3) Qualifier information of 'MDM_VPNv2_01': Dynamic=True, Provider='DMWmiBridgeProv', Association=False.
.9850 17:26:21 (3) Dynamic 'MDM_VPNv2_01' class in 'ROOT/CIMV2/MDM/DMMAP' is supported by WMI provider 'DMWmiBridgeProv'.
.9851 17:26:21 (3) Skipping request of dynamic instances of 'MDM_VPNv2_01' in 'ROOT/CIMV2/MDM/DMMAP' because:
.9852 17:26:21 (3) - Request all dynamic instances is set to FALSE.
Please note that the same script works fine on other laptops. It is worth mentioning here that I am running this script with a local user account that has administrator privileges.
I could not find any helpful information related to this problem on the Internet. It would really be a great help if someone could suggest a possible solution for this problem.
I enabled WMI activity debug and observed the following error log on running the query to get MDM_VPNv2_01 class instances:
Log Name: Microsoft-Windows-WMI-Activity/Debug
Source: Microsoft-Windows-WMI-Activity
Date: 20-09-2018 19:38:41
Event ID: 101
Task Category: None
Level: Error
Keywords:
User: INCT-ARUN\akoshal
Computer: INCT-Arun
Description:
ComponentName = WMI_ADAPTER; ErrorId = 0x1; ErrorDetail = WMIContext::PostResultToServer, provider completed the operation with context (00000211E4C517A0). Failed with MIRESULT (1).; FileName = onecore\admin\wmi\wmiv2\tools\adapter\wmicontext.cpp:945

Remove-TeamUser command from Powershell module for teams throwing an error

The following command throws an error while removing an owner from Microsoft Teams.
Remove-TeamUser -GroupId 7ad89f19-1c20-4f51-a520-1228002ac93d -User Megan.ryn.admin#xxx.onmicrosoft.com
ERROR:
Remove-TeamUser : Error occurred while executing Remove-TeamUser
Code: Request_ResourceNotFound
Message: Resource '7ad89f19-1c20-4f51-a520-1228002ac93d' does not exist or one of its queried reference-property
objects are not present.
InnerError:
RequestId: 7676f32b-2ed3-49fc-8013-69ea4a63b97b
DateTimeStamp: 2018-08-20T11:29:26
HttpStatusCode: Request_ResourceNotFound
At line:1 char:1
+ Remove-TeamUser -GroupId 7ad89f19-1c20-4f51-a520-1228002ac93d -User ...
+ CategoryInfo : NotSpecified: (:) [Remove-TeamUser], ApiException
+ FullyQualifiedErrorId : Microsoft.TeamsCmdlets.PowerShell.Custom.ErrorHandling.ApiException,Microsoft.TeamsCmdlets.PowerShell.Custom.RemoveTeamUser
Strangely, it's the Teams GUID which the command reports as not being able to find. I can confirm that further operations on adding new users to this team via PowerShell work fine.
Some background
The team was provisioned via C# using Graph api. The user in question is the admin account under which the C# application was running.
I can confirm that the user Meganryn.admin has sufficient permissions
thanks
a
You need the user ID, not the user. Try...
$megryn = Get-TeamUser -GroupId 7ad89f19-1c20-4f51-a520-1228002ac93d | Where-Object { $_.Name -like "Megan.ryn.admin" } | Select-Object -ExpandProperty UserId
Remove-TeamUser -GroupId 7ad89f19-1c20-4f51-a520-1228002ac93d -User $megryn

mvn appengine:update will not deploy due to permissions error

I am trying to deploy a basic app engine web app with maven.
As a part of the deployment process, I am required to authenticate via a web browser.
I am using 2 different google accounts. 1 for home. 1 for work. When maven opened up the browser tab to ask me to authenticate, it selected the wrong account. I didn't notice this and clicked the "Allow" button.
This account does not have the right credentials so I got an access denied error.
😈 >mvn appengine:update
...
Beginning interaction for module default...
Apr 01, 2016 4:47:32 PM com.google.appengine.tools.admin.AbstractServerConnection send1
WARNING: Error posting to URL: https://appengine.google.com/api/appversion/getresourcelimits?app_id=maven-1268&version=1&
403 Forbidden
You do not have permission to modify this app (app_id=u's~maven-1268').
This is try #0
Apr 01, 2016 4:47:32 PM com.google.appengine.tools.admin.AbstractServerConnection send1
WARNING: Error posting to URL: https://appengine.google.com/api/appversion/getresourcelimits?app_id=maven-1268&version=1&
403 Forbidden
You do not have permission to modify this app (app_id=u's~maven-1268').
This is try #1
Apr 01, 2016 4:47:32 PM com.google.appengine.tools.admin.AbstractServerConnection send1
WARNING: Error posting to URL: https://appengine.google.com/api/appversion/getresourcelimits?app_id=maven-1268&version=1&
403 Forbidden
You do not have permission to modify this app (app_id=u's~maven-1268').
This is try #2
Apr 01, 2016 4:47:33 PM com.google.appengine.tools.admin.AbstractServerConnection send1
WARNING: Error posting to URL: https://appengine.google.com/api/appversion/getresourcelimits?app_id=maven-1268&version=1&
403 Forbidden
You do not have permission to modify this app (app_id=u's~maven-1268').
This is try #3
So I think "no biggee", I'll just run it again. Somehow I'll get maven to select the correct account (maybe I'll temporarily logout of the incorrect one) and that will solve the problem.
Unfortunately, I am no longer being prompted to authenticate. It just keeps giving me access denied errors.
I am presuming there is a file somewhere on the file system that I need to delete in order to get prompted for my authorization again.
Does anyone know where this file is?
UPDATE
I tried completely recreating my project from scratch in a different directory, and I still get the access denied errors.
By running this command ...
mvn help:describe -Dplugin=appengine -Ddetail
I have discovered that there is an additional parameter that I can pass to the update goal that will do exactly what I need it to do, but I don't know the correct syntax to use to actually pass this additional parameter.
appengine:update
Description: Create or update an app version.
Implementation: com.google.appengine.appcfg.Update Language: java
Before this mojo executes, it will call:
Phase: 'package'
Available parameters:
additionalParams
User property: appengine.additionalParams
Additional parameters to pass through to AppCfg.
noCookies
User property: appengine.noCookies
Do not save/load access credentials to/from disk.
I think this might be the correct syntax ...
😈 >mvn appengine:update -DadditionalParams="--noCookies"
However, this does NOT solve the problem as the update seems to ignore the parameter.
I fixed the error using this command before mvn appengine:update command:
rm ~/.appcfg_oauth2_tokens_java
I was able to solve this problem by using the appcfg.sh tool instead of maven.
😈 >appcfg.sh --no_cookies update /path/to/maven/project/first_project_second_try/guestbook/target/guestbook-1.0-SNAPSHOT
I suspect that it is possible to do this with maven as well, but I am uncertain as to how to pass the "--no_cookies" option to maven.
