PowerShell - 使用 Microsoft 帐户连接到 Azure Active Directory [英] PowerShell - Connecting to Azure Active Directory using Microsoft Account
问题描述
我有一个 Azure 订阅,其中订阅管理员帐户是 Microsoft 帐户.然后,我添加了另一个 Microsoft 帐户作为共同管理员.有人告诉我,当我添加一个共同管理员时,它会作为 Guest 用户添加到我的订阅的默认 AD 中.我真正想要完成的是将用户类型从 Guest 更改为 Member.为此,建议我使用 Azure AD PowerShell,而这正是我苦苦挣扎的地方.
I have an Azure subscription where the subscription administrator account is a Microsoft Account. I then added another Microsoft Account as a co-administrator. I'm told that when I add a co-administrator, it gets added to my subscription's default AD as a Guest user. What I really want to accomplish is change the user type from Guest to Member. For this, I am advised to use Azure AD PowerShell and this is where I am struggling.
我已经安装了相关的 PS 模块(基于此链接:https://msdn.microsoft.com/en-us/library/azure/jj151815.aspx).
I've already installed related PS Modules (based on this link: https://msdn.microsoft.com/en-us/library/azure/jj151815.aspx).
这就是我正在做的事情:
So here's what I am doing:
首先,这是我发出的命令:
First, this is the command I am issuing:
$msolcred = get-credential
系统提示我输入我提供的凭据,然后运行以下命令:
I get prompted for entering my credentials which I provide and then I run the following command:
connect-msolservice -credential $msolcred
当我这样做时,我收到以下错误:
When I do this, I get the following error:
connect-msolservice : The user name or password is incorrect. Verify your user name, and then type your password again.
At line:1 char:1
+ connect-msolservice -Credential $cred -Verbose
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OperationStopped: (:) [Connect-MsolService], MicrosoftOnlineException
+ FullyQualifiedErrorId : 0x80048821,Microsoft.Online.Administration.Automation.ConnectMsolService
我什至尝试将用户名设置为 domainname.onmicrosoft.comusername 但仍然得到相同的结果.
I even tried putting the username as domainname.onmicrosoft.comusername but still get the same result.
所以我的问题是:
- 是否可以使用 Microsoft 帐户通过 PowerShell 连接到 Azure AD?
- 如果可以的话,我应该如何指定用户名?我已经尝试了
username以及domainnameusername并且我得到了同样的错误. - 如果不可能,那么替代解决方案是什么?我是否应该在该 AD 中创建一个用户并将该用户置于有权管理用户的角色中(因为这是我想要做的)?
- Is it even possible to connect to Azure AD via PowerShell using Microsoft Account?
- If it is possible, then how should I specify the username? I have tried both
usernameas well asdomainnameusernameand I got the same error. - If it is not possible, then what's the alternate solution? Should I just create a user in that AD and put that user in a role that has permission to manage users (as this is what I want to do)?
我们将非常感谢您对此的任何见解.
Any insights regarding this would be highly appreciated.
推荐答案
(2018-04-23 更新,阐明如何使用 AzureAD (v2) 模块执行此操作.)
(Updated 2018-04-23 to clarify how to do this with AzureAD (v2) module.)
AzureAD (v2) PowerShell 模块接受 ‑TenantId 参数"nofollow noreferrer">Connect‑AzureAD,可以是 Guid 租户 ID,也可以是 Azure AD 租户中任何经过验证的域名.这样做将允许您使用外部帐户登录(例如,您的个人 Microsoft 帐户,或者来自另一个 Azure AD 租户的工作或学校帐户,只要此帐户之前曾被邀请加入租户):
The AzureAD (v2) PowerShell module accepts the ‑TenantId parameter in Connect‑AzureAD, which can be either the Guid tenant ID, or any verified domain name in the Azure AD tenant. Doing so will allow you to sign in using an external account (e.g. you personal Microsoft account, or a work or school account from another Azure AD tenant, as long as this account was previously invited into the tenant):
Connect-AzureAD -TenantId "contoso.com"
MSOnline (v1) 模块没有等效参数,但它接受 ‑AdGraphAccessToken 和 ‑MsGraphAccessToken,它们是 Azure AD Graph API (https://graph.windows.net) 和 Microsoft Graph API (https://graph.microsoft.com).虽然您可以使用 ADAL(例如)为您的特定租户(允许您使用外部用户)获取这些访问令牌,但为此为您的 Azure AD 租户创建一个本地"帐户可能更简单.
The MSOnline (v1) module does not have an equivalent parameter, but it does accept ‑AdGraphAccessToken and ‑MsGraphAccessToken, which are access tokens to the Azure AD Graph API (https://graph.windows.net) and the Microsoft Graph API (https://graph.microsoft.com), respectively. Though you can use ADAL (for example) to obtain these access tokens for your specific tenant (which allows you to use external users), it's probably simpler to just create a "local" account to your Azure AD tenant for this.
目前不支持使用 Microsoft 帐户登录 AAD PowerShell.您的方法(创建一个本地"目录的新用户)是可行的方法.
这篇关于PowerShell - 使用 Microsoft 帐户连接到 Azure Active Directory的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
