Creating Azure AD & AD objects using PowerShell; Delegating authority on Azure Internal Load Balancer
John Savill's Frequently Asked Questions
September 20, 2017
Three times a week (Monday/Wednesday/Friday), John Savill tackles your most pressing IT questions.
Read through the FAQ archives, or send him your questions via email.
Q. How can I grant rights to an Azure resource to an Azure AD group using PowerShell?
Q. I want to create a new group in each OU and automatically populate it with all the users in that OU. How can I do this?
Q. I'm using the Azure Internal Load Balancer but notice the URL is being redirected, how can I stop this?
Q. How can I grant rights to an Azure resource to an Azure AD group using PowerShell?
Dept - Azure
A. The only requirement is to have the object ID of the Azure AD group. This is easily found with PowerShell. In the code below I find the ID of an Azure AD group then grant it contributor rights to an ARM Resource Group object in Azure.
$AzureADTAGroup = Get-AzureRMADGroup -SearchString "TAGroupDallas"
New-AzureRmRoleAssignment -ObjectId $AzureADTAGroup.Id -RoleDefinitionName "Contributor" -ResourceGroupName $RGName
Q. I want to create a new group in each OU and automatically populate it with all the users in that OU. How can I do this?
Dept - Active Directory
A. PowerShell! Using PowerShell it is easy to enumerate OUs under a certain path, create an empty group (name is based on the OU name) then populate with all the users in that OU. In the script below I base it around each child OU has a child OU named Groups and Users just to better organize objects. If you don't have this structure you can change the paths used.
$RootPath = "OU=Teams,DC=savilltech,DC=net"
$OUs = Get-ADOrganizationalUnit -filter * -searchbase "$RootPath" -SearchScope OneLevel
foreach($OU in $OUs)
{
$GroupOU = "OU=Groups,$($OU.DistinguishedName)"
$UserOU = "OU=Users,$($OU.DistinguishedName)"
$UserGroupName = "$($OU.Name)Users"
$UserGroup = New-ADGroup -Name $UserGroupName -GroupCategory Security -GroupScope Global `
-DisplayName $UserGroupName -Path $GroupOU `
-Description "$($OU.Name) Users Group" -PassThru
#Now add all the users to it
$Users = Get-ADUser -Filter * -SearchBase $UserOU
foreach($User in $Users)
{
$User | Add-ADPrincipalGroupMembership -MemberOf $UserGroupName
}
}
Q. I'm using the Azure Internal Load Balancer but notice the URL is being redirected, how can I stop this?
Dept - Azure
A. The Azure Load Balancer runs at layer 4 (TCP/UDP) and does not understand HTTP and so is not capable of redirecting URLs. Instead it simply forwards packets to the target backend server which as part of the operation, the destination IP of the packet is changed. When the backend server replies, the Software Defined Networking layer swaps again the backend server IP address for the load balancer IP address before returning the packet to sender.
One option to identify what is happening is to use a tool like fiddler or the developer tools in the browser (F12) and look for the data. If you are receiving a HTTP redirect (one of the 30X status codes) then that is coming from something that is not the ILB.
About the Author
You May Also Like