In this post we detail how to assign roles to enterprise applications in Azure B2C, the issues with assigning them via PowerShell, and the troubleshooting steps that worked.
So this is just a super quick post to document an issue that stumped me recently. I had been asked to assign the Helpdesk Administrator role to a custom enterprise app in an Azure B2C environment. The steps I had been given to follow were from this blog post and got me most of the way there.
I had issues using MSOL initially but managed to get around that; however, every time I ran the Add-MsolRoleMember cmdlet I kept getting the same error:
Error adding Service Principal to Role: This role does not exist. Check the name and try again.
As always, the simplest solution is often the best and in this case that was true again! I was able to assign the role to the enterprise applications through the Azure B2C AAD GUI. The way I did it was to:
Open Azure Active Directory
Select Roles and administrators
Select the relevant admin role (e.g. Helpdesk Administrator)
Under Assignments > press + Add Assignments
Search for the name of the enterprise app you want to assign the role to > select it > press Add
That’s it, no need for PowerShell: you can just assign the roles directly from Azure AD.
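If the same assignment has to be scripted (for example, repeated across several tenants), the following is an added example and not code from the original post or from the blog post it links to. It uses the Microsoft Graph PowerShell SDK rather than the deprecated MSOnline module, and it handles the step that most often breaks role assignment from scripts: a built-in role only exists as a directoryRoles object once it has been activated from its role template in the tenant, so the script activates the role before adding the member. The app display name and tenant ID are placeholders. If you must stay on MSOnline, Get-MsolRole lists the role names the tenant actually exposes, which is the first thing to check when Add-MsolRoleMember reports that a role does not exist.

```powershell
# Added example (not from the original post): assign a built-in Azure AD role to an
# enterprise application (service principal) with the Microsoft Graph PowerShell SDK.
# Assumptions (hypothetical values): app display name and tenant ID below.

# Install-Module Microsoft.Graph.Identity.DirectoryManagement -Scope CurrentUser   # once
# Install-Module Microsoft.Graph.Applications -Scope CurrentUser                   # once

$tenantId = "00000000-0000-0000-0000-000000000000"   # hypothetical B2C tenant ID
$roleName = "Helpdesk Administrator"
$appName  = "Contoso Helpdesk App"                   # hypothetical enterprise app name

Connect-MgGraph -TenantId $tenantId -Scopes "RoleManagement.ReadWrite.Directory","Application.Read.All"

# 1. Resolve the service principal (the "enterprise application" object), not the app registration.
$sp = @(Get-MgServicePrincipal -Filter "displayName eq '$appName'")
if ($sp.Count -eq 0) { throw "Service principal '$appName' not found" }
if ($sp.Count -gt 1)  { throw "More than one service principal named '$appName'; pick one by object ID" }
$sp = $sp[0]

# 2. Built-in roles exist as templates; a role appears under directoryRoles only once it has
#    been activated in the tenant. Activate it from its template if it is not there yet.
$template = Get-MgDirectoryRoleTemplate | Where-Object DisplayName -eq $roleName
if (-not $template) { throw "No role template named '$roleName'" }

$role = Get-MgDirectoryRole | Where-Object RoleTemplateId -eq $template.Id
if (-not $role) {
    Write-Host "Role '$roleName' not yet activated in this tenant; activating from template $($template.Id)"
    $role = New-MgDirectoryRole -RoleTemplateId $template.Id
}

# 3. Add the service principal as a member unless it already is one (keeps the script idempotent).
$members = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id
if ($members.Id -contains $sp.Id) {
    Write-Host "'$appName' is already a member of '$roleName'"
} else {
    New-MgDirectoryRoleMemberByRef -DirectoryRoleId $role.Id -BodyParameter @{
        "@odata.id" = "https://graph.microsoft.com/v1.0/directoryObjects/$($sp.Id)"
    }
    Write-Host "Assigned '$roleName' to '$appName' ($($sp.Id))"
}

# 4. Verify the membership and confirm the member is a service principal, not a user.
Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id |
    Where-Object Id -eq $sp.Id |
    Select-Object Id, @{ n = 'Type'; e = { $_.AdditionalProperties['@odata.type'] } }
```

Helpdesk Administrator can reset passwords and invalidate refresh tokens for non-administrator users, so a service principal holding it is a high-value credential; keep the app's client secret or certificate in a vault and review the role's membership regularly.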
As a general rule I’ve found that most users who are in your M365 tenancy should have OneDrive irrespective of whether they are using it or not.
During a project I was involved with, we were compiling a list of all our M365 users' home drive source locations to migrate the data into their respective OneDrives. Completing this exercise, we found that not everyone in our organisation actually had OneDrive provisioned.
Information online as to the reasons why was scant, with much of what others describe around licensing issues not being applicable in this situation.
When you look at a user’s OneDrive information within the M365 admin center, you will see this:
I’m not 100% sure why these users are without OneDrive, as the accounts checked hadn’t been blocked. However, they have not had any sign-in activity for the last 30 days, although we have set our OneDrive retention to 90 days before deletion, so it’s still a bit of a mystery.
Microsoft have provided documentation on how to pre-provision OneDrive for users in your organization which is exactly what we needed. The documentation details two ways in which you can approach the problem:
The script should loop through until it completes for all users in your tenancy. You should see it looping through like in the example screenshot below:
Issues & resolution steps
Before I start describing my experiences of running the script, I am a relative PowerShell novice so forgive my ignorance if some of this is elementary. I had some trouble getting the script to run, which I think was more to do with the cmdlets I had installed (I’ve had a new laptop recently) rather than the script.
Issues with Connect-SPOService
I had issues connecting to the SharePoint admin center, I was receiving an error like this:
I found this post on koskila.net that is really helpful and may help others with similar issues. In the end I got the script to run by removing the $credential variable at the start of the Microsoft script and connecting to the msolservice and sposervice directly.
With the $credential variable removed, I was prompted to log in twice, once for MsolService and again for SPOService, which then authenticated and moved on to the next stage of the script.
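The batch loop from Microsoft's pre-provisioning documentation and the two interactive logins described above, written out as an added example; this is not Microsoft's script or the author's modified copy of it. It assumes the Microsoft.Online.SharePoint.PowerShell and Microsoft.Graph.Users modules are installed, uses Connect-MgGraph in place of Connect-MsolService (MSOnline is deprecated), builds no $credential object so that both connections prompt interactively and work with MFA, submits Request-SPOPersonalSite in batches of 199 (the cmdlet accepts up to 200 addresses per call), and finishes with a check that reports which users still have no personal site. The admin center URL is a placeholder.

```powershell
# Added example (not Microsoft's documented script, nor the author's): pre-provision OneDrive
# for every enabled, licensed member user by submitting Request-SPOPersonalSite in batches.
# Assumptions: SharePoint Online Management Shell and Microsoft.Graph.Users modules installed;
# the admin URL below is hypothetical.

$adminUrl  = "https://contoso-admin.sharepoint.com"   # hypothetical tenant admin center
$batchSize = 199                                       # stay under the 200-address limit per call

# Both connections prompt interactively. No $credential object is created, so modern auth and
# MFA work and the script never handles a stored password.
Connect-MgGraph -Scopes "User.Read.All"
Connect-SPOService -Url $adminUrl

# Enabled member users only (guests are skipped); drop anyone with no license, since an
# unlicensed user will not receive a personal site.
$users = Get-MgUser -All -Filter "accountEnabled eq true and userType eq 'Member'" `
    -Property UserPrincipalName,AssignedLicenses,AccountEnabled |
    Where-Object { $_.AssignedLicenses.Count -gt 0 -and $_.UserPrincipalName }

$emails = @($users.UserPrincipalName)
Write-Host "Requesting OneDrive for $($emails.Count) users in batches of $batchSize"

for ($i = 0; $i -lt $emails.Count; $i += $batchSize) {
    $end   = [Math]::Min($i + $batchSize, $emails.Count) - 1
    $batch = $emails[$i..$end]
    try {
        # -NoWait queues the request; provisioning itself runs asynchronously in the service.
        Request-SPOPersonalSite -UserEmails $batch -NoWait
        Write-Host ("Batch {0}-{1} of {2} submitted" -f ($i + 1), ($end + 1), $emails.Count)
    } catch {
        # One bad address in a batch fails the call; log it and keep going with the next batch.
        Write-Warning ("Batch {0}-{1} failed: {2}" -f ($i + 1), ($end + 1), $_.Exception.Message)
    }
}

# Provisioning takes time, so run this check later (or re-run the script; requests for users
# who already have a site are harmless). Owner on a personal site is the owner's UPN.
$provisioned = Get-SPOSite -IncludePersonalSite $true -Limit All `
    -Filter "Url -like '-my.sharepoint.com/personal/'" |
    Select-Object -ExpandProperty Owner

$missing = $emails | Where-Object { $provisioned -notcontains $_ }
Write-Host "$($missing.Count) of $($emails.Count) users still have no personal site"
$missing
```

Running the final check a day or two after the requests gives a short list of users to investigate individually, which is a better starting point than the admin center's per-user view when the tenant is large.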
Once the SharePoint Starter Kit deployment has completed, it will have provisioned three site collections as well as other tenant-level settings such as themes, site designs and taxonomy term sets. You can access all the site collections and web parts deployed by the starter kit either through the new SharePoint admin center or through the SharePoint app in Office 365.