How to manage Azure Government directories with PowerShell

Kyle Deeds, Program Manager

When utilizing a new directory for your Azure Government environment, one gap commonly encountered is assigning an alternate email address to each user. This attribute is only mandatory for accounts given the Service Administrator role, so many accounts, including Co-Administrators, do not have it set. Enabling features such as Self-Service Password Reset also requires the alternate email address to be assigned. The Azure Active Directory V2 PowerShell module can be used to solve this issue. If you have used this PowerShell module for Azure Public, the workflow is very similar; the one difference is that when connecting your account you need to specify the environment name.

Connect-AzureAD -AzureEnvironmentName AzureUSGovernment

In order to set the alternate email address, you need to identify the account’s Object ID. The easiest way to achieve this is running a search against the directory for the alias using the following command:

Get-AzureADUser -SearchString "accountName"

With the Object ID identified, the alternate email can be set on the account:

Set-AzureADUser -ObjectId "objectID" -OtherMails @('accountName@contoso.com')

Many organizations use the same account name on their directory for Azure Government and their enterprise directory. If your organization follows this convention, adding an alternate email can be done for every user with a simple script that utilizes the commands above and some string manipulation.

To run this script, you will need to update the $govTenant and $enterpriseTenant variables with the appropriate details. The script gets a list of up to 5000 user accounts and iterates through each one. For each account it checks whether an alternate email is already set. If there is none, it adds one, assuming that the alias on the Azure Government tenant is also valid on the enterprise tenant.

Connect-AzureAD -AzureEnvironmentName AzureUSGovernment

# -Top 5000 caps the result set; use -All $true to page through a larger directory.
$users = Get-AzureADUser -Top 5000

# Update these two suffixes for your tenants before running.
$govTenant = '@AzureGovTenant.onmicrosoft.com'
$enterpriseTenant = '@Contoso.com'

foreach ($user in $users)
{
    $upn = $user.UserPrincipalName

    if ($user.OtherMails.Count -eq 0)
    {
        # [string]::Replace is case-sensitive, so a UPN whose domain casing differs from
        # $govTenant would be left unchanged and written back as its own alternate email.
        # Check the suffix case-insensitively and swap it explicitly instead.
        if ($upn.EndsWith($govTenant, [System.StringComparison]::OrdinalIgnoreCase))
        {
            $corpEmail = $upn.Substring(0, $upn.Length - $govTenant.Length) + $enterpriseTenant

            Set-AzureADUser -ObjectId $user.ObjectId -OtherMails @( $corpEmail )
            Write-Output "update $upn"
        }
        else
        {
            # Guest or externally sourced accounts do not carry the tenant suffix; leave them alone.
            Write-Output "skip $upn (UPN does not end in $govTenant)"
        }
    }
    else
    {
        Write-Output "no update $upn"
    }
}
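Before changing every account in a directory it is worth producing a record of which accounts are missing the attribute and which ones the script could not derive an address for. The following is an added example, not code from the original post or from Microsoft: it splits the bulk update into a read-only audit that pages through the whole directory with -All $true (rather than stopping at 5000), exports the pre-change state to CSV, and an update function that supports -WhatIf so the change can be dry-run first. It assumes the Azure AD V2 module is installed and a session has been opened with Connect-AzureAD -AzureEnvironmentName AzureUSGovernment; the tenant suffixes and the CSV path are placeholders.

```powershell
# Added example (not part of the original post). Assumes an open session from
# Connect-AzureAD -AzureEnvironmentName AzureUSGovernment.
$govTenant        = '@AzureGovTenant.onmicrosoft.com'   # placeholder, replace with your tenant
$enterpriseTenant = '@Contoso.com'                      # placeholder, replace with your tenant

function Get-AlternateEmailGap {
    # Returns one object per member account with no alternate email, recording whether the
    # UPN carries the Azure Government suffix (if not, no enterprise address is proposed).
    param(
        [Parameter(Mandatory)] [string] $GovSuffix,
        [Parameter(Mandatory)] [string] $EnterpriseSuffix
    )

    # -All $true pages through the entire directory instead of stopping at -Top 5000.
    Get-AzureADUser -All $true |
        Where-Object { $_.UserType -eq 'Member' -and $_.OtherMails.Count -eq 0 } |
        ForEach-Object {
            $upn = $_.UserPrincipalName
            $suffixMatches = $upn.EndsWith($GovSuffix, [System.StringComparison]::OrdinalIgnoreCase)
            $proposed = $null
            if ($suffixMatches) {
                # Swap only the suffix, so the alias part of the UPN is preserved exactly.
                $proposed = $upn.Substring(0, $upn.Length - $GovSuffix.Length) + $EnterpriseSuffix
            }
            [pscustomobject]@{
                ObjectId          = $_.ObjectId
                UserPrincipalName = $upn
                SuffixMatches     = $suffixMatches
                ProposedAltEmail  = $proposed
            }
        }
}

function Set-AlternateEmailFromGap {
    # Applies the proposed alternate email for each audited account; honours -WhatIf / -Confirm.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [pscustomobject] $Account
    )
    process {
        if (-not $Account.SuffixMatches) {
            Write-Warning "Skipping $($Account.UserPrincipalName): UPN does not end in the Azure Government suffix"
            return
        }
        $action = "Set OtherMails to $($Account.ProposedAltEmail)"
        if ($PSCmdlet.ShouldProcess($Account.UserPrincipalName, $action)) {
            Set-AzureADUser -ObjectId $Account.ObjectId -OtherMails @($Account.ProposedAltEmail)
        }
    }
}

# 1. Audit and keep a record of the pre-change state.
$gap = Get-AlternateEmailGap -GovSuffix $govTenant -EnterpriseSuffix $enterpriseTenant
$gap | Export-Csv -Path '.\alt-email-gap.csv' -NoTypeInformation   # placeholder path

# 2. Dry run; remove -WhatIf once the list has been reviewed.
$gap | Set-AlternateEmailFromGap -WhatIf
```

The audit deliberately filters to UserType 'Member': guest accounts have UPNs in the #EXT# form that never end in the tenant suffix, and the original script would otherwise have no address to derive for them. Running the update with -WhatIf first shows exactly which accounts would be written to, which is the check most administrators want before a directory-wide change.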

References:

Managing and connecting to your subscription in Azure Government

Azure Active Directory V2 PowerShell module

We welcome your comments and suggestions to help us continually improve your Azure Government experience. To stay up to date on all things Azure Government, be sure to subscribe to our RSS feed and to receive emails, click “Subscribe by Email!” on the Azure Government Blog. To experience the power of Azure Government for your organization, sign up for an Azure Government Trial.
