Issue
I was planning a migration from ADFS to Pass-through Authentication for a client, and was unable to run Get-MsolDomainFederationSettings due to permissions.
The command I’m running is Get-MsolDomainFederationSettings -DomainName x500.co.uk | fl *
Error:
Get-MsolDomainFederationSettings : Access Denied. You do not have permissions to call this cmdlet.
At line:2 char:1
+ Get-MsolDomainFederationSettings -DomainName x500.co.uk | fl *
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OperationStopped: (:) [Get-MsolDomainFederationSettings], MicrosoftOnlineException
+ FullyQualifiedErrorId : Microsoft.Online.Administration.Automation.AccessDeniedException,Microsoft.Online.Administration.Automation.GetDomainFederationSettings
Cause
The account I’d been given wasn’t assigned the Global Administrator role.
The following commands return the users who hold the role. Note that in Azure AD PowerShell the role is identified as “Company Administrator”; in the Azure portal, it’s “Global Administrator”.
$CompRole = Get-MsolRole -RoleName "Company Administrator"
Get-MsolRoleMember -RoleObjectId $CompRole.ObjectId
My account was assigned the role, and I was then able to run Get-MsolDomainFederationSettings.
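As an added example (not code from the original post), the role check above can be run as a pre-flight step before querying the federation settings. It assumes the MSOnline module with an active Connect-MsolService session; the function name and the UPN are hypothetical.

```powershell
# Added example: requires the MSOnline module and an active Connect-MsolService session.
# Get-FederationSettingsWithRoleCheck and the UPN used below are hypothetical names.
function Get-FederationSettingsWithRoleCheck {
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName,
        [Parameter(Mandatory)] [string] $DomainName
    )

    $roleName = 'Company Administrator'   # shown as "Global Administrator" in the Azure portal

    # Roles held by the account. Assumption: the role is a direct, active assignment.
    $userRoles = @(Get-MsolUserRole -UserPrincipalName $UserPrincipalName -ErrorAction Stop)

    if ($userRoles.Name -notcontains $roleName) {
        # List the current holders so the assignment can be requested from one of them.
        $role    = Get-MsolRole -RoleName $roleName
        $holders = Get-MsolRoleMember -RoleObjectId $role.ObjectId -All
        Write-Warning "$UserPrincipalName does not hold '$roleName'. Current members:"
        $holders | Select-Object DisplayName, EmailAddress, RoleMemberType |
            Format-Table -AutoSize | Out-Host
        return
    }

    try {
        Get-MsolDomainFederationSettings -DomainName $DomainName -ErrorAction Stop
    }
    catch {
        # Same failure as in the error output above: AccessDeniedException.
        if ($_.FullyQualifiedErrorId -like '*AccessDeniedException*') {
            Write-Warning "Access denied for $DomainName; re-check the role assignment for $UserPrincipalName."
        }
        throw
    }
}

# Constructed sample call; replace the UPN with the account used for Connect-MsolService.
Get-FederationSettingsWithRoleCheck -UserPrincipalName 'admin@contoso.onmicrosoft.com' `
    -DomainName 'x500.co.uk' | Format-List *
```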