Get-MsolDomainFederationSettings : Access Denied

Issue

I was planning a migration from ADFS to Pass-through Authentication for a client, and was unable to run Get-MsolDomainFederationSettings due to permissions.

The command I’m running is Get-MsolDomainFederationSettings -DomainName x500.co.uk | fl *

Error:

Get-MsolDomainFederationSettings : Access Denied. You do not have permissions to call this cmdlet.
At line:2 char:1
+ Get-MsolDomainFederationSettings -DomainName x500.co.uk | fl *
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OperationStopped: (:) [Get-MsolDomainFederationSettings], MicrosoftOnlineException
+ FullyQualifiedErrorId : Microsoft.Online.Administration.Automation.AccessDeniedException,Microsoft.Online.Administration.Automation.GetDomainFederationSettings

Cause

The account I’d been given wasn’t assigned the Global Administrator role.

The following commands return the users who hold the role. Note that Azure AD PowerShell identifies the role as “Company Administrator”, while the Azure portal calls it “Global Administrator”.

$CompRole = Get-MsolRole -RoleName "Company Administrator"

Get-MsolRoleMember -RoleObjectId $CompRole.ObjectId

My account was assigned the role, and I was then able to run Get-MsolDomainFederationSettings.
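
The check described above can be wrapped into a pre-flight test that confirms role membership before the federation cmdlet is called. This is an added example, not code from the original post. It assumes the MSOnline module is loaded and Connect-MsolService has already been run. The function name, the UPN and the domain are placeholders.

```powershell
# Added example: verify "Company Administrator" membership before querying
# federation settings. Assumes an existing Connect-MsolService session.
function Get-FederationSettingsIfAdmin {
    param(
        [Parameter(Mandatory)][string]$DomainName,
        [Parameter(Mandatory)][string]$UserPrincipalName
    )

    # The MSOnline module names the Global Administrator role "Company Administrator".
    $role = Get-MsolRole -RoleName 'Company Administrator'

    # Resolve the account to its ObjectId so the comparison does not rely on display strings.
    $user = Get-MsolUser -UserPrincipalName $UserPrincipalName -ErrorAction Stop

    # -All avoids truncated results in tenants with many role holders.
    $members = @(Get-MsolRoleMember -RoleObjectId $role.ObjectId -All)

    if ($members.ObjectId -notcontains $user.ObjectId) {
        Write-Warning "$UserPrincipalName does not hold '$($role.Name)'; the federation query will be denied."
        # List the current holders so the assignment can be requested from one of them
        # and so the membership itself can be reviewed.
        $members | Select-Object DisplayName, EmailAddress, RoleMemberType
        return
    }

    Get-MsolDomainFederationSettings -DomainName $DomainName | Format-List *
}

# Placeholder values, not from the original post.
Get-FederationSettingsIfAdmin -DomainName 'example.com' -UserPrincipalName 'admin@example.com'
```

The check only sees direct assignments returned by Get-MsolRoleMember. Once the migration work is finished, the same member listing shows whether the temporary assignment has been removed.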
