Anuj Chaudhary: 2020

Wednesday, September 30, 2020

Azure AD PowerShell for Azure Resources in PIM

Have you wondered how to user Azure AD PowerShell for Azure Resources in PIM. This is a little tricky since the id's in OData do not support slashes but the id's for Azure resources contains slashes. Hence the id for these resources are mapped to a GUID in Graph.

To query the azure resources in Graph, you will need to pass an ExternalId filter and the rest should be straight forward.

Below is an example of adding a user as Eligible Owner on a subscription.

The pre-requisite is that you have already installed Azure AD Preview PowerShell by following these steps https://docs.microsoft.com/en-us/powershell/azure/active-directory/install-adv2?view=azureadps-2.0

Connect-AzureAD

$resource = Get-AzureADMSPrivilegedResource -Provider azureResources -Filter "ExternalId eq '/subscriptions/38ab2ccc-3747-4567-b36b-9478f5602f0d'"

$roleDefinition = Get-AzureADMSPrivilegedRoleDefinition -ProviderId azureResources -ResourceId $resource.Id -Filter "DisplayName eq 'Owner'"

$subject = Get-AzureADUser -Filter "userPrincipalName eq 'upn'"

$schedule = New-Object Microsoft.Open.MSGraph.Model.AzureADMSPrivilegedSchedule

$schedule.Type = "Once"

$schedule.StartDateTime = (Get-Date).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ss.fffZ")

$schedule.EndDateTime = (Get-Date).AddDays(30).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ss.fffZ")

Open-AzureADMSPrivilegedRoleAssignmentRequest -ProviderId azureResources -Schedule $schedule -ResourceId $resource.Id -RoleDefinitionId $roleDefinition.Id -SubjectId $subject.ObjectId -AssignmentState "Eligible" -Type "AdminAdd" -Reason "Test"

Friday, February 14, 2020

Connect to Azure AD PowerShell with MFA

Sometimes you might want to connect to Azure AD PowerShell with MFA but there is no way for the PowerShell to prompt you for MFA unless you have MFA enforced on the account.

The scenario which I had was calling a cmdlet for Privileged Identity Management where I was activating a role which requires MFA https://docs.microsoft.com/en-us/powershell/module/azuread/?view=azureadps-2.0-preview#privileged_role_management

The solution is to get an access token with MFA and pass the token while connecting to PowerShell.

# Install msal.ps

if(!(Get-Module | Where-Object {$_.Name -eq 'PowerShellGet' -and $_.Version -ge '2.2.4.1'})) { Install-Module PowerShellGet -Force }

if(!(Get-Package msal.ps)) { Install-Package msal.ps }

# Get token for MS Graph by prompting for MFA

$MsResponse = Get-MSALToken -Scopes @("https://graph.microsoft.com/.default") -ClientId "1b730954-1685-4b74-9bfd-dac224a7b894" -RedirectUri "urn:ietf:wg:oauth:2.0:oob" -Authority "https://login.microsoftonline.com/common" -Interactive -ExtraQueryParameters @{claims='{"access_token" : {"amr": { "values": ["mfa"] }}}'}

# Get token for AAD Graph

$AadResponse = Get-MSALToken -Scopes @("https://graph.windows.net/.default") -ClientId "1b730954-1685-4b74-9bfd-dac224a7b894" -RedirectUri "urn:ietf:wg:oauth:2.0:oob" -Authority "https://login.microsoftonline.com/common"

Connect-AzureAD -AadAccessToken $AadResponse.AccessToken -MsAccessToken $MsResponse.AccessToken -AccountId: "upn" -tenantId: "tenantId"

# Call cmdlet which requires MFA

$resource = Get-AzureADMSPrivilegedResource -ProviderId AadRoles

$roleDefinition = Get-AzureADMSPrivilegedRoleDefinition -ProviderId AadRoles -ResourceId $resource.Id -Filter "DisplayName eq 'Global Administrator'"

$subject = Get-AzureADUser -Filter "userPrincipalName eq 'upn'"

$schedule = New-Object Microsoft.Open.MSGraph.Model.AzureADMSPrivilegedSchedule

$schedule.Type = "Once"

$schedule.Duration="PT1H"

$schedule.StartDateTime = (Get-Date).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ss.fffZ")

Open-AzureADMSPrivilegedRoleAssignmentRequest -ProviderId AadRoles -Schedule $schedule -ResourceId $resource.Id -RoleDefinitionId $roleDefinition.Id -SubjectId $subject.ObjectId -AssignmentState "Active" -Type "UserAdd" -Reason "Test"