Sometimes you might want to connect to Azure AD PowerShell
with MFA but there is no way for the PowerShell to prompt you for MFA unless
you have MFA enforced on the account.
# Install adal.ps
if(!(Get-Package adal.ps)) { Install-Package -Name adal.ps }
# Get token for MS Graph by prompting for MFA
$MsResponse = Get-ADALToken -Resource "https://graph.microsoft.com" -ClientId "1b730954-1685-4b74-9bfd-dac224a7b894" -RedirectUri "urn:ietf:wg:oauth:2.0:oob" -Authority "https://login.microsoftonline.com/common" -PromptBehavior Always -extraQueryParameters amr_values=mfa
# Get token for AAD Graph
$AadResponse = Get-ADALToken -Resource "https://graph.windows.net" -ClientId "1b730954-1685-4b74-9bfd-dac224a7b894" -RedirectUri "urn:ietf:wg:oauth:2.0:oob" -Authority "https://login.microsoftonline.com/common" -PromptBehavior Auto
Connect-AzureAD -AadAccessToken $AadResponse.AccessToken -MsAccessToken $MsResponse.AccessToken -AccountId: upn -tenantId: tenantId
# Call cmdlet which requires MFA
$resource = Get-AzureADMSPrivilegedResource -ProviderId AadRoles
$roleDefinition = Get-AzureADMSPrivilegedRoleDefinition -ProviderId AadRoles -ResourceId $resource.Id -Filter "DisplayName eq 'Global Administrator'"
$subject = Get-AzureADUser -Filter "userPrincipalName eq 'upn'"
$schedule = New-Object Microsoft.Open.MSGraph.Model.AzureADMSPrivilegedSchedule
$schedule.Type = "Once"
$schedule.Duration="PT1H"
$schedule.StartDateTime = (Get-Date).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ss.fffZ")
Open-AzureADMSPrivilegedRoleAssignmentRequest -ProviderId AadRoles -Schedule $schedule -ResourceId $resource.Id -RoleDefinitionId $roleDefinition.Id -SubjectId $subject.ObjectId -AssignmentState "Active" -Type "UserAdd" -Reason "Test"
The scenario which I had was calling a cmdlet for Privileged
Identity Management where I was activating a role which requires MFA https://docs.microsoft.com/en-us/powershell/module/azuread/?view=azureadps-2.0-preview#privileged_role_management
The solution is to get an access token with MFA and pass the
token while connecting to PowerShell.
The pre-requisite is that you have already installed Azure
AD PowerShell by following these steps https://docs.microsoft.com/en-us/powershell/azure/active-directory/install-adv2?view=azureadps-2.0
if(!(Get-Package adal.ps)) { Install-Package -Name adal.ps }
# Get token for MS Graph by prompting for MFA
$MsResponse = Get-ADALToken -Resource "https://graph.microsoft.com" -ClientId "1b730954-1685-4b74-9bfd-dac224a7b894" -RedirectUri "urn:ietf:wg:oauth:2.0:oob" -Authority "https://login.microsoftonline.com/common" -PromptBehavior Always -extraQueryParameters amr_values=mfa
# Get token for AAD Graph
$AadResponse = Get-ADALToken -Resource "https://graph.windows.net" -ClientId "1b730954-1685-4b74-9bfd-dac224a7b894" -RedirectUri "urn:ietf:wg:oauth:2.0:oob" -Authority "https://login.microsoftonline.com/common" -PromptBehavior Auto
Connect-AzureAD -AadAccessToken $AadResponse.AccessToken -MsAccessToken $MsResponse.AccessToken -AccountId: upn -tenantId: tenantId
# Call cmdlet which requires MFA
$resource = Get-AzureADMSPrivilegedResource -ProviderId AadRoles
$roleDefinition = Get-AzureADMSPrivilegedRoleDefinition -ProviderId AadRoles -ResourceId $resource.Id -Filter "DisplayName eq 'Global Administrator'"
$subject = Get-AzureADUser -Filter "userPrincipalName eq 'upn'"
$schedule = New-Object Microsoft.Open.MSGraph.Model.AzureADMSPrivilegedSchedule
$schedule.Type = "Once"
$schedule.Duration="PT1H"
$schedule.StartDateTime = (Get-Date).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ss.fffZ")
Open-AzureADMSPrivilegedRoleAssignmentRequest -ProviderId AadRoles -Schedule $schedule -ResourceId $resource.Id -RoleDefinitionId $roleDefinition.Id -SubjectId $subject.ObjectId -AssignmentState "Active" -Type "UserAdd" -Reason "Test"
No comments:
Post a Comment