Connect to Azure PowerShell with Conditional Access Authentical Context

You can require users who are eligible for a role to satisfy Conditional Access policy requirements. For example, you can require users to use a specific authentication method enforced through Authentication Strengths, elevate the role from an Intune-compliant device, and comply with terms of use. Learn more here https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-resource-roles-configure-role-settings#on-activation-require-microsoft-entra-conditional-access-authentication-context 

However, once this is enabled, users cannot activate their eligible roles using Azure PowerShell since there is no way to login to Azure PowerShell with authentication context. 

To solve this issue, you can first acquire a token with authentication context and use it to connect to Azure PowerShell.

First, remember to disconnect so an older token is not used by Azure PowerShell

DisConnect-AzAccount

Now, acquire a token with authentication context. Replace c1 with the id of your authentication context. Learn more here https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-conditional-access-cloud-apps#configure-authentication-contexts 

$MsResponse = Get-MSALToken -Scopes @("https://management.core.windows.net//.default openid profile offline_access") -ClientId "04b07795-8ddb-461a-bbee-02f9e1bf7b46" -RedirectUri "http://localhost:8400/" -Authority "https://login.microsoftonline.com/common" -Interactive -ExtraQueryParameters @{claims='{"access_token":{"xms_cc":{"values":["CP1"]},"acrs":{"essential":true, "value":"c1"}}}'} 

Connect to Azure PowerShell with the acquired access token and provide the upn of the user if prompted for AccountId

Connect-AzAccount -AccessToken $MsResponse.AccessToken 

Activate your eligible role. Replace $scope, $role and $principal with your values. Learn more here https://learn.microsoft.com/en-us/powershell/module/az.resources/new-azroleassignmentschedulerequest?view=azps-13.0.0#example-3-activate-a-new-role-assignment-schedule-request-as-user 

$guid = (New-Guid).Guid 

$startTime = Get-Date -Format o 

$scope = "/subscriptions/c896b064-0cd9-49d5-a7df-c82df3dc60f3" 

$role = "/subscriptions/c896b064-0cd9-49d5-a7df-c82df3dc60f3/providers/Microsoft.Authorization/roleDefinitions/18d7d88d-d35e-4fb5-a5c3-7773c20a72d9" 

$principal = "290190c3-1372-4076-99a5-9efa5a1a18e3" 

New-AzRoleAssignmentScheduleRequest -Name $guid -Scope $scope -ExpirationDuration PT1H -ExpirationType AfterDuration -PrincipalId $principal -RequestType SelfActivate -RoleDefinitionId $role -ScheduleInfoStartDateTime $startTime -Justification "test" 

Azure AD PowerShell for Azure Resources in PIM

Have you wondered how to user Azure AD PowerShell for Azure Resources in PIM. This is a little tricky since the id's in OData do not support slashes but the id's for Azure resources contains slashes. Hence the id for these resources are mapped to a GUID in Graph.

To query the azure resources in Graph, you will need to pass an ExternalId filter and the rest should be straight forward.

Below is an example of adding a user as Eligible Owner on a subscription.

The pre-requisite is that you have already installed Azure AD Preview PowerShell by following these steps https://docs.microsoft.com/en-us/powershell/azure/active-directory/install-adv2?view=azureadps-2.0

Connect-AzureAD

$resource = Get-AzureADMSPrivilegedResource -Provider azureResources -Filter "ExternalId eq '/subscriptions/38ab2ccc-3747-4567-b36b-9478f5602f0d'"

$roleDefinition = Get-AzureADMSPrivilegedRoleDefinition -ProviderId azureResources -ResourceId $resource.Id -Filter "DisplayName eq 'Owner'"

$subject = Get-AzureADUser -Filter "userPrincipalName eq 'upn'"

$schedule = New-Object Microsoft.Open.MSGraph.Model.AzureADMSPrivilegedSchedule

$schedule.Type = "Once"

$schedule.StartDateTime = (Get-Date).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ss.fffZ")

$schedule.EndDateTime = (Get-Date).AddDays(30).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ss.fffZ")

Open-AzureADMSPrivilegedRoleAssignmentRequest -ProviderId azureResources -Schedule $schedule -ResourceId $resource.Id -RoleDefinitionId $roleDefinition.Id -SubjectId $subject.ObjectId -AssignmentState "Eligible" -Type "AdminAdd" -Reason "Test"

Connect to Azure AD PowerShell with MFA

Sometimes you might want to connect to Azure AD PowerShell with MFA but there is no way for the PowerShell to prompt you for MFA unless you have MFA enforced on the account.

The scenario which I had was calling a cmdlet for Privileged Identity Management where I was activating a role which requires MFA https://docs.microsoft.com/en-us/powershell/module/azuread/?view=azureadps-2.0-preview#privileged_role_management

The solution is to get an access token with MFA and pass the token while connecting to PowerShell.

The pre-requisite is that you have already installed Azure AD Preview PowerShell by following these steps https://docs.microsoft.com/en-us/powershell/azure/active-directory/install-adv2?view=azureadps-2.0

# Install msal.ps

if(!(Get-Module | Where-Object {$_.Name -eq 'PowerShellGet' -and $_.Version -ge '2.2.4.1'})) { Install-Module PowerShellGet -Force }

if(!(Get-Package msal.ps)) { Install-Package msal.ps }

# Get token for MS Graph by prompting for MFA

$MsResponse = Get-MSALToken -Scopes @("https://graph.microsoft.com/.default") -ClientId "1b730954-1685-4b74-9bfd-dac224a7b894" -RedirectUri "urn:ietf:wg:oauth:2.0:oob" -Authority "https://login.microsoftonline.com/common" -Interactive -ExtraQueryParameters @{claims='{"access_token" : {"amr": { "values": ["mfa"] }}}'}

# Get token for AAD Graph

$AadResponse = Get-MSALToken -Scopes @("https://graph.windows.net/.default") -ClientId "1b730954-1685-4b74-9bfd-dac224a7b894" -RedirectUri "urn:ietf:wg:oauth:2.0:oob" -Authority "https://login.microsoftonline.com/common"

Connect-AzureAD -AadAccessToken $AadResponse.AccessToken -MsAccessToken $MsResponse.AccessToken -AccountId: "upn" -tenantId: "tenantId"

# Call cmdlet which requires MFA

$resource = Get-AzureADMSPrivilegedResource -ProviderId AadRoles

$roleDefinition = Get-AzureADMSPrivilegedRoleDefinition  -ProviderId AadRoles -ResourceId $resource.Id -Filter "DisplayName eq 'Global Administrator'"

$subject = Get-AzureADUser -Filter "userPrincipalName eq 'upn'"

$schedule = New-Object Microsoft.Open.MSGraph.Model.AzureADMSPrivilegedSchedule

$schedule.Type = "Once"

$schedule.Duration="PT1H"

$schedule.StartDateTime = (Get-Date).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ss.fffZ")

Open-AzureADMSPrivilegedRoleAssignmentRequest -ProviderId AadRoles -Schedule $schedule -ResourceId $resource.Id -RoleDefinitionId $roleDefinition.Id -SubjectId $subject.ObjectId -AssignmentState "Active" -Type "UserAdd" -Reason "Test"

Handle Conditional Access challenge for Privileged Identity Management on Microsoft Graph

Privileged Identity Management (PIM) for Azure resources api’s are available on Microsoft Graph (MSGraph) so that developers can automate the PIM operations like activation, assignment, etc. To learn more, see http://www.anujchaudhary.com/2018/02/powershell-sample-for-privileged.html

Some organizations enable conditional policies like Multi factor authentication (MFA) for accessing any Azure resources. When users go to PIM through Azure Portal, they are prompted for MFA while logging into the Azure Portal. When they access the PIM UI, everything works since they have already performed MFA.

However, if the users are accessing PIM api’s for Azure resources through MSGraph, they might not be prompted for MFA on login since no conditional access policy might be enabled for MSGraph. When a PIM api is called, it fails with 400 Bad Request invalid_grant error since a conditional access policy is not met for Azure resources.

Example:

HTTP/1.1 400 Bad Request

{

  "error": {

    "code": "invalid_grant",

    "message": "{\"Name\":\"MsalUiRequiredException\",\"Message\":\"AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access '797f4846-ba00-4fd7-ba43-dac1f8f63013'.\\r\\nTrace ID: 7bdbe148-89e6-4493-a150-93dac7a06c00\\r\\nCorrelation ID: ff221ee5-ebb9-42d0-8f70-dbffde1b2104\\r\\nTimestamp: 2020-09-16 01:16:03Z\",\"Claims\":\"{\\\"access_token\\\":{\\\"capolids\\\":{\\\"essential\\\":true,\\\"values\\\":[\\\"051744ca-6abe-4095-b526-14a7f4033309\\\"]}}}\"}",

    "innerError": {

      "date": "2020-09-16T01:16:03",

      "request-id": "82cd21d1-6413-4512-a2d1-fa1d0a3c5826",

      "client-request-id": "82cd21d1-6413-4512-a2d1-fa1d0a3c5826"

    }

  }

}

To handle this, the user needs to catch the error, get the claims challenge and send in a login request with claims challenge as an extra query string parameter.

To learn more, see https://docs.microsoft.com/en-us/azure/active-directory/develop/conditional-access-dev-guide#scenario-app-performing-the-on-behalf-of-flow

Below is a PowerShell sample which showcases on how to handle the conditional access challenge when calling PIM api's on MSGraph. Just save this as a .ps1 file and run it with PowerShell.

Sceenshot

Source code

#Acquire AAD token

function AcquireToken($claims){

    $clientID = "dabc52c4-106b-4179-9df2-2f791f44ba14"

    $redirectUri = "https://pimmsgraph"

 

    $authority = "https://login.microsoftonline.com/common"

    if($claims -ne $null)

    {

        $authResult = Get-MSALToken -Scopes @("https://graph.microsoft.com/.default") -ClientId $ClientID -RedirectUri $redirectUri -Authority $authority -Interactive -ExtraQueryParameters @{claims=$claims}

        Set-Variable -Name mfaDone -Value $true -Scope Global

    }

    else

    {

        $authResult = Get-MSALToken -Scopes @("https://graph.microsoft.com/.default") -ClientId $ClientID -RedirectUri $redirectUri -Authority $authority -Interactive

    }

    if($authResult -ne $null)

    {

        Write-Host "User logged in successfully ..." -ForegroundColor Green

    }

    Set-Variable -Name headerParams -Value @{'Authorization'="$($authResult.AccessTokenType) $($authResult.AccessToken)"} -Scope Global

    Set-Variable -Name assigneeId -Value $authResult.UserInfo.UniqueId -Scope Global

} 

#List resources

function ListResources(){

    $url = $serviceRoot + "resources?`$filter=(type+eq+'subscription')" 

     Write-Host $url

    $response = Invoke-WebRequest -UseBasicParsing -Headers $headerParams -Uri $url -Method Get

    $resources = ConvertFrom-Json $response.Content

    $i = 0

    $obj = @()

    foreach ($resource in $resources.value)

    {

        $item = New-Object psobject -Property @{

        Id = ++$i

        ResourceId =  $resource.id

        ResourceName =  $resource.displayName

        ResourceType =  $resource.type

    }

    $obj = $obj + $item

}

 

return $obj

}

#Disaplay resources

function DisplayResources(){

    $resources = ListResources

    $resources | Format-Table -AutoSize -Wrap Id,ResourceName,ResourceType

}

 

############################################################################################################################################################################

 

$global:serviceRoot = "https://graph.microsoft.com/beta/privilegedAccess/azureResources/"

$global:MSGraphRoot = "https://graph.microsoft.com/v1.0/"

$global:headerParams = ""

$global:assigneeId = ""

$global:mfaDone = $false;

 

# Install msal.ps

if(!(Get-Module | Where-Object {$_.Name -eq 'PowerShellGet' -and $_.Version -ge '2.2.4.1'})) { Install-Module PowerShellGet -Force }

if(!(Get-Package msal.ps)) { Install-Package msal.ps }

$Authed = AcquireToken $global:clientID $global:redirectUri $global:resourceAppIdURI $global:authority $false

if ($Authed -eq $false)

{

    return

}

try

{

    DisplayResources

}

catch

{

    $stream = $_.Exception.Response.GetResponseStream()

    $stream.Position = 0;

    $streamReader = New-Object System.IO.StreamReader($stream)

    $err = $streamReader.ReadToEnd()

    $streamReader.Close()

    $stream.Close()

 

    if($err.Contains("invalid_grant"))

    {

        $errorObject = ConvertFrom-Json $err

        $message = ConvertFrom-Json $errorObject.error.message

        $claims = $message.claims

        Write-Host "Prompting the user again since since a conditional access policy is enabled..." -ForegroundColor Green

        AcquireToken $claims

        DisplayResources

    }

    else

    {

        Write-Host $err -ForegroundColor Red

    }

}

 

Write-Host ""

SQL interceptors

SQL interceptors are a way to apply filtering by tenant for securing multi-tenant applications. Here is a good read on it http://xabikos.com/2014/11/18/Create-a-multitenant-application-with-Entity-Framework-Code-First-Part-2/

However, you need to be careful with it since they modify your query at runtime. 

Specifically, DbExpressionBuilder.Bind(databaseExpression) in the interceptor causes a random variable to be created which creates a random query text for the same query on every reinitialize which is generally a recycle on the VM where the application is running.

This puts unnecessary unnecessary pressure on QDS (Query Data Store).

Also, if you force a query plan for a specific query hash, a new query hash will be generated the next time so the forced plan will not work.

To fix this, make sure to bind it with a specific variable name like DbExpressionBuilder.BindAs(databaseExpression, "Filter")

Troubleshooting SQL Azure issues

Query Performance Insights

The most common place to look for SQL Azure issues is Query Performance Insights on Azure portal https://docs.microsoft.com/en-us/azure/sql-database/sql-database-query-performance

Troubleshoot SQL query timeouts

There are various Data Management Views (DMV’s) created by SQL Azure team https://docs.microsoft.com/en-us/azure/sql-database/sql-database-monitoring-with-dmvs

I tweaked them a little below:

Find query hashes which are timing out

Look for Aborted_Execution_Count column.

-- Top 15 CPU consuming queries by query hash

-- note that a query  hash can have many query id if not parameterized or not parameterized properly

-- it grabs a sample query text by min

WITH AggregatedCPU AS (SELECT q.query_hash, p.query_plan_hash, SUM(count_executions * avg_cpu_time / 1000.0) AS total_cpu_millisec, SUM(count_executions * avg_cpu_time / 1000.0)/ SUM(count_executions) AS avg_cpu_millisec, MAX(rs.max_cpu_time / 1000.00) AS max_cpu_millisec, MAX(max_logical_io_reads) max_logical_reads, COUNT(DISTINCT p.plan_id) AS number_of_distinct_plans, COUNT(DISTINCT p.query_id) AS number_of_distinct_query_ids, SUM(CASE WHEN rs.execution_type_desc='Aborted' THEN count_executions ELSE 0 END) AS Aborted_Execution_Count, SUM(CASE WHEN rs.execution_type_desc='Regular' THEN count_executions ELSE 0 END) AS Regular_Execution_Count, SUM(CASE WHEN rs.execution_type_desc='Exception' THEN count_executions ELSE 0 END) AS Exception_Execution_Count, SUM(count_executions) AS total_executions, MIN(qt.query_sql_text) AS sampled_query_text

                       FROM sys.query_store_query_text AS qt

                            JOIN sys.query_store_query AS q ON qt.query_text_id=q.query_text_id

                            JOIN sys.query_store_plan AS p ON q.query_id=p.query_id

                            JOIN sys.query_store_runtime_stats AS rs ON rs.plan_id=p.plan_id

                            JOIN sys.query_store_runtime_stats_interval AS rsi ON rsi.runtime_stats_interval_id=rs.runtime_stats_interval_id

                       WHERE rs.execution_type_desc IN ('Regular', 'Aborted', 'Exception')AND rsi.start_time>=DATEADD(HOUR, -24, GETUTCDATE())

                       GROUP BY q.query_hash, p.query_plan_hash), OrderedCPU AS (SELECT query_hash, query_plan_hash, total_cpu_millisec, avg_cpu_millisec, max_cpu_millisec, max_logical_reads, number_of_distinct_plans, number_of_distinct_query_ids, total_executions, Aborted_Execution_Count, Regular_Execution_Count, Exception_Execution_Count, sampled_query_text, ROW_NUMBER() OVER (ORDER BY total_cpu_millisec DESC, query_hash ASC) AS RN

                                                              FROM AggregatedCPU)

SELECT OD.query_hash, OD.query_plan_hash, OD.total_cpu_millisec, OD.avg_cpu_millisec, OD.max_cpu_millisec, OD.max_logical_reads, OD.number_of_distinct_plans, OD.number_of_distinct_query_ids, OD.total_executions, OD.Aborted_Execution_Count, OD.Regular_Execution_Count, OD.Exception_Execution_Count, OD.sampled_query_text, OD.RN

FROM OrderedCPU AS OD

WHERE OD.RN<=15

ORDER BY total_cpu_millisec DESC;

Compare query plans for timing out query hash

Look for avg_cpu_millisec column. The query plan with lower value is better. If there is only one query plan, then you need to change your query to use the right indexes.

-- Top 15 CPU consuming queries by query hash

-- note that a query  hash can have many query id if not parameterized or not parameterized properly

-- it grabs a sample query text by min

WITH AggregatedCPU AS (SELECT q.query_hash, p.query_plan_hash, SUM(count_executions * avg_cpu_time / 1000.0) AS total_cpu_millisec, SUM(count_executions * avg_cpu_time / 1000.0)/ SUM(count_executions) AS avg_cpu_millisec, MAX(rs.max_cpu_time / 1000.00) AS max_cpu_millisec, MAX(max_logical_io_reads) max_logical_reads, COUNT(DISTINCT p.plan_id) AS number_of_distinct_plans, COUNT(DISTINCT p.query_id) AS number_of_distinct_query_ids, SUM(CASE WHEN rs.execution_type_desc='Aborted' THEN count_executions ELSE 0 END) AS Aborted_Execution_Count, SUM(CASE WHEN rs.execution_type_desc='Regular' THEN count_executions ELSE 0 END) AS Regular_Execution_Count, SUM(CASE WHEN rs.execution_type_desc='Exception' THEN count_executions ELSE 0 END) AS Exception_Execution_Count, SUM(count_executions) AS total_executions, MIN(qt.query_sql_text) AS sampled_query_text

                       FROM sys.query_store_query_text AS qt

                            JOIN sys.query_store_query AS q ON qt.query_text_id=q.query_text_id

                            JOIN sys.query_store_plan AS p ON q.query_id=p.query_id

                            JOIN sys.query_store_runtime_stats AS rs ON rs.plan_id=p.plan_id

                            JOIN sys.query_store_runtime_stats_interval AS rsi ON rsi.runtime_stats_interval_id=rs.runtime_stats_interval_id

                       WHERE rs.execution_type_desc IN ('Regular', 'Aborted', 'Exception')AND rsi.start_time>=DATEADD(HOUR, -24, GETUTCDATE())

                       GROUP BY q.query_hash, p.query_plan_hash), OrderedCPU AS (SELECT query_hash, query_plan_hash, total_cpu_millisec, avg_cpu_millisec, max_cpu_millisec, max_logical_reads, number_of_distinct_plans, number_of_distinct_query_ids, total_executions, Aborted_Execution_Count, Regular_Execution_Count, Exception_Execution_Count, sampled_query_text, ROW_NUMBER() OVER (ORDER BY total_cpu_millisec DESC, query_hash ASC) AS RN

                                                              FROM AggregatedCPU)

SELECT OD.query_hash, OD.query_plan_hash, OD.total_cpu_millisec, OD.avg_cpu_millisec, OD.max_cpu_millisec, OD.max_logical_reads, OD.number_of_distinct_plans, OD.number_of_distinct_query_ids, OD.total_executions, OD.Aborted_Execution_Count, OD.Regular_Execution_Count, OD.Exception_Execution_Count, OD.sampled_query_text, OD.RN

FROM OrderedCPU AS OD

WHERE OD.query_hash= query_hash

ORDER BY total_cpu_millisec DESC;

Analyze the query plan

Once you have the query plan hash for which the query is timing out, you can view and analyze it by running this query

select qsq.query_hash

 ,qsp.query_plan_hash

 ,qsq.query_id

 ,qsp.plan_id

 ,qsq.query_text_id

 ,qsq.is_internal_query

 ,qsrts.first_execution_time

 ,qsrts.last_execution_time

 ,qsqt.query_sql_text

 ,CAST(qsp.query_plan AS XML)

 ,qsrts.count_executions

from

 [sys].[query_store_runtime_stats] qsrts

 inner join [sys].[query_store_plan] qsp on qsrts.plan_id = qsp.plan_id

 inner join [sys].[query_store_query] qsq on qsp.query_id = qsq.query_id

 inner join [sys].[query_store_query_text] qsqt on qsq.query_text_id = qsqt.query_text_id

where  qsp.query_plan_hash = query_plan_hash

Force a query plan

If you have multiple query plans for a query, where one query plan is performing far better than the other, you can force that query plan. You need to analyze both query plans before you decide a force a specific plan so that it will work for both large and small volume of data.

https://docs.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/sp-query-store-force-plan-transact-sql?view=sql-server-2017

select * from sys.query_store_plan where is_forced_plan=1

EXEC sp_query_store_force_plan query_id, plan_id;

MSDN blog posts

My MSDN blog posts have been moved here.
Please see the list of redirections below:

PowerShell sample for Privileged Identity Management (PIM) for Azure AD Roles

https://blogs.msdn.microsoft.com/anujchaudhary/2018/06/07/powershell-sample-for-privileged-identity-management-pim-for-azure-ad-roles/ > http://www.anujchaudhary.com/2018/06/powershell-sample-for-privileged_7.html

PowerShell sample for Privileged Identity Management (PIM) for Azure Resources

https://blogs.msdn.microsoft.com/anujchaudhary/2018/02/07/powershell-sample-for-privileged-identity-management-pim-for-azure-resources/ > http://www.anujchaudhary.com/2018/02/powershell-sample-for-privileged.html

Securing Azure resources with Privileged Identity Management

https://blogs.msdn.microsoft.com/anujchaudhary/2018/04/12/securing-azure-resources-with-privileged-identity-management/ > http://www.anujchaudhary.com/2018/04/securing-azure-resources-with.html

Windows Azure: Automated UI testing using the power of cloud

http://blogs.msdn.com/b/anujchaudhary/archive/2012/11/02/windows-azure-automated-ui-testing-using-the-power-of-cloud.aspx > http://www.anujchaudhary.com/2012/11/windows-azure-automated-ui-testing.html 

OData Client Code Generator for VS 2015

I had been using OData Client Code Generator for VS 2015 to generate client for my OData service.
See https://blogs.msdn.microsoft.com/odatateam/2014/03/11/tutorial-sample-how-to-use-odata-client-code-generator-to-generate-client-side-proxy-class/

The extension used to be deployed in my VS 2015 but recently it disappeared.
When I tried to search for it in Extension and Updates, it would show a newer version of OData Client Code Generator which won't work for VS 2015.

After looking around, I found the older version here https://github.com/OData/lab/blob/Tools/Tools/ODataT4ItemTemplate.2.4.0.vsix
You can download and install it from here and restart VS 2015.

After that, you should be able to generate the OData client as usual in VS 2015.

PowerShell sample for Privileged Identity Management (PIM) for Azure AD Roles

PIM for Azure AD Roles provides Just in Time (JIT) capability for Azure AD Roles. See more at https://docs.microsoft.com/en-us/azure/active-directory/active-directory-privileged-identity-management-getting-started 

How cool would it be if I can use the MSGraph PIM api’s to build custom applications. For example, you have multiple roles where you want to activate every day. It would be time consuming to activate them one by one. Instead, you can build a custom app using PowerShell or UI so that you can activate to all of these roles in one shot.

In this blog, I will share a sample to list all your eligible roles and activate or deactivate them. You will also be able to assign someone to a role.

I will share the full source code so you can customize it to suit your needs. Just save this as a .ps1 file and run it with PowerShell.

Note: If you tenant has migrated to newer version of PIM, see http://www.anujchaudhary.com/2018/02/powershell-sample-for-privileged.html

Screenshot

Setup

• Create a native AAD application. See https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-integrating-applications
• 
• Grant it the following permissions to the application.
• Read and write privileged access to Azure AD - You will need it if you are going to use the app for PIM for Azure AD Roles
• Read and write privileged access to Azure resources - You will need it if you are going to use the app for PIM for Azure Resources
• Read directory data - You will need it if you are going to read users, etc. from directory like the assignment example in the below source code
• 
• 
• Note than these permissions require Admin consent so you will have to contact the tenant admin to grant these permissions. See https://docs.microsoft.com/en-us/azure/active-directory/application-dev-registration-config-grant-permissions-how-to 
• In the below code, update $clientID with your application id and $redirectUri with the redirect uri of the application.

Source code

#Loads Active Directory Authentication Library

function Load-ActiveDirectoryAuthenticationLibrary(){

    $moduleDirPath = [Environment]::GetFolderPath("MyDocuments") + "\WindowsPowerShell\Modules"

    $modulePath = $moduleDirPath + "\AADGraph"

    if(-not (Test-Path ($modulePath+"\Nugets"))) {New-Item -Path ($modulePath+"\Nugets") -ItemType "Directory" | out-null}

    $adalPackageDirectories = (Get-ChildItem -Path ($modulePath+"\Nugets") -Filter "Microsoft.IdentityModel.Clients.ActiveDirectory*" -Directory)

    if($adalPackageDirectories.Length -eq 0){

        Write-Host "Active Directory Authentication Library Nuget doesn't exist. Downloading now ..." -ForegroundColor Yellow

        if(-not(Test-Path ($modulePath + "\Nugets\nuget.exe")))

        {

            Write-Host "nuget.exe not found. Downloading from http://www.nuget.org/nuget.exe ..." -ForegroundColor Yellow

            $wc = New-Object System.Net.WebClient

            $wc.DownloadFile("http://www.nuget.org/nuget.exe",$modulePath + "\Nugets\nuget.exe");

        }

        $nugetDownloadExpression = $modulePath + "\Nugets\nuget.exe install Microsoft.IdentityModel.Clients.ActiveDirectory -Version 2.14.201151115 -OutputDirectory " + $modulePath + "\Nugets | out-null"

        Invoke-Expression $nugetDownloadExpression

    }

    $adalPackageDirectories = (Get-ChildItem -Path ($modulePath+"\Nugets") -Filter "Microsoft.IdentityModel.Clients.ActiveDirectory*" -Directory)

    $ADAL_Assembly = (Get-ChildItem "Microsoft.IdentityModel.Clients.ActiveDirectory.dll" -Path $adalPackageDirectories[$adalPackageDirectories.length-1].FullName -Recurse)

    $ADAL_WindowsForms_Assembly = (Get-ChildItem "Microsoft.IdentityModel.Clients.ActiveDirectory.WindowsForms.dll" -Path $adalPackageDirectories[$adalPackageDirectories.length-1].FullName -Recurse)

    if($ADAL_Assembly.Length -gt 0 -and $ADAL_WindowsForms_Assembly.Length -gt 0){

        Write-Host "Loading ADAL Assemblies ..." -ForegroundColor Green

        [System.Reflection.Assembly]::LoadFrom($ADAL_Assembly[0].FullName) | out-null

        [System.Reflection.Assembly]::LoadFrom($ADAL_WindowsForms_Assembly.FullName) | out-null

        return $true

    }

    else{

        Write-Host "Fixing Active Directory Authentication Library package directories ..." -ForegroundColor Yellow

        $adalPackageDirectories | Remove-Item -Recurse -Force | Out-Null

        Write-Host "Not able to load ADAL assembly. Delete the Nugets folder under" $modulePath ", restart PowerShell session and try again ..."

        return $false

    }

}

#Acquire AAD token

function AcquireToken($mfa){

    $clientID = "c7c64917-42bd-4a36-8ed6-af40122626eb"

    $redirectUri = "https://pimmsgraph"

    $authority = "https://login.microsoftonline.com/common"

    $authContext = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext" -ArgumentList $authority,$false

    if($mfa)

    {

        $authResult = $authContext.AcquireToken("https://graph.microsoft.com",$ClientID,$redirectUri,[Microsoft.IdentityModel.Clients.ActiveDirectory.PromptBehavior]::Auto, [Microsoft.IdentityModel.Clients.ActiveDirectory.UserIdentifier]::AnyUser, "amr_values=mfa")

        Set-Variable -Name mfaDone -Value $true -Scope Global

    }

    else

    {

        $authResult = $authContext.AcquireToken("https://graph.microsoft.com",$ClientID,$redirectUri,[Microsoft.IdentityModel.Clients.ActiveDirectory.PromptBehavior]::Always)

    }

    if($authResult -ne $null)

    {

        Write-Host "User logged in successfully ..." -ForegroundColor Green

    }

    Set-Variable -Name headerParams -Value @{'Authorization'="$($authResult.AccessTokenType) $($authResult.AccessToken)"} -Scope Global

    Set-Variable -Name assigneeId -Value $authResult.UserInfo.UniqueId -Scope Global

}

#Gets my jit assignments

function MyJitAssignments(){

    $url = $serviceRoot + "privilegedRoleAssignments/my?`$expand=roleInfo&`$filter=isElevated+eq+false" 

    Write-Host $url

    $response = Invoke-WebRequest -UseBasicParsing -Headers $headerParams -Uri $url -Method Get

    $assignments = ConvertFrom-Json $response.Content

    Write-Host ""

    Write-Host "Role assignments..." -ForegroundColor Green

    $i = 0

    $obj = @()

    foreach ($assignment in $assignments.value)

    {

        $item = New-Object psobject -Property @{

        Id = ++$i

        RoleAssignmentId =  $assignment.id

        RoleId =  $assignment.roleInfo.id

        RoleName =  $assignment.roleInfo.name

        UserId = $assignment.userid

    }

    $obj = $obj + $item

    }

    return $obj

}

#Gets my active assignments

function MyActivatedAssignments(){

    $url = $serviceRoot + "privilegedRoleAssignments/my?`$expand=roleInfo&`$filter=isElevated+eq+true+and+expirationDateTime+ne+null" 

    Write-Host $url

    $response = Invoke-WebRequest -UseBasicParsing -Headers $headerParams -Uri $url -Method Get

    $assignments = ConvertFrom-Json $response.Content

    Write-Host ""

    Write-Host "Role assignments..." -ForegroundColor Green

    $i = 0

    $obj = @()

    foreach ($assignment in $assignments.value)

    {

        $item = New-Object psobject -Property @{

        Id = ++$i

        RoleAssignmentId =  $assignment.id

        RoleId =  $assignment.roleInfo.id

        RoleName =  $assignment.roleInfo.name

        UserId = $assignment.userid

        ExpirationDateTime = $assignment.expirationDateTime

    }

    $obj = $obj + $item

    }

    return $obj

}

#List roles

function ListRoles(){

    $url = $serviceRoot + "privilegedRoles?&`$orderby=name"

    Write-Host $url

    $response = Invoke-WebRequest -UseBasicParsing -Headers $headerParams -Uri $url -Method Get

    $roles = ConvertFrom-Json $response.Content

    $i = 0

    $obj = @()

    foreach ($role in $roles.value)

    {

        $item = New-Object psobject -Property @{

        Id = ++$i

        RoleId =  $role.id

        RoleName =  $role.name

    }

    $obj = $obj + $item

    }

    return $obj

}

#List Assignment

function ListAssignmentsWithFilter($roleId){

    $url = $serviceRoot + "privilegedRoleAssignments?`$expand=roleInfo&`$filter=roleId+eq+'" + $roleId + "'"

    Write-Host $url

    $response = Invoke-WebRequest -UseBasicParsing -Headers $headerParams -Uri $url -Method Get

    $roleAssignments = ConvertFrom-Json $response.Content

    $i = 0

    $obj = @()

    foreach ($roleAssignment in $roleAssignments.value)

        {

        $item = New-Object psobject -Property @{

        Id = ++$i

        RoleAssignmentId =  $roleAssignment.id

        RoleId = $roleAssignment.roleInfo.id

        RoleName = $roleAssignment.roleInfo.name

        IsElevated = $roleAssignment.isElevated

        ExpirationDateTime = $roleAssignment.expirationDateTime

        UserId = $roleAssignment.userId

    }

    $obj = $obj + $item

}

return $obj

}

#List Users

function ListUsers($user_search){

    $url = $MSGraphRoot + "users?`$filter=startswith(displayName,'" + $user_search + "')"

    Write-Host $url

    $response = Invoke-WebRequest -UseBasicParsing -Headers $headerParams -Uri $url -Method Get

    $users = ConvertFrom-Json $response.Content

    $i = 0

    $obj = @()

    foreach ($user in $users.value)

    {

        $item = New-Object psobject -Property @{

        Id = ++$i

        UserId =  $user.id

        UserName =  $user.DisplayName

    }

    $obj = $obj + $item

    }

    return $obj

}

#Activates the user

function Activate($isRecursive = $false){

    if($isRecursive -eq $false)

    {

        $assignments = MyJitAssignments

        $assignments | Format-Table -AutoSize -Wrap Id,RoleName

        $choice = Read-Host "Enter Id to activate"

        $hours = Read-Host "Enter Activation duration in hours"

        $reason = Read-Host "Enter Reason"

    }

    $roleId = $assignments[$choice-1].RoleId

    $url = $serviceRoot + "privilegedRoles('" + $roleId + "')/selfActivate"

    $postParams = '{"duration":"' + $hours + '","reason":"' + $reason + '"}'

    write-Host $postParams

    try

    {

        $response = Invoke-WebRequest -UseBasicParsing -Headers $headerParams -Uri $url -Method Post -ContentType "application/json" -Body $postParams

        Write-Host "Role activated successfully ..." -ForegroundColor Green

    }

    catch

    {

        $stream = $_.Exception.Response.GetResponseStream()

        $stream.Position = 0;

        $streamReader = New-Object System.IO.StreamReader($stream)

        $err = $streamReader.ReadToEnd()

        $streamReader.Close()

        $stream.Close()

        if($mfaDone -eq $false -and $err.Contains("MfaRule"))

        {

            Write-Host "Prompting the user for mfa ..." -ForegroundColor Green

            AcquireToken true

            Activate $true

        }

        else

        {

            Write-Host $err -ForegroundColor Red

        }

    }

}

#Deactivates the user

function Deactivate($isRecursive = $false){

    if($isRecursive -eq $false)

    {

        $assignments = MyActivatedAssignments

        $assignments | Format-Table -AutoSize -Wrap Id,RoleName,ExpirationDateTime

        $choice = Read-Host "Enter Id to deactivate"

    }

    $roleId = $assignments[$choice-1].RoleId

    $url = $serviceRoot + "privilegedRoles('" + $roleId + "')/selfDeactivate"

    $response = Invoke-WebRequest -UseBasicParsing -Headers $headerParams -Uri $url -Method Post -ContentType "application/json"

    Write-Host "Role deactivated successfully ..." -ForegroundColor Green

}

#List RoleAssignment

function ListAssignment(){

    #List and Pick a role

    $roles = ListRoles

    $roles | Format-Table -AutoSize -Wrap Id, RoleName, RoleId

    $role_choice = Read-Host "Pick a role Id"

    $roleId = $roles[$role_choice-1].RoleId

    write-Host $roleId

    #List Member

    $roleAssignments = ListAssignmentsWithFilter $roleId

    $roleAssignments | Format-Table -AutoSize -Wrap Id, RoleName, UserId, IsElevated, ExpirationDateTime

}

#Assign a user to Eligible

function AssignmentEligible() {

    #List and Pick a role

    $roles = ListRoles

    $roles | Format-Table -AutoSize -Wrap Id, RoleName

    $role_choice = Read-Host "Pick a role Id"

    $roleId = $roles[$role_choice-1].RoleId

    write-Host $roleId

    #Search user by Name, and pick a user

    $user_search = Read-Host "user Name start with..."

    $users = ListUsers($user_search)

    $users | Format-Table -AutoSize -Wrap Id, UserName, UserId

    $user_choice = Read-Host "Pick a user Id"

    $userId = $users[$user_choice-1].UserId

    $url = $serviceRoot + "privilegedRoleAssignments"

    $postParams = '{"roleId":"' + $roleId + '","userId":"' + $userId + '"}'

    write-Host $postParams

        

    $response = Invoke-WebRequest -UseBasicParsing -Headers $headerParams -Uri $url -Method Post -ContentType "application/json" -Body $postParams

    Write-Host "Assignment added successfully ..." -ForegroundColor Green

}

#Show menu

function ShowMenu(){

    Write-Host ""

    Write-Host "Azure AD JIT - PowerShell Menu v1.0"

    Write-Host "  1. List your eligible role assignments"

    Write-Host "  2. Activate an eligible role"

    Write-Host "  3. Deactivate an active role"

    Write-Host "  4. List Assignment against a role"

    Write-Host "  5. Assign a user to a role"

    Write-Host "  6. Exit"

}

############################################################################################################################################################################

$global:serviceRoot = "https://graph.microsoft.com/beta/"

$global:MSGraphRoot = "https://graph.microsoft.com/v1.0/"

$global:headerParams = ""

$global:assigneeId = ""

$global:mfaDone = $false;

Load-ActiveDirectoryAuthenticationLibrary

AcquireToken

do

{

    ShowMenu

    #Write-Host "Enter your selection"

    $input = Read-Host "Enter your selection"

    switch ($input)

    {

        '1'

        {

            $assignments = MyJitAssignments

            $assignments | Format-Table -AutoSize -Wrap Id,RoleName

        }

        '2'

        {

            Activate

        }

        '3'

        {

            Deactivate

        }

        '4'

        {

            ListAssignment

        }

        '5'

        {

            AssignmentEligible

        }

        '6'

        {

            return

        }

    }

}

until ($input -eq '6')

Write-Host ""

user_interaction_required – Not able to add/refresh account in VS 2015

One day all of a sudden most of our team members were not able to add/refresh their account in VS 2015. We were getting an error

---------------------------

Microsoft Visual Studio

---------------------------

We could not refresh the credentials for the account xxx

user_interaction_required: One of two conditions was encountered: 1. The PromptBehavior.Never flag was passed, but the constraint could not be honored, because user interaction was required. 2. An error occurred during a silent web authentication that prevented the http authentication flow from completing in a short enough time frame

---------------------------

OK  

---------------------------

I then started looking at the network traces to figure out what’s wrong. I saw that there was an interaction between login.microsoftonline.com and tokenprovider.termsofuse.identitygovernance.azure.com after which the error would occur.

I copied the first url which looks like https://login.microsoftonline.com/xxx/oauth2/authorize?resource=https%3a%2f%2fmanagement.core.windows.net%2f&client_id=872cd9fa-d31f-45e0-9eab-6e460a02d1f1&response_type=code&redirect_uri=urn%3aietf%3awg%3aoauth%3a2.0%3aoob&login_hint=xxx&client-request-id=f9c9ba16-48c2-4def-9b2d-c2218191eb7f&prompt=attempt_none&x-client-SKU=.NET&x-client-Ver=2.16.0.0&x-client-CPU=x64&x-client-OS=Microsoft+Windows+NT+10.0.16299.0&sso_nonce=xxx&mscrid=xxx  and pasted it into browser.

Now, I saw a prompt to accept Terms Of Use in a different tenant that my home tenant. Looked like someone had enabled a Terms of Use Conditional Access policy on that tenant. See more details about Terms of Use here https://docs.microsoft.com/en-us/azure/active-directory/active-directory-tou

On analyzing more, it looks like VS tries to get a token for all the tenants you belong to. If one of the tenant has a Conditional Access policy like Terms of Use which requires a user input, VS 2015 will not be able to show it to you. So will you have to upgrade to VS 2017 or disable the Conditional Access policy.

Once this is done, everything should start working as usual.

Securing Azure resources with Privileged Identity Management

With Azure Active Directory Privileged Identity Management (PIM), you can now manage, control, and monitor access to Azure Resources within your organization. To learn more, see https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/azure-pim-resource-rbac

It is important to have a Just In Time (JIT) capability to JIT into an Azure subscription for few hours to investigate any issues. However, once a bad guy has access to the subscription, he can get a lot of information out (like secrets, etc.) and do bad things even after the access is lost.

With PIM, you can assign JIT access not only at the subscription level but also at a specific Resource group or Resource level to prevent any information disclosure. Here is an example of how you can manage your subscription securely with PIM.

Create a Resource group for all your secrets. Let’s call it SecretsResourceGroup. This resource group can have the following resources:

• Azure Storage
• SQL Azure
• Cosmos DB
• Etc.

Create a Resource group for all your deployments. Let’s call it DeploymentsResourceGroup. This resource can have the following resources:

• Cloud Service
• Service Fabric
• App Service
• Virtual Machines
• Etc.

You will notice that almost anyone who needs access to the subscription actually needs access to a resource within DeploymentsResourceGroup. Typical scenarios include:

• Investigating live site issue with a specific deployment
• Restarting a VM
• Installing a software update
• Etc.

If they need access to multiple resources, you can assign them Eligible assignment on the Resource group. If they need access to a specific resource, you can assign them Eligible assignment on the specific resource. Now whenever, they need access, they can JIT into the specific resource at that time. You can also configure approval so that they can only JIT upon approval.

Thus, due to the granularity that PIM supports, you can now prevent people from accessing your secrets but still allow them to JIT into the specific resources where they need to investigate any issues.