I get got a PowerShell script which today uses AzureAD commandlets to perform about write operations inwards Azure AD. This script is to hold out run on a schedule, in addition to where amend to run this than inwards Azure. It could hold out every bit a spider web undertaking or every bit an Azure Function.
When running inwards an app service nosotros cannot utilization interactive login, but get got to utilization the connect signature below which takes an ADAL app id in addition to a certificate:
Connect-AzureAD –TenantId <tenantId> –ApplicationId <appid> –CertificateThumbprint <thumbprint>
This agency nosotros get got to practise in addition to ADAL app which accepts a certificate, too every bit brand certain nosotros tin access the certificate from the app service.
For this tutorial I’ll instruct amongst an Azure Function, but the steps are pretty much the same.
Pre-requisite
Install the AzureAD or AzureADPreview ascendance lets on your local machine.
Steps covered
- Create a self-signed certificate
- Create an ADAL app
- Grant the ADAL app access to write to AAD
- Create an Azure Function
- Load Azure AD PowerShell inwards an Azure Function
- Connect to AzureAD using an ADAL app in addition to a certificate
Create a self-signed certificate
You tin practise in addition to export a certificate using the steps at https://docs.microsoft.com/en-us/powershell/azure/active-directory/signing-in-service-principal?view=azureadps-2.0. Make certain yous opened upward PowerShell every bit an admin account.
$pwd = "mikael" $currentDate = Get-Date $endDate = $currentDate.AddYears(10) #10 years is dainty in addition to long $thumb = (New-SelfSignedCertificate -DnsName "techmikael.com" -CertStoreLocation "cert:\LocalMachine\My" -KeyExportPolicy Exportable -Provider "Microsoft Enhanced RSA in addition to AES Cryptographic Provider" -NotAfter $endDate).Thumbprint $pwd = ConvertTo-SecureString -String $pwd -Force -AsPlainText Export-PfxCertificate -cert "cert:\localmachine\my\$thumb" -FilePath .\techmikael.pfx -Password $pwd $path = (Get-Item -Path ".\").FullName $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate("$path\techmikael.pfx", $pwd) $keyValue = [System.Convert]::ToBase64String($cert.GetRawCertData())
Create ADAL application in addition to exam connection
Next upward is creating the application registration in addition to service primary which nosotros volition demand when connectedness to Azure AD.
# Connect to Azure AD every bit an admin draw organisation human relationship Connect-AzureAD # Create Azure Active Directory Application (ADAL App) $application = New-AzureADApplication -DisplayName "AzureADPosh" -IdentifierUris "https://techmikael.com/AzureADPosh" New-AzureADApplicationKeyCredential -ObjectId $application.ObjectId -CustomKeyIdentifier "AzureADPosh" -Type AsymmetricX509Cert -Usage Verify -Value $keyValue -StartDate $currentDate -EndDate $endDate # Create the Service Principal in addition to connect it to the Application $sp=New-AzureADServicePrincipal -AppId $application.AppId # Give the application read/write permissions to AAD Add-AzureADDirectoryRoleMember -ObjectId (Get-AzureADDirectoryRole | where-object {$_.DisplayName -eq "Directory Writers"}).Objectid -RefObjectId $sp.ObjectId # Test to login using the app $tenant = Get-AzureADTenantDetail $appId = $application.AppId Connect-AzureAD -TenantId $tenant.ObjectId -ApplicationId $Application.AppId -CertificateThumbprint $thumb
You should at 1 time hold out able to run whatever AzureAD ascendance inwards the context of the service primary for the ADAL app yous only created.
Make certain to re-create out:
- Tenant id
- Application id
- Thumbprint
as yous volition demand this afterward inwards the Azure function.
Create in addition to configure a Function App inwards Azure
Log inwards to the Azure Portal (portal.azure.com) in addition to practise a novel Function App.
Next navigate to Application settings for the Function App in addition to click SSL, inwards social club to upload the self-signed certificate.
Point to the exported pfx file in addition to utilization the password yous selected.
Next navigate to Application settings where yous should laid the platform to 64bit, which works best for PowerShell, too every bit add together an application setting named WEBSITE_LOAD_CERTIFICATES which has the thumbprint of the certificate to ensure your certificate is available to the function.
By opening KUDU PowerShell for the Function App yous tin run across the certificate existence available.
Uploading the AzureAD module to the Azure Function
You powerfulness get got seen tutorials where yous practise a folder named modules below the PowerShell function, where these modules volition in addition to thus hold out machine loaded for your use. This volition non piece of job every bit at that spot are about warnings/errors which yous desire to ignore when loading the module. Instead upload it to a dissever folder, in addition to charge it manually.
The easiest way to upload the module is to opened upward Kudu, works life on the Application settings page.
In Kudu navigate to D:\home\site in addition to practise a folder named PoshModules in addition to navigate to within the folder. Open a Windows Explorer window on your local machine in addition to discovery your installation of AzureAD. On my machine they are located at C:\Program Files\WindowsPowerShell\Modules\AzureADPreview\2.0.1.2.
Then drag in addition to drib all the files over to the PoshModules folder.
Create a component in addition to exam it
Create a novel custom component of type PowerShell. You demand to enable experimental back upward for PowerShell to hold out available.
Copy inwards this sample component where yous supervene upon appId, tenantId in addition to pollex variables amongst your own.
$ProgressPreference = "SilentlyContinue" $WarningPreference = "SilentlyContinue" # Import AzureAD in addition to suppress errors Import-Module "d:\home\site\PoshModules\AzureADPreview.psd1" -ErrorAction SilentlyContinue # POST method: $req $requestBody = Get-Content $req -Raw | ConvertFrom-Json $appId = "<appid>" $thumb = "<thumb>" $tenantId = "<tenantid>" Connect-AzureAD -TenantId $tenantId -ApplicationId $appId -CertificateThumbprint $thumb $user = (Get-AzureADUser)[0] Out-File -Encoding Ascii -FilePath $res -inputObject "User:$($user.DisplayName)"
Summary
If yous get got scripts fix using for illustration Azure AD PowerShell commandlets, yous tin indeed movement them to Azure, running using a service principal. There are about hoops to fountain though, but it’s non impossible.
Thanks for reading : How To Hold Upwards Azuread Powershell Commandlets Inwards Azure