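<#
.SYNOPSIS
    One-time bootstrap of the "AzureADPosh" Azure AD application with certificate authentication.
.DESCRIPTION
    Creates a self-signed certificate, registers an application that requests the Microsoft Graph
    application permissions Reports.Read.All and Group.ReadWrite.All, walks the operator through
    admin consent, creates the service principal, adds it to the "Directory Writers" role and
    finally signs in as the application to confirm the setup works.
    Side effects: writes cert-thumb.txt, tenantid.txt, appid.txt and madcow.pfx to the current
    directory; creates an application, a service principal and a role membership in the tenant.
.PARAMETER ShowAccessToken
    Print the application's access token at the end. Off by default: the token is a bearer
    credential for an app that can write to the directory, and printing it lands it in console
    transcripts and logs.
.NOTES
    Requires the AzureAD module and an interactive account that can register applications,
    grant admin consent and assign directory roles.
#>
[CmdletBinding()]
param(
    [switch]$ShowAccessToken
)

# Stop at the first failed cmdlet: carrying on would leave a half-configured, partly-privileged
# application behind in the tenant.
$ErrorActionPreference = 'Stop'

$adalUrlIdentifier = "https://madcow.dog/AzureADPosh"
$dummyReplyUrl = "https://www.puzzlepart.com"
$certStore = "Cert:\CurrentUser\My"
$currentDate = Get-Date
$endDate = $currentDate.AddYears(10) # 10 years is nice and long

# The PFX password is asked for at runtime rather than hard-coded in the script.
# (Named $pfxPassword on purpose: $pwd is PowerShell's automatic "current directory" variable.)
$pfxPassword = Read-Host -Prompt "Password for the exported madcow.pfx" -AsSecureString

$thumb = (New-SelfSignedCertificate -DnsName "madcow.dog" -CertStoreLocation $certStore -KeyExportPolicy Exportable -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -NotAfter $endDate).Thumbprint
$thumb > cert-thumb.txt # Save to file
# madcow.pfx contains the private key: treat it as a credential and remove it once it has been deployed.
Export-PfxCertificate -Cert "$certStore\$thumb" -FilePath .\madcow.pfx -Password $pfxPassword
# Only the public certificate goes to Azure AD, so read it straight from the store instead of
# reopening the PFX from disk.
$storeCert = Get-Item -Path "$certStore\$thumb"
$keyValue = [System.Convert]::ToBase64String($storeCert.GetRawCertData())

# Connect to Azure AD as an admin account
Connect-AzureAD
# Store tenantid
$tenant = Get-AzureADTenantDetail
$tenant.ObjectId > tenantid.txt

# Resolve the Microsoft Graph service principal by exact name: a -match "Microsoft Graph"
# lookup can return several principals, which would corrupt the permission request below.
$svcPrincipal = Get-AzureADServicePrincipal -All $true | ? { $_.DisplayName -eq "Microsoft Graph" }
if (@($svcPrincipal).Count -ne 1) {
    throw "Expected exactly one 'Microsoft Graph' service principal, found $(@($svcPrincipal).Count)"
}
# Add Reports.Read.All access
$appRole = $svcPrincipal.AppRoles | ? { $_.Value -eq "Reports.Read.All" }
# Needed for Teams archiving (note: this is tenant-wide write access to every group, not only Teams)
$appRole2 = $svcPrincipal.AppRoles | ? { $_.Value -eq "Group.ReadWrite.All" }
if (-not $appRole -or -not $appRole2) {
    throw "Could not find the Reports.Read.All and Group.ReadWrite.All app roles on Microsoft Graph"
}
$appPermission = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList "$($appRole.Id)", "Role"
$appPermission2 = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList "$($appRole2.Id)", "Role"
$reqGraph = New-Object -TypeName "Microsoft.Open.AzureAD.Model.RequiredResourceAccess"
$reqGraph.ResourceAppId = $svcPrincipal.AppId
$reqGraph.ResourceAccess = $appPermission, $appPermission2

# Create Azure Active Directory Application (ADAL App)
$application = New-AzureADApplication -DisplayName "AzureADPosh" -IdentifierUris $adalUrlIdentifier -ReplyUrls $dummyReplyUrl -RequiredResourceAccess $reqGraph
New-AzureADApplicationKeyCredential -ObjectId $application.ObjectId -CustomKeyIdentifier "AzureADPosh" -Type AsymmetricX509Cert -Usage Verify -Value $keyValue -StartDate $currentDate -EndDate $endDate.AddDays(-1)

# https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-permissions-and-consent
$consentUri = "https://login.microsoftonline.com/$($tenant.ObjectId)/adminconsent?client_id=$($application.AppId)&state=12345&redirect_uri=$dummyReplyUrl"
$consentUri | clip
Write-Host "Consent URL is copied to your clipboard - paste it into a browser, and ignore the redirect" -ForegroundColor Green
Write-Host $consentUri -ForegroundColor Blue
Read-Host -Prompt "Press ENTER when consented"

# -All $true: without it only the first page of principals is returned and an existing
# principal for this app could be missed, leading to a failed duplicate creation.
$sp = Get-AzureADServicePrincipal -All $true | ? AppId -eq $application.AppId
if (-not $sp) {
    # Create the Service Principal and connect it to the Application
    $sp = New-AzureADServicePrincipal -AppId $application.AppId
}

# "Directory Writers" is a privileged built-in role (tenant-wide create/modify of users and
# groups). Together with Group.ReadWrite.All this is considerably more than Teams archiving
# needs - confirm the role is really required before running this against production.
$azureDirectoryWriteRoleId = ( Get-AzureADDirectoryRoleTemplate | Where-Object DisplayName -eq "Directory Writers").ObjectId
try {
    Enable-AzureADDirectoryRole -RoleTemplateId $azureDirectoryWriteRoleId
}
catch {
    # Best effort: the activation is expected to fail when the role is already enabled in the
    # tenant (NOTE(review): presumed; the membership lookup below is the real check).
    Write-Verbose "Enable-AzureADDirectoryRole failed, continuing: $_"
}
# Give the application read/write permissions to AAD
$directoryWriters = Get-AzureADDirectoryRole | Where-Object DisplayName -eq "Directory Writers"
if (-not $directoryWriters) {
    throw "The 'Directory Writers' role is not enabled in this tenant"
}
Add-AzureADDirectoryRoleMember -ObjectId $directoryWriters.ObjectId -RefObjectId $sp.ObjectId

$appId = $application.AppId
$appId > appid.txt
Start-Sleep 10 # give it some seconds before connecting
Connect-AzureAD -TenantId $tenant.ObjectId -ApplicationId $application.AppId -CertificateThumbprint $thumb
$token = [Microsoft.Open.Azure.AD.CommonLibrary.AzureSession]::AccessTokens["AccessToken"]
if ($ShowAccessToken) {
    # Explicit opt-in only: this is a bearer credential for a directory-writing application.
    $token
}
else {
    Write-Host "Signed in as application $appId and acquired a token (re-run with -ShowAccessToken to print it)" -ForegroundColor Green
}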