Execute an App registration without AzureAD

Time:12-01

For a professional project, a chunk of the pipeline must be able to create an application (the first App registration, so I only have a Global Admin) automatically within Azure AD. So far I used AzureAD, which works well with PowerShell 5.6 on Windows. I now must be able to run the code on Ubuntu 20.04 with its PowerShell 7.2. Unfortunately for me, the AzureAD module is only supported on non-core Windows PowerShell, therefore it does not work on core PS6 or PS7. A very simplified piece of code is the following:

# Connection infos
$tenantId = "abcdef12345-1234-1234-124-abcdef12346789"
$account = "[email protected]" # Is cloud Admin by default
# Plain-text password kept here only as in the original snippet; a pipeline should read it from a secret store
$password = ConvertTo-SecureString "MyPassword" -AsPlainText -Force
$psCred = New-Object System.Management.Automation.PSCredential -ArgumentList ($account, $password)

# Connect-AzureAD takes the tenant through -TenantId (Windows PowerShell only)
Connect-AzureAD -Credential $psCred -TenantId $tenantId

# Create app
$appName = "MyApp"

# AzureAD cmdlet for the app registration (abbreviated as New-App in the original snippet)
New-AzureADApplication -DisplayName $appName

I am stuck and my question is the following: how could I run such an operation with PowerShell 7.2 considering AzureAD is not usable? I did check Connect-MgGraph for the connection part only (https://github.com/microsoftgraph/msgraph-sdk-powershell) but the clientId is information that I don't have (and want to create).

Thanks in advance

CodePudding user response:

You can use DeviceLogin as explained in this article to obtain an OAuth access token for your Global Administrator account in PowerShell (independent of the version), but this first step needs human interaction.

After obtaining the token, you can use it to make Graph API calls with your Global Administrator permissions to create an application.

Once you create your first application, you must assign it the required permissions and use it to automate the process (obtain the token programmatically using API calls) for application creation in PowerShell.
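The two steps described in this answer (device login for the token, then a Graph call to create the application) carried through in PowerShell 7, as an added example that is not code from the original answer or from Microsoft. It assumes the well-known Azure PowerShell public client id quoted elsewhere in this thread is used as client_id for the device code request, that its pre-consented Microsoft Graph permissions allow a signed-in Global Administrator to create applications (the Az module relies on the same thing), and that the tenant name, application name and credential label are placeholders:

```powershell
# Added example (not from the original answers): bootstrap the first app registration
# from PowerShell 7 on Linux with the OAuth device code flow and the Graph REST API.
# Assumptions: Azure PowerShell's well-known public client id is used as client_id and its
# pre-consented Graph permissions cover application creation for a Global Administrator.

$tenantId  = "contoso.onmicrosoft.com"                  # tenant GUID or verified domain (placeholder)
$clientId  = "1950a258-227b-4e31-a9cf-717495945fc2"     # Azure PowerShell public client
$scope     = "https://graph.microsoft.com/.default"     # assumption: the pre-consented Graph scopes
$authority = "https://login.microsoftonline.com/$tenantId/oauth2/v2.0"

function Get-DeviceCodeToken {
    param([string]$Authority, [string]$ClientId, [string]$Scope)

    # Step 1: request a device code. This is the one step that needs a human:
    # someone opens verification_uri in a browser and types user_code.
    $dc = Invoke-RestMethod -Method Post -Uri "$Authority/devicecode" `
        -Body @{ client_id = $ClientId; scope = $Scope }
    Write-Host $dc.message

    # Step 2: poll the token endpoint until the user completes sign-in or the code expires.
    $interval = [int]$dc.interval
    $deadline = (Get-Date).AddSeconds([int]$dc.expires_in)
    while ((Get-Date) -lt $deadline) {
        Start-Sleep -Seconds $interval
        try {
            return Invoke-RestMethod -Method Post -Uri "$Authority/token" -Body @{
                grant_type  = "urn:ietf:params:oauth:grant-type:device_code"
                client_id   = $ClientId
                device_code = $dc.device_code
            }
        } catch {
            # PowerShell 7 exposes the JSON error body of a 4xx reply in ErrorDetails.Message
            $err = ($_.ErrorDetails.Message | ConvertFrom-Json).error
            if ($err -eq "slow_down") { $interval += 5 }                                  # server asks us to back off
            elseif ($err -ne "authorization_pending") { throw "Device code flow failed: $err" }  # expired_token, authorization_declined, ...
            # authorization_pending: the user has not finished in the browser yet, poll again
        }
    }
    throw "Device code expired before the user signed in"
}

function New-GraphApplication {
    param([string]$AccessToken, [string]$DisplayName)
    $headers = @{ Authorization = "Bearer $AccessToken" }

    # POST /applications creates the registration; appId is the client id of the new app
    $app = Invoke-RestMethod -Method Post -Headers $headers -ContentType "application/json" `
        -Uri "https://graph.microsoft.com/v1.0/applications" `
        -Body (@{ displayName = $DisplayName } | ConvertTo-Json)

    # Add a client secret so the pipeline can later sign in as this app without a user.
    # Graph returns secretText exactly once: hand it to a secret store, never log it.
    $cred = Invoke-RestMethod -Method Post -Headers $headers -ContentType "application/json" `
        -Uri "https://graph.microsoft.com/v1.0/applications/$($app.id)/addPassword" `
        -Body (@{ passwordCredential = @{ displayName = "pipeline-bootstrap" } } | ConvertTo-Json -Depth 3)

    [pscustomobject]@{
        ObjectId      = $app.id
        ClientId      = $app.appId
        ClientSecret  = $cred.secretText
        SecretExpires = $cred.endDateTime
    }
}

$token  = Get-DeviceCodeToken -Authority $authority -ClientId $clientId -Scope $scope
$newApp = New-GraphApplication -AccessToken $token.access_token -DisplayName "MyApp"
"Created application $($newApp.ClientId) (object $($newApp.ObjectId)); secret expires $($newApp.SecretExpires)"
```

The polling loop distinguishes the three outcomes the token endpoint can report while the user is still at the browser (authorization_pending, slow_down, and the terminal errors), so a pipeline step using it fails with the actual reason rather than hanging. The ClientId and ClientSecret it returns are the inputs for the unattended client credentials sign-in of the later runs.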

CodePudding user response:

You could use Resource Owner Password Credentials (ROPC) to authenticate, however Microsoft actively discourages it in their documentation due to the security implications of sending a password over the wire.

If the security issues present with this method of authentication are still tolerated within your acceptance criteria, you would still need a ClientID. Luckily, AzureAD has a well-known ClientID that you can use to authenticate. This ID is 1950a258-227b-4e31-a9cf-717495945fc2.

The below PowerShell code should get you started. I've basically translated the HTTP request within Microsoft's documentation into a splatted Invoke-RestMethod command.

$LoginWithROPCParameters = @{
  URI = "https://login.microsoftonline.com/contoso.onmicrosoft.com/oauth2/v2.0/token"
  Method = "POST"
  Body = @{
    # Well-known public client id, so no app registration of your own is needed yet
    client_id = "1950a258-227b-4e31-a9cf-717495945fc2"
    # Delegated scopes; creating applications through Graph additionally needs Application.ReadWrite.All
    scope = "user.read openid profile offline_access"
    username = "[email protected]"
    password = "hunter2" # sent in the request body; TLS is the only protection for it
    grant_type = "password"
  }
}
# Invoke-RestMethod parses the JSON reply; $Token.access_token is the bearer token for Graph calls
$Token = Invoke-RestMethod @LoginWithROPCParameters
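Both answers end at the same place: once a first application exists, the pipeline should authenticate as that application rather than keep a user password (ROPC) or a human (device login) in the loop. The unattended half, as an added example that is not code from either answer: the client credentials grant with the bootstrap app, plus a local check of the token's roles claim so a missing admin consent fails with a clear message instead of a 403 from Graph. It assumes the tenant id, client id and secret are injected by the pipeline from a secret store under the environment variable names chosen here, and that the app has been granted the Microsoft Graph application permission Application.ReadWrite.All with admin consent:

```powershell
# Added example (not from the original answers): sign in as the bootstrap application with
# the client credentials grant and create further app registrations without any user.
# Assumptions: the three values below come from the pipeline's secret store (variable names
# are this example's own), and Application.ReadWrite.All has been granted and admin-consented.

$tenantId     = $env:AZURE_TENANT_ID      # tenant GUID or verified domain
$clientId     = $env:AZURE_CLIENT_ID      # appId of the bootstrap application
$clientSecret = $env:AZURE_CLIENT_SECRET  # secretText from addPassword, kept in a vault

function Get-ClientCredentialsToken {
    param([string]$TenantId, [string]$ClientId, [string]$ClientSecret)
    # .default requests every application permission already consented for this app;
    # no username or password is involved, so MFA on the admin account no longer matters
    $resp = Invoke-RestMethod -Method Post `
        -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" `
        -Body @{
            client_id     = $ClientId
            client_secret = $ClientSecret
            scope         = "https://graph.microsoft.com/.default"
            grant_type    = "client_credentials"
        }
    $resp.access_token
}

function Get-JwtPayload {
    # Decode the claims of an access token locally (no signature check; Graph verifies the
    # signature). Used here only to fail fast with a readable message when consent is missing.
    param([string]$Jwt)
    $b64 = $Jwt.Split('.')[1].Replace('-', '+').Replace('_', '/')   # base64url -> base64
    switch ($b64.Length % 4) { 2 { $b64 += '==' } 3 { $b64 += '=' } } # restore padding
    [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64)) | ConvertFrom-Json
}

$token  = Get-ClientCredentialsToken -TenantId $tenantId -ClientId $clientId -ClientSecret $clientSecret
$claims = Get-JwtPayload -Jwt $token

# App-only tokens list the granted application permissions in the "roles" claim.
# Without admin consent the token is still issued, but POST /applications is refused with 403.
if ($claims.roles -notcontains "Application.ReadWrite.All") {
    throw "Token carries no Application.ReadWrite.All role; grant the permission and admin-consent it first"
}

$app = Invoke-RestMethod -Method Post -ContentType "application/json" `
    -Headers @{ Authorization = "Bearer $token" } `
    -Uri "https://graph.microsoft.com/v1.0/applications" `
    -Body (@{ displayName = "MyApp" } | ConvertTo-Json)
"Created $($app.displayName) with appId $($app.appId)"
```

If the pipeline only ever needs to create applications and manage the ones it created, Application.ReadWrite.OwnedBy is the narrower Graph application permission to grant instead of Application.ReadWrite.All; the roles check above then has to look for that name. Either way the bootstrap app's secret is the new crown jewel of the pipeline: scope it to that single app, rotate it (addPassword returns endDateTime for a reason), and keep it out of scripts and logs.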