I need to connect to AD in an Azure function app using a PowerShell script (as it is in a function, I need to do it without a prompt). I am trying this:

Import-Module D:\home\site\wwwroot\HttpTrigger1\AzureAD\AzureAD.psd1 -UseWindowsPowershell
$creds = Connect-AzureAD -TenantId $tenantId -Credential $Credential

In my function app I have enabled Authentication through "Log in with Azure Active Directory". Is there a way to use that authentication in the PowerShell script to connect with the AzureAD module? I mean the user clicks on the function-app URL, logs in with their credentials, and that authentication can be used in the script for Connect-AzureAD. The current script is not working as MFA is enabled, which cannot be removed as per our use-case.

Use-case: I have an application in the form of an ARM template that would be deployed as a managed application. The ARM template is supposed to deploy a set of resources on the tenant of the user, whoever purchases the app. But I need the "client id" and "client secret" of the application registration on the user/customer's tenant, with O365 management API permissions, as input to my mainTemplate.json.
This app registration is a one-time thing and is not possible through an ARM template; that is why I am trying to achieve the above via PowerShell. I am creating a PowerShell function app with Authentication enabled through "Log in with Azure Active Directory".
The idea behind this approach is that at the time of purchasing the app, while filling in other details (like resource group name and region) in the UI (created by createUIDefinition.json), the user clicks on the function app link, logs in, and the script runs in the background. The script should be able to create the app registration in the user's tenant and provide back the client id and client secret of that app registration.

vidhi
  • Not sure if we could get the AAD credential in the function app. But if you don't want to sign in interactively, you could use this script: `$username = "{username}"; $password = "{password}"; $tenantId = "{tenantId}"; $secureStringPwd = $password | ConvertTo-SecureString -AsPlainText -Force; $Credential = New-Object System.Management.Automation.PSCredential -ArgumentList $username, $secureStringPwd; $creds = Connect-AzureAD -TenantId $tenantId -Credential $Credential` – Allen Wu Nov 24 '20 at 06:35
  • Thanks Allen, but that's exactly what I am using. The script fails as MFA is enabled. – vidhi Nov 24 '20 at 09:38

1 Answer

Unfortunately, no!

If MFA is enabled, you will not be able to log in non-interactively. This is intentional, to make it more secure. You cannot pass along the authentication either.

As a workaround, you could possibly make use of an Azure Service Principal: get the function authenticated and let the Service Principal do the job.

What are Azure Service Principals?

Service principals are non-interactive Azure accounts. Like other user accounts, their permissions are managed within Azure Active Directory.

Sharing some reference articles to get a deeper insight into Azure Service Principals:

Creating the Service Principal (the creation is a one-time process)

https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal#app-registration-app-objects-and-service-principals

Creating the Service Principal through PowerShell

https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-authenticate-service-principal-powershell#create-service-principal-with-self-signed-certificate

Authenticating the Service Principal

https://learn.microsoft.com/en-us/powershell/azure/authenticate-azureps?view=azps-5.1.0

Coming back to your scenario, to execute Connect-AzureAD without the interactive login using the service principal, you could use the snippet below:

# Log in to Azure AD PowerShell with an admin account (one-time, interactive step; the MFA prompt is fine here)
Connect-AzureAD

# Create the self-signed cert
$currentDate = Get-Date
$endDate = $currentDate.AddYears(1)
$notAfter = $endDate.AddYears(1)
# ConvertTo-SecureString rejects an empty string, and $pwd is a PowerShell automatic variable,
# so use a dedicated variable holding a real export password for the PFX
$pfxPassword = ConvertTo-SecureString -String "<choose-a-strong-pfx-password>" -Force -AsPlainText
$thumb = (New-SelfSignedCertificate -CertStoreLocation cert:\localmachine\my -DnsName com.foo.bar -KeyExportPolicy Exportable -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -NotAfter $notAfter).Thumbprint
Export-PfxCertificate -Cert "cert:\localmachine\my\$thumb" -FilePath C:\temp\examplecert.pfx -Password $pfxPassword

# Load the certificate and take its public part (raw DER) for the application key credential
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\temp\examplecert.pfx", $pfxPassword)
$keyValue = [System.Convert]::ToBase64String($cert.GetRawCertData())

# Create the Azure Active Directory Application
$application = New-AzureADApplication -DisplayName "test123" -IdentifierUris "https://test123"
New-AzureADApplicationKeyCredential -ObjectId $application.ObjectId -CustomKeyIdentifier "Test123" -StartDate $currentDate -EndDate $endDate -Type AsymmetricX509Cert -Usage Verify -Value $keyValue

# Create the Service Principal and connect it to the Application
$sp = New-AzureADServicePrincipal -AppId $application.AppId

# Give the Service Principal read access to the current tenant. The role's ObjectId is different in
# every tenant, so look it up by name instead of hard-coding it (Get-AzureADDirectoryRole lists activated roles only)
$role = Get-AzureADDirectoryRole | Where-Object { $_.DisplayName -eq "Directory Readers" }
Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $sp.ObjectId

# Get tenant detail
$tenant = Get-AzureADTenantDetail
# Now you can log in to Azure AD PowerShell with your Service Principal and certificate
Connect-AzureAD -TenantId $tenant.ObjectId -ApplicationId $sp.AppId -CertificateThumbprint $thumb

Short explanation of the code:

The above script creates a Service Principal, grants it read access at the tenant level, and at the end connects to Azure AD using the created Service Principal.

Satya V
  • Thanks for your answer. But this is part of a bigger automation process; the scenario is similar to the one explained in this question: https://stackoverflow.com/questions/64789758/is-automating-app-registration-on-azure-possible-through-arm-template-on-the-use So the service principal also needs to be created on the client's tenant, that too via script or some automation. Is there a solution or workaround? – vidhi Nov 24 '20 at 11:25
  • Creation of a service principal is a one-time job. Once you create the service principal, you can re-use it any number of times non-interactively. Even creation of the Service Principal would Connect-AzureAD - you will have to log in interactively if MFA is enabled. – Satya V Nov 24 '20 at 11:55
  • You cannot bypass the MFA, considering the security concerns. – Satya V Nov 24 '20 at 12:13
  • Hey, I have provided more details of my use-case in the question. Could you please help me understand how in this case I can make use of a service principal? I am still learning these technologies and don't have a clear idea about it. – vidhi Nov 24 '20 at 17:31
  • Where is the function app created? Don't you need the App Id for the same? – Satya V Nov 25 '20 at 11:45
  • The function app is created in my tenant. – vidhi Nov 26 '20 at 11:34
  • I see you are calling New-AzureADApplication and New-SelfSignedCertificate every single time in that script above. Should that be the case? – Victorio Berra May 03 '23 at 14:03
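As an added example (not part of the answer, the question, or any of the comments): the per-invocation half of the workaround, i.e. what the function app's run.ps1 does once the one-time setup from the answer has already been run, so that New-AzureADApplication and New-SelfSignedCertificate are not repeated on every call. The app setting names SP_APP_ID, SP_TENANT_ID and SP_CERT_THUMBPRINT are assumptions, as is the module path taken from the question.

```powershell
# Azure Functions (PowerShell) HTTP trigger: connect to Azure AD as the pre-created
# service principal using its certificate. No user credential and no MFA prompt are
# involved, because the service principal authenticates with the certificate's private key.
param($Request, $TriggerMetadata)

# AzureAD is a Windows PowerShell module; load it through the compatibility layer
# (path assumed, as in the question).
Import-Module D:\home\site\wwwroot\HttpTrigger1\AzureAD\AzureAD.psd1 -UseWindowsPowerShell

# Values produced by the one-time setup, stored as app settings (names assumed).
$appId      = $env:SP_APP_ID
$tenantId   = $env:SP_TENANT_ID
$thumbprint = $env:SP_CERT_THUMBPRINT

# The function app exposes uploaded certificates in CurrentUser\My when the
# WEBSITE_LOAD_CERTIFICATES app setting contains their thumbprint. Check the
# certificate is actually there and still valid before trying to authenticate,
# so a missing or expired certificate fails with a clear message instead of a
# generic sign-in error.
$cert = Get-ChildItem -Path "Cert:\CurrentUser\My\$thumbprint" -ErrorAction SilentlyContinue
if (-not $cert) {
    throw "Certificate $thumbprint is not loaded; check WEBSITE_LOAD_CERTIFICATES."
}
if ($cert.NotAfter -lt (Get-Date)) {
    throw "Certificate $thumbprint expired on $($cert.NotAfter); rotate the key credential."
}
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Certificate $thumbprint expires on $($cert.NotAfter); plan a rotation."
}

try {
    # Non-interactive login as the service principal (same call as the last line of the answer).
    Connect-AzureAD -TenantId $tenantId -ApplicationId $appId -CertificateThumbprint $thumbprint | Out-Null

    # Do the actual work with the service principal's permissions; here just read tenant details.
    $tenant = Get-AzureADTenantDetail
    $body = @{ tenant = $tenant.DisplayName; tenantId = $tenant.ObjectId } | ConvertTo-Json

    Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
        StatusCode = 200
        Body       = $body
    })
}
finally {
    # Always drop the session so a later invocation cannot reuse a stale context.
    Disconnect-AzureAD -ErrorAction SilentlyContinue
}
```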