Our PS Universal environment is running on a Windows Server 19 VM, and the PowerShell Universal service is running as an AD service account without privileges to create new AD users, mail enable, assign licenses, etc.
What would be the best way, whether that be functionality using a script and a credential parameter or something from within the toolbox within a page? A while back, before I knew about PSU, I had built out some custom functions for disabling and creating AD users. Part of those scripts would be simple Get-Credential cmdlets that would prompt the user running the script for their creds, and then connect to a service like MSOnline.
I’d like, if possible, to do something similar in Universal without just needing to create secret variables and storing our AD admin usernames and domain passwords. Thanks!
Is there a particular reason why you would not give the service account the abilities you mention, and then enable Windows Auth and set up privileges? You could build out a function to log the information like what was done, what user ran it… On the AD side you will see the service account, but you would still be able to audit it.
One would be to have a Form on the page to accept their username/password and invoke the job…
You could also probably have the same form, and have them enter their credentials into that in order to specify -Credential on the various commands. In the end though, I would recommend option A, as that doesn’t involve sending AD Admin/Azure Admin information, while still retaining accountability.
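The form-plus-credential-parameter approach from the reply above, written out as an added example (this is not code from the thread or from the PowerShell Universal project). The script name New-EmployeeUser.ps1, the form field ids, the exact New-UDForm/New-UDTextbox/Invoke-PSUScript parameter usage, and $User as PSU's authenticated-user variable are assumptions; the parameter is named $AdminCredential so it does not collide with Invoke-PSUScript's own run-as -Credential.

```powershell
# --- Script: New-EmployeeUser.ps1 (hypothetical name) ---
# The operator's own admin credential arrives as a parameter for this run only;
# nothing is written to a PSU secret variable.
param(
    [Parameter(Mandatory)] [string] $SamAccountName,
    [Parameter(Mandatory)] [string] $GivenName,
    [Parameter(Mandatory)] [string] $Surname,
    [Parameter(Mandatory)] [pscredential] $AdminCredential,  # operator's AD admin account
    [Parameter(Mandatory)] [string] $RequestedBy              # PSU identity of the submitter
)

Import-Module ActiveDirectory

# Audit trail: who asked for the change and which admin account did it (no password).
Write-Information ("{0} requested creation of {1} using admin account {2}" -f
    $RequestedBy, $SamAccountName, $AdminCredential.UserName)

# The AD write happens under the operator's account, not the PSU service account.
New-ADUser -Name "$GivenName $Surname" -SamAccountName $SamAccountName `
    -GivenName $GivenName -Surname $Surname -Enabled $false `
    -Credential $AdminCredential -ErrorAction Stop

# --- Dashboard page: form that collects the operator's credentials for one run ---
New-UDForm -Content {
    New-UDTextbox -Id 'sam'       -Label 'sAMAccountName'
    New-UDTextbox -Id 'given'     -Label 'Given name'
    New-UDTextbox -Id 'surname'   -Label 'Surname'
    New-UDTextbox -Id 'adminUser' -Label 'Your admin account (DOMAIN\user)'
    New-UDTextbox -Id 'adminPass' -Label 'Password' -Type password   # masked input
} -OnSubmit {
    # Build the PSCredential in memory; the plain-text string is not kept or logged.
    $secure = ConvertTo-SecureString $EventData.adminPass -AsPlainText -Force
    $cred   = [pscredential]::new($EventData.adminUser, $secure)

    Invoke-PSUScript -Script 'New-EmployeeUser.ps1' `
        -SamAccountName $EventData.sam -GivenName $EventData.given `
        -Surname $EventData.surname -AdminCredential $cred -RequestedBy $User

    Show-UDToast -Message "Job submitted for $($EventData.sam)"
}
```

Serving the page over HTTPS only is what keeps the submitted password from crossing the network in the clear; the password-type textbox only masks it on screen.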
Thank you for the reply. After reading up on Parameters (ty for the links) it would seem the easiest would be to ask for our AD service account to have rights to run Enable-RemoteMailbox as well as Set-MsolUserLicense. But to be honest, it seems a bit off that there is not a way to ask the user for credentials, similar to running Get-Credential? So my options are either:
Give an AD service account more privileges than I am sure our Security team would NOT like. Although I can't tell if this is really a big deal or not?
Or have a form with say, two text boxes where the user enters in their username and password (in plain text) and then those values get passed into a script, which invokes another script (AD user creation for example)?
I guess I am hoping our global ops/security team sees no issue with granting our PS Universal service account in AD the perms necessary? But really feels like there should be a more simple solution here to allow user input during script execution to handle Get-Credential.