Connect-AzureAd with MFA

PowerShell Universal Universal Dashboard
1

Hi,

I am building a dashboard to manage Office 365 resources but I instead of using a high-priviledge service account I would like that all tasks are running in the user context.
However the accounts used have MFA enabled and I am not sure how to integrate it.

Is there a way to run e.g."Connect-AdzureAd and authenticate with a MFA enabled account?
I don’t need to use the account logged in to Powershell Universal. It would be perfectly fine to have a button “Connect to Azure” that is displaying the Microsoft sign in page in a separate Window/Modal etc.

Thank you.

Product: PowerShell Universal
Version: 1.5.10
2

Something like this should be possible with OIDC. The idea is that you can specify the SaveTokens and Resource settings in appsettings.json and it will persist a token that can then be used with the O365 cmdlets. The user would then use the standard OIDC login flow including their MFA prompt. Then you could use that token during your O365 calls for that user’s session and everything would execute under their privileges.

I don’t have a good tutorial for this at the moment but will put it on my TODO to put something together.

1 Like
3

A tutorial on this would be great as I will need to use this functionality within my dashboard soon :slight_smile:

1 Like
4

This will require a code change in PSU. Luckily, it’s already been merged and we need to do a release for a critical issue we just discovered in 1.5.11. :face_with_head_bandage:

I’ll write up a formal tutorial for the blog but this is how you’ll do it. You need to enable permissions to O365 (or whatever resource you are trying to access) for your application in the app registration.

image
image1654×393 40.5 KB

You also need to enable tokens in your authentication for your app registration.

image
image1291×378 30.4 KB

Finally, you need to set the resource and response type appropriately in your appsettings.json for PSU. You also need to set SaveTokens to true. The resource URL is listed when you enable permissions in the Azure AD app registration. So depending on the resource, it will be a different URL.

    "OIDC": {
      "Enabled": "true",
      "CallbackPath": "/auth/signin-oidc",
      "ClientID": "mine",
      "ClientSecret": "shhhhhhhhhhhhhhhhh",
      "Resource": "https://manage.office.com/",
      "Authority": "https://login.microsoftonline.com/tenant",
      "ResponseType": "id_token token",
      "SaveTokens": "true",
      "UseTokenLifetime": true
    },

Once this is done, you will have access to an $AccessToken and $IdToken variable in your dashboard.

It looks like Connect-AzureAD has a couple parameters for access tokens. I’m not sure which one you will need to use.

Connect-AzureAD
       [-AzureEnvironmentName <EnvironmentName>]
       [-TenantId <String>]
       -AadAccessToken <String>
       [-MsAccessToken <String>]
       -AccountId <String>
       [-LogLevel <LogLevel>]
       [-LogFilePath <String>]
       [-InformationAction <ActionPreference>]
       [-InformationVariable <String>]
       [-WhatIf]
       [-Confirm]
       [<CommonParameters>]

This should work for O365, Graph and Azure management. I suspect 1.5.12 will go out today because the issue we just found is causing manually scheduled jobs to run 10x due to them failing and the service retrying the job…

1 Like
5

Awesome Adam. I’ll try to test this asap.

6

He @Lhaard, if you got it to work, could you share the setup? I’m struggling a bit doing the same.

7

@Lhaard, I second the above post. Seeing how this works would be helpful

1 Like
9

Hey Adam, did you end up writing a step by step on the blog for this?