Per app authentication

Product: PowerShell Universal
Version: 1.4.6

Hi!

Currently I am facing the issue that I want to have applications with their own authentication, mainly because of the claims I can request within Azure APIs. Is there any way to fix this issue that anyone knows of?

Backstory:

We want to build an app where a Super user can request PIM Access for Password Reset and then reset someone's password, but this has to be through PIM and through our app. We also want to have delegate access, as a certificate that could reset passwords is too risky.

Because of this we need a kind of authorization flow as follows:

  1. Authenticate to a standard app to get something of a code to use for the next API call
  2. Request PIM access with that code
  3. Authenticate the user to another Azure registered app, now with rights to reset passwords
  4. Logic that resets the password

The logic part is not that hard but finding a user friendly way of doing this authentication is proving really hard for me.

Does someone have an idea how I can solve this or what direction to look as I have tried a lot!

  • Compiled PowerShell
  • Web app
  • Multiple ways of authentication
  • Rewrote parts of the Microsoft.Graph Module

But I always end up with a mess that I do not trust at all.

Hi blokhunt

Welcome!

I’m having a hard time understanding the problem you are trying to solve.

If you are in Azure, then using SSPR and PIM’s built-in workflows would be the preferred method. You already have all the tools needed there to customize your approval flows. With SSPR you can even have the users reset their own password.

But here is one option if you really want to do it with code/web app.

  1. Create an App Registration in Azure with API permissions allowing password change. Generate a secret to allow authentication against this app.
  2. Put the secret in a secret vault and close this down with PIM.
  3. In code or app, use the Az module to activate your PIM and retrieve the secret from your vault (you authenticate with your own account first).
  4. Use Graph or Az and authenticate against the app registration with the secret and do the password reset.

Another option,

  1. Add PIM on a role in Azure that allows password resets. Have the users activate their PIM with aka.ms/pim.
  2. Make the super users authenticate with their own account and do a password reset (either through app or code) with your preferred method.
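The first option above, written out as one PowerShell flow. This is an added example and not code from the thread or from PowerShell Universal; it assumes the Az.Accounts, Az.Resources, Az.KeyVault, Microsoft.Graph.Authentication and Microsoft.Graph.Users modules on PowerShell 7, that the super user holds an eligible (not active) PIM assignment of the built-in "Key Vault Secrets User" role scoped to the vault, and that the app registration carries the application permission that allows password writes (User-PasswordProfile.ReadWrite.All). Every id, vault name and secret name is a placeholder.

```powershell
<# Added example (not from the thread): activate PIM on a Key Vault scope with your own
   account, read the app secret, sign in app-only to Graph, reset the password.
   All identifiers below are constructed placeholders; replace them. #>

$TenantId    = '00000000-0000-0000-0000-000000000000'   # placeholder tenant id
$AppClientId = '11111111-1111-1111-1111-111111111111'   # placeholder app registration client id
$VaultName   = 'kv-helpdesk-placeholder'                 # placeholder Key Vault name
$SecretName  = 'pwreset-app-secret'                      # placeholder secret name
$VaultScope  = '/subscriptions/<sub-id>/resourceGroups/<rg>/providers/Microsoft.KeyVault/vaults/kv-helpdesk-placeholder'

function New-RandomPassword([int]$Length = 20) {
    # CSPRNG-backed temporary password with one character from each class, then shuffled.
    $sets = 'abcdefghijkmnpqrstuvwxyz', 'ABCDEFGHJKLMNPQRSTUVWXYZ', '23456789', '!@#$%&*-_'
    $all  = -join $sets
    $rng  = [System.Security.Cryptography.RandomNumberGenerator]
    $chars = [System.Collections.Generic.List[char]]::new()
    foreach ($s in $sets) { $chars.Add($s[$rng::GetInt32($s.Length)]) }
    while ($chars.Count -lt $Length) { $chars.Add($all[$rng::GetInt32($all.Length)]) }
    for ($i = $chars.Count - 1; $i -gt 0; $i--) {          # Fisher-Yates shuffle
        $j = $rng::GetInt32($i + 1)
        $t = $chars[$i]; $chars[$i] = $chars[$j]; $chars[$j] = $t
    }
    -join $chars
}

function Invoke-HelpdeskPasswordReset {
    param(
        [Parameter(Mandatory)][string]$TargetUpn,
        [string]$Justification = 'Night-shift password reset'
    )

    # 1. Interactive sign-in as the super user; this is the identity PIM evaluates and logs.
    Connect-AzAccount -TenantId $TenantId | Out-Null

    # 2. Self-activate the eligible "Key Vault Secrets User" assignment for 30 minutes.
    $me   = (Get-AzADUser -SignedIn).Id
    $role = Get-AzRoleDefinition -Name 'Key Vault Secrets User'
    New-AzRoleAssignmentScheduleRequest -Name ([guid]::NewGuid().Guid) -Scope $VaultScope `
        -PrincipalId $me `
        -RoleDefinitionId "$VaultScope/providers/Microsoft.Authorization/roleDefinitions/$($role.Id)" `
        -RequestType SelfActivate -Justification $Justification `
        -ScheduleInfoStartDateTime (Get-Date).ToUniversalTime() `
        -ExpirationType AfterDuration -ExpirationDuration 'PT30M' | Out-Null

    # 3. Read the app secret; RBAC activation takes a moment to propagate, so retry briefly.
    $secret = $null
    for ($try = 0; $try -lt 6 -and -not $secret; $try++) {
        try   { $secret = Get-AzKeyVaultSecret -VaultName $VaultName -Name $SecretName -AsPlainText -ErrorAction Stop }
        catch { Start-Sleep -Seconds 10 }
    }
    if (-not $secret) { throw "PIM activation did not take effect on $VaultName" }

    # 4. App-only Graph session using the client secret from the vault.
    $cred = [pscredential]::new($AppClientId, (ConvertTo-SecureString $secret -AsPlainText -Force))
    Connect-MgGraph -TenantId $TenantId -ClientSecretCredential $cred -NoWelcome

    # 5. Reset, forcing a change at next sign-in so the temporary value is short-lived.
    $newPassword = New-RandomPassword
    Update-MgUser -UserId $TargetUpn -PasswordProfile @{
        Password                      = $newPassword
        ForceChangePasswordNextSignIn = $true
    }

    Disconnect-MgGraph | Out-Null
    Remove-Variable secret, cred        # do not keep the app secret around longer than needed
    return $newPassword                 # hand back to the UI for the helpdesk user to relay
}

# Usage (placeholder UPN):
# Invoke-HelpdeskPasswordReset -TargetUpn 'someone@contoso.example'
```

The point of the layout is that the app-only secret, which is the dangerous credential, never lives on the super user's side: it sits in the vault, and the only way to reach it is a PIM activation by the user's own account, which is what shows up in the PIM audit trail with the justification. Run as a script behind a PowerShell Universal page, the night-shift user only ever sees a form with a target account, which matches the "abstract everything away" requirement.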

Thank you for your response!

Yeah, the problem I’m currently having is that the users that need these rights can’t be sent to any Azure resource, as the people requesting this find it confusing (I work in healthcare). So basically I need to abstract everything away.

The problem I’m having now is how I can make an easy way to authenticate to PIM to activate the password reset role and then authenticate back to Graph to actually change the password.

Are you able to change another person's password through SSPR? If that is the case, that would be amazing and I could use that.

As the problem I’m trying to solve is that during the night people forget their passwords and we get woken up to change them. We have people working in the night who could have a more administrative role but are 0% technical, and we want to give them an easy platform to solve this problem.