Using external bearer (JWT) tokens with PowerShell Universal


This is a companion discussion topic for the original entry at https://blog.ironmansoftware.com/powershell-universal-external-bearer-tokens/

I was just examining this blog, and wondering if the same method could be employed for using Entra ID as the identity provider, rather than Okta?

I’m not all that clued up on JWT, but isn’t that just OpenID Connect | PowerShell Universal?

I guess that doesn’t include the part around getting tokens and using them against the PSU API? And it’s just for user pass-through auth?

So I was able to get this working. It’s not exactly the same as that document, since that document outlines setting up full OpenID for interactive user access to the portal UI, right? For that I’d rather just use SAML or something.

In my case, I just configured the appsettings.json similarly to what was outlined in the blog. I just updated the jwt object like so:

"Jwt": {
  "Issuer": "https://login.microsoftonline.com/{{TenantID}}/v2.0",
  "Audience": "",
  "DiscoveryDocument": "https://login.microsoftonline.com/{{TenantID}}/v2.0/.well-known/openid-configuration",
  "RoleClaimType": "roles"
}
  • In Azure, I created an app role to assign to a client app registration. In my case I named it “Vendor.{{vendorName}}”
  • Then I went to the app registration representing the vendor, created a client secret, and added the app role I created under app permissions.
  • I updated the manifest of the Azure PSU app to set requestedAccessTokenVersion value to “2”
  • Lastly, I created roles in the PSU admin portal that match exactly the role names I created earlier, in this case “Vendor.{{vendorName}}”, and assigned it to my endpoint.

Now I have endpoints which can authenticate requests by tokens provided by my Azure AD tenant and authorize access by role assignments.

There’s no real claim mapping going on, so it’s not true OpenID, but it does allow for proper token-based authentication from AzureAD resources.
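The flow described in the post above, end to end, as an added example (PowerShell written for this discussion, not code from the post or from Ironman Software): obtain a client-credentials token from Entra ID, check the claims that the "Jwt" block in appsettings.json relies on, then call a PSU endpoint with it. The tenant ID, client IDs, secret, endpoint URL and role name are placeholders.

```powershell
# Added example, not from the original post. Every ID, the secret, the PSU
# URL and the role name are placeholders to fill in for your own tenant.
$TenantId     = '{{TenantID}}'
$ClientId     = '{{VendorClientId}}'          # the vendor's app registration
$ClientSecret = '{{VendorClientSecret}}'      # assumed to be read from a vault
$PsuAppId     = '{{PsuAppId}}'                # app registration representing PSU
$PsuEndpoint  = 'https://psu.example.com/api/vendor/report'
$ExpectedRole = 'Vendor.{{vendorName}}'

# 1. Client-credentials grant against the v2.0 token endpoint. The ".default"
#    scope requests the app roles this client has been granted on the PSU app.
$tokenResponse = Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" `
    -ContentType 'application/x-www-form-urlencoded' `
    -Body @{
        grant_type    = 'client_credentials'
        client_id     = $ClientId
        client_secret = $ClientSecret
        scope         = "api://$PsuAppId/.default"
    }
$accessToken = $tokenResponse.access_token

# 2. Decode the payload (base64url; no signature check here, PSU validates the
#    signature against the discovery document) so a misconfiguration fails
#    on the client with a clear message instead of an opaque 401.
function ConvertFrom-JwtPayload([string]$Jwt) {
    $part = $Jwt.Split('.')[1].Replace('-', '+').Replace('_', '/')
    while ($part.Length % 4 -ne 0) { $part += '=' }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($part)) |
        ConvertFrom-Json
}
$claims = ConvertFrom-JwtPayload $accessToken

# "Issuer" in appsettings.json is the v2.0 issuer. Without
# requestedAccessTokenVersion = 2 the tenant issues a v1 token (ver "1.0",
# issuer https://sts.windows.net/...), which PSU will not accept.
if ($claims.iss -ne "https://login.microsoftonline.com/$TenantId/v2.0") {
    throw "Unexpected issuer '$($claims.iss)' (ver=$($claims.ver)); check requestedAccessTokenVersion"
}
# "RoleClaimType": "roles" is the claim PSU maps to its own roles.
if ($claims.roles -notcontains $ExpectedRole) {
    throw "Token lacks role '$ExpectedRole'; assign the app role to the client and consent to it"
}

# 3. Call the PSU endpoint with the bearer token.
Invoke-RestMethod -Method Get -Uri $PsuEndpoint `
    -Headers @{ Authorization = "Bearer $accessToken" }
```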