Powershell automating
Hi There,
We are using powershell scripts to set options (not available in the API eg: MFA settings) in customers tenants.
The scripts are started by a management portal and are running in the context of one admin user living in our CSP tenant. The user that is using the management portal is not aware of the credentials the scripts are using.
When we enable MFA all our scripts stop working. We need to know if excluding one account from MFA make us noncompliant.
Solved! Go to Solution.
Labels: CSP
Excluding this account would not be in compliance with the requirements (see also the updated program guide for official wording: https://docs.microsoft.com/en-us/partner-center/csp-documents-and-learning-resources)
This user account has full admin permission on all customer tenants, so especially these types of accounts need to be secured.
So, if I understand the need correctly, you will need to move to the secure app model where you register an app within each customer tenant and then use access tokens in the powershell.
So a combination of https://docs.microsoft.com/en-us/powershell/partnercenter/secure-app-model?view=partnercenterps-1.5 with this concept: https://blogs.msdn.microsoft.com/ankitsharma/2017/08/25/azure-ad-working-across-tenants-using-powershell/
Also you could use the same approach to use Azure Automation: https://blogs.technet.microsoft.com/stefan_stranger/2017/08/09/triggering-azure-automation-runbooks-using-the-azure-arm-rest-api/
Receive consultations via Technical Presales and Deployment Services team
- Mark as New
- Bookmark
- Subscribe
- Mute
- Permalink
- Email to a Friend
- Report Inappropriate Content
The Secure Application Model documentation states that the modules Az, AzureRM and MSOnline support the ability to authenticate using access tokens. How about the AzureAD module?
At the moment we can revoke refresh tokens (in a custom made portal) from users when needed (e.g a security incident) in our customers tenants. The below code is now in use:
Connect-AzureAd -TenantId $o365TenantIDparam -Credential $LiveCred
Hi @degraafm76,
Yes, you can find more information on that here. You will be switching from using user credentials when connecting to an access token. The Az, AzureRM, Azure AD, and MS Online modules all support the use of access tokens when authenticating. There are numerous others, but the ones I listed are the most common. Hope that this helps.
We run a PowerShell script through Azure Automation for auditing and enforcing various MFA requirements across our entire directory. This is even more imperative, given the recent partner-enforced mandatory new security requirements.
How can we continue to run this?
- Set-MsolUser does not support using a Service Principal (password alternative) for authentication, so accessing with an MFA-enabled account cannot be used in an automated fashion.
- The Azure AD PowerShell module - while it fully supports Service Principals - does not support configuring MFA on target accounts.
See also:
- https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/36816202-set-mfa-using-azure-active-directory-powershell-mo
- Please vote!
- Can someone from Microsoft please at least acknowledge the feedback entry by replying with a status on it?
- https://github.com/AzureAD/azure-activedirectory-powershell/issues/12
- https://github.com/MicrosoftDocs/azure-docs/issues/10926
To-date, we've been using a dedicated service account with MFA disabled and other security controls in-place - which seems will no longer be allowed in the new security requirements.
Please advise. Thanks!
Hi @ziesemer,
The MS Online module supports the use of access tokens for authentication. So, you can leverage the secure application model framework to generate the token used when establishing the connection. You can find more information on this at https://docs.microsoft.com/powershell/partnercenter/secure-app-model
@idwilliamsand @JanoschUlmer - thank you for your replies. Despite the "Email me when someone replies", I did not receive any notifications and didn't see the updates until checking back here just now.
I'll work through validating this here sometime yet today.
I am indeed interested if someone could answer this. We are struggling on how we have to proceed with Azure.
Hi @alexstucchi and @degraafm76,
We have added functionality to the Partner Center PowerShell module that makes it possible for you to follow the secure application model framework. You can find more information, including samples on how to connect to modules like Azure and Azure AD, at https://docs.microsoft.com/en-us/powershell/partnercenter/secure-app-model. Please let us know if you have any concerns or questions.
Hi @idwilliams,
thanks for your reply. I have already read that documentation but I was confused on how it is possible to connect to AzureAD PowerShell using ApplicationId and Refresh Token. Otherwise it seems impossible to me to create an Azure Application and Service Principal programmatically without user interaction during the process.
Could you please help?
Alex
@alexstucchi : Examples for using AzureAD powershell with appid & service principal are here: https://docs.microsoft.com/en-us/powershell/module/azuread/connect-azuread?view=azureadps-2.0
However, you are correct that for setting up an application at least one time this requires an interactive logon.
Receive consultations via Technical Presales and Deployment Services team
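The token-based connection pattern discussed in the accepted answer and in the ApplicationId/refresh-token question above, as an added example that is not code from this thread or from Microsoft's documentation. It assumes the PartnerCenter module 3.x parameter names for New-PartnerAccessToken (older 1.5 releases used -Resource/-TenantId instead of -Scopes/-Tenant), and the SAM_* environment variables, $CustomerTenantId and $UserToRevoke are placeholders the calling portal would supply.

```powershell
# Added example: run a customer-tenant admin action under the Secure Application Model,
# so no MFA-exempt admin password is stored in or passed to the script.
param(
    [Parameter(Mandatory)] [string] $CustomerTenantId,   # placeholder: customer tenant id
    [Parameter(Mandatory)] [string] $UserToRevoke        # placeholder: UPN of the user whose sessions to revoke
)

Import-Module PartnerCenter
Import-Module AzureAD
Import-Module MSOnline

# The multi-tenant app registration and the refresh token captured during the one-time
# interactive consent are secrets; here they arrive as environment variables set by the
# portal (in practice read them from a vault). All SAM_* names are placeholders.
$appId        = $env:SAM_APP_ID
$appSecret    = ConvertTo-SecureString $env:SAM_APP_SECRET -AsPlainText -Force
$refreshToken = $env:SAM_REFRESH_TOKEN
$accountUpn   = $env:SAM_ACCOUNT_UPN     # UPN of the partner user who consented
$credential   = [pscredential]::new($appId, $appSecret)

# Exchange the long-lived refresh token for short-lived access tokens scoped to this customer.
# Assumed 3.x signature: -Scopes/-Tenant/-ServicePrincipal.
$aadGraphToken = New-PartnerAccessToken -ApplicationId $appId -Credential $credential `
    -RefreshToken $refreshToken -Scopes 'https://graph.windows.net/.default' `
    -ServicePrincipal -Tenant $CustomerTenantId
$msGraphToken  = New-PartnerAccessToken -ApplicationId $appId -Credential $credential `
    -RefreshToken $refreshToken -Scopes 'https://graph.microsoft.com/.default' `
    -ServicePrincipal -Tenant $CustomerTenantId

# Connect the AzureAD and MSOnline modules with tokens instead of -Credential.
Connect-AzureAD -AadAccessToken $aadGraphToken.AccessToken -MsAccessToken $msGraphToken.AccessToken `
    -AccountId $accountUpn -TenantId $CustomerTenantId | Out-Null
Connect-MsolService -AdGraphAccessToken $aadGraphToken.AccessToken -MsGraphAccessToken $msGraphToken.AccessToken

# The incident-response action from the thread (revoking a user's refresh tokens),
# now performed under the app identity rather than a shared admin account.
$user = Get-AzureADUser -ObjectId $UserToRevoke
Revoke-AzureADUserAllRefreshToken -ObjectId $user.ObjectId
Write-Output "Revoked refresh tokens for $($user.UserPrincipalName) in tenant $CustomerTenantId"
```

The access tokens expire on their own, and the stored refresh token is the only long-lived secret, which is why it must be kept in a vault and rotated if it is ever exposed.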
How on earth do I interact with Exchange Online Powershell Cmdlets? The entire thing doesn't seem to support the secure app model.
Yes, this is a known problem: https://docs.microsoft.com/en-us/partner-center/partner-security-requirements#exchange-online-powershell
Currently the only working solution is to create a user account in the customer tenant specifically for Exchange Online administration.
Receive consultations via Technical Presales and Deployment Services team
@JanoschUlmer - Was there any update to this around using the ExchangeOnline powershell CmdLets?
See also this other discussion, seems there is still an issue: https://www.microsoftpartnercommunity.com/t5/Secure-Application-Model/Exchange-Online-and-the-Secure-App-Model/m-p/11771#M39
Receive consultations via Technical Presales and Deployment Services team
