Multi-Factor Authentication (MFA)

Learn and ask questions on how to implement MFA

degraafm76
Level 1 Contributor

Powershell automating

Hi There,

We are using PowerShell scripts to set options (not available in the API, e.g. MFA settings) in customers' tenants.

The scripts are started by a management portal and are running in the context of one admin user living in our CSP tenant. The user that is using the management portal is not aware of the credentials the scripts are using.

When we enable MFA, all our scripts stop working. We need to know if excluding one account from MFA makes us noncompliant.

1 ACCEPTED SOLUTION
JanoschUlmer
Microsoft

Excluding this account would not be in compliance with the requirements (see also the updated program guide for official wording: https://docs.microsoft.com/en-us/partner-center/csp-documents-and-learning-resources).

This user account has full admin permission on all customer tenants, so especially these types of accounts need to be secured.

So, if I understand the need correctly, you will need to move to the secure app model, where you register an app within each customer tenant and then use access tokens in PowerShell.

So a combination of https://docs.microsoft.com/en-us/powershell/partnercenter/secure-app-model?view=partnercenterps-1.5 with this concept: https://blogs.msdn.microsoft.com/ankitsharma/2017/08/25/azure-ad-working-across-tenants-using-powershell/

Also, you could use the same approach with Azure Automation: https://blogs.technet.microsoft.com/stefan_stranger/2017/08/09/triggering-azure-automation-runbooks-using-the-azure-arm-rest-api/

Kind regards,
Janosch
Get consultations from Technical Presales & Deployment services team via https://aka.ms/technicalservices

degraafm76
Level 1 Contributor

The Secure Application Model documentation states that the modules Az, AzureRM and MSOnline support the ability to authenticate using access tokens. How about the AzureAD module?

At the moment we can revoke refresh tokens (in a custom-made portal) from users when needed (e.g. a security incident) in our customers' tenants. The below code is now in use:

# Sign in to the customer tenant with the shared admin credential (the account this thread is about)
Connect-AzureAD -TenantId $o365TenantIDparam -Credential $LiveCred

# Look the user up by UPN and invalidate all of their refresh tokens
Get-AzureADUser -ObjectId $userPrincipalName | Revoke-AzureADUserAllRefreshToken

Is there a way to achieve the same making use of the Secure Application Model?

idwilliams
Moderator

Hi @degraafm76,

Yes, you can find more information on that here. You will be switching from using user credentials when connecting to an access token. The Az, AzureRM, Azure AD, and MS Online modules all support the use of access tokens when authenticating. There are numerous others, but the ones I listed are the most common. Hope that this helps.

ziesemer
Level 4 Contributor

We run a PowerShell script through Azure Automation for auditing and enforcing various MFA requirements across our entire directory. This is even more imperative, given the recent partner-enforced mandatory new security requirements.

How can we continue to run this?

  • Set-MsolUser does not support using a Service Principal (password alternative) for authentication, so accessing with an MFA-enabled account cannot be used in an automated fashion.
  • The Azure AD PowerShell module - while it fully supports Service Principals - does not support configuring MFA on target accounts.

See also:

To date, we've been using a dedicated service account with MFA disabled and other security controls in place - which, it seems, will no longer be allowed under the new security requirements.

Please advise. Thanks!

idwilliams
Moderator

Hi @ziesemer,

The MS Online module supports the use of access tokens for authentication. So, you can leverage the secure application model framework to generate the token used when establishing the connection. You can find more information on this at https://docs.microsoft.com/powershell/partnercenter/secure-app-model
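A worked example, added here and not part of any post in this thread or of the Secure Application Model documentation, showing how the two asks above (revoking a user's refresh tokens with the AzureAD module, as degraafm76 does today with a shared admin credential, and auditing/enforcing per-user MFA with the MSOnline module, as ziesemer's Automation script does) run unattended once a customer tenant has been consented. The cmdlets and parameters are those of the PartnerCenter, AzureAD and MSOnline modules; the function names, variables and placeholder IDs are this example's own assumptions.

```powershell
# Added example (not from the thread): MFA-compliant unattended admin tasks in a customer
# tenant via the Secure Application Model (PartnerCenter + AzureAD + MSOnline modules).
# Assumptions (placeholders, not values from the thread):
#   - A multi-tenant app registered in the partner tenant, consented in each customer tenant;
#     its app ID and secret are passed as $ApplicationId / $AppCredential.
#   - The refresh token from the one-time interactive consent is read from a secret store and
#     passed as $RefreshToken. It is a credential: never hard-code it in automation scripts.
#   - Function and variable names are this example's own.
#Requires -Modules PartnerCenter, AzureAD, MSOnline

function Get-ConsentRefreshToken {
    # One-time interactive step (the logon that cannot be avoided): an MFA-capable admin signs in
    # through the authorization-code flow. Store the returned refresh token in a secret store;
    # the unattended runs below use it instead of a username/password.
    param(
        [Parameter(Mandatory)] [string] $ApplicationId,
        [Parameter(Mandatory)] [pscredential] $AppCredential,   # app ID + app secret
        [Parameter(Mandatory)] [string] $PartnerTenantId
    )
    $token = New-PartnerAccessToken -ApplicationId $ApplicationId -Credential $AppCredential `
        -Scopes 'https://api.partnercenter.microsoft.com/user_impersonation' `
        -ServicePrincipal -Tenant $PartnerTenantId -UseAuthorizationCode
    return $token.RefreshToken
}

function Connect-CustomerTenant {
    # Exchange the stored refresh token for access tokens scoped to ONE customer tenant, then
    # open both module sessions with tokens rather than the shared admin credential.
    param(
        [Parameter(Mandatory)] [string] $ApplicationId,
        [Parameter(Mandatory)] [pscredential] $AppCredential,
        [Parameter(Mandatory)] [string] $RefreshToken,
        [Parameter(Mandatory)] [string] $CustomerTenantId,
        [Parameter(Mandatory)] [string] $AccountId   # UPN of the admin who gave consent (Connect-AzureAD requires it)
    )
    $common = @{
        ApplicationId    = $ApplicationId
        Credential       = $AppCredential
        RefreshToken     = $RefreshToken
        ServicePrincipal = $true
        Tenant           = $CustomerTenantId
    }
    # Azure AD Graph token (AzureAD and MSOnline still call graph.windows.net) plus a
    # Microsoft Graph token (used by the newer cmdlets in both modules).
    $aadGraphToken = New-PartnerAccessToken @common -Scopes 'https://graph.windows.net/.default'
    $msGraphToken  = New-PartnerAccessToken @common -Scopes 'https://graph.microsoft.com/.default'

    Connect-AzureAD -AadAccessToken $aadGraphToken.AccessToken -MsAccessToken $msGraphToken.AccessToken `
        -AccountId $AccountId -TenantId $CustomerTenantId | Out-Null
    Connect-MsolService -AdGraphAccessToken $aadGraphToken.AccessToken -MsGraphAccessToken $msGraphToken.AccessToken
}

function Revoke-CustomerUserSessions {
    # degraafm76's case: invalidate every refresh token a user holds (e.g. after an incident).
    # Same cmdlets as the original snippet, but the session was opened with tokens, not a password.
    param([Parameter(Mandatory)] [string] $UserPrincipalName)
    Get-AzureADUser -ObjectId $UserPrincipalName | Revoke-AzureADUserAllRefreshToken
}

function Get-CustomerMfaState {
    # ziesemer's case, audit half: per-user MFA state. An empty StrongAuthenticationRequirements
    # list means per-user MFA is not set for that account.
    Get-MsolUser -All | ForEach-Object {
        [pscustomobject]@{
            UserPrincipalName = $_.UserPrincipalName
            MfaState          = if ($_.StrongAuthenticationRequirements.Count -gt 0) {
                                    $_.StrongAuthenticationRequirements[0].State } else { 'Disabled' }
        }
    }
}

function Enable-CustomerUserMfa {
    # ziesemer's case, enforce half: Set-MsolUser works here because the MSOnline session is
    # token-based, so no MFA-exempt service account is needed.
    param([Parameter(Mandatory)] [string] $UserPrincipalName)
    $req = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
    $req.RelyingParty = '*'
    $req.State = 'Enabled'
    Set-MsolUser -UserPrincipalName $UserPrincipalName -StrongAuthenticationRequirements @($req)
}

# Usage (placeholder values; the refresh token comes from your secret store, not from source):
# $appCred = [pscredential]::new('<partner-app-id>', (ConvertTo-SecureString '<app-secret>' -AsPlainText -Force))
# Connect-CustomerTenant -ApplicationId '<partner-app-id>' -AppCredential $appCred -RefreshToken $storedRefreshToken `
#     -CustomerTenantId '<customer-tenant-id>' -AccountId 'admin@partner.example'
# Revoke-CustomerUserSessions -UserPrincipalName 'user@customer.example'
# Get-CustomerMfaState | Where-Object MfaState -eq 'Disabled'
```

Two points worth checking in a real deployment: the refresh token and app secret replace the password as the thing an attacker would want, so they belong in a secret store with the management portal's service identity as the only reader, and the token exchange in Connect-CustomerTenant is scoped to a single customer tenant per call, which keeps each run's blast radius to that tenant rather than to every tenant the partner account can administer.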


ziesemer
Level 4 Contributor

@idwilliams and @JanoschUlmer - thank you for your replies. Despite the "Email me when someone replies", I did not receive any notifications and didn't see the updates until checking back here just now.

I'll work through validating this here sometime yet today.

alexstucchi
Level 1 Contributor

I am indeed interested if someone could answer this. We are struggling on how we have to proceed with Azure.

idwilliams
Moderator

Hi @alexstucchi and @degraafm76,

We have added functionality to the Partner Center PowerShell module that makes it possible for you to follow the secure application model framework. You can find more information, including samples on how to connect to modules like Azure and Azure AD, at https://docs.microsoft.com/en-us/powershell/partnercenter/secure-app-model. Please let us know if you have any concerns or questions.

alexstucchi
Level 1 Contributor

Hi @idwilliams,

thanks for your reply. I have already read that documentation, but I was confused on how it is possible to connect to AzureAD PowerShell using ApplicationId and Refresh Token. Otherwise it seems impossible to me to create an Azure Application and Service Principal programmatically without user interaction during the process.

Could you please help?
Alex

JanoschUlmer
Microsoft

@alexstucchi : Examples for using AzureAD PowerShell with app ID & service principal are here: https://docs.microsoft.com/en-us/powershell/module/azuread/connect-azuread?view=azureadps-2.0

However, you are correct that setting up an application requires an interactive logon at least one time.

Kind regards,
Janosch
Get consultations from Technical Presales & Deployment services team via https://aka.ms/technicalservices

Gavsto
Level 3 Contributor

How on earth do I interact with Exchange Online PowerShell cmdlets? The entire thing doesn't seem to support the secure app model.

JanoschUlmer
Microsoft

@Gavsto 

Yes, this is a known problem: https://docs.microsoft.com/en-us/partner-center/partner-security-requirements#exchange-online-powershell

Currently the only working solution is to create a user account in the customer tenant specifically for Exchange Online administration.

Kind regards,
Janosch
Get consultations from Technical Presales & Deployment services team via https://aka.ms/technicalservices

rexchoi
Level 1 Contributor

@JanoschUlmer - Was there any update to this around using the Exchange Online PowerShell cmdlets?

JanoschUlmer
Microsoft

Yes - https://docs.microsoft.com/en-gb/powershell/module/exchange/powershell-v2-module/connect-exchangeonline?view=exchange-ps

See also this other discussion; it seems there is still an issue: https://www.microsoftpartnercommunity.com/t5/Secure-Application-Model/Exchange-Online-and-the-Secure-App-Model/m-p/11771#M39

Kind regards,
Janosch
Get consultations from Technical Presales & Deployment services team via https://aka.ms/technicalservices