Typically if you want to create an account to sign in to MSOL (for Azure AD - because you can't use the MS account) you log in to the portal, create an account, make that account a co-administrator, and then log into MSOL.
Is it possible to perform those steps entirely through PowerShell?
So can I log in with an MS account, then create an account I can log into AAD with (because AAD doesn't support MS accounts), purely from PowerShell? I.e., can I go from a brand new Azure subscription to logging in to AAD without going near the portal?
My only thought so far has been to create a service principal, but I haven't figured out how to give that directory permission without the portal or an admin account for MSOL.
Failing this, a canonical answer as to why this isn't possible will suffice.
You can use the Graph API to add a user to the default AD of your subscription, and then you can use the REST API to assign that user to be a classic administrator. Here is the PowerShell script I wrote.
# Adding the AD library (ADAL) to your PowerShell session.
Add-Type -Path 'C:\Program Files\Microsoft Azure Active Directory Connect\Microsoft.IdentityModel.Clients.ActiveDirectory.dll'

# This is the tenant id of your Azure AD. You can use the tenant name instead if you want.
$tenantID = "<the tenant id of your subscription>"
$authString = "https://login.microsoftonline.com/$tenantID"

# Here, the username must be MFA disabled.
$username = "<the username of your root admin>"
$password = "<the password of your root admin>"

# The resource URI for your token.
$resource = "https://graph.windows.net/"

# This is the common client id.
$client_id = "1950a258-227b-4e31-a9cf-717495945fc2"

# Create a client credential with the above common client id, username and password.
$creds = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.UserCredential" `
    -ArgumentList $username,$password

# Create an authentication context with the above authentication string.
$authContext = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext" `
    -ArgumentList $authString

# Acquire an access token from the server.
$authenticationResult = $authContext.AcquireToken($resource,$client_id,$creds)

# Use the access token to set up headers for your HTTP request.
$authHeader = $authenticationResult.AccessTokenType + " " + $authenticationResult.AccessToken
$headers = @{"Authorization"=$authHeader; "Content-Type"="application/json"}

# Send a request to create a new user (body comes from user.json below).
Invoke-RestMethod -Method POST -Uri "https://graph.windows.net/$tenantID/users?api-version=1.6-internal" `
    -Headers $headers -InFile ./user.json

# The resource URI for your token. Here, you are using the Azure Management API.
# It can also be "https://management.core.windows.net/".
$resource = "https://management.azure.com/"

# Acquire an access token from the server again, for a different resource URI.
$authenticationResult = $authContext.AcquireToken($resource,$client_id,$creds)

# Your subscription ID (must be a string).
$subscriptionID = "<your subscription id>"

# Use the access token to set up headers for your HTTP request.
$authHeader = $authenticationResult.AccessTokenType + " " + $authenticationResult.AccessToken
$headers = @{"Authorization"=$authHeader; "Content-Type"="application/json"}

# Send a request to assign the above user to be a classic administrator (body comes from admin.json below).
Invoke-RestMethod -Method PUT -Uri "https://management.azure.com/subscriptions/$subscriptionID/providers/Microsoft.Authorization/classicAdministrators/newAdmin?api-version=2015-06-01" `
    -Headers $headers -InFile ./admin.json
Here is a sample of user.json and admin.json.
user.json:
{
  "accountEnabled": true,
  "displayName": "graphtest",
  "mailNickname": "graphtest",
  "passwordProfile": {
    "password": "Test1234",
    "forceChangePasswordNextLogin": false
  },
  "userPrincipalName": "graphtest@<subdomain>.onmicrosoft.com"
}
admin.json:
{
  "properties": {
    "emailAddress": "graphtest@<subdomain>.onmicrosoft.com",
    "role": "CoAdministrator"
  },
  "type": "Microsoft.Authorization/classicAdministrators",
  "name": "newAdmin"
}
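As an added example (not part of the answer above and not Microsoft's code), the same management token can be used to read the classicAdministrators collection back with GET, which is how you confirm the PUT took effect and notice any co-administrator you did not expect on the subscription; the angle-bracket placeholders and the $expectedAdmins allow-list are assumptions, and the GET endpoint is the list operation of the same API version the answer uses.

```powershell
# Added example: audit classic administrators on a subscription against an expected list.
# Placeholders in angle brackets and $expectedAdmins are assumptions, not values from the page.
Add-Type -Path 'C:\Program Files\Microsoft Azure Active Directory Connect\Microsoft.IdentityModel.Clients.ActiveDirectory.dll'

$tenantID       = "<the tenant id of your subscription>"
$subscriptionID = "<your subscription id>"
$username       = "<the username of your root admin>"   # must be MFA disabled for this token flow
$password       = "<the password of your root admin>"
$client_id      = "1950a258-227b-4e31-a9cf-717495945fc2" # the common client id used in the answer

# Constructed allow-list: accounts that are permitted to hold a classic admin role.
$expectedAdmins = @("graphtest@<subdomain>.onmicrosoft.com")

# Acquire a token for the Azure Management API, exactly as the answer does.
$creds       = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.UserCredential" -ArgumentList $username,$password
$authContext = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext" -ArgumentList "https://login.microsoftonline.com/$tenantID"
$token       = $authContext.AcquireToken("https://management.azure.com/", $client_id, $creds)
$headers     = @{ "Authorization" = $token.AccessTokenType + " " + $token.AccessToken }

# GET on the collection (no trailing name) lists every Service, Account and Co-Administrator.
$uri    = "https://management.azure.com/subscriptions/$subscriptionID/providers/Microsoft.Authorization/classicAdministrators?api-version=2015-06-01"
$result = Invoke-RestMethod -Method GET -Uri $uri -Headers $headers

$unexpected = @()
foreach ($admin in $result.value) {
    $email = $admin.properties.emailAddress
    # 'role' may hold several roles separated by ';', e.g. "ServiceAdministrator;AccountAdministrator".
    $roles = $admin.properties.role -split ';'
    Write-Host ("{0,-45} {1}" -f $email, ($roles -join ', '))
    if ($expectedAdmins -notcontains $email) { $unexpected += $email }
}

if ($unexpected.Count -gt 0) {
    Write-Warning ("Classic administrators not on the expected list: " + ($unexpected -join ', '))
} else {
    Write-Host "All classic administrators are on the expected list."
}
```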