batch-import-spn-app-proxy.ps1
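#-----------------------------------------------------------------------------------------------------------------------
# Copyright (c) Microsoft Corporation. All rights reserved.
#-----------------------------------------------------------------------------------------------------------------------
# PowerShell script to import on-premises service principal objects associated with
# Windows Integrated Authentication (WIA) single sign on configuration of the App Proxy application into the Azure
# Active Directory (AD).
#
# Usage Syntax
#   .\batch-import-spn-app-proxy.ps1 -Domain {domain name} \
#       -CloudUserName {username for Azure AD} -CloudUserPwdFile {Path to encrypted password file for cloud account} \
#       -DomainUserName {domain AD username} -DomainUserPwdFile {Path to encrypted file for on-premises AD account}
#
# You must provide a Global Administrator privileged account using the -CloudUserName and -CloudUserPwdFile parameters
# for the Azure AD access. In addition, you have to use an encrypted file using Windows Data Protection API (DPAPI)
# for the password value.
#
# You must provide a Domain Administrator privileged account using the -DomainUserName and -DomainUserPwdFile
# parameters for the on-premises AD access.
#   * If the Windows Scheduled Task was registered using a Domain administrative privileged account, you can omit
#     both domain credential parameters. In this case, the script uses the service account of the Windows Scheduled
#     Task for on-premises Active Directory access. Supplying only one of the two parameters is treated as an error.
#
#   * If you want to provide user credentials for the on-premises AD access, you must use an encrypted file using
#     Windows Data Protection API (DPAPI) for the password value.
#
# NOTE:
#   1. A Windows scheduled task running as a background service will call this script file to sync on-prem service
#      principal objects into the Azure AD periodically without any user interaction. The account used for the
#      Azure AD access should be enabled for the username/password authentication method so that it can be used
#      from a background service.
#
#   2. Credentials of highly privileged accounts, such as a Domain Administrator privileged account for your
#      on-premises AD and a Global Administrator privileged account for the Azure AD, are required to manage the
#      secrets of the associated service principal objects or registered Azure AD application. Therefore, you must
#      provide credentials for these accounts via an encrypted file using Windows Data Protection API (DPAPI) for
#      security reasons.
#
#      An encrypted file using Windows Data Protection API (DPAPI) can only be decrypted by the same user on the same
#      computer used to create it. Therefore, you must create this encrypted password file on the domain-joined
#      machine with the same Domain Admin privileged account used to register the Windows scheduled task.
#      Because that account can decrypt the file, keep the file's NTFS permissions restricted to that account as well.
#
#      You can create a password file for the cloud account and the on-premises Active Directory access account
#      like this:
#         $cloudUserPwd = "password value"
#         $filePath = "C:\ProgramData\AzureADKeberosHybrid\CloudUserCredential.txt"
#
#         # Convert cloud user password to encrypted string and save to the destination file.
#         $cloudUserPwd | ConvertTo-SecureString -AsPlainText -Force | ConvertFrom-SecureString | Out-File $filePath
#
#      Set the action parameter while creating a Windows Scheduled task (the argument string is shown on several
#      lines for readability; enter it as a single line in the task's "Add arguments" field):
#         Action: Start a program
#         Program/script: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
#         Add arguments:
#            -Command "& '{Path to the Azure AD Kerberos PowerShell module}\batch-import-spn-app-proxy.ps1' \
#                -Domain 'yokodc.nttest.microsoft.com' \
#                -CloudUserName 'yoko@ymoon1972.onmicrosoft.com' \
#                -CloudUserPwdFile 'C:\ProgramData\AzureADKeberosHybrid\CloudUserCredential.txt' \
#                -DomainUserName 'YOKODC\yokoadmin' \
#                -DomainUserPwdFile 'C:\ProgramData\AzureADKeberosHybrid\DomainUserCredential.txt'"
#
param (
    # On-premises Active Directory domain whose service principals are imported.
    [Parameter(Mandatory)][string]$domain,
    # Azure AD account (Global Administrator) used for the cloud side.
    [Parameter(Mandatory)][string]$cloudUserName,
    # Path to the DPAPI-encrypted password file for $cloudUserName.
    [Parameter(Mandatory)][string]$cloudUserPwdFile,
    # Optional on-premises AD account (Domain Administrator); empty means "use the current Windows identity".
    [string]$domainUserName = "",
    # Path to the DPAPI-encrypted password file for $domainUserName; required whenever $domainUserName is given.
    [string]$domainUserPwdFile = ""
)

#######################################
# Builds a PSCredential from a user name and a DPAPI-encrypted password file.
# Arguments: -UserName      account name to place in the credential
#            -PasswordFile  path to a file written by ConvertFrom-SecureString (see the header for how to create it)
# Returns:   System.Management.Automation.PSCredential
# Throws:    a terminating error when the file is missing, unreadable, or cannot be decrypted by the current user.
#######################################
function Read-DpapiCredential {
    param (
        [Parameter(Mandatory)][string]$UserName,
        [Parameter(Mandatory)][string]$PasswordFile
    )

    # Fail with a clear message up front; otherwise a missing file surfaces later as an obscure
    # "password is null" error from the PSCredential constructor.
    if (-not (Test-Path -LiteralPath $PasswordFile -PathType Leaf)) {
        throw "Encrypted password file '$PasswordFile' was not found."
    }

    # ConvertTo-SecureString without -Key decrypts with the DPAPI user key of the account running this script,
    # so the file must have been created by that same account on this machine.
    $securePwd = Get-Content -LiteralPath $PasswordFile -ErrorAction Stop | ConvertTo-SecureString

    return New-Object System.Management.Automation.PSCredential ($UserName, $securePwd)
}

# Set credential to access the on-premises Active Directory (uses a Domain Admin privileged account).
$haveDomainUser = -not [string]::IsNullOrEmpty($domainUserName)
$haveDomainPwdFile = -not [string]::IsNullOrEmpty($domainUserPwdFile)

if ($haveDomainUser -and $haveDomainPwdFile) {
    # Read the domain account secret from the Windows Data Protection API (DPAPI) encrypted file.
    $domainCred = Read-DpapiCredential -UserName $domainUserName -PasswordFile $domainUserPwdFile
}
elseif ($haveDomainUser -or $haveDomainPwdFile) {
    # A half-specified credential would otherwise silently fall through to the scheduled task's own identity;
    # fail loudly instead so AD changes are never made as an unintended account.
    throw "-DomainUserName and -DomainUserPwdFile must be supplied together (or both omitted to use the current Windows identity)."
}
else {
    # Use the current Windows login credential (the service account running this scheduled job).
    $domainCred = $null
}

# read secrets for the cloud account from Windows Data Protection API (DPAPI) encrypted file.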
$cloudSecurePwd = (Get-Content $cloudUserPwdFile | ConvertTo-SecureString) # Set credential to access the Azure AD (Uses a Global Admin privileged account) $cloudCred = New-Object System.Management.Automation.PSCredential ($cloudUserName, $cloudSecurePwd) # Enables TLS1.2 [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 # Run batch import operation Import-AzureADKerberosServicePrincipal -Domain $domain -DomainCredential $domainCred -CloudCredential $cloudCred |