Scripts/PowerShellAppAuthGraph.ps1
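<#
.SYNOPSIS
  Bootstrap an Azure AD application for app-only Microsoft Graph access and
  store its connection details in a SecretManagement vault.

.DESCRIPTION
  Interactive helper, meant to be run section by section inside an existing
  Connect-AzureAD session:
    1. Register the app, request and assign Microsoft Graph app roles, add a
       password credential and a certificate credential, print the admin
       consent URL.
    2. Create a self-signed certificate in Cert:\CurrentUser\My and export its
       public part to a .cer file.
    3. Build the tenant config hashtable and save it with Set-Secret.

  NOTE(review): section 1 imports the .cer from $env:OneDrive while section 2
  exports it to the MyDocuments folder; confirm the intended path and the run
  order before relying on this end to end.

  Risk notes for the reader:
    - $RolesToGrant defaults to EVERY Microsoft Graph app role, i.e. the app
      gets tenant-wide application permissions; narrow it to what is needed.
    - The password credential is printed in clear text (and ends up in any
      transcript); $SecretValidityYears keeps the original 100-year lifetime,
      prefer a short lifetime and rotation.
#>

##########################################
# Create new AAD App registration

# Microsoft Graph's well-known AppId; the matching service principal carries
# the app roles (application permissions) we can request.
$GraphAppId = '00000003-0000-0000-c000-000000000000'
$targetSp = Get-AzureADServicePrincipal -All $true | Where-Object AppId -EQ $GraphAppId

# App roles to request AND assign. Defaults to all Graph app roles, as in the
# original script; narrow it, e.g.
#   $RolesToGrant = $targetSp.AppRoles | Where-Object Value -In @('User.Read.All')
$RolesToGrant = $targetSp.AppRoles

# Lifetime of the password credential created below (original value: 100).
$SecretValidityYears = 100

# Build the RequiredResourceAccess entry for the app manifest.
$ResourceAccessObjects = New-Object 'System.Collections.Generic.List[Microsoft.Open.AzureAD.Model.ResourceAccess]'
foreach ($AppRole in $RolesToGrant) {
  $resourceAccess = New-Object -TypeName 'Microsoft.Open.AzureAD.Model.ResourceAccess'
  $resourceAccess.Id = $AppRole.Id
  $resourceAccess.Type = 'Role'   # 'Role' = application permission ('Scope' would be delegated)
  $ResourceAccessObjects.Add($resourceAccess)
}
$requiredResourceAccess = New-Object -TypeName 'Microsoft.Open.AzureAD.Model.RequiredResourceAccess'
$requiredResourceAccess.ResourceAppId = $targetSp.AppId
$requiredResourceAccess.ResourceAccess = $ResourceAccessObjects

$AzureAdAppProperties = @{
  DisplayName            = 'Microsoft Graph PowerShell AppReg'
  RequiredResourceAccess = $requiredResourceAccess
}
$NewAADApp = New-AzureADApplication @AzureAdAppProperties

# Assign each requested app role. Failures are reported instead of being
# discarded (the original used -ErrorAction 0, which hid them).
# NOTE(review): app role assignments are made to a service principal, but both
# -ObjectId and -PrincipalId receive the *application* object id here. If the
# calls fail, create a service principal for the app
# (New-AzureADServicePrincipal -AppId $NewAADApp.AppId) and use its ObjectId.
foreach ($AppRole in $RolesToGrant) {
  Write-Output -InputObject ('Granting admin consent for App Role: {0}' -f $($AppRole.Value))
  try {
    New-AzureADServiceAppRoleAssignment -ObjectId $NewAADApp.ObjectId -Id $AppRole.Id -PrincipalId $NewAADApp.ObjectId -ResourceId $targetSp.ObjectId -ErrorAction Stop
  } catch {
    Write-Warning ('App role assignment failed for {0}: {1}' -f $AppRole.Value, $_.Exception.Message)
  }
}

# Password credential. It is displayed once here (presumably because the value
# cannot be read back later); it also lands in any running transcript.
New-AzureADApplicationPasswordCredential -ObjectId $NewAADApp.ObjectId -CustomKeyIdentifier "Jaap $(Get-Date)" -EndDate (Get-Date).AddYears($SecretValidityYears) -OutVariable AppSecret
$AppSecret | Format-List

# Certificate credential: load the exported public certificate (.cer) and
# register it as an asymmetric key credential. The base64 SHA-1 hash is used
# as the key identifier.
# NOTE(review): this path uses $env:OneDrive, while the export section below
# writes to MyDocuments — confirm which is intended.
$cer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
$cer.Import("$($env:OneDrive)\$($env:USERNAME)_$($env:COMPUTERNAME).cer")
$base64Value = [System.Convert]::ToBase64String($cer.GetRawCertData())
$base64Thumbprint = [System.Convert]::ToBase64String($cer.GetCertHash())
New-AzureADApplicationKeyCredential -ObjectId $NewAADApp.ObjectId -CustomKeyIdentifier $base64Thumbprint -Type AsymmetricX509Cert -Usage Verify -Value $base64Value -StartDate $cer.NotBefore -EndDate $cer.NotAfter

# Tenant-wide admin consent still has to be given through the portal URL.
$ConsentURL = "https://login.microsoftonline.com/$($(Get-AzureADTenantDetail).Objectid)/adminconsent?client_id=$($NewAADApp.AppId)"
Write-Warning "LET OP! Geef Admin Consent op de applicatie via deze URL:`n$($ConsentURL)"

##########################################
# Create new self-signed certificate
# Export-Certificate writes only the public certificate; the private key stays
# in Cert:\CurrentUser\My of the user who runs this. (The dead OneDrive
# $ExportPath assignment from the original is removed.)
$CertName = "$($env:USERNAME)_$($env:COMPUTERNAME)"
$ExportPath = "$([Environment]::GetFolderPath("MyDocuments"))\$CertName.cer"
$Certificate = New-SelfSignedCertificate -DnsName $CertName -CertStoreLocation 'Cert:\CurrentUser\My' -FriendlyName $CertName -Subject $CertName
Get-ChildItem "Cert:\CurrentUser\My\$($Certificate.Thumbprint)"
Get-ChildItem "Cert:\CurrentUser\My\$($Certificate.Thumbprint)" | Export-Certificate -FilePath $ExportPath
Get-Item $ExportPath

##########################################
# Store config in secret store
# (The placeholder "GUID" assignments that were immediately overwritten in the
# original are removed.)
$TenantConfig = @{}
$TenantConfig.TenantId = (Get-AzureADTenantDetail).ObjectId
$TenantConfig.AppId = $NewAADApp.AppId
$TenantConfig.AuthUrl = "https://login.windows.net/$($TenantConfig.TenantId)"
# Client secret intentionally not stored (commented out in the original;
# presumably certificate auth is used instead).
# $TenantConfig.ClientSecret = $AppSecret.Value
# If the certificate section was run more than once, several certs share the
# subject; take the newest so a single thumbprint (not an array) is stored.
$TenantConfig.CertificateThumbprint = (Get-ChildItem 'Cert:\CurrentUser\My' | Where-Object Subject -EQ "CN=$($env:USERNAME)_$($env:COMPUTERNAME)" | Sort-Object NotBefore -Descending | Select-Object -First 1).Thumbprint
$TenantConfig

$CustomerName = 'Test'
Set-Secret "$CustomerName-Office365" -Secret $TenantConfig
Get-SecretInfo *Office365
##########################################
# $TenantConfig = Get-Secret *-Office365 -AsPlainText |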