I have a requirement to disable external sharing on SPOnline sites associated with new Groups (e.g., MS Teams, Planner, etc.). When an Office 365 user provisions a new Team, Planner, or Group an SPOnline site is provisioned in the background to store files for the associated Group. Be default, this "background" SPOnline site allows external sharing of content.
I have created an Azure Automation Runbook that creates a session to Exchange Online using a Stored Credential. I then get a list of the groups created in the past day.
$groups = Get-UnifiedGroup -Filter "WhenCreated -gt '$dt'"
With the list of Groups, I then iterate through them, connect to SPOnline with an AppId and AppSecret and disable sharing.
Connect-PnPOnline -AppId $appId -AppSecret $appSecret -Url $tenantUrl
$site = Get-PnPTenantSite -Url $group.SharePointSiteUrl
Write-Output "Sharing Capability: " $site.SharingCapability
if($site.SharingCapability -ne "Disabled")
{
#Set-PnPTenantSite -Url $site.Url -Sharing Disabled
Write-Output "Disabling external sharing"
}
else
{
Write-Output "External sharing already disabled"
}
My problem is that our production environment uses a PCS system to manage passwords for accounts. This would require more scripting to access the PCS, checkout the password, update the stored credential then do the work that I want to do.
I am able to get the list of Groups directly from Azure AD but the returned objects do not have the WhenCreated and SharePointSiteURL properties. Without these two pieces of information, I am not able to limit my script to the past day nor change the setting in SharePoint.
My goal is to explore any alternative that allow me to get the list of new Groups and the associated SPOnline site URL without using a stored credential in Azure Automation. Any ideas?
Thank you for your time.
Generally you only have 4 options:
hardcode credentials
use variables + certificates (you can make them secure string, so they are encrypted)
use run as account (allows use of certificates)
use credentials + certificates (pretty much the same as variables)
Related
I would like to automate the rollover of kerberos description keys used for seamless SSO. In doing this, I cannot use global administrator USER accounts, as they may receive spray attacks (I cannot use domain IDs as there are so many domains, and thus I will have to make so many Global Admins). I am thinking that by using application ID and certificates, I can securely automate this job.
The problem is, every sample code I could find has uses the "AuthenticationContext". Something like this:
New-AzureADSSOAuthenticationContext -CloudCredentials $CloudCredentials
Update-AzureADSSOForest -OnPremCredentials $OnpremCredentials
Is it possible to use application IDs to automate this process? And if it is, how do i code it?
Thank you for your kind help.
I'm afraid you could not use the service principal(i.e. the application ID) to do that.
Currently, we could just use domain admin and tenant global admin credentials in a scheduled task.
You could refer to this sample:
# Requirements:
# Microsoft Online Services Sign-In Assistant.
# 64-bit Azure Active Directory module for Windows PowerShell.
$CloudUser = 'service_account#domain.com'
$CloudEncrypted = Get-Content "C:\Scripts\Cloud_Encrypted_Password.txt" | ConvertTo-SecureString
$CloudCred = New-Object System.Management.Automation.PsCredential($CloudUser,$CloudEncrypted)
$OnpremUser = 'DOMAIN\service_account'
$OnpremEncrypted = Get-Content "C:\Scripts\Onprem_Encrypted_Password.txt" | ConvertTo-SecureString
$OnpremCred = New-Object System.Management.Automation.PsCredential($OnpremUser,$OnpremEncrypted)
Import-Module 'C:\Program Files\Microsoft Azure Active Directory Connect\AzureADSSO.psd1'
New-AzureADSSOAuthenticationContext -CloudCredentials $CloudCred
Update-AzureADSSOForest -OnPremCredentials $OnpremCred
Besides, Azure Team is also working on getting this automated, see the feedback:
https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/33773926-automate-seamless-sso-kerberos-decryption-key-roll
I am working on proofing out if there is a way to automate a Global administrator's Azure AD access for other User role accounts in the same tenant to grant access to OneDrive.
If you navigate to portal.office.com and then click on a user's name, that will bring up some settings for that user. The setting I am referring to is under the dropdown for OneDrive Settings, (see attached image).
Is there a way to automate this process via some PowerShell cmdlet?
Solved
I found an article that shows how to run PowerShell commands via the SharePoint Online Management Shell
Tutorial link has the section for Prerequisites for setup: Easy Manage Multiple Office 365 Tenants with Windows PowerShell
Actual PowerShell commands:
$site = Get-SPOSite -Identity https://mydemo-my.sharepoint.com/personal/sarad_mydemo_onmicrosoft_com
Set-SPOUser -Site $site.Url -LoginName admin#mydemo.onmicrosoft.com -IsSiteCollectionAdmin $true
Tutorial: How to Get Administrative Access to the OneDrive for Business Environment for a User
This may not even be possible without powershell (or Azure Powershell), but can I use a script to retrieve user information from AZURE active directory on a Windows 10 computer?
Since the user has already provided credentials and the user name has been pulled down from Azure, is there any other information pulled down that I can reference as a system object (for eg).
Example of code to show user name:
Set objSysInfo = CreateObject("ADSystemInfo")
wScript.Echo objSysInfo.UserName
I want to see other information such as users department(i.e. .department , so that I can map drives by identifying the users department rather than using the user name).
If I can't use vbs then is this possible with Azure powershell without re-entering user credentials and/or re-verifying user credentials?
It's possible with Azure PowerShell commandlets:
Connect-MsolService -CurrentCredential
Get-MsolUser -UserPrincipalName username#domain
I tried to use Login-AzureRmAccount and Add-AzureRmAccount to login to my Azure Accounts. I have two of them, it was easy to add both of them via Add-AzureAccount and manage the active and default one using Select-Azuresubscription.
With the RM cmdlets every time I do Add-AzureRmAccount it overrides the previous authenticated one. This makes it hard for me to switch between a private and a company azure account.
Are there any solutions for that ?
I am using the PowerShell Gallery to update the Azure and AzureRM Modules and using the latest ones.
The official way is to do something like this
$profile1 = Login-AzureRmAccount
$profile2 = Login-AzureRmAccount
Select-AzureRmProfile -Profile $profile2
You can then save the profiles to disk using
Save-AzureRmProfile -Profile $profile1 -Path e:\ps\profile1.json
You can then load with
Select-AzureRmProfile -Path e:\ps\profile1.json
My personal approach though was to create a module that gave a cmdlet with profile1,profile2 etc as parameters. It would then download and decrypt credentials and feed them into Add-AzureRMAccount (this way I can use the same credential file from assorted locations)
Use Login-AzureRMAccout to login two accounts respectively. Then use Get-AzureRmSubscription to check the subscription info and note down the two TenantIds.
To switch between a private and a company azure account, you can specify the TenantId parameter using
$loadersubscription = Get-AzureRmSubscription -SubscriptionName $YourSubscriptionName -TenantId $YourAssociatedSubscriptionTenantId
I am trying to remove deprecated cmdlets in a powershell script and one of the cmdlets is Select-AzureSubscription. I tried replacing it with Select-AzureRmSubscription but that requires user interaction to authenticate. Does anyone know what Azure-Rm cmdlet I should be using instead?
Select-AzureRmSubscription does change the approach that Azure uses for authentication. I had the same pain points when I converted my scripts.
The official way of approaching this via scripting is as follows -
$profile = Login-AzureRmAccount
Save-AzureRMProfile -Profile $profile -path $path
You can then use Select-AzureRmSubscription to none-interactively load those saved profiles.
Although ultimately I didn't go this route, I decided to add another layer of security and use a machine based certificate to encrypt / decrypt credentials to pass to Login-AzureRmAccount This way I could manage multiple sets of accounts and never have to be concerned about those tokens being exposed on vulnerable machines.