ScottMonolith/gist:f79e97fc0c43cd0cc1b8d6f8e5e3aebf

## gistfile1.txt
This is used in the OU Move Script but can apply to any situation you need to auth against a service principal in Azure for programmatic access

Create a self-signed cert assigned to the machine where task is running from (update password, DnsName, FilePath, and OutFile accordingly):

# Create self-signed cert for MS Graph Auth
$pass = "securepass"
$DnsName = "host.fqdn.local"
$FilePath = "c:\temp\azureadauth_cert.pfx"
$OutFile = "c:\temp\azureadauth_cert_base64.crt"
$thumb = (New-SelfSignedCertificate -DnsName $DnsName -CertStoreLocation "cert:\LocalMachine\My"  -KeyExportPolicy Exportable -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -NotAfter (Get-Date).AddMonths(24)).Thumbprint
$pass = ConvertTo-SecureString -String $pass -Force -AsPlainText
Export-PfxCertificate -cert "cert:\localmachine\my\$thumb" -FilePath $FilePath -Password $pass

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate($FilePath, $pass)
$keyValue = [System.Convert]::ToBase64String($cert.GetRawCertData()) | Out-File $OutFile

Create AzureAD App, name it, select a platform, "Web".  Then after registering, 'Manage' --> 'API Permissions' and define what is needed.  This script required:
DeviceManagementManagedDevices.Read.All
User.Read.All

Now upload the certificate.  Manage --> Certificates & Secrets --> Certificates --> Upload certificate.  I would put a description, script name is good.

In the script, if the user running said script does not have admin rights on the machine (and the above cert is in the local machine store), the linked article below will not work.  Do this instead, and grant the user running the script permissions to 'read' the private key (in cert manager, personal certificates, find the cert you created - right click, 'All Tasks', 'Manage private keys', then give the user 'read' permission):

$tenantID = "Azure Tenant GUID"
$applicationID = "AppReg_ClientID"
$thumbprint = "Thumbprint"
$LocalMachineCert = Get-ChildItem -Path Cert:\LocalMachine\My -Recurse | Where-Object { $_.Thumbprint -eq $thumbprint }
Write-Host "Connecting to MS Graph as service principal..."
Connect-MgGraph -ClientID $applicationID -TenantId $tenantID -Certificate $LocalMachineCert -NoWelcome

Re cert issue: https://evotec.xyz/connect-mggraph-keyset-does-not-exist/

Reference for AzureAD auth: https://geekshangout.com/connect-mggraph-using-a-service-principal/
	This is used in the OU Move Script but can apply to any situation you need to auth against a service principal in Azure for programmatic access

	Create a self-signed cert assigned to the machine where task is running from (update password, DnsName, FilePath, and OutFile accordingly):

	# Create self-signed cert for MS Graph Auth
	$pass = "securepass"
	$DnsName = "host.fqdn.local"
	$FilePath = "c:\temp\azureadauth_cert.pfx"
	$OutFile = "c:\temp\azureadauth_cert_base64.crt"
	$thumb = (New-SelfSignedCertificate -DnsName $DnsName -CertStoreLocation "cert:\LocalMachine\My" -KeyExportPolicy Exportable -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -NotAfter (Get-Date).AddMonths(24)).Thumbprint
	$pass = ConvertTo-SecureString -String $pass -Force -AsPlainText
	Export-PfxCertificate -cert "cert:\localmachine\my\$thumb" -FilePath $FilePath -Password $pass

	$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate($FilePath, $pass)
	$keyValue = [System.Convert]::ToBase64String($cert.GetRawCertData()) \| Out-File $OutFile

	Create AzureAD App, name it, select a platform, "Web". Then after registering, 'Manage' --> 'API Permissions' and define what is needed. This script required:
	DeviceManagementManagedDevices.Read.All
	User.Read.All

	Now upload the certificate. Manage --> Certificates & Secrets --> Certificates --> Upload certificate. I would put a description, script name is good.

	In the script, if the user running said script does not have admin rights on the machine (and the above cert is in the local machine store), the linked article below will not work. Do this instead, and grant the user running the script permissions to 'read' the private key (in cert manager, personal certificates, find the cert you created - right click, 'All Tasks', 'Manage private keys', then give the user 'read' permission):

	$tenantID = "Azure Tenant GUID"
	$applicationID = "AppReg_ClientID"
	$thumbprint = "Thumbprint"
	$LocalMachineCert = Get-ChildItem -Path Cert:\LocalMachine\My -Recurse \| Where-Object { $_.Thumbprint -eq $thumbprint }
	Write-Host "Connecting to MS Graph as service principal..."
	Connect-MgGraph -ClientID $applicationID -TenantId $tenantID -Certificate $LocalMachineCert -NoWelcome

	Re cert issue: https://evotec.xyz/connect-mggraph-keyset-does-not-exist/

	Reference for AzureAD auth: https://geekshangout.com/connect-mggraph-using-a-service-principal/
No results found