#-----------------------------------------------------------------------------------------------------------------------
# Copyright (c) Microsoft Corporation. All rights reserved.
#-----------------------------------------------------------------------------------------------------------------------
# PowerShell script to import on-premises service principal objects associated with
# Windows Integrated Authentication (WIA) single sign on configuration of the App Proxy application into the Azure
# Active Directory (AD).
#
# Usage Syntax
# .\batch-import-spn-app-proxy.ps1 -Domain {domain name} \
# -CloudUserName {username for Azure AD} -CloudUserPwdFile {Path to encrypted password file for cloud account} \
# -DomainUserName {domain AD username} -DomainUserPwdFile {Path to encrypted file for on-premises AD account}
#
# You must provide a Global Administrator privileged account using the -CloudUserName and -CloudUserPwdFile parameters
# for the Azure AD access. In addition, you have to use an encrypted file using Windows Data Protection API(DPAPI)
# for the password value.
#
# You must provide a Domain Administrator privileged account using the -DomainUserName and -DomainUserPwdFile
# parameters for the on-premises AD access.
# * If the Windows Scheduled Task is registered using a Domain administrative privileged account, you can skip
# these domain credential parameters. In this case, the script automatically uses the same service account
# as the Windows Scheduled Task for on-premises Active Directory access. Supplying only one of the two
# parameters is treated the same as supplying neither.
#
# * If you want to provide user credentials for the on-premises AD access, you must use an encrypted file using
# Windows Data Protection API(DPAPI) for the password value.
#
# NOTE:
# 1. A Windows scheduled task running as a background service calls this script file to sync on-prem service
# principal objects into the Azure AD periodically without any user interaction. The account used for the Azure AD
# access must therefore be able to authenticate with username/password alone (no interactive MFA prompt).
# Because that account is a Global Administrator, scope any MFA or Conditional Access exclusion for it as
# narrowly as possible (for example, to the host running the scheduled task) and monitor its sign-ins.
#
# 2. Credentials of highly privileged accounts, a Domain Administrator privileged account for your on-premises
# AD and a Global Administrator privileged account for the Azure AD, are required to manage the secrets of the
# associated service principal objects or the registered Azure AD application. Therefore, you must provide the
# credentials for these accounts via a file encrypted with the Windows Data Protection API (DPAPI).
#
# A DPAPI-encrypted file can only be decrypted by the same user on the same computer that was used to create it.
# Therefore, you must create this encrypted password file on the domain-joined machine with the same Domain Admin
# privileged account that is used to register the Windows scheduled task. Note that DPAPI protects the file only
# at rest: any code running as that account on that machine can decrypt it, so restrict the file's NTFS
# permissions to that account (and local administrators) and keep it off shared or synced folders.
#
# You can create a password file for the cloud account and the on-premises Active Directory access account like this:
# $cloudUserPwd = "password value"
# $filePath = "C:\ProgramData\AzureADKeberosHybrid\CloudUserCredential.txt"
#
# # Convert the cloud user password to a DPAPI-protected string and save it to the destination file.
# $cloudUserPwd | ConvertTo-SecureString -AsPlainText -Force | ConvertFrom-SecureString | Out-File $filePath
#
# Prefer reading the password interactively instead of typing it as a literal
# (Read-Host -AsSecureString | ConvertFrom-SecureString | Out-File $filePath), so that the plain-text value
# is not left behind in the PowerShell command history or a session transcript.
#
# Set the action parameter while creating a Windows Scheduled task:
# Action: Start a program
# Program/script: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
# Add arguments:
# -Command "& '{Path to the Azure AD Kerberos PowerShell module}\batch-import-spn-app-proxy.ps1' \
# -Domain 'yokodc.nttest.microsoft.com' \
# -CloudUserName 'yoko@ymoon1972.onmicrosoft.com' \
# -CloudUserPwdFile 'C:\ProgramData\AzureADKeberosHybrid\CloudUserCredential.txt' \
# -DomainUserName 'YOKODC\yokoadmin' \
# -DomainUserPwdFile 'C:\ProgramData\AzureADKeberosHybrid\DomainUserCredential.txt'"
#
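param ([Parameter(Mandatory)][string]$domain,
    [Parameter(Mandatory)][string]$cloudUserName,
    [Parameter(Mandatory)][string]$cloudUserPwdFile,
    [string]$domainUserName = "",
    [string]$domainUserPwdFile = "")

# Fail fast. Without this, a missing or unreadable password file produces a non-terminating error,
# $null flows into New-Object PSCredential and the scheduled task dies with a misleading exception.
$ErrorActionPreference = 'Stop'

# Reads a DPAPI-protected password file (written with ConvertFrom-SecureString) back into a SecureString.
#   $path  - path to the encrypted password file.
#   $label - short description used in error messages ("cloud" / "domain").
# Throws when the file does not exist or does not decrypt to a SecureString. Decryption only works for
# the same Windows account on the same machine that created the file, so a failure here usually means the
# scheduled task runs under a different account than the one used to create the file.
function Read-ProtectedPassword([string]$path, [string]$label)
{
    if (-not (Test-Path -LiteralPath $path -PathType Leaf))
    {
        throw "The $label password file '$path' does not exist or is not a file."
    }

    $securePwd = (Get-Content -LiteralPath $path | ConvertTo-SecureString)
    if ($null -eq $securePwd)
    {
        throw "The $label password file '$path' did not decrypt to a SecureString. Create it with " +
              "ConvertFrom-SecureString using the same account and machine that run this script."
    }
    return $securePwd
}

# Set credential to access the on-premises Active Directory (uses a Domain Admin privileged account).
$haveDomainUser = $domainUserName.Length -gt 0
$haveDomainPwdFile = $domainUserPwdFile.Length -gt 0
if ($haveDomainUser -and $haveDomainPwdFile)
{
    # Read the domain account secret from the DPAPI-encrypted file and build the credential.
    $domainSecurePwd = Read-ProtectedPassword -path $domainUserPwdFile -label 'domain'
    $domainCred = New-Object System.Management.Automation.PSCredential ($domainUserName, $domainSecurePwd)
}
else
{
    if ($haveDomainUser -or $haveDomainPwdFile)
    {
        # Only one half of the domain credential was supplied; surface it instead of silently
        # falling back to the task account, which is almost certainly not what the caller intended.
        Write-Warning "Both -DomainUserName and -DomainUserPwdFile are required to use an explicit domain credential; falling back to the account running this script."
    }
    # Use the current Windows logon (the service account running this scheduled job).
    $domainCred = $null
}

# Read the cloud account secret from the DPAPI-encrypted file and build the credential
# for Azure AD access (uses a Global Admin privileged account).
$cloudSecurePwd = Read-ProtectedPassword -path $cloudUserPwdFile -label 'cloud'
$cloudCred = New-Object System.Management.Automation.PSCredential ($cloudUserName, $cloudSecurePwd)

# Restrict outbound connections to TLS 1.2 (this deliberately replaces, not extends, the process default
# so that SSL3/TLS 1.0/1.1 are not used even on hosts whose .NET default still allows them).
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

# Run the batch import operation.
Import-AzureADKerberosServicePrincipal -Domain $domain -DomainCredential $domainCred -CloudCredential $cloudCred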