

Azure SSO Using gMSA & PowerShell

Password management is always challenging work. A common problem is how to schedule a task on-premises that pulls data from Azure without saving any local credentials; this can be achieved with PowerShell. In the scenario below, a gMSA and an Azure AD service principal are the two main components of the Azure SSO.

Use case: SSO through PowerShell code for automation/scheduled tasks. The AzureAD PowerShell module is required.

1. gMSA [group Managed Service Account] for the on-prem scheduled task

https://blogs.technet.microsoft.com/askpfeplat/2012/12/16/windows-server-2012-group-managed-service-accounts/

**Code for scheduling a task using the gMSA.**

```powershell
$scriptfolder = "testcode" # Please change the folder name.
$taskname = "testcode" # Please change the task name.
$timeSpan = 6 # Change the interval (in hours) if this should run multiple times a day.
$repetitionInterval = New-TimeSpan -Hours $timeSpan
$repetitionDuration = ([TimeSpan]::MaxValue) # Repeat indefinitely
$taskPath = "\Admintasks\"
$scriptCommand = "-File C:\TrustedCode\$scriptfolder\$taskname.ps1"
$settings = New-ScheduledTaskSettingsSet -Compatibility WIN8 -ExecutionTimeLimit "01:00"
$action = New-ScheduledTaskAction -Execute 'powershell.exe' -WorkingDirectory "C:\TrustedCode\$scriptfolder" -Argument $scriptCommand
$trigger = New-ScheduledTaskTrigger -Once -At "03:00:00" -RepetitionInterval $repetitionInterval -RepetitionDuration $repetitionDuration # Please change the start time
# gMSA names end in '$'; quote the account so PowerShell does not parse the '$' as a variable.
# -LogonType Password lets Task Scheduler retrieve the managed password from AD itself, so no password is supplied here.
$principal = New-ScheduledTaskPrincipal -UserId 'contoso\Test-gMSA$' -LogonType Password # Please change the gMSA
Register-ScheduledTask $taskname -TaskPath $taskPath -Action $action -Trigger $trigger -Principal $principal -Settings $settings
```
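The task registration above assumes the gMSA already exists and is installed on the host that runs the task. The following is an added example (not code from the original post) of those prerequisite steps and of the check to run before registering the task; the domain contoso.com, the account Test-gMSA, the host PSHOST01 and the group gMSA-Hosts are assumed names.

```powershell
# Added example, not part of the original post: create and verify the gMSA the task runs as.
# Names (contoso.com, Test-gMSA, PSHOST01, gMSA-Hosts) are assumptions; replace with your own.
Import-Module ActiveDirectory

# One-time per forest: the KDS root key that gMSA passwords are derived from.
# Even with -EffectiveImmediately, allow ~10 hours for replication in production.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveImmediately
}

# Only members of this group can retrieve the managed password. The host that runs the
# task is added here, not the admins, which is what keeps the password out of scripts.
$hostGroup = 'gMSA-Hosts'
New-ADGroup -Name $hostGroup -GroupScope Global -GroupCategory Security
Add-ADGroupMember -Identity $hostGroup -Members 'PSHOST01$'

New-ADServiceAccount -Name 'Test-gMSA' `
    -DNSHostName 'Test-gMSA.contoso.com' `
    -PrincipalsAllowedToRetrieveManagedPassword $hostGroup

# On PSHOST01, after a reboot so the host's new group membership is in its token:
Install-ADServiceAccount -Identity 'Test-gMSA'

# Returns $true only when this host can actually retrieve the password. Run it before
# Register-ScheduledTask: a task registered for a gMSA the host cannot use fails at run time.
Test-ADServiceAccount -Identity 'Test-gMSA'
```

Keeping the retrieval right on a host group rather than on individual admin accounts is the point of the design: the only principals that can ever read the password are the machines that run the task.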

 

2. Create the Azure AD Service Principal

PowerShell code for creating the Azure SPN using an internal certificate.

```powershell
# Run from an admin session that is already connected with Connect-AzureAD (see note a below).
$currentDate = Get-Date
$endDate = $currentDate.AddYears(1) # Validity of the key credential; rotate it before this date.

$certificate = Get-ChildItem "Cert:\LocalMachine\My" | Where-Object { $_.Subject -eq "CN=PSSSOApp" }
$keyValue = [System.Convert]::ToBase64String($certificate.GetRawCertData())

# Create the Azure Active Directory application
$application = New-AzureADApplication -DisplayName "PSSSOApp" -IdentifierUris "https://PSSSOApp"
# Register only the certificate's public part on the application; the private key stays in the machine store.
New-AzureADApplicationKeyCredential -ObjectId $application.ObjectId -CustomKeyIdentifier "PSSSOApp" -StartDate $currentDate -EndDate $endDate -Type AsymmetricX509Cert -Usage Verify -Value $keyValue
$sp = New-AzureADServicePrincipal -AppId $application.AppId

# Give the service principal Reader access to the current tenant.
# The role ObjectId is tenant-specific; look it up with Get-AzureADDirectoryRole.
Add-AzureADDirectoryRoleMember -ObjectId 5997d714-c3b5-4d5b-9973-ec2f38fd49d5 -RefObjectId $sp.ObjectId

# Certificate-based sign-in as the SPN: no password, only the thumbprint of the certificate whose private key is in the local store.
$tenant = Get-AzureADTenantDetail
Connect-AzureAD -TenantId $tenant.ObjectId -ApplicationId $sp.AppId -CertificateThumbprint $certificate.Thumbprint
```

/en-us/powershell/module/azuread/connect-azuread?view=azureadps-2.0

Combining the gMSA, the Azure SPN and a scheduled task that runs as the gMSA gives Azure AD authentication for the task without any stored credential.

Note:

a]. The command below needs Global Admin access when creating the Azure AD SPN:
Add-AzureADDirectoryRoleMember -ObjectId 5997d714-c3b5-4d5b-9973-ec2f38fd49d5 -RefObjectId $sp.ObjectId
b]. Certificate EKUs: Client Authentication and Server Authentication.
c]. The gMSA does have a password, but admins/devs never need to manage it or store it anywhere, locally or remotely.
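What the two sections leave implicit is the script the task actually executes under the gMSA. The following is an added example (not code from the original post) of such a script, for instance C:\TrustedCode\testcode\testcode.ps1: it holds no secret, checks the two things that most often break non-interactive runs (the certificate and whether the gMSA can read its private key), signs in with the certificate and does read-only work. The tenant id, application id, log path and certificate subject are assumed values.

```powershell
# Added example, not part of the original post: the script run by the gMSA scheduled task.
# The gMSA password comes from AD; the SPN authenticates with the certificate's private key.
# Tenant id, application id, certificate subject and log path are assumptions / placeholders.
$tenantId      = '00000000-0000-0000-0000-000000000000'   # placeholder: $tenant.ObjectId from Get-AzureADTenantDetail
$applicationId = '11111111-1111-1111-1111-111111111111'   # placeholder: $sp.AppId from the SPN creation step
$certSubject   = 'CN=PSSSOApp'
$logPath       = 'C:\TrustedCode\testcode\testcode.log'

function Write-Log([string]$Message) {
    "$(Get-Date -Format s) [$env:USERNAME] $Message" | Add-Content -Path $logPath
}

Write-Log "Task started under $env:USERDOMAIN\$env:USERNAME"

# The certificate must be in the machine store; pick the newest one that is still valid.
$certificate = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $certSubject -and $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1

if (-not $certificate) { Write-Log "No valid certificate with subject $certSubject"; exit 1 }
if (-not $certificate.HasPrivateKey) { Write-Log "Certificate has no private key"; exit 1 }

try {
    # Throws an access-denied error when the gMSA has no read right on the private key,
    # the most common reason a task that works for an admin fails under the gMSA.
    $null = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($certificate)
} catch {
    Write-Log "Private key not accessible to $env:USERNAME - $($_.Exception.Message)"; exit 1
}

if ($certificate.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Log "WARNING: certificate expires $($certificate.NotAfter); rotate the SPN key credential"
}

try {
    Import-Module AzureAD -ErrorAction Stop
    # Certificate-based sign-in as the SPN; nothing interactive, nothing stored on disk.
    Connect-AzureAD -TenantId $tenantId -ApplicationId $applicationId `
        -CertificateThumbprint $certificate.Thumbprint -ErrorAction Stop | Out-Null

    # Read-only work, matching the Reader role granted to the SPN.
    $userCount = (Get-AzureADUser -All $true | Measure-Object).Count
    Write-Log "Tenant user count: $userCount"
}
catch {
    Write-Log "Azure AD SSO failed - $($_.Exception.Message)"; exit 1
}
finally {
    Disconnect-AzureAD -ErrorAction SilentlyContinue
}
Write-Log "Task finished"
```

The private-key check is worth keeping: importing a PFX into Cert:\LocalMachine\My as an administrator does not grant the gMSA read access to the key, so a task that runs fine when tested interactively can still fail once it runs as the gMSA, and the log line tells you why without exposing anything.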