
Connect to delegated Office 365 tenants via PowerShell using the Secure App Model


To increase security, Microsoft is requiring that Microsoft Partners have Multi-Factor Authentication enabled on all partner accounts.

To ensure that delegated admin scripts continue to work correctly, Microsoft Partners will need to authenticate using the secure app model.

This guide will cover the three steps to set this up.

1. The secure app model requires the setup of a new Azure AD application with permission to access the Partner Center API.

2. Retrieve a refresh token using your delegated admin account and the new Azure AD Application

Once the new application is ready, we need to use the Partner Center PowerShell module to authenticate using this application and to retrieve a refresh token.

3. Modify your scripts to use the refresh token to retrieve access tokens to connect to tenants via PowerShell

Once we've retrieved the refresh token, we can use it in our scripts in place of credential objects. Since the refresh token (together with the application's client ID and secret) is all that is needed to authenticate as your delegated admin account, it's very important that it's stored and accessed securely. Microsoft recommends the use of Azure Key Vault for storing and retrieving the refresh token value.

In Microsoft's examples, the Partner Center PowerShell module is used to retrieve access tokens using your refresh token. Since we don't want to install or import the Partner Center module on all of our Azure Functions/Azure Web Jobs/other schedulers, we are using our own PowerShell function to retrieve the access tokens.

Note: Since the refresh token, client ID and secret are a replacement for your credential objects, it's very important that they are secured accordingly. Microsoft recommends using Azure Key Vault to secure these values.

Prerequisites

  • To set up the new Azure AD Application, you'll need to be a global admin in a Microsoft Partner tenant.
  • To retrieve the initial refresh token for use in your scripts, you'll need to use the Partner Center PowerShell module. You can install this by opening PowerShell as an administrator and running:
    Install-Module PartnerCenter
  • For testing, you'll also need the MSOnline Module:
    Install-Module MSOnline
  • And the AzureAD Module:
    Install-Module AzureAD

This script is a slightly modified version of the one found here. It will create a new Azure AD Application in your organisation with access to the Partner Center API, your own Azure AD, and is pre-consented to access your customers' environments.

This script has also been updated due to recent changes with the Partner Center Module. Thank you to Kelvin Tegelaar for the heads up.

How to run this PowerShell script

    1. Double click the below script to select it
    2. Copy and paste it into a new file in Visual Studio Code and save it with a .ps1 extension.
    3. Install the recommended PowerShell Extension if you haven't already
    4. Press F5 to run the script
    5. Sign into Azure AD with the credentials of a global admin in your own tenant.
    6. Wait for the script to complete.
    7. The app/client ID and secret will appear in the console, as well as in an exported CSV at C:\temp\azureadapps.csv. Once you have retrieved these details, be sure to delete the CSV.
    8. If you're running your scripts using an account that isn't a global admin in your own tenant, you will need to provide consent for other users to use this application in the Azure Portal, under Azure Active Directory > App registrations.
    9. Find your application under All applications, click API permissions, and then click the Grant admin consent button.
    $DisplayName = "Partner Center Application"
    $ConfigurePreconsent = $true
    $ErrorActionPreference = "Stop"

    # Check if the Azure AD PowerShell module has already been loaded.
    if ( ! ( Get-Module AzureAD ) ) {
        # Check if the Azure AD PowerShell module is installed.
        if ( Get-Module -ListAvailable -Name AzureAD ) {
            # The Azure AD PowerShell module is not loaded but it is installed. This module
            # must be loaded for other operations performed by this script.
            Write-Host -ForegroundColor Green "Loading the Azure AD PowerShell module..."
            Import-Module AzureAD
        }
        else {
            Install-Module AzureAD
        }
    }

    try {
        Write-Host -ForegroundColor Green "When prompted please enter the appropriate credentials..."

        if ([string]::IsNullOrEmpty($TenantId)) {
            Connect-AzureAD | Out-Null
            $TenantName = (Get-AzureADTenantDetail).DisplayName
            $TenantId = (Get-AzureADTenantDetail).ObjectId
        }
        else {
            Connect-AzureAD -TenantId $TenantId | Out-Null
            $TenantName = (Get-AzureADTenantDetail).DisplayName
        }
    }
    catch [Microsoft.Azure.Common.Authentication.AadAuthenticationCanceledException] {
        # The authentication attempt was canceled by the end-user. Execution of the script should be halted.
        Write-Host -ForegroundColor Yellow "The authentication attempt was canceled. Execution of the script will be halted..."
        Exit
    }
    catch {
        # An unexpected error has occurred. The end-user should be notified so that the appropriate action can be taken.
        Write-Error "An unexpected error has occurred. Please review the following error message and try again. $($_.Exception.Message)"
    }

    # Azure AD Graph (resource app ID 00000002-0000-0000-c000-000000000000)
    $adAppAccess = [Microsoft.Open.AzureAD.Model.RequiredResourceAccess]@{
        ResourceAppId  = "00000002-0000-0000-c000-000000000000";
        ResourceAccess =
        [Microsoft.Open.AzureAD.Model.ResourceAccess]@{
            Id   = "5778995a-e1bf-45b8-affa-663a9f3f4d04";   # Directory.Read.All (application permission)
            Type = "Role"
        },
        [Microsoft.Open.AzureAD.Model.ResourceAccess]@{
            Id   = "a42657d6-7f20-40e3-b6f0-cee03008a62a";   # Directory.AccessAsUser.All (delegated)
            Type = "Scope"
        },
        [Microsoft.Open.AzureAD.Model.ResourceAccess]@{
            Id   = "311a71cc-e848-46a1-bdf8-97ff7156d8e6";   # User.Read (delegated)
            Type = "Scope"
        }
    }

    # Microsoft Graph (resource app ID 00000003-0000-0000-c000-000000000000)
    $graphAppAccess = [Microsoft.Open.AzureAD.Model.RequiredResourceAccess]@{
        ResourceAppId  = "00000003-0000-0000-c000-000000000000";
        ResourceAccess =
        [Microsoft.Open.AzureAD.Model.ResourceAccess]@{
            Id   = "bf394140-e372-4bf9-a898-299cfc7564e5";   # SecurityEvents.Read.All (application permission)
            Type = "Role"
        },
        [Microsoft.Open.AzureAD.Model.ResourceAccess]@{
            Id   = "7ab1d382-f21e-4acd-a863-ba3e13f7da61";   # Directory.Read.All (application permission)
            Type = "Role"
        }
    }

    # Partner Center API
    $partnerCenterAppAccess = [Microsoft.Open.AzureAD.Model.RequiredResourceAccess]@{
        ResourceAppId  = "fa3d9a0c-3fb0-42cc-9193-47c7ecd2edbd";
        ResourceAccess =
        [Microsoft.Open.AzureAD.Model.ResourceAccess]@{
            Id   = "1cebfa2a-fb4d-419e-b5f9-839b4383e05a";   # user_impersonation (delegated)
            Type = "Scope"
        }
    }

    $SessionInfo = Get-AzureADCurrentSessionInfo

    Write-Host -ForegroundColor Green "Creating the Azure AD application and related resources..."

    $app = New-AzureADApplication -AvailableToOtherTenants $true -DisplayName $DisplayName -IdentifierUris "https://$($SessionInfo.TenantDomain)/$((New-Guid).ToString())" -RequiredResourceAccess $adAppAccess, $graphAppAccess, $partnerCenterAppAccess -ReplyUrls @("urn:ietf:wg:oauth:2.0:oob","https://localhost","http://localhost")
    $password = New-AzureADApplicationPasswordCredential -ObjectId $app.ObjectId
    $spn = New-AzureADServicePrincipal -AppId $app.AppId -DisplayName $DisplayName

    if ($ConfigurePreconsent) {
        # Membership of the AdminAgents group is what pre-consents the app for customer tenants
        $adminAgentsGroup = Get-AzureADGroup -Filter "DisplayName eq 'AdminAgents'"
        Add-AzureADGroupMember -ObjectId $adminAgentsGroup.ObjectId -RefObjectId $spn.ObjectId
    }

    Write-Host "ApplicationId       = $($app.AppId)"
    Write-Host "ApplicationSecret   = $($password.Value)"

    # Export-Csv fails if the folder does not exist
    New-Item -ItemType Directory -Path C:\temp -Force | Out-Null
    [pscustomobject][ordered]@{
        ApplicationName = $DisplayName
        TenantName      = $TenantName
        TenantId        = $TenantId
        clientId        = $app.AppId
        clientSecret    = $password.Value
    } | Export-Csv C:\temp\azureadapps.csv -NoTypeInformation -Append
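Before handing the client ID and secret to any scheduler, it is worth confirming exactly what the script created: when the secret expires, that the service principal really landed in AdminAgents (otherwise customer tenants will reject the token), and which permissions the GUIDs above actually map to. The following is an added example and not part of the original article; it assumes the AzureAD module is loaded, that you are already connected with Connect-AzureAD to the partner tenant, and that the application was created with the display name used above. The GUID-to-name lookup is done against the resource's own service principal, which is the authoritative source for application (AppRoles) and delegated (Oauth2Permissions) permission IDs.

```powershell
# Added verification example (not from the original article). Assumes Connect-AzureAD
# has already been run in the partner tenant and the AzureAD module is loaded.
$DisplayName = "Partner Center Application"

$app = Get-AzureADApplication -Filter "DisplayName eq '$DisplayName'"
if (-not $app) { throw "Application '$DisplayName' not found in this tenant." }

# 1. Client secret expiry. New-AzureADApplicationPasswordCredential issues a
#    time-limited secret, so record when it must be rotated.
Get-AzureADApplicationPasswordCredential -ObjectId $app.ObjectId |
    Select-Object KeyId, StartDate, EndDate

# 2. Pre-consent check: the service principal must be a member of AdminAgents
#    for the app to reach customer tenants without per-customer consent.
$spn         = Get-AzureADServicePrincipal -Filter "appId eq '$($app.AppId)'"
$adminAgents = Get-AzureADGroup -Filter "DisplayName eq 'AdminAgents'"
$isMember    = Get-AzureADGroupMember -ObjectId $adminAgents.ObjectId -All $true |
    Where-Object { $_.ObjectId -eq $spn.ObjectId }
"Service principal in AdminAgents: $([bool]$isMember)"

# 3. Resolve every requested permission GUID to its name. Each resource (Azure AD
#    Graph, Microsoft Graph, Partner Center) has its own service principal whose
#    AppRoles are the application permissions and whose Oauth2Permissions are the
#    delegated scopes; the IDs in the registration script refer to these.
foreach ($required in $app.RequiredResourceAccess) {
    $resourceSp = Get-AzureADServicePrincipal -Filter "appId eq '$($required.ResourceAppId)'"
    foreach ($access in $required.ResourceAccess) {
        $name = if ($access.Type -eq 'Role') {
            ($resourceSp.AppRoles | Where-Object Id -eq $access.Id).Value
        } else {
            ($resourceSp.Oauth2Permissions | Where-Object Id -eq $access.Id).Value
        }
        [pscustomobject]@{
            Resource   = $resourceSp.DisplayName
            Type       = $access.Type
            Permission = $name
            Id         = $access.Id
        }
    }
}
```

If the third section prints an empty Permission for any row, the GUID does not exist on that resource and the Grant admin consent step will fail; compare it against the resource's AppRoles and Oauth2Permissions before consenting.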

Step 2: Retrieve the initial refresh token using the Partner Center PowerShell Module

Now that we have our application set up, we can use it to retrieve our refresh token.

  1. Ensure that you have installed the Partner Center PowerShell module by opening PowerShell as an administrator and running:
    Install-Module PartnerCenter
  2. Double click the below script to select it
  3. Copy and paste it into a new file in Visual Studio Code and save it with a .ps1 extension.
  4. Update the $client_id, $client_secret and $tenant_id values with those exported from the previous script.
  5. Press F5 to run the script
  6. Sign in to Azure AD with the credentials of an account with permission to access customer tenants. Be sure to remember which account this token belongs to. If you're using a global admin account, you may be prompted to grant consent to the application.
  7. Wait for the script to complete. A copy of the refresh token will be exported to C:\temp\refreshToken.txt. Be sure to delete this exported token once you have secured it within your scripts.

PowerShell Script to retrieve your refresh token for the Secure App Model

    $client_id = "EnterClientIDHere"
    $client_secret = "EnterClientSecretHere"
    $tenant_id = "EnterYourTenantIDHere"
    $secpasswd = ConvertTo-SecureString $client_secret -AsPlainText -Force
    $mycreds = New-Object System.Management.Automation.PSCredential ($client_id, $secpasswd)

    # -Consent forces an interactive sign-in; the refresh token is bound to the account you sign in with
    $token = New-PartnerAccessToken -Consent -Credential $mycreds -Resource https://api.partnercenter.microsoft.com -TenantId $tenant_id
    $refreshToken = $token.RefreshToken
    $refreshToken | Out-File C:\temp\refreshToken.txt
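The script above leaves a bearer credential in a plain-text file and relies on you remembering which account you signed in with. The following added example, which is not code from the original article, does the same New-PartnerAccessToken call but then reads the identity claims out of the returned access token so the owning account is recorded, and writes the refresh token straight into Azure Key Vault instead of C:\temp. It assumes the PartnerCenter and Az.KeyVault modules are installed, that the signed-in Az identity has set-secret permission on a vault, and that the vault name "ContosoPartnerVault" and secret name "PartnerRefreshToken" are placeholders you replace with your own.

```powershell
# Added example (not from the original article). Assumes PartnerCenter and Az.KeyVault
# (2.0 or later) are installed; vault and secret names below are placeholders.
$client_id     = "EnterClientIDHere"
$client_secret = "EnterClientSecretHere"
$tenant_id     = "EnterYourTenantIDHere"
$vaultName     = "ContosoPartnerVault"     # assumption: your Key Vault name
$secretName    = "PartnerRefreshToken"     # assumption: secret name used by your scripts

$secpasswd = ConvertTo-SecureString $client_secret -AsPlainText -Force
$mycreds   = New-Object System.Management.Automation.PSCredential ($client_id, $secpasswd)
$token = New-PartnerAccessToken -Consent -Credential $mycreds -Resource https://api.partnercenter.microsoft.com -TenantId $tenant_id

# Decode the JWT payload (second dot-separated segment, base64url encoded) to read
# the identity claims. This only inspects the token; it does not verify the signature.
function Get-JwtPayload([string]$Jwt) {
    $segment = $Jwt.Split('.')[1].Replace('-', '+').Replace('_', '/')
    switch ($segment.Length % 4) {
        2 { $segment += '==' }
        3 { $segment += '=' }
    }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($segment)) | ConvertFrom-Json
}

$claims = Get-JwtPayload $token.AccessToken
if (-not $claims.upn) {
    Write-Warning "No upn claim in the access token; check that you signed in with a user account."
}
"Refresh token issued for account: $($claims.upn) in tenant $($claims.tid)"

# Store the refresh token in Key Vault; nothing is written to disk. The Key Vault
# expiry is set so the secret must be re-issued rather than silently aging out.
Connect-AzAccount -TenantId $tenant_id | Out-Null
$secureToken = ConvertTo-SecureString $token.RefreshToken -AsPlainText -Force
$stored = Set-AzKeyVaultSecret -VaultName $vaultName -Name $secretName `
    -SecretValue $secureToken -ContentType "text/plain" `
    -Expires (Get-Date).AddDays(90) `
    -Tag @{ account = "$($claims.upn)"; clientId = $client_id }
"Stored $secretName version $($stored.Version), expires $($stored.Expires)"
```

The upn and tid claims are what you will need later if a customer tenant rejects the token: the refresh token only carries the rights of that specific delegated admin account, so a role change or MFA reset on that account invalidates every script using it.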

Step 3: Modify scripts to use the refresh token to retrieve access tokens to connect to tenants via PowerShell

Using the refresh token with the MSOnline PowerShell module

The refresh token, client ID and secret essentially replace your current credential object. You can replace your credential objects and Connect-MsolService cmdlets with the following. Note that the following example does not secure the refresh token at all, so only use it as a test, then make sure you secure the refresh token.

Replace the code that builds your credential objects and connects to MSOnline with this

    $client_id = "EnterClientIDHere"
    $client_secret = "EnterClientSecretHere"
    $refreshToken = "EnterRefreshTokenHere"
    $tenant_id = "EnterTenantIDHere"

    function Get-GCITSAccessTokenByResource($AppCredential, $tenantid, $Resource) {
        # Azure AD v1 token endpoint for the target tenant; the refresh token grant
        # exchanges the stored refresh token for an access token scoped to $Resource
        $authority = "https://login.microsoftonline.com/$tenantid"
        $tokenEndpointUri = "$authority/oauth2/token"
        $content = @{
            grant_type    = "refresh_token"
            client_id     = $AppCredential.appId
            client_secret = $AppCredential.secret
            resource      = $Resource
            refresh_token = $AppCredential.refreshToken
        }

        $response = Invoke-RestMethod -Uri $tokenEndpointUri -Body $content -Method Post -UseBasicParsing
        $access_token = $response.access_token
        return $access_token
    }

    $AppCredential = @{
        appId        = $client_id
        secret       = $client_secret
        refreshToken = $refreshToken
    }

    $MSGraphToken = Get-GCITSAccessTokenByResource -Resource "https://graph.microsoft.com" -tenantid $tenant_id -AppCredential $AppCredential
    $AadGraphToken = Get-GCITSAccessTokenByResource -Resource "https://graph.windows.net" -tenantid $tenant_id -AppCredential $AppCredential
    Connect-MsolService -MsGraphAccessToken $MSGraphToken -AdGraphAccessToken $AadGraphToken
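For anything beyond a test, the client secret and refresh token should come from Azure Key Vault at run time rather than sitting in the script. The following added example is not code from the original article; it performs the same token-endpoint call as Get-GCITSAccessTokenByResource above, but reads both secrets from Key Vault, surfaces the JSON error Azure AD returns when the grant is rejected (for example invalid_grant after the delegated admin's password or MFA state changes), and writes the rotated refresh token that the v1 endpoint returns back into the vault. It assumes Az.KeyVault 2.0 or later, the MSOnline module, an Az identity (interactive here, a managed identity in Azure Functions) with get and set permission on the vault, and placeholder names "ContosoPartnerVault", "PartnerClientSecret" and "PartnerRefreshToken" that you replace with your own.

```powershell
# Added example (not from the original article). Vault and secret names are
# placeholders; Az.KeyVault 2.0+ and MSOnline are assumed to be installed.
$client_id = "EnterClientIDHere"
$vaultName = "ContosoPartnerVault"

function Get-VaultSecretText([string]$Vault, [string]$Name) {
    # -AsPlainText (Az.KeyVault 2.0+) returns the secret value as a string
    Get-AzKeyVaultSecret -VaultName $Vault -Name $Name -AsPlainText
}

function Get-DelegatedAccessToken {
    param(
        [Parameter(Mandatory)][string]$TenantId,   # customer tenant, or your own
        [Parameter(Mandatory)][string]$Resource,   # e.g. https://graph.microsoft.com
        [Parameter(Mandatory)][string]$ClientId,
        [Parameter(Mandatory)][string]$Vault
    )
    $body = @{
        grant_type    = "refresh_token"
        client_id     = $ClientId
        client_secret = Get-VaultSecretText $Vault "PartnerClientSecret"
        resource      = $Resource
        refresh_token = Get-VaultSecretText $Vault "PartnerRefreshToken"
    }
    try {
        $response = Invoke-RestMethod -Method Post -Body $body `
            -Uri "https://login.microsoftonline.com/$TenantId/oauth2/token"
    }
    catch {
        # Azure AD answers 4xx with a JSON body such as {"error":"invalid_grant",...};
        # Invoke-RestMethod throws, and the body is usually in ErrorDetails.
        $detail = if ($_.ErrorDetails) { $_.ErrorDetails.Message } else { $_.Exception.Message }
        throw "Token request for $Resource in tenant $TenantId failed: $detail"
    }
    # The v1 endpoint returns a new refresh token with every grant. Writing it back
    # keeps the stored copy current so it does not age out through inactivity.
    if ($response.refresh_token) {
        $secure = ConvertTo-SecureString $response.refresh_token -AsPlainText -Force
        Set-AzKeyVaultSecret -VaultName $Vault -Name "PartnerRefreshToken" -SecretValue $secure | Out-Null
    }
    return $response.access_token
}

# Identity that can read and write the vault secrets (use -Identity in Azure Functions)
Connect-AzAccount | Out-Null

$customerTenantId = "EnterCustomerTenantIDHere"
$graphToken = Get-DelegatedAccessToken -TenantId $customerTenantId -Resource "https://graph.microsoft.com" -ClientId $client_id -Vault $vaultName
$aadToken   = Get-DelegatedAccessToken -TenantId $customerTenantId -Resource "https://graph.windows.net"  -ClientId $client_id -Vault $vaultName

Connect-MsolService -MsGraphAccessToken $graphToken -AdGraphAccessToken $aadToken
Get-MsolCompanyInformation | Select-Object DisplayName, ObjectId
```

Because the refresh token was issued to the delegated admin account and the application is pre-consented through AdminAgents, the same stored token works against any customer tenant ID you pass in; nothing per customer is stored. If two schedulers share one vault secret, each will write back its own rotated token, which is harmless for the next caller as long as the stored value is always a token Azure AD has just issued.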

Using the refresh token with the AzureAD PowerShell module

Connect to own tenant via Azure AD Secure App Model

In my testing, I can connect to our own tenant's Azure AD via the following script:

    $client_id = "EnterClientIDHere"
    $client_secret = "EnterClientSecretHere"
    $refreshToken = "EnterRefreshTokenHere"
    $tenant_id = "EnterTenantIDHere"
    $delegatedAdmin = "EnterDelegatedAdminUPNHere"   # UPN of the account the refresh token was issued to

    function Get-GCITSAccessTokenByResource($AppCredential, $tenantid, $Resource) {
        # Azure AD v1 token endpoint for the target tenant
        $authority = "https://login.microsoftonline.com/$tenantid"
        $tokenEndpointUri = "$authority/oauth2/token"
        $content = @{
            grant_type    = "refresh_token"
            client_id     = $AppCredential.appId
            client_secret = $AppCredential.secret
            resource      = $Resource
            refresh_token = $AppCredential.refreshToken
        }

        $response = Invoke-RestMethod -Uri $tokenEndpointUri -Body $content -Method Post -UseBasicParsing
        $access_token = $response.access_token
        return $access_token
    }

    $AppCredential = @{
        appId        = $client_id
        secret       = $client_secret
        refreshToken = $refreshToken
    }

    $MSGraphToken = Get-GCITSAccessTokenByResource -Resource "https://graph.microsoft.com" -tenantid $tenant_id -AppCredential $AppCredential
    $AadGraphToken = Get-GCITSAccessTokenByResource -Resource "https://graph.windows.net" -tenantid $tenant_id -AppCredential $AppCredential
    Connect-AzureAD -AadAccessToken $AadGraphToken -MsAccessToken $MSGraphToken -AccountId $delegatedAdmin

Can we use this method to run commands in customer tenants with Azure AD?

I have been able to complete the authentication to connect to a customer's Azure AD, but have not been able to run commands. I receive an error related to an invalid domain that appears to be related to the TenantDomain property being populated with the TenantId:

    Connect-AzureAD -AadAccessToken $AadGraphToken -MsAccessToken $MSGraphToken -AccountId $delegatedAdmin -TenantId $customer.tenantid

Connect Delegated Azure AD Customer Tenants

Can we use the refresh token with Exchange Online?

At this stage, we can't use this method to connect to customers' Exchange Online environments. I'm also not sure how the new requirements will affect delegated connections to Exchange Online.

Our current method is to whitelist our own IP for MFA and authenticate to customers' Exchange environments using basic auth. It's very possible that this method will stop working once the new requirements are enforced. Unfortunately, the Exchange Online Remote PowerShell Module that supports MFA does not support delegated admin access at this time.

Remember to secure the refresh token

The refresh token, client ID and secret replace the credentials you would normally use to run your delegated admin scripts. Microsoft recommends you use Azure Key Vault to secure this token.

Thoughts on the secure app model for delegated administration via PowerShell

I think increasing the security of delegated admin accounts is a good move, however the model can be difficult to implement when following the documentation. The new method also doesn't replace the connection methods that partners have relied on for some time, especially for delegated admin Exchange connections.

Although I've had issues getting the implementation right for the AzureAD module, as well as the newer Azure 'Az' module, I think it's worth posting this for the MSOnline module with a plan to update the article once I've worked out the issues with the Azure AD/Az module connections.


Source: https://gcits.com/knowledge-base/how-to-connect-to-delegated-office-365-tenants-using-the-secure-app-model/
