Password management for automation is always challenging. The question is how to schedule a task on-premises that pulls data from Azure without saving any credentials locally, and this can be done with PowerShell. In the scenario below, a gMSA and an Azure AD service principal are the two main components of the Azure SSO.
Use case: SSO from PowerShell code for automation / scheduled tasks. The AzureAD PowerShell module is required (the module is deprecated in favour of Microsoft Graph PowerShell, but the steps below use it).
1. gMSA (group Managed Service Account) for the on-premises scheduled task
Code for scheduling a task that runs as the gMSA:
$scriptfolder = "testcode" # Please change the folder name.
$taskname = "testcode" # Please change the task name.
$timeSpan = 6 # Interval in hours; change it if the task should run at a different frequency.
$repetitionInterval = New-TimeSpan -Hours $timeSpan
$repetitionDuration = ([TimeSpan]::MaxValue) # Repeat indefinitely.
$taskPath = "\Admintasks\"
# Only run scripts from a folder that ordinary users cannot write to; the task runs with the gMSA's rights.
$scriptCommand = "-NoProfile -ExecutionPolicy AllSigned -File C:\TrustedCode\$scriptfolder\$taskname.ps1"
$settings = New-ScheduledTaskSettingsSet -Compatibility WIN8 -ExecutionTimeLimit "01:00"
$action = New-ScheduledTaskAction -Execute 'powershell.exe' -WorkingDirectory "C:\TrustedCode\$scriptfolder" -Argument $scriptCommand
$trigger = New-ScheduledTaskTrigger -Once -At "03:00:00" -RepetitionInterval $repetitionInterval -RepetitionDuration $repetitionDuration # Please change the start time.
# gMSA names end with '$'; quote the value so PowerShell does not try to expand it. -LogonType Password is what
# Task Scheduler uses for a gMSA: no password is stored, the host retrieves it from AD. Change the gMSA name.
$principal = New-ScheduledTaskPrincipal -UserId 'contoso\Test-gMSA$' -LogonType Password
Register-ScheduledTask $taskname -TaskPath $taskPath -Action $action -Trigger $trigger -Principal $principal -Settings $settings
2. Create the Azure AD service principal
PowerShell code for creating the Azure AD service principal using an internally issued certificate (run interactively while connected with Connect-AzureAD as an administrator):
$currentDate = Get-Date
$endDate = $currentDate.AddYears(1) # The certificate credential on the application is valid for one year.
$certificate = Get-ChildItem "Cert:\LocalMachine\My" | Where-Object {$_.Subject -eq "CN=PSSSOApp"}
# Only the public certificate is uploaded; the private key stays in the machine store.
$keyValue = [System.Convert]::ToBase64String($certificate.GetRawCertData())
# Create the Azure Active Directory application
$application = New-AzureADApplication -DisplayName "PSSSOApp" -IdentifierUris "https://PSSSOApp"
New-AzureADApplicationKeyCredential -ObjectId $application.ObjectId -CustomKeyIdentifier "PSSSOApp" -StartDate $currentDate -EndDate $endDate -Type AsymmetricX509Cert -Usage Verify -Value $keyValue
$sp = New-AzureADServicePrincipal -AppId $application.AppId
# Give the service principal read access to the tenant. Directory role object IDs are tenant-specific, so look the
# role up by name instead of hard-coding an ID (the original used -ObjectId 5997d714-c3b5-4d5b-9973-ec2f38fd49d5).
$role = Get-AzureADDirectoryRole | Where-Object {$_.DisplayName -eq "Directory Readers"}
if (-not $role) {
    $template = Get-AzureADDirectoryRoleTemplate | Where-Object {$_.DisplayName -eq "Directory Readers"}
    $role = Enable-AzureADDirectoryRole -RoleTemplateId $template.ObjectId
}
Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $sp.ObjectId
# Verify the certificate-based sign-in, which is exactly what the scheduled script will do; the thumbprint
# comes from the certificate itself rather than being typed in by hand.
$tenant = Get-AzureADTenantDetail
Connect-AzureAD -TenantId $tenant.ObjectId -ApplicationId $sp.AppId -CertificateThumbprint $certificate.Thumbprint
Reference: https://learn.microsoft.com/en-us/powershell/module/azuread/connect-azuread?view=azureadps-2.0
3. One certificate (self-signed is not recommended)
Use a certificate issued by your internal PKI, installed in Cert:\LocalMachine\My on the host that runs the task, with a non-exportable private key that the gMSA is allowed to read. The certificate is what replaces the stored password.
Together, the gMSA (no local password for the task) and the Azure AD service principal with certificate authentication (no client secret in the script) give the scheduled task SSO into Azure AD with no credentials saved on disk.
Note:
a) Creating the application registration itself does not need Global Administrator, but adding the service principal to a directory role (the command below) requires the Global Administrator or Privileged Role Administrator role. The role object ID shown is specific to one tenant; resolve it with Get-AzureADDirectoryRole in yours.
Add-AzureADDirectoryRoleMember -ObjectId 5997d714-c3b5-4d5b-9973-ec2f38fd49d5 -RefObjectId $sp.ObjectId
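The page shows how to register the task and the service principal but not the script the task actually runs, nor how the gMSA gets at the certificate's private key. The following is an added example (not code from the original page): the one-time admin step that grants the gMSA read access to the private key file, and the script body that runs under the gMSA, authenticates with the certificate only and pulls a read-only user list. The tenant ID, application ID, gMSA name, output path and the default CNG/CAPI key folders under %ProgramData% are assumptions, not values from the page.

```powershell
# Added example, not from the original page. Assumed placeholders: $TenantId, $ApplicationId,
# the gMSA name, $OutputCsv, and that the private key lives in the default machine key folders.
#Requires -Modules AzureAD

$TenantId      = '00000000-0000-0000-0000-000000000000'   # your tenant ID (not a secret)
$ApplicationId = '00000000-0000-0000-0000-000000000000'   # AppId of PSSSOApp from step 2 (not a secret)
$CertSubject   = 'CN=PSSSOApp'                           # certificate from step 3, in Cert:\LocalMachine\My
$OutputCsv     = 'C:\TrustedCode\testcode\users.csv'      # example output location

function Get-SsoCertificate {
    # Newest unexpired certificate with the expected subject that has a private key; fail loudly otherwise.
    $cert = Get-ChildItem -Path 'Cert:\LocalMachine\My' |
        Where-Object { $_.Subject -eq $CertSubject -and $_.NotAfter -gt (Get-Date) -and $_.HasPrivateKey } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { throw "No usable certificate with subject '$CertSubject' in the machine store." }
    return $cert
}

function Grant-PrivateKeyRead {
    # One-time step, run elevated by an administrator (not by the gMSA). Without it, Connect-AzureAD
    # under the gMSA fails with an access-denied / key-not-found error because the key file is owned
    # by SYSTEM and Administrators only. Read is sufficient: the task never exports or modifies the key.
    param([Parameter(Mandatory)][string]$GmsaAccount)   # e.g. 'contoso\Test-gMSA$'
    $cert = Get-SsoCertificate
    $rsa  = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        # CNG key storage provider (assumed default location)
        $keyFile = Join-Path "$env:ProgramData\Microsoft\Crypto\Keys" $rsa.Key.UniqueName
    } else {
        # Legacy CAPI provider (assumed default location)
        $keyFile = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $rsa.CspKeyContainerInfo.UniqueKeyContainerName
    }
    if (-not (Test-Path $keyFile)) { throw "Private key file not found at $keyFile" }
    icacls $keyFile /grant "${GmsaAccount}:(R)" | Out-Null
    Write-Output "Granted read on $keyFile to $GmsaAccount"
}

function Invoke-AzureAdPull {
    # Runs under the gMSA: authenticate with the certificate only. No password, client secret or
    # saved token is read from disk, so there is nothing for an attacker to lift from the host.
    $cert = Get-SsoCertificate
    try {
        # Touch the private key first so a permissions problem fails here with a clear message,
        # before any directory call is attempted.
        $null = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)

        Connect-AzureAD -TenantId $TenantId -ApplicationId $ApplicationId `
                        -CertificateThumbprint $cert.Thumbprint | Out-Null

        # The actual work: a read-only query, which is all the Directory Readers role from step 2 permits.
        $users = Get-AzureADUser -All $true |
                 Select-Object UserPrincipalName, AccountEnabled, ObjectId, UserType
        $users | Export-Csv -Path $OutputCsv -NoTypeInformation -Encoding UTF8
        Write-Output ("Exported {0} users to {1}" -f $users.Count, $OutputCsv)
    }
    catch {
        # A non-zero exit code surfaces in Task Scheduler's "Last Run Result" and in event ID 201,
        # so a broken certificate or revoked role is noticed instead of silently producing stale data.
        Write-Error $_
        exit 1
    }
    finally {
        # Drop the session so no cached token outlives the run.
        Disconnect-AzureAD -ErrorAction SilentlyContinue
    }
}

# Admin, once, elevated:   Grant-PrivateKeyRead -GmsaAccount 'contoso\Test-gMSA$'
# Scheduled task (as gMSA): the task's -File argument points at this script, which calls:
Invoke-AzureAdPull
```

Run Grant-PrivateKeyRead once from an elevated administrator session after installing the certificate, then let the scheduled task call Invoke-AzureAdPull. To confirm nothing credential-like is stored on the host, the only secrets involved are the gMSA password (held by AD and the host's LSASS, never on disk) and the private key (in the machine key store, readable but not exportable by the gMSA); the script file itself contains only identifiers.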