Connect to Azure AD from Powershell without prompt

Submitted by 白昼怎懂夜的黑 on 2020-01-25 04:34:07

Question


We have an Azure AD account with Multi-Factor Authentication enabled and are wondering if there is a way to connect to it without a prompt, that is without MFA, through PowerShell.

We've tried Connect-AzureAD -Credential, however it doesn't proceed when MFA is set up:

AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access...

If there is any way to have MFA set up and still connect through PowerShell, that would be much appreciated.


Answer 1:


No. If MFA is required, you cannot sign in programmatically as a user.

Interactive authentication is required in that case.

If you change your policies to allow authentication from that machine without MFA, then it will work.

You can also use a service principal for authentication instead of a user.
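A worked example of the service principal route mentioned in this answer, added here and not part of the original post: it signs in non-interactively with an app registration and a certificate credential, which is the supported way to run automation without a user prompt or MFA. It assumes the AzureAD module is installed, that an app registration already exists with the certificate's public key uploaded, and that the three placeholder values are replaced with your own.

```powershell
# Added example: app-only (service principal) sign-in to Azure AD with a certificate.
# Assumptions: AzureAD module installed; app registration exists with this certificate
# uploaded as a credential; the placeholder values below are replaced by the caller.
$tenantId   = '<tenant-id-placeholder>'              # assumed placeholder
$appId      = '<application-client-id-placeholder>'  # assumed placeholder
$thumbprint = '<certificate-thumbprint-placeholder>' # assumed placeholder

# The private key must be in the local certificate store; fail early if it is not.
$cert = Get-ChildItem -Path "Cert:\CurrentUser\My\$thumbprint" -ErrorAction Stop
if (-not $cert.HasPrivateKey) {
    throw "Certificate $thumbprint is present but has no private key"
}
if ($cert.NotAfter -lt (Get-Date)) {
    throw "Certificate $thumbprint expired on $($cert.NotAfter)"
}

# Sign in as the application, not as a user: no password, no MFA challenge.
Connect-AzureAD -TenantId $tenantId `
                -ApplicationId $appId `
                -CertificateThumbprint $thumbprint

# Confirm the session is bound to the expected tenant before doing any work.
$session = Get-AzureADCurrentSessionInfo
if ($session.TenantId.ToString() -ne $tenantId) {
    Disconnect-AzureAD
    throw "Connected to unexpected tenant $($session.TenantId)"
}
$session | Select-Object TenantId, Account, Environment
```

Grant the app registration only the directory permissions the script actually needs, and keep the private key on the host that runs the automation rather than copying it around; the certificate can be rotated in the app registration without touching any user account.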




Answer 2:


There is a slightly complex workaround.

You can connect directly to Azure AD with an access token:

Connect-AzureAD
       [-AzureEnvironmentName <EnvironmentName>]
       [-TenantId <String>]
       -AadAccessToken <String>
       [-MsAccessToken <String>]
       -AccountId <String>
       [-LogLevel <LogLevel>]
       [-LogFilePath <String>]
       [-InformationAction <ActionPreference>]
       [-InformationVariable <String>]
       [-WhatIf]
       [-Confirm]
       [<CommonParameters>]

And you can get an access token with a refresh token without a prompt.

To simply get a refresh token, an easy way is to use Fiddler. Open Fiddler and run Connect-AzureAD. You will be able to find the refresh token:

Then you can get a new access token and use it to connect to AAD as follows:

# The refresh token (redacted in the post)
$refresh_token="AQABAAAAAACQN9QBRU3jT6bcBQLZNUj7NLUSh_LtiE0dRWb-Vqb9RjUoNjK67G0DlSF65M_w6o1fAvQ******16Z4J0X-MEZSAA"

# Tenant id and account id
$tenant_id = "hanxia.onmicrosoft.com"
$account = "jack@hanxia.onmicrosoft.com"

# 1b730954-1685-4b74-9bfd-dac224a7b894 is a public client from Microsoft
$clientId = "1b730954-1685-4b74-9bfd-dac224a7b894"

# Azure AD v1 token endpoint for the tenant
$uri = "https://login.microsoftonline.com/${tenant_id}/oauth2/token"

# Redeem the refresh token for an access token scoped to the Azure AD Graph resource
$body = @{grant_type='refresh_token';resource='https://graph.windows.net';client_id=$clientId;refresh_token=$refresh_token}
$result = Invoke-RestMethod -Method Post -Uri $uri -Body $body
$accessToken = $result.access_token

# Connect to AAD with the access token instead of credentials
Connect-AzureAD -TenantId $tenant_id -AadAccessToken $accessToken -AccountId $account

Result

Note

The refresh token contains private information. You need to keep it safe.



Source: https://stackoverflow.com/questions/58552071/connect-to-azure-ad-from-powershell-without-prompt
