Create an account and log in to MSOL entirely from PowerShell

Time: 2016-04-18 01:07:26

Tags: azure azure-powershell

Normally, to create an account for logging in to MSOL (for Azure AD, since you can't use a Live ID), you log in to the portal, create the account, make that account a co-administrator, and then log in to MSOL.

Is it possible to perform these steps entirely through PowerShell?

I can log in with a Live ID and then create an account that I can use to log in to AAD entirely from PowerShell. That is, starting from a brand new Azure subscription, I can get logged in to AAD without going anywhere near the portal.

So far the only thing I've come up with is creating a service principal, but I haven't figured out how to grant it permissions on the directory without the portal or an MSOL admin account.

Failing that, a canonical answer as to why this isn't possible would suffice.

1 answer:

Answer 0 (score: 2)

You can use the Graph API to add a user to the subscription's default AD, and then use the REST API to assign that user as a classic administrator. Here is a PowerShell script I wrote.

$subscriptionID = "<the Subscription ID>"

# This is the tenant id of you subscription
$tenantID = "<the tenant id of your subscription>"

# The login endpoint. It can be https://login.microsoftonline.com/, too.
$loginEndpoint = "https://login.windows.net/"

# This is the resource URI for Graph API.
$graphResourceURI = "https://graph.windows.net/"

# This is the resource URI for Azure Management REST API. It can be https://management.azure.com/ for ARM
$managementResourceURI = "https://management.core.windows.net/"

# The redirect URI for PowerShell
$redirectURI = "urn:ietf:wg:oauth:2.0:oob"

# The common client id.
$clientID = "1950a258-227b-4e31-a9cf-717495945fc2"

# the URL for requesting the Authorization code.
$authorizeURLGraph = $loginEndpoint+$tenantID+"/oauth2/authorize?response_type=code&client_id="+$clientID+"&resource="+[system.uri]::EscapeDataString($graphResourceURI)+"&redirect_uri="+[system.uri]::EscapeDataString($redirectURI)

# Create an IE session in PowerShell
$ie = new-object -ComObject "InternetExplorer.Application"

# Set the IE session to be silent, so that it won't prompt for confirmation.
$ie.silent = $true

# Browsing the URL for requesting the Authorization code.
$ie.navigate($authorizeURLGraph)
while($ie.Busy) { Start-Sleep -Milliseconds 100 }

# Getting the Parameters from the redirect URL.
$parameters = $ie.LocationURL.Substring($redirectURI.length + 1).split("{&}")

# Identify Authorization code.
foreach ($parameter in $parameters){
    if ($parameter.substring(0,5) -eq "code="){
        $code = $parameter.substring(5)
        break
    }
}

# the URL for requesting access token.
$tokenURL = $loginEndpoint+$tenantID+"/oauth2/token"

# the token request body.
$body = "grant_type=authorization_code&client_id="+$clientID+"&code="+$code+"&redirect_uri="+[system.uri]::EscapeDataString($redirectURI)+"&resource="+[system.uri]::EscapeDataString($graphResourceURI)

# the token request headers.
$headers = @{"Content-Type"="application/x-www-form-urlencoded"}

# Acquiring an access token.
$authenticationResult = Invoke-RestMethod -Method POST -Uri $tokenURL -Headers $headers -Body $body

# Use the access token to setup headers for your http request.
$authHeader = $authenticationResult.token_type + " " + $authenticationResult.access_token
$headers = @{"Authorization"=$authHeader; "Content-Type"="application/json"}

# Create a user.
Invoke-RestMethod -Method POST -Uri "https://graph.windows.net/$tenantID/users?api-version=1.6-internal" `
                      -Headers $headers -InFile ./user.json

# The same as above, except the resource URI.
$authorizeURLGraph = $loginEndpoint+$tenantID+"/oauth2/authorize?response_type=code&client_id="+$clientID+"&resource="+[system.uri]::EscapeDataString($managementResourceURI)+"&redirect_uri="+[system.uri]::EscapeDataString($redirectURI)

$ie = new-object -ComObject "InternetExplorer.Application"

$ie.silent = $true

$ie.navigate($authorizeURLGraph)
while($ie.Busy) { Start-Sleep -Milliseconds 100 }

$parameters = $ie.LocationURL.Substring($redirectURI.length + 1).split("{&}")

foreach ($parameter in $parameters){
    if ($parameter.substring(0,5) -eq "code="){
        $code = $parameter.substring(5)
        break
    }
}

$tokenURL = $loginEndpoint+$tenantID+"/oauth2/token"

$body = "grant_type=authorization_code&client_id="+$clientID+"&code="+$code+"&redirect_uri="+[system.uri]::EscapeDataString($redirectURI)+"&resource="+[system.uri]::EscapeDataString($managementResourceURI)

$headers = @{"Content-Type"="application/x-www-form-urlencoded"}

$authenticationResult = Invoke-RestMethod -Method POST -Uri $tokenURL -Headers $headers -Body $body

$authHeader = $authenticationResult.token_type + " " + $authenticationResult.access_token
$headers = @{"Authorization"=$authHeader; "Content-Type"="application/json"}

# Assign the new user to be co-admin.
Invoke-RestMethod -Method PUT -Uri "https://management.azure.com/subscriptions/$subscriptionID/providers/Microsoft.Authorization/classicAdministrators/newAdmin?api-version=2015-06-01" `
                      -Headers $headers -InFile ./admin.json

Below are examples of user.json and admin.json.

user.json:

{
  "accountEnabled": true,
  "displayName": "graphtest",
  "mailNickname": "graphtest",
  "passwordProfile": {
    "password": "Test1234",
    "forceChangePasswordNextLogin": false
  },
  "userPrincipalName": "graphtest@<subdomain>.onmicrosoft.com"
}

admin.json:

{
  "properties": {
    "emailAddress": "graphtest@<subdomain>.onmicrosoft.com",
    "role": "CoAdministrator"
  },
  "type": "Microsoft.Authorization/classicAdministrators",
  "name": "newAdmin"
}

This PowerShell script depends on your IE session, so before using it you should log in with your Live ID in IE. I'm still looking into InPrivate browsing; hopefully I can log in from PowerShell instead of relying on the IE session.
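Two of the script's steps are fragile as written: the `substring(0,5)` loop silently yields no code when the browser lands on an error response (`error=access_denied...`) or never reaches the redirect URI, and `user.json` leaves the initial password in plain text on disk. The following is an added example (not the answerer's code) with two hypothetical helpers, `Get-OAuthCodeFromRedirect` and `New-GraphUserBody`, that harden those steps; it assumes Windows PowerShell with the .NET Framework `System.Web` assembly available.

```powershell
# Added example, not part of the original answer; helper names are hypothetical.
# Assumes Windows PowerShell (.NET Framework) so System.Web can be loaded.
Add-Type -AssemblyName System.Web

# Parse the URL the browser landed on and extract the authorization code.
# Handles three cases the original foreach loop does not: the location is not
# the redirect URI at all (still on the sign-in page), the response carries
# error= instead of code=, and a trailing parameter shorter than five chars.
function Get-OAuthCodeFromRedirect {
    param(
        [Parameter(Mandatory)][string]$LocationUrl,
        [string]$RedirectUri = "urn:ietf:wg:oauth:2.0:oob"
    )
    if (-not $LocationUrl.StartsWith($RedirectUri, [System.StringComparison]::OrdinalIgnoreCase)) {
        throw "Browser did not land on the redirect URI; current location: $LocationUrl"
    }
    $queryIndex = $LocationUrl.IndexOf('?')
    if ($queryIndex -lt 0) { throw "Redirect URL carries no query string" }
    $query = [System.Web.HttpUtility]::ParseQueryString($LocationUrl.Substring($queryIndex + 1))
    if ($query["error"]) {
        throw ("Authorization failed: {0}: {1}" -f $query["error"], $query["error_description"])
    }
    if ([string]::IsNullOrEmpty($query["code"])) { throw "Redirect URL carries no authorization code" }
    return $query["code"]
}

# Build the Graph user payload in memory with a generated password, so nothing
# like "Test1234" is written to user.json, and force a change at first sign-in.
function New-GraphUserBody {
    param(
        [Parameter(Mandatory)][string]$MailNickname,
        [Parameter(Mandatory)][string]$Domain   # e.g. <subdomain>.onmicrosoft.com
    )
    $password = [System.Web.Security.Membership]::GeneratePassword(16, 4)
    $user = @{
        accountEnabled    = $true
        displayName       = $MailNickname
        mailNickname      = $MailNickname
        userPrincipalName = "$MailNickname@$Domain"
        passwordProfile   = @{ password = $password; forceChangePasswordNextLogin = $true }
    }
    return ($user | ConvertTo-Json -Depth 3)
}

# Constructed sample redirect URLs for an offline check of the parser.
$good = "urn:ietf:wg:oauth:2.0:oob?code=CONSTRUCTED-SAMPLE-CODE&session_state=abc"
$bad  = "urn:ietf:wg:oauth:2.0:oob?error=access_denied&error_description=User+declined"
Get-OAuthCodeFromRedirect -LocationUrl $good
try { Get-OAuthCodeFromRedirect -LocationUrl $bad } catch { Write-Warning $_.Exception.Message }
```

In the answer's script, `$code = Get-OAuthCodeFromRedirect -LocationUrl $ie.LocationURL -RedirectUri $redirectURI` replaces each foreach loop, and `-Body (New-GraphUserBody -MailNickname "graphtest" -Domain "<subdomain>.onmicrosoft.com")` replaces `-InFile ./user.json`; the generated password exists only inside the returned JSON, so capture it from there if it must be handed to the new user.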