diff --git a/Modules/MSCloudLoginAssistant/ConnectionProfile.ps1 b/Modules/MSCloudLoginAssistant/ConnectionProfile.ps1 index 0b0692f..499d442 100644 --- a/Modules/MSCloudLoginAssistant/ConnectionProfile.ps1 +++ b/Modules/MSCloudLoginAssistant/ConnectionProfile.ps1 @@ -88,6 +88,10 @@ class Workload : ICloneable [ValidateSet('Credentials', 'CredentialsWithApplicationId', 'CredentialsWithTenantId', 'ServicePrincipalWithSecret', 'ServicePrincipalWithThumbprint', 'ServicePrincipalWithPath', 'Interactive', 'Identity', 'AccessTokens')] $AuthenticationType + [string] + [ValidateSet('Credentials', 'CredentialsWithApplicationId', 'CredentialsWithTenantId', 'ServicePrincipalWithSecret', 'ServicePrincipalWithThumbprint', 'ServicePrincipalWithPath', 'Interactive', 'Identity', 'AccessTokens')] + $RequestedAuthenticationType + [boolean] $Connected = $false 
@@ -227,43 +231,8 @@ class Workload : ICloneable } } - # Determine the Authentication Type - if ($this.ApplicationId -and $this.TenantId -and $this.CertificateThumbprint) - { - $this.AuthenticationType = 'ServicePrincipalWithThumbprint' - } - elseif ($this.ApplicationId -and $this.TenantId -and $this.ApplicationSecret) - { - $this.AuthenticationType = 'ServicePrincipalWithSecret' - } - elseif ($this.ApplicationId -and $this.TenantId -and $this.CertificatePath -and $this.CertificatePassword) - { - $this.AuthenticationType = 'ServicePrincipalWithPath' - } - elseif ($this.Credentials -and $this.ApplicationId) - { - $this.AuthenticationType = 'CredentialsWithApplicationId' - } - elseif ($this.Credentials -and $this.TenantId) - { - $this.AuthenticationType = 'CredentialsWithTenantId' - } - elseif ($this.Credentials) - { - $this.AuthenticationType = 'Credentials' - } - elseif ($this.Identity) - { - $this.AuthenticationType = 'Identity' - } - elseif ($this.AccessTokens -and -not [System.String]::IsNullOrEmpty($this.TenantId)) - { - $this.AuthenticationType = 'AccessTokens' - } - else - { - $this.AuthenticationType = 'Interactive' - } + # Update the AuthenticationType based on RequestedAuthenticationType + $this.AuthenticationType = $this.RequestedAuthenticationType Add-MSCloudLoginAssistantEvent -Message "`$this.AuthenticationType determined to be {$($this.AuthenticationType)}" -Source $source } } @@ -418,6 +387,7 @@ class DefenderForEndpoint:Workload DefenderForEndpoint() { + $this.ApplicationId = "1950a258-227b-4e31-a9cf-717495945fc2" } [void] Connect() @@ -608,6 +578,7 @@ class Fabric:Workload Fabric() { + $this.ApplicationId = "23d8f6bd-1eb0-4cc2-a08c-7bf525c67bcd" # Power BI PowerShell } [void] Connect() diff --git a/Modules/MSCloudLoginAssistant/MSCloudLoginAssistant.psm1 b/Modules/MSCloudLoginAssistant/MSCloudLoginAssistant.psm1 index 1d16348..5360010 100644 --- a/Modules/MSCloudLoginAssistant/MSCloudLoginAssistant.psm1 
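Review bot: `$this.AuthenticationType = $this.RequestedAuthenticationType` copies a property that, within this diff, is only populated by Connect-M365Tenant, so a Workload whose RequestedAuthenticationType was never set ends up with an empty AuthenticationType and the event on the next line logs `{}`; the removed branch chain always fell back to 'Interactive'. A guard before the assignment such as `if ([System.String]::IsNullOrEmpty($this.RequestedAuthenticationType)) { $this.RequestedAuthenticationType = 'Interactive' }` keeps that default. The removed derivation also doubled as a check that the profile held the material the type implies (a thumbprint for ServicePrincipalWithThumbprint, a secret for ServicePrincipalWithSecret); the profile is now trusted and a mismatch only surfaces when the workload's Connect() runs, which is worth a comment above the assignment. The enclosing method starts outside the hunk.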
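Review bot: The DefenderForEndpoint constructor now hard-codes `$this.ApplicationId = "1950a258-227b-4e31-a9cf-717495945fc2"` without saying which application the id belongs to, while the Fabric hunk in the same file labels its id `# Power BI PowerShell`; a comment naming the first-party app (it looks like the public Microsoft Azure PowerShell client id, please confirm) would stop a future reader from treating it as a tenant-specific value. Since Get-AuthenticationTypeFromParameters only inspects the parameters bound on the call, this constructor default does not alter the derived authentication type, which is worth stating in the same comment.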
+++ b/Modules/MSCloudLoginAssistant/MSCloudLoginAssistant.psm1 
@@ -110,29 +110,38 @@ function Connect-M365Tenant { $Script:MSCloudLoginConnectionProfile = New-Object MSCloudLoginConnectionProfile } - # Only validate the parameters if we are not already connected - elseif ($Script:MSCloudLoginConnectionProfile.$workloadInternalName.Connected ` - -and (Compare-InputParametersForChange -CurrentParamSet $PSBoundParameters)) - { - Add-MSCloudLoginAssistantEvent -Message "Resetting connection for workload $workloadInternalName" -Source $source - $Script:MSCloudLoginConnectionProfile.$workloadInternalName.Connected = $false - } Add-MSCloudLoginAssistantEvent -Message "Checking connection to platform {$Workload}" -Source $source + $authenticationParameters = @{} foreach ($parameter in $PSBoundParameters.GetEnumerator()) { if ($parameter.Key -eq 'Credential') { - $Script:MSCloudLoginConnectionProfile.$workloadInternalName.Credentials = $parameter.Value + $authenticationParameters.Add('Credentials', $parameter.Value) } else { if ($parameter.Key -in @('AccessTokens', 'ApplicationId', 'ApplicationSecret', 'CertificateThumbprint', 'CertificatePath', 'CertificatePassword', 'Identity', 'Endpoints', 'TenantId', 'TenantGUID')) { - $Script:MSCloudLoginConnectionProfile.$workloadInternalName.($parameter.Key) = $parameter.Value + $authenticationParameters.Add($parameter.Key, $parameter.Value) } } } + $Script:MSCloudLoginConnectionProfile.$workloadInternalName.RequestedAuthenticationType = Get-AuthenticationTypeFromParameters -AuthenticationObject $authenticationParameters + + # Only validate the parameters if we are not already connected + if ($Script:MSCloudLoginConnectionProfile.$workloadInternalName.Connected ` + -and (Compare-InputParametersForChange -CurrentParamSet $PSBoundParameters)) + { + Add-MSCloudLoginAssistantEvent -Message "Resetting connection for workload $workloadInternalName" -Source $source + $Script:MSCloudLoginConnectionProfile.$workloadInternalName.Connected = $false + } + + # Apply the parameters to the connection profile + 
foreach ($key in $authenticationParameters.Keys) + { + $Script:MSCloudLoginConnectionProfile.$workloadInternalName.($key) = $authenticationParameters[$key] + } switch ($Workload) { @@ -273,6 +282,58 @@ function Connect-M365Tenant } } +function Get-AuthenticationTypeFromParameters +{ + [CmdletBinding()] + [OutputType([System.String])] + param + ( + [Parameter(Mandatory = $true)] + [System.Object] + $AuthenticationObject + ) + + $authenticationType = '' + if ($AuthenticationObject.ApplicationId -and $AuthenticationObject.TenantId -and $AuthenticationObject.CertificateThumbprint) + { + $authenticationType = 'ServicePrincipalWithThumbprint' + } + elseif ($AuthenticationObject.ApplicationId -and $AuthenticationObject.TenantId -and $AuthenticationObject.ApplicationSecret) + { + $authenticationType = 'ServicePrincipalWithSecret' + } + elseif ($AuthenticationObject.ApplicationId -and $AuthenticationObject.TenantId -and $AuthenticationObject.CertificatePath -and $AuthenticationObject.CertificatePassword) + { + $authenticationType = 'ServicePrincipalWithPath' + } + elseif ($AuthenticationObject.Credentials -and $AuthenticationObject.ApplicationId) + { + $authenticationType = 'CredentialsWithApplicationId' + } + elseif ($AuthenticationObject.Credentials -and $AuthenticationObject.TenantId) + { + $authenticationType = 'CredentialsWithTenantId' + } + elseif ($AuthenticationObject.Credentials) + { + $authenticationType = 'Credentials' + } + elseif ($AuthenticationObject.Identity) + { + $authenticationType = 'Identity' + } + elseif ($AuthenticationObject.AccessTokens -and -not [System.String]::IsNullOrEmpty($AuthenticationObject.TenantId)) + { + $authenticationType = 'AccessTokens' + } + else + { + $authenticationType = 'Interactive' + } + + return $authenticationType +} + <# .SYNOPSIS This function returns the connection profile for a specific workload. 
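Review bot: When Compare-InputParametersForChange triggers the reset inside the new `if ($Script:MSCloudLoginConnectionProfile.$workloadInternalName.Connected ...)` block, the apply loop that follows only overwrites the keys bound on the current call, so credential material from the previous connection (Credentials, ApplicationSecret, CertificateThumbprint, CertificatePath/CertificatePassword, AccessTokens, and the Identity flag) stays on the profile next to the newly requested type. That keeps a secret alive in the session longer than needed and leaves the workload's Connect() reading, say, a stale ApplicationSecret under a 'Credentials' request. Clearing those properties inside the reset branch, before the apply loop, makes the profile reflect only the current request; the sketch below leaves Identity out because its declared type is not visible here. Connect-M365Tenant continues outside the hunk.
```powershell
# … unchanged: RequestedAuthenticationType assignment …
if ($Script:MSCloudLoginConnectionProfile.$workloadInternalName.Connected `
    -and (Compare-InputParametersForChange -CurrentParamSet $PSBoundParameters))
{
    Add-MSCloudLoginAssistantEvent -Message "Resetting connection for workload $workloadInternalName" -Source $source
    $Script:MSCloudLoginConnectionProfile.$workloadInternalName.Connected = $false

    # Drop credential material from the previous connection so the profile only
    # carries what the current request supplied.
    foreach ($staleKey in @('Credentials', 'ApplicationSecret', 'CertificateThumbprint', 'CertificatePath', 'CertificatePassword', 'AccessTokens'))
    {
        $Script:MSCloudLoginConnectionProfile.$workloadInternalName.($staleKey) = $null
    }
}
# … unchanged: apply the parameters to the connection profile …
```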
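Review bot: Get-AuthenticationTypeFromParameters has no comment-based help although the neighbouring functions in this file carry a `<# .SYNOPSIS #>` block, and its `[System.Object] $AuthenticationObject` parameter gives no hint that a hashtable keyed like the Workload properties (Credentials, ApplicationId, TenantId, CertificateThumbprint, ...) is expected. I would add a header with .SYNOPSIS 'Derives the AuthenticationType name from the supplied authentication parameters', a .PARAMETER AuthenticationObject entry listing the keys the function reads, and .OUTPUTS noting that it always returns one of the ValidateSet names and falls back to 'Interactive'. Because the branch order decides the result (Credentials plus ApplicationId plus TenantId yields CredentialsWithApplicationId, never CredentialsWithTenantId), a one-line comment above the chain saying the first match wins would protect future edits.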
@@ -486,7 +547,6 @@ function Compare-InputParametersForChange $currentParameters.Remove('ErrorAction') | Out-Null $globalParameters = @{} - $workloadProfile = $Script:MSCloudLoginConnectionProfile if ($null -eq $workloadProfile) @@ -499,7 +559,6 @@ function Compare-InputParametersForChange else { $workload = $currentParameters['Workload'] - if ($Workload -eq 'MicrosoftTeams') { $workloadInternalName = 'Teams' @@ -515,6 +574,13 @@ function Compare-InputParametersForChange $workloadProfile = $Script:MSCloudLoginConnectionProfile.$workloadInternalName } + if ($workloadProfile.RequestedAuthenticationType -ne $workloadProfile.AuthenticationType) + { + # Authentication type changed, so we need to reconnect + Add-MSCloudLoginAssistantEvent -Message "Authentication type changed from {$($workloadProfile.AuthenticationType)} to {$($workloadProfile.RequestedAuthenticationType)}" -Source $source + return $true + } + # Clean the global Params if (-not [System.String]::IsNullOrEmpty($workloadProfile.TenantId)) { @@ -585,7 +651,6 @@ function Compare-InputParametersForChange } # Clean the current parameters - # Remove the workload, as we don't need to compare that $currentParameters.Remove('Workload') | Out-Null 
@@ -624,12 +689,14 @@ function Compare-InputParametersForChange if ($null -ne $globalParameters) { - $diffKeys = Compare-Object -ReferenceObject @($currentParameters.Keys) -DifferenceObject @($globalParameters.Keys) -PassThru - $compareValues = @($currentParameters.Values) | Where-Object { $_ -ne $null } - $diffValues = Compare-Object -ReferenceObject $compareValues -DifferenceObject @($globalParameters.Values) -PassThru + # Only check the keys that exist in both hashtables because the authentication method is guaranteed to be the same + $keysToCheck = Compare-Object -ReferenceObject @($currentParameters.Keys) -DifferenceObject @($globalParameters.Keys) -PassThru -ExcludeDifferent + $currentValues = $currentParameters.GetEnumerator() | Where-Object { $keysToCheck -contains $_.Key } | ForEach-Object { $_.Value } + $globalValues = $globalParameters.GetEnumerator() | Where-Object { $keysToCheck -contains $_.Key } | ForEach-Object { $_.Value } + $diffValues = Compare-Object -ReferenceObject $currentValues -DifferenceObject @($globalValues) -PassThru } - if ($null -eq $diffKeys -and $null -eq $diffValues) + if ($null -eq $diffValues) { # no differences were found return $false @@ -1249,7 +1316,7 @@ function Get-AuthToken { $deviceEndpoint = "$AuthorizationUrl/$TenantId/oauth2/v2.0/devicecode" $deviceBody = @{ client_id = $ClientId - scope = $Scope + scope = $(if ($useResource) { $Resource } else { $Scope } ) } $deviceCodeResponse = Invoke-RestMethod -Method Post -Uri $deviceEndpoint -Body $deviceBody -ContentType 'application/x-www-form-urlencoded' 
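Review bot: `Compare-Object ... -PassThru -ExcludeDifferent` without `-IncludeEqual` returns nothing under Windows PowerShell 5.1 (only PowerShell 7.1 and later make -ExcludeDifferent imply -IncludeEqual), so on 5.1 `$keysToCheck` is $null, `$keysToCheck -contains $_.Key` is always false, and `Compare-Object -ReferenceObject $currentValues` is invoked with $null, which fails parameter binding; `$diffValues` is then still $null, the function reports no difference and a changed parameter never resets the connection. Change the first line to `$keysToCheck = Compare-Object -ReferenceObject @($currentParameters.Keys) -DifferenceObject @($globalParameters.Keys) -PassThru -IncludeEqual -ExcludeDifferent` and guard the value comparison with `if ($null -ne $keysToCheck)` (or wrap the reference side in `@()` as the removed code did) so an empty intersection is handled instead of erroring. Dropping the removed `$diffKeys` check also means a parameter present on only one side no longer counts as a change; the new comment asserts the authentication type covers this, which holds for the keys Get-AuthenticationTypeFromParameters inspects but not obviously for the rest of the accepted list (Endpoints, TenantGUID), so worth confirming. Compare-InputParametersForChange continues outside the hunk.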
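Review bot: `scope = $(if ($useResource) { $Resource } else { $Scope } )` sends a v1-style resource identifier in the `scope` field of a `/oauth2/v2.0/devicecode` request (the endpoint is built two lines above); the v2.0 endpoint expects scope syntax, so this only works if `$Resource` already carries a `/.default` suffix, which the hunk does not show. If `$Resource` is a bare resource URI, something like `if ($useResource) { "$($Resource.TrimEnd('/'))/.default" } else { $Scope }` would express the intent; either way a one-line comment stating the assumption about the shape of `$Resource` belongs here. `$useResource` is set outside the hunk, so its meaning could not be checked.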
@@ -1322,3 +1389,290 @@ function Get-AuthToken { return $response.access_token } + +<# +.SYNOPSIS + Generic connection function for REST API-based workloads that use OAuth tokens. + +.DESCRIPTION + This function handles the common authentication patterns for workloads that connect + via REST APIs and OAuth tokens. It supports Credentials, Credentials with MFA (DeviceCode), + ServicePrincipalWithSecret, ServicePrincipalWithThumbprint, ServicePrincipalWithPath, + Identity, and AccessTokens authentication methods. + +.PARAMETER WorkloadName + The name of the workload being connected to (used for logging and accessing connection profile). + +.PARAMETER AuthorizationUrl + The OAuth authorization URL endpoint. + +.PARAMETER Scope + The OAuth scope to request (for v2.0 endpoints). + +.PARAMETER Resource + The OAuth resource to request (for v1.0 endpoints). Either Scope or Resource should be provided. + +.PARAMETER ClientId + The client/application ID for delegated auth flows. + +.PARAMETER SupportedAuthMethods + An array of supported authentication methods for this workload. + +.PARAMETER TokenExpireCheckMinutes + Number of minutes before token expiration to trigger renewal. Default is 50. 
+ +.EXAMPLE + Connect-MSCloudLoginRESTWorkload -WorkloadName 'AdminAPI' -AuthorizationUrl $authUrl -Resource $resource -ClientId $clientId +#> +function Connect-MSCloudLoginRESTWorkload +{ + [CmdletBinding()] + param( + [Parameter(Mandatory = $true)] + [System.String] + $WorkloadName, + + [Parameter()] + [System.String] + $AuthorizationUrl, + + [Parameter()] + [System.String] + $Scope, + + [Parameter()] + [System.String] + $Resource, + + [Parameter()] + [System.String] + $ClientId, + + [Parameter()] + [System.String[]] + $SupportedAuthMethods = @('Credentials', 'CredentialsWithApplicationId', 'CredentialsWithTenantId', 'ServicePrincipalWithThumbprint', 'ServicePrincipalWithSecret', 'ServicePrincipalWithPath', 'Identity', 'AccessTokens'), + + [Parameter()] + [System.Int32] + $TokenExpireCheckMinutes = 50 + ) + + $InformationPreference = 'SilentlyContinue' + $ProgressPreference = 'SilentlyContinue' + $source = "Connect-MSCloudLoginRESTWorkload ($WorkloadName)" + + $workloadProfile = $Script:MSCloudLoginConnectionProfile.$WorkloadName + $authType = $workloadProfile.AuthenticationType + + # Token expiration check for applicable auth types + if ($workloadProfile.Connected) + { + $tokenBasedAuthTypes = @('ServicePrincipalWithSecret', 'Identity') + if ($authType -in $tokenBasedAuthTypes -and ` + (Get-Date -Date $workloadProfile.ConnectedDateTime) -lt [System.DateTime]::Now.AddMinutes(-$TokenExpireCheckMinutes)) + { + Add-MSCloudLoginAssistantEvent -Message 'Token is about to expire, renewing' -Source $source + $workloadProfile.Connected = $false + } + else + { + return + } + } + + # Validate authentication method is supported + if ($authType -notin $SupportedAuthMethods) + { + throw "Authentication method '$authType' is not supported for workload '$WorkloadName'. 
Supported methods: $($SupportedAuthMethods -join ', ')" + } + + try + { + # Determine TenantId + $tenantId = $workloadProfile.TenantId + if ([System.String]::IsNullOrEmpty($tenantId) -and $null -ne $workloadProfile.Credentials) + { + $tenantId = $workloadProfile.Credentials.UserName.Split('@')[1] + } + + $accessToken = $null + $useMFA = $false + + switch ($authType) + { + { $_ -in @('Credentials', 'CredentialsWithApplicationId', 'CredentialsWithTenantId') } + { + Add-MSCloudLoginAssistantEvent -Message 'Attempting to connect with user credentials' -Source $source + $authParams = @{ + AuthorizationUrl = $AuthorizationUrl + Credentials = $workloadProfile.Credentials + TenantId = $tenantId + ClientId = if ($workloadProfile.ApplicationId) { $workloadProfile.ApplicationId } else { $ClientId } + } + + if ($Resource) + { + $authParams.Resource = $Resource + } + else + { + $authParams.Scope = $Scope + } + + try + { + $tokenResponse = Get-AuthToken @authParams + $accessToken = "$($tokenResponse.token_type) $($tokenResponse.access_token)" + } + catch + { + if ($_.ErrorDetails.Message -like '*AADSTS50076*') + { + Add-MSCloudLoginAssistantEvent -Message 'Account requires MFA, using device code flow' -Source $source + $authParams.DeviceCode = $true + $tokenResponse = Get-AuthToken @authParams + $accessToken = "$($tokenResponse.token_type) $($tokenResponse.access_token)" + $useMFA = $true + } + else + { + throw + } + } + } + + 'ServicePrincipalWithThumbprint' + { + Add-MSCloudLoginAssistantEvent -Message "Attempting to connect using certificate thumbprint" -Source $source + $authParams = @{ + AuthorizationUrl = $AuthorizationUrl + CertificateThumbprint = $workloadProfile.CertificateThumbprint + TenantId = $tenantId + ClientId = $workloadProfile.ApplicationId + } + + if ($Resource) + { + $authParams.Resource = $Resource + } + else + { + $authParams.Scope = $Scope + } + + $tokenResponse = Get-AuthToken @authParams + $accessToken = "Bearer $($tokenResponse.access_token)" + } + + 
'ServicePrincipalWithSecret' + { + Add-MSCloudLoginAssistantEvent -Message 'Attempting to connect using application secret' -Source $source + $authParams = @{ + AuthorizationUrl = $AuthorizationUrl + ClientSecret = $workloadProfile.ApplicationSecret + TenantId = $tenantId + ClientId = $workloadProfile.ApplicationId + } + + if ($Resource) + { + $authParams.Resource = $Resource + } + else + { + $authParams.Scope = $Scope + } + + $tokenResponse = Get-AuthToken @authParams + $accessToken = "$($tokenResponse.token_type) $($tokenResponse.access_token)" + } + + 'ServicePrincipalWithPath' + { + Add-MSCloudLoginAssistantEvent -Message 'Attempting to connect using certificate path' -Source $source + $authParams = @{ + AuthorizationUrl = $AuthorizationUrl + CertificatePath = $workloadProfile.CertificatePath + CertificatePassword = $workloadProfile.CertificatePassword + TenantId = $tenantId + ClientId = $workloadProfile.ApplicationId + } + + if ($Resource) + { + $authParams.Resource = $Resource + } + else + { + $authParams.Scope = $Scope + } + + $tokenResponse = Get-AuthToken @authParams + $accessToken = "Bearer $($tokenResponse.access_token)" + } + + 'Identity' + { + Add-MSCloudLoginAssistantEvent -Message 'Attempting to connect using Managed Identity' -Source $source + $resourceValue = if ($Resource) { $Resource } else { $Scope -replace '/\.default$', '' } + $tokenValue = Get-AuthToken -Resource $resourceValue -Identity + $accessToken = "Bearer $tokenValue" + } + + 'AccessTokens' + { + Add-MSCloudLoginAssistantEvent -Message 'Using provided access token' -Source $source + $providedToken = $workloadProfile.AccessTokens[0] + $accessToken = if ($providedToken -like 'Bearer *') { $providedToken } else { "Bearer $providedToken" } + } + } + + # Set the access token and connection state + $workloadProfile.AccessToken = $accessToken + $workloadProfile.ConnectedDateTime = [System.DateTime]::Now.ToString() + $workloadProfile.Connected = $true + 
$workloadProfile.MultiFactorAuthentication = $useMFA + + Add-MSCloudLoginAssistantEvent -Message "Successfully connected to $WorkloadName" -Source $source + } + catch + { + $workloadProfile.Connected = $false + throw + } +} + +<# +.SYNOPSIS + Generic disconnect function for REST API-based workloads. + +.DESCRIPTION + This function handles the disconnect logic for workloads that use REST APIs. + +.PARAMETER WorkloadName + The name of the workload to disconnect from. +#> +function Disconnect-MSCloudLoginRESTWorkload +{ + [CmdletBinding()] + param( + [Parameter(Mandatory = $true)] + [System.String] + $WorkloadName + ) + + $source = "Disconnect-MSCloudLoginRESTWorkload ($WorkloadName)" + $workloadProfile = $Script:MSCloudLoginConnectionProfile.$WorkloadName + + if ($workloadProfile.Connected) + { + Add-MSCloudLoginAssistantEvent -Message "Attempting to disconnect from $WorkloadName" -Source $source + $workloadProfile.Connected = $false + $workloadProfile.AccessToken = $null + Add-MSCloudLoginAssistantEvent -Message "Successfully disconnected from $WorkloadName" -Source $source + } + else + { + Add-MSCloudLoginAssistantEvent -Message "No connections to $WorkloadName were found" -Source $source + } +} diff --git a/Modules/MSCloudLoginAssistant/Workloads/AdminAPI.ps1 b/Modules/MSCloudLoginAssistant/Workloads/AdminAPI.ps1 index df13292..1fc9c64 100644 --- a/Modules/MSCloudLoginAssistant/Workloads/AdminAPI.ps1 +++ b/Modules/MSCloudLoginAssistant/Workloads/AdminAPI.ps1 
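Review bot: The help text says 'Either Scope or Resource should be provided', but Connect-MSCloudLoginRESTWorkload never checks it: every branch does `$authParams.Scope = $Scope` when `$Resource` is empty, so a caller that passes neither (or a $null Scope, as the AdminAPI hunk in this diff appears to) issues a token request with an empty scope and the failure only surfaces as an opaque error from Get-AuthToken. A guard right after the `$SupportedAuthMethods` check, `if ([System.String]::IsNullOrEmpty($Scope) -and [System.String]::IsNullOrEmpty($Resource)) { throw "Either Scope or Resource must be provided for workload '$WorkloadName'." }`, fails early with a clear message. Separately, the renewal list `$tokenBasedAuthTypes = @('ServicePrincipalWithSecret', 'Identity')` leaves ServicePrincipalWithThumbprint and ServicePrincipalWithPath connections with a token that is never refreshed although those tokens expire as well; unless they are refreshed elsewhere, adding the two names to that array is a one-line fix. The AccessTokens branch also reads `$workloadProfile.AccessTokens[0]` without checking that the array is non-empty.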
@@ -3,166 +3,9 @@ function Connect-MSCloudLoginAdminAPI [CmdletBinding()] param() - $InformationPreference = 'SilentlyContinue' - $ProgressPreference = 'SilentlyContinue' - $source = 'Connect-MSCloudLoginAdminAPI' - - if ($Script:MSCloudLoginConnectionProfile.AdminAPI.Connected) - { - if (($Script:MSCloudLoginConnectionProfile.AdminAPI.AuthenticationType -eq 'ServicePrincipalWithSecret' ` - -or $Script:MSCloudLoginConnectionProfile.AdminAPI.AuthenticationType -eq 'Identity') ` - -and (Get-Date -Date $Script:MSCloudLoginConnectionProfile.AdminAPI.ConnectedDateTime) -lt [System.DateTime]::Now.AddMinutes(-50)) - { - Add-MSCloudLoginAssistantEvent -Message 'Token is about to expire, renewing' -Source $source - $Script:MSCloudLoginConnectionProfile.AdminAPI.Connected = $false - } - } - - try - { - if ($Script:MSCloudLoginConnectionProfile.AdminAPI.AuthenticationType -eq 'CredentialsWithApplicationId' -or - $Script:MSCloudLoginConnectionProfile.AdminAPI.AuthenticationType -eq 'Credentials' -or - $Script:MSCloudLoginConnectionProfile.AdminAPI.AuthenticationType -eq 'CredentialsWithTenantId') - { - Add-MSCloudLoginAssistantEvent -Message 'Will try connecting with user credentials' -Source $source - Connect-MSCloudLoginAdminAPIWithUser - } - elseif ($Script:MSCloudLoginConnectionProfile.AdminAPI.AuthenticationType -eq 'ServicePrincipalWithThumbprint') - { - Add-MSCloudLoginAssistantEvent -Message "Attempting to connect to Admin API using AAD App {$ApplicationID}" -Source $source - Connect-MSCloudLoginAdminAPIWithCertificateThumbprint - } - elseif ($Script:MSCloudLoginConnectionProfile.AdminAPI.AuthenticationType -eq 'AccessTokens') - { - Add-MSCloudLoginAssistantEvent -Message 'Using provided access token to connect to Admin API' -Source $source - $accessToken = if ($Script:MSCloudLoginConnectionProfile.AdminAPI.AccessTokens[0] -like 'Bearer *') - { - $Script:MSCloudLoginConnectionProfile.AdminAPI.AccessTokens[0] - } - else - { - 'Bearer ' + 
$Script:MSCloudLoginConnectionProfile.AdminAPI.AccessTokens[0] - } - $Script:MSCloudLoginConnectionProfile.AdminAPI.AccessToken = $accessToken - } - elseif ($Script:MSCloudLoginConnectionProfile.AdminAPI.AuthenticationType -eq 'Identity') - { - Add-MSCloudLoginAssistantEvent -Message 'Attempting to connect to Admin API using Managed Identity' -Source $source - $accessToken = Get-AuthToken -Resource $Script:MSCloudLoginConnectionProfile.AdminAPI.Resource -Identity - $Script:MSCloudLoginConnectionProfile.AdminAPI.AccessToken = 'Bearer ' + $accessToken - } - else - { - throw 'Specified authentication method is not supported.' - } - - $Script:MSCloudLoginConnectionProfile.AdminAPI.ConnectedDateTime = [System.DateTime]::Now.ToString() - $Script:MSCloudLoginConnectionProfile.AdminAPI.Connected = $true - $Script:MSCloudLoginConnectionProfile.AdminAPI.MultiFactorAuthentication = $false - Add-MSCloudLoginAssistantEvent -Message "Successfully connected to Admin API using AAD App {$ApplicationID}" -Source $source - } - catch - { - throw $_ - } -} - -function Connect-MSCloudLoginAdminAPIWithUser -{ - [CmdletBinding()] - param() - - $source = 'Connect-MSCloudLoginAdminAPIWithUser' - - if ([System.String]::IsNullOrEmpty($Script:MSCloudLoginConnectionProfile.AdminAPI.TenantId)) - { - $tenantId = $Script:MSCloudLoginConnectionProfile.AdminAPI.Credentials.UserName.Split('@')[1] - } - else - { - $tenantId = $Script:MSCloudLoginConnectionProfile.AdminAPI.TenantId - } - - try - { - $managementToken = Get-AuthToken -AuthorizationUrl $Script:MSCloudLoginConnectionProfile.AdminAPI.AuthorizationUrl ` - -Credentials $Script:MSCloudLoginConnectionProfile.AdminAPI.Credentials ` - -TenantId $tenantId ` - -ClientId $Script:MSCloudLoginConnectionProfile.AdminAPI.ApplicationId ` - -Resource $Script:MSCloudLoginConnectionProfile.AdminAPI.Resource - - $Script:MSCloudLoginConnectionProfile.AdminAPI.AccessToken = $managementToken.token_type.ToString() + ' ' + $managementToken.access_token.ToString() 
- $Script:MSCloudLoginConnectionProfile.AdminAPI.Connected = $true - $Script:MSCloudLoginConnectionProfile.AdminAPI.ConnectedDateTime = [System.DateTime]::Now.ToString() - } - catch - { - if ($_.ErrorDetails.Message -like '*AADSTS50076*') - { - Add-MSCloudLoginAssistantEvent -Message 'Account used required MFA' -Source $source - Connect-MSCloudLoginAdminAPIWithUserMFA - } - else - { - $Script:MSCloudLoginConnectionProfile.AdminAPI.Connected = $false - throw $_ - } - } -} -function Connect-MSCloudLoginAdminAPIWithUserMFA -{ - [CmdletBinding()] - param() - - if ([System.String]::IsNullOrEmpty($Script:MSCloudLoginConnectionProfile.AdminAPI.TenantId)) - { - $tenantid = $Script:MSCloudLoginConnectionProfile.AdminAPI.Credentials.UserName.Split('@')[1] - } - else - { - $tenantId = $Script:MSCloudLoginConnectionProfile.AdminAPI.TenantId - } - - $managementToken = Get-AuthToken -AuthorizationUrl $Script:MSCloudLoginConnectionProfile.AdminAPI.AuthorizationUrl ` - -Credentials $Script:MSCloudLoginConnectionProfile.AdminAPI.Credentials ` - -TenantId $tenantId ` + Connect-MSCloudLoginRESTWorkload -WorkloadName 'AdminAPI' ` + -AuthorizationUrl $Script:MSCloudLoginConnectionProfile.AdminAPI.AuthorizationUrl ` + -Scope $Script:MSCloudLoginConnectionProfile.AdminAPI.Scope ` -ClientId $Script:MSCloudLoginConnectionProfile.AdminAPI.ApplicationId ` - -Resource $Script:MSCloudLoginConnectionProfile.AdminAPI.Resource ` - -DeviceCode - - $Script:MSCloudLoginConnectionProfile.AdminAPI.AccessToken = $managementToken.token_type.ToString() + ' ' + $managementToken.access_token.ToString() - $Script:MSCloudLoginConnectionProfile.AdminAPI.Connected = $true - $Script:MSCloudLoginConnectionProfile.AdminAPI.MultiFactorAuthentication = $true - $Script:MSCloudLoginConnectionProfile.AdminAPI.ConnectedDateTime = [System.DateTime]::Now.ToString() -} - -function Connect-MSCloudLoginAdminAPIWithCertificateThumbprint -{ - [CmdletBinding()] - param() - - $ProgressPreference = 'SilentlyContinue' - $source = 
'Connect-MSCloudLoginAdminAPIWithCertificateThumbprint' - - Add-MSCloudLoginAssistantEvent -Message 'Attempting to connect to AdminAPI using CertificateThumbprint' -Source $source - $tenantId = $Script:MSCloudLoginConnectionProfile.AdminAPI.TenantId - - try - { - $request = Get-AuthToken -AuthorizationUrl $Script:MSCloudLoginConnectionProfile.AdminAPI.AuthorizationUrl ` - -CertificateThumbprint $Script:MSCloudLoginConnectionProfile.AdminAPI.CertificateThumbprint ` - -ClientId $Script:MSCloudLoginConnectionProfile.AdminAPI.ApplicationId ` - -Resource $Script:MSCloudLoginConnectionProfile.AdminAPI.Resource ` - -TenantId $tenantId - - $Script:MSCloudLoginConnectionProfile.AdminAPI.AccessToken = 'Bearer ' + $Request.access_token - Add-MSCloudLoginAssistantEvent -Message 'Successfully connected to the Admin API using Certificate Thumbprint' -Source $source - - $Script:MSCloudLoginConnectionProfile.AdminAPI.Connected = $true - $Script:MSCloudLoginConnectionProfile.AdminAPI.ConnectedDateTime = [System.DateTime]::Now.ToString() - } - catch - { - throw $_ - } + -SupportedAuthMethods @('AccessTokens', 'Credentials', 'CredentialsWithApplicationId', 'CredentialsWithTenantId', 'Identity', 'ServicePrincipalWithPath', 'ServicePrincipalWithSecret', 'ServicePrincipalWithThumbprint') } diff --git a/Modules/MSCloudLoginAssistant/Workloads/Azure.ps1 b/Modules/MSCloudLoginAssistant/Workloads/Azure.ps1 index 1f34806..187654e 100644 --- a/Modules/MSCloudLoginAssistant/Workloads/Azure.ps1 +++ b/Modules/MSCloudLoginAssistant/Workloads/Azure.ps1 @@ -3,7 +3,6 @@ function Connect-MSCloudLoginAzure [CmdletBinding()] param() - $InformationPreference = 'SilentlyContinue' $ProgressPreference = 'SilentlyContinue' $source = 'Connect-MSCloudLoginAzure' # If the current profile is not the same we expect, make the switch. 
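Review bot: The new call passes `-Scope $Script:MSCloudLoginConnectionProfile.AdminAPI.Scope` where the removed code passed `-Resource $Script:MSCloudLoginConnectionProfile.AdminAPI.Resource`, and nothing in this diff shows a Scope property on the AdminAPI profile; the .EXAMPLE for Connect-MSCloudLoginRESTWorkload itself documents AdminAPI with `-Resource`. If Scope does not exist, the argument is $null and every token request for this workload goes out with an empty scope. Either keep `-Resource $Script:MSCloudLoginConnectionProfile.AdminAPI.Resource` or confirm that the profile receives a Scope value in a change outside this diff. The removed implementation only handled Credentials, ServicePrincipalWithThumbprint, AccessTokens and Identity; the new `-SupportedAuthMethods` list also admits ServicePrincipalWithSecret and ServicePrincipalWithPath, which is reasonable but is a behaviour change worth calling out in the commit message.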
@@ -12,78 +11,89 @@ function Connect-MSCloudLoginAzure if (($Script:MSCloudLoginConnectionProfile.Azure.AuthenticationType -eq 'ServicePrincipalWithSecret' ` -or $Script:MSCloudLoginConnectionProfile.Azure.AuthenticationType -eq 'Identity') ` -and (Get-Date -Date $Script:MSCloudLoginConnectionProfile.Azure.ConnectedDateTime) -lt [System.DateTime]::Now.AddMinutes(-50)) - { - Add-MSCloudLoginAssistantEvent -Message 'Token is about to expire, renewing' -Source $source - $Script:MSCloudLoginConnectionProfile.Azure.Connected = $false - } - elseif ($null -eq (Get-azContext)) - { - $Script:MSCloudLoginConnectionProfile.Azure.Connected = $false - } - else - { - return - } - } - - if ($Script:MSCloudLoginConnectionProfile.Azure.AuthenticationType -eq 'ServicePrincipalWithThumbprint') - { - Add-MSCloudLoginAssistantEvent -Message "Attempting to connect to Azure using AAD App {$ApplicationID}" -Source $source - try { - Add-MSCloudLoginAssistantEvent -Message "Azure Connection Profile = $($Script:MSCloudLoginConnectionProfile.Azure | Out-String)" -Source $source - try - { - Connect-AzAccount -ApplicationId $Script:MSCloudLoginConnectionProfile.Azure.ApplicationId ` - -TenantId $Script:MSCloudLoginConnectionProfile.Azure.TenantId ` - -CertificateThumbprint $Script:MSCloudLoginConnectionProfile.Azure.CertificateThumbprint ` - -Environment $Script:MSCloudLoginConnectionProfile.Azure.EnvironmentName | Out-Null - } - catch - { - Add-MSCloudLoginAssistantEvent -Message $_ -Source $source -EntryType 'Error' - } - $Script:MSCloudLoginConnectionProfile.Azure.ConnectedDateTime = [System.DateTime]::Now.ToString() - $Script:MSCloudLoginConnectionProfile.Azure.Connected = $true - $Script:MSCloudLoginConnectionProfile.Azure.MultiFactorAuthentication = $false - Add-MSCloudLoginAssistantEvent -Message "Successfully connected to Azure using AAD App {$ApplicationID}" -Source $source + Add-MSCloudLoginAssistantEvent -Message 'Token is about to expire, renewing' -Source $source + 
$Script:MSCloudLoginConnectionProfile.Azure.Connected = $false } - catch + elseif ($null -eq (Get-AzContext)) + { + $Script:MSCloudLoginConnectionProfile.Azure.Connected = $false + } + else { - throw $_ + return } } + + if ($Script:MSCloudLoginConnectionProfile.Azure.AuthenticationType -eq 'ServicePrincipalWithThumbprint') + { + Add-MSCloudLoginAssistantEvent -Message 'Connecting to Azure using AAD App with Certificate Thumbprint' -Source $source + Connect-AzAccount -ServicePrincipal ` + -ApplicationId $Script:MSCloudLoginConnectionProfile.Azure.ApplicationId ` + -TenantId $Script:MSCloudLoginConnectionProfile.Azure.TenantId ` + -CertificateThumbprint $Script:MSCloudLoginConnectionProfile.Azure.CertificateThumbprint ` + -Environment $Script:MSCloudLoginConnectionProfile.Azure.EnvironmentName | Out-Null + $Script:MSCloudLoginConnectionProfile.Azure.ConnectedDateTime = [System.DateTime]::Now.ToString() + $Script:MSCloudLoginConnectionProfile.Azure.Connected = $true + $Script:MSCloudLoginConnectionProfile.Azure.MultiFactorAuthentication = $false + } + elseif ($Script:MSCloudLoginConnectionProfile.Azure.AuthenticationType -eq 'ServicePrincipalWithSecret') + { + Add-MSCloudLoginAssistantEvent -Message 'Connecting to Azure using AAD App with Client Secret' -Source $source + $secStringPassword = $Script:MSCloudLoginConnectionProfile.Azure.ApplicationSecret | ConvertTo-SecureString -AsPlainText -Force + $credential = [System.Management.Automation.PSCredential]::new($Script:MSCloudLoginConnectionProfile.Azure.ApplicationId, $secStringPassword) + Connect-AzAccount -ServicePrincipal ` + -Credential $credential ` + -TenantId $Script:MSCloudLoginConnectionProfile.Azure.TenantId ` + -Environment $Script:MSCloudLoginConnectionProfile.Azure.EnvironmentName | Out-Null + $Script:MSCloudLoginConnectionProfile.Azure.ConnectedDateTime = [System.DateTime]::Now.ToString() + $Script:MSCloudLoginConnectionProfile.Azure.Connected = $true + 
$Script:MSCloudLoginConnectionProfile.Azure.MultiFactorAuthentication = $false + } + elseif ($Script:MSCloudLoginConnectionProfile.Azure.AuthenticationType -eq 'ServicePrincipalWithPath') + { + Add-MSCloudLoginAssistantEvent -Message 'Connecting to Azure using AAD App with Certificate Path' -Source $source + Connect-AzAccount -ServicePrincipal ` + -ApplicationId $Script:MSCloudLoginConnectionProfile.Azure.ApplicationId ` + -TenantId $Script:MSCloudLoginConnectionProfile.Azure.TenantId ` + -CertificatePath $Script:MSCloudLoginConnectionProfile.Azure.CertificatePath ` + -CertificatePassword $Script:MSCloudLoginConnectionProfile.Azure.CertificatePassword ` + -Environment $Script:MSCloudLoginConnectionProfile.Azure.EnvironmentName | Out-Null + $Script:MSCloudLoginConnectionProfile.Azure.ConnectedDateTime = [System.DateTime]::Now.ToString() + $Script:MSCloudLoginConnectionProfile.Azure.Connected = $true + $Script:MSCloudLoginConnectionProfile.Azure.MultiFactorAuthentication = $false + } elseif ($Script:MSCloudLoginConnectionProfile.Azure.AuthenticationType -eq 'CredentialsWithApplicationId' -or $Script:MSCloudLoginConnectionProfile.Azure.AuthenticationType -eq 'Credentials' -or $Script:MSCloudLoginConnectionProfile.Azure.AuthenticationType -eq 'CredentialsWithTenantId') { + Add-MSCloudLoginAssistantEvent -Message 'Connecting to Azure using Credentials' -Source $source try { if ([System.String]::IsNullOrEmpty($Script:MSCloudLoginConnectionProfile.Azure.TenantId)) { $Script:MSCloudLoginConnectionProfile.Azure.TenantId = $Script:MSCloudLoginConnectionProfile.Azure.Credentials.UserName.Split('@')[1] } - Add-MSCloudLoginAssistantEvent -Message 'Attempting to connect to Azure using Credentials' -Source $source Connect-AzAccount -Credential $Script:MSCloudLoginConnectionProfile.Azure.Credentials ` + -TenantId $Script:MSCloudLoginConnectionProfile.Azure.TenantId ` -Environment $Script:MSCloudLoginConnectionProfile.Azure.EnvironmentName ` -ErrorAction Stop | Out-Null 
$Script:MSCloudLoginConnectionProfile.Azure.ConnectedDateTime = [System.DateTime]::Now.ToString() $Script:MSCloudLoginConnectionProfile.Azure.Connected = $true $Script:MSCloudLoginConnectionProfile.Azure.MultiFactorAuthentication = $false - Add-MSCloudLoginAssistantEvent -Message 'Successfully connected to Azure using Credentials' -Source $source } catch { - try + if ($_.Exception.Message -like '*AADSTS50076*') { - Add-MSCloudLoginAssistantEvent -Message 'Attempting to connect to Azure using Credentials (MFA)' -Source $source - Connect-AzAccount -Environment $Script:MSCloudLoginConnectionProfile.Azure.EnvironmentName + Add-MSCloudLoginAssistantEvent -Message 'MFA is required. Fallback to interactive login.' -Source $source -EntryType 'Warning' + Connect-AzAccount -TenantId $Script:MSCloudLoginConnectionProfile.Azure.TenantId ` + -Environment $Script:MSCloudLoginConnectionProfile.Azure.EnvironmentName | Out-Null $Script:MSCloudLoginConnectionProfile.Azure.ConnectedDateTime = [System.DateTime]::Now.ToString() $Script:MSCloudLoginConnectionProfile.Azure.Connected = $true $Script:MSCloudLoginConnectionProfile.Azure.MultiFactorAuthentication = $true - Add-MSCloudLoginAssistantEvent -Message 'Successfully connected to Azure using Credentials (MFA)' -Source $source } - catch + else { throw $_ } 
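Review bot: The three new service-principal branches call `Connect-AzAccount -ServicePrincipal ...` without `-ErrorAction Stop`, unlike the Credentials branch in the same hunk (`-ErrorAction Stop | Out-Null`); if the cmdlet reports a non-terminating error the code still sets `Connected = $true` and `MultiFactorAuthentication = $false`, and the later `(Get-AzContext).Environment.ResourceManagerUrl` (outside this hunk) runs against a missing context. The removed try/catch had the same weakness (it logged the error and still marked the profile connected), so this is a pre-existing gap the rewrite could close by adding `-ErrorAction Stop` to each of the three calls. `ConvertTo-SecureString -AsPlainText -Force` on `$Script:MSCloudLoginConnectionProfile.Azure.ApplicationSecret` assumes the secret is stored as plain text on the profile, which the Workload class is not shown here to guarantee; a SecureString value would fail at that line, so confirm the property type. Connect-MSCloudLoginAzure continues outside the hunk.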
@@ -91,52 +101,38 @@ function Connect-MSCloudLoginAzure
 }
 elseif ($Script:MSCloudLoginConnectionProfile.Azure.AuthenticationType -eq 'AccessTokens')
 {
- Add-MSCloudLoginAssistantEvent -Message 'Attempting to connect to Azure using Access Token' -Source $source
- Connect-AzAccount -Tenant $Script:MSCloudLoginConnectionProfile.Azure.TenantId `
+ Add-MSCloudLoginAssistantEvent -Message 'Connecting to Azure using Access Token' -Source $source
+ Connect-AzAccount -AccessToken $Script:MSCloudLoginConnectionProfile.Azure.AccessTokens[0]`
+ -AccountId $Script:MSCloudLoginConnectionProfile.Azure.TenantId `
 -Environment $Script:MSCloudLoginConnectionProfile.Azure.EnvironmentName `
- -AccessToken $Script:MSCloudLoginConnectionProfile.Azure.AccessTokens[0] `
 -AccountId "MSCloudLoginAssistant" | Out-Null
 $Script:MSCloudLoginConnectionProfile.Azure.ConnectedDateTime = [System.DateTime]::Now.ToString()
 $Script:MSCloudLoginConnectionProfile.Azure.Connected = $true
 $Script:MSCloudLoginConnectionProfile.Azure.MultiFactorAuthentication = $false
- Add-MSCloudLoginAssistantEvent -Message 'Successfully connected to Azure using Access Token' -Source $source
 }
 elseif ($Script:MSCloudLoginConnectionProfile.Azure.AuthenticationType -eq 'Identity')
 {
- Add-MSCloudLoginAssistantEvent -Message 'Attempting to connect to Azure using Managed Identity' -Source $source
- try
- {
- if ($NULL -eq $Script:MSCloudLoginConnectionProfile.OrganizationName)
- {
- $Script:MSCloudLoginConnectionProfile.OrganizationName = Get-MSCloudLoginOrganizationName -Identity
- }
-
- Connect-AzAccount-TenantId $Script:MSCloudLoginConnectionProfile.OrganizationName `
- -Identity `
- -EnvironmentName $Script:MSCloudLoginConnectionProfile.Azure.EnvironmentName | Out-Null
-
- $Script:MSCloudLoginConnectionProfile.Azure.ConnectedDateTime = [System.DateTime]::Now.ToString()
- $Script:MSCloudLoginConnectionProfile.Azure.Connected = $true
- $Script:MSCloudLoginConnectionProfile.Azure.MultiFactorAuthentication = $false
- Add-MSCloudLoginAssistantEvent -Message 'Successfully connected to Azure using Managed Identity' -Source $source
- }
- catch
- {
- throw $_
- }
+ Add-MSCloudLoginAssistantEvent -Message 'Connecting to Azure using Managed Identity' -Source $source
+ Connect-AzAccount -Identity `
+ -Environment $Script:MSCloudLoginConnectionProfile.Azure.EnvironmentName | Out-Null
+ $Script:MSCloudLoginConnectionProfile.Azure.ConnectedDateTime = [System.DateTime]::Now.ToString()
+ $Script:MSCloudLoginConnectionProfile.Azure.Connected = $true
+ $Script:MSCloudLoginConnectionProfile.Azure.MultiFactorAuthentication = $false
 }
 else
 {
 throw 'Specified authentication method is not supported.'
 }
- #if the connection to azure was successful update the management URL
+ # If the connection to Azure was successful update the management URL
 if ($Script:MSCloudLoginConnectionProfile.Azure.Connected)
 {
 $managementUrl = (Get-AzContext).Environment.ResourceManagerUrl
- Add-MSCloudLoginAssistantEvent -Message "Setting Azure management URL to $managementUrl" -Source $source
- $Script:MSCloudLoginConnectionprofile.Azure.ManagementUrl = $managementUrl
+ Add-MSCloudLoginAssistantEvent -Message "Setting Azure Management URL to $managementUrl" -Source $source
+ $Script:MSCloudLoginConnectionProfile.Azure.ManagementUrl = $managementUrl
 }
+
+ Add-MSCloudLoginAssistantEvent -Message 'Successfully connected to Azure' -Source $source
 }
 function Disconnect-MSCloudLoginAzure
diff --git a/Modules/MSCloudLoginAssistant/Workloads/AzureDevOPS.ps1 b/Modules/MSCloudLoginAssistant/Workloads/AzureDevOPS.ps1
index 88d1c93..ebe11e8 100644
--- a/Modules/MSCloudLoginAssistant/Workloads/AzureDevOPS.ps1
+++ b/Modules/MSCloudLoginAssistant/Workloads/AzureDevOPS.ps1
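Review bot: The new AccessTokens branch passes `-AccountId` twice — the added `-AccountId $Script:MSCloudLoginConnectionProfile.Azure.TenantId `` plus the kept `-AccountId "MSCloudLoginAssistant"` context line — which PowerShell rejects at parameter binding, so this branch cannot connect at all. The tenant should go back on the `-Tenant` parameter the removed line used, e.g. `-Tenant $Script:MSCloudLoginConnectionProfile.Azure.TenantId ``, leaving a single `-AccountId`. The added `-AccessToken ...AccessTokens[0]`` line also has no space before the continuation backtick, which is hard to read and worth fixing while here. The Identity branch now calls Connect-AzAccount without any tenant, which presumably suits single-tenant identities but drops the previous explicit tenant selection; worth confirming. Connect-MSCloudLoginAzure starts before this hunk.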
@@ -3,132 +3,9 @@ function Connect-MSCloudLoginAzureDevOPS [CmdletBinding()] param() - $InformationPreference = 'SilentlyContinue' - $ProgressPreference = 'SilentlyContinue' - $source = 'Connect-MSCloudLoginAzureDevOPS' - - if ($Script:MSCloudLoginConnectionProfile.AzureDevOPS.AuthenticationType -eq 'ServicePrincipalWithThumbprint') - { - Add-MSCloudLoginAssistantEvent -Message "Attempting to connect to Azure DevOPS using AAD App {$ApplicationID}" -Source $source - try - { - Connect-MSCloudLoginAzureDevOPSWithCertificateThumbprint - $Script:MSCloudLoginConnectionProfile.AzureDevOPS.ConnectedDateTime = [System.DateTime]::Now.ToString() - $Script:MSCloudLoginConnectionProfile.AzureDevOPS.Connected = $true - $Script:MSCloudLoginConnectionProfile.AzureDevOPS.MultiFactorAuthentication = $false - Add-MSCloudLoginAssistantEvent -Message "Successfully connected to Azure DevOPS using AAD App {$ApplicationID}" -Source $source - } - catch - { - throw $_ - } - } - elseif ($Script:MSCloudLoginConnectionProfile.AzureDevOPS.AuthenticationType -eq 'CredentialsWithApplicationId' -or - $Script:MSCloudLoginConnectionProfile.AzureDevOPS.AuthenticationType -eq 'Credentials' -or - $Script:MSCloudLoginConnectionProfile.AzureDevOPS.AuthenticationType -eq 'CredentialsWithTenantId') - { - Add-MSCloudLoginAssistantEvent -Message 'Attempting to connect to Azure DevOPS using Credentials.' -Source $source - Connect-MSCloudAzureDevOPSWithUser - Add-MSCloudLoginAssistantEvent -Message 'Successfully connected to Azure DevOPS using Credentials' -Source $source - } - else - { - throw 'Specified authentication method is not supported.' 
- } -} -function Connect-MSCloudAzureDevOPSWithUser -{ - [CmdletBinding()] - param() - - $source = 'Connect-MSCloudAzureDevOPSWithUser' - - if ([System.String]::IsNullOrEmpty($Script:MSCloudLoginConnectionProfile.AzureDevOPS.TenantId)) - { - $tenantId = $Script:MSCloudLoginConnectionProfile.AzureDevOPS.Credentials.UserName.Split('@')[1] - } - else - { - $tenantId = $Script:MSCloudLoginConnectionProfile.AzureDevOPS.TenantId - } - - try - { - $managementToken = Get-AuthToken -AuthorizationUrl $Script:MSCloudLoginConnectionProfile.AzureDevOPS.AuthorizationUrl ` - -Credentials $Script:MSCloudLoginConnectionProfile.AzureDevOPS.Credentials ` - -TenantId $tenantId ` - -Resource $Script:MSCloudLoginConnectionProfile.AzureDevOPS.Resource ` - -ClientId $Script:MSCloudLoginConnectionProfile.AzureDevOPS.ApplicationId - - $Script:MSCloudLoginConnectionProfile.AzureDevOPS.AccessToken = $managementToken.token_type.ToString() + ' ' + $managementToken.access_token.ToString() - $Script:MSCloudLoginConnectionProfile.AzureDevOPS.Connected = $true - $Script:MSCloudLoginConnectionProfile.AzureDevOPS.ConnectedDateTime = [System.DateTime]::Now.ToString() - } - catch - { - if ($_.ErrorDetails.Message -like '*AADSTS50076*') - { - Add-MSCloudLoginAssistantEvent -Message 'Account used required MFA' -Source $source - Connect-MSCloudLoginAzureDevOPSWithUserMFA - } - else - { - $Script:MSCloudLoginConnectionProfile.AzureDevOPS.Connected = $false - throw $_ - } - } -} - -function Connect-MSCloudAzureDevOPSWithUserMFA -{ - [CmdletBinding()] - param() - - if ([System.String]::IsNullOrEmpty($Script:MSCloudLoginConnectionProfile.AzureDevOPS.TenantId)) - { - $tenantId = $Script:MSCloudLoginConnectionProfile.AzureDevOPS.Credentials.UserName.Split('@')[1] - } - else - { - $tenantId = $Script:MSCloudLoginConnectionProfile.AzureDevOPS.TenantId - } - - $managementToken = Get-AuthToken -AuthorizationUrl $Script:MSCloudLoginConnectionProfile.AzureDevOPS.AuthorizationUrl ` - -Credentials 
$Script:MSCloudLoginConnectionProfile.AzureDevOPS.Credentials ` - -TenantId $tenantId ` + Connect-MSCloudLoginRESTWorkload -WorkloadName 'AzureDevOPS' ` + -AuthorizationUrl $Script:MSCloudLoginConnectionProfile.AzureDevOPS.AuthorizationUrl ` + -Scope $Script:MSCloudLoginConnectionProfile.AzureDevOPS.Scope ` -ClientId $Script:MSCloudLoginConnectionProfile.AzureDevOPS.ApplicationId ` - -Resource $Script:MSCloudLoginConnectionProfile.AzureDevOPS.Resource ` - -DeviceCode - - $Script:MSCloudLoginConnectionProfile.AzureDevOPS.AccessToken = $managementToken.token_type.ToString() + ' ' + $managementToken.access_token.ToString() - $Script:MSCloudLoginConnectionProfile.AzureDevOPS.Connected = $true - $Script:MSCloudLoginConnectionProfile.AzureDevOPS.MultiFactorAuthentication = $true - $Script:MSCloudLoginConnectionProfile.AzureDevOPS.ConnectedDateTime = [System.DateTime]::Now.ToString() -} - -function Connect-MSCloudLoginAzureDevOPSWithCertificateThumbprint -{ - [CmdletBinding()] - param() - - $source = 'Connect-MSCloudLoginAzureDevOPSWithCertificateThumbprint' - - Add-MSCloudLoginAssistantEvent -Message 'Attempting to connect to Azure DevOPS using CertificateThumbprint' -Source $source - $tenantId = $Script:MSCloudLoginConnectionProfile.AzureDevOPS.TenantId - - try - { - $request = Get-AuthToken -AuthorizationUrl $Script:MSCloudLoginConnectionProfile.AzureDevOPS.AuthorizationUrl ` - -CertificateThumbprint $Script:MSCloudLoginConnectionProfile.AzureDevOPS.CertificateThumbprint ` - -TenantId $tenantId ` - -ClientId $Script:MSCloudLoginConnectionProfile.AzureDevOPS.ApplicationId ` - -Resource $Script:MSCloudLoginConnectionProfile.AzureDevOPS.Resource - - $Script:MSCloudLoginConnectionProfile.AzureDevOPS.AccessToken = 'Bearer ' + $Request.access_token - Add-MSCloudLoginAssistantEvent -Message 'Successfully connected to the Azure DevOPS API using Certificate Thumbprint' -Source $source - } - catch - { - throw $_ - } + -SupportedAuthMethods @('AccessTokens', 'Credentials', 
'CredentialsWithApplicationId', 'CredentialsWithTenantId', 'Identity', 'ServicePrincipalWithPath', 'ServicePrincipalWithSecret', 'ServicePrincipalWithThumbprint')
 }
diff --git a/Modules/MSCloudLoginAssistant/Workloads/DefenderForEndpoint.ps1 b/Modules/MSCloudLoginAssistant/Workloads/DefenderForEndpoint.ps1
index 7c509ff..73db78b 100644
--- a/Modules/MSCloudLoginAssistant/Workloads/DefenderForEndpoint.ps1
+++ b/Modules/MSCloudLoginAssistant/Workloads/DefenderForEndpoint.ps1
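Review bot: The new call passes `-Scope $Script:MSCloudLoginConnectionProfile.AzureDevOPS.Scope`, but every removed code path in this hunk resolved the token audience through `$Script:MSCloudLoginConnectionProfile.AzureDevOPS.Resource`, so this is the first place a `Scope` property is read for this workload; the Licensing hunk makes the same Resource-to-Scope switch. Unless the profile now defines `Scope` for both workloads, the helper is invoked with an empty scope and will either fail or request a token for the wrong audience. The `-SupportedAuthMethods` array is also hand-copied into every REST workload in this commit in slightly different orders (DefenderForEndpoint's differs), which invites drift; a single script-level array would keep it in one place. Whether the removed AADSTS50076 MFA fallback and the `Connected = $false` reset on failure survive inside Connect-MSCloudLoginRESTWorkload cannot be seen from this diff.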
@@ -3,68 +3,9 @@ function Connect-MSCloudLoginDefenderForEndpoint
 [CmdletBinding()]
 param()
- $ProgressPreference = 'SilentlyContinue'
- $source = 'Connect-MSCloudLoginDefenderForEndpoint'
-
- if ($Script:MSCloudLoginConnectionProfile.DefenderForEndpoint.AuthenticationType -eq 'ServicePrincipalWithSecret')
- {
- Add-MSCloudLoginAssistantEvent -Message 'Will try connecting with Application Secret' -Source $source
- Connect-MSCloudLoginDefenderForEndpointWithAppSecret
- }
- elseif ($Script:MSCloudLoginConnectionProfile.DefenderForEndpoint.AuthenticationType -eq 'ServicePrincipalWithThumbprint')
- {
- Add-MSCloudLoginAssistantEvent -Message 'Will try connecting with Application Secret' -Source $source
- Connect-MSCloudLoginDefenderForEndpointWithCertificateThumbprint
- }
- elseif ($Script:MSCloudLoginConnectionProfile.DefenderForEndpoint.AuthenticationType -eq 'AccessToken')
- {
- Add-MSCloudLoginAssistantEvent -Message 'Will try connecting with Access Token' -Source $source
- $Ptr = [System.Runtime.InteropServices.Marshal]::SecureStringToCoTaskMemUnicode($Script:MSCloudLoginConnectionProfile.DefenderForEndpoint.AccessTokens[0])
- $AccessTokenValue = [System.Runtime.InteropServices.Marshal]::PtrToStringUni($Ptr)
- [System.Runtime.InteropServices.Marshal]::ZeroFreeCoTaskMemUnicode($Ptr)
- $Script:MSCloudLoginConnectionProfile.DefenderForEndpoint.AccessToken = $AccessTokenValue
- }
-}
-
-function Connect-MSCloudLoginDefenderForEndpointWithAppSecret
-{
- [CmdletBinding()]
- param()
-
- $ProgressPreference = 'SilentlyContinue'
- $source = 'Connect-MSCloudLoginDefenderForEndpointWithAppSecret'
-
- $managementToken = Get-AuthToken -AuthorizationUrl $Script:MSCloudLoginConnectionProfile.DefenderForEndpoint.AuthorizationUrl `
+ Connect-MSCloudLoginRESTWorkload -WorkloadName 'DefenderForEndpoint' `
+ -AuthorizationUrl $Script:MSCloudLoginConnectionProfile.DefenderForEndpoint.AuthorizationUrl `
 -ClientId $Script:MSCloudLoginConnectionProfile.DefenderForEndpoint.ApplicationId `
- -ClientSecret $Script:MSCloudLoginConnectionProfile.DefenderForEndpoint.ApplicationSecret `
- -TenantId $Script:MSCloudLoginConnectionProfile.DefenderForEndpoint.TenantId `
- -Scope $Script:MSCloudLoginConnectionProfile.DefenderForEndpoint.Scope
-
- Add-MSCloudLoginAssistantEvent -Message 'Successfully connected to the DefenderForEndpoint API using Application Secret' -Source $source
- $Script:MSCloudLoginConnectionProfile.DefenderForEndpoint.AccessToken = $managementToken.token_type.ToString() + ' ' + $managementToken.access_token.ToString()
-}
-
-function Connect-MSCloudLoginDefenderForEndpointWithCertificateThumbprint
-{
- [CmdletBinding()]
- param()
-
- $ProgressPreference = 'SilentlyContinue'
- $source = 'Connect-MSCloudLoginDefenderForEndpointWithCertificateThumbprint'
-
- try
- {
- $request = Get-AuthToken -AuthorizationUrl $Script:MSCloudLoginConnectionProfile.DefenderForEndpoint.AuthorizationUrl `
- -CertificateThumbprint $Script:MSCloudLoginConnectionProfile.DefenderForEndpoint.CertificateThumbprint `
- -TenantId $Script:MSCloudLoginConnectionProfile.DefenderForEndpoint.TenantId `
- -ClientId $Script:MSCloudLoginConnectionProfile.DefenderForEndpoint.ApplicationId `
- -Scope $Script:MSCloudLoginConnectionProfile.DefenderForEndpoint.Scope
-
- $Script:MSCloudLoginConnectionProfile.DefenderForEndpoint.AccessToken = 'Bearer ' + $request.access_token
- Add-MSCloudLoginAssistantEvent -Message 'Successfully connected to the DefenderForEndpoint API using Certificate Thumbprint' -Source $source
- }
- catch
- {
- throw $_
- }
+ -Scope $Script:MSCloudLoginConnectionProfile.DefenderForEndpoint.Scope `
+ -SupportedAuthMethods @('AccessTokens', 'Credentials', 'CredentialsWithApplicationId', 'CredentialsWithTenantId', 'Identity', 'ServicePrincipalWithSecret', 'ServicePrincipalWithPath', 'ServicePrincipalWithThumbprint')
 }
diff --git a/Modules/MSCloudLoginAssistant/Workloads/EngageHub.ps1 b/Modules/MSCloudLoginAssistant/Workloads/EngageHub.ps1
index e119684..9fa920c 100644
--- a/Modules/MSCloudLoginAssistant/Workloads/EngageHub.ps1
+++ b/Modules/MSCloudLoginAssistant/Workloads/EngageHub.ps1
@@ -3,141 +3,11 @@ function Connect-MSCloudLoginEngageHub [CmdletBinding()] param() - $InformationPreference = 'SilentlyContinue' - $ProgressPreference = 'SilentlyContinue' - $source = 'Connect-MSCloudLoginEngageHub' - - if (-not $Script:MSCloudLoginConnectionProfile.EngageHub.AccessToken) - { - try - { - if ($Script:MSCloudLoginConnectionProfile.EngageHub.AuthenticationType -eq 'CredentialsWithApplicationId' -or - $Script:MSCloudLoginConnectionProfile.EngageHub.AuthenticationType -eq 'Credentials' -or - $Script:MSCloudLoginConnectionProfile.EngageHub.AuthenticationType -eq 'CredentialsWithTenantId') - { - Add-MSCloudLoginAssistantEvent -Message 'Will try connecting with user credentials' -Source $source - Connect-MSCloudLoginEngageHubWithUser - } - elseif ($Script:MSCloudLoginConnectionProfile.EngageHub.AuthenticationType -eq 'ServicePrincipalWithThumbprint') - { - Add-MSCloudLoginAssistantEvent -Message "Attempting to connect to Admin API using AAD App {$ApplicationID}" -Source $source - Connect-MSCloudLoginEngageHubWithCertificateThumbprint - } - else - { - throw 'Specified authentication method is not supported.' 
- } - - $Script:MSCloudLoginConnectionProfile.EngageHub.ConnectedDateTime = [System.DateTime]::Now.ToString() - $Script:MSCloudLoginConnectionProfile.EngageHub.Connected = $true - $Script:MSCloudLoginConnectionProfile.EngageHub.MultiFactorAuthentication = $false - Add-MSCloudLoginAssistantEvent -Message "Successfully connected to Admin API using AAD App {$ApplicationID}" -Source $source - } - catch - { - throw $_ - } - } -} - -function Connect-MSCloudLoginEngageHubWithUser -{ - [CmdletBinding()] - param() - - $source = 'Connect-MSCloudLoginEngageHubWithUser' - - if ([System.String]::IsNullOrEmpty($Script:MSCloudLoginConnectionProfile.EngageHub.TenantId)) - { - $tenantId = $Script:MSCloudLoginConnectionProfile.EngageHub.Credentials.UserName.Split('@')[1] - } - else - { - $tenantId = $Script:MSCloudLoginConnectionProfile.EngageHub.TenantId - } - - # Request token through ROPC - try - { - $managementToken = Get-AuthToken -AuthorizationUrl $Script:MSCloudLoginConnectionProfile.EngageHub.AuthorizationUrl ` - -Credentials $Script:MSCloudLoginConnectionProfile.EngageHub.Credentials ` - -TenantId $tenantId ` - -ClientId $Script:MSCloudLoginConnectionProfile.EngageHub.ApplicationId ` - -Scope $Script:MSCloudLoginConnectionProfile.EngageHub.Scope - - $Script:MSCloudLoginConnectionProfile.EngageHub.AccessToken = $managementToken.token_type.ToString() + ' ' + $managementToken.access_token.ToString() - $Script:MSCloudLoginConnectionProfile.EngageHub.Connected = $true - $Script:MSCloudLoginConnectionProfile.EngageHub.ConnectedDateTime = [System.DateTime]::Now.ToString() - } - catch - { - if ($_.ErrorDetails.Message -like '*AADSTS50076*') - { - Add-MSCloudLoginAssistantEvent -Message 'Account used required MFA' -Source $source - Connect-MSCloudLoginEngageHubWithUserMFA - } - else - { - $Script:MSCloudLoginConnectionProfile.EngageHub.Connected = $false - throw $_ - } - } -} -function Connect-MSCloudLoginEngageHubWithUserMFA -{ - [CmdletBinding()] - param() - - if 
([System.String]::IsNullOrEmpty($Script:MSCloudLoginConnectionProfile.EngageHub.TenantId)) - { - $tenantId = $Script:MSCloudLoginConnectionProfile.EngageHub.Credentials.UserName.Split('@')[1] - } - else - { - $tenantId = $Script:MSCloudLoginConnectionProfile.EngageHub.TenantId - } - - $managementToken = Get-AuthToken -AuthorizationUrl $Script:MSCloudLoginConnectionProfile.EngageHub.AuthorizationUrl ` - -Credentials $Script:MSCloudLoginConnectionProfile.EngageHub.Credentials ` - -TenantId $tenantId ` + Connect-MSCloudLoginRESTWorkload -WorkloadName 'EngageHub' ` + -AuthorizationUrl $Script:MSCloudLoginConnectionProfile.EngageHub.AuthorizationUrl ` + -Scope $Script:MSCloudLoginConnectionProfile.EngageHub.Scope ` -ClientId $Script:MSCloudLoginConnectionProfile.EngageHub.ApplicationId ` - -Scope $Script:MSCloudLoginConnectionProfile.EngageHub.Scope - - $Script:MSCloudLoginConnectionProfile.EngageHub.AccessToken = $managementToken.token_type.ToString() + ' ' + $managementToken.access_token.ToString() - $Script:MSCloudLoginConnectionProfile.EngageHub.Connected = $true - $Script:MSCloudLoginConnectionProfile.EngageHub.MultiFactorAuthentication = $true - $Script:MSCloudLoginConnectionProfile.EngageHub.ConnectedDateTime = [System.DateTime]::Now.ToString() -} - -function Connect-MSCloudLoginEngageHubWithCertificateThumbprint -{ - [CmdletBinding()] - param() - - $ProgressPreference = 'SilentlyContinue' - $source = 'Connect-MSCloudLoginEngageHubWithCertificateThumbprint' - - Add-MSCloudLoginAssistantEvent -Message 'Attempting to connect to EngageHub using CertificateThumbprint' -Source $source - $tenantId = $Script:MSCloudLoginConnectionProfile.EngageHub.TenantId - - try - { - $request = Get-AuthToken -AuthorizationUrl $Script:MSCloudLoginConnectionProfile.EngageHub.AuthorizationUrl ` - -CertificateThumbprint $Script:MSCloudLoginConnectionProfile.EngageHub.CertificateThumbprint ` - -TenantId $tenantId ` - -ClientId $Script:MSCloudLoginConnectionProfile.EngageHub.ApplicationId 
- -Scope $Script:MSCloudLoginConnectionProfile.EngageHub.Scope - - $Script:MSCloudLoginConnectionProfile.EngageHub.AccessToken = 'Bearer ' + $Request.access_token - Add-MSCloudLoginAssistantEvent -Message 'Successfully connected to the Admin API API using Certificate Thumbprint' -Source $source - - $Script:MSCloudLoginConnectionProfile.EngageHub.Connected = $true - $Script:MSCloudLoginConnectionProfile.EngageHub.ConnectedDateTime = [System.DateTime]::Now.ToString() - } - catch - { - throw $_ - } + -SupportedAuthMethods @('AccessTokens', 'Credentials', 'CredentialsWithApplicationId', 'CredentialsWithTenantId', 'Identity', 'ServicePrincipalWithPath', 'ServicePrincipalWithSecret', 'ServicePrincipalWithThumbprint') } function Disconnect-MSCloudLoginEngageHub @@ -145,16 +15,5 @@ function Disconnect-MSCloudLoginEngageHub [CmdletBinding()] param() - $source = 'Disconnect-MSCloudLoginEngageHub' - - if ($Script:MSCloudLoginConnectionProfile.EngageHub.Connected) - { - Add-MSCloudLoginAssistantEvent -Message 'Attempting to disconnect from EngageHub API' -Source $source - $Script:MSCloudLoginConnectionProfile.EngageHub.Connected = $false - Add-MSCloudLoginAssistantEvent -Message 'Successfully disconnected from EngageHub API' -Source $source - } - else - { - Add-MSCloudLoginAssistantEvent -Message 'No connections to EngageHub API were found' -Source $source - } + Disconnect-MSCloudLoginRESTWorkload -WorkloadName 'EngageHub' } diff --git a/Modules/MSCloudLoginAssistant/Workloads/ExchangeOnline.ps1 b/Modules/MSCloudLoginAssistant/Workloads/ExchangeOnline.ps1 index 7703c45..2555ab6 100644 --- a/Modules/MSCloudLoginAssistant/Workloads/ExchangeOnline.ps1 +++ b/Modules/MSCloudLoginAssistant/Workloads/ExchangeOnline.ps1 
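Review bot: Connect-MSCloudLoginEngageHub now invokes Connect-MSCloudLoginRESTWorkload unconditionally, whereas the removed body only acquired a token when `$Script:MSCloudLoginConnectionProfile.EngageHub.AccessToken` was empty; the Licensing hunk drops the same guard. If the helper does not reuse an existing token itself, every call re-authenticates (for credential flows that is a fresh ROPC or device-code exchange each time), which is slower and noisier in sign-in audit logs. Either restore the guard here, `if (-not $Script:MSCloudLoginConnectionProfile.EngageHub.AccessToken) { ... }`, or confirm the helper handles token reuse and expiry and note that in a comment on the call.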
@@ -288,7 +288,7 @@ function Connect-MSCloudLoginExchangeOnline
 @CommandName | Out-Null
 $Script:MSCloudLoginConnectionProfile.ExchangeOnline.ConnectedDateTime = [System.DateTime]::Now.ToString()
- $Script:MSCloudLoginConnectionProfile.ExchangeOnline.Connected = $false
+ $Script:MSCloudLoginConnectionProfile.ExchangeOnline.Connected = $true
 $Script:MSCloudLoginConnectionProfile.ExchangeOnline.MultiFactorAuthentication = $true
 Add-MSCloudLoginAssistantEvent -Message 'Successfully connected to Exchange Online using Managed Identity' -Source $source
 }
@@ -319,7 +319,7 @@ function Connect-MSCloudLoginExchangeOnline
 @CommandName | Out-Null
 $Script:MSCloudLoginConnectionProfile.ExchangeOnline.ConnectedDateTime = [System.DateTime]::Now.ToString()
- $Script:MSCloudLoginConnectionProfile.ExchangeOnline.Connected = $false
+ $Script:MSCloudLoginConnectionProfile.ExchangeOnline.Connected = $true
 $Script:MSCloudLoginConnectionProfile.ExchangeOnline.MultiFactorAuthentication = $false
 Add-MSCloudLoginAssistantEvent -Message 'Successfully connected to Exchange Online using Access Token' -Source $source
 }
diff --git a/Modules/MSCloudLoginAssistant/Workloads/Fabric.ps1 b/Modules/MSCloudLoginAssistant/Workloads/Fabric.ps1
index 239dd44..fc82266 100644
--- a/Modules/MSCloudLoginAssistant/Workloads/Fabric.ps1
+++ b/Modules/MSCloudLoginAssistant/Workloads/Fabric.ps1
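Review bot: The Managed Identity branch in the first hunk still records `MultiFactorAuthentication = $true` on the context line directly after the corrected `Connected = $true`; a managed-identity sign-in involves no MFA, and the Access Token branch in the second hunk sets the same flag to `$false`, so this looks copy-pasted and will mislead anything that reports on how the session was authenticated. Suggest changing it to `$Script:MSCloudLoginConnectionProfile.ExchangeOnline.MultiFactorAuthentication = $false` while the state bookkeeping is being fixed. Connect-MSCloudLoginExchangeOnline starts and ends outside both hunks.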
@@ -3,54 +3,8 @@ function Connect-MSCloudLoginFabric
 [CmdletBinding()]
 param()
- $InformationPreference = 'SilentlyContinue'
- $ProgressPreference = 'SilentlyContinue'
- $source = 'Connect-MSCloudLoginFabric'
-
- if ($Script:MSCloudLoginConnectionProfile.Fabric.AuthenticationType -eq 'ServicePrincipalWithThumbprint')
- {
- Add-MSCloudLoginAssistantEvent -Message "Attempting to connect to Fabric using AAD App {$ApplicationID}" -Source $source
- try
- {
- Connect-MSCloudLoginFabricWithCertificateThumbprint
- $Script:MSCloudLoginConnectionProfile.Fabric.ConnectedDateTime = [System.DateTime]::Now.ToString()
- $Script:MSCloudLoginConnectionProfile.Fabric.Connected = $true
- $Script:MSCloudLoginConnectionProfile.Fabric.MultiFactorAuthentication = $false
- Add-MSCloudLoginAssistantEvent -Message "Successfully connected to Fabric using AAD App {$ApplicationID}" -Source $source
- }
- catch
- {
- throw $_
- }
- }
- else
- {
- throw 'Specified authentication method is not supported.'
- }
-}
-
-function Connect-MSCloudLoginFabricWithCertificateThumbprint
-{
- [CmdletBinding()]
- param()
-
- $ProgressPreference = 'SilentlyContinue'
- $source = 'Connect-MSCloudLoginFabricWithCertificateThumbprint'
-
- try
- {
- Add-MSCloudLoginAssistantEvent -Message 'Attempting to connect to Fabric using CertificateThumbprint' -Source $source
- $request = Get-AuthToken -AuthorizationUrl $Script:MSCloudLoginConnectionProfile.Fabric.AuthorizationUrl `
- -CertificateThumbprint $Script:MSCloudLoginConnectionProfile.Fabric.CertificateThumbprint `
- -TenantId $Script:MSCloudLoginConnectionProfile.Fabric.TenantId `
- -ClientId $Script:MSCloudLoginConnectionProfile.Fabric.ApplicationId `
- -Scope $Script:MSCloudLoginConnectionProfile.Fabric.Scope
-
- $Script:MSCloudLoginConnectionProfile.Fabric.AccessToken = 'Bearer ' + $request.access_token
- Add-MSCloudLoginAssistantEvent -Message 'Successfully connected to the Fabric API using Certificate Thumbprint' -Source $source
- }
- catch
- {
- throw $_
- }
+ Connect-MSCloudLoginRESTWorkload -WorkloadName 'Fabric' `
+ -AuthorizationUrl $Script:MSCloudLoginConnectionProfile.Fabric.AuthorizationUrl `
+ -Scope $Script:MSCloudLoginConnectionProfile.Fabric.Scope `
+ -SupportedAuthMethods @('AccessTokens', 'Credentials', 'CredentialsWithApplicationId', 'CredentialsWithTenantId', 'Identity', 'ServicePrincipalWithPath', 'ServicePrincipalWithSecret', 'ServicePrincipalWithThumbprint')
 }
diff --git a/Modules/MSCloudLoginAssistant/Workloads/Licensing.ps1 b/Modules/MSCloudLoginAssistant/Workloads/Licensing.ps1
index 4ce88ed..47055e4 100644
--- a/Modules/MSCloudLoginAssistant/Workloads/Licensing.ps1
+++ b/Modules/MSCloudLoginAssistant/Workloads/Licensing.ps1
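Review bot: Connect-MSCloudLoginFabric calls Connect-MSCloudLoginRESTWorkload without `-ClientId`, while every other workload in this commit passes `-ClientId $Script:MSCloudLoginConnectionProfile.<Workload>.ApplicationId` and the removed Fabric code passed the ApplicationId to Get-AuthToken on every path. Unless the helper falls back to the profile's ApplicationId on its own (not visible here), service-principal and credential flows for Fabric will request a token with no client id and be rejected by the token endpoint. Add `-ClientId $Script:MSCloudLoginConnectionProfile.Fabric.ApplicationId `` after the `-AuthorizationUrl` line to match the other workloads.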
@@ -3,142 +3,11 @@ function Connect-MSCloudLoginLicensing [CmdletBinding()] param() - $InformationPreference = 'SilentlyContinue' - $ProgressPreference = 'SilentlyContinue' - $source = 'Connect-MSCloudLoginLicensing' - - if (-not $Script:MSCloudLoginConnectionProfile.Licensing.AccessToken) - { - try - { - if ($Script:MSCloudLoginConnectionProfile.Licensing.AuthenticationType -eq 'CredentialsWithApplicationId' -or - $Script:MSCloudLoginConnectionProfile.Licensing.AuthenticationType -eq 'Credentials' -or - $Script:MSCloudLoginConnectionProfile.Licensing.AuthenticationType -eq 'CredentialsWithTenantId') - { - Add-MSCloudLoginAssistantEvent -Message 'Will try connecting with user credentials' -Source $source - Connect-MSCloudLoginLicensingWithUser - } - elseif ($Script:MSCloudLoginConnectionProfile.Licensing.AuthenticationType -eq 'ServicePrincipalWithThumbprint') - { - Add-MSCloudLoginAssistantEvent -Message "Attempting to connect to Licensing API using AAD App {$ApplicationID}" -Source $source - Connect-MSCloudLoginLicensingWithCertificateThumbprint - } - else - { - throw 'Specified authentication method is not supported.' 
- } - - $Script:MSCloudLoginConnectionProfile.Licensing.ConnectedDateTime = [System.DateTime]::Now.ToString() - $Script:MSCloudLoginConnectionProfile.Licensing.Connected = $true - $Script:MSCloudLoginConnectionProfile.Licensing.MultiFactorAuthentication = $false - Add-MSCloudLoginAssistantEvent -Message "Successfully connected to Licensing API using AAD App {$ApplicationID}" -Source $source - } - catch - { - throw $_ - } - } -} - -function Connect-MSCloudLoginLicensingWithUser -{ - [CmdletBinding()] - param() - - $source = 'Connect-MSCloudLoginLicensingWithUser' - - if ([System.String]::IsNullOrEmpty($Script:MSCloudLoginConnectionProfile.Licensing.TenantId)) - { - $tenantId = $Script:MSCloudLoginConnectionProfile.Licensing.Credentials.UserName.Split('@')[1] - } - else - { - $tenantId = $Script:MSCloudLoginConnectionProfile.Licensing.TenantId - } - - try - { - $managementToken = Get-AuthToken -AuthorizationUrl $Script:MSCloudLoginConnectionProfile.Licensing.AuthorizationUrl ` - -Credentials $Script:MSCloudLoginConnectionProfile.Licensing.Credentials ` - -TenantId $tenantId ` - -ClientId $Script:MSCloudLoginConnectionProfile.Licensing.ApplicationId ` - -Resource $Script:MSCloudLoginConnectionProfile.Licensing.Resource - - $Script:MSCloudLoginConnectionProfile.Licensing.AccessToken = $managementToken.token_type.ToString() + ' ' + $managementToken.access_token.ToString() - $Script:MSCloudLoginConnectionProfile.Licensing.Connected = $true - $Script:MSCloudLoginConnectionProfile.Licensing.ConnectedDateTime = [System.DateTime]::Now.ToString() - } - catch - { - if ($_.ErrorDetails.Message -like '*AADSTS50076*') - { - Add-MSCloudLoginAssistantEvent -Message 'Account used required MFA' -Source $source - Connect-MSCloudLoginLicensingWithUserMFA - } - else - { - $Script:MSCloudLoginConnectionProfile.Licensing.Connected = $false - throw $_ - } - } -} - -function Connect-MSCloudLoginLicensingWithUserMFA -{ - [CmdletBinding()] - param() - - if 
([System.String]::IsNullOrEmpty($Script:MSCloudLoginConnectionProfile.Licensing.TenantId)) - { - $tenantId = $Script:MSCloudLoginConnectionProfile.Licensing.Credentials.UserName.Split('@')[1] - } - else - { - $tenantId = $Script:MSCloudLoginConnectionProfile.Licensing.TenantId - } - - $managementToken = Get-AuthToken -AuthorizationUrl $Script:MSCloudLoginConnectionProfile.Licensing.AuthorizationUrl ` - -Credentials $Script:MSCloudLoginConnectionProfile.Licensing.Credentials ` - -TenantId $tenantId ` + Connect-MSCloudLoginRESTWorkload -WorkloadName 'Licensing' ` + -AuthorizationUrl $Script:MSCloudLoginConnectionProfile.Licensing.AuthorizationUrl ` -ClientId $Script:MSCloudLoginConnectionProfile.Licensing.ApplicationId ` - -Resource $Script:MSCloudLoginConnectionProfile.Licensing.Resource ` - -DeviceCode - - $Script:MSCloudLoginConnectionProfile.Licensing.AccessToken = $managementToken.token_type.ToString() + ' ' + $managementToken.access_token.ToString() - $Script:MSCloudLoginConnectionProfile.Licensing.Connected = $true - $Script:MSCloudLoginConnectionProfile.Licensing.MultiFactorAuthentication = $true - $Script:MSCloudLoginConnectionProfile.Licensing.ConnectedDateTime = [System.DateTime]::Now.ToString() -} - -function Connect-MSCloudLoginLicensingWithCertificateThumbprint -{ - [CmdletBinding()] - param() - - $ProgressPreference = 'SilentlyContinue' - $source = 'Connect-MSCloudLoginLicensingWithCertificateThumbprint' - - Add-MSCloudLoginAssistantEvent -Message 'Attempting to connect to Licensing using CertificateThumbprint' -Source $source - $tenantId = $Script:MSCloudLoginConnectionProfile.Licensing.TenantId - - try - { - $request = Get-AuthToken -AuthorizationUrl $Script:MSCloudLoginConnectionProfile.Licensing.AuthorizationUrl ` - -CertificateThumbprint $Script:MSCloudLoginConnectionProfile.Licensing.CertificateThumbprint ` - -TenantId $tenantId ` - -ClientId $Script:MSCloudLoginConnectionProfile.Licensing.ApplicationId ` - -Resource 
$Script:MSCloudLoginConnectionProfile.Licensing.Resource - - $Script:MSCloudLoginConnectionProfile.Licensing.AccessToken = 'Bearer ' + $Request.access_token - Add-MSCloudLoginAssistantEvent -Message 'Successfully connected to the Licensing API using Certificate Thumbprint' -Source $source - - $Script:MSCloudLoginConnectionProfile.Licensing.Connected = $true - $Script:MSCloudLoginConnectionProfile.Licensing.ConnectedDateTime = [System.DateTime]::Now.ToString() - } - catch - { - throw $_ - } + -Scope $Script:MSCloudLoginConnectionProfile.Licensing.Scope ` + -SupportedAuthMethods @('AccessTokens', 'Credentials', 'CredentialsWithApplicationId', 'CredentialsWithTenantId', 'Identity', 'ServicePrincipalWithPath', 'ServicePrincipalWithSecret', 'ServicePrincipalWithThumbprint') } function Disconnect-MSCloudLoginLicensing @@ -146,16 +15,5 @@ function Disconnect-MSCloudLoginLicensing [CmdletBinding()] param() - $source = 'Disconnect-MSCloudLoginLicensing' - - if ($Script:MSCloudLoginConnectionProfile.Licensing.Connected) - { - Add-MSCloudLoginAssistantEvent -Message 'Attempting to disconnect from Licensing API' -Source $source - $Script:MSCloudLoginConnectionProfile.Licensing.Connected = $false - Add-MSCloudLoginAssistantEvent -Message 'Successfully disconnected from Licensing API' -Source $source - } - else - { - Add-MSCloudLoginAssistantEvent -Message 'No connections to Licensing API were found' -Source $source - } + Disconnect-MSCloudLoginRESTWorkload -WorkloadName 'Licensing' } diff --git a/Modules/MSCloudLoginAssistant/Workloads/O365Portal.ps1 b/Modules/MSCloudLoginAssistant/Workloads/O365Portal.ps1 index c860fb4..643fe60 100644 --- a/Modules/MSCloudLoginAssistant/Workloads/O365Portal.ps1 +++ b/Modules/MSCloudLoginAssistant/Workloads/O365Portal.ps1 
@@ -3,124 +3,9 @@ function Connect-MSCloudLoginO365Portal [CmdletBinding()] param() - $InformationPreference = 'SilentlyContinue' - $ProgressPreference = 'SilentlyContinue' - $source = 'Connect-MSCloudLoginO365Portal' - - if ($Script:MSCloudLoginConnectionProfile.O365Portal.Connected) - { - if (($Script:MSCloudLoginConnectionProfile.O365Portal.AuthenticationType -eq 'ServicePrincipalWithSecret' ` - -or $Script:MSCloudLoginConnectionProfile.O365Portal.AuthenticationType -eq 'Identity') ` - -and (Get-Date -Date $Script:MSCloudLoginConnectionProfile.O365Portal.ConnectedDateTime) -lt [System.DateTime]::Now.AddMinutes(-50)) - { - Add-MSCloudLoginAssistantEvent -Message 'Token is about to expire, renewing' -Source $source - $Script:MSCloudLoginConnectionProfile.O365Portal.Connected = $false - } - } - - try - { - if ($Script:MSCloudLoginConnectionProfile.O365Portal.AuthenticationType -eq 'CredentialsWithApplicationId' -or - $Script:MSCloudLoginConnectionProfile.O365Portal.AuthenticationType -eq 'Credentials' -or - $Script:MSCloudLoginConnectionProfile.O365Portal.AuthenticationType -eq 'CredentialsWithTenantId') - { - Add-MSCloudLoginAssistantEvent -Message 'Will try connecting with user credentials' -Source $source - Connect-MSCloudLoginO365PortalWithUser - } - elseif ($Script:MSCloudLoginConnectionProfile.O365Portal.AuthenticationType -eq 'AccessTokens') - { - Add-MSCloudLoginAssistantEvent -Message 'Using provided access token to connect to O365 Portal' -Source $source - $accessToken = if ($Script:MSCloudLoginConnectionProfile.O365Portal.AccessTokens[0] -like 'Bearer *') - { - $Script:MSCloudLoginConnectionProfile.O365Portal.AccessTokens[0] - } - else - { - 'Bearer ' + $Script:MSCloudLoginConnectionProfile.O365Portal.AccessTokens[0] - } - $Script:MSCloudLoginConnectionProfile.O365Portal.AccessToken = $accessToken - } - else - { - throw 'Specified authentication method is not supported.' 
- } - - $Script:MSCloudLoginConnectionProfile.O365Portal.ConnectedDateTime = [System.DateTime]::Now.ToString() - $Script:MSCloudLoginConnectionProfile.O365Portal.Connected = $true - $Script:MSCloudLoginConnectionProfile.O365Portal.MultiFactorAuthentication = $false - Add-MSCloudLoginAssistantEvent -Message "Successfully connected to O365 Portal using AAD App {$ApplicationID}" -Source $source - } - catch - { - throw $_ - } -} - -function Connect-MSCloudLoginO365PortalWithUser -{ - [CmdletBinding()] - param() - - $source = 'Connect-MSCloudLoginO365PortalWithUser' - - if ([System.String]::IsNullOrEmpty($Script:MSCloudLoginConnectionProfile.O365Portal.TenantId)) - { - $tenantId = $Script:MSCloudLoginConnectionProfile.O365Portal.Credentials.UserName.Split('@')[1] - } - else - { - $tenantId = $Script:MSCloudLoginConnectionProfile.O365Portal.TenantId - } - - try - { - $managementToken = Get-AuthToken -AuthorizationUrl $Script:MSCloudLoginConnectionProfile.O365Portal.AuthorizationUrl ` - -Credentials $Script:MSCloudLoginConnectionProfile.O365Portal.Credentials ` - -TenantId $tenantId ` - -ClientId $Script:MSCloudLoginConnectionProfile.O365Portal.ApplicationId ` - -Scope $Script:MSCloudLoginConnectionProfile.O365Portal.Scope - - $Script:MSCloudLoginConnectionProfile.O365Portal.AccessToken = $managementToken.token_type.ToString() + ' ' + $managementToken.access_token.ToString() - $Script:MSCloudLoginConnectionProfile.O365Portal.Connected = $true - $Script:MSCloudLoginConnectionProfile.O365Portal.ConnectedDateTime = [System.DateTime]::Now.ToString() - } - catch - { - if ($_.ErrorDetails.Message -like '*AADSTS50076*') - { - Add-MSCloudLoginAssistantEvent -Message 'Account used required MFA' -Source $source - Connect-MSCloudLoginO365PortalWithUserMFA - } - else - { - $Script:MSCloudLoginConnectionProfile.O365Portal.Connected = $false - throw $_ - } - } -} -function Connect-MSCloudLoginO365PortalWithUserMFA -{ - [CmdletBinding()] - param() - - if 
([System.String]::IsNullOrEmpty($Script:MSCloudLoginConnectionProfile.O365Portal.TenantId)) - { - $tenantid = $Script:MSCloudLoginConnectionProfile.O365Portal.Credentials.UserName.Split('@')[1] - } - else - { - $tenantId = $Script:MSCloudLoginConnectionProfile.O365Portal.TenantId - } - - $managementToken = Get-AuthToken -AuthorizationUrl $Script:MSCloudLoginConnectionProfile.O365Portal.AuthorizationUrl ` - -Credentials $Script:MSCloudLoginConnectionProfile.O365Portal.Credentials ` - -TenantId $tenantId ` - -ClientId $Script:MSCloudLoginConnectionProfile.O365Portal.ApplicationId ` + Connect-MSCloudLoginRESTWorkload -WorkloadName 'O365Portal' ` + -AuthorizationUrl $Script:MSCloudLoginConnectionProfile.O365Portal.AuthorizationUrl ` -Scope $Script:MSCloudLoginConnectionProfile.O365Portal.Scope ` - -DeviceCode - - $Script:MSCloudLoginConnectionProfile.O365Portal.AccessToken = $managementToken.token_type.ToString() + ' ' + $managementToken.access_token.ToString() - $Script:MSCloudLoginConnectionProfile.O365Portal.Connected = $true - $Script:MSCloudLoginConnectionProfile.O365Portal.MultiFactorAuthentication = $true - $Script:MSCloudLoginConnectionProfile.O365Portal.ConnectedDateTime = [System.DateTime]::Now.ToString() + -ClientId $Script:MSCloudLoginConnectionProfile.O365Portal.ApplicationId ` + -SupportedAuthMethods @('Credentials', 'CredentialsWithTenantId', 'AccessTokens') } diff --git a/Modules/MSCloudLoginAssistant/Workloads/PnP.ps1 b/Modules/MSCloudLoginAssistant/Workloads/PnP.ps1 index e48f4fc..12f631d 100644 --- a/Modules/MSCloudLoginAssistant/Workloads/PnP.ps1 +++ b/Modules/MSCloudLoginAssistant/Workloads/PnP.ps1 
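Review bot: The new `-SupportedAuthMethods @('Credentials', 'CredentialsWithTenantId', 'AccessTokens')` drops `CredentialsWithApplicationId`, which the removed dispatch accepted alongside `Credentials` and `CredentialsWithTenantId`; if narrowing is intended the description should say so, otherwise the list should read `-SupportedAuthMethods @('Credentials', 'CredentialsWithApplicationId', 'CredentialsWithTenantId', 'AccessTokens')`. The removed code also forced a re-connect when `ConnectedDateTime` was older than 50 minutes; whether Connect-MSCloudLoginRESTWorkload keeps that renewal is not visible here, so please confirm. Connect-MSCloudLoginO365Portal's opening lines are outside the hunk.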
@@ -309,33 +309,6 @@ function Connect-MSCloudLoginPnP
 $Script:MSCloudLoginConnectionProfile.PnP.Connected = $true
 }
 elseif ($Script:MSCloudLoginConnectionProfile.PnP.AuthenticationType -eq 'Credentials')
- {
- if ($Script:MSCloudLoginConnectionProfile.PnP.ConnectionUrl -or $ForceRefreshConnection)
- {
- Add-MSCloudLoginAssistantEvent -Message 'Connecting with Credentials and application id' -Source $source
- Add-MSCloudLoginAssistantEvent -Message "URL: $($Script:MSCloudLoginConnectionProfile.PnP.ConnectionUrl)" -Source $source
- Add-MSCloudLoginAssistantEvent -Message "ConnectionUrl: $($Script:MSCloudLoginConnectionProfile.PnP.ConnectionUrl)" -Source $source
- Connect-PnPOnline -Url $Script:MSCloudLoginConnectionProfile.PnP.ConnectionUrl `
- -Credentials $Script:MSCloudLoginConnectionProfile.PnP.Credentials `
- -ClientId $Script:MSCloudLoginConnectionProfile.PnP.ApplicationId `
- -AzureEnvironment $Script:MSCloudLoginConnectionProfile.PnP.PnPAzureEnvironment
- }
- else
- {
- Add-MSCloudLoginAssistantEvent -Message 'Connecting with Credentials and application id' -Source $source
- Add-MSCloudLoginAssistantEvent -Message "URL: $($Script:MSCloudLoginConnectionProfile.PnP.ConnectionUrl)" -Source $source
- Add-MSCloudLoginAssistantEvent -Message "AdminUrl: $($Script:MSCloudLoginConnectionProfile.PnP.AdminUrl)" -Source $source
- Connect-PnPOnline -Url $Script:MSCloudLoginConnectionProfile.PnP.AdminUrl `
- -Credentials $Script:MSCloudLoginConnectionProfile.PnP.Credentials `
- -ClientId $Script:MSCloudLoginConnectionProfile.PnP.ApplicationId `
- -AzureEnvironment $Script:MSCloudLoginConnectionProfile.PnP.PnPAzureEnvironment
- }
-
- $Script:MSCloudLoginConnectionProfile.PnP.ConnectedDateTime = [System.DateTime]::Now.ToString()
- $Script:MSCloudLoginConnectionProfile.PnP.MultiFactorAuthentication = $false
- $Script:MSCloudLoginConnectionProfile.PnP.Connected = $true
- }
- elseif ($Script:MSCloudLoginConnectionProfile.PnP.AuthenticationType -eq 'Credentials')
 {
 if ($Script:MSCloudLoginConnectionProfile.PnP.ConnectionUrl -or $ForceRefreshConnection)
 {
@@ -349,7 +322,7 @@ function Connect-MSCloudLoginPnP
 }
 else
 {
- Add-MSCloudLoginAssistantEvent -Message 'Connecting with Credentials using SPOManagementShell' -Source $source
+ Add-MSCloudLoginAssistantEvent -Message 'Connecting with Credentials using SPOManagementShell and AdminUrl' -Source $source
 Add-MSCloudLoginAssistantEvent -Message "URL: $($Script:MSCloudLoginConnectionProfile.PnP.ConnectionUrl)" -Source $source
 Add-MSCloudLoginAssistantEvent -Message "AdminUrl: $($Script:MSCloudLoginConnectionProfile.PnP.AdminUrl)" -Source $source
 Connect-PnPOnline -Url $Script:MSCloudLoginConnectionProfile.PnP.AdminUrl `
diff --git a/Modules/MSCloudLoginAssistant/Workloads/PowerPlatform.ps1 b/Modules/MSCloudLoginAssistant/Workloads/PowerPlatform.ps1
index e2dc460..99ef190 100644
--- a/Modules/MSCloudLoginAssistant/Workloads/PowerPlatform.ps1
+++ b/Modules/MSCloudLoginAssistant/Workloads/PowerPlatform.ps1
@@ -91,7 +91,7 @@ function Connect-MSCloudLoginPowerPlatform
 if ($Script:MSCloudLoginConnectionProfile.PowerPlatform.AuthenticationType -eq 'ServicePrincipalWithThumbprint')
 {
 Add-PowerAppsAccount -ApplicationId $Script:MSCloudLoginConnectionProfile.PowerPlatform.ApplicationId `
- -TenantID Global:MSCloudLoginConnectionProfile.PowerPlatform.$TenantId `
+ -TenantID $Script:MSCloudLoginConnectionProfile.PowerPlatform.TenantId `
 -CertificateThumbprint $Script:MSCloudLoginConnectionProfile.PowerPlatform.CertificateThumbprint `
 -Endpoint 'preview' `
 -ErrorAction Stop | Out-Null
diff --git a/Modules/MSCloudLoginAssistant/Workloads/PowerPlatformREST.ps1 b/Modules/MSCloudLoginAssistant/Workloads/PowerPlatformREST.ps1
index 1dc63aa..0b7e5b6 100644
--- a/Modules/MSCloudLoginAssistant/Workloads/PowerPlatformREST.ps1
+++ b/Modules/MSCloudLoginAssistant/Workloads/PowerPlatformREST.ps1
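Review bot: Deleting the first `elseif (... -eq 'Credentials')` block does more than remove a duplicate: that block was the one that actually ran (it passed `-ClientId $Script:MSCloudLoginConnectionProfile.PnP.ApplicationId`), and the body now attached to the surviving `elseif` is the previously unreachable SPOManagementShell path. If switching `Credentials` sign-in to the SPO Management Shell client id is intended, the commit description should say so, because the app id presented to the tenant changes and any policy keyed on it will behave differently. The surviving branch's `Connect-PnPOnline` call continues past the second hunk, so whether it still passes a `-ClientId` is not visible here. Connect-MSCloudLoginPnP begins and ends outside these hunks.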
@@ -27,137 +27,11 @@ function Connect-MSCloudLoginPowerPlatformREST $Script:MSCloudLoginConnectionProfile.PowerPlatformREST.AccessToken = $null } - if (-not $Script:MSCloudLoginConnectionProfile.PowerPlatformREST.AccessToken) - { - try - { - if ($Script:MSCloudLoginConnectionProfile.PowerPlatformREST.AuthenticationType -eq 'CredentialsWithApplicationId' -or - $Script:MSCloudLoginConnectionProfile.PowerPlatformREST.AuthenticationType -eq 'Credentials' -or - $Script:MSCloudLoginConnectionProfile.PowerPlatformREST.AuthenticationType -eq 'CredentialsWithTenantId') - { - Add-MSCloudLoginAssistantEvent -Message 'Will try connecting with user credentials' -Source $source - Connect-MSCloudLoginPowerPlatformRESTWithUser - } - elseif ($Script:MSCloudLoginConnectionProfile.PowerPlatformREST.AuthenticationType -eq 'ServicePrincipalWithThumbprint') - { - Add-MSCloudLoginAssistantEvent -Message "Attempting to connect to Admin API using AAD App {$ApplicationID}" -Source $source - Connect-MSCloudLoginPowerPlatformRESTWithCertificateThumbprint - } - else - { - throw 'Specified authentication method is not supported.' 
- } - - $Script:MSCloudLoginConnectionProfile.PowerPlatformREST.ConnectedDateTime = [System.DateTime]::Now.ToString() - $Script:MSCloudLoginConnectionProfile.PowerPlatformREST.Connected = $true - $Script:MSCloudLoginConnectionProfile.PowerPlatformREST.MultiFactorAuthentication = $false - Add-MSCloudLoginAssistantEvent -Message "Successfully connected to Admin API using AAD App {$ApplicationID}" -Source $source - } - catch - { - throw $_ - } - } -} - -function Connect-MSCloudLoginPowerPlatformRESTWithUser -{ - [CmdletBinding()] - param() - - $source = 'Connect-MSCloudLoginPowerPlatformRESTWithUser' - - if ([System.String]::IsNullOrEmpty($Script:MSCloudLoginConnectionProfile.PowerPlatformREST.TenantId)) - { - $tenantId = $Script:MSCloudLoginConnectionProfile.PowerPlatformREST.Credentials.UserName.Split('@')[1] - } - else - { - $tenantId = $Script:MSCloudLoginConnectionProfile.PowerPlatformREST.TenantId - } - - try - { - $managementToken = Get-AuthToken -AuthorizationUrl $Script:MSCloudLoginConnectionProfile.PowerPlatformREST.AuthorizationUrl ` - -Credentials $Script:MSCloudLoginConnectionProfile.PowerPlatformREST.Credentials ` - -TenantId $tenantId ` - -ClientId $Script:MSCloudLoginConnectionProfile.PowerPlatformREST.ClientId ` - -Scope $Script:MSCloudLoginConnectionProfile.PowerPlatformREST.Scope - - $Script:MSCloudLoginConnectionProfile.PowerPlatformREST.AccessToken = $managementToken.token_type.ToString() + ' ' + $managementToken.access_token.ToString() - $Script:MSCloudLoginConnectionProfile.PowerPlatformREST.Connected = $true - $Script:MSCloudLoginConnectionProfile.PowerPlatformREST.ConnectedDateTime = [System.DateTime]::Now.ToString() - } - catch - { - if ($_.ErrorDetails.Message -like '*AADSTS50076*') - { - Add-MSCloudLoginAssistantEvent -Message 'Account used required MFA' -Source $source - Connect-MSCloudLoginPowerPlatformRESTWithUserMFA - } - else - { - $Script:MSCloudLoginConnectionProfile.PowerPlatformREST.Connected = $false - throw $_ - } - } -} 
-function Connect-MSCloudLoginPowerPlatformRESTWithUserMFA -{ - [CmdletBinding()] - param() - - if ([System.String]::IsNullOrEmpty($Script:MSCloudLoginConnectionProfile.PowerPlatformREST.TenantId)) - { - $tenantId = $Script:MSCloudLoginConnectionProfile.PowerPlatformREST.Credentials.UserName.Split('@')[1] - } - else - { - $tenantId = $Script:MSCloudLoginConnectionProfile.PowerPlatformREST.TenantId - } - - $managementToken = Get-AuthToken -AuthorizationUrl $Script:MSCloudLoginConnectionProfile.PowerPlatformREST.AuthorizationUrl ` - -Credentials $Script:MSCloudLoginConnectionProfile.PowerPlatformREST.Credentials ` - -TenantId $tenantId ` - -ClientId $Script:MSCloudLoginConnectionProfile.PowerPlatformREST.ClientId ` + Connect-MSCloudLoginRESTWorkload -WorkloadName 'PowerPlatformREST' ` + -AuthorizationUrl $Script:MSCloudLoginConnectionProfile.PowerPlatformREST.AuthorizationUrl ` -Scope $Script:MSCloudLoginConnectionProfile.PowerPlatformREST.Scope ` - -DeviceCode - - $Script:MSCloudLoginConnectionProfile.PowerPlatformREST.AccessToken = $managementToken.token_type.ToString() + ' ' + $managementToken.access_token.ToString() - $Script:MSCloudLoginConnectionProfile.PowerPlatformREST.Connected = $true - $Script:MSCloudLoginConnectionProfile.PowerPlatformREST.MultiFactorAuthentication = $true - $Script:MSCloudLoginConnectionProfile.PowerPlatformREST.ConnectedDateTime = [System.DateTime]::Now.ToString() -} - -function Connect-MSCloudLoginPowerPlatformRESTWithCertificateThumbprint -{ - [CmdletBinding()] - param() - - $ProgressPreference = 'SilentlyContinue' - $source = 'Connect-MSCloudLoginPowerPlatformRESTWithCertificateThumbprint' - - Add-MSCloudLoginAssistantEvent -Message 'Attempting to connect to PowerPlatformREST using CertificateThumbprint' -Source $source - $tenantId = $Script:MSCloudLoginConnectionProfile.PowerPlatformREST.TenantId - - try - { - $request = Get-AuthToken -AuthorizationUrl $Script:MSCloudLoginConnectionProfile.PowerPlatformREST.AuthorizationUrl ` - 
-CertificateThumbprint $Script:MSCloudLoginConnectionProfile.PowerPlatformREST.CertificateThumbprint ` - -TenantId $tenantId ` - -ClientId $Script:MSCloudLoginConnectionProfile.PowerPlatformREST.ApplicationId ` - -Scope $Script:MSCloudLoginConnectionProfile.PowerPlatformREST.Scope - - $Script:MSCloudLoginConnectionProfile.PowerPlatformREST.AccessToken = 'Bearer ' + $Request.access_token - Add-MSCloudLoginAssistantEvent -Message 'Successfully connected to the Admin API API using Certificate Thumbprint' -Source $source - - $Script:MSCloudLoginConnectionProfile.PowerPlatformREST.Connected = $true - $Script:MSCloudLoginConnectionProfile.PowerPlatformREST.ConnectedDateTime = [System.DateTime]::Now.ToString() - } - catch - { - throw $_ - } + -ClientId $Script:MSCloudLoginConnectionProfile.PowerPlatformREST.ClientId ` + -SupportedAuthMethods @('AccessTokens', 'Credentials', 'CredentialsWithApplicationId', 'CredentialsWithTenantId', 'Identity', 'ServicePrincipalWithPath', 'ServicePrincipalWithSecret', 'ServicePrincipalWithThumbprint') } function Disconnect-MSCloudLoginPowerPlatformREST @@ -165,16 +39,5 @@ function Disconnect-MSCloudLoginPowerPlatformREST [CmdletBinding()] param() - $source = 'Disconnect-MSCloudLoginPowerPlatformREST' - - if ($Script:MSCloudLoginConnectionProfile.PowerPlatformREST.Connected) - { - Add-MSCloudLoginAssistantEvent -Message 'Attempting to disconnect from PowerPlatformREST API' -Source $source - $Script:MSCloudLoginConnectionProfile.PowerPlatformREST.Connected = $false - Add-MSCloudLoginAssistantEvent -Message 'Successfully disconnected from PowerPlatformREST API' -Source $source - } - else - { - Add-MSCloudLoginAssistantEvent -Message 'No connections to PowerPlatformREST API were found' -Source $source - } + Disconnect-MSCloudLoginRESTWorkload -WorkloadName 'PowerPlatformREST' } 
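Review bot: The single `Connect-MSCloudLoginRESTWorkload` call passes `-ClientId $Script:MSCloudLoginConnectionProfile.PowerPlatformREST.ClientId` for every method in `-SupportedAuthMethods`, but the removed certificate-thumbprint function used `.ApplicationId` and only the user-credential functions used `.ClientId`; every other workload in this commit passes `.ApplicationId`. Unless `.ClientId` and `.ApplicationId` are guaranteed equal on this profile, the service-principal methods now authenticate as a different application than before — please confirm which property the helper should receive, or pick it per method. The removed code also skipped re-authentication while `AccessToken` was set (`if (-not $Script:MSCloudLoginConnectionProfile.PowerPlatformREST.AccessToken)`); whether the helper keeps that guard is not visible in the hunk. Connect-MSCloudLoginPowerPlatformREST's opening lines are outside the hunk.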
diff --git a/Modules/MSCloudLoginAssistant/Workloads/SecurityCompliance.ps1 b/Modules/MSCloudLoginAssistant/Workloads/SecurityCompliance.ps1
index 8e2eab8..05a1644 100644
--- a/Modules/MSCloudLoginAssistant/Workloads/SecurityCompliance.ps1
+++ b/Modules/MSCloudLoginAssistant/Workloads/SecurityCompliance.ps1
@@ -131,6 +131,19 @@ function Connect-MSCloudLoginSecurityCompliance
 $Script:MSCloudLoginConnectionProfile.SecurityComplianceCenter.MultiFactorAuthentication = $false
 $Script:MSCloudLoginConnectionProfile.SecurityComplianceCenter.Connected = $true
 }
+ elseif ($Script:MSCloudLoginConnectionProfile.SecurityComplianceCenter.AuthenticationType -eq 'Identity')
+ {
+ Add-MSCloudLoginAssistantEvent -Message 'Connecting to Security & Compliance with Managed Identity' -Source $source
+ Connect-IPPSSession -ManagedIdentity `
+ -EnableSearchOnlySession:$Script:MSCloudLoginConnectionProfile.SecurityComplianceCenter.EnableSearchOnlySession `
+ -ConnectionUri $Script:MSCloudLoginConnectionProfile.SecurityComplianceCenter.ConnectionUrl `
+ -AzureADAuthorizationEndpointUri $Script:MSCloudLoginConnectionProfile.SecurityComplianceCenter.AzureADAuthorizationEndpointUri `
+ -ShowBanner:$false `
+ -ErrorAction Stop | Out-Null
+ $Script:MSCloudLoginConnectionProfile.SecurityComplianceCenter.ConnectedDateTime = [System.DateTime]::Now.ToString()
+ $Script:MSCloudLoginConnectionProfile.SecurityComplianceCenter.MultiFactorAuthentication = $false
+ $Script:MSCloudLoginConnectionProfile.SecurityComplianceCenter.Connected = $true
+ }
 else
 {
 try
diff --git a/Modules/MSCloudLoginAssistant/Workloads/SharePointOnlineREST.ps1 b/Modules/MSCloudLoginAssistant/Workloads/SharePointOnlineREST.ps1
index 5388871..08fbc11 100644
--- a/Modules/MSCloudLoginAssistant/Workloads/SharePointOnlineREST.ps1
+++ b/Modules/MSCloudLoginAssistant/Workloads/SharePointOnlineREST.ps1
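Review bot: The new `Identity` branch calls `Connect-IPPSSession -ManagedIdentity` without `-Organization`, and the ExchangeOnlineManagement cmdlets need the tenant to be named explicitly for a managed-identity sign-in because there is no user principal to derive it from; as written this branch is likely to fail at run time. Pass it from the profile, e.g. `-Organization $Script:MSCloudLoginConnectionProfile.SecurityComplianceCenter.TenantId `, keeping in mind that the documented value is the tenant's primary onmicrosoft.com domain rather than a GUID — confirm which form the profile stores. A user-assigned identity would additionally need `-ManagedIdentityAccountId`; if the Exchange workload already has an Identity branch, mirror its parameters here. Connect-MSCloudLoginSecurityCompliance begins and ends outside the hunk.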
@@ -3,137 +3,9 @@ function Connect-MSCloudLoginSharePointOnlineREST [CmdletBinding()] param() - $InformationPreference = 'SilentlyContinue' - $ProgressPreference = 'SilentlyContinue' - $source = 'Connect-MSCloudLoginSharePointOnlineREST' - - if (-not $Script:MSCloudLoginConnectionProfile.SharePointOnlineREST.AccessToken) - { - try - { - if ($Script:MSCloudLoginConnectionProfile.SharePointOnlineREST.AuthenticationType -eq 'CredentialsWithApplicationId' -or - $Script:MSCloudLoginConnectionProfile.SharePointOnlineREST.AuthenticationType -eq 'Credentials' -or - $Script:MSCloudLoginConnectionProfile.SharePointOnlineREST.AuthenticationType -eq 'CredentialsWithTenantId') - { - Add-MSCloudLoginAssistantEvent -Message 'Will try connecting with user credentials' -Source $source - Connect-MSCloudLoginSharePointOnlineRESTWithUser - } - elseif ($Script:MSCloudLoginConnectionProfile.SharePointOnlineREST.AuthenticationType -eq 'ServicePrincipalWithThumbprint') - { - Add-MSCloudLoginAssistantEvent -Message "Attempting to connect to SharePoint Online REST using AAD App {$ApplicationID}" -Source $source - Connect-MSCloudLoginSharePointOnlineRESTWithCertificateThumbprint - } - else - { - throw 'Specified authentication method is not supported.' 
- } - - $Script:MSCloudLoginConnectionProfile.SharePointOnlineREST.ConnectedDateTime = [System.DateTime]::Now.ToString() - $Script:MSCloudLoginConnectionProfile.SharePointOnlineREST.Connected = $true - $Script:MSCloudLoginConnectionProfile.SharePointOnlineREST.MultiFactorAuthentication = $false - Add-MSCloudLoginAssistantEvent -Message "Successfully connected to SharePoint Online REST using AAD App {$ApplicationID}" -Source $source - } - catch - { - throw $_ - } - } -} - -function Connect-MSCloudLoginSharePointOnlineRESTWithUser -{ - [CmdletBinding()] - param() - - $source = 'Connect-MSCloudLoginSharePointOnlineRESTWithUser' - if ([System.String]::IsNullOrEmpty($Script:MSCloudLoginConnectionProfile.SharePointOnlineREST.TenantId)) - { - $tenantId = $Script:MSCloudLoginConnectionProfile.SharePointOnlineREST.Credentials.UserName.Split('@')[1] - } - else - { - $tenantId = $Script:MSCloudLoginConnectionProfile.SharePointOnlineREST.TenantId - } - - try - { - $managementToken = Get-AuthToken -AuthorizationUrl $Script:MSCloudLoginConnectionProfile.SharePointOnlineREST.AuthorizationUrl ` - -Credential $Script:MSCloudLoginConnectionProfile.SharePointOnlineREST.Credentials ` - -TenantId $tenantId ` - -ClientId $Script:MSCloudLoginConnectionProfile.SharePointOnlineREST.ApplicationId ` - -Scope $Script:MSCloudLoginConnectionProfile.SharePointOnlineREST.Scope ` - - $Script:MSCloudLoginConnectionProfile.SharePointOnlineREST.AccessToken = $managementToken.token_type.ToString() + ' ' + $managementToken.access_token.ToString() - $Script:MSCloudLoginConnectionProfile.SharePointOnlineREST.Connected = $true - $Script:MSCloudLoginConnectionProfile.SharePointOnlineREST.ConnectedDateTime = [System.DateTime]::Now.ToString() - } - catch - { - if ($_.ErrorDetails.Message -like '*AADSTS50076*') - { - Add-MSCloudLoginAssistantEvent -Message 'Account used required MFA' -Source $source - Connect-MSCloudLoginSharePointOnlineRESTWithUserMFA - } - else - { - 
$Script:MSCloudLoginConnectionProfile.SharePointOnlineREST.Connected = $false - throw $_ - } - } -} - -function Connect-MSCloudLoginSharePointOnlineRESTWithUserMFA -{ - [CmdletBinding()] - param() - - if ([System.String]::IsNullOrEmpty($Script:MSCloudLoginConnectionProfile.SharePointOnlineREST.TenantId)) - { - $tenantId = $Script:MSCloudLoginConnectionProfile.SharePointOnlineREST.Credentials.UserName.Split('@')[1] - } - else - { - $tenantId = $Script:MSCloudLoginConnectionProfile.SharePointOnlineREST.TenantId - } - - $managementToken = Get-AuthToken -AuthorizationUrl $Script:MSCloudLoginConnectionProfile.SharePointOnlineREST.AuthorizationUrl ` - -Credentials $Script:MSCloudLoginConnectionProfile.SharePointOnlineREST.Credentials ` - -TenantId $tenantId ` - -ClientId $Script:MSCloudLoginConnectionProfile.SharePointOnlineREST.ApplicationId ` + Connect-MSCloudLoginRESTWorkload -WorkloadName 'SharePointOnlineREST' ` + -AuthorizationUrl $Script:MSCloudLoginConnectionProfile.SharePointOnlineREST.AuthorizationUrl ` -Scope $Script:MSCloudLoginConnectionProfile.SharePointOnlineREST.Scope ` - -DeviceCode - - $Script:MSCloudLoginConnectionProfile.SharePointOnlineREST.AccessToken = $managementToken.token_type.ToString() + ' ' + $managementToken.access_token.ToString() - $Script:MSCloudLoginConnectionProfile.SharePointOnlineREST.Connected = $true - $Script:MSCloudLoginConnectionProfile.SharePointOnlineREST.MultiFactorAuthentication = $true - $Script:MSCloudLoginConnectionProfile.SharePointOnlineREST.ConnectedDateTime = [System.DateTime]::Now.ToString() -} - -function Connect-MSCloudLoginSharePointOnlineRESTWithCertificateThumbprint -{ - [CmdletBinding()] - param() - - $ProgressPreference = 'SilentlyContinue' - $source = 'Connect-MSCloudLoginSharePointOnlineRESTWithCertificateThumbprint' - - Add-MSCloudLoginAssistantEvent -Message 'Attempting to connect to SharePointOnlineREST using CertificateThumbprint' -Source $source - - try - { - $request = Get-AuthToken -AuthorizationUrl 
$Script:MSCloudLoginConnectionProfile.SharePointOnlineREST.AuthorizationUrl ` - -CertificateThumbprint $Script:MSCloudLoginConnectionProfile.SharePointOnlineREST.CertificateThumbprint ` - -TenantId $Script:MSCloudLoginConnectionProfile.SharePointOnlineREST.TenantId ` - -ClientId $Script:MSCloudLoginConnectionProfile.SharePointOnlineREST.ApplicationId ` - -Scope $Script:MSCloudLoginConnectionProfile.SharePointOnlineREST.Scope - - Add-MSCloudLoginAssistantEvent -Message 'Successfully connected to the SharePoint Online REST API using Certificate Thumbprint' -Source $source - $Script:MSCloudLoginConnectionProfile.SharePointOnlineREST.AccessToken = 'Bearer ' + $Request.access_token - $Script:MSCloudLoginConnectionProfile.SharePointOnlineREST.Connected = $true - $Script:MSCloudLoginConnectionProfile.SharePointOnlineREST.ConnectedDateTime = [System.DateTime]::Now.ToString() - } - catch - { - throw $_ - } + -ClientId $Script:MSCloudLoginConnectionProfile.SharePointOnlineREST.ApplicationId ` + -SupportedAuthMethods @('AccessTokens', 'Credentials', 'CredentialsWithApplicationId', 'CredentialsWithTenantId', 'Identity', 'ServicePrincipalWithPath', 'ServicePrincipalWithSecret', 'ServicePrincipalWithThumbprint') } diff --git a/Modules/MSCloudLoginAssistant/Workloads/Tasks.ps1 b/Modules/MSCloudLoginAssistant/Workloads/Tasks.ps1 index cb20979..5829ea8 100644 --- a/Modules/MSCloudLoginAssistant/Workloads/Tasks.ps1 +++ b/Modules/MSCloudLoginAssistant/Workloads/Tasks.ps1 
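Review bot: The eight-entry `-SupportedAuthMethods` literal on the last added line is repeated verbatim in the Licensing and PowerPlatformREST hunks and, in a different order, in the Tasks hunk; declaring it once next to Connect-MSCloudLoginRESTWorkload (a script-scope array, name of your choosing) and passing that variable from each workload would keep the four lists from drifting. The list also newly admits `Identity` and `ServicePrincipalWithPath`, which the removed code rejected with `'Specified authentication method is not supported.'`; whether the helper implements those flows for this workload is not visible in the hunk, so please confirm. Connect-MSCloudLoginSharePointOnlineREST's opening lines are outside the hunk.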
@@ -3,172 +3,9 @@ function Connect-MSCloudLoginTasks [CmdletBinding()] param() - $ProgressPreference = 'SilentlyContinue' - $source = 'Connect-MSCloudLoginTasks' - - if ($Script:MSCloudLoginConnectionProfile.Tasks.AuthenticationType -eq 'CredentialsWithApplicationId' -or - $Script:MSCloudLoginConnectionProfile.Tasks.AuthenticationType -eq 'Credentials' -or - $Script:MSCloudLoginConnectionProfile.Tasks.AuthenticationType -eq 'CredentialsWithTenantId') - { - Add-MSCloudLoginAssistantEvent -Message 'Will try connecting with user credentials' -Source $source - Connect-MSCloudLoginTasksWithUser - } - elseif ($Script:MSCloudLoginConnectionProfile.Tasks.AuthenticationType -eq 'ServicePrincipalWithSecret') - { - Add-MSCloudLoginAssistantEvent -Message 'Will try connecting with Application Secret' -Source $source - Connect-MSCloudLoginTasksWithAppSecret - } - elseif ($Script:MSCloudLoginConnectionProfile.Tasks.AuthenticationType -eq 'ServicePrincipalWithThumbprint') - { - Add-MSCloudLoginAssistantEvent -Message 'Will try connecting with Application Secret' -Source $source - Connect-MSCloudLoginTasksWithCertificateThumbprint - } - elseif ($Script:MSCloudLoginConnectionProfile.Tasks.AuthenticationType -eq 'ServicePrincipalWithPath') - { - Add-MSCloudLoginAssistantEvent -Message 'Will try connecting with Application Certificate Path' -Source $source - Connect-MSCloudLoginTasksWithCertificatePath - } - elseif ($Script:MSCloudLoginConnectionProfile.Tasks.AuthenticationType -eq 'AccessToken') - { - Add-MSCloudLoginAssistantEvent -Message 'Will try connecting with Access Token' -Source $source - $Ptr = [System.Runtime.InteropServices.Marshal]::SecureStringToCoTaskMemUnicode($Script:MSCloudLoginConnectionProfile.Tasks.AccessTokens[0]) - $AccessTokenValue = [System.Runtime.InteropServices.Marshal]::PtrToStringUni($Ptr) - [System.Runtime.InteropServices.Marshal]::ZeroFreeCoTaskMemUnicode($Ptr) - $Script:MSCloudLoginConnectionProfile.Tasks.AccessToken = $AccessTokenValue - } -} - 
-function Connect-MSCloudLoginTasksWithUser -{ - [CmdletBinding()] - param() - - $source = 'Connect-MSCloudLoginTasksWithUser' - - if ([System.String]::IsNullOrEmpty($Script:MSCloudLoginConnectionProfile.Tasks.TenantId)) - { - $tenantId = $Script:MSCloudLoginConnectionProfile.Tasks.Credentials.UserName.Split('@')[1] - } - else - { - $tenantId = $Script:MSCloudLoginConnectionProfile.Tasks.TenantId - } - - try - { - $managementToken = Get-AuthToken -AuthorizationUrl $Script:MSCloudLoginConnectionProfile.Tasks.AuthorizationUrl ` - -Credentials $Script:MSCloudLoginConnectionProfile.Tasks.Credentials ` - -TenantId $tenantId ` - -ClientId $Script:MSCloudLoginConnectionProfile.Tasks.ApplicationId ` - -Scope $Script:MSCloudLoginConnectionProfile.Tasks.Scope - - $Script:MSCloudLoginConnectionProfile.Tasks.AccessToken = $managementToken.token_type.ToString() + ' ' + $managementToken.access_token.ToString() - } - catch - { - if ($_.ErrorDetails.Message -like '*AADSTS50076*') - { - Add-MSCloudLoginAssistantEvent -Message 'Account used required MFA' -Source $source - Connect-MSCloudLoginTasksWithUserMFA - } - else - { - $Script:MSCloudLoginConnectionProfile.Tasks.Connected = $false - throw $_ - } - } -} - -function Connect-MSCloudLoginTasksWithUserMFA -{ - [CmdletBinding()] - param() - - if ([System.String]::IsNullOrEmpty($Script:MSCloudLoginConnectionProfile.Tasks.TenantId)) - { - $tenantId = $Script:MSCloudLoginConnectionProfile.Tasks.Credentials.UserName.Split('@')[1] - } - else - { - $tenantId = $Script:MSCloudLoginConnectionProfile.Tasks.TenantId - } - - $managementToken = Get-AuthToken -AuthorizationUrl $Script:MSCloudLoginConnectionProfile.Tasks.AuthorizationUrl ` - -Credentials $Script:MSCloudLoginConnectionProfile.Tasks.Credentials ` - -TenantId $tenantId ` - -ClientId $Script:MSCloudLoginConnectionProfile.Tasks.ApplicationId ` - -Scope $Script:MSCloudLoginConnectionProfile.Tasks.Scope - - $Script:MSCloudLoginConnectionProfile.Tasks.AccessToken = 
$managementToken.token_type.ToString() + ' ' + $managementToken.access_token.ToString() -} - -function Connect-MSCloudLoginTasksWithAppSecret -{ - [CmdletBinding()] - param() - - $managementToken = Get-AuthToken -AuthorizationUrl $Script:MSCloudLoginConnectionProfile.Tasks.AuthorizationUrl ` - -ClientSecret $Script:MSCloudLoginConnectionProfile.Tasks.ApplicationSecret ` - -TenantId $tenantId ` + Connect-MSCloudLoginRESTWorkload -WorkloadName 'Tasks' ` + -AuthorizationUrl $Script:MSCloudLoginConnectionProfile.Tasks.AuthorizationUrl ` + -Scope $Script:MSCloudLoginConnectionProfile.Tasks.Scope ` -ClientId $Script:MSCloudLoginConnectionProfile.Tasks.ApplicationId ` - -Scope $Script:MSCloudLoginConnectionProfile.Tasks.Scope - - $Script:MSCloudLoginConnectionProfile.Tasks.AccessToken = $managementToken.token_type.ToString() + ' ' + $managementToken.access_token.ToString() -} - -function Connect-MSCloudLoginTasksWithCertificateThumbprint -{ - [CmdletBinding()] - param() - - $ProgressPreference = 'SilentlyContinue' - $source = 'Connect-MSCloudLoginTasksWithCertificateThumbprint' - - Add-MSCloudLoginAssistantEvent -Message 'Attempting to connect to Whiteboard using CertificateThumbprint' -Source $source - $tenantId = $Script:MSCloudLoginConnectionProfile.Tasks.TenantId - - try - { - $request = Get-AuthToken -AuthorizationUrl $Script:MSCloudLoginConnectionProfile.Tasks.AuthorizationUrl ` - -CertificateThumbprint $Script:MSCloudLoginConnectionProfile.Tasks.CertificateThumbprint ` - -TenantId $tenantId ` - -ClientId $Script:MSCloudLoginConnectionProfile.Tasks.ApplicationId ` - -Scope $Script:MSCloudLoginConnectionProfile.Tasks.Scope - - $Script:MSCloudLoginConnectionProfile.Tasks.AccessToken = 'Bearer ' + $Request.access_token - Add-MSCloudLoginAssistantEvent -Message 'Successfully connected to the Tasks API using Certificate Thumbprint' -Source $source - } - catch - { - throw $_ - } -} - -function Connect-MSCloudLoginTasksWithCertificatePath -{ - [CmdletBinding()] - param() - 
- $ProgressPreference = 'SilentlyContinue'
- $source = 'Connect-MSCloudLoginTasksWithCertificatePath'
-
- Add-MSCloudLoginAssistantEvent -Message 'Attempting to connect to Tasks using CertificatePath' -Source $source
- $tenantId = $Script:MSCloudLoginConnectionProfile.Tasks.TenantId
-
- try
- {
- $request = Get-AuthToken -AuthorizationUrl $Script:MSCloudLoginConnectionProfile.Tasks.AuthorizationUrl `
- -CertificatePath $Script:MSCloudLoginConnectionProfile.Tasks.CertificatePath `
- -CertificatePassword $Script:MSCloudLoginConnectionProfile.Tasks.CertificatePassword `
- -TenantId $tenantId `
- -ClientId $Script:MSCloudLoginConnectionProfile.Tasks.ApplicationId `
- -Scope $Script:MSCloudLoginConnectionProfile.Tasks.Scope
-
- $Script:MSCloudLoginConnectionProfile.Tasks.AccessToken = 'Bearer ' + $Request.access_token
- Add-MSCloudLoginAssistantEvent -Message 'Successfully connected to the Tasks API using Certificate Path' -Source $source
- }
- catch
- {
- throw $_
- }
+ -SupportedAuthMethods @('AccessTokens', 'Credentials', 'CredentialsWithApplicationId', 'CredentialsWithTenantId', 'Identity', 'ServicePrincipalWithSecret', 'ServicePrincipalWithThumbprint', 'ServicePrincipalWithPath')
 }
diff --git a/Modules/MSCloudLoginAssistant/Workloads/Teams.ps1 b/Modules/MSCloudLoginAssistant/Workloads/Teams.ps1
index ccb7a8c..5125acd 100644
--- a/Modules/MSCloudLoginAssistant/Workloads/Teams.ps1
+++ b/Modules/MSCloudLoginAssistant/Workloads/Teams.ps1
@@ -197,7 +197,7 @@ function Connect-MSCloudLoginTeams
 $Script:MSCloudLoginConnectionProfile.Teams.MultiFactorAuthentication = $false
 $Script:MSCloudLoginConnectionProfile.Teams.Connected = $true
 }
- elseif ($Script:MSCloudLoginConnectionProfile.Teams.AuthenticationType -eq 'AccessToken')
+ elseif ($Script:MSCloudLoginConnectionProfile.Teams.AuthenticationType -eq 'AccessTokens')
 {
 $tokenValues = @()
 foreach ($tokenInfo in $Script:MSCloudLoginConnectionProfile.Teams.AccessTokens)
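Review bot: The removed access-token branch unwrapped `AccessTokens[0]` as a SecureString via `[System.Runtime.InteropServices.Marshal]::SecureStringToCoTaskMemUnicode`, whereas the O365Portal hunk's removed code treated `AccessTokens[0]` as a plain string (`-like 'Bearer *'`); with both workloads now routed through Connect-MSCloudLoginRESTWorkload with `'AccessTokens'` in `-SupportedAuthMethods`, confirm the helper accepts whichever form Tasks callers supply, or document that Tasks now expects a plain bearer token. That old branch was unreachable anyway, since it compared against `'AccessToken'` while the ValidateSet spells it `'AccessTokens'` — the same typo the Teams hunk in this commit fixes — so enabling it is itself a behavior change worth a line in the description. The removed Tasks functions also never set `Connected` or `ConnectedDateTime`; if the helper now does, note that too. Connect-MSCloudLoginTasks's opening lines are outside the hunk.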