Comments (9)
Hey, that’s all I needed to know. Thank you so much, this is going to be tremendously valuable!
from aadinternals.
You can do a "normal" PRT with AADInternals, but I don't think it works in your case. But I'll take a look at this later this week.
from aadinternals.
@dkattan, I was able to create a BPRT but I haven't been able to test it.
Could you kindly test the following code?
To test, first open the AccessToken_utils.ps1 file from the AADInternals installation location with PowerShell ISE. The location can be found with:
Get-Module AADInternals | select path
When the file is opened, run it by pressing F5.
After that, create a new file with the following content and run it.
# $cred is not defined in the snippet itself; supply the user's credentials first
$cred = Get-Credential
$AccessToken = Get-AccessToken -ClientId "1b730954-1685-4b74-9bfd-dac224a7b894" -Resource "urn:ms-drs:enterpriseregistration.windows.net" -Credentials $cred
$headers = @{
    "Authorization" = "Bearer $AccessToken"
}
$guid = (New-Guid).ToString()
$body = @{
    "pid"  = $guid
    "name" = "package_$guid"
    "exp"  = (Get-Date).AddMonths(1).ToString("MM/dd/yyyy")
}
# Make the first request to get flowToken
$response = Invoke-RestMethod -Method Post -UseBasicParsing -Uri "https://login.microsoftonline.com/webapp/bulkaadjtoken/begin" -Headers $headers -Body ($body | ConvertTo-Json) -ContentType "application/json"
if($response.state -like "*Error*")
{
    $resultData = $response.resultData | ConvertFrom-Json
    throw $resultData.error_description
}
# Get the BPRT
$response = Invoke-RestMethod -Method Get -UseBasicParsing -Uri "https://login.microsoftonline.com/webapp/bulkaadjtoken/poll?flowToken=$($response.flowToken)" -Headers $headers
$response.resultData | ConvertFrom-Json
from aadinternals.
This totally worked! I'm wondering if it would be possible to do this without needing to use the PowerShell Module ClientID + Username and Password and instead use my own App Registration with a Client Secret.
from aadinternals.
Good to hear!
Sure, you should be able to do this with an App.
Before you begin, you need to register an app with permissions (or scope) "policy_management". See this link for more details. After registering your app, you can get an access token and use it in the script.
from aadinternals.
Is that policy_management scope in the Add API Permission UI in Azure?
Closest I could find is Policy.ReadWrite.PermissionGrant
Googling, I can't seem to find much on this policy_management permission.
I know that there are permissions not listed there, for example when I use Kelvin's script to generate an App Registration, 1cebfa2a-fb4d-419e-b5f9-839b4383e05a correlates to a Partner Center API permission that isn't listed in the UI, but you can add it to the manifest and it shows up:
$partnerCenterAppAccess = [Microsoft.Open.AzureAD.Model.RequiredResourceAccess]@{
    ResourceAppId  = "fa3d9a0c-3fb0-42cc-9193-47c7ecd2edbd";
    ResourceAccess =
        [Microsoft.Open.AzureAD.Model.ResourceAccess]@{
            Id   = "1cebfa2a-fb4d-419e-b5f9-839b4383e05a";
            Type = "Scope"
        }
}
Do you perhaps know the Guid for the permission/scope in question?
Out of curiosity, how'd you determine the policy_management permission/scope is what's required?
from aadinternals.
I found the scope from the access token used to create the BPRT token:
I'll check which API permissions are required from the app.
from aadinternals.
Is it possible to retrieve the manifest for well-known appids like 1b730954-1685-4b74-9bfd-dac224a7b894?
from aadinternals.
This seems to be undoable as the service doing the registration requires an access token with a scope (or resource) of "urn:ms-drs:enterpriseregistration.windows.net" and a upn claim to be present ☹ So, I'm afraid you need to stick to a user.
As for manifests, I haven't found a way to retrieve them (besides the apps you've registered yourself).
from aadinternals.
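The last reply above states that the enrollment service wants a token for the resource urn:ms-drs:enterpriseregistration.windows.net that carries the policy_management scope and a upn claim, which is why an app-only (client secret) token will not work. The following is an added example, not code from the thread or from AADInternals, that decodes the access token returned by Get-AccessToken and reports which of those requirements it fails before the begin/poll requests are sent. It assumes the token is a standard Azure AD JWT with the usual aud, scp, upn and exp claims, and that $AccessToken was obtained as in the script earlier in the thread; the function names are my own.

```powershell
# Added example (not part of the original thread or AADInternals): decode a
# JWT's payload and check the claims the BPRT service is reported to require.
# Assumptions: the token is an Azure AD JWT (aud, scp, upn, exp claims);
# the expected audience and scope are taken from the replies above.

function ConvertFrom-JwtPayload {
    param([Parameter(Mandatory)][string]$Token)
    $parts = $Token.Split('.')
    if ($parts.Count -lt 2) { throw "Not a JWT: expected at least two dot-separated parts" }
    # Base64url -> Base64: swap the two alphabet characters and restore padding
    $b64 = $parts[1].Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) {
        2 { $b64 += '==' }
        3 { $b64 += '=' }
    }
    $json = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64))
    return $json | ConvertFrom-Json
}

function Test-BprtTokenClaims {
    param([Parameter(Mandatory)][string]$Token)
    $claims   = ConvertFrom-JwtPayload -Token $Token
    $problems = @()

    # Resource the token was issued for (the -Resource passed to Get-AccessToken)
    if ($claims.aud -ne 'urn:ms-drs:enterpriseregistration.windows.net') {
        $problems += "aud is '$($claims.aud)', expected urn:ms-drs:enterpriseregistration.windows.net"
    }

    # Delegated scopes are a space-separated list in scp; app-only tokens carry roles instead
    $scopes = @()
    if ($claims.scp) { $scopes = $claims.scp -split ' ' }
    if ($scopes -notcontains 'policy_management') {
        $problems += "scp '$($claims.scp)' does not include policy_management"
    }

    # upn is only present for user tokens; client-credential tokens have no upn
    if (-not $claims.upn) {
        $problems += "upn claim missing (app-only tokens do not carry one)"
    }

    $exp = [DateTimeOffset]::FromUnixTimeSeconds([int64]$claims.exp)
    if ($exp -lt [DateTimeOffset]::UtcNow) { $problems += "token expired at $exp" }

    [pscustomobject]@{
        Audience = $claims.aud
        Scopes   = $scopes
        Upn      = $claims.upn
        Expires  = $exp
        Ok       = ($problems.Count -eq 0)
        Problems = $problems
    }
}

# Usage, after obtaining $AccessToken with Get-AccessToken as in the script above:
# $check = Test-BprtTokenClaims -Token $AccessToken
# if (-not $check.Ok) { $check.Problems | ForEach-Object { Write-Warning $_ }; return }
```

Run the check before the POST to /webapp/bulkaadjtoken/begin; a token obtained with a client secret will fail on the upn check, which is the same failure the thread ends on, while a user token for the wrong resource fails on aud. The payload is decoded without verifying the signature, which is fine here because the token is only being inspected locally, not trusted.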