Sunday, February 11, 2018

Azure Active Directory App Only Authentication with PnP PowerShell

Why do we need app only authentication? If you want to execute code without the permissions of a user, and without a user's authentication token, your only option is App Only authentication. In simple terms, if a task is to be executed by a daemon, App Only authentication is your best option.

This is the first post in a series on building a solution that runs PowerShell code in an Azure Function to manipulate data residing in SharePoint Online.

This blog post focuses on creating an Azure Active Directory App and granting permissions to the App to communicate with SharePoint Online.

In your Office 365 Admin Center, select Azure Active Directory. On the left side menu, select Azure Active Directory. Select App Registration and click on "+ New application registration". Provide a meaningful name for the "Name", select Application type as "Web app/API" and a Sign-on URL. The Sign-on URL can be any URL and I will discuss in a future post where it will be used. Also, this can be changed later.

Once the App is created, Azure will provide a unique Application ID for the App.
Next, select Settings, Required permissions and Add.
Then you can select the APIs you need access to. Let's select Office 365 SharePoint Online.
You need to configure the following permission.

  • Have full control of all site collections (Application permissions)

The required permission level depends on the requirements of your final solution. I'm planning to create new sites within site collections, so I've granted the above permission. Remember, it's an "Application Permission": application permissions are what the application receives when it runs as App Only, with no signed-in user.
Next, click the Grant Permissions button on the required permissions tab. This grants consent so that users who are not tenant admins can also access the application.
Now we need to create a self-signed certificate (or a commercial certificate) and update the Azure AD Application manifest.

Use the PowerShell script below to create a self-signed certificate. Make sure you have installed OfficeDev PnP PowerShell.
# Folder where the .cer and .pfx files will be written; create it if it does not exist yet.
$certroot = 'C:\Site Creator'
$certname = "IntelAi-Cert-1"
New-Item -ItemType Directory -Path $certroot -Force | Out-Null
# Single quotes are required here: inside double quotes PowerShell expands "$$" and silently changes the password.
$password = ConvertTo-SecureString 'P@$$w0rd' -AsPlainText -Force
$startdate = Get-Date
$enddate = $startdate.AddYears(4)
# Self-signed (-r), exportable private key (-pe), 2048-bit RSA key, stored in the current user's personal store (-ss my).
makecert.exe -r -pe -n "CN=$certname" -b ($startdate.ToString("MM/dd/yyyy")) -e ($enddate.ToString("MM/dd/yyyy")) -ss my -len 2048
$cert = Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.Subject -eq "CN=$certname" }
# The .cer holds only the public certificate (this goes into the Azure AD manifest);
# the .pfx also holds the private key and stays with the daemon that authenticates.
Export-Certificate -Type CERT -FilePath "$certroot\$certname.cer" -Cert $cert -Force
Export-PfxCertificate -FilePath "$certroot\$certname.pfx" -Cert $cert -Password $password -Force

Now execute the script below. It will copy a string to your clipboard.
Get-PnPAzureADManifestKeyCredentials -CertPath 'C:\Site Creator\IntelAi-Cert-1.cer' | clip

The copied string will look similar to the one below. We need to add this string into the manifest file of the Azure AD Application. (I've trimmed the value property.)
"keyCredentials": [
 {
  "customKeyIdentifier": "5lca+kziogw7T6MB4kUrxseK5m8=",
  "keyId": "84153f1a-90b7-4802-b99a-bb75d4f9a35b",
  "type": "AsymmetricX509Cert",
  "usage": "Verify",
  "value": "MIIDAjCCAe6gAwIBAgIQkawCJU0cWYxH8RamKNuqqTAJBgUrDgMCHQUAMBkx
 }
],
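
As an added example that is not part of the original post, the following script rebuilds the same keyCredentials entry from the exported .cer file using plain .NET certificate classes. It shows what customKeyIdentifier and value actually contain (Base64 of the SHA-1 thumbprint and of the DER-encoded public certificate) and lets you check the cmdlet's output against the certificate's thumbprint before editing the manifest. It assumes the .cer path used earlier in the post and that the certificate is within its validity period.

```powershell
# Added example, not from the original post: rebuild the keyCredentials entry
# from the exported .cer so the output of Get-PnPAzureADManifestKeyCredentials
# can be verified before it is pasted into the manifest.
function New-KeyCredentialFromCer {
    param([Parameter(Mandatory)][string] $CerPath)

    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CerPath

    # The manifest only needs the public part; a file carrying the private key is the wrong one.
    if ($cert.HasPrivateKey) { throw "$CerPath contains a private key; use the exported public .cer instead." }

    # Refuse a certificate outside its validity window: Azure AD would accept the
    # manifest entry, but Connect-PnPOnline would fail with a token error later.
    $now = Get-Date
    if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
        throw "Certificate '$($cert.Subject)' is not valid at $now (NotBefore $($cert.NotBefore), NotAfter $($cert.NotAfter))."
    }

    # customKeyIdentifier = Base64 of the SHA-1 thumbprint bytes,
    # value               = Base64 of the DER-encoded public certificate.
    [ordered]@{
        customKeyIdentifier = [Convert]::ToBase64String($cert.GetCertHash())
        keyId               = [guid]::NewGuid().ToString()
        type                = 'AsymmetricX509Cert'
        usage               = 'Verify'
        value               = [Convert]::ToBase64String($cert.GetRawCertData())
    }
}

# Path from the post (assumed to exist on this machine).
$entry = New-KeyCredentialFromCer -CerPath 'C:\Site Creator\IntelAi-Cert-1.cer'

# Decode customKeyIdentifier back to the hex thumbprint the certificate store
# shows, so the manifest entry can be matched to the right certificate (and .pfx).
$thumbHex = ([Convert]::FromBase64String($entry.customKeyIdentifier) | ForEach-Object { $_.ToString('X2') }) -join ''
"Thumbprint: $thumbHex"

# Manifest fragment in the same shape as the cmdlet's output.
@{ keyCredentials = @($entry) } | ConvertTo-Json -Depth 3
```

Compare the printed thumbprint with the one shown for the certificate in Cert:\CurrentUser\My; if they differ, the string you copied does not belong to the certificate the daemon will use.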

Select your application within App registrations under Azure Active Directory, open its manifest and replace the empty "keyCredentials": [] section with the copied string.

Now we can test whether the application has enough permission to connect to the SharePoint Online site. For the ClientId, provide the Application ID of the application you have created.
# Same single-quoted password that protected the .pfx when it was exported.
$password = ConvertTo-SecureString 'P@$$w0rd' -AsPlainText -Force
# App Only connection: the .pfx (private key) proves the app's identity; no user credentials are involved.
Connect-PnPOnline -Url https://intelai.sharepoint.com/ -ClientId 0c01f61e-ba27-4ae7-ab19-174884a949fc -CertificatePath 'C:\Site Creator\IntelAi-Cert-1.pfx' -CertificatePassword $password -Tenant intelai.onmicrosoft.com
# If the connection and permissions are correct, this prints the site title.
$myWeb = Get-PnPWeb
$myWeb.Title
