AzureRM - Service Principal Certificate.ps1
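# Define certificate start and end dates
# Interactive provisioning script: creates a self-signed certificate, registers an
# Azure AD application and service principal that authenticate with it, grants the
# principal a role on a chosen subscription, and stores the resulting assets in an
# Azure Automation account. Must run from an elevated ("Run as Administrator")
# session because the certificate is written to Cert:\LocalMachine\My.
# Stop at the first failing cmdlet so a failed export or login is not silently
# followed by a role assignment or asset creation built on incomplete data.
$ErrorActionPreference = 'Stop'
$currentDate = Get-Date
$endDate = $currentDate.AddYears(1)     # validity of the Azure AD key credential
$notAfter = $endDate.AddYears(1)        # certificate validity, one year beyond the credential
# Generate new self-signed certificate from "Run as Administrator" PowerShell session
$certName = Read-Host "Enter FQDN Subject Name for certificate:"
$certStore = "Cert:\LocalMachine\My"
$certThumbprint = (New-SelfSignedCertificate -DnsName "$certName" -CertStoreLocation $certStore -KeyExportPolicy Exportable -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -NotAfter $notAfter).Thumbprint
# Provider path of the new certificate, reused for the export and the key credential below.
$certPath = "$($certStore)\$($certThumbprint)"
# Export password-protected pfx file
$pfxPassword = Read-Host -Prompt "Enter password to protect exported certificate:" -AsSecureString
$pfxFilepath = Read-Host -Prompt "Enter full path to export certificate (ex C:\folder\filename.pfx)"
Export-PfxCertificate -Cert $certPath -FilePath $pfxFilepath -Password $pfxPassword
# The PFX (private key included) is uploaded to Automation later; make sure it really exists.
if (-not (Test-Path -LiteralPath $pfxFilepath)) {
    throw "PFX export failed: $pfxFilepath was not created"
}
# Login to Azure Account
Login-AzureRmAccount
# Create Key Credential Object
# Only the public certificate (raw cert data) goes into the key credential, so read
# it back from the store instead of reloading the PFX and its private key.
$cert = Get-Item -Path $certPath
$keyValue = [System.Convert]::ToBase64String($cert.GetRawCertData())
$keyId = [guid]::NewGuid()
Import-Module AzureRM.Resources
$keyCredential = New-Object Microsoft.Azure.Commands.Resources.Models.ActiveDirectory.PSADKeyCredential
$keyCredential.StartDate = $currentDate
$keyCredential.EndDate = $endDate
$keyCredential.KeyId = $keyId
$keyCredential.Type = "AsymmetricX509Cert"
$keyCredential.Usage = "Verify"
$keyCredential.Value = $keyValue
# Create Azure AD Application
$adAppName = Read-Host "Enter unique Azure AD App name"
$adAppHomePage = Read-Host "Enter unique Azure AD App Homepage URI"
$adAppIdentifierUri = Read-Host "Enter unique Azure AD App Identifier URI"
$adApp = New-AzureRmADApplication -DisplayName $adAppName -HomePage $adAppHomePage -IdentifierUris $adAppIdentifierUri -KeyCredentials $keyCredential
Write-Output "New Azure AD App Id: $($adApp.ApplicationId)"
# Create Azure AD Service Principal
New-AzureRmADServicePrincipal -ApplicationId $adApp.ApplicationId
# Add the Service Principal as Owner to selected subscription
$subscriptionId = (Get-AzureRmSubscription | Out-GridView -Title "Select an Azure Subscription ..." -PassThru).SubscriptionId
Select-AzureRmSubscription -SubscriptionId $subscriptionId
# Role granted to the service principal on the selected subscription. Owner is kept
# as the default for compatibility with the original script; prefer the least
# privileged role the runbooks actually need (e.g. Contributor, or a role scoped
# to a single resource group) and review the assignment periodically.
$roleName = "Owner"
# NOTE(review): a just-created service principal may not yet be visible to the role
# assignment; if this step fails with a "not found" style error, re-run it after a
# short wait — confirm against your tenant.
New-AzureRmRoleAssignment -RoleDefinitionName $roleName -ServicePrincipalName $adApp.ApplicationId
# Test authenticating as Service Principal to Azure
$tenantId = (Get-AzureRmContext).Tenant.TenantId
Login-AzureRmAccount -ServicePrincipal -TenantId $tenantId -ApplicationId $adApp.ApplicationId -CertificateThumbprint $certThumbprint
# Create Azure Automation Assets
# From here on the session is the service principal's context, so the Automation
# account list reflects what the new role assignment allows it to see.
$automationAccount = Get-AzureRmAutomationAccount | Out-GridView -Title "Select an existing Azure Automation account ..." -PassThru
# App, tenant and subscription ids are identifiers, not secrets, hence -Encrypted:$false;
# the certificate asset (private key) is stored by the Automation certificate store.
New-AzureRmAutomationVariable -Name "AutomationAppId" -Value $adApp.ApplicationId -AutomationAccountName $automationAccount.AutomationAccountName -ResourceGroupName $automationAccount.ResourceGroupName -Encrypted:$false
New-AzureRmAutomationVariable -Name "AutomationTenantId" -Value $tenantId -AutomationAccountName $automationAccount.AutomationAccountName -ResourceGroupName $automationAccount.ResourceGroupName -Encrypted:$false
New-AzureRmAutomationCertificate -Name "AutomationCertificate" -Path $pfxFilepath -Password $pfxPassword -AutomationAccountName $automationAccount.AutomationAccountName -ResourceGroupName $automationAccount.ResourceGroupName
New-AzureRmAutomationVariable -Name "AutomationSubscriptionId" -Value $subscriptionId -AutomationAccountName $automationAccount.AutomationAccountName -ResourceGroupName $automationAccount.ResourceGroupName -Encrypted:$false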
# ----- Code to add to Azure Automation runbook ----
# Runbook-side counterpart of the provisioning script above: reads the assets
# stored in the Automation account, installs the service principal certificate
# into the runbook worker's user store if it is not there yet, and signs in to
# Azure as the service principal. InlineScript and $Using: are PowerShell
# Workflow constructs, so this fragment belongs in a workflow runbook rather
# than in the interactive session above.
# Get Azure Automation Assets
$adAppId = Get-AutomationVariable -Name "AutomationAppId"
Write-Output "Azure AD Application Id: $adAppId"
$tenantId = Get-AutomationVariable -Name "AutomationTenantId"
Write-Output "Azure AD Tenant Id: $tenantId"
$subscriptionId = Get-AutomationVariable -Name "AutomationSubscriptionId"
Write-Output "Azure Subscription Id: $subscriptionId"
$cert = Get-AutomationCertificate -Name "AutomationCertificate"
$certThumbprint = $cert.Thumbprint.ToString()
Write-Output "Service Principal Certificate Thumbprint: $certThumbprint"
# Install Service Principal Certificate
Write-Output "Install Service Principal certificate..."
$installedCertPath = "Cert:\CurrentUser\My\$certThumbprint"
if (-not (Test-Path $installedCertPath)) {
    # The certificate object must be passed into the InlineScript session explicitly.
    InlineScript {
        $userStore = New-Object System.Security.Cryptography.X509Certificates.X509Store("My", "CurrentUser")
        $userStore.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
        $userStore.Add($Using:cert)
        $userStore.Close()
    }
}
# Login to Azure
Write-Output "Login to Azure as Service Principal..."
Login-AzureRmAccount -ServicePrincipal -TenantId $tenantId -ApplicationId $adAppId -CertificateThumbprint $certThumbprint
# Select Azure Subscription
Write-Output "Select Azure subscription..."
Select-AzureRmSubscription -SubscriptionId $subscriptionId -TenantId $tenantId