Project author: Tools4everBV

Project description:
Azure Active Directory - Reset password & enable user
Language: PowerShell
Project URL: git://github.com/Tools4everBV/HelloID-Conn-SA-Full-AzureAD-AccountPasswordResetEnable.git


Description

This HelloID Service Automation Delegated Form can reset the password of and/or enable Azure AD users. The following options are available:

  1. Search and select the target user
  2. Optional: select the switch for Reset Password
      1. Enter the new password
      2. Optional: select the switch for Change password at next sign-in
  3. Optional: select the switch for Enable account
  4. After confirmation the password is reset and, optionally, the user is enabled

Versioning

Version  Description                                                          Date
1.0.2    Updated to use id instead of UPN to get the correct user             2022/10/11
1.0.2    Added version number and updated code for SA-agent and auditlogging  2022/08/16
1.0.1    Added version number and updated all-in-one script                   2021/11/08
1.0.0    Initial release                                                      2021/09/02

Requirements

This script uses the Microsoft Graph API and requires an App Registration with the following Application permissions:

  • Read and write all users' full profiles by using User.ReadWrite.All
  • Read and write all groups in an organization's directory by using Group.ReadWrite.All
  • Read and write data to an organization's directory by using Directory.ReadWrite.All

Apart from the App Permissions, to reset a password the application's service principal must also be assigned one of the following Azure AD roles (from least to most privileged):

  • Helpdesk Administrator (or Password Administrator)
  • User Administrator
  • Global Administrator

Assign the least privileged role that can reset the passwords of the users this form is meant to target: a lower role cannot reset the password of a user who holds a higher administrator role, and Graph answers such a request with 403 Forbidden. Note that Group.ReadWrite.All and Directory.ReadWrite.All grant far more than a password reset or account enable needs; review whether your deployment can run with User.ReadWrite.All alone before granting them.

Introduction

The interface to communicate with Microsoft Azure AD is through the Microsoft Graph API.

Getting Azure AD Graph API access

By using this connector you will have the ability to reset the password of and/or enable an Azure AD User.

Application Registration

The first step to connect to Graph API and make requests, is to register a new Azure Active Directory Application. The application is used to connect to the API and to manage permissions.

  • Navigate to App Registrations in Azure, and select “New Registration” (Azure Portal > Azure Active Directory > App Registration > New Application Registration).
  • Next, give the application a name. In this example we are using “HelloID PowerShell” as application name.
  • Specify who can use this application (Accounts in this organizational directory only).
  • Specify the Redirect URI. Any URL is accepted as a redirect URI value; in this example we used http://localhost because it does not have to resolve (the connector never performs an interactive sign-in, so the redirect is not used).
  • Click the “Register” button to finally create your new application.

Some key items regarding the application are the Application ID (which is the Client ID), the Directory ID (which is the Tenant ID) and Client Secret.

Configuring App Permissions

The Microsoft Graph documentation provides details on which permissions are required for each permission type.

To assign your application the right permissions, navigate to Azure Portal > Azure Active Directory > App Registrations.
Select the application we created before, and select “API Permissions” or “View API Permissions”.
To assign a new permission to your application, click the “Add a permission” button.
From the “Request API Permissions” screen click “Microsoft Graph”.
For this connector the following permissions are used as Application permissions:

  • Read and write all users' full profiles by using User.ReadWrite.All
  • Read and write all groups in an organization's directory by using Group.ReadWrite.All
  • Read and write data to an organization's directory by using Directory.ReadWrite.All

Some high-privilege permissions are admin-restricted and require an administrator's consent before they are granted. Application permissions such as the ones above always require admin consent.

To grant admin consent to our application press the “Grant admin consent for TENANT” button.

Authentication and Authorization

There are multiple ways to authenticate to the Graph API, each with its own pros and cons. This connector authenticates as the application itself with a client ID and client secret, i.e. the client credentials grant; the authorization code grant, which needs a signed-in user, does not apply to an unattended form task.

  • First we need to get the Client ID, go to the Azure Portal > Azure Active Directory > App Registrations.
  • Select your application and copy the Application (client) ID value.
  • After we have the Client ID we also have to create a Client Secret.
  • From the Azure Portal, go to Azure Active Directory > App Registrations.
  • Select the application we have created before, and select “Certificates and Secrets“.
  • Under “Client Secrets” click on the “New Client Secret” button to create a new secret.
  • Provide a logical name for your secret in the Description field, and select the expiration date for your secret. Record that date: the connector stops working when the secret expires, so plan to rotate it beforehand.
  • It is IMPORTANT to copy the newly generated client secret, because you cannot see the value anymore after you close the page. Store it only in the HelloID user-defined variable, never in a script or ticket.
  • Finally we need the Tenant ID. This is shown on the Azure Active Directory > Overview page, or go to Azure Active Directory > Custom Domain Names and find the .onmicrosoft.com domain, which can be used as the tenant identifier as well.

Password Reset Permissions

Because the password reset itself is authorized by a directory role and not by a Graph permission, the application's service principal must additionally be assigned a role such as User Administrator:

  • From the Azure Portal, go to Azure Active Directory and, under Manage, select Roles and administrators.
  • Search for and select the User administrator role (or a less privileged role if that is sufficient for the users this form targets).
  • Select Add assignments.
  • In the Select text box, enter the name or the ID of the application you registered earlier. When it appears in the search results, select your application.
  • Select Add. It might take a few minutes for the role assignment to fully propagate.
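The following is an added example, not code from the HelloID connector, that ties the two previous sections together: it obtains a Graph token with the client credentials grant (Authentication and Authorization), checks the app roles carried in that token, and then performs the reset-and-enable PATCH that the directory role above authorizes. The tenant, app ID, secret, user object ID and password values are placeholders; the helper name Get-JwtPayload is this example's own.

```powershell
# Added example (not part of the connector). Assumed: the three user-defined
# variables of the form are available as $AADtenantID, $AADAppId, $AADAppSecret.
$AADtenantID  = 'contoso.onmicrosoft.com'             # placeholder; tenant GUID also works
$AADAppId     = '00000000-0000-0000-0000-000000000000' # placeholder Application (client) ID
$AADAppSecret = 'REPLACE-ME'                           # placeholder; keep the real value in HelloID only

$targetUserId = '11111111-1111-1111-1111-111111111111' # placeholder object id (id, not UPN, as in v1.0.2)
$newPassword  = 'Example-Str0ng-Passw0rd!'             # in the real form the operator supplies this

# 1. Client credentials grant: the app authenticates with its own secret, no user sign-in.
$tokenBody = @{
    grant_type    = 'client_credentials'
    client_id     = $AADAppId
    client_secret = $AADAppSecret
    scope         = 'https://graph.microsoft.com/.default'
}
$tokenResponse = Invoke-RestMethod -Method Post -ContentType 'application/x-www-form-urlencoded' `
    -Uri "https://login.microsoftonline.com/$AADtenantID/oauth2/v2.0/token" -Body $tokenBody
$accessToken = $tokenResponse.access_token

# 2. Check the granted application permissions before touching any account.
#    The payload of an app-only token carries them in the "roles" claim.
function Get-JwtPayload {
    param([Parameter(Mandatory)][string]$Jwt)
    $payload = $Jwt.Split('.')[1].Replace('-', '+').Replace('_', '/')   # base64url -> base64
    switch ($payload.Length % 4) { 2 { $payload += '==' } 3 { $payload += '=' } }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload)) | ConvertFrom-Json
}
$claims = Get-JwtPayload -Jwt $accessToken
if ($claims.roles -notcontains 'User.ReadWrite.All') {
    throw "Token lacks User.ReadWrite.All; granted roles: $($claims.roles -join ', ')"
}
# The directory role (User Administrator etc.) is NOT visible in the token. If it is missing,
# or the target user holds a higher role than the app, the PATCH below fails with 403 Forbidden.

$headers = @{ Authorization = "Bearer $accessToken"; 'Content-Type' = 'application/json' }

# 3. Resolve the user by object id so a renamed or reused UPN cannot redirect the reset.
$user = Invoke-RestMethod -Method Get -Headers $headers `
    -Uri "https://graph.microsoft.com/v1.0/users/${targetUserId}?`$select=id,userPrincipalName,accountEnabled"

# 4. Reset the password (forcing a change at next sign-in) and enable the account in one PATCH.
$patch = @{
    accountEnabled  = $true
    passwordProfile = @{
        password                      = $newPassword
        forceChangePasswordNextSignIn = $true
    }
} | ConvertTo-Json -Depth 3
try {
    Invoke-RestMethod -Method Patch -Headers $headers `
        -Uri "https://graph.microsoft.com/v1.0/users/$($user.id)" -Body $patch   # 204 No Content on success
} catch {
    # Do not echo $newPassword or the token into the audit log; the status code is enough.
    throw "Password reset for $($user.userPrincipalName) failed: $($_.Exception.Message)"
}

# 5. Verify the enable flag; the password itself is never read back.
$after = Invoke-RestMethod -Method Get -Headers $headers `
    -Uri "https://graph.microsoft.com/v1.0/users/$($user.id)?`$select=accountEnabled"
Write-Output "$($user.userPrincipalName) accountEnabled=$($after.accountEnabled)"
```

Running this with an app that has the Graph permissions but no directory role is a quick way to confirm that the role assignment from the steps above has propagated: the token check passes, and the PATCH is the call that returns 403 until the role is in place.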

All-in-one PowerShell setup script

The PowerShell script “createform.ps1” is a complete script that uses the HelloID API to create the whole form, including user-defined variables, tasks and data sources.

Please note that this script assumes none of the required resources already exist within HelloID. The script does not contain versioning or source control.

Getting started

Please follow the documentation steps on HelloID Docs in order to set up and run the all-in-one PowerShell script in your own environment.

Post-setup configuration

After the all-in-one PowerShell script has run and created all the required resources, the following items need to be configured according to your own environment:

  1. Update the following user-defined variables

     Variable name   Example value         Description
     AADtenantID     Azure AD Tenant Id    Id of the Azure tenant
     AADAppId        Azure AD App Id       Id of the Azure app
     AADAppSecret    Azure AD App Secret   Secret of the Azure app

Manual resources

This Delegated Form uses the following resources in order to run:

PowerShell data source ‘Azure-AD-User-Reset-Password-generate-table-attributes-basic’

PowerShell data source ‘Azure-AD-User-Reset-Password-generate-table-wildcard’

Delegated form task ‘Azure AD Account - Reset password & Unlock’

Getting help

If you need help, feel free to ask questions on our forum.

HelloID Docs

The official HelloID documentation can be found at: https://docs.helloid.com/