My Profile Photo

${Graham Beer} = blog


System Engineer, PowerShell Developer, WinOps and a huge automation fan!


Working with Azure Active Directory part 1

This article, which will be in two parts, is about getting started with Azure Active Directory.

So what is Azure Active Directory? Microsoft themselves say:

“Azure Active Directory (Azure AD) is Microsoft’s multi-tenant, cloud based directory and identity management service.”

These two articles will contain the following content:
Workflow

  1. Connect to Azure
  2. Make connection to Azure Active Directory
  3. Create a Security group
  4. Create a user
  5. Create a new RBAC
  6. Assign role to group
  7. assign user to group

Connecting to Azure

As I said at the start, this blog is really about getting started in Azure AD and performing some straight forward tasks with PowerShell.

Connecting to Azure is done by the cmdlet Login-AzureRmAccount from the AzureRM.Profile module, which is found in the PSGallery. A window will appear prompting you to add your username and password. Once entered you will see the following returned to the console.

1
2
3
4
5
6
Environment           : AzureCloud
Account               : Graham.Beer@domain.com
TenantId              : xxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx
SubscriptionId        : xxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx
SubscriptionName      : Visual Studio Dev Essentials
CurrentStorageAccount :

Now to make a connection to Azure AD. From the connection to Azure we can now obtain our tenant ID to pass to the Connect-AzureAD cmdlet, which is in the module, AzureADPreview (Again, you can get this from the PSGallery). To get your tenant ID type $TenantId = (Get-AzureRmTenant).Id. Now we have our ID, lets connect to AzureAD. After typing in Connect-AzureAD -TenantId $TenantId you will have a window popup asking for your password and ID again. Awesome, we are now connected to AzureAD !

For the rest of pt1 we shall look at creating a security group and an user.

Lets create our group. To do this we will use the New-AzureADGroup cmdlet. This cmdlet is part of the AzureADPreview module. This is the code

1
2
3
4
5
6
7
8
9
# Create a group
$ADGroup = @{
    Description     = 'A Test Group' 
    DisplayName     = 'Test Group' 
    SecurityEnabled = $true 
    MailEnabled     = $false 
    MailNickName    = "NotSet"
}
New-AzureADGroup @ADGroup

I’ve used PowerShell’s splatting technique here as I think it looks neat and clear. The parameters themselves are pretty self-explanatory. Even though i’ve said I don’t want mail to be enabled, it still requires a ‘MailNickName’. To check our group has been added either look in the portal or by Get-AzureADGroup -Filter "DisplayName eq 'Test Group'"

Great. We have our group. Now lets create a user.
First, lets create a password. For this, we need to create a new object. $PasswordProfile = New-Object -TypeName Microsoft.Open.AzureAD.Model.PasswordProfile
Now we need to add something to the password property of the object, $PasswordProfile.Password = "P@ssw0rd123"
Now we have our password object. But in addition to the password property contained in the object we created are two boolean values which can be set. They are a value indicating that the change password policy is enabled or disabled and another indicating that the user must change the password at the next sign in. Set either true or false for these values by simply assign them to the object like so,

1
2
$PasswordProfile.EnforceChangePasswordPolicy = $true
$PasswordProfile.ForceChangePasswordNextLogin = $true

Now we need to add the required details to the parameters. Here is an example i’ve done:

1
2
3
4
5
6
7
8
$NewUser = @{
    DisplayName       = "Test User" 
    PasswordProfile   = $PasswordProfile 
    UserPrincipalName = "TestUser@Domain.com"
    AccountEnabled    = $true 
    MailNickName      = "Testuser"
}
New-AzureADUser @NewUser

I’ve continued to ‘splat’ the parameters to the cmdlet. To make sure our user exists we could try the following:

1
2
Get-AzureADUser -Filter "DisplayName eq 'Test User'"    
Get-AzureADUser -Filter "startswith(displayName,'Test')"

I’m using the filter parameter which does allow use of Open Data Protocol (OData), although the Startswith( only really seemed to work.

Hope this helped get you started in AzureAD, in pt2 I will continue on with creating a custom RBAC and assign to our test group which we will move our user into.