search

microsoft / Partner-Center-PowerShell

PowerShell module for managing Partner Center resources.
https://docs.microsoft.com/powershell/partnercenter/
MIT License
132 stars 60 forks source link

Connect-AzAccount with PartnerAccessToken not granting access to Azure #344

Open Agazoth opened 3 years ago

Agazoth commented 3 years ago

Steps to reproduce

Follow the instructions for creating Application Account and generating refresh tokens based on an AdminAgent MFA account here: https://docs.microsoft.com/en-us/powershell/partnercenter/multi-factor-auth?view=partnercenterps-3.0

Then run:

$credential = Get-Credential
$refreshToken = '<RefreshToken>'

$azureToken = New-PartnerAccessToken -ApplicationId 'xxxx-xxxx-xxxx-xxxx' -Credential $credential -RefreshToken $refreshToken -Scopes 'https://management.azure.com//user_impersonation' -ServicePrincipal -Tenant 'yyyy-yyyy-yyyy-yyyy'
$graphToken = New-PartnerAccessToken -ApplicationId 'xxxx-xxxx-xxxx-xxxx' -Credential $credential -RefreshToken $refreshToken -Scopes 'https://graph.windows.net/.default' -ServicePrincipal -Tenant 'yyyy-yyyy-yyyy-yyyy'

# Az Module
Connect-AzAccount -AccessToken $token.AccessToken -AccountId 'azureuser@contoso.com' -GraphAccessToken $graphToken.AccessToken -TenantId 'xxxx-xxxx-xxxx-xxxx'

Get-AzADUser

Expected behavior

A list of AzureAD Users

Actual behavior

Get-AzADUser: Invalid domain name in the request url.

Diagnostic logs

Get-AzADUser -debug DEBUG: 18.26.21 - GetAzureADUserCommand begin processing with ParameterSet 'EmptyParameterSet'. DEBUG: 18.26.21 - using account id 'myAOBOaccount@MyCSP.onmicrosoft.com'... DEBUG: ============================ HTTP REQUEST ============================

HTTP Method: GET

Absolute Uri: https://graph.windows.net/xxxx-xxxx-xxxx-xxxx/users?api-version=1.6

Headers: x-ms-client-request-id : 62f5c991-3f57-4635-81bd-caac6949c666 Accept-Language : en-US

Body:

DEBUG: ============================ HTTP RESPONSE ============================

Status Code: BadRequest

Headers: Cache-Control : no-cache Pragma : no-cache ocp-aad-diagnostics-server-name: Wmx083OXiPIJnS+ATxVj8FKDxnOdfY+vxXZqnViWCic= request-id : 1abd463e-5406-4cba-8d72-4b26352ca9e2 client-request-id : 65425039-3495-4fa6-96ac-e18034058838 x-ms-dirapi-data-contract-version: 1.6 ocp-aad-session-key : D2Tj4BrdeTX58pWUIqe90NHXbc5W1Td4ZmHAJd4VsrQAnQ6Y5w53yAw37aAAb9-pz3HrCv-2P8_gLUqaZOqYAGVurAMDwowqMjIDxfLPed6q5TNBGS3-RhmhxMgFf1JA.a3r_XNsoLwI9cuKFkOBdVlp_NmodtYQRQEnRlxq6cRw Duration : 225487 DataServiceVersion : 3.0; X-AspNet-Version : 4.0.30319 X-Powered-By : ASP.NET Strict-Transport-Security : max-age=31536000; includeSubDomains Access-Control-Allow-Origin : * Date : Wed, 09 Dec 2020 17:26:20 GMT

Body: { "odata.error": { "code": "Request_BadRequest", "message": { "lang": "en", "value": "Invalid domain name in the request url." }, "requestId": "1abd463e-5406-4cba-8d72-4b26352ca9e2", "date": "2020-12-09T17:26:21" } }

DEBUG: Caught exception, type: Microsoft.Azure.Graph.RBAC.Models.GraphErrorException Get-AzADUser: Invalid domain name in the request url. DEBUG: AzureQoSEvent: CommandName - Get-AzADUser; IsSuccess - False; Duration - 00:00:00.2036844;; Exception - System.Exception: Invalid domain name in the request url.; DEBUG: Finish sending metric. DEBUG: 18.26.21 - GetAzureADUserCommand end processing.

Environment

$PSVersionTable

Name                           Value
----                           -----
PSVersion                      7.1.0
PSEdition                      Core
GitCommitId                    7.1.0
OS                             Microsoft Windows 10.0.19042
Platform                       Win32NT
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0

Get-Command Get-AzAdUser

CommandType     Name                                               Version    Source
-----------     ----                                               -------    ------
Cmdlet          Get-AzADUser                                       3.0.1      Az.Resources

Get-Module -ListAvailable Az

    Directory: C:\Users\Me\Documents\PowerShell\Modules

ModuleType Version    PreRelease Name                                PSEdition ExportedCommands
---------- -------    ---------- ----                                --------- ----------------
Script     5.1.0                 Az                                  Core,Desk
Agazoth commented 3 years ago

The issue is the same on Windows PowerShell. If someone could please comment on this, I would be very grateful.

morcinim commented 3 years ago

The intention of the “Azure” section of the article Partner Center multi-factor authentication using PowerShell | Microsoft Docs https://docs.microsoft.com/en-us/powershell/partnercenter/multi-factor-auth?view=partnercenterps-3.0#azure is to address the ABO for Azure subscriptions related operations with Azure Resource Manager.

You should be successful with ARM commands like

$azureToken = New-PartnerAccessToken -ApplicationId $appId -Credential $credential -RefreshToken $refreshToken -Scopes 'https://management.azure.com/user_impersonation' -ServicePrincipal -Tenant $customerTenantId $graphToken = New-PartnerAccessToken -ApplicationId $appId -Credential $credential -RefreshToken $refreshToken -Scopes 'https://graph.microsoft.com/.default' -ServicePrincipal -Tenant $customerTenantId

using Az.Accounts module for Azure Resource Manager operations

Connect-AzAccount -AccountId $graphToken.Account.Username -AccessToken $azureToken.AccessToken -GraphAccessToken $graphToken.AccessToken -TenantId $customerTenantId $subscription = Get-AzSubscription -TenantId $customerTenantId Set-AzContext -Subscription $subscription.Id

list resource Groups of subscription

Get-AzResourceGroup Disconnect-AzAccount

If you want to manipulate Azure Active Directory objects you should have success with the Connect-AzureAD command that Partner Center API team mentioned in the section “Microsoft 365-Azure Active Directory” - Partner Center multi-factor authentication using PowerShell | Microsoft Docs https://docs.microsoft.com/en-us/powershell/partnercenter/multi-factor-auth?view=partnercenterps-3.0#azure-active-directory which tries to address ABO scenario with Azure Active Directory:

$graphToken = New-PartnerAccessToken -ApplicationId $appId -Credential $credential -RefreshToken $refreshToken -Scopes 'https://graph.microsoft.com/.default' -ServicePrincipal -Tenant $customerTenantId $aadGraphToken = New-PartnerAccessToken -ApplicationId $appId -Credential $credential -RefreshToken $refreshToken -Scopes 'https://graph.windows.net/.default' -ServicePrincipal -Tenant $customerTenantId

Test use of AzureAD module operating on customer tenant

Connect-AzureAD -AadAccessToken $aadGraphToken.AccessToken -MsAccessToken $graphToken.AccessToken -AccountId $graphToken.Account.Username -TenantId $customerTenantId Get-AzureADGroup | Sort DisplayName Get-AzureADUser -All $true Disconnect-AzureAD

Though this is undocumented officially, I did test that following will work with Get-AzADUser command and the Connect-AzAccount parameterized as follows:

$aadGraphToken = New-PartnerAccessToken -ApplicationId $appId -Credential $credential -RefreshToken $refreshToken -Scopes 'https://graph.windows.net/.default' -ServicePrincipal -Tenant $customerTenantId

Connect-AzAccount -AccountId $aadGraphToken.Account.Username -AccessToken $aadGraphToken.AccessToken -GraphAccessToken $aadGraphToken.AccessToken -TenantId $customerTenantId Get-AzADUser Get-AzADGroup Disconnect-AzureAD

In summary depending on which REST API does the powershell commandlet use the Connect-AzAccount parametrization is different. You also need to ensure that you granted permissions to these APIs (Azure AD Graph, Azure Resource Manager, MS Graph) in your application registation that you are using.