soteria-security / 365Inspect

A PowerShell script that automates the security assessment of Microsoft 365 environments.
https://soteria.io/solutions/soteria-inspect/
MIT License

Using OAuth access token to run script on behalf of client #75

Closed mark-kone closed 10 months ago

mark-kone commented 11 months ago

Is your feature request related to a problem? Please describe.
I want to create an automation task which can run this script using an access token against the respective Microsoft account.

Describe the solution you'd like
I want to run this script on behalf of clients, hence using the access token generated using OAuth. We could then just pass the access token and have the script run against the respective Microsoft account.

Describe alternatives you've considered
I need to perform this action on behalf of my clients. I am considering the approach of using access tokens generated using the OAuth authorization code flow, but I am unable to find any documentation which helps establish a connection using access tokens. Is this even the right way? Could anyone give guidance on how one should run this tool on behalf of clients in an automated way?

Currently I have managed to use the access token only for Connect-MgGraph, by modifying the Connect-Services function:

Function Connect-Services {
    # Log into every service prior to the analysis.
    If ($auth -EQ "MFA") {
        Try {
            Write-Output "Connecting to Microsoft Graph"
            # $access_token holds an OAuth bearer token for Microsoft Graph that was
            # acquired outside this script. Note: Microsoft.Graph.Authentication 2.x
            # expects -AccessToken as a SecureString; 1.x accepts a plain string.
            Connect-MgGraph -AccessToken $access_token
            # Select-MgProfile only exists in Microsoft.Graph 1.x (removed in 2.0),
            # so compare the loaded module's Version, not the module object itself.
            If ((Get-Module -Name Microsoft.Graph.Authentication).Version -lt [version]2.0.0) {
                Select-MgProfile -Name beta -Verbose
            }
            $global:orgInfo = Get-MgOrganization
            $global:tenantDomain = (($global:orgInfo).VerifiedDomains | Where-Object { ($_.Name -like "*.onmicrosoft.com") -and ($_.Name -notlike "*mail.onmicrosoft.com") }).Name
            Write-Output "Connected via Graph to $(($global:orgInfo).DisplayName)"
        }
        Catch {
            Write-Output "Connecting to Microsoft Graph Failed."
            Write-Error $_.Exception.Message
            Break
        }
    }
}

How can we achieve the same for Connect-SPOService, Connect-MicrosoftTeams, Connect-IPPSSession and Connect-ExchangeOnline?
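When a script accepts a caller-supplied access token, it has no say in how that token was issued, so the sensible defensive step is to inspect the token before handing it to Connect-MgGraph: confirm the audience is Microsoft Graph, that it has not expired, and that it carries the permissions the assessment needs, and then record which tenant it belongs to. The following is an added example written for this thread, not 365Inspect code or a solution the maintainers have published. It decodes the JWT payload locally (it does not verify the signature; Graph does that when the token is presented) and handles the SecureString requirement that Microsoft.Graph.Authentication 2.x introduced for -AccessToken. The scope list in $RequiredScopes and the Connect-GraphWithToken and Test-GraphToken function names are assumptions for illustration.

```powershell
# Added example (not 365Inspect code): validate a caller-supplied Graph access
# token, then connect with it. $access_token is assumed to hold a bearer token
# for https://graph.microsoft.com obtained by the caller's own OAuth flow.

Function Get-JwtPayload {
    Param([Parameter(Mandatory)][string]$Token)
    $parts = $Token.Split('.')
    If ($parts.Count -ne 3) { Throw "Not a JWT (expected 3 dot-separated parts)." }
    # JWT segments are base64url: swap the alphabet and restore padding.
    $b64 = $parts[1].Replace('-', '+').Replace('_', '/')
    Switch ($b64.Length % 4) { 2 { $b64 += '==' } 3 { $b64 += '=' } }
    [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64)) | ConvertFrom-Json
}

Function Test-GraphToken {
    Param(
        [Parameter(Mandatory)][string]$Token,
        # Assumed minimum for the Get-MgOrganization call below; extend per assessment.
        [string[]]$RequiredScopes = @('Organization.Read.All')
    )
    $claims = Get-JwtPayload -Token $Token

    # Refuse tokens minted for any other resource (e.g. a SharePoint or Exchange audience).
    $graphAudiences = @('https://graph.microsoft.com', '00000003-0000-0000-c000-000000000000')
    If ($claims.aud -notin $graphAudiences) {
        Throw "Token audience '$($claims.aud)' is not Microsoft Graph; refusing to use it."
    }

    $expires = [DateTimeOffset]::FromUnixTimeSeconds([int64]$claims.exp)
    If ($expires -le [DateTimeOffset]::UtcNow) { Throw "Token expired at $expires (UTC)." }

    # Delegated tokens list scopes in 'scp' (space-separated string);
    # application tokens list app roles in 'roles' (array).
    $granted = @()
    If ($claims.scp)   { $granted += $claims.scp -split ' ' }
    If ($claims.roles) { $granted += $claims.roles }
    $missing = $RequiredScopes | Where-Object { $granted -notcontains $_ }
    If ($missing) { Throw "Token lacks required permissions: $($missing -join ', ')" }

    [pscustomobject]@{
        TenantId = $claims.tid
        Expires  = $expires
        Granted  = $granted
    }
}

Function Connect-GraphWithToken {
    Param([Parameter(Mandatory)][string]$AccessToken)

    $check = Test-GraphToken -Token $AccessToken
    Write-Output "Token is for tenant $($check.TenantId), valid until $($check.Expires)"

    Import-Module Microsoft.Graph.Authentication -ErrorAction Stop
    $authVersion = (Get-Module -Name Microsoft.Graph.Authentication).Version

    # 2.x requires a SecureString; 1.x takes the raw string.
    If ($authVersion -ge [version]'2.0.0') {
        $tokenArg = ConvertTo-SecureString -String $AccessToken -AsPlainText -Force
    } Else {
        $tokenArg = $AccessToken
    }

    Connect-MgGraph -AccessToken $tokenArg -ErrorAction Stop

    # Cross-check that the live session matches the tenant claimed in the token.
    $ctx = Get-MgContext
    If ($ctx.TenantId -and $ctx.TenantId -ne $check.TenantId) {
        Throw "Connected tenant $($ctx.TenantId) does not match token tenant $($check.TenantId)."
    }

    $org = Get-MgOrganization
    Write-Output "Connected via Graph to $($org.DisplayName) (AuthType: $($ctx.AuthType))"
    $org
}

# Usage (inside an automation task that already obtained $access_token):
# $global:orgInfo = Connect-GraphWithToken -AccessToken $access_token
```

Because Connect-MgGraph with a user-provided token cannot refresh it, an automation task should expect the session to die at the token's exp time; checking Expires up front and failing fast is cheaper than discovering this halfway through a run. The same decode-and-check pattern applies to tokens destined for the other services in the question, with the audience check adjusted to that service's resource identifier.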

ThoughtContagion commented 11 months ago

Thank you for your feature request; we are in the process of testing the changes we made that were necessary for this functionality. It should be complete and pushed in a few days.