[英]How do I store a MFA credential in Powershell
Under Basic authentication you used to be able to store credentials in a variable在基本身份验证下,您曾经能够将凭据存储在变量中
$cred = Get-Credential
Now we are using Modern Auth and our Multi Factor Authentication is Duo.现在我们正在使用现代身份验证,我们的多重身份验证是 Duo。
How do I store my credentials for MFA into a variable so I can plug them into a script?如何将 MFA 的凭据存储到变量中,以便将它们插入脚本中?
Example例子
$mfacred = *whateverthecodeis*
Connect-MsolService -Credential $mfacred
Connect-AzureAD -Credential $mfacred
Edit I do not want to bypass MFA, I want to prompt for it and store the credentials and token in such a way that the rest of the script can make use of the credentials and token.编辑我不想绕过 MFA,我想提示它并以脚本的其余部分可以使用凭据和令牌的方式存储凭据和令牌。
As far as my experience with MFA-enabled accounts within scripts.
就我在脚本中启用 MFA 帐户的经验而言。 The only way you'll be able to bypass MFA is using cmdlets without the '-Credential' parameter.
您能够绕过 MFA 的唯一方法是使用不带“-Credential”参数的 cmdlet。
The main use case for MFA is to protect against things like this: scripts running on a compromised account.
MFA 的主要用例是防止以下情况:在受感染帐户上运行的脚本。
UPDATE:更新:
So, there is a way to hack your way into programmatically getting the token.因此,有一种方法可以通过编程方式获取令牌。 This is done by utilizing the ADAL binaries that come with the install of the Azure Modules and/or other O365 Modules.
这是通过使用 Azure 模块和/或其他 O365 模块安装附带的 ADAL 二进制文件来完成的。 There is no easy way to prompt and store the token in a variable.
没有简单的方法来提示并将令牌存储在变量中。
You will need to load the DLL in your script to start caching the token:您需要在脚本中加载 DLL 以开始缓存令牌:
Add-Type -Path 'C:\Program Files\WindowsPowerShell\Modules\AzureAD\2.0.x.x\Microsoft.IdentityModel.Clients.ActiveDirectory.dll'
You can acquire the access tokens beforehand by using the AcquireTokenAsync Method.您可以使用AcquireTokenAsync方法预先获取访问令牌。
$accesstoken = [Microsoft.IdentityModel.Clients.ActiveDirectory.TokenCache]::DefaultShared
$accesstoken.ReadItems() | select DisplayableId, Authority, ClientId, Resource
The above ReadItem() method will give you all the information you need to store the token in a variable.上面的 ReadItem() 方法将为您提供将令牌存储在变量中所需的所有信息。
$authContext = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext" -ArgumentList #PLACE AUTHORITY URL HERE#
$client_id = "CLIENT_ID INFO"
$Credential = Get-Credential YOURUSERNAME@COMPANY.COM
$AzureADCred = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.UserPasswordCredential" -ArgumentList $Credential.UserName,$Credential.Password
$authResult = [Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContextIntegratedAuthExtensions]::AcquireTokenAsync($authContext,"https://RESOURCE-URL.COM",$client_Id,$AzureADCred)
Once you have the token, you can use that to connect to your session, may it be exchange online, Azure, or Office.获得令牌后,你可以使用它连接到你的会话,它可以是在线交换、Azure 或 Office。
$Authorization = "Bearer {0}" -f $authResult.Result.AccessToken
$Password = ConvertTo-SecureString -AsPlainText $Authorization -Force
$Ctoken = New-Object System.Management.Automation.PSCredential -ArgumentList "YourCompanyUserAccount@COMPANY.COM", $Password
There is a caveat, these are only applying to the access tokens and does not take into account of refresh token.有一个警告,这些仅适用于访问令牌,不考虑刷新令牌。 You might not even get the refresh token returned based on which ADAL binaries you use.
根据您使用的 ADAL 二进制文件,您甚至可能无法获得返回的刷新令牌。
To learn more about access tokens, you can research more about it here要了解有关访问令牌的更多信息,您可以在此处研究更多信息
You can try EXO V2 preview module that supports modern auth and unattended script.您可以尝试支持现代身份验证和无人值守脚本的 EXO V2 预览模块。
Instead of storing password, you can use certificate or existing service principal and client secret.您可以使用证书或现有的服务主体和客户端机密,而不是存储密码。
https://o365reports.com/2020/07/04/modern-auth-and-unattended-scripts-in-exchange-online-powershell-v2/ https://o365reports.com/2020/07/04/modern-auth-and-unattended-scripts-in-exchange-online-powershell-v2/
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.