
My company implemented Privileged Identity Management and I’m trying to make my life a bit easier by requesting a role straight from a PowerShell script. I’m logging in with Connect-AzureAD / Connect-MgGraph but it doesn’t ask for my MFA, which is a requirement to request a role assignment (and that’s a good thing, too). Yes, I want this to run interactively!

I’ve read through this guy’s post but it requires setting up an application registration, which is completely stupid: http://www.anujchaudhary.com/2020/02/connect-to-azure-ad-powershell-with-mfa.html

There must be a way to request a login with MFA through PowerShell/Microsoft Graph without having to create an app registration. Anybody have any idea?

edit: removed my script because I learned that the AzureAD PowerShell module’s days are numbered. Trying the same thing through Microsoft Graph, but I still need to force MFA on the session:

To run this request, the calling user must have multi-factor authentication (MFA) enforced, and running the query in a session in which they were challenged for MFA – (Source)

2 Answers


  1. Chosen as BEST ANSWER

    The way Anuj Chaudhary (see link in post) does it is not stupid. He's connecting to a well-known client ID representing the Graph API. Only too bad he doesn't explain that in his article. It didn't work for me because the version of my MSAL.PS PowerShell module was too old. Updated that and it works now; now I only need to port the script to the Graph API.

    tldr: update MSAL.PS module
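The pattern the accepted answer describes, written out as an added example (this is not code from the thread or from the linked article): sign in interactively with MSAL.PS against a well-known public client ID instead of your own app registration, confirm from the token's `amr` claim that the session was actually MFA-challenged, and only then submit the PIM self-activation request. Assumptions: MSAL.PS is installed and current (the accepted answer's point); the client ID below is the published ID of the first-party "Microsoft Graph Command Line Tools" (Graph PowerShell) app, which you should verify in your tenant; the tenant ID, role definition ID and justification are placeholders. Note that a script cannot force MFA by itself: the MFA prompt comes from Conditional Access requiring it for that app and scope, so the script checks for it and refuses to continue when it is absent.

```powershell
# Added example, not from the original thread: MSAL.PS sign-in with a public client,
# MFA check on the resulting token, then a PIM role self-activation via Microsoft Graph.
#Requires -Modules MSAL.PS

param(
    [string]$TenantId         = '<your-tenant-id>',                       # placeholder
    [string]$ClientId         = '14d82eec-204b-4c2f-b7e8-296a70dab67e',  # Microsoft Graph PowerShell public client (assumed; verify in your tenant)
    [string]$RoleDefinitionId = '<role-definition-id>',                   # placeholder (e.g. from Get-MgRoleManagementDirectoryRoleDefinition)
    [string]$Justification    = 'Ticket 1234: routine maintenance'        # placeholder
)

function ConvertFrom-JwtPayload {
    # Decode the payload segment of a JWT for local inspection only; no signature validation here.
    param([Parameter(Mandatory)][string]$Token)
    $payload = $Token.Split('.')[1].Replace('-', '+').Replace('_', '/')
    switch ($payload.Length % 4) {
        2 { $payload += '==' }
        3 { $payload += '=' }
    }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload)) | ConvertFrom-Json
}

# 1. Interactive sign-in against the well-known public client; no app registration of your own.
$scopes = @('https://graph.microsoft.com/RoleManagement.ReadWrite.Directory')
$auth   = Get-MsalToken -ClientId $ClientId -TenantId $TenantId -Scopes $scopes -Interactive

# 2. The PIM endpoint rejects sessions that were not challenged for MFA. The 'amr'
#    (authentication methods reference) claim records what happened, so check it first.
$claims = ConvertFrom-JwtPayload -Token $auth.AccessToken
if ($claims.amr -notcontains 'mfa') {
    throw "Token for $($claims.upn) has amr=[$($claims.amr -join ',')]: no MFA in this session. " +
          "Sign in again and complete MFA (Conditional Access must require it for this app/scope)."
}

# 3. Submit the self-activation request (v1.0 API: roleAssignmentScheduleRequests).
$body = @{
    action           = 'selfActivate'
    principalId      = $claims.oid          # the signed-in user's object ID, taken from the token
    roleDefinitionId = $RoleDefinitionId
    directoryScopeId = '/'
    justification    = $Justification
    scheduleInfo     = @{
        startDateTime = (Get-Date).ToUniversalTime().ToString('o')
        expiration    = @{ type = 'afterDuration'; duration = 'PT2H' }   # 2-hour activation
    }
} | ConvertTo-Json -Depth 5

$result = Invoke-RestMethod -Method Post `
    -Uri 'https://graph.microsoft.com/v1.0/roleManagement/directory/roleAssignmentScheduleRequests' `
    -Headers @{ Authorization = "Bearer $($auth.AccessToken)"; 'Content-Type' = 'application/json' } `
    -Body $body

$result | Select-Object id, status, action, createdDateTime
```

If the check throws, the fix is on the policy side, not in the script: the Conditional Access policy covering this app and scope must require multi-factor authentication, otherwise Graph will reject the request for the same reason.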


  2. The AzureAD PowerShell module is going to be deprecated.
    https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/azure-ad-change-management-simplified/ba-p/2967456

    It looks like you can do what you want through Microsoft Graph. I found this on a quick Google search: https://learn.microsoft.com/en-us/azure/active-directory/roles/custom-assign-graph

    Graph Explorer is a fantastic tool for testing things out:
    https://developer.microsoft.com/en-us/graph/graph-explorer
