My company implemented Privileged Identity Management and I’m trying to make my life a bit easier by requesting a role straight from a Powershell script. I’m logging in with Connect-AzureAD Connect-MGGraph but it doesn’t ask for my MFA which is a requirement to request a role assignement (and that’s good thing, too). Yes, I want this to run interactively!
I’ve read through this guys post but it requires setting up an application registration which is completely stupid: http://www.anujchaudhary.com/2020/02/connect-to-azure-ad-powershell-with-mfa.html
There must be a way to request a login with MFA through Powershell/Microsoft Graph without having to create an app registration. Anybody have any idea?
edit: removed my script because I learned that the AzureAD Powershell Module’s days are numbered. Trying the same thing through Microsoft Graph but I still need to force MFA on the session:
To run this request, the calling user must have multi-factor authentication (MFA) enforced, and running the query in a session in which they were challenged for MFA – (Source)
2
Answers
The way 'Anuj Chandhary' (see link in post) does it, is not stupid. He's connecting to a well-known client ID representing the Graph API. Only too bad he doesn't explain that in his article. It didn't work for me because the version of my MSAL.PS Powershell module was too old. Updated that and it works now, now I only need to port the script to the Graph API
tldr: update MSAL.PS module
The AzureAD PowerShell module is going to be depreciated.
https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/azure-ad-change-management-simplified/ba-p/2967456
It looks like you can do what you want through Microsoft Graph. I found this on a quick Google search: https://learn.microsoft.com/en-us/azure/active-directory/roles/custom-assign-graphGraph Explorer is a fantastic tool for testing things out:
https://developer.microsoft.com/en-us/graph/graph-explorer