Latest version: v2.56
Submit Request
WhatsApp: 0623684723

Articles in this section

Other Sections

2. Create client application in Azure for the AD Synctool

Follow
Note: The synctool and support is available to our Partners. Are you a New Day at Work Partner and interested? Please contact support@newdayatwork.com

Be aware that you need to install Microsoft SQL Server Compact 4.0
https://www.microsoft.com/en-US/download/details.aspx?id=17876

 These are the steps to create the Client App in AAD:

  • Open: "Provision AAD Sync application.ps1" (provided with the synctool) or listed below.
  • Run this script as Admin.
  • Fill in the Admin credentials of the corresponding Office365 tenant.
  • Save and copy all the related information.

 

We recommend to create the required Azure AD application via PowerShell. Therefore PowerShell will create the application and displays the required information.

 

$Credentials = Get-Credential
 Login-AzureRmAccount $Credentials
# Convert the password for W365 format
 $SecurePassword = $Credentials.Password
 $BSTR = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($SecurePassword)
 $W365Password = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($BSTR)
$o365user = $Credentials.UserName
 $o365password = "$W365Password"
 
 # Get the tenantname from Microsoft
 Connect-MsolService -Credential $Credentials
 $TenantName = (Get-MsolDomain | Where-Object {$_.Name -like '*.onmicrosoft.com'}).Name.Split('.')[0]
 
 #Fill parameters oAuth2 application
 $Operation = "add" #
 $Name="Workspace365 AAD Sync" # Name of the application which is created in the Azure AD.
 $Tenant="$TenantName" 
 $AppUrl="https://AADSynctool.com" 
 [Parameter(Mandatory=$True)][string[]]$ReplyUrl=@("https://AADSynctool.com")
# Check if we are in the correct AD Tenant
 $adTenant = ""
 if ( $Tenant -like "*.*") {
 $adTenant = $Tenant
 } else {
 $adTenant = "$Tenant.onmicrosoft.com" 
 }
 $authority = "https://login.microsoftonline.com/$adTenant"
 $authorizationEndpoint = ""
# Get the AAD tenant ID. The below url can be accessed anonymously
 $url="$authority/.well-known/openid-configuration"
 $resp = Invoke-WebRequest $url
 if ( $resp.StatusCode -ne "200") {
 write-error "Non-existing AAD tenant name - $adtenant"
 exit 2
 }
 $json = ($resp.Content | ConvertFrom-Json)
 $tenantId = $json.authorization_endpoint.Split("/")[3]
 $authorizationEndpoint = $json.authorization_endpoint
# Get the Graph headers
 function GetGraphAuthHeader() {
$clientId = "1950a258-227b-4e31-a9cf-717495945fc2" # Set well-known client ID for AzurePowerShell
 $resourceAppIdURI = "https://graph.windows.net/" # Resource we want to use
 # Create Authentication Context tied to Azure AD Tenant
 $creds = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.UserCredential" -ArgumentList $o365user,$o365password
 $authContext = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext" -ArgumentList $authority
 # Acquire token
 $authResult = $authContext.AcquireToken($resourceAppIdURI, $clientId, $creds)
 $authHeader = $authResult.CreateAuthorizationHeader()
 $headers = @{"Authorization" = $authHeader; "Content-Type"="application/json"} 
 return $headers
 }
 function DisplayApplication($app) {
 write-output "Tenant: $adtenant"
 write-output "TenantID: $tenantID"
 write-output "Authorization Endpoint: $authorizationEndpoint"
 $app
 write-output "Client ID is the ApplicationId"
 }
 function AddApplication() {
 # Create a client secret based on a guid
 $clientSecret = [System.Guid]::NewGuid().toString()
 $SecureClientSecret = ConvertTo-SecureString -String $clientSecret -AsPlainText -Force
 if ( $app -ne $null ) {
 write-output "Application already exists. ObjectID $($app.ObjectID)"
 } else {
 write-output "Creating Application $Name"
 Try {
$keyDuration = (Get-Date).AddYears(5).ToString('MM-dd-yyyy')
 $app = New-AzureRmADApplication -DisplayName $Name -HomePage $AppUrl -IdentifierUris $AppUrl -ReplyUrls $ReplyUrl -Password $SecureClientSecret -EndDate "$keyDuration 00:00:00"
} Catch {
$keyDuration = (Get-Date).AddYears(5).ToString('dd-MM-yyyy')
 $app = New-AzureRmADApplication -DisplayName $Name -HomePage $AppUrl -IdentifierUris $AppUrl -ReplyUrls $ReplyUrl -Password $SecureClientSecret -EndDate "$keyDuration 00:00:00"
 }
 write-output "Adding oAuth2 permissions to the application so app can service oAuth2 authentications"
 # Add "permissions to other applications" via the Graph API. No Azure Powershell exists (yet)
 $headers = GetGraphAuthHeader 
 $url = "https://graph.windows.net/$adTenant/applications/$($app.ObjectID)?api-version=1.6"
 $postData = "{`"requiredResourceAccess`": [
 {
 `"resourceAppId`": `"00000002-0000-0000-c000-000000000000`",
 `"resourceAccess`": [
 {
 `"id`": `"311a71cc-e848-46a1-bdf8-97ff7156d8e6`",
 `"type`": `"Scope`"
 },
 {
 `"id`": `"78c8a3c8-a07e-4b9e-af1b-b5ccab50a175`",
 `"type`": `"Role`"
 }
 ]
 }
 ]
 }";
 write-output $url
 $result = Invoke-RestMethod -Uri $url -Method "PATCH" -Headers $headers -Body $postData
 DisplayApplication $app
 write-output "ClientSecret: $clientSecret"
 Write-Host "Please go to the Azure portal -> Active Directory -> App registrations -> Workspace365 AAD Sync -> Required permissions -> Click the `"Grant Permission`" button" -ForegroundColor Cyan
 }
 }
# Create the switch for the Operations
switch ( $Operation.ToLower() )
{
 "add" { AddApplication }
 default { Write-Host "Operation must be get, add, delete, update" }
 }
Was this article helpful?

Have more questions? Submit a request

Comments