2. Create client application in Azure for the AD Synctool
FollowNote: The synctool and support is available to our Partners. Are you a New Day at Work Partner and interested? Please contact support@newdayatwork.com
Requirements
Microsoft SQL Server Compact 4.0
https://www.microsoft.com/en-US/download/details.aspx?id=17876
Microsoft Online Services Sign-In Assistant
https://www.microsoft.com/en-us/download/details.aspx?id=28177
Install PowerShell 5.0
Install module in PowerShell 5.0:
"install-module Azure"
"install-module msonline"
"install-module AzureRm"
An active Azure subscription is required.
These are the steps to create the Client App in AAD:
- Open: "Provision AAD Sync application.ps1" (provided with the synctool) or listed below.
- Run this script as Admin.
- Fill in the Admin credentials of the corresponding Office365 tenant.
- Save and copy all the related information.
We recommend to create the required Azure AD application via PowerShell. Therefore PowerShell will create the application and displays the required information.
This script will output you the following info:
- Tenant ID
- Tenant Name
- Client ID
- ClientSecretKey
You need these value's in the next step. Make sure to save/copy these value's.
#Set TLS communication to only 1.2. Other is not supported.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
$Credentials = Get-Credential
Login-AzureRmAccount $Credentials # Convert the password for W365 format
$SecurePassword = $Credentials.Password
$BSTR = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($SecurePassword)
$W365Password = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($BSTR) $o365user = $Credentials.UserName
$o365password = "$W365Password"
# Get the tenantname from Microsoft
Connect-MsolService -Credential $Credentials
$TenantName = (Get-MsolDomain | Where-Object {$_.Name -like '*.onmicrosoft.com'}).Name.Split('.')[0]
#Fill parameters oAuth2 application
$Operation = "add" #
$Name="Workspace365 AAD Sync" # Name of the application which is created in the Azure AD.
$Tenant="$TenantName"
$AppUrl="https://AADSynctool.com"
[Parameter(Mandatory=$True)][string[]]$ReplyUrl=@("https://AADSynctool.com") # Check if we are in the correct AD Tenant
$adTenant = ""
if ( $Tenant -like "*.*") {
$adTenant = $Tenant
} else {
$adTenant = "$Tenant.onmicrosoft.com"
}
$authority = "https://login.microsoftonline.com/$adTenant"
$authorizationEndpoint = "" # Get the AAD tenant ID. The below url can be accessed anonymously
$url="$authority/.well-known/openid-configuration"
$resp = Invoke-WebRequest $url
if ( $resp.StatusCode -ne "200") {
write-error "Non-existing AAD tenant name - $adtenant"
exit 2
}
$json = ($resp.Content | ConvertFrom-Json)
$tenantId = $json.authorization_endpoint.Split("/")[3]
$authorizationEndpoint = $json.authorization_endpoint # Get the Graph headers
function GetGraphAuthHeader() { $clientId = "1950a258-227b-4e31-a9cf-717495945fc2" # Set well-known client ID for AzurePowerShell
$resourceAppIdURI = "https://graph.windows.net/" # Resource we want to use
# Create Authentication Context tied to Azure AD Tenant
$creds = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.UserCredential" -ArgumentList $o365user,$o365password
$authContext = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext" -ArgumentList $authority
# Acquire token
$authResult = $authContext.AcquireToken($resourceAppIdURI, $clientId, $creds)
$authHeader = $authResult.CreateAuthorizationHeader()
$headers = @{"Authorization" = $authHeader; "Content-Type"="application/json"}
return $headers
}
function DisplayApplication($app) {
write-output "Tenant: $adtenant"
write-output "TenantID: $tenantID"
write-output "Authorization Endpoint: $authorizationEndpoint"
$app
write-output "Client ID is the ApplicationId"
}
function AddApplication() {
# Create a client secret based on a guid
$clientSecret = [System.Guid]::NewGuid().toString()
$SecureClientSecret = ConvertTo-SecureString -String $clientSecret -AsPlainText -Force
if ( $app -ne $null ) {
write-output "Application already exists. ObjectID $($app.ObjectID)"
} else {
write-output "Creating Application $Name"
Try { $keyDuration = (Get-Date).AddYears(5).ToString('MM-dd-yyyy')
$app = New-AzureRmADApplication -DisplayName $Name -HomePage $AppUrl -IdentifierUris $AppUrl -ReplyUrls $ReplyUrl -Password $SecureClientSecret -EndDate "$keyDuration 00:00:00" } Catch { $keyDuration = (Get-Date).AddYears(5).ToString('dd-MM-yyyy')
$app = New-AzureRmADApplication -DisplayName $Name -HomePage $AppUrl -IdentifierUris $AppUrl -ReplyUrls $ReplyUrl -Password $SecureClientSecret -EndDate "$keyDuration 00:00:00"
}
write-output "Adding oAuth2 permissions to the application so app can service oAuth2 authentications"
# Add "permissions to other applications" via the Graph API. No Azure Powershell exists (yet)
$headers = GetGraphAuthHeader
$url = "https://graph.windows.net/$adTenant/applications/$($app.ObjectID)?api-version=1.6"
$postData = "{`"requiredResourceAccess`": [
{
`"resourceAppId`": `"00000002-0000-0000-c000-000000000000`",
`"resourceAccess`": [
{
`"id`": `"311a71cc-e848-46a1-bdf8-97ff7156d8e6`",
`"type`": `"Scope`"
},
{
`"id`": `"78c8a3c8-a07e-4b9e-af1b-b5ccab50a175`",
`"type`": `"Role`"
}
]
}
]
}";
write-output $url
$result = Invoke-RestMethod -Uri $url -Method "PATCH" -Headers $headers -Body $postData
DisplayApplication $app
write-output "ClientSecret: $clientSecret"
Write-Host "Please go to the Azure portal -> Active Directory -> App registrations -> Workspace365 AAD Sync -> Required permissions -> Click the `"Grant Permission`" button" -ForegroundColor Cyan
}
} # Create the switch for the Operations
switch ( $Operation.ToLower() )
{
"add" { AddApplication }
default { Write-Host "Operation must be get, add, delete, update" }
}
Have more questions? Submit a request