Latest version:
Submit Support Request
WhatsApp: +31 (0)623684723

Articles in this section

Other Sections

2. Create client application in Azure for the AD Synctool

Follow
Created:
Updated:
Note: Please make sure you meet the requirements found here.
We recommend creating the required Azure AD application via PowerShell. Therefore, PowerShell will create the application and displays the required information.

The sync tool requires you to create an application for it in Azure.
This can be done very easily by a script in PowerShell.
We will explain how to do this in this article.

  • Start PowerShell ISE as Admin.
  • Copy the script from the section below and paste it in PowerShell.
  • Let it run.
  • Fill in the Admin credentials of the corresponding Office 365 tenant.
  • Save and copy all the related information.
    The important information from the script is:
    • Tenant ID
    • Tenant Name
    • Client ID
    • Client Secret Key

This information is needed for the next step.

 

The PowerShell Script as described above:

#Set TLS communication to only 1.2. Other is not supported.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

$Credentials = Get-Credential
 Login-AzureRmAccount $Credentials
# Convert the password for W365 format
 $SecurePassword = $Credentials.Password
 $BSTR = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($SecurePassword)
 $W365Password = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($BSTR)
$o365user = $Credentials.UserName
 $o365password = "$W365Password"
 
 # Get the tenantname from Microsoft
 Connect-MsolService -Credential $Credentials
 $TenantName = (Get-MsolDomain | Where-Object {$_.Name -like '*.onmicrosoft.com'}).Name.Split('.')[0]
 
 #Fill parameters oAuth2 application
 $Operation = "add" #
 $Name="Workspace365 AAD Sync" # Name of the application which is created in the Azure AD.
 $Tenant="$TenantName" 
 $AppUrl="https://AADSynctool.com" 
 [Parameter(Mandatory=$True)][string[]]$ReplyUrl=@("https://AADSynctool.com")
# Check if we are in the correct AD Tenant
 $adTenant = ""
 if ( $Tenant -like "*.*") {
 $adTenant = $Tenant
 } else {
 $adTenant = "$Tenant.onmicrosoft.com" 
 }
 $authority = "https://login.microsoftonline.com/$adTenant"
 $authorizationEndpoint = ""
# Get the AAD tenant ID. The below url can be accessed anonymously
 $url="$authority/.well-known/openid-configuration"
 $resp = Invoke-WebRequest $url
 if ( $resp.StatusCode -ne "200") {
 write-error "Non-existing AAD tenant name - $adtenant"
 exit 2
 }
 $json = ($resp.Content | ConvertFrom-Json)
 $tenantId = $json.authorization_endpoint.Split("/")[3]
 $authorizationEndpoint = $json.authorization_endpoint
# Get the Graph headers
 function GetGraphAuthHeader() {
$clientId = "1950a258-227b-4e31-a9cf-717495945fc2" # Set well-known client ID for AzurePowerShell
 $resourceAppIdURI = "https://graph.windows.net/" # Resource we want to use
 # Create Authentication Context tied to Azure AD Tenant
 $creds = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.UserCredential" -ArgumentList $o365user,$o365password
 $authContext = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext" -ArgumentList $authority
 # Acquire token
 $authResult = $authContext.AcquireToken($resourceAppIdURI, $clientId, $creds)
 $authHeader = $authResult.CreateAuthorizationHeader()
 $headers = @{"Authorization" = $authHeader; "Content-Type"="application/json"} 
 return $headers
 }
 function DisplayApplication($app) {
 write-output "Tenant: $adtenant"
 write-output "TenantID: $tenantID"
 write-output "Authorization Endpoint: $authorizationEndpoint"
 $app
 write-output "Client ID is the ApplicationId"
 }
 function AddApplication() {
 # Create a client secret based on a guid
 $clientSecret = [System.Guid]::NewGuid().toString()
 $SecureClientSecret = ConvertTo-SecureString -String $clientSecret -AsPlainText -Force
 if ( $app -ne $null ) {
 write-output "Application already exists. ObjectID $($app.ObjectID)"
 } else {
 write-output "Creating Application $Name"
 Try {
$keyDuration = (Get-Date).AddYears(5).ToString('MM-dd-yyyy')
 $app = New-AzureRmADApplication -DisplayName $Name -HomePage $AppUrl -IdentifierUris $AppUrl -ReplyUrls $ReplyUrl -Password $SecureClientSecret -EndDate "$keyDuration 00:00:00"
} Catch {
$keyDuration = (Get-Date).AddYears(5).ToString('dd-MM-yyyy')
 $app = New-AzureRmADApplication -DisplayName $Name -HomePage $AppUrl -IdentifierUris $AppUrl -ReplyUrls $ReplyUrl -Password $SecureClientSecret -EndDate "$keyDuration 00:00:00"
 }
 write-output "Adding oAuth2 permissions to the application so app can service oAuth2 authentications"
 # Add "permissions to other applications" via the Graph API. No Azure Powershell exists (yet)
 $headers = GetGraphAuthHeader 
 $url = "https://graph.windows.net/$adTenant/applications/$($app.ObjectID)?api-version=1.6"
 $postData = "{`"requiredResourceAccess`": [
 {
 `"resourceAppId`": `"00000002-0000-0000-c000-000000000000`",
 `"resourceAccess`": [
 {
 `"id`": `"311a71cc-e848-46a1-bdf8-97ff7156d8e6`",
 `"type`": `"Scope`"
 },
 {
 `"id`": `"78c8a3c8-a07e-4b9e-af1b-b5ccab50a175`",
 `"type`": `"Role`"
 }
 ]
 }
 ]
 }";
 write-output $url
 $result = Invoke-RestMethod -Uri $url -Method "PATCH" -Headers $headers -Body $postData
 DisplayApplication $app
 write-output "ClientSecret: $clientSecret"
 Write-Host "Please go to the Azure portal -> Active Directory -> App registrations -> Workspace365 AAD Sync -> API Permissions -> Click the `"Grant admin consent...`" button on the bottom" -ForegroundColor Cyan
 }
 }
# Create the switch for the Operations
switch ( $Operation.ToLower() )
{
 "add" { AddApplication }
 default { Write-Host "Operation must be get, add, delete, update" }
 }
Was this article helpful?

Have more questions? Submit a request