
2. Create client application in Azure for the AD Synctool

Note: The synctool and its support are available to our Partners. Are you a New Day at Work Partner and interested? Please contact support@newdayatwork.com

Be aware that you need to install Microsoft SQL Server Compact 4.0
https://www.microsoft.com/en-US/download/details.aspx?id=17876

These are the steps to create the Client App in AAD:

  • Open: "Provision AAD Sync application.ps1" (provided with the synctool) or listed below.
  • Run this script as Admin.
  • Fill in the Admin credentials of the corresponding Office365 tenant.
  • Save and copy all the related information.

 

We recommend creating the required Azure AD application via PowerShell: the script below creates the application and displays the information you need to save.

 

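# Prompt for the Office 365 / Azure AD tenant admin credentials and sign in to AzureRM.
$Credentials = Get-Credential
if ($null -eq $Credentials) {
    Write-Error "No credentials supplied"
    exit 2
}
Login-AzureRmAccount -Credential $Credentials

# Convert the password for W365 format.
# GetGraphAuthHeader (below) builds an ADAL UserCredential from the raw password, so the
# SecureString has to be decrypted here. The unmanaged BSTR copy is zeroed and freed as
# soon as the managed string has been read; the plaintext then lives only in $o365password.
$SecurePassword = $Credentials.Password
$BSTR = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($SecurePassword)
try {
    $W365Password = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($BSTR)
} finally {
    [System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($BSTR)
}
$o365user = $Credentials.UserName
$o365password = "$W365Password"

# Get the tenantname from Microsoft: the first label of the tenant's *.onmicrosoft.com domain.
Connect-MsolService -Credential $Credentials
$TenantName = (Get-MsolDomain | Where-Object { $_.Name -like '*.onmicrosoft.com' }).Name.Split('.')[0]
if ([string]::IsNullOrEmpty($TenantName)) {
    Write-Error "No *.onmicrosoft.com domain found for this account"
    exit 2
}

# Fill parameters oAuth2 application
$Operation = "add"                     # only "add" is handled by the switch at the bottom of the script
$Name = "Workspace365 AAD Sync"        # Name of the application which is created in the Azure AD.
$Tenant = "$TenantName"
$AppUrl = "https://AADSynctool.com"
# Plain typed variable: a [Parameter(Mandatory)] attribute has no effect outside a param() block.
[string[]]$ReplyUrl = @("https://AADSynctool.com")

# Check if we are in the correct AD Tenant: accept either a full domain name or a bare tenant name.
$adTenant = ""
if ($Tenant -like "*.*") {
    $adTenant = $Tenant
} else {
    $adTenant = "$Tenant.onmicrosoft.com"
}
$authority = "https://login.microsoftonline.com/$adTenant"

# Get the AAD tenant ID. The below url can be accessed anonymously.
# NOTE(review): Invoke-WebRequest normally throws on a non-2xx status, so the explicit
# status check below is a second line of defence rather than the primary one.
$authorizationEndpoint = ""
$url = "$authority/.well-known/openid-configuration"
$resp = Invoke-WebRequest $url
if ($resp.StatusCode -ne 200) {
    Write-Error "Non-existing AAD tenant name - $adtenant"
    exit 2
}
$json = ($resp.Content | ConvertFrom-Json)
# authorization_endpoint has the form https://<host>/<tenantId>/oauth2/authorize;
# element 3 after splitting on "/" is the tenant GUID.
$tenantId = $json.authorization_endpoint.Split("/")[3]
$authorizationEndpoint = $json.authorization_endpoint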
function GetGraphAuthHeader() {
    # Build the HTTP headers for calls to the Azure AD Graph API (https://graph.windows.net/).
    # A token is requested through ADAL with the username/password captured at the top of the
    # script ($o365user / $o365password) against the tenant authority ($authority).
    # NOTE(review): this is a raw username/password token request; it cannot answer an MFA
    # challenge - confirm the admin account used here is expected to sign in this way.
    $wellKnownClientId = "1950a258-227b-4e31-a9cf-717495945fc2"   # Set well-known client ID for AzurePowerShell
    $graphResource = "https://graph.windows.net/"                  # Resource we want to use

    # Create Authentication Context tied to Azure AD Tenant
    $userCredential = New-Object -TypeName "Microsoft.IdentityModel.Clients.ActiveDirectory.UserCredential" -ArgumentList $o365user, $o365password
    $context = New-Object -TypeName "Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext" -ArgumentList $authority

    # Acquire token
    $token = $context.AcquireToken($graphResource, $wellKnownClientId, $userCredential)

    $requestHeaders = @{}
    $requestHeaders["Authorization"] = $token.CreateAuthorizationHeader()
    $requestHeaders["Content-Type"] = "application/json"
    return $requestHeaders
}
function DisplayApplication($app) {
    # Print the tenant details followed by the application object, so the values can be
    # copied into the synctool configuration. $adtenant, $tenantID and $authorizationEndpoint
    # are script-level variables set before this function is called.
    $tenantLines = @(
        "Tenant: $adtenant",
        "TenantID: $tenantID",
        "Authorization Endpoint: $authorizationEndpoint"
    )
    foreach ($line in $tenantLines) {
        Write-Output $line
    }
    # Emit the application object itself; its ApplicationId is the client ID.
    $app
    Write-Output "Client ID is the ApplicationId"
}
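function AddApplication() {
    # Register the application in Azure AD, attach a client secret and the required
    # AAD Graph permissions, then print the values the synctool needs.
    # Reads script-level $Name, $AppUrl, $ReplyUrl and $adTenant.

    # Look the application up first; without this a second run would create a duplicate
    # registration, because $app was never assigned before the "already exists" check.
    $app = Get-AzureRmADApplication -IdentifierUri $AppUrl
    if ($null -ne $app) {
        Write-Output "Application already exists. ObjectID $($app.ObjectID)"
        return
    }

    # Create a client secret from the cryptographic RNG (a Guid is not guaranteed to be
    # unpredictable): 32 random bytes, base64-encoded.
    $secretBytes = New-Object byte[] 32
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try {
        $rng.GetBytes($secretBytes)
    } finally {
        $rng.Dispose()
    }
    $clientSecret = [Convert]::ToBase64String($secretBytes)
    $SecureClientSecret = ConvertTo-SecureString -String $clientSecret -AsPlainText -Force

    Write-Output "Creating Application $Name"
    # Pass a DateTime (midnight, five years out) rather than a culture-dependent
    # "MM-dd-yyyy" string, so no date-format retry is needed.
    $keyEndDate = (Get-Date).AddYears(5).Date
    $app = New-AzureRmADApplication -DisplayName $Name -HomePage $AppUrl -IdentifierUris $AppUrl -ReplyUrls $ReplyUrl -Password $SecureClientSecret -EndDate $keyEndDate

    Write-Output "Adding oAuth2 permissions to the application so app can service oAuth2 authentications"
    # Add "permissions to other applications" via the Graph API. No Azure Powershell exists (yet)
    $headers = GetGraphAuthHeader
    $url = "https://graph.windows.net/$adTenant/applications/$($app.ObjectID)?api-version=1.6"
    # NOTE(review): resourceAppId 00000002-... is the Azure AD Graph resource; the two
    # access ids look like a delegated Scope and an application Role on it - confirm the
    # exact permission names in the portal before changing them.
    $postData = @"
{"requiredResourceAccess": [
  {
    "resourceAppId": "00000002-0000-0000-c000-000000000000",
    "resourceAccess": [
      { "id": "311a71cc-e848-46a1-bdf8-97ff7156d8e6", "type": "Scope" },
      { "id": "78c8a3c8-a07e-4b9e-af1b-b5ccab50a175", "type": "Role" }
    ]
  }
]}
"@
    Write-Output $url
    # PATCH returns no body that is needed here.
    Invoke-RestMethod -Uri $url -Method "PATCH" -Headers $headers -Body $postData | Out-Null

    DisplayApplication $app
    # The secret is shown exactly once; anything capturing this session's output
    # (transcript, console log) will contain it.
    Write-Output "ClientSecret: $clientSecret"
    Write-Host "Please go to the Azure portal -> Active Directory -> App registrations -> Workspace365 AAD Sync -> Required permissions -> Click the `"Grant Permission`" button" -ForegroundColor Cyan
}
# Create the switch for the Operations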
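switch ($Operation.ToLower()) {
    "add" { AddApplication }
    default { Write-Host "Operation must be get, add, delete, update" }
}

# The decrypted admin password is no longer needed once the operation has run; drop the
# plaintext copies so they do not linger in the session (when the script is run from the
# ISE or dot-sourced, script-level variables survive in the caller's scope).
Remove-Variable -Name W365Password, o365password -ErrorAction SilentlyContinue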
