Commit

Doc update to explain the PnP Management Shell app cannot be used anymore

bjansen committed Sep 10, 2024
1 parent 33ec8c6 commit 4143bee
Showing 1 changed file with 16 additions and 19 deletions.
35 changes: 16 additions & 19 deletions docs/using-the-assessment-tool/setupauth.md
@@ -1,16 +1,13 @@
# Configure authentication

The Microsoft 365 Assessment tool uses Azure AD based authentication and requires a configured Azure AD application to run. The Microsoft 365 Assessment tool supports both application permissions (app-only) and delegated (user) permissions and various ways to authenticate.
The Microsoft 365 Assessment tool uses Entra (Azure AD) based authentication and requires a configured Entra application to run. The Microsoft 365 Assessment tool supports both application permissions (app-only) and delegated (user) permissions and various ways to authenticate.

> [!Important]
> If you want the assessment tool to read all sites in your tenant then using application permissions is strongly recommended as that's the only way to guarantee that the Microsoft 365 Assessment tool can read all the sites. When you want to only assess a couple of sites and your account has permissions to these sites then using delegated permissions is an option.
## Setting up the Azure AD application
## Setting up the Entra application

A configured Azure AD application is a pre-requisite for using the Microsoft 365 Assessment tool. When you [start an assessment](assess-start.md) you'll be able to specify the Azure AD application to use and how you want to authenticate. When you don't specify an Azure AD application when starting an assessment the **PnP Management Shell** application will be assumed, if you're using a recent [PnP PowerShell](https://pnp.github.io/powershell/) version then this application most likely was setup.

> [!Note]
> It's strongly recommended to create a dedicated Azure AD application so you can limit the needed permissions to what's needed by the module you're using in the Microsoft 365 Assessment tool. Also as throttling rules are bound to applications there's less throttling impact if you use a dedicated Azure AD application for the assessments.
A [configured Entra application](https://entra.microsoft.com/#view/Microsoft_AAD_RegisteredApps/ApplicationsListBlade/quickStartType~/null/sourceType/Microsoft_AAD_IAM) is a pre-requisite for using the Microsoft 365 Assessment tool. When you [start an assessment](assess-start.md) you'll have to specify the Entra application to use and how you want to authenticate. It's strongly recommended to create a dedicated Entra application over re-using an existing one so you can limit the needed permissions to what's needed by the module you're using in the Microsoft 365 Assessment tool. Also as throttling rules are bound to applications there's less throttling impact if you use a dedicated Entra application for the assessments.

### Permissions required

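Review bot: the commit message says this update explains that the PnP Management Shell app cannot be used anymore, but the hunk only deletes the sentence that named it as the default (`When you don't specify an Azure AD application when starting an assessment the **PnP Management Shell** application will be assumed ...`) and changes `you'll be able to specify` to `you'll have to specify`; a reader who still relies on that default gets no explanation of why their existing command now fails. Suggest adding a short callout in the file's own style after the new paragraph, e.g. `> [!Important]` / `> The PnP Management Shell application can no longer be used with the Microsoft 365 Assessment tool; register your own Entra application and pass it via --applicationid.` (wording is a suggestion; `--applicationid` is the parameter the later section already documents). Minor: the portal link added on the `A [configured Entra application](...)` line embeds a deep blade path (`quickStartType~/null/sourceType/Microsoft_AAD_IAM`), which tends to break when the portal changes; a shorter link to the App registrations page would age better.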
Expand All @@ -24,12 +21,12 @@ The Microsoft 365 Assessment tool aims to be able to perform the assessment task
> [!Important]
> Cross check the minimally required permissions are granted, if not the scan might fail or might return inaccurate results.
### Creating an Azure AD application using PnP PowerShell
### Creating an Entrq application using PnP PowerShell

Using [PnP PowerShell](https://pnp.github.io/powershell/) creating an Azure AD application becomes really simple. The [Register-PnPAzureADApp](https://pnp.github.io/powershell/cmdlets/Register-PnPAzureADApp.html) cmdlet will create a new Azure AD application, will create a new self-signed certificate inside the **Personal** node (= **My**) of the **CurrentUser** certificate store, and will hookup that cert with the created Azure AD application. Finally the right permissions are configured and you're prompted to consent these permissions.
Using [PnP PowerShell](https://pnp.github.io/powershell/) creating an Entra application becomes really simple. The [Register-PnPAzureADApp](https://pnp.github.io/powershell/cmdlets/Register-PnPAzureADApp.html) cmdlet will create a new Entra application, will create a new self-signed certificate inside the **Personal** node (= **My**) of the **CurrentUser** certificate store, and will hookup that cert with the created Entra application. Finally the right permissions are configured and you're prompted to consent these permissions.

> [!Important]
> If you encounter errors during below steps it's likely that you do not have the needed permissions. Please contact your tenant / Azure AD admins for help.
> If you encounter errors during below steps it's likely that you do not have the needed permissions. Please contact your tenant / Entra admins for help.
```PowerShell
# Sample for the Microsoft Syntex adoption module.
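Review bot: typo in the renamed heading `### Creating an Entrq application using PnP PowerShell`; it should read `Entra`. Optional wording on the rewritten paragraph below it: `will hookup that cert` should be `will hook up that cert`, and `you're prompted to consent these permissions` reads better as `consent to these permissions`.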
Expand All @@ -55,9 +52,9 @@ Register-PnPAzureADApp -ApplicationName Microsoft365AssessmentToolForSyntex `
```

> [!Note]
> Replace `contoso.onmicrosoft.com` with your Azure AD tenant name and ensure you replace `[email protected]` with the user id that's an Azure AD admin (or global admin). If you're unsure what your Azure AD tenant name is then go to https://aad.portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview and check for the value of **Primary domain**.
> Replace `contoso.onmicrosoft.com` with your Entra tenant name and ensure you replace `[email protected]` with the user id that's an Entra admin (or global admin). If you're unsure what your Entra tenant name is then go to https://entra.microsoft.com/#view/Microsoft_AAD_IAM/TenantOverview.ReactView and check for the value of **Primary domain**.
Once you've pressed enter on above command, you'll be prompted to sign-in and you should sign-in using the user you've specified for the `Username` parameter. After that's done the Azure AD application will be created and configured, followed by a wait of 60 seconds to ensure the creation has been propagated across all systems. The final step is the admin consent flow: you'll again be prompted to sign-in with the specified admin user, followed by a consent dialog showing the permissions that are being granted to the application. Press **Accept** to finalize the consent flow. In the resulting output you'll get some key information:
Once you've pressed enter on above command, you'll be prompted to sign-in and you should sign-in using the user you've specified for the `Username` parameter. After that's done the Entra application will be created and configured, followed by a wait of 60 seconds to ensure the creation has been propagated across all systems. The final step is the admin consent flow: you'll again be prompted to sign-in with the specified admin user, followed by a consent dialog showing the permissions that are being granted to the application. Press **Accept** to finalize the consent flow. In the resulting output you'll get some key information:

```text
Pfx file : D:\assessment\Microsoft365AssessmentTool.pfx
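Review bot: the rewritten `> Replace contoso.onmicrosoft.com ...` note is immediately followed by the `Once you've pressed enter on above command ...` paragraph with no blank line between them; in CommonMark (and therefore on GitHub) that paragraph becomes a lazy continuation of the blockquote, so the whole sign-in and consent walkthrough renders inside the Note callout. Add a blank line after the note. Two smaller points on the same lines: `the user id that's an Entra admin` describes a user principal name (the `[email protected]` placeholder is a UPN, which is what the `Username` parameter referenced in the next paragraph receives), and `Entra admin (or global admin)` leaves open which directory role is actually required to both create the app registration and complete the admin consent step; naming that role would spare readers a failed consent prompt.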
Expand All @@ -66,25 +63,25 @@ AzureAppId/ClientId : 95610f5d-729a-4cd1-9ad7-1fa9052e50dd
Certificate Thumbprint : 165CCE93E08FD3CD85B7B25D5E91C05B1D1E49FE
```

Running the `Register-PnPAzureADApp` did not only create and configure the Azure AD application, it also did create a certificate for the application permission flow. This certificate has been added to the current user's certificate store, under the personal node. You can use `certmgr` on the command line to open up the local user's certificate store.
Running the `Register-PnPAzureADApp` did not only create and configure the Entra application, it also did create a certificate for the application permission flow. This certificate has been added to the current user's certificate store, under the personal node. You can use `certmgr` on the command line to open up the local user's certificate store.

> [!Note]
> The certificate is also exported as PFX file and cer file on the file system, feel free to delete these exported files as it's easier to use the certificate from the certificate store.
When you now want to use the certificate for starting an assessment, you need to set `--authmode` to `application` and tell the Microsoft 365 Assessment tool which certificate to use via the certificate path parameter: `--certpath "My|CurrentUser|165CCE93E08FD3CD85B7B25D5E91C05B1D1E49FE"`. Next to that you also need to specify the Azure AD application to use via the `--applicationid` parameter. More details on how to configure authentication when starting an assessment can be found [here](assess-start.md#authentication-configuration).
When you now want to use the certificate for starting an assessment, you need to set `--authmode` to `application` and tell the Microsoft 365 Assessment tool which certificate to use via the certificate path parameter: `--certpath "My|CurrentUser|165CCE93E08FD3CD85B7B25D5E91C05B1D1E49FE"`. Next to that you also need to specify the Entra application to use via the `--applicationid` parameter. More details on how to configure authentication when starting an assessment can be found [here](assess-start.md#authentication-configuration).

> [!Important]
> Notice that the last part in the `--certpath` string is the certificate thumbprint to use. If you've not captured that thumbprint earlier on you can get it by looking up your certificate via `certmgr`, opening it to the **Details** tab and scrolling down to the **Thumbprint** field. Select the shown value and press `CTRL-C` to copy it.
### Creating an Azure AD application using the Azure AD Portal
### Creating an Entra application using the Entra Portal

Previous chapter described approach that creates and configures an Azure AD application by using [PnP PowerShell](https://pnp.github.io/powershell/). If you want to manually create the Azure AD application that's an option as well. Follow below steps to create and configure your Azure AD application:
Previous chapter described approach that creates and configures an Entra application by using [PnP PowerShell](https://pnp.github.io/powershell/). If you want to manually create the Entra application that's an option as well. Follow below steps to create and configure your Entra application:

1. Navigate to [Azure AD Portal](https://aad.portal.azure.com/) and click on **Azure Active Directory** from the left navigation
2. Click on **Add** in the toolbar and choose **App registration**, this will open up the **Register an application** page
3. Provide a **Name** for your Azure AD application (e.g. Microsoft365AssessmentToolForWorkflow)
1. Navigate to [Entra Portal](https://entra.microsoft.com) and click on **Applications**, followed by **App registrations** from the left navigation
2. Click on **New registration** page
3. Provide a **Name** for your Entra application (e.g. Microsoft365AssessmentToolForWorkflow)
4. Select **Public client/native (mobile & desktop)** and enter **http://localhost** as redirect URI
5. Click on **Register** and the Azure AD application gets created and opened
5. Click on **Register** and the Entra application gets created and opened
6. Choose **API permissions** from the left navigation and add the needed delegated and/or application permissions. See the requirements page of the module you want to use for the exact permissions
7. Click on **Grant admin consent for...** to consent the added permissions

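Review bot: the `> The certificate is also exported as PFX file and cer file ...` note is followed directly by the `When you now want to use the certificate for starting an assessment ...` paragraph with no blank line, so that paragraph (which carries the `--authmode`, `--certpath` and `--applicationid` instructions) renders as part of the Note callout; insert a blank line there, matching the blank line the hunk already keeps before the `> [!Important]` block further down. In the manual-portal section, step 2 `Click on **New registration** page` lost its object when it was shortened from the old `Click on **Add** in the toolbar and choose **App registration**, this will open up the **Register an application** page`; suggest `Click on **New registration**, this will open up the **Register an application** page`. Also `Previous chapter described approach that creates ...` should read `The previous chapter described an approach that creates ...`. One content point to verify: within the visible steps 1 to 7 the portal path ends at granting admin consent and never tells the reader to add a certificate to the app registration, which the preceding section shows is what `--authmode application` with `--certpath` relies on; if the collapsed remainder of the file does not cover that step, this rename is a good moment to add it.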

0 comments on commit 4143bee