Interact with Azure AD without using Online Service Sign-In assistant

Q. How can I interact with Azure AD from PowerShell without having to install the Online Services Sign-In assistant?

A. For the full set of Azure AD management capabilities in PowerShell you need to install the Microsoft Online Services Sign-In Assistant for IT Professionals and the Azure Active Directory module, as documented at https://msdn.microsoft.com/en-us/library/azure/jj151815.aspx#bkmk_installmodule. If you do not want to, or cannot, install the Sign-In Assistant, another option is to create a remote session to the Office PowerShell environment, which exposes most of the Office functionality but not the full set of Azure AD features. To use this approach:

# Prompt for the Office 365 administrator credential, open a remote session to the
# Office (Exchange) PowerShell endpoint, and import its cmdlets into the local session.
$MyCredentials = Get-Credential
$OffSession = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ `
    -Credential $MyCredentials -Authentication Basic -AllowRedirection
Import-PSSession $OffSession

For full Azure AD functionality without the Sign-In Assistant, the Graph API can be used, which is for Azure AD what LDAP is for Active Directory. You can interact with the Graph API directly from PowerShell, since it is a REST API (I covered this at http://windowsitpro.com/azure/communicate-azure-rest-powershell), but there is also a PowerShell module that provides a thin wrapper around the Graph API and makes it much easier to use. It can be downloaded from https://github.com/tiander/OMSsearchAPI, which also contains instructions for its use, and a good blog post is available at http://azure.microsoft.com/en-us/blog/powershell-module-for-the-oms-search-api/. The page at https://msdn.microsoft.com/Library/Azure/Ad/Graph/api/users-operations lists the REST operations available for users via the Graph API. Below is an example that resets a password. Note that you need the credential of the account that will make the change as well as the user whose password will be changed.

$user = "[email protected]"            # account that will make the change
$userpass = "Password5"                 # avoid hard-coding credentials in scripts; prompt or use a vault instead
$AzureADDomain = "yourtenant.onmicrosoft.com"   # tenant domain (placeholder: replace with your own)
$APIVersion = "1.5"
$AppIdURI = "https://graph.windows.net"
$usertochange = "[email protected]"    # user whose password will be reset
$NewPassword = "NewPa55word"

# Set up connection object to pass into Invoke-AzureADMethod
$ADConnection = @{"Username"=$user;"AzureADDomain"=$AzureADDomain;"Password"=$userpass;"APPIdURI"=$AppIdURI;"APIVersion"=$APIVersion}
$URI = "https://graph.windows.net/$AzureADDomain/users/$usertochange"

# JSON body for the PATCH. Setting forceChangePasswordNextLogin to true would make the
# user choose their own password at next sign-in, which is usually preferable for admin-initiated resets.
$body = @"
{
    "passwordProfile": {
        "password": "$NewPassword",
        "forceChangePasswordNextLogin": false
    }
}
"@

$UserUpdate = Invoke-AzureADMethod -URI $URI -Connection $ADConnection -Body $body -Method PATCH
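The same password reset performed by calling the Graph API directly with Invoke-RestMethod, as an added example that is not part of the original article or of the wrapper module; the tenant domain, client id and user UPN are placeholders, and the token is obtained with the OAuth2 password grant against the v1 token endpoint, which is an assumption about how the wrapper's Username/Password connection authenticates.

```powershell
# Added example: direct REST call to Azure AD Graph to reset a user's password.
# Placeholders (replace before use): tenant domain, public client application id, target UPN.
$TenantDomain = "yourtenant.onmicrosoft.com"                   # placeholder
$ClientId     = "00000000-0000-0000-0000-000000000000"         # placeholder: public client app registered in the tenant
$UserToChange = "someone@yourtenant.onmicrosoft.com"           # placeholder
$Resource     = "https://graph.windows.net"
$ApiVersion   = "1.5"

# Prompt for the admin credential and the new password rather than hard-coding them.
$AdminCred        = Get-Credential -Message "Account allowed to reset passwords"
$NewPasswordSec   = Read-Host -Prompt "New password for $UserToChange" -AsSecureString
$NewPasswordPlain = [System.Net.NetworkCredential]::new("", $NewPasswordSec).Password

# 1. Obtain a bearer token for the Graph resource (OAuth2 resource-owner password grant, v1 endpoint).
$TokenResponse = Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$TenantDomain/oauth2/token" `
    -Body @{
        grant_type = "password"
        client_id  = $ClientId
        resource   = $Resource
        username   = $AdminCred.UserName
        password   = $AdminCred.GetNetworkCredential().Password
    }
$Headers = @{ Authorization = "Bearer $($TokenResponse.access_token)" }

# 2. Build the PATCH body with ConvertTo-Json so quotes or backslashes in the password are escaped
#    correctly (a here-string would emit invalid JSON for such passwords).
$Body = @{
    passwordProfile = @{
        password                     = $NewPasswordPlain
        forceChangePasswordNextLogin = $true   # admin-initiated reset: the user picks a password only they know
    }
} | ConvertTo-Json -Depth 3

# 3. PATCH the user object; Graph answers 204 No Content when the change is applied.
$Uri = "$Resource/$TenantDomain/users/$UserToChange`?api-version=$ApiVersion"
$Response = Invoke-WebRequest -Method Patch -Uri $Uri -Headers $Headers `
    -ContentType "application/json" -Body $Body -UseBasicParsing
if ($Response.StatusCode -eq 204) {
    "Password reset for $UserToChange"
} else {
    "Unexpected status $($Response.StatusCode): $($Response.Content)"
}
```

Azure AD Graph (graph.windows.net) has since been retired in favour of Microsoft Graph; the same PATCH body shape applies to https://graph.microsoft.com/v1.0/users/{id} with a token issued for that resource.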
