Automating with PowerShell: Deploying passwordless Authentication

So passwordless authentication is something pretty awesome – it removes the need for users to know their own password, because the password is replaced with a multi-factor authentication prompt. Microsoft has taken passwordless out of preview after about two years. Microsoft’s implementation of passwordless prompts the user to tap the matching number shown on their screen. This also prevents users from simply hitting “OK” on random push prompts, so again a little bit of extra safety.

We really like using passwordless at our MSP and for our clients; we often combine passwordless with FIDO keys or with other forms of Conditional Access and multi-factor authentication. Deploying passwordless in all your tenants can be done by executing the script below. This doesn’t really make any changes for users yet, as they still have to register for passwordless themselves.

The Script

```powershell
######### Secrets #########
$ApplicationId = 'YourAPPID'
$ApplicationSecret = 'YourAppPassword' | ConvertTo-SecureString -AsPlainText -Force
$TenantID = 'YourTenantID'
$RefreshToken = 'Refreshtoken'
$UPN = "Valid-upn"
######### Secrets #########
$credential = New-Object System.Management.Automation.PSCredential($ApplicationId, $ApplicationSecret)

# Partner Center tokens for the partner tenant: one for the legacy AAD Graph endpoint
# (used by the AzureAD module) and one for Microsoft Graph.
$aadGraphToken = New-PartnerAccessToken -ApplicationId $ApplicationId -Credential $credential -RefreshToken $RefreshToken -Scopes 'https://graph.windows.net/.default' -ServicePrincipal -Tenant $TenantID
$graphToken = New-PartnerAccessToken -ApplicationId $ApplicationId -Credential $credential -RefreshToken $RefreshToken -Scopes 'https://graph.microsoft.com/.default' -ServicePrincipal -Tenant $TenantID

# The AzureADPreview module is required for the AuthenticatorAppSignInPolicy cmdlets.
Install-Module AzureADPreview -AllowClobber
Import-Module AzureADPreview
Connect-AzureAD -AadAccessToken $aadGraphToken.AccessToken -AccountId $UPN -MsAccessToken $graphToken.AccessToken -TenantId $TenantID | Out-Null
# Enumerate every customer tenant under the partner relationship.
$tenants = Get-AzureADContract -All:$true
Disconnect-AzureAD

foreach ($tenant in $tenants) {

    Write-Host "Working on client $($tenant.DefaultDomainName)"
    try {
        # Request customer-scoped tokens and sign in to that customer tenant.
        $CustAadGraphToken = New-PartnerAccessToken -ApplicationId $ApplicationId -Credential $credential -RefreshToken $RefreshToken -Scopes "https://graph.windows.net/.default" -ServicePrincipal -Tenant $tenant.CustomerContextId
        $CustGraphToken = New-PartnerAccessToken -ApplicationId $ApplicationId -Credential $credential -RefreshToken $RefreshToken -Scopes "https://graph.microsoft.com/.default" -ServicePrincipal -Tenant $tenant.CustomerContextId
        Connect-AzureAD -AadAccessToken $CustAadGraphToken.AccessToken -AccountId $UPN -MsAccessToken $CustGraphToken.AccessToken -TenantId $tenant.CustomerContextId | Out-Null
        # Skip tenants that already have a passwordless policy; otherwise create one
        # that is enabled and set as the organization default.
        $exists = Get-AzureADPolicy | Where-Object -Property Type -eq AuthenticatorAppSignInPolicy
        if ($exists) { Write-Host "Policy exists for $($tenant.DefaultDomainName)"; continue }
        New-AzureADPolicy -Type AuthenticatorAppSignInPolicy -Definition '{"AuthenticatorAppSignInPolicy":{"Enabled":true}}' -isOrganizationDefault $true -DisplayName 'PasswordlessSignin'
    }
    catch {
        Write-Warning "Could not log into tenant $($tenant.DefaultDomainName) or retrieve policy. Error: $($_.Exception.Message)"
    }

}
```
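One check worth adding alongside the deployment: the script above skips a tenant as soon as any AuthenticatorAppSignInPolicy exists, so a policy that was later switched to `Enabled:false` or that is not the organization default is never corrected. The function below is an added example (not part of the original post) that parses the policy definition JSON and reports that drift; it assumes an active Connect-AzureAD session in the tenant being checked, the AzureADPreview module, and the hypothetical function name `Test-PasswordlessPolicy`.

```powershell
# Added example, not the post's own code: audit the passwordless policy in the
# currently connected tenant and classify it as Missing / Disabled / NotOrgDefault / Compliant.
function Test-PasswordlessPolicy {
    param(
        [Parameter(Mandatory)] [string] $DomainName   # e.g. $tenant.DefaultDomainName from the loop
    )
    $policies = Get-AzureADPolicy | Where-Object -Property Type -eq 'AuthenticatorAppSignInPolicy'
    if (-not $policies) {
        return [pscustomobject]@{ Tenant = $DomainName; State = 'Missing'; Enabled = $false; OrgDefault = $false; Policy = $null }
    }
    foreach ($policy in $policies) {
        # Definition is a list of strings holding the JSON from the post:
        # {"AuthenticatorAppSignInPolicy":{"Enabled":true}}
        $definition = ($policy.Definition -join '') | ConvertFrom-Json
        $enabled    = [bool] $definition.AuthenticatorAppSignInPolicy.Enabled
        $orgDefault = [bool] $policy.IsOrganizationDefault
        $state = if ($enabled -and $orgDefault) { 'Compliant' }
                 elseif ($enabled)              { 'NotOrgDefault' }
                 else                           { 'Disabled' }
        [pscustomobject]@{
            Tenant     = $DomainName
            State      = $state
            Enabled    = $enabled
            OrgDefault = $orgDefault
            Policy     = $policy.DisplayName
        }
    }
}

# Usage inside the per-tenant loop, after Connect-AzureAD has succeeded:
# $report += Test-PasswordlessPolicy -DomainName $tenant.DefaultDomainName
# Afterwards, list every tenant that needs attention:
# $report | Where-Object State -ne 'Compliant' | Format-Table
```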

Now, that’s the scripting part; let’s move over to the user part.

User Setup

The user still has to perform some tasks themselves if they want to use passwordless. First off, the user must already be registered for multi-factor authentication using the Microsoft Authenticator app. If they are not, have them do that first.

When the user is completely registered, have them open the application, tap their username, and then tap “Enable Phone Signin”. From that moment forward, the user will no longer be prompted for their password, but will get the following pop-up:

![Passwordless sign-in pop-up](../uploads/2021/04/image.png)

And that’s it! As always, Happy PowerShelling.
