Use BPRT for AzureAD Join #2
Comments
You can do a "normal" PRT with AADInternals, but I don't think it works in your case. But I'll take a look at this later this week.

@dkattan, I was able to create a BPRT but I haven't been able to test it.
When the file is opened, run it by pressing F5. After that, create a new file with the following content and run it.

This totally worked! I'm wondering if it would be possible to do this without needing to use the PowerShell module ClientID + username and password and instead use my own App Registration with a client secret.

Good to hear! Sure, you should be able to do this with an App. Before you begin, you need to register an app with permissions (or scope) "policy_management". See this link for more details. After registering your app, you can get an access token and use it in the script.

Is that policy_management scope in the Add API Permission UI in Azure? The closest I could find is Policy.ReadWrite.PermissionGrant. Googling, I can't seem to find much on this policy_management permission. I know that there are permissions not listed there; for example, when I use Kelvin's script to generate an App Registration, 1cebfa2a-fb4d-419e-b5f9-839b4383e05a correlates to a Partner Center API permission that isn't listed in the UI, but you can add it to the manifest and it shows up:

```powershell
# RequiredResourceAccess entry (AzureAD module types) for the manifest
$partnerCenterAppAccess = [Microsoft.Open.AzureAD.Model.RequiredResourceAccess]@{
    ResourceAppId  = "fa3d9a0c-3fb0-42cc-9193-47c7ecd2edbd"   # resource (API) the permission belongs to
    ResourceAccess = [Microsoft.Open.AzureAD.Model.ResourceAccess]@{
        Id   = "1cebfa2a-fb4d-419e-b5f9-839b4383e05a"          # permission GUID
        Type = "Scope"                                         # "Scope" = delegated, "Role" = application
    }
}
```

Do you perhaps know the GUID for the permission/scope in question? Out of curiosity, how'd you determine the policy_management permission/scope is what's required?

Is it possible to retrieve the manifest for well-known app IDs like 1b730954-1685-4b74-9bfd-dac224a7b894?

This seems to be undoable, as the service doing the registration requires an access token with a scope (or resource) of "urn:ms-drs:enterpriseregistration.windows.net" and the upn claim to be present ☹ So, I'm afraid you need to stick to a user. As for manifests, I haven't found a way to retrieve them (besides the apps you've registered yourself).

Hey, that's all I needed to know. Thank you so much, this is going to be tremendously valuable!
Hey @NestoriSyynimaa
I'm looking for a programmatic way to join real devices to AzureAD. Playing with your module, it appears that Join-AADIntDeviceToAzureAD creates a "fake" device and doesn't actually join your device.
Outside of Autopilot, the only supported way to programmatically join AzureAD is by creating and applying a provisioning profile using Windows Configuration Designer.
Windows Configuration Designer creates and accepts a "BPRT".
During creation you do this:
![image](https://user-images.githubusercontent.com/1424395/96498742-153d9200-1212-11eb-82f1-f3e6597a25e4.png)
Then you get a BPRT value that starts with 0.
![image](https://user-images.githubusercontent.com/1424395/96498855-3d2cf580-1212-11eb-841c-e4132d4e9249.png)
However, when I run Get-AADIntAccessTokenForAADJoin I get a token that starts with eyJ.
![image](https://user-images.githubusercontent.com/1424395/96499011-71081b00-1212-11eb-9a14-0bd2a3c79cae.png)
I believe the one it wants is encrypted, as I'm not able to decode it using jwt.io.
Is there a way your library can produce the BPRT in the format necessary for Windows Configuration Designer?
If it helps, it appears that Windows Configuration Designer spawns Microsoft.AAD.BrokerPlugin.exe to generate this token.
C:\Windows\SystemApps\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\Microsoft.AAD.BrokerPlugin.exe -ServerName:App.AppXgvz9wxd0frjs1prgz5kvtcz083996jyv.mca
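The two observations in this thread, that Get-AADIntAccessTokenForAADJoin returns a JWT starting with "eyJ" while Windows Configuration Designer emits a BPRT value starting with "0.", and the maintainer's reply that the registration service wants a token for resource urn:ms-drs:enterpriseregistration.windows.net with a upn claim present, can be checked from PowerShell before handing a token to either tool. The following is an added example, not code from AADInternals or from anyone in this thread; the function names, the constructed unsigned sample token, the contoso.example UPN and the "0." sample value are assumptions made for illustration.

```powershell
# Added example, not AADInternals code: tell a JWT access token (starts with
# "eyJ") from a BPRT value (starts with "0.") and, for a JWT, decode header and
# payload WITHOUT checking the signature so the claims can be inspected.
# This is a diagnostic only; never accept a token on the strength of this check.

function ConvertFrom-Base64Url {
    param([Parameter(Mandatory)][string]$Text)
    # JWT segments are base64url: '-' for '+', '_' for '/', padding stripped
    $s = $Text.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) {
        1 { throw "Invalid base64url segment" }
        2 { $s += '==' }
        3 { $s += '=' }
    }
    [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($s))
}

function ConvertTo-Base64Url {
    param([Parameter(Mandatory)][string]$Text)
    [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($Text)).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

function Get-TokenInfo {
    param([Parameter(Mandatory)][string]$Token)
    if ($Token.StartsWith('0.')) {
        # Opaque value as emitted by Windows Configuration Designer; not decodable as a JWT
        return [pscustomobject]@{ Kind = 'BPRT'; Header = $null; Payload = $null }
    }
    $parts = $Token.Split('.')
    if ($parts.Count -ne 3 -or -not $Token.StartsWith('eyJ')) {
        return [pscustomobject]@{ Kind = 'Unknown'; Header = $null; Payload = $null }
    }
    [pscustomobject]@{
        Kind    = 'JWT'
        Header  = ConvertFrom-Base64Url $parts[0] | ConvertFrom-Json
        Payload = ConvertFrom-Base64Url $parts[1] | ConvertFrom-Json
    }
}

function Test-DeviceRegistrationToken {
    # Checks what the reply in this thread says the registration service wants:
    # urn:ms-drs:enterpriseregistration.windows.net as audience and a upn claim
    # (an app-only token carries no upn). Also flags an expired token.
    param([Parameter(Mandatory)][string]$Token)
    $info = Get-TokenInfo $Token
    if ($info.Kind -ne 'JWT') { Write-Warning "Not a JWT ($($info.Kind))"; return $false }
    $p  = $info.Payload
    $ok = $true
    if ($p.aud -ne 'urn:ms-drs:enterpriseregistration.windows.net') {
        Write-Warning "aud is '$($p.aud)', not the device registration service"; $ok = $false
    }
    if (-not $p.upn) { Write-Warning "No upn claim; is this an app-only token?"; $ok = $false }
    if ($p.exp -and [DateTimeOffset]::FromUnixTimeSeconds([int64]$p.exp) -lt [DateTimeOffset]::UtcNow) {
        Write-Warning "Token expired"; $ok = $false
    }
    $ok
}

# Constructed sample (assumption): an unsigned JWT with the expected claims, not a real token
$sampleJwt = (ConvertTo-Base64Url '{"typ":"JWT","alg":"none"}') + '.' +
             (ConvertTo-Base64Url '{"aud":"urn:ms-drs:enterpriseregistration.windows.net","upn":"user@contoso.example","exp":4102444800}') + '.'
Test-DeviceRegistrationToken $sampleJwt
Test-DeviceRegistrationToken '0.AAAAAAAAAAAA'   # constructed "0."-prefixed value, not a real BPRT
```

Run it against the output of Get-AADIntAccessTokenForAADJoin to see which claims it actually carries; a token obtained with an app's client secret instead of a user's credentials will fail the upn check, which is the reason the maintainer gives for having to stick to a user. The decode deliberately ignores the signature, so it tells you why a token is likely to be rejected, not that it can be trusted.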