Use BPRT for AzureAD Join #2
Comments
|
You can do a "normal" PRT with AADInternals, but I don't think it works in your case. But I'll take a look at this later this week. |
|
@dkattan, I was able to create a BPRT but I haven't been able to test it. When the file is opened, run it by pressing F5. After that, create a new file with the following content and run it. |
|
This totally worked! I'm wondering if it would be possible to do this without needing to use the PowerShell Module ClientID + Username and Password and instead use my own App Registration with a Client Secret. |
|
Good to hear! Sure, you should be able to do this with an App. Before you begin, you need to register an app with permissions (or scope) "policy_management". See this link for more details. After registering your app, you can get an access token and use it in the script. |
|
Is that policy_management scope in the Add API Permission UI in Azure? Closest I could find is Policy.ReadWrite.PermissionGrant Googling, I can't seem to find much on this policy_management permission. I know that there are permissions not listed there, for example when I use Kelvin's script to generate an App Registration, 1cebfa2a-fb4d-419e-b5f9-839b4383e05a correlates to a Partner Center API permission that isn't listed in the UI, but you can add it to the manifest and it shows up: $partnerCenterAppAccess = [Microsoft.Open.AzureAD.Model.RequiredResourceAccess]@{
ResourceAppId = "fa3d9a0c-3fb0-42cc-9193-47c7ecd2edbd";
ResourceAccess =
[Microsoft.Open.AzureAD.Model.ResourceAccess]@{
Id = "1cebfa2a-fb4d-419e-b5f9-839b4383e05a";
Type = "Scope"}
}
Do you perhaps know the Guid for the permission/scope in question? Out of curiosity, how'd you determine the policy_management permission/scope is what's required? |
|
I found the scope from the access token used to create the BPRT token:
I'll check which API permissions are required from the app. |
|
Is it possible to retrieve the manifest for well-known appids like 1b730954-1685-4b74-9bfd-dac224a7b894? |
|
This seems to be un-doable as the service doing the registration requires an access token with a scope (or resource) of "urn:ms-drs:enterpriseregistration.windows.net" and upn claim to be present ☹ So, I'm afraid you need to stick to a user. What comes to manifests, I haven't find a to retrieve them (besides the apps you've registered your self). |
|
Hey, that’s all I needed to know. Thank you so much, this is going to be tremendously valuable! |
Hey @NestoriSyynimaa
I'm looking for a programmatic way to join real devices to AzureAD. Playing with your module, it appears that Join-AADIntDeviceToAzureAD creates a "fake" device and doesn't actual join your device.
Outside of Autopilot, the only supported way to programmatically join AzureAD is by creating and applying a provisioning profile using Windows Configuration Designer.
Windows Configuration Designer creates and accepts a "BPRT"
During creation you do this:
Then you get a BPRT value that starts with 0.
However when I run Get-AADIntAccessTokenForAADJoin I get a token that starts with eyJ
I believe the one it wants is encrypted as I'm not able to decode it using jwt.io
Is there a way your library can produce the BPRT in the format necessary for Windows Configuration Designer?
If it helps, it appears that Windows Configuration Designer spawns Microsoft.AAD.BrokerPlugin.exe to generate this token.
C:\Windows\SystemApps\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\Microsoft.AAD.BrokerPlugin.exe -ServerName:App.AppXgvz9wxd0frjs1prgz5kvtcz083996jyv.mca
The text was updated successfully, but these errors were encountered: