Tobias Almén edited this page Jun 24, 2024 · 8 revisions

Client Credentials

When using client credentials to authenticate, the environment variables TENANT_NAME, CLIENT_ID and CLIENT_SECRET must be set, or a JSON file must be provided.

If the mode is set to 0 (default), prefix each environment variable with the tenant as well, for example DEV_CLIENT_ID.

When using --localauth, the JSON provided must have the following format:

{
    "params":{
        "TENANT_NAME": "",
        "CLIENT_ID": "",
        "CLIENT_SECRET": ""
    }
}

Certificate

You can choose to authenticate with a certificate uploaded to your Azure AD App Registration by adding the -c parameter. In addition, you must set two environment variables: KEY_FILE, the path to the private key of the certificate, and THUMBPRINT, the thumbprint of the certificate added to the app registration. If using this option, do not specify the -m parameter.

Additional information can be found here.

Interactive

If you are running the tool interactively and want to authenticate with your own account, add the -i parameter. When the tool is run, a browser window will open asking you to authenticate. If using this option, do not specify the -m parameter. Interactive mode also requires a "Mobile and desktop applications" Redirect URI with the value http://localhost to be added to the app registration.

Additionally, TENANT_NAME and CLIENT_ID must be set as environment variables.

Entra

Not everything in Entra uses the Graph API; some resources use an internal API to get and update payloads.

The first authentication to the Azure APIs (main.iam.ad.ext.azure.com) is manual: you must go to a URL, enter a device code and sign in. The refresh token obtained upon authenticating can, however, be stored in an encrypted local cache so that subsequent runs are authenticated silently.

To save the refresh token in a local cache, you must create a key that will be used for encryption and decryption. The key can be created in two ways:

macOS or any other UNIX-based system with openssl:

openssl rand -base64 32 | tr -d '\n' | tr '+/' '-_'

Windows and PowerShell:

# 32 bytes from the OS cryptographic random number generator
$bytes = New-Object Byte[] 32
$rand = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$rand.GetBytes($bytes)
# Base64-encode, then switch to the URL-safe alphabet (same result as the openssl one-liner)
$base64 = [System.Convert]::ToBase64String($bytes)
$urlSafeBase64 = $base64.Replace('+', '-').Replace('/', '_')
$urlSafeBase64

If you are using local auth when running IntuneCD, add this key and the tenant ID to the JSON:

{
    "params": {
        "TENANT_NAME": "",
        "CLIENT_ID": "",
        "CLIENT_SECRET": "",
        "TENANT_ID": "",
        "KEY": ""
    }
}

If not using local auth, set TENANT_ID and KEY as environment variables.
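The following is an added example, not code from IntuneCD or its author, that ties together the three configuration pieces described above: the --localauth JSON format (with and without the TENANT_ID and KEY fields used for the token cache), the tenant-prefixed environment variables of mode 0 (for example DEV_CLIENT_ID), and the cache key, which both one-liners above produce as 32 random bytes in URL-safe base64. It generates such a key with the standard library, checks that a key someone pasted into the JSON really decodes to 32 bytes, and rejects a settings file with missing or empty values before anything is sent to the tenant. All function names, the sample JSON and the environment dictionary are constructed for this illustration.

```python
import base64
import binascii
import json
import secrets

# Hypothetical helper names; the parameter names are the ones the wiki lists.
REQUIRED_PARAMS = ("TENANT_NAME", "CLIENT_ID", "CLIENT_SECRET")
CACHE_PARAMS = ("TENANT_ID", "KEY")
_URLSAFE_ALPHABET = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_="
)


def generate_cache_key() -> str:
    """32 bytes from the OS CSPRNG, URL-safe base64: the same output the
    openssl and PowerShell one-liners produce (44 characters, ends with '=')."""
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).decode("ascii")


def is_valid_cache_key(key: str) -> bool:
    """A usable KEY uses only the URL-safe alphabet and decodes to exactly 32 bytes.
    A standard-base64 key (containing '+' or '/') is rejected so the mistake
    surfaces here rather than as a failed cache decrypt later."""
    if not key or not set(key) <= _URLSAFE_ALPHABET:
        return False
    try:
        raw = base64.urlsafe_b64decode(key)
    except (binascii.Error, ValueError):
        return False
    return len(raw) == 32


def local_auth_problems(text: str, token_cache: bool = False) -> list:
    """Return a list of problems with a --localauth JSON document (empty list = ok).
    With token_cache=True the TENANT_ID and KEY fields are required as well."""
    try:
        data = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg}"]
    params = data.get("params") if isinstance(data, dict) else None
    if not isinstance(params, dict):
        return ['top level must contain a "params" object']
    required = REQUIRED_PARAMS + (CACHE_PARAMS if token_cache else ())
    problems = [f"{name} is missing or empty" for name in required if not params.get(name)]
    if token_cache and params.get("KEY") and not is_valid_cache_key(params["KEY"]):
        problems.append("KEY must be 32 random bytes in URL-safe base64")
    return problems


def load_local_auth(text: str, token_cache: bool = False) -> dict:
    """Parse the JSON and return only the parameters the run needs, or raise."""
    problems = local_auth_problems(text, token_cache)
    if problems:
        raise ValueError("; ".join(problems))
    params = json.loads(text)["params"]
    required = REQUIRED_PARAMS + (CACHE_PARAMS if token_cache else ())
    return {name: params[name] for name in required}


def env_credentials(environ: dict, tenant: str = "") -> dict:
    """Mode 0 (default) as the wiki describes it: each variable carries the tenant
    as a prefix, e.g. DEV_CLIENT_ID. An empty tenant means unprefixed names
    (assumed here to be the non-default mode)."""
    prefix = f"{tenant}_" if tenant else ""
    found = {name: environ.get(prefix + name, "") for name in REQUIRED_PARAMS}
    missing = [prefix + name for name, value in found.items() if not value]
    if missing:
        raise ValueError("missing environment variables: " + ", ".join(missing))
    return found


# Constructed sample input (not real credentials): a complete cache-enabled file.
SAMPLE_KEY = "-_v7" * 10 + "-_s="          # decodes to 32 bytes of 0xfb
SAMPLE_LOCAL_AUTH = json.dumps({
    "params": {
        "TENANT_NAME": "contoso",
        "CLIENT_ID": "00000000-0000-0000-0000-000000000000",
        "CLIENT_SECRET": "placeholder-secret",
        "TENANT_ID": "11111111-1111-1111-1111-111111111111",
        "KEY": SAMPLE_KEY,
    }
})
SAMPLE_ENV = {"DEV_TENANT_NAME": "contoso", "DEV_CLIENT_ID": "id", "DEV_CLIENT_SECRET": "s"}

if __name__ == "__main__":
    print("new key:", generate_cache_key())
    print("sample file problems:", local_auth_problems(SAMPLE_LOCAL_AUTH, token_cache=True))
    print("DEV credentials:", sorted(env_credentials(SAMPLE_ENV, "DEV")))
```

Running the checks before the first API call keeps secrets out of error paths: a file that lacks CLIENT_SECRET, or a KEY that was pasted from a standard-base64 generator, is reported by name without the tool ever attempting a token request.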

Token

Pass an authentication token at run time. This allows the use of other authentication methods, such as Workload Identity federation in Azure DevOps pipelines. Obtain the token and pass it at run time using the --token argument.
