
Introduction

This article describes the resources needed to register a new PowerShell application in Azure so that it can run without prompting for username and password credentials.

Instructions

In order for Azure to run PowerShell scripts that connect to Exchange and SharePoint without being prompted for username and password details, several configuration steps must first be completed. These include registering an application (in this case the app is the PowerShell script) and creating a digital certificate that gives the application access to the required resources.

Important: this is a complex area – do not edit any existing configurations unless you are absolutely sure that you know what you are doing! By all means use these scripts to create a new app with a separate digital certificate – just don’t change any existing configurations.

Complete instructions on how to register the app and give the app various access can be found on the following excellent website:
The script snippets provided in the above link have been copied into PowerShell scripts which can be run, not from Azure, but from a user’s desktop. That user must be a global administrator of the Speakeasy environment and must open the scripts using PowerShell ISE, which must itself have been launched with administrator privileges.
The script files can be found in Microsoft Teams, under the Files section of the “Speakeasy IT…General” channel. For obvious reasons, this Team has severely restricted membership. If, as is recommended best practice, Microsoft Teams files have been synchronised with File Explorer (see Configuring Access to Microsoft Teams Files from File Explorer), simply navigate to:
{Bury Speakeasy Root}\Speakeasy IT – General\PowerShellAzureResources
The scripts are described in more detail below.

CreatePowershellAppInAzure.ps1

The first script file, CreatePowershellAppInAzure.ps1, contains most of the snippets mentioned in the article. However, these have been heavily edited to make the creation process much simpler. In general, the script does the following:
  • Registers a new Azure application
  • Assigns permissions to the Azure application so that it can connect to Exchange and SharePoint
  • Creates a digital certificate that allows the application to connect to Exchange and SharePoint without prompting for username and password details (so it is ideally suited to automated tasks that interact with Exchange or SharePoint). Note: in order to create the certificate, the user is initially prompted for a certificate password – use the password stored in Bitwarden under the title “Azure Digital Certificate Password”
  • Loads the certificate into the following places:
    (a) the personal certificate store on the local PC, for use by PowerShell scripts executed on that PC
    (b) Azure, for use by PowerShell scripts executed as part of an Azure runbook
  • Generates and automatically executes two additional example PowerShell scripts, one to verify that the registered app can connect to Exchange using the newly created digital certificate, and the other to check that the app can connect to SharePoint using the same certificate
Take a look at the script file to gain a better understanding of how it works. Use the “Adam the Automator” web site mentioned above for more information on what the script is doing. The script itself generates progress messages and pauses whenever a manual operation is required.
The two generated connection scripts can also be used as follows:
  1. Executed via PowerShell ISE. In this case, the digital certificate is retrieved from the personal certificate store on the local PC.
  2. Executed via a PowerShell runbook. In this case, the digital certificate is retrieved from the Azure certificate store. The existing PowerShell script for Distribution List Provisioning uses this code, as it needs access to both Exchange and SharePoint in order to populate distribution lists from the membership and volunteer SharePoint lists.

Create-SelfSignedCertificate.ps1

The second script, Create-SelfSignedCertificate.ps1, is invoked by CreatePowershellAppInAzure.ps1. It creates a self-signed digital certificate with a specified expiry time (given in years).
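The following is an added example, not the Speakeasy scripts themselves, showing the certificate step above and the two connection checks described under CreatePowershellAppInAzure.ps1: a certificate created with an expiry in years, exported as .cer (for the app registration) and .pfx (for Azure), then retrieved from either the personal store (ISE) or the Automation certificate asset (runbook) and used for app-only connections. The function names, the asset name AzureAppCert, and the app id, tenant and site values are assumptions.

```powershell
function New-AppAuthCertificate {
    param(
        [Parameter(Mandatory)] [string] $Subject,          # e.g. 'CN=SpeakeasyPowerShellApp' (assumed name)
        [Parameter(Mandatory)] [int] $ExpiryYears,         # lifetime in years, as Create-SelfSignedCertificate.ps1 takes it
        [Parameter(Mandatory)] [string] $OutDir,
        [Parameter(Mandatory)] [securestring] $PfxPassword  # prompted for (Bitwarden value), never hard-coded
    )
    # Private key lives in the user's personal store; Exportable only so the PFX can be uploaded to Azure.
    $cert = New-SelfSignedCertificate -Subject $Subject -CertStoreLocation 'Cert:\CurrentUser\My' `
        -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 -KeySpec Signature `
        -KeyExportPolicy Exportable -NotAfter (Get-Date).AddYears($ExpiryYears)
    # Public half (.cer) is uploaded to the app registration; private half (.pfx) to the Automation account.
    Export-Certificate    -Cert $cert -FilePath (Join-Path $OutDir 'app.cer') | Out-Null
    Export-PfxCertificate -Cert $cert -FilePath (Join-Path $OutDir 'app.pfx') -Password $PfxPassword | Out-Null
    return $cert.Thumbprint
}

function Get-AppAuthCertificate {
    param([Parameter(Mandatory)] [string] $Thumbprint, [string] $AutomationAssetName = 'AzureAppCert')
    # Runbook: Get-AutomationCertificate exists only inside Azure Automation; the asset name is an assumption.
    if (Get-Command Get-AutomationCertificate -ErrorAction SilentlyContinue) {
        return Get-AutomationCertificate -Name $AutomationAssetName
    }
    # ISE / desktop: the certificate comes from the personal store on this PC.
    $cert = Get-Item "Cert:\CurrentUser\My\$Thumbprint"
    if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key on this PC." }
    return $cert
}

function Test-AppConnections {
    param([string] $AppId, [string] $TenantDomain, [string] $SiteUrl, [string] $Thumbprint)
    $cert = Get-AppAuthCertificate -Thumbprint $Thumbprint
    if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { Write-Warning "Certificate expires $($cert.NotAfter); renew before then." }
    # Exchange Online, app-only: no username/password prompt.
    Connect-ExchangeOnline -AppId $AppId -Organization $TenantDomain -Certificate $cert -ShowBanner:$false
    Get-AcceptedDomain | Select-Object -First 1 | Out-Null
    Disconnect-ExchangeOnline -Confirm:$false
    # SharePoint Online via PnP.PowerShell, same app and certificate. -Thumbprint needs the cert in the local
    # store; in a runbook pass the PFX bytes with -CertificateBase64Encoded instead.
    Connect-PnPOnline -Url $SiteUrl -ClientId $AppId -Tenant $TenantDomain -Thumbprint $cert.Thumbprint
    Get-PnPWeb | Out-Null
    Disconnect-PnPOnline
}

# Usage from PowerShell ISE (constructed values):
# $pw = Read-Host -AsSecureString 'Certificate password (from Bitwarden)'
# $tp = New-AppAuthCertificate -Subject 'CN=SpeakeasyPowerShellApp' -ExpiryYears 2 -OutDir 'C:\Temp' -PfxPassword $pw
# Test-AppConnections -AppId '<app id>' -TenantDomain 'contoso.onmicrosoft.com' -SiteUrl 'https://contoso.sharepoint.com/sites/it' -Thumbprint $tp
```

The ExchangeOnlineManagement and PnP.PowerShell modules must be installed, and the .cer must already be uploaded to the app registration, before Test-AppConnections will succeed.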