Introduction
So. You’ve switched over to using Certificate Based Authentication and maybe you have a production tenant and a QA or test tenant that you manage, sometimes even with PowerShell … Do you remember all of your app Ids, tenant Ids, certificate thumbprints and so on? Why not just create a script that handles all of that for you? In this blog post we will go over what you need, how to code it and then, the most important part, how to make that script SECURE.
Building the Script
For this script we need to gather some information. Simply put, we need this from each Microsoft 365 tenant:
- Domain name of the tenant – domain.onmicrosoft.com – for example
- Nickname for tenant (prod, QA, corp, etc.)
- Tenant ID
- Thumbprint of certificate
- Application Id
We first need to prompt the user to enter the tenant they wish to connect to and then the workload to connect to as well. Like so:
$Tenant = Read-Host -Prompt 'Choose your tenant [ PROD / QA ]'
$Connection = Read-Host -Prompt 'Choose your workload [ ExO / SCC / Teams / Graph ]'
We then need to code a function for each workload, taking into account that each will need a certificate thumbprint, application ID and organization domain; Teams needs the tenant ID as well. Graph is added to this example with some basic delegated permissions, but you may wish to tweak that for your own usage.
Function GraphConnection {
    Param ($TenantID)
    # Delegated Graph scopes; adjust these to what your tooling actually needs
    $Perm = "User.ReadWrite.All","Group.ReadWrite.All","Mail.ReadWrite"
    Connect-MgGraph -Scopes $Perm -TenantId $TenantID
}

Function ExchangeConnection {
    Param ( $Thumbprint,$AppID,$Org )
    Connect-ExchangeOnline -CertificateThumbPrint $Thumbprint -AppID $AppID -Organization $Org
}

Function SecurityAndComplianceCenterConnection {
    Param ( $Thumbprint,$AppID,$Org )
    Connect-IPPSSession -CertificateThumbPrint $Thumbprint -AppID $AppID -Organization $Org
}

Function MicrosoftTeams {
    # Teams authenticates with the certificate, app ID and tenant ID rather than the organization domain
    Param ( $Thumbprint,$AppID,$TenantID )
    Import-Module MicrosoftTeams
    Connect-MicrosoftTeams -CertificateThumbprint $Thumbprint -ApplicationId $AppID -TenantId $TenantID
}
Below, PowerShell checks for which tenant was selected (the previous $Tenant variable) and then preloads some values for our connections:
If ($Tenant -eq 'PROD') {
    $TenantID = '6842b5a3-0a43-4279-ac3a-fce8e334710f'
    $Thumbprint = '34cb1a7a0b6186493a7b9850b90edb1308267554'
    $AppID = '5cb78d29-fdd9-455c-98a7-1628b421a119'
    $TeamsAppId = '06c59fa4-1d8e-4fb8-99c9-78b45477c0c5'
    $TeamsThumbprint = '3be4d42db762293ca9a73cac3a3c3466e5e172b8'
    $Org = 'proddomain.onmicrosoft.com'
}
If ($Tenant -eq 'QA') {
    $TenantID = '14ec33ee-5159-4b70-8a22-bf2b35f7af62'
    $Thumbprint = '395C1053E6147BDE3A64959C117710A03CAE2834'
    $AppID = 'f8a98ed6-9e70-45a8-9db8-1d378b91b3a4'
    $TeamsAppId = 'b0af88d0-1145-4d94-858d-e543012993b0'
    $TeamsThumbprint = 'b52edc57961524ec7874abb9dd009ecb07885957'
    $Org = 'qadomain.onmicrosoft.com'
}
With these values set, the next step is to connect using the function selected by the $Connection variable, passing it the values the connection cmdlet needs to run.
If ($Connection -eq 'ExO') { ExchangeConnection $Thumbprint $AppID $Org }
If ($Connection -eq 'SCC') { SecurityAndComplianceCenterConnection $Thumbprint $AppID $Org }
If ($Connection -eq 'Teams') { MicrosoftTeams $TeamsThumbprint $TeamsAppId $TenantID }
If ($Connection -eq 'Graph') { GraphConnection $TenantID }
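As an added example (this is not the blog's own script), the same tenant and workload selection can be restructured so that the per-tenant values live in one table, the prompts only accept the expected answers, and the certificate is checked before any connection cmdlet is called. The tenant IDs, app IDs and thumbprints are placeholders, and the Test-AuthCertificate and Connect-Workload function names are my own; the Graph branch keeps the delegated-scope form used above.

```powershell
# Added example, not the post's script. Placeholder IDs/thumbprints: replace with your own.
$Tenants = @{
    PROD = @{
        TenantId        = '<prod-tenant-id>'
        AppId           = '<prod-app-id>'
        Thumbprint      = '<prod-cert-thumbprint>'
        TeamsAppId      = '<prod-teams-app-id>'
        TeamsThumbprint = '<prod-teams-cert-thumbprint>'
        Org             = 'proddomain.onmicrosoft.com'
    }
    QA = @{
        TenantId        = '<qa-tenant-id>'
        AppId           = '<qa-app-id>'
        Thumbprint      = '<qa-cert-thumbprint>'
        TeamsAppId      = '<qa-teams-app-id>'
        TeamsThumbprint = '<qa-teams-cert-thumbprint>'
        Org             = 'qadomain.onmicrosoft.com'
    }
}

function Test-AuthCertificate {
    # Pre-flight check (my helper): the thumbprint must map to an installed certificate
    # that has a usable private key and has not expired. Returns the certificate or throws,
    # so a typo in the thumbprint fails here instead of inside the connection cmdlet.
    param([Parameter(Mandatory)][string]$Thumbprint)
    # -eq on strings is case-insensitive, so upper- and lower-case thumbprints both match
    $cert = Get-ChildItem -Path Cert:\CurrentUser\My, Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $Thumbprint } |
        Select-Object -First 1
    if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in the user or machine store." }
    if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key available." }
    if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate $Thumbprint expired on $($cert.NotAfter)." }
    if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
        Write-Warning "Certificate $Thumbprint expires on $($cert.NotAfter); plan the renewal."
    }
    return $cert
}

function Connect-Workload {
    # ValidateSet rejects anything other than the known tenant and workload names
    param(
        [Parameter(Mandatory)][ValidateSet('PROD', 'QA')][string]$Tenant,
        [Parameter(Mandatory)][ValidateSet('ExO', 'SCC', 'Teams', 'Graph')][string]$Workload
    )
    $t = $Tenants[$Tenant]
    switch ($Workload) {
        'ExO' {
            $null = Test-AuthCertificate -Thumbprint $t.Thumbprint
            Connect-ExchangeOnline -CertificateThumbprint $t.Thumbprint -AppId $t.AppId -Organization $t.Org
        }
        'SCC' {
            $null = Test-AuthCertificate -Thumbprint $t.Thumbprint
            Connect-IPPSSession -CertificateThumbprint $t.Thumbprint -AppId $t.AppId -Organization $t.Org
        }
        'Teams' {
            $null = Test-AuthCertificate -Thumbprint $t.TeamsThumbprint
            Import-Module MicrosoftTeams
            Connect-MicrosoftTeams -CertificateThumbprint $t.TeamsThumbprint -ApplicationId $t.TeamsAppId -TenantId $t.TenantId
        }
        'Graph' {
            # Delegated (interactive) sign-in with scopes, as in the post. Connect-MgGraph also
            # accepts -ClientId/-CertificateThumbprint/-TenantId for app-only sign-in if your
            # Graph app has application permissions granted.
            Connect-MgGraph -TenantId $t.TenantId -Scopes 'User.ReadWrite.All', 'Group.ReadWrite.All', 'Mail.ReadWrite'
        }
    }
}

$Tenant   = Read-Host -Prompt 'Choose your tenant [ PROD / QA ]'
$Workload = Read-Host -Prompt 'Choose your workload [ ExO / SCC / Teams / Graph ]'
Connect-Workload -Tenant $Tenant -Workload $Workload
```

Because the tenant and workload names are parameters with ValidateSet, a mistyped answer at the prompt produces a parameter-binding error instead of silently connecting to nothing, and the certificate check tells you which thumbprint is missing, lacks its private key, or is about to expire before the connection cmdlet reports a less specific authentication failure.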
Sample Connection
Conclusion
There you have it. A simple script that can be used to connect to a workload in a specified tenant. The script can be further tweaked with additional tenants or workloads, depending on the need.