Interact with Azure AD without using Online Service Sign-In assistant

Interact with Azure AD from PowerShell without the sign-in assistant.

John Savill

September 10, 2015


Q. How can I interact with Azure AD from PowerShell without having to install the Online Services Sign-In assistant?

A. For the full set of Azure AD management capabilities via PowerShell you need to install the Microsoft Online Services Sign-In Assistant for IT Professionals and the Azure Active Directory module, which is documented at https://msdn.microsoft.com/en-us/library/azure/jj151815.aspx#bkmk_installmodule. If you do not want to, or cannot, install the Sign-In Assistant, another option is to create a remote session to the Office PowerShell environment, which exposes MOST of the Office functionality but not the full set of Azure AD features. To use this approach, run:

# Prompt for the credentials of the account that will open the remote session
$MyCredentials = Get-Credential
# Create the remote session against the Office PowerShell endpoint (Basic auth over HTTPS, redirection allowed)
$OffSession = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ `
    -Credential $MyCredentials -Authentication Basic -AllowRedirection
# Import the remote cmdlets into the local session
Import-PSSession $OffSession

For full Azure AD functionality without using the online sign-in assistant, the Graph API can be used, which is like LDAP for Azure AD. You can interact with the Graph API directly from PowerShell since it's a REST API (I covered this at http://windowsitpro.com/azure/communicate-azure-rest-powershell), but there is also a PowerShell module that provides a thin wrapper for the Graph API and makes it much easier to use. It can be downloaded from https://github.com/tiander/OMSsearchAPI, which also contains instructions on how to use it, and a good blog post is available at http://azure.microsoft.com/en-us/blog/powershell-module-for-the-oms-search-api/. https://msdn.microsoft.com/Library/Azure/Ad/Graph/api/users-operations provides a list of the REST operations available for user operations via the Graph API. Below is an example that resets a password. Note that you need a credential for the account that will make the change, and then the user whose password will be changed.

# Account that performs the change and its password
$user = "[email protected]"
$userpass = "Password5"
$APIVersion = "1.5"
$AppIdURI = "https://graph.windows.net"
# Tenant domain; this variable was referenced but never set in the original listing, so replace the placeholder with your own tenant
$AzureADDomain = "<your-tenant-domain>"
# User whose password will be reset, and the new password
$usertochange = "[email protected]"
$NewPassword = "NewPa55word"
# Set up connection object to pass into Invoke-AzureADMethod
$ADConnection = @{"Username"=$user;"AzureADDomain"=$AzureADDomain;"Password"=$userpass;"APPIdURI"=$AppIdURI;"APIVersion"=$APIVersion}
$URI = "https://graph.windows.net/$AzureADDomain/users/$usertochange"
# JSON body for the PATCH; the here-string terminator "@ must start its own line
$body = @"
{
    "passwordProfile": {
        "password": "$NewPassword",
        "forceChangePasswordNextLogin": false
    }
}
"@
$UserUpdate = Invoke-AzureADMethod -URI $URI -Connection $ADConnection -Body $body -Method PATCH
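As an added example (not from the article or the wrapper module it links to), the same password-reset PATCH issued directly with Invoke-RestMethod, which the article notes is possible since Graph is a REST API. It assumes an OAuth bearer token for https://graph.windows.net is already held in $AccessToken (token acquisition is outside this snippet) and that the tenant domain and target UPN are supplied by the caller; it builds the body with ConvertTo-Json so a password containing quotes cannot break the JSON, and keeps the new password out of plaintext variables.

```powershell
# Added example: direct REST call to Azure AD Graph, not the article's Invoke-AzureADMethod wrapper.
# Assumes $AccessToken already holds a valid bearer token; tenant domain and UPN are caller-supplied placeholders.
function Reset-AADGraphUserPassword {
    param(
        [Parameter(Mandatory)][string]$AzureADDomain,
        [Parameter(Mandatory)][string]$UserToChange,
        [Parameter(Mandatory)][string]$AccessToken,
        [Parameter(Mandatory)][securestring]$NewPassword,
        [string]$ApiVersion = "1.5",
        # Default to forcing a change at next sign-in so the admin never holds a long-lived password for the user
        [bool]$ForceChangeAtNextLogin = $true
    )

    # Azure AD Graph takes the API version as a query parameter on the REST URI; escape the UPN for the path
    $uri = "https://graph.windows.net/$AzureADDomain/users/$([uri]::EscapeDataString($UserToChange))?api-version=$ApiVersion"

    # Decrypt the SecureString only at the moment it is needed, then release the plaintext copy
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($NewPassword)
    try {
        $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
        # ConvertTo-Json escapes quotes and backslashes, unlike interpolating into a here-string
        $body = @{
            passwordProfile = @{
                password                     = $plain
                forceChangePasswordNextLogin = $ForceChangeAtNextLogin
            }
        } | ConvertTo-Json -Depth 3
    } finally {
        [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
        $plain = $null
    }

    $headers = @{
        Authorization  = "Bearer $AccessToken"
        "Content-Type" = "application/json"
    }

    # PATCH returns 204 No Content on success; any non-2xx response surfaces as a terminating error
    Invoke-RestMethod -Method Patch -Uri $uri -Headers $headers -Body $body -ErrorAction Stop | Out-Null
    Write-Verbose "Password reset submitted for $UserToChange (forceChangePasswordNextLogin=$ForceChangeAtNextLogin)"
}

# Usage: prompt for the new password without echoing it to the console, then submit the reset
# $newPw = Read-Host -AsSecureString -Prompt "New password for user"
# Reset-AADGraphUserPassword -AzureADDomain "<your-tenant-domain>" -UserToChange "<user UPN>" -AccessToken $AccessToken -NewPassword $newPw
```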
