top of page
  • Writer's pictureWill Francillette

M365DSC: Use Azure Arc and Managed Identities to authenticate on-premises and 3rd party cloud

Updated: Mar 7


Microsoft 365 DSC and Arc

The latest release of MSCloudLoginAssistant (1.0.112), used by M365DSC to connect to Microsoft 365 workloads, supports system-managed identities for Azure Arc Connected devices. and can be used with any M365DSC resources based on the Graph API such as Intune, Azure AD, and Planner workloads.


Azure Arc is a technology connecting your on-premises and 3rd party cloud environment to Azure for monitoring, governance and in our case authentication.

When a device is connected to Azure Arc, a System-Managed Identity also called Managed Service Identity (MSI) is automatically provisioned. It allows the device to authenticate to any Azure resources such as Key Vault, Storage account or the Graph API without the need to manage a client secret or a certificate. It will securely obtain an Azure AD token. This identity is bound to the machine and its assigned permissions.


In this blog, we will walk through onboarding a local virtual machine to Azure Arc and use its managed identity to extract an Intune Administrative Template configuration profile.


Table of content

Pre-Requisites

I will only mention the pre-requisites relevant to M365DSC:

  • An Azure subscription

  • Azure Arc connectivity

  • Windows Server 2012R2 and later

  • Windows 10,11

  • .Net 4.6 or later

  • PowerShell 4.0 or later

  • Azure resource providers enabled on the subscription:

    • Microsoft.HybridCompute

    • Microsoft.GuestConfiguration

    • Microsoft.HybridConnectivity

Connect server to Azure Arc

First step is to connect our server to Azure with Azure Arc.

1- From the Azure Portal > Azure Arc > Servers > and press Add

Arc portal

2- There are 2 onboarding options are available:

  • Add a single server: this option is interactive and will require to log in with your credentials

  • Add multiple server: this option is for scale deployment using a Service Principal and Client Secret

Arc manual install

3- Fill in the resource details

  • Subscription

  • Resource group

  • Region

  • OS

  • Connectivity:

    • Public endpoint: directly connect to Azure Arc via the internet

    • Proxy server: connect to Azure Arc via a proxy server

    • Private endpoint: connect to Azure Arc using private IP - this option requires connectivity between Azure and the device either via VPN (Point-2-Site or Site-2-Site) or Express Route

Arc manual install 2

4- Copy or download the generated script

Arc manual install 3

5- Finally, run the script on your machine from an administrative PowerShell window. The server should shortly appear in the Azure Arc portal.

Arc manual install 4


Warning sign


​Make sure to restart your VM/device to validate the Managed Identity connection to the VM


Configure Managed Identity permissions

The managed identity permissions are granted by adding an AppRoleAssignment to the Microsoft Graph built-in application


manged identity setup

1- Retrieve your managed identity object ID

From the Azure Portal > Enterprise Applications > Managed Identities


managed identity setup 2
managed identity setup 3
managed identity setup 4

2- Run the following PowerShell script to create a new Service Principal App Role Assignment for permissions.

The assignment requires Application.Read.All and AppRoleAssignment.ReadWrite.All.

$managedIdentityObjectId = "3da75678-1234-1234-123456789012" # Your Managed Identity Object Id here

# Connect to Grah SD with required permissions
Connect-MgGraph -Scopes 'Application.Read.All','AppRoleAssignment.ReadWrite.All' 

$serverApplicationName = "Microsoft Graph"
$serverServicePrincipalObjectId = (Get-MgServicePrincipal -Filter "DisplayName eq '$serverApplicationName'").Id

#Retrieving required permission to run our M365DSC resource
$ResourceName="IntuneDeviceConfigurationAdministrativeTemplatePolicyWindows10" 
$appRoleName = (Get-M365DSCCompiledPermissionList -ResourceNameList $ResourceName -PermissionType Application -AccessType Update).PermissionName
$appRoleId = ($serverServicePrincipal.AppRoles | Where-Object {$_.Value -eq $appRoleName }).Id

# Assign the managed identity access to the app role.
New-MgServicePrincipalAppRoleAssignment `
    -ServicePrincipalId $managedIdentityObjectId `
    -PrincipalId $managedIdentityObjectId `
    -ResourceId $serverServicePrincipalObjectId `
    -AppRoleId $appRoleId

The permission will be visible in the managed identity Permissions page

managed identity setup 5

Export your M365DSC export resource

The final part is to simply run your export with the ManagedIdentity switch

Export-M365DSCConfiguration -ManagedIdentity -Components $ResourceName -TenantId "mytenant.onmicrosoft.com"


export via managed identity result

Bonus

In the background, a web request is sent to the Graph API endpoint (https://graph.microsoft.com) from the Azure Arc agent IMDS Endpoint (http://localhost:40342).

The token is then retrieved directly from the agent and exploited as required.

This solution can easily be implemented for any Azure resource and run in most Windows and Linux environments.

$apiVersion = "2020-06-01"
$resource = "https://$resourceEndpoint"
$endpoint = "{0}?resource={1}&api-version={2}" -f $env:IDENTITY_ENDPOINT,$resource,$apiVersion
$secretFile = ""
try
{
    Invoke-WebRequest -Method GET -Uri $endpoint -Headers @{Metadata='True'} -UseBasicParsing
}
catch
{
    $wwwAuthHeader = $_.Exception.Response.Headers["WWW-Authenticate"]
     if ($wwwAuthHeader -match "Basic realm=.+")
     {
         $secretFile = ($wwwAuthHeader -split "Basic realm=")[1]
    }
}
$secret = Get-Content -Raw $secretFile
$response = Invoke-WebRequest -Method GET -Uri $endpoint -Headers @{Metadata='True'; Authorization="Basic $secret"} -UseBasicParsing
if ($response)
{
    $accessToken = (ConvertFrom-Json -InputObject $response.Content).access_token
}

warning sign

​You should always:

  • Use the least privilege permissions assigned to your Managed Identity

  • Restrict and monitor login to your worker node


Conclusion

This feature is very easy to configure and will allow you to take the full advantage of Microsoft 365 DSC following best security practices and simplify your authentication requirements and management.


Like always, don't hesitate to visit the M365DSC official website, YouTube channel and GitHub repository to learn more about the solution.


804 views0 comments

Comentários


bottom of page