The latest release of MSCloudLoginAssistant (1.0.112), used by M365DSC to connect to Microsoft 365 workloads, supports system-managed identities for Azure Arc Connected devices. and can be used with any M365DSC resources based on the Graph API such as Intune, Azure AD, and Planner workloads.
Azure Arc is a technology connecting your on-premises and 3rd party cloud environment to Azure for monitoring, governance and in our case authentication.
When a device is connected to Azure Arc, a System-Managed Identity also called Managed Service Identity (MSI) is automatically provisioned. It allows the device to authenticate to any Azure resources such as Key Vault, Storage account or the Graph API without the need to manage a client secret or a certificate. It will securely obtain an Azure AD token. This identity is bound to the machine and its assigned permissions.
In this blog, we will walk through onboarding a local virtual machine to Azure Arc and use its managed identity to extract an Intune Administrative Template configuration profile.
Table of content
Pre-Requisites
I will only mention the pre-requisites relevant to M365DSC:
An Azure subscription
Windows Server 2012R2 and later
Windows 10,11
.Net 4.6 or later
PowerShell 4.0 or later
Azure resource providers enabled on the subscription:
Microsoft.HybridCompute
Microsoft.GuestConfiguration
Microsoft.HybridConnectivity
Connect server to Azure Arc
First step is to connect our server to Azure with Azure Arc.
1- From the Azure Portal > Azure Arc > Servers > and press Add
2- There are 2 onboarding options are available:
Add a single server: this option is interactive and will require to log in with your credentials
Add multiple server: this option is for scale deployment using a Service Principal and Client Secret
3- Fill in the resource details
Subscription
Resource group
Region
OS
Connectivity:
Public endpoint: directly connect to Azure Arc via the internet
Proxy server: connect to Azure Arc via a proxy server
Private endpoint: connect to Azure Arc using private IP - this option requires connectivity between Azure and the device either via VPN (Point-2-Site or Site-2-Site) or Express Route
4- Copy or download the generated script
5- Finally, run the script on your machine from an administrative PowerShell window. The server should shortly appear in the Azure Arc portal.
 | ​Make sure to restart your VM/device to validate the Managed Identity connection to the VM |
Configure Managed Identity permissions
The managed identity permissions are granted by adding an AppRoleAssignment to the Microsoft Graph built-in application
1- Retrieve your managed identity object ID
From the Azure Portal > Enterprise Applications > Managed Identities
2- Run the following PowerShell script to create a new Service Principal App Role Assignment for permissions.
The assignment requires Application.Read.All and AppRoleAssignment.ReadWrite.All.
$managedIdentityObjectId = "3da75678-1234-1234-123456789012" # Your Managed Identity Object Id here
# Connect to Grah SD with required permissions
Connect-MgGraph -Scopes 'Application.Read.All','AppRoleAssignment.ReadWrite.All'
$serverApplicationName = "Microsoft Graph"
$serverServicePrincipalObjectId = (Get-MgServicePrincipal -Filter "DisplayName eq '$serverApplicationName'").Id
#Retrieving required permission to run our M365DSC resource
$ResourceName="IntuneDeviceConfigurationAdministrativeTemplatePolicyWindows10"
$appRoleName = (Get-M365DSCCompiledPermissionList -ResourceNameList $ResourceName -PermissionType Application -AccessType Update).PermissionName
$appRoleId = ($serverServicePrincipal.AppRoles | Where-Object {$_.Value -eq $appRoleName }).Id
# Assign the managed identity access to the app role.
New-MgServicePrincipalAppRoleAssignment `
-ServicePrincipalId $managedIdentityObjectId `
-PrincipalId $managedIdentityObjectId `
-ResourceId $serverServicePrincipalObjectId `
-AppRoleId $appRoleIdThe permission will be visible in the managed identity Permissions page
Export your M365DSC export resource
The final part is to simply run your export with the ManagedIdentity switch
Export-M365DSCConfiguration -ManagedIdentity -Components $ResourceName -TenantId "mytenant.onmicrosoft.com"
Bonus
In the background, a web request is sent to the Graph API endpoint (https://graph.microsoft.com) from the Azure Arc agent IMDS Endpoint (http://localhost:40342).
The token is then retrieved directly from the agent and exploited as required.
This solution can easily be implemented for any Azure resource and run in most Windows and Linux environments.
$apiVersion = "2020-06-01"
$resource = "https://$resourceEndpoint"
$endpoint = "{0}?resource={1}&api-version={2}" -f $env:IDENTITY_ENDPOINT,$resource,$apiVersion
$secretFile = ""
try
{
Invoke-WebRequest -Method GET -Uri $endpoint -Headers @{Metadata='True'} -UseBasicParsing
}
catch
{
$wwwAuthHeader = $_.Exception.Response.Headers["WWW-Authenticate"]
if ($wwwAuthHeader -match "Basic realm=.+")
{
$secretFile = ($wwwAuthHeader -split "Basic realm=")[1]
}
}
$secret = Get-Content -Raw $secretFile
$response = Invoke-WebRequest -Method GET -Uri $endpoint -Headers @{Metadata='True'; Authorization="Basic $secret"} -UseBasicParsing
if ($response)
{
$accessToken = (ConvertFrom-Json -InputObject $response.Content).access_token
} | ​You should always:
|
Conclusion
This feature is very easy to configure and will allow you to take the full advantage of Microsoft 365 DSC following best security practices and simplify your authentication requirements and management.
Like always, don't hesitate to visit the M365DSC official website, YouTube channel and GitHub repository to learn more about the solution.