ConfigureSCP.ps1
<#PSScriptInfo
.VERSION 1.0
.GUID 1c3815d8-144f-4681-8323-b32bef6965c5
.AUTHOR John D Pell
.COMPANYNAME Mayflower IS&T
.COPYRIGHT Original (c) Microsoft Corporation. Improvements (c) gaelicWizard.LLC.
.TAGS
.LICENSEURI
.PROJECTURI
.ICONURI
.EXTERNALMODULEDEPENDENCIES
.REQUIREDSCRIPTS
.EXTERNALSCRIPTDEPENDENCIES
.RELEASENOTES
Original imported from Azure AD Connect Seamless Single Sign-On manual script.
.PRIVATEDATA
#>
<#
.SYNOPSIS
Configures the service connection point for Hybrid Azure AD join in the current forest.
.DESCRIPTION
The ConfigureSCP.ps1 script inspects your on-premises Active Directory Domain Services forest and updates or creates the service connection point (SCP) for Hybrid Azure AD join and Single Sign-On.

The SCP is written under CN=Device Registration Configuration,CN=Services in the forest's Configuration naming context, and its "keywords" attribute is replaced with azureADName:<AADDomain> and azureADId:<AADTenant>. Any keywords already present on an existing SCP are removed first.

Writing to the Configuration naming context requires Enterprise Admin rights. NOTE(review): treat this object as security-sensitive - the tenant named in its keywords is the one Hybrid Azure AD join directs devices in this forest to, so write access to it should be reviewed like any other forest-wide setting.

Progress is reported only through Write-Verbose (run with -Verbose to see it); failures are reported through Write-Error.
.PARAMETER AADDomain
Specifies the Azure AD domain name that device registration should use. If you authenticate to Azure AD with federation, pass the federated domain name; otherwise pass the initial "default" domain, usually <contoso>.onmicrosoft.com.
.PARAMETER AADTenant
Specifies the GUID (tenant ID) of the Azure AD tenant.
.PARAMETER ADDSForest
Specifies the DNS name of your on-premises Active Directory Domain Services forest root domain, for example contoso.com. Pass a DNS name, not an LDAP distinguished name. When omitted, the script binds serverlessly, i.e. to the forest of the domain it is run in.
#>
Param(
[Parameter(Mandatory=$true)]
[ValidateNotNullOrEmpty()]
[String]$AADDomain,   # written to the SCP as "azureADName:<value>"
[Parameter(Mandatory=$true)]
[ValidateNotNullOrEmpty()]
[Guid]$AADTenant,     # written to the SCP as "azureADId:<value>"; the [Guid] cast rejects anything that is not a GUID
[String]$ADDSForest   # optional; empty selects serverless binding to the current forest
)
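function funHelp()
{
    # Prints usage and exits with status 1. Nothing in this file calls it; it is
    # kept for interactive use. The text is kept in sync with the Param() block:
    # the script takes -AADDomain, -AADTenant and an optional -ADDSForest (the
    # previous text advertised -Domain and -Help, which do not exist).
    $helpTxt = @"
NAME: ConfigureSCP.ps1
PURPOSE: Configures the service connection point for Hybrid Azure AD join in the current forest
REQUIREMENT: Must be run by an Enterprise Admin of the current forest (the SCP lives in the Configuration naming context)
PARAMETERS:
-AADDomain <NAME>   Specifies the Azure AD domain to use for device authentication
                    If you are using federation to authenticate with Azure AD, enter a federated domain name.
                    If you are not using federation, enter your primary *.onmicrosoft.com domain name.
-AADTenant <GUID>   Specifies the Azure AD tenant ID
-ADDSForest <NAME>  Optional. DNS name of the on-premises forest root domain; defaults to the current forest
EXAMPLES:
1. ConfigureSCP.ps1 -AADDomain contoso.com -AADTenant <tenant-guid>
2. ConfigureSCP.ps1 -AADDomain contoso.onmicrosoft.com -AADTenant <tenant-guid>
"@
    $helpTxt
    exit 1
}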
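<#
.SYNOPSIS
Converts a DNS-style domain name to an X.500-style distinguished name.
.DESCRIPTION
Splits the fully qualified domain name on "." and emits one DC= component per
label, so "contoso.com" becomes DC=contoso,DC=com. The string is parsed through
[X500DistinguishedName] so a malformed name fails here rather than inside a
later LDAP bind.

The input is validated before the DN is built. Empty labels (a leading or
trailing dot, or "a..b") and labels containing characters that are significant
in an RFC 4514 DN or an LDAP path (, = + < > # ; " \ and whitespace) are
rejected, because they would silently change the meaning of the path a caller
builds from the result. A single-label name ("contoso") is accepted and yields
DC=contoso.
.PARAMETER DomainName
Fully qualified DNS domain name (alias: Name). Surrounding whitespace is ignored.
.PARAMETER PassThru
Return the [X500DistinguishedName] object instead of its .Name string.
.OUTPUTS
System.String by default; System.Security.Cryptography.X509Certificates.X500DistinguishedName with -PassThru.
.EXAMPLE
ConvertTo-DistinguishedName -DomainName "Mayflower.IT"
.EXAMPLE
ConvertTo-DistinguishedName -Name "Mayflower.IT"
#>
Function ConvertTo-DistinguishedName()
{
    Param(
        [Parameter(Mandatory=$True)]
        [ValidateNotNullOrEmpty()]
        [Alias('Name')]
        [String]$DomainName,
        [Switch]$PassThru
    )

    # Plain ASCII quotes throughout: the previous version used typographic quotes,
    # which PowerShell tolerates but editors and copy/paste frequently do not.
    $labels = $DomainName.Trim().Split('.')

    foreach ($label in $labels)
    {
        if ([String]::IsNullOrEmpty($label))
        {
            throw "Invalid domain name '$DomainName': empty label (leading, trailing or doubled '.')."
        }
        # DN/LDAP-significant characters are not valid in a DNS label anyway;
        # rejecting them keeps an odd input from turning into a different DN.
        if ($label -match '[,=+<>#;"\\\s]')
        {
            throw "Invalid domain name '$DomainName': label '$label' contains characters not allowed in a DC= component."
        }
    }

    [X500DistinguishedName]$DistinguishedName = 'DC=' + ($labels -join ',DC=')

    if ($PassThru)
    {
        Write-Verbose "Passing thru [X500DistinguishedName]$DistinguishedName"
        return $DistinguishedName
    }

    return $DistinguishedName.Name
}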
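Write-Verbose "Configuring the SCP for Hybrid Azure AD join in your Active Directory forest."

## Set variables
# These two keywords are what the SCP carries: they name the Azure AD tenant
# that Hybrid Azure AD join uses for devices in this forest. Whoever can write
# this object can redirect device registration, which is why the help text
# demands Enterprise Admin.
$azureADId = "azureADId:" + $AADTenant
$azureADName = "azureADName:" + $AADDomain
$keywords = "keywords"
# Fixed RDN of the Hybrid Azure AD join SCP, as in the original Microsoft script.
$scpName = "CN=62a0ff2e-97b9-4513-943f-0d221bd30080"

# Serverless binding (LDAP:// with no host) targets the forest this session is
# logged on to. With -ADDSForest, every path is prefixed with that forest's DNS
# name so the DC locator picks a DC that actually holds its Configuration NC.
# The previous version bound to the forest's domain DN instead of RootDSE and
# then read configurationNamingContext from it; that attribute only exists on
# RootDSE, so $configCN came back empty and every DN below was malformed.
if (-not $ADDSForest)
{
    $ldap = "LDAP://"
}
else
{
    $forest = $ADDSForest.Trim()
    # The value is spliced into an ADsPath ("LDAP://<forest>/<dn>"); anything
    # outside the DNS character set ('/' in particular) would change the path.
    if ($forest -notmatch '^[A-Za-z0-9._-]+$')
    {
        throw "ADDSForest '$ADDSForest' is not a DNS domain name (expected something like contoso.com)."
    }
    $ldap = "LDAP://" + $forest + "/"
}

try
{
    # -ErrorAction Stop on New-Object turns a failed construction into a
    # terminating error that the catch below sees; exceptions raised by
    # property access and method calls (bind failures, CommitChanges) are
    # caught regardless.
    $rootDSE = New-Object System.DirectoryServices.DirectoryEntry($ldap + "RootDSE") -ErrorAction Stop
    $configCN = [String]$rootDSE.Properties["configurationNamingContext"][0]
    if ([String]::IsNullOrEmpty($configCN))
    {
        throw "Could not read configurationNamingContext from $($ldap)RootDSE."
    }
    $servicesCN = "CN=Services," + $configCN
    $drcCN = "CN=Device Registration Configuration," + $servicesCN
    $scpCN = $scpName + "," + $drcCN

    ## Get/Create: CN=Device Registration Configuration,CN=Services
    if ([System.DirectoryServices.DirectoryEntry]::Exists($ldap + $drcCN))
    {
        $deDRC = New-Object System.DirectoryServices.DirectoryEntry($ldap + $drcCN) -ErrorAction Stop
    }
    else
    {
        Write-Verbose "Creating $drcCN"
        $deServices = New-Object System.DirectoryServices.DirectoryEntry($ldap + $servicesCN) -ErrorAction Stop
        $deDRC = $deServices.Children.Add("CN=Device Registration Configuration", "container")
        $deDRC.CommitChanges()
    }

    ## Edit/Create: CN=62a0ff2e-97b9-4513-943f-0d221bd30080,CN=Device Registration Configuration,CN=Services
    if ([System.DirectoryServices.DirectoryEntry]::Exists($ldap + $scpCN))
    {
        $deSCP = New-Object System.DirectoryServices.DirectoryEntry($ldap + $scpCN) -ErrorAction Stop
        # Log what is being replaced: an unexpected tenant already on the SCP is
        # worth noticing before it is overwritten.
        $existing = @($deSCP.Properties[$keywords].Value) -join '; '
        Write-Verbose "Replacing existing keywords on $($scpName): $existing"
        $deSCP.Properties[$keywords].Clear()
    }
    else
    {
        Write-Verbose "Creating $scpCN"
        $deSCP = $deDRC.Children.Add($scpName, "serviceConnectionPoint")
    }
    # Add() returns the new index; discard it so the script emits no stray
    # integers on the pipeline.
    $deSCP.Properties[$keywords].Add($azureADName) | Out-Null
    $deSCP.Properties[$keywords].Add($azureADId) | Out-Null
    $deSCP.CommitChanges()

    Write-Verbose "Configuration complete!"
}
catch
{
    # The previous version tested the session-wide $Error list, which also
    # holds errors raised before this script started, so a clean run could be
    # reported as a failure. Report only the error that stopped this run.
    Write-Error "Configuration could not be completed."
    Write-Error -ErrorRecord $_
}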