Created
November 18, 2024 07:20
PowerShell script to add a FIDO2 security key to an Entra account.
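<#
.SYNOPSIS
Register FIDO2 on behalf of another user
.DESCRIPTION
This script registers a FIDO2 key on behalf of another user. The admin running it needs
the user's UPN and the security key that will become the user's credential: the
Register-Passkey step (DSInternals.Passkeys New-Passkey) interacts with a key reachable
from the machine running the script — confirm the exact ceremony against the module docs.
The script connects to Microsoft Graph with UserAuthenticationMethod.ReadWrite.All,
creates the passkey on the key and then registers the resulting credential on the user's
account in Entra ID through the beta users/{upn}/authentication/fido2Methods endpoint.
.NOTES
Security: UserAuthenticationMethod.ReadWrite.All lets the signed-in admin add sign-in
credentials to any user in the tenant. Run this only from a trusted admin workstation,
hand the key to the user over a verified channel, and review the resulting fido2Methods
entry (and the audit log) afterwards.
.PARAMETER TenantId
Tenant ID or verified domain passed to Connect-MgGraph.
.PARAMETER DisplayName
Display name stored on the registered FIDO2 key.
.PARAMETER UPN
User principal name of the user the key is registered for. Mandatory: the previous
placeholder default would have attempted registration on a nonexistent account.
#>
param (
    [ValidateNotNullOrEmpty()]
    [string]$TenantId = "xyz.onmicrosoft.com", # Your tenant ID
    [ValidateNotNullOrEmpty()]
    [string]$DisplayName = "YubiKey PowerShell", # Display name of the FIDO2 key
    [Parameter(Mandatory = $true)]
    [ValidateNotNullOrEmpty()]
    [string]$UPN # UPN of the user you want to register the FIDO2 key for
)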
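# Function to ensure a module is installed.
# Installs the module into the current user's scope when no version of it is available
# locally (or, when RequiredVersion is given, when that exact version is not available).
# Parameters:
#   ModuleName      - name of the module to check / install
#   RequiredVersion - optional exact version to install; pin this in production so a new
#                     upstream release cannot silently change the code this script runs
# NOTE(supply chain): -Force suppresses the "untrusted repository" prompt, so whatever
# repositories are registered on this machine are trusted implicitly. Make sure only
# PSGallery (or an internal, vetted mirror) is registered before running this.
function Ensure-Module {
    param (
        [Parameter(Mandatory = $true)]
        [string]$ModuleName,
        [string]$RequiredVersion
    )
    $available = Get-Module -Name $ModuleName -ListAvailable
    if ($RequiredVersion) {
        # Only the pinned version counts as "installed".
        $available = $available | Where-Object { $_.Version.ToString() -eq $RequiredVersion }
    }
    if (-not $available) {
        $installArgs = @{
            Name        = $ModuleName
            Scope       = 'CurrentUser'
            Force       = $true
            ErrorAction = 'Stop'
        }
        if ($RequiredVersion) { $installArgs['RequiredVersion'] = $RequiredVersion }
        Install-Module @installArgs
    }
}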
# Function to connect to Microsoft Graph
# Opens the Graph session that every later call in this script relies on, requesting
# only UserAuthenticationMethod.ReadWrite.All (the scope needed to add an authentication
# method to another user's account). A failed sign-in terminates the whole script with
# exit code 1, since nothing else can proceed without the session.
function Connect-ToMicrosoftGraph {
    param (
        [string]$TenantId
    )
    $connectArgs = @{
        Scopes      = 'UserAuthenticationMethod.ReadWrite.All'
        TenantId    = $TenantId
        ErrorAction = 'Stop'
    }
    try {
        Connect-MgGraph @connectArgs
    } catch {
        Write-Error "Failed to connect to Microsoft Graph: $_"
        exit 1
    }
}
# Function to register the passkey on the FIDO2 key
# Fetches the passkey registration options for the given user from Graph, then runs the
# passkey creation (New-Passkey) with those options and the requested display name.
# Returns whatever New-Passkey produced; any failure in either step terminates the
# script with exit code 1.
function Register-Passkey {
    param (
        [string]$UPN,
        [string]$DisplayName
    )
    try {
        $registrationOptions = Get-PasskeyRegistrationOptions -UserId $UPN -ErrorAction Stop
        $createdPasskey = New-Passkey -Options $registrationOptions -DisplayName $DisplayName -ErrorAction Stop
    } catch {
        Write-Error "Failed to register the passkey: $_"
        exit 1
    }
    return $createdPasskey
}
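# Function to register the FIDO2 key in Entra ID
# Posts the credential produced by New-Passkey to the beta fido2Methods endpoint of the
# target user. Parameters:
#   UPN         - user the method is added to. It is URL-encoded before being placed in the
#                 request path so a UPN containing '#', '%' or '?' (guest accounts look like
#                 user_domain.com#EXT#@tenant) cannot truncate or alter the URI.
#   DisplayName - display name stored on the method
#   FIDO2       - object returned by New-Passkey; it is parsed with ConvertFrom-Json through
#                 its string form, which is assumed to carry a publicKeyCredential JSON
#                 document — TODO confirm against the DSInternals.Passkeys version in use
# The Graph response (JSON) is written to the pipeline on success; any failure terminates
# the script with exit code 1.
function Register-FIDO2KeyInEntraID {
    param (
        [string]$UPN,
        [string]$DisplayName,
        [PSCustomObject]$FIDO2
    )
    try {
        $encodedUpn = [uri]::EscapeDataString($UPN)
        $URI = "https://graph.microsoft.com/beta/users/$encodedUpn/authentication/fido2Methods"
        $FIDO2JSON = $FIDO2 | ConvertFrom-Json
        $AttestationObject = $FIDO2JSON.publicKeyCredential.response.attestationObject
        $ClientDataJson = $FIDO2JSON.publicKeyCredential.response.clientDataJSON
        $Id = $FIDO2JSON.publicKeyCredential.id
        # Fail locally instead of sending an empty credential for Graph to reject.
        if ([string]::IsNullOrEmpty($Id) -or
            [string]::IsNullOrEmpty($AttestationObject) -or
            [string]::IsNullOrEmpty($ClientDataJson)) {
            throw "New-Passkey output is missing publicKeyCredential.id, response.attestationObject or response.clientDataJSON"
        }
        $Body = @{
            displayName = $DisplayName
            publicKeyCredential = @{
                id = $Id
                response = @{
                    clientDataJSON = $ClientDataJson
                    attestationObject = $AttestationObject
                }
            }
        }
        Invoke-MgGraphRequest -Method 'POST' `
            -Body $Body `
            -OutputType 'Json' `
            -ContentType 'application/json' `
            -Uri $URI `
            -ErrorAction Stop
    } catch {
        Write-Error "Failed to register the FIDO2 key in Entra ID: $_"
        exit 1
    }
}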
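# Function to verify the registration
# Reads the user's FIDO2 methods back from Graph and checks that one carries the expected
# display name. Parameters: UPN (user to query), DisplayName (name given to the new method).
# Exits with code 1 both when the Graph lookup fails and when no matching method is found;
# the original only reported the second case and let the script end with exit code 0.
# NOTE: matching on DisplayName alone also accepts a pre-existing method with the same
# name, so use a unique DisplayName per registration if this check must be authoritative.
function Verify-Registration {
    param (
        [string]$UPN,
        [string]$DisplayName
    )
    try {
        # -ErrorAction Stop so a failed Graph call actually reaches the catch block.
        $RegisteredKey = Get-MgBetaUserAuthenticationFido2Method -UserId $UPN -ErrorAction Stop |
            Where-Object { $_.DisplayName -eq $DisplayName }
    } catch {
        Write-Error "Failed to verify the registration: $_"
        exit 1
    }
    if ($RegisteredKey) {
        Write-Host "Passkey registered successfully for user $UPN."
    } else {
        Write-Error "Failed to verify the registration of the passkey."
        exit 1
    }
}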
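# Main script execution
# Order matters: modules first, then the Graph session, then the key ceremony, the
# registration and finally a read-back check. Each helper ends the script with exit 1
# on failure, so reaching Verify-Registration implies the earlier steps succeeded.
Ensure-Module -ModuleName "DSInternals.Passkeys"
Ensure-Module -ModuleName "Microsoft.Graph.Beta"
Connect-ToMicrosoftGraph -TenantId $TenantId
try {
    $FIDO2 = Register-Passkey -UPN $UPN -DisplayName $DisplayName
    Register-FIDO2KeyInEntraID -UPN $UPN -DisplayName $DisplayName -FIDO2 $FIDO2
    Verify-Registration -UPN $UPN -DisplayName $DisplayName
} finally {
    # Drop the privileged Graph session so the UserAuthenticationMethod.ReadWrite.All
    # token does not linger in this PowerShell session once the script is done.
    # NOTE(review): this finally is expected to run on the helpers' exit 1 paths too —
    # confirm on the PowerShell version in use.
    Disconnect-MgGraph -ErrorAction SilentlyContinue | Out-Null
}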