aws-cloudformation-awsmad - Automating the setup of an Office 365-enabled AWS Directory Services Microsoft Active Directory - as per https://aws.amazon.com/blogs/security/how-to-enable-your-users-to-access-office-365-with-aws-microsoft-active-directory-credentials/
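# ADMgmt
## install chocolatey
# NOTE(review): this downloads install.ps1 from chocolatey.org and executes it straight
# from memory; the only integrity guarantee is TLS. If that is not acceptable, download the
# script, inspect/hash it, then run it. The policy change is scoped to this process (the
# original changed the persistent LocalMachine policy) and TLS 1.2 is forced, since the
# default WebClient protocol on older hosts is rejected by chocolatey.org.
[Net.ServicePointManager]::SecurityProtocol = [Net.ServicePointManager]::SecurityProtocol -bor [Net.SecurityProtocolType]::Tls12
Set-ExecutionPolicy Bypass -Scope Process -Force
iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))
## install firefox
choco install -y firefox
## install AD Tools
Import-Module ServerManager
Add-WindowsFeature RSAT-AD-Tools
## create testing accounts
# Passwords are prompted instead of hard-coded: the original committed the same weak
# 'Pa$$w0rd' for every account and it is now public. The test users share one lab password;
# the ADFSSVC password must match what is stored in the CloudFormation-PowerShell-Creds.ps1
# credential store that the ADFS section reads.
$DomainDN  = "OU=CLANCAMPBELL,DC=clancampbell,DC=id,DC=au"
$UpnSuffix = "clancampbell.id.au"   # the Office 365 domain verified later in this script
$TestUserPassword = Read-Host -AsSecureString -Prompt "Password for the test accounts (naaman, glen, preston, naomi)"
New-ADOrganizationalUnit -Name "Groups" -Path $DomainDN
New-ADGroup -Name "Sales" -GroupCategory Security -GroupScope Global -DisplayName "Sales Department" -Path "OU=Groups,$DomainDN" -Description "Members of the Sales Department"
$TestUsers = @(
    @{ Given = "Naaman";  Sam = "naaman"  },
    @{ Given = "Glen";    Sam = "glen"    },
    @{ Given = "Preston"; Sam = "preston" },
    @{ Given = "Naomi";   Sam = "naomi"   }
)
foreach ($u in $TestUsers) {
    New-ADUser -Name "$($u.Given) Campbell" -GivenName $u.Given -Surname "Campbell" `
        -SamAccountName $u.Sam -UserPrincipalName "$($u.Sam)@$UpnSuffix" `
        -AccountPassword $TestUserPassword -PassThru | Enable-ADAccount
}
Add-ADGroupMember Sales naaman,glen,preston,naomi
## create ADFSSVC user
# NOTE(review): a plain user account as the AD FS service account means a password that
# has to be rotated by hand (and an expiry that silently breaks AD FS). AWS Managed
# Microsoft AD supports gMSAs, which Install-AdfsFarm accepts via
# -GroupServiceAccountIdentifier — confirm against the AWS blog post before switching.
$ADFSSVCPassword = Read-Host -AsSecureString -Prompt "Password for ADFSSVC (must match the ADFS section's credential store)"
New-ADUser -Name "ADFS Service Account" -SamAccountName ADFSSVC -UserPrincipalName "ADFSSVC@$UpnSuffix" -AccountPassword $ADFSSVCPassword -PassThru | Enable-ADAccount
## create ADFS AD Containers
# AD FS stores its DKM keys under this container; the ADFS section's DKMContainerDn must
# name exactly this GUID, so it is printed for the operator.
$ContainerGUID = (New-Guid).Guid
New-ADObject -Name "ADFS" -Type Container -Path $DomainDN
New-ADObject -Name $ContainerGUID -Type Container -Path "CN=ADFS,$DomainDN"
Write-Host "ADFS DKM container created: CN=$ContainerGUID,CN=ADFS,$DomainDN"
# NOTE(review): presumably ADFSSVC also needs rights on this container (the linked AWS
# post covers the permissions step) — verify before running Install-AdfsFarm.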
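## add and verify Office 365 domain
New-MsolDomain -Name "clancampbell.id.au"
# The verification token is tenant-specific; the original hard-coded the author's
# "MS=ms30483840". Read the Text value the cmdlet returns for THIS tenant instead.
$verification = Get-MsolDomainVerificationDNS -DomainName "clancampbell.id.au" -Mode "DnsTxtRecord"
if (-not $verification.Text) { throw "No DnsTxtRecord verification value returned for the domain" }
$MSTXTValue = '"' + $verification.Text + '"'   # Route 53 TXT rdata must be double-quoted
## create TXT records within Route 53
Install-Module AWSPowerShell
$hostedZoneID = "XXXX"
$recordName = "clancampbell.id.au"
# Get-R53ResourceRecordSet returns the first record set at or AFTER the start name/type,
# so without this filter the values of an unrelated TXT record (a subdomain's, for
# example) would be merged into the apex record. Route 53 returns names with a trailing dot.
$existingSet = (Get-R53ResourceRecordSet -HostedZoneId $hostedZoneID -StartRecordName $recordName -StartRecordType "TXT" -MaxItem "1").ResourceRecordSets |
    Where-Object { $_.Name.TrimEnd('.') -eq $recordName -and $_.Type.Value -eq "TXT" }
$change1 = New-Object Amazon.Route53.Model.Change
$change1.Action = "UPSERT"
$change1.ResourceRecordSet = New-Object Amazon.Route53.Model.ResourceRecordSet
$change1.ResourceRecordSet.Name = $recordName
$change1.ResourceRecordSet.Type = "TXT"
$change1.ResourceRecordSet.TTL = 3600
# UPSERT replaces the whole record set, so carry over existing TXT values (SPF etc.).
# The token is skipped if already present: Route 53 rejects duplicate rdata, which made
# the original fail on a re-run.
if ($existingSet) {
    foreach ($existing in $existingSet.ResourceRecords) {
        if ($existing.Value -ne $MSTXTValue) {
            $change1.ResourceRecordSet.ResourceRecords.Add($existing.Value)
        }
    }
}
$change1.ResourceRecordSet.ResourceRecords.Add(@{Value=$MSTXTValue})
$params = @{
    HostedZoneId="$hostedZoneID"
    ChangeBatch_Comment="Create Office 365 Verification TXT Record"
    ChangeBatch_Change=$change1
}
Edit-R53ResourceRecordSet @params
## Confirm Office 365 domain
# Route 53 changes propagate within about a minute; re-run this line if it reports
# that the TXT record was not found.
Confirm-MsolDomain -DomainName "clancampbell.id.au"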
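# ADFS
## Generate and install SSL Certificate for sts.clancampbell.id.au
# NOTE(review): presumably .\acmecert.ps1 (like the credential script below) — PowerShell
# does not run scripts from the current directory by bare name. Confirm where it lives.
acmecert.ps1
## Setup ADFS
$Thumbprint = (Get-ACMECertificate -VaultProfile ':sys').Thumbprint
$ADFSCred = .\CloudFormation-PowerShell-Creds.ps1 -AccessCredential "ADFSSVC" -CredentialPath "C:\Admin\Keys\CF-Creds-20171018T0954207027"
$AdminCred = .\CloudFormation-PowerShell-Creds.ps1 -AccessCredential "Admin" -CredentialPath "C:\Admin\Keys\CF-Creds-20171018T0954207027"
# The DKM container must be the one created in the ADMgmt section ($ContainerGUID); the
# literal is the author's lab value and only a fallback when running in a fresh session.
$GUID = if ($ContainerGUID) { $ContainerGUID } else { "ddaf01c1-f1b5-4b2b-8778-97a0fa7be8b6" }
$FedServiceName = "sts.clancampbell.id.au"
$adminConfig = @{"DKMContainerDn"="CN=$GUID,CN=ADFS,OU=CLANCAMPBELL,DC=clancampbell,DC=id,DC=au"}
# NOTE(review): passing -SigningCertificateThumbprint / -DecryptionCertificateThumbprint
# disables AD FS automatic certificate rollover, and the ACME certificate is short-lived;
# every renewal then has to be republished to Azure AD (Update-MsolFederatedDomain) or
# federated sign-in breaks. Consider omitting those two parameters and letting AD FS
# manage self-signed signing/decryption certificates — verify against the AWS post.
Install-AdfsFarm -CertificateThumbprint $Thumbprint -FederationServiceName $FedServiceName -ServiceAccountCredential $ADFSCred -Credential $AdminCred -OverwriteConfiguration -AdminConfiguration $adminConfig -SigningCertificateThumbprint $Thumbprint -DecryptionCertificateThumbprint $Thumbprint
## Create Public DNS A Record via Route 53
# Use IMDSv2 (session token) rather than the unauthenticated IMDSv1 endpoint so that an
# SSRF on this host cannot read instance metadata as easily.
$imdsToken = Invoke-RestMethod -Method PUT -Uri "http://169.254.169.254/latest/api/token" -Headers @{ "X-aws-ec2-metadata-token-ttl-seconds" = "60" }
$publicIP = Invoke-RestMethod -Uri "http://169.254.169.254/latest/meta-data/public-ipv4" -Headers @{ "X-aws-ec2-metadata-token" = $imdsToken }
# NOTE(review): this points the federation name at the AD FS server's own public IP.
# Exposing AD FS directly, rather than behind a Web Application Proxy, is a lab shortcut;
# at minimum restrict the instance security group to 443 from the addresses that need it.
$hostedZoneID = "XXXX"
$change = New-Object Amazon.Route53.Model.Change
$change.Action = "UPSERT"   # CREATE fails if the record already exists; UPSERT is idempotent
$change.ResourceRecordSet = New-Object Amazon.Route53.Model.ResourceRecordSet
$change.ResourceRecordSet.Name = "$FedServiceName"
$change.ResourceRecordSet.Type = "A"
$change.ResourceRecordSet.TTL = 3600
$change.ResourceRecordSet.ResourceRecords.Add(@{Value="$publicIP"})
$params = @{
    HostedZoneId="$hostedZoneID"
    ChangeBatch_Comment="Create ADFS Federation Service Name A Record"
    ChangeBatch_Change=$change
}
Edit-R53ResourceRecordSet @params
## Enable IDP Sign On Page
# NOTE(review): the IdP-initiated sign-on page is off by default on AD FS 2016+ because it
# is a convenient target for password spraying and username enumeration. It is only needed
# here to test the farm; disable it again once federation is verified:
#   Set-ADFSProperties -EnableIdpInitiatedSignonPage $false
Set-ADFSProperties -EnableIdpInitiatedSignonPage $true
## Connect to Azure AD
Install-Module MSOnline
$MSOLCred = Get-Credential -Message "Azure AD Global Administrator" # TO-DO: retrieve from CF-PS-Creds.ps1
Connect-MsolService -Credential $MSOLCred
## Connect ADFS to Azure AD
# -Computer is the AD FS server's own FQDN (not the federation service name). $FQDN was
# never assigned in the original, so this call ran with an empty computer name.
$FQDN = "$env:COMPUTERNAME.$env:USERDNSDOMAIN".ToLower()
Set-MsolADFSContext -Computer $FQDN
# Converting the domain to federated re-routes sign-in for EVERY user in the domain
# through AD FS; make sure https://$FedServiceName is reachable from the internet first.
Convert-MsolDomainToFederated -Domain ($env:USERDNSDOMAIN).ToLower()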
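# ADSYNC
$AADConnectURL = "https://download.microsoft.com/download/B/0/0/B00291D0-5A83-4DE7-86F5-980BC00DE05A/AzureADConnect.msi"
$Installers = "C:\Admin\Software"
New-Item -ItemType Directory -Path $Installers -Force | Out-Null
Invoke-WebRequest -Uri $AADConnectURL -OutFile "$Installers\AzureADConnect.msi"
# Refuse to run an installer whose Authenticode signature is missing, broken, or not
# Microsoft's. TLS alone does not protect against a replaced download link.
$sig = Get-AuthenticodeSignature -FilePath "$Installers\AzureADConnect.msi"
if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
    throw "AzureADConnect.msi signature check failed (status: $($sig.Status))"
}
# Verify Azure AD Domain before running Azure AD Connect
#
# AZURE AD CONNECT DOES NOT SUPPORT UNATTENDED INSTALLATION :(
#
# https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-faq
# Follow: https://aws.amazon.com/blogs/security/how-to-enable-your-users-to-access-office-365-with-aws-microsoft-active-directory-credentials/
### RUN AS ADMIN ###
Import-Module ADSync
Get-ADSyncScheduler
#
# To ensure AD Groups are synchronised to AAD/O365, the group must have an email address
# and the Groups folder must be selected for synchronisation within Azure AD Connect
$GlobalAdmin = Get-Credential
# The original marked PSGallery as Trusted, a persistent machine-wide change that silences
# the untrusted-repository prompt for every later install. -Force on this one install
# achieves the same non-interactive result without that side effect.
Install-Module MSOnline -Scope CurrentUser -Force
Connect-MsolService -Credential $GlobalAdmin
# AccountSkuId values look like "<tenant>:DESKLESSPACK". The original Select-String call
# passed a scriptblock to -InputObject and does not appear to yield a usable SKU id.
$SKU = (Get-MsolAccountSku | Where-Object { $_.AccountSkuId -match "DESKLESS" }).AccountSkuId
if (-not $SKU) { throw "No DESKLESS SKU found in this tenant" }
# -SearchString is a prefix match, so pin the exact display name: a second "Sales ..."
# group would otherwise be licensed (and billed) by accident.
$SalesGroup = Get-MsolGroup -SearchString Sales | Where-Object { $_.DisplayName -eq "Sales" }
if (@($SalesGroup).Count -ne 1) { throw "Expected exactly one Azure AD group named 'Sales'" }
$GroupOID = $SalesGroup.ObjectId
# UsageLocation required before setting user licenses - review all common settings for new users
$SalesMembers = Get-MsolGroupMember -GroupObjectId $GroupOID
$SalesMembers | Set-MsolUser -UsageLocation AU
$SalesMembers | Set-MsolUserLicense -AddLicenses $SKU
### GTG -> https://portal.office.com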