aws-cloudformation-awsmad - Automating the setup of an Office 365-enabled AWS Directory Services Microsoft Active Directory - as per https://aws.amazon.com/blogs/security/how-to-enable-your-users-to-access-office-365-with-aws-microsoft-active-directory-credentials/
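# ADMgmt
#
# Run on the AD management instance (domain-joined, using the delegated admin
# account for the AWS Managed Microsoft AD OU). These are one-shot setup steps:
# apart from the Route 53 UPSERT nothing is idempotent, so re-running a step
# errors on objects that already exist.
#
# NOTE(review): the original notes hard-coded the test-account and ADFSSVC
# passwords in a public gist. They are prompted for below instead; a credential
# pasted into a gist has to be treated as compromised.
## install chocolatey
# Chocolatey's bootstrap is download-and-execute. Force TLS 1.2 before fetching
# it (.NET on older Windows builds may not negotiate TLS 1.2 by default).
# Set-ExecutionPolicy here persists Bypass machine-wide; add -Scope Process if
# that is not wanted on this host.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Set-ExecutionPolicy Bypass
iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))
## install firefox
choco install -y firefox
## install AD Tools
Import-Module ServerManager
Add-WindowsFeature RSAT-AD-Tools
## create testing accounts
# One shared initial password for the four unprivileged test users.
$TestPassword = Read-Host -AsSecureString "Initial password for the test accounts"
New-ADOrganizationalUnit -Name "Groups" -Path "OU=CLANCAMPBELL,DC=clancampbell,DC=id,DC=au"
New-ADGroup -Name "Sales" -GroupCategory Security -GroupScope Global -DisplayName "Sales Department" -Path "OU=Groups,OU=CLANCAMPBELL,DC=clancampbell,DC=id,DC=au" -Description "Members of the Sales Department"
foreach ($u in @(
        @{ Given = "Naaman";  Sam = "naaman"  },
        @{ Given = "Glen";    Sam = "glen"    },
        @{ Given = "Preston"; Sam = "preston" },
        @{ Given = "Naomi";   Sam = "naomi"   })) {
    New-ADUser -Name "$($u.Given) Campbell" -GivenName $u.Given -Surname "Campbell" `
        -SamAccountName $u.Sam -UserPrincipalName "$($u.Sam)@clancampbell.id.au" `
        -AccountPassword $TestPassword -PassThru | Enable-ADAccount
}
Add-ADGroupMember Sales naaman,glen,preston,naomi
## create ADFSSVC user
# Dedicated service account for the ADFS farm (passed to Install-AdfsFarm
# -ServiceAccountCredential on the ADFS host). It gets its own password and
# must not share one with the test users. Where the directory supports it, a
# group managed service account (gMSA) avoids password handling altogether.
$AdfsSvcPassword = Read-Host -AsSecureString "Password for ADFSSVC"
New-ADUser -Name "ADFS Service Account" -SamAccountName ADFSSVC -UserPrincipalName adfssvc@clancampbell.id.au -AccountPassword $AdfsSvcPassword -PassThru | Enable-ADAccount
## create ADFS AD Containers
# ADFS is pointed at a custom DKM container inside the delegated OU (see
# -AdminConfiguration in the ADFS section) — presumably because the managed
# directory does not grant rights at the default CN=Program Data location; the
# linked AWS blog post explains the reasoning.
$ContainerGUID = (New-Guid).Guid
New-ADObject -Name "ADFS" -Type Container -Path "OU=CLANCAMPBELL,DC=clancampbell,DC=id,DC=au"
New-ADObject -Name $ContainerGUID -Type Container -Path "CN=ADFS,OU=CLANCAMPBELL,DC=clancampbell,DC=id,DC=au"
# Record this value: the ADFS section expects it in $GUID and it is copied by
# hand, so a typo silently points ADFS at a container that does not exist.
Write-Host "DKM container GUID (needed for `$GUID on the ADFS host): $ContainerGUID"
# NOTE(review): the ADFS service account also needs rights on this container
# to store its DKM keys; that delegation is not in these notes — confirm it
# was done per the blog post before running Install-AdfsFarm.
## add and verify Office 365 domain
# Needs an MSOnline session with a tenant Global Administrator.
Install-Module MSOnline
Connect-MsolService -Credential (Get-Credential -Message "Office 365 Global Administrator")
New-MsolDomain -Name "clancampbell.id.au"
# Prints the verification token, e.g. "Text : MS=ms30483840"; it is read from
# the object below (assumes the token is in the .Text property, as that output
# suggests — TODO confirm) instead of being pasted into $MSTXTValue by hand.
$verification = Get-MsolDomainVerificationDNS -DomainName "clancampbell.id.au" -Mode "DnsTxtRecord"
$verification
## create TXT records within Route 53
Install-Module AWSPowerShell
$hostedZoneID = "XXXX"   # Route 53 hosted zone for clancampbell.id.au
$recordName = "clancampbell.id.au"
# Route 53 requires TXT values to be double-quoted.
$MSTXTValue = '"' + $verification.Text + '"'
# Get-R53ResourceRecordSet lists records starting at (Name, Type) in DNS
# order: when no TXT record exists at the apex it returns whichever record
# sorts next. Keep only an exact match, otherwise that foreign record's values
# would be merged into the UPSERT below.
$existingRecs = (Get-R53ResourceRecordSet -HostedZoneId $hostedZoneID -StartRecordName $recordName -StartRecordType "TXT" -MaxItem "1").ResourceRecordSets |
    Where-Object { $_.Name.TrimEnd('.') -eq $recordName -and $_.Type.Value -eq "TXT" } |
    Select-Object -ExpandProperty ResourceRecords
$change1 = New-Object Amazon.Route53.Model.Change
$change1.Action = "UPSERT"
$change1.ResourceRecordSet = New-Object Amazon.Route53.Model.ResourceRecordSet
$change1.ResourceRecordSet.Name = $recordName
$change1.ResourceRecordSet.Type = "TXT"
$change1.ResourceRecordSet.TTL = 3600
# UPSERT replaces the whole record set, so carry existing TXT values (SPF etc.)
# forward rather than clobbering them; skip an already-present token so a
# re-run does not create a duplicate value. foreach over $null runs zero times.
foreach ($rec in $existingRecs) {
    if ($rec.Value -ne $MSTXTValue) {
        $change1.ResourceRecordSet.ResourceRecords.Add(@{Value=$rec.Value})
    }
}
$change1.ResourceRecordSet.ResourceRecords.Add(@{Value=$MSTXTValue})
$params = @{
    HostedZoneId="$hostedZoneID"
    ChangeBatch_Comment="Create Office 365 Verification TXT Record"
    ChangeBatch_Change=$change1
}
Edit-R53ResourceRecordSet @params
## Confirm Office 365 domain
# Wait for the change to reach INSYNC / resolve publicly first; confirmation
# fails while the token is not yet visible in DNS.
Confirm-MsolDomain -DomainName "clancampbell.id.au"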
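# ADFS
#
# Run on the ADFS host (domain-joined, AD FS role installed). Relies on the
# CloudFormation credential bundle under C:\Admin\Keys and on acmecert.ps1 /
# the ACMESharp module for the public TLS certificate.
## Generate and install SSL Certificate for sts.clancampbell.id.au
acmecert.ps1
## Setup ADFS
# Thumbprint of the certificate acmecert.ps1 put in the ':sys' ACME vault.
$Thumbprint = (Get-ACMECertificate -VaultProfile ':sys').Thumbprint
# Credentials are read from the CloudFormation-generated bundle, not typed in.
$ADFSCred = .\CloudFormation-PowerShell-Creds.ps1 -AccessCredential "ADFSSVC" -CredentialPath "C:\Admin\Keys\CF-Creds-20171018T0954207027"
$AdminCred = .\CloudFormation-PowerShell-Creds.ps1 -AccessCredential "Admin" -CredentialPath "C:\Admin\Keys\CF-Creds-20171018T0954207027"
# $GUID must be the name of the container created under CN=ADFS in the ADMgmt
# section (it was generated with New-Guid there and is copied by hand).
$GUID = "ddaf01c1-f1b5-4b2b-8778-97a0fa7be8b6"
$FedServiceName = "sts.clancampbell.id.au"
$adminConfig = @{"DKMContainerDn"="CN=$GUID,CN=ADFS,OU=CLANCAMPBELL,DC=clancampbell,DC=id,DC=au"}
# NOTE(review): the same public TLS certificate is used for service
# communications, token signing and token decryption. ADFS otherwise generates
# self-signed token certificates that it rolls automatically; tying them to an
# ACME-issued certificate means every renewal changes the token-signing key
# Azure AD trusts, so Update-MsolFederatedDomain must be re-run after each
# renewal or federated sign-in breaks. -OverwriteConfiguration also discards
# any existing farm configuration on this host.
Install-AdfsFarm -CertificateThumbprint $Thumbprint -FederationServiceName $FedServiceName -ServiceAccountCredential $ADFSCred -Credential $AdminCred -OverwriteConfiguration -AdminConfiguration $adminConfig -SigningCertificateThumbprint $Thumbprint -DecryptionCertificateThumbprint $Thumbprint
## Create Public DNS A Record via Route 53
# Query instance metadata with IMDSv2 (a session token on every request) so
# this keeps working when the instance enforces HttpTokens=required; the
# unauthenticated IMDSv1 path is the one SSRF-style attacks abuse.
$imdsToken = Invoke-RestMethod -Method Put -Uri "http://169.254.169.254/latest/api/token" -Headers @{ "X-aws-ec2-metadata-token-ttl-seconds" = "60" }
$publicIP = Invoke-RestMethod -Uri "http://169.254.169.254/latest/meta-data/public-ipv4" -Headers @{ "X-aws-ec2-metadata-token" = $imdsToken }
# public-ipv4 is absent (404) on instances without a public address; fail
# here rather than publishing an empty A record.
if (-not $publicIP) { throw "No public IPv4 address found in instance metadata" }
$hostedZoneID = "XXXX"   # Route 53 hosted zone for clancampbell.id.au
$change = New-Object Amazon.Route53.Model.Change
# CREATE (unlike the TXT step's UPSERT) errors if an sts record already
# exists, so an existing record is never silently repointed at this instance.
# Switch to UPSERT if this needs to be re-runnable.
$change.Action = "CREATE"
$change.ResourceRecordSet = New-Object Amazon.Route53.Model.ResourceRecordSet
$change.ResourceRecordSet.Name = "$FedServiceName"
$change.ResourceRecordSet.Type = "A"
$change.ResourceRecordSet.TTL = 3600
$change.ResourceRecordSet.ResourceRecords.Add(@{Value="$publicIP"})
$params = @{
    HostedZoneId="$hostedZoneID"
    ChangeBatch_Comment="Create ADFS Federation Service Name A Record"
    ChangeBatch_Change=$change
}
Edit-R53ResourceRecordSet @params
## Enable IDP Sign On Page
# The IdP-initiated sign-on page is only needed to test that ADFS authenticates
# AD users from a browser. It is a public credential form (and is disabled by
# default on newer ADFS releases), so turn it back off once testing is done:
#   Set-ADFSProperties -EnableIdpInitiatedSignonPage $false
Set-ADFSProperties -EnableIdpInitiatedSignonPage $true
## Connect to Azure AD
Install-Module MSOnline
$MSOLCred = Get-Credential # TO-DO: retrieve from CF-PS-Creds.ps1
Connect-MsolService -Credential $MSOLCred
## Connect ADFS to Azure AD
# Set-MsolADFSContext takes the ADFS server's computer name; the original
# notes referenced $FQDN without ever assigning it. Presumably the server this
# runs on (Install-AdfsFarm above was local), so resolve the local FQDN —
# confirm against the blog post if the primary ADFS node is elsewhere.
$FQDN = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
Set-MsolADFSContext -Computer $FQDN
# $env:USERDNSDOMAIN is the AD DNS domain, which here is also the verified
# Office 365 domain; lower-cased to match how the tenant lists it.
Convert-MsolDomainToFederated -Domain ($env:USERDNSDOMAIN).ToLower()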
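# ADSYNC
#
# Run on the Azure AD Connect host. Downloads and verifies the installer; the
# installation itself is interactive (see the note below).
$AADConnectURL = "https://download.microsoft.com/download/B/0/0/B00291D0-5A83-4DE7-86F5-980BC00DE05A/AzureADConnect.msi"
$Installers = "C:\Admin\Software"
# Invoke-WebRequest -OutFile fails if the target directory is missing.
New-Item -ItemType Directory -Force -Path $Installers | Out-Null
Invoke-WebRequest -Uri $AADConnectURL -OutFile "$Installers\AzureADConnect.msi"
# The download is over HTTPS but is not otherwise checked. Refuse to proceed
# unless the MSI carries a valid Authenticode signature from Microsoft, so a
# tampered or substituted installer is never run.
$sig = Get-AuthenticodeSignature "$Installers\AzureADConnect.msi"
if ($sig.Status -ne "Valid" -or $sig.SignerCertificate.Subject -notmatch "O=Microsoft Corporation") {
    throw "AzureADConnect.msi failed signature verification (status: $($sig.Status)); not installing"
}
# Verify Azure AD Domain before running Azure AD Connect
#
# AZURE AD CONNECT DOES NOT SUPPORT UNATTENDED INSTALLATION :(
#
# https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-faq
# Follow: https://aws.amazon.com/blogs/security/how-to-enable-your-users-to-access-office-365-with-aws-microsoft-active-directory-credentials/
### RUN AS ADMIN ###
Import-Module ADSync
Get-ADSyncScheduler
#
# To ensure AD Groups are synchronised to AAD/O365, the group must have an email address
# and the Groups folder must be selected for synchronisation within Azure AD Connect
$GlobalAdmin = Get-Credential
# The original notes set PSGallery's InstallationPolicy to Trusted, which is a
# persistent machine-wide change that silences the untrusted-repository prompt
# for every future Install-Module. -Force skips the prompt for this one
# install only.
Install-Module MSOnline -Scope CurrentUser -Force
Connect-MsolService -Credential $GlobalAdmin
# Pick the SKU to license the test users with (the tenant's "DESKLESS" plan).
# The original piped Get-MsolAccountSku into Select-String with an explicit
# -InputObject, which does not filter the pipeline input; match AccountSkuId
# directly and fail clearly if the tenant has no such SKU.
$SKU = (Get-MsolAccountSku | Where-Object { $_.AccountSkuId -match "DESKLESS" } | Select-Object -First 1).AccountSkuId
if (-not $SKU) { throw "No DESKLESS SKU found in the tenant; check Get-MsolAccountSku" }
# -SearchString matches on display-name prefix, so any other group starting
# with "Sales" would make $GroupOID an array and break Get-MsolGroupMember;
# narrow to the exact group name.
$GroupOID = (Get-MsolGroup -SearchString Sales | Where-Object { $_.DisplayName -eq "Sales" }).ObjectId
if (-not $GroupOID) { throw "Group 'Sales' not found in Azure AD; has it synchronised yet?" }
# UsageLocation required before setting user licenses - review all common settings for new users
Get-MsolGroupMember -GroupObjectId $GroupOID | Set-MsolUser -UsageLocation AU
Get-MsolGroupMember -GroupObjectId $GroupOID | Set-MsolUserLicense -AddLicenses $SKU
### GTG -> https://portal.office.com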