First published on MSDN on Oct 30, 2018
How to create a native app registration
This guide assumes that you already own an Azure Subscription, an Azure Active Directory properly setup and your PowerShell environment properly set for running scripts.
You might want to refer to this article first: https://blogs.msdn.microsoft.com/azuresqldbsupport/2018/10/26/azure-sql-database-token-base-authent...
Problem summary:
There might be a time when we you will want to create a PowerShell script that can perform some management operations against your Azure SQL Database, therefore you would want to have a trustworthy app that could connect to your Azure SQL DB instance and so it for you.
Explanation of this guide:
This guide will explain how to register your PowerShell script as a native application registration in AAD, so that you are able to run automated tasks from your PowerShell script.
Step 1: Create your native PowerShell application registration in Azure Active Directory
Go to your Azure portal and navigate all the way to your Azure Active Directory resource.
Once you are there, you should proceed to App Registrations under the "Manage" section.
Now proceed to click on +New application registration .
Once you are here, you will be prompted for some configurations and settings.
Under this configuration, please make sure you give your application a name, an application type and a redirect uri.
Once you have created the application, you should see a screen like this one below.
After you see this screen, there is some additional configuring we need to do.
Step 2: Configuring the Native app in AAD to connect to an Azure SQL DB endpoint.
Now that we have our app registered and created in AAD, please proceed to click on the "Settings" button, as show in the image above.
You should be able to see a blade with these options:
Now, we will need to configure the Redirect URIs, Owners and Required Permissions.
Step 3: Configuring your PowerShell script in your personal computer.
Fire up your PowerShell ISE window or Visual Studio code and make sure you add the following lines of code to your script.
Now, we must make sure to configure the following variables in our script:
Script
$tenantName = "{AAD DIRECTORY ID}" # Tenant Name this is found in AAD > Properties > Directory ID
$clientId = "{APPLICATION ID}" # Application ID is found in AAD > App Registrations > Application ID
$redirectUri = "{REDIRECT URI}" # Rediret URI is found in AAD > App Registrations > Settings > Redirect URIs
$resourceUri = "https://database.windows.net/" # Resource URI > Found in AAD > App Registrations > Settings > Required Permissions >
# Add > Search Bar *Type in* > Azure SQL DB > Add Rights > OK > OK > Grant permissions
$authorityUri = "https://login.microsoftonline.com/$tenantName" # Authority URI https://login.microsoftonline.com/{DirectoryId|TenantName}
function GetAuthToken {
# 64 bit make sure to change the version to the one available on your machine
$adalPath = "${env:ProgramFiles}\WindowsPowerShell\Modules\AzureRM.profile\5.5.1"
# 32 bit uncomment if this is your scenario
# adalPath = "${env:ProgramFiles(x86)}\WindowsPowerShell\Modules\AzureRM.profile\5.3.4"
$adal = "$adalPath\Microsoft.IdentityModel.Clients.ActiveDirectory.dll"
$adalforms = "$adalPath\Microsoft.IdentityModel.Clients.ActiveDirectory.WindowsForms.dll"
[System.Reflection.Assembly]::LoadFrom($adal) | Out-Null
[System.Reflection.Assembly]::LoadFrom($adalforms) | Out-Null
$authContext = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext" -ArgumentList $authorityUri
$authResult = $authContext.AcquireToken($resourceUri, $clientId, $redirectUri, "Always") # Not sure when to use AcquireToken() or AcquireTokenAsync()
return $authResult
}
# Call GetAuthToken to acquire token based on credentials entered in prompt
$authResult = GetAuthToken
$authResult.AccessToken
# Server name, database name and the connection string that will be used to open connection
$sqlServerUrl = "fcobo.database.windows.net"
$database = "TESTDB"
$connectionString = "Server=tcp:$sqlServerUrl,1433;Initial Catalog=$database;Persist Security Info=False;MultipleActiveResultSets=False;Encrypt=True;TrustServerCertificate=False;"
# Create the connection object
$connection = New-Object System.Data.SqlClient.SqlConnection($connectionString)
# Set AAD generated token to SQL connection token
$connection.AccessToken = $authResult.AccessToken
$connection.AccessToken
# prints the connection information, it's still closed at this point, will open later on. The token is already attached.
$connection
# Query that will be sent when the connection is open. I had a 4,000 record table and I was able to truncate with this script
$query = "TRUNCATE TABLE TEST1"
# Opens connection to Azure SQL Database and executes a query
$connection.Open()
# After this, the token is no longer there, I believe this is because the authentication went through already, so it gets rid of it.
$connection
$command = New-Object -Type System.Data.SqlClient.SqlCommand($query, $connection)
$command.ExecuteNonQuery()
$connection.Close()
Now feel free to modify the script and adapt it to your particular needs! :)
Hope this guide helps you on your endeavors.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.