Jan 02 2023 02:52 AM - edited Jan 02 2023 02:52 AM
Greetings,
Recently we migrated a locally hosted website to Azure. That website, let's call it "KM", is only used for displaying information, which is queried from an MS SQL database. KM moved to the cloud along with the database itself, is accessible via App Proxy and is working smoothly.
Now for the problem: I have a PowerShell script that fetched the information on the webpage for me and automated a couple of tasks I had to do manually. Now that KM is gated behind the App Proxy, I have problems properly interacting with it. I always just grabbed the web HTML code, did a bit of parsing and had everything set up, but no matter what kind of authentication I try, I cannot get through to KM itself.
No matter what I do, the only result I got so far is the Microsoft Authentication page:
<!-- Copyright (C) Microsoft Corporation. All rights reserved. -->
<!DOCTYPE html>
<html dir="ltr" class="" lang="en">
<head>
<title>Sign in to your account</title>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
rest omitted
I already tried various ways for the request, but all lead to the same result:
#The previous request
$Results = Invoke-RestMethod -Method Get -Uri https://km.domainname -UseDefaultCredentials
#WebClient
$WC = New-Object System.Net.WebClient
$WC.UseDefaultCredentials = $true
$Results = $WC.DownloadString("https://km.domainname")
#Creating an Auth Token via OAuth Device Auth Grant Flow
#https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-device-code
#I omitted the first stages of the process for readability
$RequestParams = @{
    Method  = 'GET'
    Uri     = 'https://km.domainname'
    Headers = @{
        'Authorization' = "Bearer $Token"
    }
}
$Results = Invoke-RestMethod @RequestParams
All of these have yielded nothing so far. Since the result is so consistently the sign-in page, I suppose the correct path is a fundamentally different approach. Is there a way to properly authenticate so I can access KM via PowerShell again?
Jan 05 2023 12:27 AM
Solution
If anyone finds this later on, I found a solution myself:
The main help was this documentation: Accessing API through AppProxy
You need an App Registration and then request a token through that AppReg using MSAL.
# Preconfiguration:
# https://learn.microsoft.com/en-us/azure/active-directory/app-proxy/application-proxy-secure-api-access
$AppRegClientID = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
$TenantID = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
Import-Module MSAL.PS
# Request a token for the App Proxy application's user_impersonation scope.
# The URIs are quoted because the <domain> placeholder would otherwise be parsed as a redirection operator.
$mytoken = Get-MsalToken -ClientId $AppRegClientID -TenantId $TenantID -Scopes "https://km.<domain>/user_impersonation"
# Send the access token as a bearer token in the Authorization header
$accessToken = @{ Authorization = "Bearer $($mytoken.AccessToken)" }
$request = Invoke-WebRequest -Method Get -Headers $accessToken -Uri "https://km.<domain>"
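A way to confirm, before calling KM, that the token returned by Get-MsalToken was issued for the App Proxy application and carries the user_impersonation scope. This is an added example, not part of the original post; the function names, the ExpectedAudience value and the km.example.invalid host are assumptions.

```powershell
# Added example, not from the original post. Decodes a JWT payload locally
# (no signature check; the receiving service does that) to inspect its claims.
function Get-JwtClaims {
    param([Parameter(Mandatory)][string]$Token)

    $parts = $Token.Split('.')
    if ($parts.Count -ne 3) { throw 'Not a compact JWT (expected 3 dot-separated parts).' }

    # base64url -> base64: swap the URL-safe characters and restore padding
    $b64 = $parts[1].Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) {
        1 { throw 'Invalid base64url length.' }
        2 { $b64 += '==' }
        3 { $b64 += '=' }
    }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64)) | ConvertFrom-Json
}

function Test-AppProxyToken {
    param(
        [Parameter(Mandatory)][string]$Token,
        # Assumption: the audience your App Proxy app expects (App ID URI or client ID)
        [Parameter(Mandatory)][string]$ExpectedAudience,
        [string]$ExpectedScope = 'user_impersonation'
    )
    $claims  = Get-JwtClaims -Token $Token
    $expires = [DateTimeOffset]::FromUnixTimeSeconds([long]$claims.exp)
    [pscustomobject]@{
        Audience   = $claims.aud
        AudienceOk = (([string]$claims.aud).TrimEnd('/') -eq $ExpectedAudience.TrimEnd('/'))
        ScopeOk    = ((([string]$claims.scp) -split ' ') -contains $ExpectedScope)
        ExpiresUtc = $expires.UtcDateTime
        NotExpired = ($expires -gt [DateTimeOffset]::UtcNow)
    }
}

# Constructed, unsigned sample token; km.example.invalid is a placeholder host
$enc = {
    param($s)
    [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($s)).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}
$payload = '{"aud":"https://km.example.invalid","scp":"user_impersonation","exp":4102444800}'
$sample  = '{0}.{1}.sig' -f (& $enc '{"alg":"none"}'), (& $enc $payload)

Test-AppProxyToken -Token $sample -ExpectedAudience 'https://km.example.invalid'
```

With a real token, pass `$mytoken.AccessToken` as `-Token`; if AudienceOk or ScopeOk is false, the token was issued for a different resource or scope than the one requested for KM.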