Oliver Script: A Holiday Tale–Part 6


Summary: Oliver manages Azure and Office 365 with Windows PowerShell and discovers how to store credentials securely.

   Note This is the sixth post in a series. To catch up, read:

When we last left Oliver, he was heading out to begin his new job for a Microsoft Gold Partner in a wintery hell. All he could remember after arriving in his new home was that he had never seen so much snow in his entire life. A simple four-hour drive turned into a twenty-hour crawl through a blizzard. He could see trucks flipped over everywhere along the side of the road.

He also neglected to take care of some small, but critical, details in this venture. These included preparing for the far colder temperatures and getting proper footwear for this environment.

His new boss, Mr. Brownlow, greeted Oliver at his car and looked him over, “You know you’ll need something a little better than that for up here, right?”

Oliver was puzzled. Sneakers and a light but durable black jacket that he got at Microsoft TechNet had always served him well, and he could not understand the need for anything more.

And then he walked to the office through the two-foot high snow drifts…

The laughter from his new coworkers as the poor fellow walked in, freezing and soaked through from the melting snow, was too much to bear. New boots were definitely in order, and perhaps a good coat.

His new boss drove him to a local shop and bought Oliver a fine coat to keep the elements out and a decent pair of Kamik boots. “My young fellow, we’re making money from your brain, so it's best to protect that good investment,” said the balding fellow as he patted Oliver on the back.

Work in the new company began well for our young IT champion. Challenges began to be thrown to him from left, right, and center for each key technology from Microsoft, including a surprise that he hadn’t expected…

“Oliver, any chance you know anything about Lync 2013?” the question came one day.

In his previous environment, he had managed Microsoft Office Communications Server 2007 R2, which was Lync’s cousin. “I might be able to figure it out.”

“Excellent! Our Lync expert recently left us, and he had a pile of projects he was in the midst of and…errr…he forgot to leave us his documentation.”

Oliver promised he would see what he could do. The young fellow set about to play with Lync 2013 in a lab environment over the next few weeks to understand the basics of the environment. He found it similar enough to what he had to manage earlier, and he was able to teach himself enough of the missing pieces.

He even managed to finish the company’s on-premise Lync 2013 server and fix some minor issues it had.

Impressed with Oliver’s skill set, Mr. Brownlow came forward with a proposition for Oliver, “We’re going to be doing a lot of migrations to Office 365. I understand that you love automation. I heard you mention that you think we can have a simpler approach than navigating the web-based console to configure everything.”

Oliver smiled, “Oh yes! Absolutely! The entire environment can be managed by using Windows PowerShell cmdlets!”

Mr. Brownlow tapped his nose. “Good. I think for this we’ll invest some time and send you to Azure University! I think with proper training, we can really take advantage of your skills—especially if you learn the Azure environment.”

So it happened. Oliver was off to school again, if only for a few days to learn more about Microsoft Azure. It was there that Oliver met his teacher, who introduced some interesting trivia. “I wrote the Windows PowerShell cmdlets for Azure,” he said as introductions to the class began.

The course was interesting, but this made Oliver pay that much more attention. He immediately began to dive into the courseware and modules to learn how to access information and data for Azure through Windows PowerShell.

When Oliver returned from his training, he began to speak faster than a squirrel on coffee. He was so excited about all the things he could do with Office 365 and Azure through Windows PowerShell. Mr. Brownlow actually had to record him with Windows Sound Recorder and play it back at one-tenth of the normal speed to understand what he was saying.

Mr. Brownlow asked Oliver to show him some of the features they could automate for Azure and Office 365 through Windows PowerShell. “First, I’ve been told that managing the Exchange component is the same as managing Exchange Server 2013. How true is this?”

“Very true!” piped up Oliver, “It leverages a Windows PowerShell feature called Implicit Remoting to allow use of the cmdlets. But it’s really just Exchange Server 2013 that we’re managing remotely.”

Oliver launched a Windows PowerShell console and initiated a cmdlet to connect to Office 365 through Windows PowerShell:

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential (Get-Credential) -Authentication Basic -AllowRedirection

As soon as he ran the cmdlet, a popup box appeared on the screen in which Oliver entered his credentials to manage Office 365:

Image of text box

After a few moments the prompt returned. Oliver continued, “…and now we import the remote session to the Windows PowerShell console:”

Import-PsSession $Session

Image of command output

“We can now access the back-end environment as we would in Exchange Server 2013. I can run the Get-Mailbox cmdlet as before. But if we download and install the Azure PowerShell module, we can manage the users for Office 365 in addition to the other features.”

Oliver launched Import-Module to load the Azure cmdlets and began to connect to Office 365:

Import-Module MSonline

Connect-MsolService -Credential (Get-Credential)

The authentication prompt popped up as it did previously. Mr. Brownlow noted, “Is there a way to store that information away so we can use it again?”

Oliver saw the dilemma. “We can store the information in a Windows PowerShell object such as $Credential in this manner:”

$Credential=(GET-Credential)

“OK. That’s good, but I still see a problem, Oliver. If we are to automate these solutions, in some cases it will be a scheduled task at night, and prompting for credentials cannot happen. Can you build-in those credentials?”

Oliver did a quick search online through Bing and found that he could build the credentials in the following manner:

$user='oliverscript@contoso.com'

$password=ConvertTo-SecureString -String 'MySuperSecretPassword!' -AsPlainText -Force

$credential=New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $user,$password

“Oliver, this is good, but I see a massive security hole in this approach. The password is in a clear and easy-to-read format. If this script was compromised in some fashion, the client site in Office 365 would be exposed.”

“You are correct, but we can control this,” said Oliver confidently. “I can store that data in a slightly more scrambled format in a text file that the script can read.” Oliver ran a different cmdlet on the console to store the clear text password in a text file, but in a slightly more hidden fashion:

ConvertTo-SecureString -String 'MySuperSecretPassword!' -AsPlainText -Force |
ConvertFrom-SecureString | Out-File o365.txt

“Now the password is no longer stored as clear text. Because this is still a password, but in a visually different format, we should store this file in a secure location. But the script can access it in this way now.”

Oliver made a slight change to the script to pull the password from the file instead:

$user='oliverscript@contoso.com'

$password=Get-Content o365.txt | ConvertTo-SecureString

$credential=New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $user,$password

“We can now automate connecting to Office 365 by passing the object called $Credential to the -Credential parameter in our Azure and Office 365 cmdlets.”

Oliver proceeded to demonstrate. He connected to Azure Active Directory to pull the names of all users in his Office 365 lab environment as a single script, with no interaction on his part:

Import-Module msonline

$user='oliverscript@contoso.com'

$password=Get-Content o365.txt | ConvertTo-SecureString

$credential=New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $user,$password

Connect-MsolService -Credential $credential

Get-Msoluser

Mr. Brownlow watched as the script automatically pulled a list of users from Office 365:

Image of command output
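
The stored-password approach above, as an added example that is not part of the original post: it prompts for the password once instead of typing it into a command, and restricts who can read the file. Without -Key, ConvertFrom-SecureString protects the text with the Windows Data Protection API (DPAPI), so the file can be decrypted only by the same user account on the same computer, and a scheduled task must run as the account that created it. The function names Save-O365Credential and Get-O365Credential and the file path are hypothetical.

```powershell
# Added example; Save-O365Credential and Get-O365Credential are hypothetical helper names.
function Save-O365Credential {
    param([Parameter(Mandatory)][string]$Path)

    # Prompt once, interactively, so the password never appears in a script or in command history.
    $cred = Get-Credential -Message 'Office 365 service account'

    # Without -Key, ConvertFrom-SecureString encrypts with Windows DPAPI:
    # only this user account on this computer can decrypt the result.
    $record = [pscustomobject]@{
        UserName = $cred.UserName
        Password = $cred.Password | ConvertFrom-SecureString
    }
    $record | ConvertTo-Json | Set-Content -Path $Path -Encoding UTF8

    # Defense in depth: drop inherited permissions and grant access only to the current user.
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)
    $me   = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($me, 'FullControl', 'Allow')
    $acl.SetAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Get-O365Credential {
    param([Parameter(Mandatory)][string]$Path)

    $record = Get-Content -Path $Path -Raw | ConvertFrom-Json
    try {
        # ConvertTo-SecureString (not ConvertFrom-) turns the stored text back into a SecureString.
        $secure = $record.Password | ConvertTo-SecureString -ErrorAction Stop
    }
    catch {
        throw "Cannot decrypt '$Path'. It must be created by the same account, on the same computer, that runs this script."
    }
    New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $record.UserName, $secure
}

# One-time setup, run interactively as the account the scheduled task will use:
#   Save-O365Credential -Path C:\Scripts\o365.json     # path is a placeholder
# In the unattended script:
#   $credential = Get-O365Credential -Path C:\Scripts\o365.json
#   Connect-MsolService -Credential $credential
```
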

Mr. Brownlow slapped Oliver on the back with congratulations, “Excellent job, my boy! Let’s get started on these migration projects!”

So the plan went on. Oliver developed scripts for various components of automation. Integration flowed seamlessly as he began to simplify each component of the Office 365 migrations for the various clients. Praise for his excellent work came back in droves. Windows PowerShell came along and Oliver smiled as his skills grew.

But the yin and the yang must show, and the balance of life must occur. As the projects hit their peaks, Oliver found an illness crossing over his body that he did not understand. Worried about Oliver's health, Mr. Brownlow pulled him from his work and sent him immediately to the hospital. Oliver could barely see, and his mouth was as dry as the Sahara.

After a long day of doctors and examinations, Oliver was given some medication and told to rest for the next few weeks.

Mr. Brownlow gave him the time to rest. “Your job will be here when you feel better. You rest up—that’s the important part,” he said with a smile.

Oliver stayed home and began to rest. He took the opportunity to improve his diet at the same time. He began to feel much better—even somehow more energetic than he was before. He was happy to be working for a company that treated him so well. He thought things could not get much better…

What is coming around the corner for Oliver? What does the future hold? Will he be opening up to a roaring crowd singing Windows PowerShell tunes off key? Stay tuned to tomorrow’s episode of Oliver Script: A Holiday Tale on the Hey, Scripting Guys! Blog.

We invite you to follow The Scripting Guys on Twitter and Facebook. If you have any questions, send an email to The Scripting Guys at scripter@microsoft.com, or post your questions on the Official Scripting Guys Forum. See you tomorrow. Until then, remember eat your cmdlets every day with a dash of creativity.

Sean Kearney, Windows PowerShell MVP and Honorary Scripting Guy 

Comments (4)

  1. @Ryan Yates

    I see the spirit of PowerShell is strong within you Ryan! You are ABSOLUTELY correct!

    There was a typo in the one line that read

    $password=Get-Content o365.txt | ConvertFrom-SecureString

    SHOULD read

    $password=Get-Content o365.txt | ConvertTo-SecureString

    …as the data in the text file is the content that can CREATE a secure string but is not the .NET object ‘System.Security.SecureString’

    Thanks for catching that and glad you’re enjoying the series 🙂

    Sean

  2. AvalonNYC says:

    Thanks for the post! We are MS Partners with delegated administration for our customers. Is there a way for us to use our own (Partner) credentials and specify which o365 domain we’re managing with Powershell?

  3. I am still on it. On to the final chapter.

  4. Ryan Yates says:

    Such a great storyline and I’m really enjoying reading this however should
    Import-Module msonline

    $user=’oliverscript@contoso.com’

    $password=Get-Content o365.txt | ConvertFrom-SecureString

    $credential=New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $user,$password

    Connect-MsolService –credential $credential

    Get-Msoluser

    not be

    ConvertTo-SecureString

    as it had been converted from a secure string before being written to the o365.txt file as seen in this snippet

    ConvertTo-SecureString -String ‘MySuperSecretPassword!’ -AsPlainText –Force |
    ConvertFrom-SecureString | Out-File o365.txt

    Or am I completely wrong here?? (new to credential storing)
