Anybody who has worked with Office 365 and PowerShell is probably all too familiar with this prompt.


This is your standard popup to ask for a user id and password.  

But if you do this work daily, or more importantly you're trying to schedule this as a task, that little popup can slow you right down. So you'll need some way to streamline that task.

The first way technically works but is a big NO NO from your security friends. You can put the ID and password in clear text within a PowerShell script and create the PSCredential object needed for the cmdlets.

 

# Insecure: the password sits in the script as plain text
$UserID='john@contoso.onmicrosoft.com'

$Password='NotSoSecretAnymore!'

$SecurePassword=ConvertTo-SecureString -AsPlainText -Force $Password

$Credential=New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList ($UserID,$SecurePassword)

 

This works, but as you can see the password is CLEAR as a bell. From a security standpoint you're about as naked as somebody streaking a baseball game.

 

The other option you have, which is a BIT better, is to store that secure password as a special text file on a hard drive. Now I do NOT mean a text file which contains the actual password in clear text, but rather a text file which contains the password in a more obfuscated form.

We can create this file in a simple process:

  • Get-Credential for Office365 and store as Object
  • Obtain the Secure Password from the Object and Convert From Secure String
  • Store the converted Secure string as a Text file

This will take all of two lines in PowerShell

 

# Get the credentials through the traditional popup box

$Credentials=Get-Credential

$Credentials.Password | ConvertFrom-SecureString | Out-File o365pass.txt

 

You'll now have a file on the hard drive which contains the password in an obfuscated form. You can now read and use this password in the following manner.

$SecurePassword=Get-Content o365pass.txt | ConvertTo-SecureString

Now you can build the credentials from that password in the same manner as before, except that the password is no longer left in clear text.

$UserID='john@contoso.onmicrosoft.com'

$SecurePassword=Get-Content o365pass.txt | ConvertTo-SecureString

$Credential=New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList ($UserID,$SecurePassword)

Now understand, this file is still a weak point. Without much difficulty I can still extract the clear text password. This file still needs to be stored in a secured folder (possibly even as an encrypted file).
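
One way to apply the secured-folder advice, as an added example that is not code from the original post: write the file with an ACL limited to the current user, and refuse to load it if that ACL has been loosened. The function names `Save-O365Password` and `Get-O365Credential` and the profile-folder path are assumptions; on Windows, `ConvertFrom-SecureString` without `-Key` protects the text with DPAPI, so the file only decrypts for the same user on the same computer.

```powershell
# Added example; function names and file location are hypothetical.
$PassFile = Join-Path $env:USERPROFILE 'o365pass.txt'

function Save-O365Password {
    param([string]$Path = $PassFile)
    # Prompt once; without -Key the text is DPAPI-protected for this user on this machine.
    (Get-Credential).Password | ConvertFrom-SecureString | Set-Content -Path $Path

    # Stop inheriting permissions and grant access to the current user only.
    $me   = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($me, 'FullControl', 'Allow')
    $acl  = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)   # $false = do not keep inherited entries
    $acl.SetAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Get-O365Credential {
    param([Parameter(Mandatory)][string]$UserId, [string]$Path = $PassFile)
    $me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name

    # Refuse the file if its ACL allows any identity other than the current user.
    $others = @((Get-Acl -Path $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -ne $me
    })
    if ($others.Count -gt 0) {
        throw "ACL on $Path also allows: $($others.IdentityReference.Value -join ', ')"
    }

    try {
        # Fails when run as a different user or on a different computer.
        $secure = Get-Content -Path $Path | ConvertTo-SecureString -ErrorAction Stop
    } catch {
        throw "Cannot decrypt $Path as $me on $env:COMPUTERNAME; re-create the file under this account."
    }
    New-Object System.Management.Automation.PSCredential($UserId, $secure)
}
```

Run `Save-O365Password` once, interactively, as the account the scheduled task will run under; the scheduled script then calls `Get-O365Credential -UserId 'john@contoso.onmicrosoft.com'`.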

But using this same process (once you have the password converted to obfuscated text), we could also store it in an encrypted SQL database. We could then manage the credentials in a much more secure manner.

 

However at least now you have some options on how to build those credentials into something you CAN automate, which is one step further than last time.

Sean

The EnergizedTech
