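<#
.SYNOPSIS
Creates an encrypted credential file for app registration authentication.
.DESCRIPTION
This helper script stores an app registration client secret as a SecureString
exported with Export-Clixml. On Windows, Export-Clixml protects the SecureString
with DPAPI in user scope, so the file decrypts only under the user account that
created it (normally on the same computer). The script refuses to run on
non-Windows platforms, where that DPAPI protection is not available, and
restricts the NTFS ACL of the output file to the creating user.
.PARAMETER OutputPath
Path where the encrypted credential file will be saved. An existing file is overwritten.
.PARAMETER ClientSecret
The client secret from your app registration (will be prompted securely if not provided).
It must not be empty or whitespace-only, whether supplied here or typed at the prompt.
.EXAMPLE
.\New-EncryptedAppCredential.ps1 -OutputPath "C:\Scripts\Config\AppCred_GraphReports.xml"
Prompts for client secret and creates encrypted credential file.
.EXAMPLE
$secret = Read-Host "Enter secret" -AsSecureString
.\New-EncryptedAppCredential.ps1 -OutputPath "C:\Scripts\Config\AppCred_UserGroup.xml" -ClientSecret $secret
Creates encrypted credential file using provided SecureString.
.NOTES
Author: Alexander
Version: 1.2
What user-scope DPAPI does and does not give you:
- The file decrypts only under the user account that created it; other local
  users cannot read it.
- The protection is bound to the user's DPAPI master key, not to the hardware.
  With a roaming profile, or with the domain DPAPI backup key held by domain
  admins, the blob can typically be decrypted on another machine. Treat "same
  computer" as the common case, not a guarantee.
- Any process running as the creating user (including malware) can decrypt it,
  and a local administrator can take ownership of the file or the profile.
  Protect the account and the host, not just the file.
- Rotate the app registration secret if the file or the account is ever exposed.
#>
[CmdletBinding()]
param(
    [Parameter(Mandatory = $true)]
    [string]$OutputPath,
    [Parameter(Mandatory = $false)]
    [SecureString]$ClientSecret
)

# Returns $true when the SecureString is null, empty, or whitespace-only.
# Characters are read one at a time from the unmanaged BSTR so the secret is
# never materialised as a managed .NET string (which cannot be zeroed and
# lingers in memory until garbage collected).
function Test-SecureStringBlank {
    param([SecureString]$Secret)

    if ($null -eq $Secret -or $Secret.Length -eq 0) {
        return $true
    }

    $bstr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($Secret)
    try {
        for ($i = 0; $i -lt $Secret.Length; $i++) {
            # BSTR is UTF-16; mask to 16 bits so high code units do not go negative.
            $code = [System.Runtime.InteropServices.Marshal]::ReadInt16($bstr, 2 * $i) -band 0xFFFF
            if (-not [char]::IsWhiteSpace([char]$code)) {
                return $false
            }
        }
        return $true
    }
    finally {
        # Zero the unmanaged copy before freeing it, even if the loop throws.
        [System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    }
}

try {
    Write-Host "`n========================================" -ForegroundColor Cyan
    Write-Host "App Registration Credential Encryption" -ForegroundColor Cyan
    Write-Host "========================================`n" -ForegroundColor Cyan

    # Export-Clixml only applies DPAPI protection on Windows. Refuse elsewhere
    # rather than write a file that is not protected the way this script documents.
    # $IsWindows does not exist in Windows PowerShell 5.1, hence the version gate.
    if ($PSVersionTable.PSVersion.Major -ge 6 -and -not $IsWindows) {
        throw "DPAPI protection is only available on Windows; refusing to write an unprotected credential file"
    }

    # Prompt for client secret if not provided
    if (-not $ClientSecret) {
        Write-Host "Enter the App Registration Client Secret" -ForegroundColor Yellow
        $ClientSecret = Read-Host "Client Secret" -AsSecureString
    }

    # Validate regardless of whether the secret was passed in or typed in;
    # a blank -ClientSecret parameter previously slipped through unchecked.
    if (Test-SecureStringBlank -Secret $ClientSecret) {
        throw "Client secret cannot be empty"
    }

    # Domain-qualified identity of the account whose DPAPI keys protect the file.
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()

    # Create credential object (CreatedBy stays $env:USERNAME for compatibility
    # with existing consumers of the XML file).
    $credObject = [PSCustomObject]@{
        ClientSecret = $ClientSecret
        CreatedDate  = Get-Date
        CreatedBy    = $env:USERNAME
        ComputerName = $env:COMPUTERNAME
    }

    # Ensure output directory exists
    $outputDir = Split-Path -Path $OutputPath -Parent
    if ($outputDir -and -not (Test-Path -Path $outputDir)) {
        Write-Host "Creating directory: $outputDir" -ForegroundColor Yellow
        New-Item -Path $outputDir -ItemType Directory -Force | Out-Null
    }

    # Export encrypted credential (SecureString is DPAPI-protected by Export-Clixml on Windows)
    Write-Host "Encrypting and saving credential..." -ForegroundColor Yellow
    $credObject | Export-Clixml -Path $OutputPath -Force

    # DPAPI stops other users decrypting the blob, but the file itself inherits the
    # directory ACL. Cut inheritance and grant only the creating user, so the
    # ciphertext is not handed to every reader of the directory. Best-effort: a
    # failure here (e.g. non-NTFS volume) is reported, not fatal.
    try {
        $acl = Get-Acl -Path $OutputPath
        $acl.SetAccessRuleProtection($true, $false)
        foreach ($existing in @($acl.Access | Where-Object { -not $_.IsInherited })) {
            $null = $acl.RemoveAccessRule($existing)
        }
        $ownerRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $identity.User, 'FullControl', 'Allow')
        $acl.AddAccessRule($ownerRule)
        Set-Acl -Path $OutputPath -AclObject $acl
    }
    catch {
        Write-Warning "Could not restrict the file ACL ($($_.Exception.Message)); review permissions on $OutputPath manually"
    }

    Write-Host "`n========================================" -ForegroundColor Green
    Write-Host "Credential Encrypted Successfully!" -ForegroundColor Green
    Write-Host "========================================" -ForegroundColor Green
    Write-Host "`nFile Details:" -ForegroundColor Cyan
    Write-Host "  Output Path: $OutputPath" -ForegroundColor White
    Write-Host "  Created By: $($credObject.CreatedBy)" -ForegroundColor White
    Write-Host "  Computer: $($credObject.ComputerName)" -ForegroundColor White
    Write-Host "  Created: $($credObject.CreatedDate)" -ForegroundColor White
    Write-Host "`nSecurity Information:" -ForegroundColor Yellow
    Write-Host "  This credential file is DPAPI-protected (user scope) for:" -ForegroundColor Yellow
    Write-Host "    - User: $($identity.Name)" -ForegroundColor White
    Write-Host "    - Computer: $env:COMPUTERNAME (roaming profiles or a domain backup key may allow decryption elsewhere)" -ForegroundColor White
    Write-Host "  Any process running as this user can decrypt it - protect the account and the host." -ForegroundColor Yellow
    Write-Host "`nNext Steps:" -ForegroundColor Cyan
    Write-Host "  1. Update your configuration JSON file with this credential path" -ForegroundColor White
    Write-Host "  2. Ensure the app registration has the required permissions" -ForegroundColor White
    Write-Host "  3. Test the credential with your automation script`n" -ForegroundColor White
}
catch {
    Write-Host "`n========================================" -ForegroundColor Red
    Write-Host "Error Creating Encrypted Credential" -ForegroundColor Red
    Write-Host "========================================" -ForegroundColor Red
    Write-Error $_.Exception.Message
    exit 1
}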