Merge pull request #1642 from KoenZomers/AddNewPnPAzureADUserTemporar…

…yAccessPass Added cmdlet `New-PnPAzureADUserTemporaryAccessPass`
pnp · Mar 25, 2022 · e85b4f7 · e85b4f7
2 parents 39e113b + ab10a72
commit e85b4f7
Show file tree

Hide file tree

Showing 4 changed files with 165 additions and 3 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -39,6 +39,7 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/).
 - Added `Set-PnPMessageCenterAnnouncementAsNotFavorite` which allows setting one or more message center announcements as not favorite for the current user [#1151](https://github.com/pnp/powershell/pull/1151)
 - Added `-AsMemoryStream` option to `Get-PnPFile` to allow for downloading of a file from SharePoint Online in memory for further processing [#1638](https://github.com/pnp/powershell/pull/1638)
 - Added `-Stream` option to `Read-PnPSiteTemplate` to allow for processing on a PnP Provisioning Template coming from memory [#1638](https://github.com/pnp/powershell/pull/1638)
+- Added `New-PnPAzureADUserTemporaryAccessPass` which allows creation of a Temporary Access Pass for a specific user in Azure Active Directory
 - Added `-Force` option to `Set-PnPTenant` to allow skipping the confirmation question for certain other parameters like `SignInAccelerationDomain,EnableGuestSignInAcceleration,BccExternalSharingInvitations,OrphanedPersonalSitesRetentionPeriod,OneDriveForGuestsEnabled,AllowDownloadingNonWebViewableFiles`.
 - Added `Get-PnPCompatibleHubContentTypes` which allows the list of content types present in the content type hub site that can be added to the root web or a list on a target site to be returned [#1678](https://github.com/pnp/powershell/pull/1678)
 

diff --git a/documentation/New-PnPAzureADUserTemporaryAccessPass.md b/documentation/New-PnPAzureADUserTemporaryAccessPass.md
@@ -0,0 +1,123 @@
+---
+Module Name: PnP.PowerShell
+title: New-PnPAzureADUserTemporaryAccessPass
+schema: 2.0.0
+applicable: SharePoint Online
+external help file: PnP.PowerShell.dll-Help.xml
+online version: https://pnp.github.io/powershell/cmdlets/New-PnPAzureADUserTemporaryAccessPass.html
+---
+
+# New-PnPAzureADUserTemporaryAccessPass
+
+## SYNOPSIS
+
+**Required Permissions**
+
+  * Microsoft Graph API : UserAuthenticationMethod.ReadWrite.All
+
+Creates a temporary access pass to authenticate with for a certain user
+
+## SYNTAX
+
+```powershell
+New-PnPAzureADUserTemporaryAccessPass -DisplayName <String> -Description <String> -MailNickname <String> [-Owners <String[]>] [-Members <String[]>] [-IsSecurityEnabled <SwitchParameter>] [-IsMailEnabled <SwitchParameter>] [-Force] [<CommonParameters>]
+```
+
+## DESCRIPTION
+This cmdlet allows creation of a temporary access pass for a specific user to allow the user to log on once using the generated token. This can be used i.e. when the user needs to sign in to replace the multi factor authentication token.
+
+You can read more on how to enable Temporary Access Pass in Azure Active Directory in [this article](https://docs.microsoft.com/azure/active-directory/authentication/howto-authentication-temporary-access-pass). It is disabled by default on Azure Active Directory.
+
+## EXAMPLES
+
+### EXAMPLE 1
+```powershell
+New-PnPAzureADUserTemporaryAccessPass -Identity johndoe@contoso.onmicrosoft.com
+```
+
+Creates a temporary access pass for the user with the provided user principal name following the default configuration in Azure Active Directory towards the access pass its lifetime, password length and reusability which can directly be used.
+
+### EXAMPLE 2
+```powershell
+New-PnPAzureADUserTemporaryAccessPass -Identity 72e2eb87-c124-4bd9-8e01-a447a1752058 -IsUseableOnce:$true
+```
+
+Creates a temporary access pass for the user with the provided user Id following the default configuration in Azure Active Directory towards the access pass its lifetime and password length. The token will only be able to be used once and will then immediately expire and can directly be used.
+
+### EXAMPLE 3
+```powershell
+New-PnPAzureADUserTemporaryAccessPass -Identity johndoe@contoso.onmicrosoft.com -StartDateTime (Get-Date).AddHours(2) -LifeTimeInMinutes 10 -IsUseableOnce:$true
+```
+
+Creates a temporary access pass for the user with the provided user principal name which will not become valid for use until 2 hours from now has passed. It will then only be valid for 10 minutes and only can be used once to login after which it will immediately expire, regardless if there are minutes left in the `-LifeTimeInMinutes` parameter.
+
+### EXAMPLE 4
+```powershell
+Get-PnPAzureADUser -Identity johndoe@contoso.onmicrosoft.com | New-PnPAzureADUserTemporaryAccessPass -StartDateTime (Get-Date).AddMinutes(10) -LifeTimeInMinutes 15 -IsUseableOnce:$false
+```
+
+Creates a temporary access pass for the user with the provided user principal name which will not become valid for use until 10 minutes from now has passed. It will then only be valid for 15 minutes and only can be used repeatedly to login while there are minutes left in the `-LifeTimeInMinutes` parameter.
+
+## PARAMETERS
+
+### -Identity
+The user principal name, user Id or user instance for which to generate a temporary access pass.
+
+```yaml
+Type: AzureADUserPipeBind
+Parameter Sets: (All)
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: True
+Accept wildcard characters: False
+```
+
+### -StartDateTime
+Date and time at which the access pass should become valid. If not provided, the access pass will immediately be valid.
+
+```yaml
+Type: DateTime
+Parameter Sets: (All)
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -LifeTimeInMinutes
+Time in minutes counting from the moment the access pass has become active, how long it will be valid until it will expire and cannot be used anymore. IF not provided, the configured default in Azure Active Directory will be used.
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -IsUseableOnce
+Allows defining if the access token can only be used once to log on after which it will directly expire. This takes presedence over the `-LifeTimeInMinutes` option. If not provided, the configured default in Azure Active Directory will be used.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## RELATED LINKS
+
+[Microsoft 365 Patterns and Practices](https://aka.ms/m365pnp)
+[Microsoft Graph documentation](https://docs.microsoft.com/graph/api/temporaryaccesspassauthenticationmethod-post)
+[Feature description](https://docs.microsoft.com/azure/active-directory/authentication/howto-authentication-temporary-access-pass)
diff --git a/src/Commands/AzureAD/NewAzureADUserTemporaryAccessPass.cs b/src/Commands/AzureAD/NewAzureADUserTemporaryAccessPass.cs
@@ -0,0 +1,38 @@
+using PnP.Framework.Graph;
+using PnP.PowerShell.Commands.Attributes;
+using PnP.PowerShell.Commands.Base;
+using PnP.PowerShell.Commands.Base.PipeBinds;
+using System;
+using System.Management.Automation;
+
+namespace PnP.PowerShell.Commands.Graph
+{
+    [Cmdlet(VerbsCommon.New, "PnPAzureADUserTemporaryAccessPass")]
+    [RequiredMinimalApiPermissions("UserAuthenticationMethod.ReadWrite.All")]
+    public class NewAzureADUserTemporaryAccessPass : PnPGraphCmdlet
+    {
+        [Parameter(Mandatory = true, ValueFromPipeline = true)]
+        public AzureADUserPipeBind Identity;
+
+        [Parameter(Mandatory = false)]
+        public DateTime? StartDateTime;
+
+        [Parameter(Mandatory = false)]
+        public int? LifeTimeInMinutes;
+
+        [Parameter(Mandatory = false)]
+        public SwitchParameter IsUsableOnce;
+
+        protected override void ExecuteCmdlet()
+        {
+            var accessPass = UsersUtility.RequestTemporaryAccessPass(
+                                accessToken: AccessToken,
+                                userId: Identity.User?.Id?.ToString() ?? Identity.Upn ?? Identity.UserId,
+                                startDateTime: StartDateTime,
+                                lifeTimeInMinutes: LifeTimeInMinutes,
+                                isUsableOnce: IsUsableOnce);
+
+            WriteObject(accessPass);
+        }
+    }
+}
diff --git a/src/Commands/Base/PipeBinds/AzureADUserPipeBind.cs b/src/Commands/Base/PipeBinds/AzureADUserPipeBind.cs
@@ -1,4 +1,4 @@
-using PnP.Framework.Graph.Model;
+using PnP.PowerShell.Commands.Model.AzureAD;
 using System;
 using System.Net;
 
@@ -63,11 +63,11 @@ public User GetUser(string accessToken)
             }
             if (_userId != null)
             {
-                return PnP.Framework.Graph.UsersUtility.GetUser(accessToken, _userId);
+                return User.CreateFrom(PnP.Framework.Graph.UsersUtility.GetUser(accessToken, _userId));
             }
             if (_upn != null)
             {                
-                return PnP.Framework.Graph.UsersUtility.GetUser(accessToken, WebUtility.UrlEncode(_upn));
+                return User.CreateFrom(PnP.Framework.Graph.UsersUtility.GetUser(accessToken, WebUtility.UrlEncode(_upn)));
             }
             return null;
         }