
Tuesday, December 6, 2022

Automating the creation of a new user in Duo with Azure Automation Account and Admin API

I was recently asked whether I had written any scripts for provisioning Duo accounts with the Admin API and realized that I had, but had never written a blog post about them, so I decided to write this post to demonstrate the following:

  1. Edit Matt Egan’s Duo PowerShell module (https://github.com/mbegan/Duo-PSModule) to include a duoSendSMSActivation function that is a copy of duoCreateActivationCode with the URL /activation_url changed to /send_sms_activation, so it can be used to send an SMS activation to the phone on a user account
  2. Create an Automation Account that will accept the following inputs in JSON format via a webhook:
    1. samAccountName
    2. email
    3. fullname
    4. mobile
  3. Upload modified Duo module into Automation Account
  4. Create a Protected Application in Duo and add authentication information as Automation Account encrypted variables
  5. Create a runbook to host a PowerShell script that will take the input from the webhook to:
    1. Create the user account in Duo
    2. If a mobile number is passed, create a new phone
    3. If a mobile number is passed, associate new phone to the new Duo user account
    4. If a mobile number is passed, send an SMS text message to the phone number for Duo activation
  6. Create a webhook for the Automation Account
  7. Test Automation Account with PowerShell

Note that I won’t go into as much detail for some components, but feel free to have a look at one of my previous posts, where I set up an Automation Account to generate and send out a report for Duo accounts:

Using an Azure Automation Account Runbook to create and email a Duo report with SendGrid

http://terenceluk.blogspot.com/2022/09/using-azure-automation-account-runbook.html

Modifying Matt Egan’s Duo PowerShell module to include a function that will send an SMS activation

Matt Egan’s Duo PowerShell module does not have a function that sends an SMS activation message, so the easiest way to provide this functionality is to open the Duo.psm1 file, duplicate the duoCreateActivationCode function, then edit the URL /activation_url and change it to /send_sms_activation:
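The added function, written out here as an example rather than copied from the module or the post. It assumes the module's internal `_duoBuildCall -method -path -dOrg -parameters` helper (the signing routine the module's other functions call) and uses the optional parameters Duo documents for the send_sms_activation endpoint (valid_secs, install, installation_msg, activation_msg):

```powershell
function duoSendSMSActivation() {
    <#
    .SYNOPSIS
      Text a Duo Mobile activation link to an existing phone.
      Calls POST /admin/v1/phones/[phone_id]/send_sms_activation; the phone
      must already be attached to a user or Duo rejects the request.
    #>
    param(
        [String]$dOrg = $DuoDefaultOrg,
        [parameter(Mandatory = $true)][ValidatePattern('^DP[A-Z0-9]+$')][String]$phone_id,
        [Int]$valid_secs,            # link lifetime in seconds (Duo's default is 86400)
        [Int]$install,               # 1 = also send the Duo Mobile install link first
        [String]$installation_msg,   # optional custom text for the install SMS
        [String]$activation_msg      # optional custom text for the activation SMS
    )
    # Only forward the optional parameters the caller actually set, so Duo's
    # defaults apply for everything else.
    $parameters = New-Object System.Collections.Hashtable
    foreach ($name in 'valid_secs', 'install', 'installation_msg', 'activation_msg') {
        if ($PSBoundParameters.ContainsKey($name)) {
            $parameters.Add($name, $PSBoundParameters[$name])
        }
    }
    [string]$method = 'POST'
    [string]$path   = '/admin/v1/phones/' + $phone_id + '/send_sms_activation'
    try {
        # _duoBuildCall (assumed helper name) HMAC-signs the call with the org's iKey/sKey
        $request = _duoBuildCall -method $method -path $path -dOrg $dOrg -parameters $parameters
    } catch {
        throw $_.Exception.Message
    }
    return $request
}
```

Because the function is exported from Duo.psm1, remember to add it to the module's exported function list as well if the manifest restricts exports.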


The modified module can be found here at my GitHub repo: https://github.com/terenceluk/Azure/tree/main/Automation%20Runbook/Duo

Download the two files and create a Duo.zip package that we will be uploading later.


Create an Automation Account that will accept the following inputs in JSON format via a webhook

Create an Automation Account that we’ll be using to host the Runbook that will help us provision the new Duo user account:


Upload modified Duo module into Automation Account

Rather than writing the PowerShell code required to authenticate to the Duo Admin API (https://duo.com/docs/adminapi) with an HMAC signature and then call the API methods, we’ll be using the PowerShell module Matt Egan shared with the community years ago, which still works today: https://github.com/mbegan/Duo-PSModule

The Duo PowerShell module Matt Egan provided does not simply upload into Azure Automation’s Modules blade, because the psd1 file references the Duo_org.ps1 file that is meant to store the information required to connect to the Duo API.

Neil Sabol has a great write-up that explains this and how to work around the issue, so I’ll be using his method to demonstrate the configuration: https://blog.neilsabol.site/post/importing-duo-psmodule-mfa-powershell-module-azure-automation/

The method I’ll be using is not to upload a blank Duo_org.ps1 file but rather to comment out all references to it in the Duo.psd1 file. You can find the updated file here in my GitHub: https://github.com/terenceluk/Azure/blob/main/Automation%20Runbook/Duo/Duo.psd1

Proceed to import the Duo.zip package we created earlier into the Automation Account Modules:


Select the package, leave the name configured as Duo, select 5.1 as the Runtime version, then click Import:


Confirm the module has successfully imported:


One way to check that the module imported properly is to click into the module and verify that the available cmdlets are displayed:


Create a Protected Application in Duo and add authentication information as Automation Account encrypted variables

Using the Duo Admin API requires authentication, so we’ll need to create a protected application in the Duo Admin portal as described in the documentation here: https://duo.com/docs/adminapi


Copy the Integration key, Secret key, and API hostname, as we’ll need them to create the encrypted variables in the following steps, and grant the application the required permissions:


Proceed to the Automation Account, navigate to the Variables blade, and create the following encrypted variables:

  1. MyDuoDirectoryID
  2. MyDuoIntegrationKey
  3. MyDuoSecretKey
  4. MyDuoAPIHostname

Note that the Duo Directory ID can be located by navigating to Users > Directory Syncs, selecting the configured directory, then copying the key under the heading Admin API directory key:


Create a runbook to host a PowerShell script that will take the input from the webhook to provision the new user account

With all the components configured, create the runbook and put the code in that will provision the Duo user account. From within the Automation Account, navigate to the Runbooks blade and click on Create a runbook:


Fill in the required fields:


The following PowerShell Runbook will be displayed where we can paste the PowerShell script to be executed:


The script I will be using to provision the new Duo user account can be found here: https://github.com/terenceluk/Azure/blob/main/Automation%20Runbook/Create-New-Duo-User.ps1
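An added example of what such a runbook looks like, written for this post rather than taken from the linked script. It assumes the module’s cmdlet and parameter names (duoCreateUser -username/-email/-realname, duoCreatePhone -number/-type, duoAssocUserToPhone -user_id/-phone_id, plus the duoSendSMSActivation function added earlier) and the $DuoOrgs hashtable layout that Duo_org.ps1 would normally define; it also merges the array-of-objects body that the test script in this post sends:

```powershell
param(
    [Parameter(Mandatory = $false)][object]$WebhookData
)
if (-not $WebhookData) { throw 'This runbook must be started from its webhook.' }

# The test script posts an array of single-key objects ([{samAccountName:..},{email:..},...]),
# so fold them into one table before validating.
$fields = @{}
foreach ($item in (ConvertFrom-Json -InputObject $WebhookData.RequestBody)) {
    foreach ($p in $item.PSObject.Properties) { $fields[$p.Name] = $p.Value }
}
foreach ($required in 'samAccountName', 'email', 'fullname') {
    if ([string]::IsNullOrWhiteSpace($fields[$required])) { throw "Missing required field: $required" }
}

# Encrypted Automation variables are only decrypted inside the sandbox, so the
# secret key never lands in the runbook text. The module normally reads $DuoOrgs
# from Duo_org.ps1; with that file commented out of Duo.psd1 we define it here as
# a global so the module's functions can resolve it (assumed hashtable layout).
$global:DuoOrgs = @{
    prod = @{
        iKey          = Get-AutomationVariable -Name 'MyDuoIntegrationKey'
        sKey          = Get-AutomationVariable -Name 'MyDuoSecretKey'
        apiHost       = Get-AutomationVariable -Name 'MyDuoAPIHostname'
        directory_key = Get-AutomationVariable -Name 'MyDuoDirectoryID'
    }
}
$global:DuoDefaultOrg = 'prod'
Import-Module Duo

# 1. Create the user account in Duo
$user = duoCreateUser -username $fields.samAccountName -email $fields.email -realname $fields.fullname
Write-Output "Created Duo user $($user.user_id) for $($fields.samAccountName)"

# 2-4. Only when a mobile number was passed: create the phone, attach it, text the activation
if (-not [string]::IsNullOrWhiteSpace($fields.mobile)) {
    # Duo expects E.164; reject anything else before it becomes a half-provisioned phone
    if ($fields.mobile -notmatch '^\+[1-9]\d{6,14}$') { throw "Mobile must be E.164, got '$($fields.mobile)'" }
    $phone = duoCreatePhone -number $fields.mobile -type mobile
    duoAssocUserToPhone -user_id $user.user_id -phone_id $phone.phone_id | Out-Null
    duoSendSMSActivation -phone_id $phone.phone_id -valid_secs 86400 -install 1 | Out-Null
    Write-Output "Phone $($phone.phone_id) attached to $($user.user_id) and SMS activation sent"
}
```

Write-Output lines show up in the job output stream, which is the easiest place to confirm each step ran when troubleshooting a webhook-triggered job.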


Proceed to publish the Runbook:


Create a webhook for the Automation Account

Proceed to create a webhook for the Automation Account by clicking on the Add webhook button in the runbook:


Click on Create new webhook:


Fill in a name for the webhook, enable it, set an expiry date for the webhook, and then copy the URL. Note that the URL will not be displayed again, so if you forget or misplace the URL you’ll need to create a new webhook.


I noticed that the Create button would remain greyed out until I clicked into the Configure parameters and run settings options, even if I wasn’t going to change any of the configuration:


Click OK to exit the parameters and run settings:


Proceed to create the webhook:


Test Automation Account with PowerShell

Rather than using the test feature in the runbook, I prefer to use the following PowerShell script to test the webhook:

https://github.com/terenceluk/Azure/blob/main/Automation%20Runbook/Test-Web-Hook.ps1

# Webhook URL copied when the webhook was created (the token is only shown once)
$uri = 'https://d36f1e53-eabe-4b85-82d1-4710b90d5b52.webhook.eus.azure-automation.net/webhooks?token=x1WEKX%2f%2bL%2f%2fz2pX%2fBcJx3UqNii7GTU3T8lxAVIhA0PU%3d'

# Optional custom header; it is exposed to the runbook as $WebhookData.RequestHeader
$headerMessage = @{ message = "Testing Webhook" }

# The four inputs the runbook expects, sent as an array of single-key objects
$data = @(
    @{ samAccountName = "jsmith" },
    @{ email = "jsmith@contoso.com" },
    @{ fullname = "John Smith" },
    @{ mobile = "+14165553445" }
)

# Serialise to JSON; the runbook reads it back from $WebhookData.RequestBody
$body = ConvertTo-Json -InputObject $data

$response = Invoke-WebRequest -Method Post -Uri $uri -Headers $headerMessage -Body $body -UseBasicParsing
$response

The test returns a status code of 202 Accepted, which confirms the job was queued (the response body includes the job ID you can look up in the runbook’s Jobs blade):

You should be able to find the newly created account in the Duo Admin console.
