Hey folks!
As you find yourself doing more and more with PowerShell, you may want to automate some tasks on the servers you run on-premises. A common reason is that the task needs to establish a remote PowerShell session to a cloud service such as Exchange Online, SharePoint Online, or Azure Active Directory. Authentication to on-premises resources is already taken care of: a scheduled task runs under a domain account and the domain controllers authenticate it. The cloud side is the problem, because the task needs a second set of credentials that Active Directory does not supply.
There are a number of ways to automate and authenticate to your environments: Azure Automation Runbooks, Power Automate, and establishing a remote PowerShell session from a scheduled task are the ones that come to mind. Have I missed anything? I've even seen customers use this method for Pester testing. Each method has its own advantages and disadvantages. One thing is clear, though: once authentication enters the picture in your automation, you want to handle the credentials as safely as possible.
Today, I'm going to talk about the ConvertFrom-SecureString PowerShell cmdlet. This cmdlet converts a secure string (for example a password) into an encrypted standard string. By default on Windows it encrypts with the Data Protection API (DPAPI), which ties the result to the user account and the machine that produced it; if you pass -Key or -SecureKey it uses AES with that key instead, and then anyone holding the key can decrypt the file. The encrypted standard string can be saved to a file for later use, which matters for automations that run on a schedule and need to authenticate remotely to Azure or M365. The encrypted standard string can always be converted back to its secure string form with the ConvertTo-SecureString cmdlet, but in the DPAPI case only by the same user on the same machine that created it.
Without further ado, here's how to convert your secure string into an encrypted standard string for each credential:
# Capture the on-premises credential interactively and store only its password, encrypted
$onPrem = Get-Credential
$onPrem.Password | ConvertFrom-SecureString | Set-Content c:\onprem.txt
# Do the same for the Azure AD credential (the user name is not stored in the file)
$azureAd = Get-Credential
$azureAd.Password | ConvertFrom-SecureString | Set-Content c:\azuread.txt
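Here is the full round trip as a scheduled task would actually use it: save the password with ConvertFrom-SecureString, restrict the file's ACL, then reload it into a PSCredential with ConvertTo-SecureString. This is an added example written for this page, not code from the original post or its GitHub repository. The path C:\Secure\azuread.txt, the helper names Protect-CredentialFile and Get-StoredCredential, and the choice to keep the user name in a sibling .user file are assumptions for illustration.

```powershell
# Added example, not from the original post. Round-trips a credential through
# ConvertFrom-SecureString / ConvertTo-SecureString the way a scheduled task
# would use it, and locks the file down first. The path, the helper names and
# the sibling .user file for the user name are assumptions for illustration.

$credFile = 'C:\Secure\azuread.txt'   # assumed location, not the post's c:\azuread.txt

function Protect-CredentialFile {
    # Strip inherited ACEs and leave only the calling account (Read) and SYSTEM (FullControl).
    param([Parameter(Mandatory)][string]$Path)

    $me  = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)   # stop inheriting; inherited ACEs are dropped on Set-Acl
    foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        $null = $acl.RemoveAccessRule($ace)
    }
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($me, 'Read', 'Allow')))
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule('NT AUTHORITY\SYSTEM', 'FullControl', 'Allow')))
    Set-Acl -Path $Path -AclObject $acl
}

function Get-StoredCredential {
    # Reload the credential. Must run as the same user on the same machine that saved it.
    param([Parameter(Mandatory)][string]$Path)

    # Refuse to use a file that any principal other than this account and SYSTEM can read.
    $me    = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    $extra = (Get-Acl -Path $Path).Access |
        Where-Object { $_.IdentityReference.Value -notin @($me, 'NT AUTHORITY\SYSTEM') }
    if ($extra) {
        throw "Refusing to load ${Path}: unexpected ACEs for $($extra.IdentityReference.Value -join ', ')"
    }

    $user = (Get-Content -Path "$Path.user" -Raw).Trim()
    try {
        # With no -Key, ConvertTo-SecureString uses DPAPI and fails for any other user or machine.
        $secure = Get-Content -Path $Path | ConvertTo-SecureString
    } catch {
        throw "DPAPI decryption of $Path failed; it was saved by a different user or on a different machine. $_"
    }
    New-Object System.Management.Automation.PSCredential($user, $secure)
}

# --- One-time setup: run interactively as the account the scheduled task will run under ---
$azureAd = Get-Credential -Message 'Account the scheduled task will sign in with'
$null = New-Item -ItemType Directory -Path (Split-Path $credFile) -Force
$azureAd.Password | ConvertFrom-SecureString | Set-Content -Path $credFile
Set-Content -Path "$credFile.user" -Value $azureAd.UserName   # the encrypted file holds only the password
Protect-CredentialFile -Path $credFile
Protect-CredentialFile -Path "$credFile.user"

# --- Inside the scheduled task: reload and use ---
$cred = Get-StoredCredential -Path $credFile
# e.g. Connect-ExchangeOnline -Credential $cred
```

Two things worth being clear about when you deploy this. First, the setup step and the scheduled task must run under the same account on the same machine, because without -Key the file is DPAPI-protected; copying c:\azuread.txt to another host, or reading it as another user, yields a ConvertTo-SecureString error rather than the password. Second, the ACL and the DPAPI binding defend against the file being read by other users or carried off the box, not against compromise of the task's account or of the machine: any code running as that user on that host can run the same two cmdlets and recover the password, and a local administrator can take ownership of the file or impersonate the account. If you switch to -Key so the file can roam between machines, the key becomes the secret, and storing it next to the file removes the protection entirely.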
If you want to see where I've stored this on GitHub, check out the following link. I'm in the middle of vetting something and this script may come in handy (which is why it's in the Seamless SSO repository within my GitHub account). It made me wonder if folks even knew you could do this for some of the work you may find yourself needing to automate on-premises related to hybrid tooling. I've seen this used most often as a scheduled task that required authentication to some service that was outside the regular Active Directory domain.
My hope is this helps you out a bit with ways to automate tasks from your on-premises environments. Enjoy!
Hi Shannon,
From a security perspective, how do you ensure c:\onprem.txt is protected?
If someone has that text file, can't they just run Get-Content and use the privileges of the creds?