Shannon

ConvertFrom-SecureString Explained!

Hey folks!


As you find yourself doing more and more with PowerShell, you may want to automate tasks on the servers you run on-premises. A big reason for this is the need to establish a remote PowerShell session to a service such as Exchange Online, SharePoint Online, or Azure Active Directory. Authentication for purely on-premises automation can be handled by your domain controllers and the Task Scheduler.


There are a number of ways to automate and authenticate to your environments: Azure Automation Runbooks, Power Automate, and establishing a remote PowerShell session are some of the ways I can think of. Have I missed anything? I've even seen customers use this method for Pester testing. Each method has its own advantages and disadvantages. One thing is clear, though: you want to be as safe as possible when you introduce authentication into your automation.


Today, I'm going to talk about the ConvertFrom-SecureString PowerShell cmdlet. It converts a secure string (for example, a password) into an encrypted standard string. That encrypted standard string can be saved to a file for later use, which matters for automations that run on a schedule and need to authenticate remotely to Azure or M365. The encrypted standard string can always be converted back to a secure string with the ConvertTo-SecureString cmdlet.


Without further ado, here's how you convert your secure string into an encrypted standard string for credentials:

# Prompt for the on-premises credential, then store only the password as an
# encrypted standard string (the user name is not written to the file)
$onPrem = Get-Credential
$onPrem.Password | ConvertFrom-SecureString | Set-Content c:\onprem.txt
# Same again for the Azure AD credential
$azureAd = Get-Credential
$azureAd.Password | ConvertFrom-SecureString | Set-Content c:\azuread.txt

If you want to see where I've stored this on GitHub, check out the following link. I'm in the middle of vetting something and this script may come in handy (which is why it's in the Seamless SSO repository within my GitHub account). It made me wonder if folks even knew you could do this for some of the work you may find yourself needing to automate on-premises related to hybrid tooling. I've seen this used most often as a scheduled task that required authentication to some service that was outside the regular Active Directory domain.


My hope is this helps you out a bit with ways to automate tasks from your remote environments on-premises. Enjoy!


5 Comments


Jay Harper
Jul 26, 2022

Hi Shannon,

From a security perspective, how do you ensure c:\onprem.txt is protected?


If someone has that text file, can't they just run Get-Content and use the privileges of the creds?

Shannon
Jul 26, 2022

You could still lock down where that file resides so that ONLY a service account can access the file and make use of the password (as an example). It's all a matter of what's easiest. Sometimes what I talk about may not 100% work unless you think about some of the different ways to manipulate server objects. Let me know if I can help strategize further. Always down to help strategize and develop a proverbial game plan!

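As an added example that is not part of Shannon's post or her GitHub repository, here is the full round trip the post describes together with the file lock-down suggested in the reply to Jay Harper: the encrypted standard string is written once, the file's ACL is cut down to the service account, and the scheduled script reads it back with ConvertTo-SecureString. It assumes the paths, the CONTOSO\svc-automation account and the UPN shown, and relies on the fact that without -Key, ConvertFrom-SecureString protects the string with DPAPI, so the file must be created by the same user on the same machine that will later decrypt it.

```powershell
# Added example, not the post's own code. Run the setup section interactively
# while logged on AS the service account, on the machine that will run the task.
# Without -Key, ConvertFrom-SecureString uses DPAPI: a different user or machine
# cannot reverse the string (ConvertTo-SecureString fails with a DPAPI error).

$credFile    = 'C:\automation\azuread.txt'   # assumed path
$serviceAcct = 'CONTOSO\svc-automation'      # assumed service account name

# --- one-time setup (interactive, logged on as $serviceAcct) ---
$azureAd = Get-Credential -Message 'Azure AD automation account'
$dir = Split-Path -Path $credFile
if (-not (Test-Path -Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
$azureAd.Password | ConvertFrom-SecureString | Set-Content -Path $credFile

# Restrict the file: disable inheritance, drop inherited entries, then allow
# only the service account (read) plus SYSTEM and Administrators (maintenance).
$acl = Get-Acl -Path $credFile
$acl.SetAccessRuleProtection($true, $false)
$grants = @{
    $serviceAcct             = 'Read'
    'NT AUTHORITY\SYSTEM'    = 'FullControl'
    'BUILTIN\Administrators' = 'FullControl'
}
foreach ($id in $grants.Keys) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $id, $grants[$id], 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $credFile -AclObject $acl

# Check: the listing should show only the three identities granted above
(Get-Acl -Path $credFile).Access |
    Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize

# --- inside the scheduled script (task runs as $serviceAcct) ---
$userName = 'automation@contoso.onmicrosoft.com'   # assumed UPN
$secure   = Get-Content -Path $credFile | ConvertTo-SecureString
$cred     = New-Object System.Management.Automation.PSCredential($userName, $secure)
# $cred can now be passed to the connect cmdlet, e.g. -Credential $cred
```

If the task is later moved to another server or run under another account, the file has to be regenerated there by that account; copying it across does not work because of the DPAPI binding.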