I was recently asked if I had written any scripts for provisioning Duo accounts with the Admin API and realized that I had, but never wrote a blog post about it, so I decided to write this post to demonstrate the following:
- Edit Matt Egan’s Duo PowerShell module (https://github.com/mbegan/Duo-PSModule) to include a duoSendSMSActivation function that is a copy of duoCreateActivationCode with the URL /activation_url changed to /send_sms_activation so it can be used to send an SMS activation to a user account’s phone
- Create an Automation Account that will accept the following inputs in JSON format via a webhook:
  - samAccountName
  - fullname
  - mobile
- Upload modified Duo module into Automation Account
- Create a Protected Application in Duo and add authentication information as Automation Account encrypted variables
- Create a runbook to host a PowerShell script that will take the input from the webhook to:
  - Create the user account in Duo
  - If a mobile number is passed, create a new phone
  - If a mobile number is passed, associate the new phone to the new Duo user account
  - If a mobile number is passed, send an SMS text message to the phone number for Duo activation
- Create a webhook for the Automation Account
- Test Automation Account with PowerShell
Note that I won’t go into as much detail for some components but feel free to have a look at one of my previous posts where I set up an Automation Account to generate and send out a report for Duo accounts:
Using an Azure Automation Account Runbook to create and email a Duo report with SendGrid
https://blog.terenceluk.com/2022/09/using-azure-automation-account-runbook.html
Modifying Matt Egan’s Duo PowerShell module to include a function that will send an SMS activation
Matt Egan’s Duo PowerShell module does not have a function that allows us to send an SMS activation message, so the easiest way to provide this functionality is to open the Duo.psm1 file, duplicate the duoCreateActivationCode function, then edit the URL /activation_url and change it to /send_sms_activation as shown in the following screenshot:
The modified module can be found here at my GitHub repo: https://github.com/terenceluk/Azure/tree/main/Automation%20Runbook/Duo
Download the two files and create a Duo.zip package that we will be uploading later.
Create an Automation Account that will accept the following inputs in JSON format via a webhook
Create an Automation Account that we’ll be using to host the Runbook that will help us provision the new Duo user account:
Upload modified Duo module into Automation Account
Rather than attempting to write the PowerShell code required to authenticate with the Duo Admin API (https://duo.com/docs/adminapi) with an HMAC signature and then call the API methods, we’ll be using the PowerShell module that Matt Egan shared with the community years ago and that still works today: https://github.com/mbegan/Duo-PSModule
The Duo PowerShell module Matt Egan provided does not simply upload into Azure Automation’s Modules blade, because the psd1 file references the Duo_org.ps1 file, which is meant to store the information required to connect to the Duo API.
Neil Sabol has a great write-up that explains this and how to work around the issue, so I’ll be using his method to demonstrate the configuration: https://blog.neilsabol.site/post/importing-duo-psmodule-mfa-powershell-module-azure-automation/
The method I’ll be using is not to upload a blank Duo_org.ps1 file but rather to comment out all references to it in the Duo.psd1 file. You can find the updated file here in my GitHub: https://github.com/terenceluk/Azure/blob/main/Automation%20Runbook/Duo/Duo.psd1
Proceed to import the Duo.zip package we created earlier into the Automation Account Modules:
Select the package, leave the name configured as Duo, select 5.1 as the Runtime version then click Import:
Confirm the module has successfully imported:
One of the ways to check whether the module imported properly is to click into the module and verify that the available cmdlets are displayed:
Create a Protected Application in Duo and add authentication information as Automation Account encrypted variables
Using the Duo Admin API requires authentication so we’ll need to create a protected application in the Duo Admin portal as described in the document here: https://duo.com/docs/adminapi
Copy the Integration key, Secret key, and API hostname as we’ll need them to create the encrypted variables in the following steps, and grant the application the required permissions:
Proceed to the Automation Account and create the following encrypted variables:
- MyDuoDirectoryID
- MyDuoIntegrationKey
- MyDuoSecretKey
- MyDuoAPIHostname
Note that the Duo Directory ID can be located by navigating to Users > Directory Syncs, selecting the configured directory, then copying the key under the heading Admin API directory key:
Create a runbook to host a PowerShell script that will take the input from the webhook to provision the new user account
With all the components configured, create the runbook and add the code that will provision the Duo user account. From within the Automation Account, navigate to the Runbooks blade and click on Create a runbook:
Fill in the required fields:
The following PowerShell Runbook will be displayed where we can paste the PowerShell script to be executed:
The script I will be using to provision the new Duo user account can be found here: https://github.com/terenceluk/Azure/blob/main/Automation%20Runbook/Create-New-Duo-User.ps1
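One way to validate the webhook input at the top of the runbook before any Duo Admin API call is made. This is an added example, not the script linked above or code from the Duo module; the helper name ConvertTo-ValidatedDuoRequest, the validation patterns, and treating fullname as required are assumptions, and the body shape follows the test script later in this post.

```powershell
param([object]$WebhookData)  # populated by Azure Automation when the webhook fires

# Hypothetical helper (not part of the Duo module): parse and validate the webhook body.
function ConvertTo-ValidatedDuoRequest {
    param([Parameter(Mandatory)][string]$RequestBody)

    # Conservative patterns chosen for this example; \A and \z also reject a trailing newline.
    $rules = @{
        samAccountName = '\A[A-Za-z0-9._-]{1,20}\z'
        email          = '\A[^@\s]{1,64}@[A-Za-z0-9.-]{1,255}\z'
        fullname       = "\A[\p{L}\p{M} .'-]{1,100}\z"
        mobile         = '\A\+[1-9][0-9]{6,14}\z'   # E.164
    }

    # The test script posts a JSON array of single-key objects; merge them into one table.
    $fields = @{}
    $parsed = ConvertFrom-Json -InputObject $RequestBody
    foreach ($item in $parsed) {
        foreach ($prop in $item.PSObject.Properties) {
            $name = $prop.Name
            if (-not $rules.ContainsKey($name)) { throw "Unexpected field '$name'" }
            if ($fields.ContainsKey($name))     { throw "Duplicate field '$name'" }
            if ([string]$prop.Value -notmatch $rules[$name]) { throw "Invalid value for '$name'" }
            $fields[$name] = [string]$prop.Value
        }
    }

    # Assumption: samAccountName and fullname are mandatory, mobile and email are optional.
    foreach ($required in 'samAccountName', 'fullname') {
        if (-not $fields.ContainsKey($required)) { throw "Missing required field '$required'" }
    }
    [pscustomobject]$fields
}

# Use the webhook body when run as a runbook; otherwise a constructed sample for a local run.
$body = if ($WebhookData) { $WebhookData.RequestBody } else {
    '[{"samAccountName":"jsmith"},{"fullname":"John Smith"},{"mobile":"+14165553445"}]'
}
$request = ConvertTo-ValidatedDuoRequest -RequestBody $body
Write-Output "Validated request for $($request.samAccountName); phone supplied: $([bool]$request.mobile)"
```

Any request that fails validation throws before the Duo module is called, so the runbook job ends in a failed state and nothing is created in Duo.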
Proceed to publish the Runbook:
Create a webhook for the Automation Account
Proceed to create a webhook for the Automation Account by clicking on the Add webhook button in the runbook:
Click on Create new webhook:
Fill in a name for the webhook, enable it, set an expiry date for the webhook, and then copy the URL. Note that the URL will not get displayed again so if you forget or misplace the URL then you’ll need to create a new one.
I noticed that the Create button would remain greyed out until I clicked into the Configure parameters and run settings options even if I wasn’t going to change any of the configuration:
Click OK to exit the parameters and run settings:
Proceed to create the webhook:
Test Automation Account with PowerShell
Rather than using the test feature in the runbook, I prefer to use the following PowerShell cmdlets to test the webhook:
https://github.com/terenceluk/Azure/blob/main/Automation%20Runbook/Test-Web-Hook.ps1
```powershell
# Webhook URL copied when the webhook was created (it includes the webhook's token)
$uri = 'https://d36f1e53-eabe-4b85-82d1-4710b90d5b52.webhook.eus.azure-automation.net/webhooks?token=x1WEKX%2f%2bL%2f%2fz2pX%2fBcJx3UqNii7GTU3T8lxAVIhA0PU%3d'
$headerMessage = @{ message = 'Testing Webhook' }

# Payload sent to the runbook: a JSON array of single-key objects
$data = @(
    @{ samAccountName = 'jsmith' },
    @{ email = 'jsmith@contoso.com' },
    @{ fullname = 'John Smith' },
    @{ mobile = '+14165553445' }
)
$body = ConvertTo-Json -InputObject $data

# POST the payload to the webhook and display the response
$response = Invoke-WebRequest -Method Post -Uri $uri -Headers $headerMessage -Body $body -UseBasicParsing
$response
```
The following is a status code of 202 accepted from the test:
You should be able to find the newly created account in the Duo Admin console.