claudetools/clients/cascades-tucson/scripts/ConfigureSCP.ps1


#
# Windows PowerShell script to configure the SCP for Hybrid Azure AD join
#
# CASCADES OF TUCSON - preconfigured copy (from Entra Connect, 2026-06-05)
# Tenant (azureADId) is baked in below: 207fa277-e9d8-4eb7-ada1-1064d2221498
# -Domain defaults to cascadestucson.com so this runs self-contained.
#
# HOW TO RUN: on a Domain Controller (CS-SERVER) in an ELEVATED PowerShell,
# as an ENTERPRISE ADMIN of cascades.local:
# .\ConfigureSCP.ps1
# (idempotent - creates the SCP if missing, updates the keywords if present)
#
# WHY: writes the Service Connection Point into AD's Configuration partition so
# domain-joined devices can discover the Entra tenant and perform Hybrid Entra Join.
#
# Script parameters:
#   -Domain  Entra (Azure AD) domain written into the SCP's azureADName keyword;
#            defaults to the Cascades tenant domain so the script is self-contained.
#   -Help    print the usage text (funHelp) and exit without touching AD.
param([string]$Domain = "cascadestucson.com", [switch]$Help)
#
# Prints the usage text to stdout and terminates the script with exit code 1.
# Used for -Help and when -Domain is empty; it never returns to the caller.
#
function funHelp()
{
    $usage = @"
NAME: ConfigureSCP.ps1
PURPOSE: Configures the service connection point for Hybrid Azure AD join in the current forest
REQUIREMENT: Must be run by an Enterprise Admin of the current forest
PARAMETERS:
-Domain <NAME> Specifies the Azure AD domain to use for device authentication
If you are using federation to authenticate with Azure AD, enter a federated domain name.
If you are not using federation, enter your primary *.onmicrosoft.com domain name.
(Cascades default: cascadestucson.com)
-Help Prints the help file
EXAMPLES:
1. ConfigureSCP.ps1 (uses cascadestucson.com)
2. ConfigureSCP.ps1 -Domain cascadestucson.com
"@
    Write-Output -InputObject $usage
    exit 1
}
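#
# Main flow: validate input, bind to the forest's Configuration partition via
# RootDSE, get-or-create the "Device Registration Configuration" container, then
# create or overwrite the SCP object's keywords with the tenant id and domain.
#
# Error handling: every AD bind/commit runs inside one try/catch so the first
# failure aborts the run (instead of chaining further errors against a
# half-created object) and the script exits non-zero for automation. The
# original session-wide $Error check is dropped because a stale error from
# earlier in the same PowerShell session would have produced a false
# "could not be completed".
#
if ($Help)
{
    funHelp
}
if (-not($Domain))
{
    Write-Output "You must specify a value for -Domain"
    funHelp
}
Write-Output "Configuring the SCP for Hybrid Azure AD join in your Active Directory forest."

## Set variables
# Tenant id is baked in for Cascades of Tucson (see file header); azureADName
# carries the Entra domain that devices use for authentication.
$azureADId = "azureADId:207fa277-e9d8-4eb7-ada1-1064d2221498"
$azureADName = "azureADName:" + $Domain
$keywords = "keywords"
$ldap = "LDAP://"

try
{
    $rootDSE = New-Object System.DirectoryServices.DirectoryEntry($ldap + "RootDSE")
    $configCN = $rootDSE.Properties["configurationNamingContext"][0].ToString()
    $servicesCN = "CN=Services," + $configCN
    $drcCN = "CN=Device Registration Configuration," + $servicesCN
    # Fixed object name of the device-registration SCP; clients look for this
    # exact CN, so it must not be changed.
    $scpCN = "CN=62a0ff2e-97b9-4513-943f-0d221bd30080," + $drcCN

    ## Get/Create: CN=Device Registration Configuration,CN=Services
    if ([System.DirectoryServices.DirectoryEntry]::Exists($ldap + $drcCN))
    {
        $deDRC = New-Object System.DirectoryServices.DirectoryEntry($ldap + $drcCN)
    }
    else
    {
        $de = New-Object System.DirectoryServices.DirectoryEntry($ldap + $servicesCN)
        $deDRC = $de.Children.Add("CN=Device Registration Configuration", "container")
        $deDRC.CommitChanges()
    }

    ## Edit/Create: CN=62a0ff2e-97b9-4513-943f-0d221bd30080,CN=Device Registration Configuration,CN=Services
    if ([System.DirectoryServices.DirectoryEntry]::Exists($ldap + $scpCN))
    {
        $deSCP = New-Object System.DirectoryServices.DirectoryEntry($ldap + $scpCN)
        # Replace rather than append: stale keywords (e.g. a previous tenant or
        # domain) must not linger next to the current values.
        $deSCP.Properties[$keywords].Clear()
    }
    else
    {
        $deSCP = $deDRC.Children.Add("CN=62a0ff2e-97b9-4513-943f-0d221bd30080", "serviceConnectionPoint")
    }
    # Add() returns the new index; discard it so it does not leak into stdout.
    $deSCP.Properties[$keywords].Add($azureADName) | Out-Null
    $deSCP.Properties[$keywords].Add($azureADId) | Out-Null
    $deSCP.CommitChanges()

    # Read back what was actually committed so the operator (and any log of this
    # run) can verify the forest-wide change.
    $deSCP.RefreshCache()
    Write-Output "SCP keywords now: $($deSCP.Properties[$keywords].Value -join '; ')"
}
catch
{
    Write-Output "Configuration could not be completed."
    Write-Output $_
    exit 1
}
Write-Output "Configuration complete!"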