Below is a streamlined PowerShell script that provides two main options for setting up a Kerberos Server object in Active Directory and publishing it to Microsoft Entra ID. The Kerberos Server object is what lets Microsoft Entra ID issue Kerberos tickets for on-premises resources (the basis for passwordless sign-in with FIDO2 keys and Windows Hello for Business in hybrid environments), so the credentials the script asks for and the key it creates deserve the same care as a domain controller's krbtgt account. The script offers two distinct choices so each step can be run, and audited, on its own.
Options:
- Option 1: Install the Azure AD Hybrid Authentication Management PowerShell module and its dependencies.
- Option 2: Publish the Kerberos Server object to Microsoft Entra ID and initiate an Azure AD Connect synchronization.
Prerequisites:
- Run as Administrator: Execute the script in a PowerShell session with administrative privileges.
- Azure AD Connect Installed: Azure AD Connect must be installed and configured to synchronize your on-premises Active Directory with Microsoft Entra ID. Option 2 uses the ADSync module that ships with it, so run the script on the Azure AD Connect server (which is also domain-joined with line of sight to a domain controller, as Set-AzureADKerberosServer requires).
- Required Permissions: The Active Directory credential must be a member of Domain Admins, and the Microsoft Entra ID account must be a Global Administrator (or whichever less-privileged role the current cmdlet documentation accepts). Use dedicated administrative accounts, not your daily-use identity.
- Run Option 1 before Option 2: Option 2 depends on the module that Option 1 installs.
Complete PowerShell Script
Save the following script as Setup-EntraIDKerberosServer.ps1:
<#
.SYNOPSIS
Automates the installation of the required PowerShell module and publishes a Kerberos Server object to Microsoft Entra ID.
.DESCRIPTION
This script provides two main options:
1. Install the Azure AD Hybrid Authentication Management PowerShell module along with its dependencies.
2. Publish the Kerberos Server object to Microsoft Entra ID and initiate an Azure AD Connect synchronization.
.PARAMETER None
The script presents a menu to the user to choose between Option 1 and Option 2.
.EXAMPLE
To run the script:
.\Setup-EntraIDKerberosServer.ps1
.NOTES
Run the script with administrative privileges.
Option 1 needs outbound HTTPS access to the PowerShell Gallery.
Option 2 runs Set-AzureADKerberosServer (domain-joined host with line of sight to a domain controller)
and then Start-ADSyncSyncCycle (requires the ADSync module that ships with Azure AD Connect),
so run it on the Azure AD Connect server.
#>
# ================================================
# Function: Install-RequiredModules
# Description: Installs necessary PowerShell modules and providers.
# ================================================
function Install-RequiredModules {
    Write-Output "===== Installing Required Modules ====="
    try {
        # Force TLS 1.2 so the gallery download is not rejected on hosts whose default protocol list is older
        [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
        Write-Output "Enabled TLS 1.2."

        # Install the NuGet package provider (PowerShellGet needs it to talk to the gallery)
        Write-Output "Installing NuGet package provider..."
        Install-PackageProvider -Name NuGet -Force -ErrorAction Stop
        Write-Output "NuGet package provider installed."

        # Register the PSGallery repository if it is missing. The -Default parameter set restores the
        # built-in PSGallery registration and does not accept -Name. Marking it Trusted suppresses the
        # untrusted-repository prompt for every future Install-Module on this host, not just this script.
        $psRepo = Get-PSRepository -Name "PSGallery" -ErrorAction SilentlyContinue
        if (-not $psRepo) {
            Write-Output "Registering PSGallery repository..."
            Register-PSRepository -Default -InstallationPolicy Trusted -ErrorAction Stop
            Write-Output "PSGallery repository registered."
        }
        else {
            Write-Output "PSGallery repository is already registered."
        }

        # Install or update PowerShellGet (the updated version is picked up by new sessions)
        Write-Output "Installing/Updating PowerShellGet module..."
        Install-Module -Name PowerShellGet -Force -ErrorAction Stop
        Write-Output "PowerShellGet module installed/updated."

        # Install the Azure AD Hybrid Authentication Management module. -AllowClobber lets the install
        # proceed even if another module already exports a command with the same name.
        Write-Output "Installing Azure AD Hybrid Authentication Management PowerShell module..."
        Install-Module -Name AzureADHybridAuthenticationManagement -AllowClobber -Force -ErrorAction Stop
        Write-Output "AzureADHybridAuthenticationManagement module installed."

        # Import the module
        Import-Module -Name AzureADHybridAuthenticationManagement -ErrorAction Stop
        Write-Output "AzureADHybridAuthenticationManagement module imported."

        # Verify the module is installed
        $moduleCheck = Get-Module -ListAvailable -Name AzureADHybridAuthenticationManagement
        if ($moduleCheck) {
            Write-Output "AzureADHybridAuthenticationManagement module is available."
        }
        else {
            throw "AzureADHybridAuthenticationManagement module installation failed."
        }
        Write-Output "===== Module Installation Completed Successfully =====`n"
    }
    catch {
        Write-Error "Error during module installation: $_"
        exit 1
    }
}
# ================================================
# Function: Publish-KerberosServer
# Description: Publishes the Kerberos Server object to Microsoft Entra ID.
# ================================================
function Publish-KerberosServer {
    Write-Output "===== Publishing Kerberos Server to Microsoft Entra ID ====="
    try {
        # Make sure the module from Option 1 is loaded; fail here with a clear message
        # instead of later with "Set-AzureADKerberosServer is not recognized".
        Import-Module -Name AzureADHybridAuthenticationManagement -ErrorAction Stop

        Write-Output "Please provide the following information:"
        # DNS name of the AD domain that will host the Kerberos Server object.
        # Defaults to the domain of the current session when left empty.
        $domain = Read-Host -Prompt "Enter your Active Directory domain (e.g., yourdomain.com) [$env:USERDNSDOMAIN]"
        if ([string]::IsNullOrWhiteSpace($domain)) {
            $domain = $env:USERDNSDOMAIN
        }
        if ([string]::IsNullOrWhiteSpace($domain)) {
            throw "Active Directory domain cannot be empty."
        }

        # Domain (Active Directory) credentials: must be a member of Domain Admins
        $domainCred = Get-Credential -Message "Enter your Active Directory domain credentials (Domain Admin)"

        # Cloud (Microsoft Entra ID) account. An account protected by MFA cannot authenticate with a
        # plain PSCredential; for those, pass the user principal name with -UserPrincipalName and the
        # cmdlet opens an interactive sign-in prompt instead.
        $useMfa = Read-Host -Prompt "Does the Microsoft Entra ID account require MFA? (y/N)"
        if ($useMfa -match '^[Yy]') {
            $cloudUpn = Read-Host -Prompt "Enter the Microsoft Entra ID user principal name (e.g., admin@yourtenant.onmicrosoft.com)"
            if ([string]::IsNullOrWhiteSpace($cloudUpn)) {
                throw "Microsoft Entra ID user principal name cannot be empty."
            }
            Write-Output "Executing Set-AzureADKerberosServer cmdlet (interactive cloud sign-in)..."
            Set-AzureADKerberosServer -Domain $domain -UserPrincipalName $cloudUpn -DomainCredential $domainCred -ErrorAction Stop
        }
        else {
            $cloudCred = Get-Credential -Message "Enter your Microsoft Entra ID (Azure AD) credentials"
            Write-Output "Executing Set-AzureADKerberosServer cmdlet..."
            Set-AzureADKerberosServer -Domain $domain -CloudCredential $cloudCred -DomainCredential $domainCred -ErrorAction Stop
        }
        Write-Output "Kerberos Server published to Microsoft Entra ID successfully."
        Write-Output "===== Kerberos Server Publication Completed Successfully =====`n"
    }
    catch {
        Write-Error "Error during Kerberos Server publication: $_"
        exit 1
    }
}
# ================================================
# Function: Sync-AzureADConnect
# Description: Initiates Azure AD Connect synchronization.
# ================================================
function Sync-AzureADConnect {
    Write-Output "===== Initiating Azure AD Connect Synchronization ====="
    try {
        # The ADSync module ships with Azure AD Connect, so this step only works on that server
        Import-Module ADSync -ErrorAction Stop
        Write-Output "ADSync module imported successfully."

        # Start-ADSyncSyncCycle fails if a cycle is already running, so check the scheduler first
        if ((Get-ADSyncScheduler).SyncCycleInProgress) {
            throw "A synchronization cycle is already in progress. Wait for it to finish and retry."
        }

        # Start a Delta synchronization (only changes since the last cycle). The cmdlet returns as
        # soon as the cycle is queued, not when it completes; check Get-ADSyncScheduler or the
        # Synchronization Service Manager for the result.
        Write-Output "Starting a Delta synchronization cycle..."
        Start-ADSyncSyncCycle -PolicyType Delta -ErrorAction Stop
        Write-Output "Azure AD Connect Delta synchronization initiated."
        Write-Output "===== Azure AD Connect Synchronization Started =====`n"
    }
    catch {
        Write-Error "Error during Azure AD Connect synchronization: $_"
        exit 1
    }
}
# ================================================
# Function: Show-Menu
# Description: Displays the menu and captures user choice.
# ================================================
function Show-Menu {
    Clear-Host
    Write-Output "========================================"
    Write-Output " Entra ID Kerberos Server Setup Script "
    Write-Output "========================================"
    Write-Output ""
    Write-Output "Please select an option:"
    Write-Output "1. Install Azure AD Hybrid Authentication Management PowerShell module and dependencies"
    Write-Output "2. Publish Kerberos Server to Microsoft Entra ID and synchronize"
    Write-Output "3. Exit"
    Write-Output ""
}
# ================================================
# Main Script Execution
# ================================================
# Ensure the script is run as Administrator
if (-not ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")) {
    Write-Warning "You do not have Administrator rights to run this script. Please run PowerShell as an Administrator."
    exit 1
}
do {
    Show-Menu
    $choice = Read-Host -Prompt "Enter your choice (1-3)"
    switch ($choice) {
        "1" {
            Install-RequiredModules
            Pause
        }
        "2" {
            Publish-KerberosServer
            Sync-AzureADConnect
            Pause
        }
        "3" {
            Write-Output "Exiting script. Goodbye!"
            # break only leaves the switch; the while condition below ends the loop
            break
        }
        default {
            Write-Output "Invalid selection. Please choose 1, 2, or 3."
            Pause
        }
    }
} while ($choice -ne "3")
# ================================================
# Verification Steps (Optional)
# ================================================
Write-Output "===== Verification Steps ====="
Write-Output "1. Run Get-AzureADKerberosServer -Domain <domain> -CloudCredential <cred> -DomainCredential <cred> and confirm the Id/CloudId and KeyVersion/CloudKeyVersion pairs match."
Write-Output "2. Confirm the Azure AD Connect cycle completed: (Get-ADSyncScheduler).SyncCycleInProgress is False and the Synchronization Service Manager shows no export errors."
Write-Output "3. Verify the AzureADKerberos computer object exists in the Domain Controllers OU and the krbtgt_AzureAD account exists in CN=Users (Get-AzureADKerberosServer prints both distinguished names)."
Write-Output "===== Script Execution Completed ====="
Usage Instructions
- Save the Script: Copy the script above into a text editor and save it with a .ps1 extension, e.g. Setup-EntraIDKerberosServer.ps1. Keep it on the Azure AD Connect server, since Option 2 needs the ADSync module.
- Open PowerShell as Administrator: Right-click the PowerShell icon and select "Run as Administrator".
- Navigate to the Script Directory:
cd "C:\Path\To\Script\Directory"
- Execute the Script:
.\Setup-EntraIDKerberosServer.ps1
- Interact with the Menu: Upon running, the script displays the following menu:
Entra ID Kerberos Server Setup Script
Please select an option:
1. Install Azure AD Hybrid Authentication Management PowerShell module and dependencies
2. Publish Kerberos Server to Microsoft Entra ID and synchronize
3. Exit
- Option 1: Install necessary modules. Select 1 and press Enter. The script installs the required PowerShell modules and dependencies. Run this once before Option 2.
- Option 2: Publish the Kerberos Server and synchronize. Select 2 and press Enter. The script prompts for your Active Directory domain, your Active Directory credentials and your Microsoft Entra ID account (a user principal name with interactive sign-in if the account uses MFA, otherwise a credential prompt). It then runs the Set-AzureADKerberosServer cmdlet and starts a delta synchronization with Azure AD Connect.
- Option 3: Exit the script. Select 3 and press Enter.
- Provide Prompts (Option 2):
- Domain: When prompted, enter the DNS name of your Active Directory domain (e.g., yourdomain.com), or press Enter to accept the domain of the current session.
- Credentials: Enter your Active Directory domain credentials and your Microsoft Entra ID account when prompted. These accounts need the privileges listed under Prerequisites; the on-premises account in particular must be a Domain Admin, because the cmdlet creates a domain controller-like object.
- Monitor Execution: The script outputs the progress of each step. If a step fails, it prints an error message and exits with status 1.
- Post-Script Verification: After the script completes, confirm the result on both sides:
- Microsoft Entra ID: Run Get-AzureADKerberosServer with the same domain and credentials. The Id/CloudId and KeyVersion/CloudKeyVersion pairs must match; that shows the cloud holds the current copy of the object and its key.
- Azure AD Connect: Confirm the synchronization cycle completed (Get-ADSyncScheduler reports SyncCycleInProgress as False, and the Synchronization Service Manager shows no export errors).
- Active Directory: The object appears as the AzureADKerberos computer account in the Domain Controllers OU (it is represented as a read-only domain controller) together with the krbtgt_AzureAD account in CN=Users. Get-AzureADKerberosServer prints both distinguished names as ComputerAccount and UserAccount.
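The verification steps above can be scripted. The following is an added example, not part of the original script: it reads the object with Get-AzureADKerberosServer, checks that the distinguished names it reports really exist in Active Directory, and flags an Id or key-version mismatch between the on-premises and cloud copies. It assumes the AzureADHybridAuthenticationManagement module and the ActiveDirectory (RSAT) module are installed on the host, and that the property names (Id, CloudId, KeyVersion, CloudKeyVersion, KeyUpdatedOn, ComputerAccount, UserAccount) match the cmdlet's output in your module version.

```powershell
# Added verification example (not from the original page). Requires the
# AzureADHybridAuthenticationManagement and ActiveDirectory (RSAT) modules.
Import-Module AzureADHybridAuthenticationManagement -ErrorAction Stop
Import-Module ActiveDirectory -ErrorAction Stop

function Test-EntraKerberosServer {
    param(
        [Parameter(Mandatory)] [string] $Domain,
        [Parameter(Mandatory)] [pscredential] $CloudCredential,
        [Parameter(Mandatory)] [pscredential] $DomainCredential
    )
    $problems = New-Object System.Collections.Generic.List[string]

    # 1. Published state. The cmdlet returns both the AD and the cloud copy of the object;
    #    Id/CloudId and KeyVersion/CloudKeyVersion must agree, otherwise Entra ID holds a
    #    stale copy of the key (or none at all).
    $ks = Get-AzureADKerberosServer -Domain $Domain -CloudCredential $CloudCredential `
                                    -DomainCredential $DomainCredential -ErrorAction Stop
    if (-not $ks -or -not $ks.Id) {
        throw "No Kerberos Server object found for $Domain; run Set-AzureADKerberosServer first."
    }
    if (-not $ks.CloudId) {
        $problems.Add("Object exists in AD but has not been published to Microsoft Entra ID")
    }
    elseif ($ks.Id -ne $ks.CloudId) {
        $problems.Add("AD object Id ($($ks.Id)) differs from cloud Id ($($ks.CloudId))")
    }
    if ($ks.KeyVersion -ne $ks.CloudKeyVersion) {
        $problems.Add("Key version mismatch: AD=$($ks.KeyVersion) cloud=$($ks.CloudKeyVersion); rotate the key and re-check")
    }

    # 2. On-premises objects. Resolve the DNs the cmdlet reported (the RODC-style computer
    #    account and the dedicated krbtgt account) directly in the domain, so a dangling
    #    reference shows up here rather than at first sign-in.
    $computer = Get-ADObject -Identity $ks.ComputerAccount -Server $Domain `
                             -Credential $DomainCredential -ErrorAction SilentlyContinue
    if (-not $computer) { $problems.Add("Computer account $($ks.ComputerAccount) not found in AD") }
    $krbtgt = Get-ADObject -Identity $ks.UserAccount -Server $Domain `
                           -Credential $DomainCredential -ErrorAction SilentlyContinue
    if (-not $krbtgt) { $problems.Add("Account $($ks.UserAccount) not found in AD") }

    [pscustomobject]@{
        Domain          = $Domain
        ComputerAccount = $ks.ComputerAccount
        KrbtgtAccount   = $ks.UserAccount
        KeyVersion      = $ks.KeyVersion
        CloudKeyVersion = $ks.CloudKeyVersion
        KeyUpdatedOn    = $ks.KeyUpdatedOn
        Healthy         = ($problems.Count -eq 0)
        Problems        = $problems
    }
}

# Usage (interactive; nothing secret is stored in the script):
$domain     = Read-Host -Prompt "Active Directory domain (e.g., yourdomain.com)"
$cloudCred  = Get-Credential -Message "Microsoft Entra ID credentials"
$domainCred = Get-Credential -Message "Active Directory domain credentials"
$result = Test-EntraKerberosServer -Domain $domain -CloudCredential $cloudCred -DomainCredential $domainCred
$result | Format-List
if (-not $result.Healthy) {
    Write-Warning ("Problems found:`n - " + ($result.Problems -join "`n - "))
}
```

A mismatch in KeyVersion with a matching Id is the case to watch for: the object exists on both sides, but tickets issued by Entra ID are signed with a key the domain no longer has (or vice versa), so passwordless sign-in to on-premises resources fails while every portal view looks fine.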
Script Breakdown and Explanation
1. Function: Install-RequiredModules
- Purpose: Installs and updates the PowerShell modules and providers required for managing Azure AD Hybrid Authentication and the Entra ID Kerberos Server.
- Steps:
- Enable TLS 1.2: Ensures the gallery download is not rejected on hosts whose default protocol list is older.
- Install NuGet Package Provider: Required by PowerShellGet for fetching packages from PSGallery.
- Register PSGallery Repository: If not already registered, registers PSGallery with Register-PSRepository -Default (this parameter set restores the built-in registration and does not take -Name) and marks it Trusted. A Trusted policy suppresses the untrusted-repository prompt for every future install on that host, which is convenient for automation but removes one prompt that would otherwise draw attention to an unexpected module install.
- Install/Update PowerShellGet Module: Essential for managing PowerShell modules; the updated version is picked up by new sessions.
- Install AzureADHybridAuthenticationManagement Module: The -AllowClobber flag lets the install proceed even if another module already exports a command of the same name; it permits the overlap rather than preventing a conflict.
- Import and Verify Module: Ensures that the module is installed and available.
2. Function: Publish-KerberosServer
- Purpose: Publishes the Kerberos Server object to Microsoft Entra ID using the Set-AzureADKerberosServer cmdlet.
- Steps:
- Import the Module: Loads the module installed by Option 1, so a missing install fails with a clear message rather than as an unrecognized cmdlet.
- Prompt for Active Directory Domain: Asks for the DNS name of the AD domain (e.g., yourdomain.com) that will host the object, defaulting to the session's domain.
- Prompt for Credentials: Captures the Active Directory credential with Get-Credential. For the cloud side it asks whether the account uses MFA: if so, it passes the user principal name with -UserPrincipalName and the cmdlet signs in interactively; otherwise it captures a credential and passes it with -CloudCredential.
- Execute Set-AzureADKerberosServer Cmdlet: Creates the Kerberos Server object and its key in Active Directory and publishes them to Entra ID.
3. Function: Sync-AzureADConnect
- Purpose: Initiates a delta synchronization cycle with Azure AD Connect so the changes reach Microsoft Entra ID immediately.
- Steps:
- Import ADSync Module: Ships with Azure AD Connect, so this function only works on the Azure AD Connect server.
- Check the Scheduler: Start-ADSyncSyncCycle fails if a cycle is already running, so Get-ADSyncScheduler is consulted first.
- Start Delta Synchronization Cycle: Uses Start-ADSyncSyncCycle -PolicyType Delta to sync only the changes. The cmdlet returns once the cycle is queued, not when it completes.
4. Function: Show-Menu
- Purpose: Displays the menu options to the user.
- Options: 1: Install required modules. 2: Publish Kerberos Server and synchronize. 3: Exit.
5. Main Script Execution
- Administrator Check: Ensures the script is being run with administrative privileges.
- Menu Handling: Displays the menu until the user chooses to exit and calls the matching function: Option 1 calls Install-RequiredModules; Option 2 calls Publish-KerberosServer and then Sync-AzureADConnect; Option 3 exits the script.
- Invalid Input: Prompts the user to select a valid option.
6. Verification Steps
- Guidance: After the menu loop ends, prints the checks to run: Get-AzureADKerberosServer for the published state, the Azure AD Connect scheduler for the sync result, and the on-premises objects (AzureADKerberos in the Domain Controllers OU, krbtgt_AzureAD in CN=Users).
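Because Start-ADSyncSyncCycle returns as soon as the cycle is queued, the Sync-AzureADConnect function described above cannot tell a completed sync from one that is still running. The following is an added example, not from the original page, of a sync helper that refuses to start while another cycle is running, warns when the server is in staging mode (a staging server never exports to Entra ID), and then waits for the scheduler to report the cycle finished. It assumes the ADSync module that ships with Azure AD Connect and the documented Get-ADSyncScheduler properties (SyncCycleInProgress, SyncCycleEnabled, StagingModeEnabled).

```powershell
# Added example (not part of the original script). Run on the Azure AD Connect server.
Import-Module ADSync -ErrorAction Stop

function Invoke-ADSyncCycleAndWait {
    param(
        [ValidateSet('Delta', 'Initial')] [string] $PolicyType = 'Delta',
        [int] $StartTimeoutSeconds = 120,   # how long to wait for the queued cycle to actually begin
        [int] $RunTimeoutSeconds   = 1800,  # how long a cycle may run before we stop waiting
        [int] $PollSeconds         = 10
    )
    $scheduler = Get-ADSyncScheduler
    if ($scheduler.SyncCycleInProgress) {
        throw "A sync cycle is already in progress; Start-ADSyncSyncCycle would fail. Retry after it completes."
    }
    if (-not $scheduler.SyncCycleEnabled) {
        Write-Warning "Scheduled sync is disabled on this server (SyncCycleEnabled=False). A manual cycle is still attempted, but find out why the scheduler was turned off."
    }
    if ($scheduler.StagingModeEnabled) {
        Write-Warning "This server is in staging mode: it imports and synchronizes but does not export to Microsoft Entra ID, so changes will not reach the cloud from here."
    }

    Start-ADSyncSyncCycle -PolicyType $PolicyType -ErrorAction Stop | Out-Null
    $started = Get-Date

    # Phase 1: the cycle is only queued at this point; wait until the scheduler reports it running.
    # A very short delta cycle can start and finish between two polls, so a timeout here is
    # reported rather than treated as a failure.
    $observedRunning = $false
    $deadline = $started.AddSeconds($StartTimeoutSeconds)
    while ((Get-Date) -lt $deadline) {
        if ((Get-ADSyncScheduler).SyncCycleInProgress) { $observedRunning = $true; break }
        Start-Sleep -Seconds 1
    }
    if (-not $observedRunning) {
        Write-Warning "Did not observe the cycle running within $StartTimeoutSeconds seconds; it may have completed quickly. Check the run history in Synchronization Service Manager."
    }

    # Phase 2: wait for SyncCycleInProgress to flip back to False.
    $deadline = (Get-Date).AddSeconds($RunTimeoutSeconds)
    while ((Get-ADSyncScheduler).SyncCycleInProgress) {
        if ((Get-Date) -gt $deadline) {
            throw "Sync cycle did not finish within $RunTimeoutSeconds seconds; check the Synchronization Service Manager."
        }
        Start-Sleep -Seconds $PollSeconds
    }

    [pscustomobject]@{
        PolicyType      = $PolicyType
        StartedAt       = $started
        FinishedAt      = Get-Date
        ObservedRunning = $observedRunning
        StagingMode     = $scheduler.StagingModeEnabled
    }
}

# Usage:
Invoke-ADSyncCycleAndWait -PolicyType Delta | Format-List
```

The scheduler flags only tell you that the cycle ran, not that every connector step succeeded; an export error to Microsoft Entra ID still has to be read from the run history in Synchronization Service Manager.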
Best Practices and Notes
- Secure Credential Handling: The script uses Get-Credential and interactive sign-in to capture credentials at run time. Never hardcode credentials in the script or pass them on the command line, where they would land in shell history and transcripts. The PSCredential objects stay in memory for the life of the session, so close the session when you are done.
- Least Privilege and Admin Host: The Active Directory credential must be a Domain Admin and the cloud account a highly privileged Entra ID role, so use dedicated administrative accounts and run the script only from a hardened administrative host, never from an ordinary workstation.
- Key Rotation: Set-AzureADKerberosServer creates the krbtgt_AzureAD account whose key is shared with Microsoft Entra ID. Microsoft recommends rotating that key regularly, on the same schedule you use for your other domain controller krbtgt keys; Set-AzureADKerberosServer -RotateServerKey performs the rotation. This is the most important follow-up task the script does not do for you.
- Error Handling: The script uses try-catch blocks to catch failures, print a meaningful error message and exit with status 1, so a failed step is never silently skipped.
- Module Updates: The script forces updates of PowerShellGet and installs the AzureADHybridAuthenticationManagement module to ensure compatibility.
- Testing: Always test the script in a lab forest and test tenant before running it in production.
- Logging: For production use, wrap the run in Start-Transcript / Stop-Transcript or add your own logging to capture execution details for auditing and troubleshooting. Transcripts record console input and output, so review them for sensitive data before sharing them.
- Permissions: See Prerequisites. The cmdlet creates a domain controller-like object, so it needs Domain Admin rights in the on-premises domain as well as a privileged Entra ID account.
- Internet Access: Option 1 downloads modules from PSGallery and Option 2 talks to Microsoft Entra ID, so the host needs outbound HTTPS to both. Option 1 can be skipped on a host provisioned from an internal repository that already has the module.
Additional Information
- Set-AzureADKerberosServer Cmdlet: Part of the AzureADHybridAuthenticationManagement module. Verify its availability with:
Get-Command -Module AzureADHybridAuthenticationManagement
Related cmdlets in the same module: Get-AzureADKerberosServer reads the object from both Active Directory and Microsoft Entra ID (Id/CloudId, KeyVersion/CloudKeyVersion, KeyUpdatedOn), and Set-AzureADKerberosServer -RotateServerKey rotates the shared key. Keep the module up to date.
- Azure AD Connect Synchronization Types:
- Delta Sync (-PolicyType Delta): Synchronizes only changes since the last sync.
- Full Sync (-PolicyType Initial): Synchronizes all objects, regardless of changes. Use this if you need to ensure that all objects are in sync; it takes much longer on large directories.
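Key rotation is the one recurring task the setup script leaves to you. The following is an added example, not part of the original page, of a rotation routine built on the same cmdlets: it reads the current key age from Get-AzureADKerberosServer, rotates with Set-AzureADKerberosServer -RotateServerKey only when the key is older than a threshold (or when forced), and confirms afterwards that the new version reached both Active Directory and Microsoft Entra ID. The 30-day default is an illustrative assumption; take the real cadence from the schedule you use for your other krbtgt accounts.

```powershell
# Added key-rotation example (not from the original page).
Import-Module AzureADHybridAuthenticationManagement -ErrorAction Stop

function Update-EntraKerberosServerKey {
    param(
        [Parameter(Mandatory)] [string] $Domain,
        [Parameter(Mandatory)] [pscredential] $CloudCredential,
        [Parameter(Mandatory)] [pscredential] $DomainCredential,
        [int] $MaxKeyAgeDays = 30,   # assumed threshold for illustration; align with your krbtgt schedule
        [switch] $Force
    )
    $before = Get-AzureADKerberosServer -Domain $Domain -CloudCredential $CloudCredential `
                                        -DomainCredential $DomainCredential -ErrorAction Stop
    if (-not $before -or -not $before.Id) {
        throw "No Kerberos Server object found for $Domain; nothing to rotate."
    }
    $ageDays = [math]::Round(((Get-Date) - [datetime]$before.KeyUpdatedOn).TotalDays, 1)

    if (-not $Force -and $ageDays -lt $MaxKeyAgeDays) {
        return [pscustomobject]@{
            Rotated            = $false
            KeyVersion         = $before.KeyVersion
            PreviousKeyVersion = $before.KeyVersion
            KeyAgeDays         = $ageDays
            Reason             = "Key is $ageDays days old, below the $MaxKeyAgeDays-day threshold"
        }
    }

    # -RotateServerKey generates a new key for the krbtgt_AzureAD account in Active Directory
    # and publishes it to Microsoft Entra ID in the same call.
    Set-AzureADKerberosServer -Domain $Domain -CloudCredential $CloudCredential `
                              -DomainCredential $DomainCredential -RotateServerKey -ErrorAction Stop

    # Re-read and insist that the version advanced on both sides; a half-applied rotation
    # (new key in AD, old key in the cloud) breaks sign-in until it is completed.
    $after = Get-AzureADKerberosServer -Domain $Domain -CloudCredential $CloudCredential `
                                       -DomainCredential $DomainCredential -ErrorAction Stop
    if ($after.KeyVersion -eq $before.KeyVersion) {
        throw "Rotation did not change the key version in Active Directory (still $($after.KeyVersion))."
    }
    if ($after.KeyVersion -ne $after.CloudKeyVersion) {
        throw "Key version mismatch after rotation: AD=$($after.KeyVersion) cloud=$($after.CloudKeyVersion). Re-run the rotation and investigate before relying on passwordless sign-in."
    }

    [pscustomobject]@{
        Rotated            = $true
        KeyVersion         = $after.KeyVersion
        PreviousKeyVersion = $before.KeyVersion
        KeyAgeDays         = 0
        Reason             = "Key was $ageDays days old (threshold $MaxKeyAgeDays days)" + $(if ($Force) { "; forced" } else { "" })
    }
}

# Usage (interactive):
$domain     = Read-Host -Prompt "Active Directory domain (e.g., yourdomain.com)"
$cloudCred  = Get-Credential -Message "Microsoft Entra ID credentials"
$domainCred = Get-Credential -Message "Active Directory domain credentials"
Update-EntraKerberosServerKey -Domain $domain -CloudCredential $cloudCred -DomainCredential $domainCred | Format-List
```

Run it from a scheduled administrative task with dedicated accounts, not from an interactive session with your everyday identity, and treat the krbtgt_AzureAD key like any other krbtgt: if you ever suspect the domain's credential material has been exposed, a forced rotation of this key belongs in the same recovery plan as the regular krbtgt reset.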
By using this script with its two primary options, you can efficiently manage the installation of necessary modules and the publication of the Kerberos Server object to Microsoft Entra ID, along with ensuring synchronization between your on-premises environment and the cloud. This modular approach provides flexibility and ease of use, allowing you to perform only the steps you need at any given time.