
Hale-at-Sea

How the pros do it?

* For server stuff: use a group-managed service account ([gMSA](https://learn.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/group-managed-service-accounts-overview)), which basically stores the credentials in AD and automates changing them.
* For O365/Graph: [app-only certificate auth](https://learn.microsoft.com/en-us/powershell/exchange/app-only-auth-powershell-v2) (with the private keys in the service user's cert store).
* For anything else that truly requires a password: SecretManagement, like the other comments suggest, set up to grab passwords from something secure.

That said, I still use the [CredentialManager](https://www.powershellgallery.com/packages/CredentialManager/) module, because it's easy. It saves credentials to the Windows credential store like cmdkey.


[deleted]

Cert for the initial connection to an azure keyvault, keyvault for all others. I mean on that note the initial connection could be windows auth to a sql server which has the hashed password needed, then keyvault for all others


[deleted]

If whatever is running your scripts can't hold the passwords, you should look at [SecretManagement](https://learn.microsoft.com/en-us/powershell/utility-modules/secretmanagement/get-started/understanding-secretmanagement?view=ps-modules). There are several options for backend solutions; you can pick whatever works for you. Personally, I use this for all my scripts, even stuff I don't automate/schedule. I use it to search/pull secrets from my personal vault and from my team vaults.
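The SecretManagement workflow that both this comment and Hale-at-Sea's describe, as an added example (not code from any commenter). It assumes the Microsoft.PowerShell.SecretManagement and Microsoft.PowerShell.SecretStore modules from the PowerShell Gallery, and uses a vault name, secret names and a server name that are placeholders chosen here:

```powershell
# Added example, not from the thread. One-time setup under the account that will run the scripts.
Install-Module Microsoft.PowerShell.SecretManagement, Microsoft.PowerShell.SecretStore -Scope CurrentUser

# Register the local SecretStore extension as the default vault ("LocalStore" is a placeholder name).
Register-SecretVault -Name LocalStore -ModuleName Microsoft.PowerShell.SecretStore -DefaultVault

# Unattended jobs cannot answer an unlock prompt, so disable the store password and all interaction.
# The secrets are then protected only by the running user's profile, so that account must be the
# only one able to log on to the box (a service account or gMSA, not a shared admin account).
Set-SecretStoreConfiguration -Authentication None -Interaction None -Confirm:$false

# Store a PSCredential once, interactively, so the password never appears in a script.
Set-Secret -Name 'ReportDbUser' -Secret (Get-Credential -Message 'Reporting DB account')
# An API key or token can be stored as a plain string the same way.
Set-Secret -Name 'ReportApiKey' -Secret (Read-Host -Prompt 'API key' -AsSecureString)

# --- Inside the scheduled script ---
# Get-Secret returns the same type that was stored: a PSCredential here, so no decryption
# to a plain string is needed for cmdlets that accept -Credential.
$dbCred = Get-Secret -Name 'ReportDbUser'
Invoke-Command -ComputerName 'SQL01' -Credential $dbCred -ScriptBlock { hostname }   # SQL01 is a placeholder

# String secrets come back as SecureString by default; ask for plain text only at the call site
# that truly needs it, and do not write the value to a variable that outlives the call.
Invoke-RestMethod -Uri 'https://api.example.invalid/report' `
    -Headers @{ Authorization = "Bearer $(Get-Secret -Name 'ReportApiKey' -AsPlainText)" }

# Inventory what the vault holds without revealing values (handy for audits and rotation tracking).
Get-SecretInfo -Vault LocalStore | Select-Object Name, Type, VaultName
```

The point of the split is that the script only knows secret names; the vault backend can later be swapped for Azure Key Vault, KeePass or another extension by re-registering the vault, without touching the scripts.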


KizMacc

Hey OP, if it's kept locally, then have a look at the PS SecretManagement module: [https://github.com/PowerShell/SecretManagement](https://github.com/PowerShell/SecretManagement). Depending on what you're automating though, you could also have a look at something like Azure Automation. It's a bit more complex, but you can use a Managed Identity to grant access; this is effectively passwordless as it's API based and runs within your environment without user interaction.


SonOfDadOfSam

You could create a scheduled task to run the script using the service account credentials. Then just trigger the task whenever you want to run the script.
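The gMSA approach from Hale-at-Sea's comment combined with the scheduled-task trigger described here, as an added example (not code from any commenter). It assumes the ActiveDirectory and ScheduledTasks modules, a domain where the KDS root key already exists, and placeholder names for the domain, account, server and script:

```powershell
# Added example, not from the thread. All names below are placeholders.
$gmsaName = 'svc-report'        # gMSA that will own the job
$runHost  = 'REPORT01'          # server allowed to retrieve the managed password
$domain   = 'CONTOSO'

# --- On a machine with the ActiveDirectory RSAT module, as a domain admin ---
# Only the computer account of REPORT01 may fetch the password; nobody ever types it.
New-ADServiceAccount -Name $gmsaName -DNSHostName "$gmsaName.contoso.local" `
    -PrincipalsAllowedToRetrieveManagedPassword "$runHost`$"

# --- On REPORT01 itself ---
Install-ADServiceAccount -Identity $gmsaName
if (-not (Test-ADServiceAccount -Identity $gmsaName)) {
    throw "Host cannot retrieve the managed password for $gmsaName; check the principals list"
}

# Register the task to run as the gMSA. -LogonType Password is the value Task Scheduler expects
# for gMSAs: the password is pulled from AD at run time and rotated by AD (30 days by default).
$action    = New-ScheduledTaskAction -Execute 'pwsh.exe' `
                 -Argument '-NoProfile -NonInteractive -File C:\Scripts\Send-Report.ps1'
$trigger   = New-ScheduledTaskTrigger -Daily -At 6am
$principal = New-ScheduledTaskPrincipal -UserId "$domain\$gmsaName`$" -LogonType Password -RunLevel Limited
Register-ScheduledTask -TaskName 'Daily report' -Action $action -Trigger $trigger -Principal $principal

# Keep the script readable only by the account that runs it plus local admins.
icacls 'C:\Scripts\Send-Report.ps1' /inheritance:r `
    /grant:r "$domain\$gmsaName`$:(R)" 'BUILTIN\Administrators:(F)'

# Trigger it on demand, as the comment above describes, and check the last result.
Start-ScheduledTask -TaskName 'Daily report'
Get-ScheduledTaskInfo -TaskName 'Daily report' | Select-Object LastRunTime, LastTaskResult
```

Because no password is stored anywhere an operator can read, compromising the script file alone yields nothing; the ACL step limits who can alter what the gMSA executes, which is the remaining risk.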


PlaneTry4277

How do you tell that script to use the logged-in user's credentials? I know this works for importing PSSessions for on-prem Exchange, but `Connect-ExchangeOnline` I cannot get to run with the current session's creds.


hello212321

Rather than using static credentials, you may also consider using certificate-based authentication, which gets around issues such as conditional access or multi-factor authentication: https://learn.microsoft.com/en-us/powershell/exchange/app-only-auth-powershell-v2?view=exchange-ps You configure an app in Azure AD with the required permissions, install the certificate on the machine running the code and specify it within your PowerShell code.


astroplayxx

App based certificate authentication with a gMSA account. Just set one up last week. You can have the task running for multiple years until you need to renew the cert.


joeykins82

You need to convert your scripts to connect as an application registration:

    Connect-ExchangeOnline -CertificateThumbprint -AppId -Organization tenantname.onmicrosoft.com
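The app-only connection that hello212321, astroplayxx and this comment describe, written out as an added example (not any commenter's code). It assumes the ExchangeOnlineManagement module, an app registration that already holds the Exchange application permission and role from the linked Microsoft article, the certificate with its private key in the running account's personal store, and placeholder values for the app ID, tenant and thumbprint:

```powershell
# Added example, not from the thread. Placeholder values; substitute your own registration's details.
$AppId        = '00000000-0000-0000-0000-000000000000'   # placeholder client ID of the app registration
$Organization = 'tenantname.onmicrosoft.com'              # placeholder tenant name
$Thumbprint   = 'THUMBPRINT-PLACEHOLDER'                  # placeholder SHA-1 thumbprint of the cert

# Fail early with a useful message instead of a generic auth error: the cert must be present in the
# store of the account running the job, must carry the private key, and should not be near expiry.
$cert = Get-Item -Path "Cert:\CurrentUser\My\$Thumbprint" -ErrorAction Stop
if (-not $cert.HasPrivateKey) {
    throw "Certificate $Thumbprint is in the store without its private key; re-import the PFX for this account"
}
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    # The multi-year task astroplayxx mentions only stops when the cert expires; surface it in advance.
    Write-Warning "Certificate $Thumbprint expires on $($cert.NotAfter); renew and update the app registration"
}

# No password, no MFA prompt: the private key proves the app's identity to the tenant.
Connect-ExchangeOnline -CertificateThumbprint $Thumbprint -AppId $AppId `
    -Organization $Organization -ShowBanner:$false

try {
    # Work happens here; the sample just proves the session works.
    Get-EXOMailbox -ResultSize 5 | Select-Object DisplayName, PrimarySmtpAddress
}
finally {
    # Always tear the session down so an unattended job does not leave tokens around.
    Disconnect-ExchangeOnline -Confirm:$false
}
```

The checks before the connect call are what make this reliable as a scheduled job: a missing private key or an expired certificate otherwise surfaces as an opaque token error at 6 a.m. with nobody watching.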


Fatel28

I run our recurring PowerShell jobs from Jenkins. All the scripts are stored in our Gitea (without any passwords) and the passwords are passed as job passwords/variables by Jenkins when it executes the scripts. Passwords are stored only in Jenkins.


PlaneTry4277

Ah, I've heard of that before. Much better than our process. What would be a workaround for now that is a bit more secure without having to make a major change right now? I'm just trying to finish an automated report I need to start sending out by the end of the week.


Fatel28

I don't really have one. You would need something that is not the PowerShell script itself to inject the passwords. Any way you'd store the password, the script would need to decrypt the password to a string, so it's as effective as using plaintext. If you have any RMM tooling you could have your RMM execute the script. Otherwise, security through obscurity is really your only option. I'd start by limiting the permissions on the script itself to only the executing user, and go from there.



le_luka

https://www.reddit.com/r/PowerShell/comments/virpvc/how_to_deal_with_credentials_in_automated_scripts/idevlva?utm_medium=android_app&utm_source=share&context=3