@azurekid
Last active May 18, 2022 21:01
TokenHeader
$authenticationHeader = @{
"Sec-Fetch-Dest" = "empty";
"Sec-Fetch-Mode" = "cors";
"accept-encoding" = "gzip, deflate, br";
"accept-language" = "en";
"x-ms-effective-locale" = "en.en-us"
"Authorization" = "Bearer <#TokenValuePlainText#>";
"Content-Type" = "application/json";
"x-ms-client-request-id" = (New-Guid).Guid;
"x-ms-session-id" = "12345678910111213141516";
"Accept" = "*/*";
"x-requested-with" = "XMLHttpRequest";
"user-agent" = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3829.0 Safari/537.36 Edg/77.0.197.1";
"method" = "GET"
}

azurekid commented May 18, 2022

Description

This header can be used to authenticate against the 'hidden' Azure AD API.

  • Replace the <#TokenValuePlainText#> with your own token value

Example

# ObjectId of target user
$targetObjectId = 'b88545d6-0cef-4502-9549-5398e01ca24b'

# Uri of _hidden_ API endpoint for identity
$baseUri = 'https://canary.iam.ad.ext.azure.com/api/'

$uri = '{0}PasswordReset/IsResetPasswordByObjectIdAllowed?objectId={1}' -f $baseUri, $targetObjectId
Invoke-RestMethod -Uri $uri -Headers $authenticationHeader 

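An added example, not part of the original gist: one way to fill the `Authorization` entry without pasting the token into the script, checking the token's `exp` claim first. The function names `Get-BearerTokenClaims` and `Get-ValidatedBearerValue` and the `MinimumLifetimeSeconds` parameter are hypothetical, and the token is assumed to be a compact JWT.

```powershell
# Added example; function and parameter names are hypothetical.
function Get-BearerTokenClaims {
    param([Parameter(Mandatory)][string]$Token)

    $parts = $Token.Split('.')
    if ($parts.Count -ne 3) { throw 'Not a compact JWT: expected three dot-separated segments.' }

    # The payload is base64url: map the URL-safe alphabet back and restore padding.
    $b64 = $parts[1].Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) {
        1 { throw 'Invalid base64url length in JWT payload.' }
        2 { $b64 += '==' }
        3 { $b64 += '=' }
    }
    # This only reads the claims; it does not verify the signature.
    $json = [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64))
    $json | ConvertFrom-Json
}

function Get-ValidatedBearerValue {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][securestring]$Token,
        [int]$MinimumLifetimeSeconds = 60
    )
    # Convert to plain text in memory only, for the duration of this call.
    $plain  = [System.Net.NetworkCredential]::new('', $Token).Password
    $claims = Get-BearerTokenClaims -Token $plain
    if ($null -eq $claims.exp) { throw 'Token has no exp claim.' }

    # exp is seconds since the Unix epoch (UTC).
    $expires = [DateTimeOffset]::FromUnixTimeSeconds([long]$claims.exp)
    if ($expires -lt [DateTimeOffset]::UtcNow.AddSeconds($MinimumLifetimeSeconds)) {
        throw "Token expired or about to expire ($($expires.UtcDateTime.ToString('u')))."
    }
    # Show audience and expiry with -Verbose so a token for the wrong resource is noticed early.
    Write-Verbose ("aud={0} exp={1:u}" -f $claims.aud, $expires.UtcDateTime)
    "Bearer $plain"
}

# Usage with the $authenticationHeader hashtable from the gist:
# $secureToken = Read-Host -Prompt 'Token' -AsSecureString
# $authenticationHeader['Authorization'] = Get-ValidatedBearerValue -Token $secureToken -Verbose
```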