Create Azure Access token for Microsoft Graph
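function Get-AccessToken {
    <#
    .SYNOPSIS
    Creates an access token for Microsoft Graph (or the Security Graph).
    .DESCRIPTION
    Requests an access token for the Microsoft Graph API, either from the current Az context
    (no parameters) or for an App Registration using the client_credentials grant
    (-ApplicationId, -ApplicationSecret and -TenantId together).
    The result is stored in the script-scoped variable $aadRequestHeader (a hashtable with the
    keys Token, Authentication and Method, intended for splatting into Invoke-RestMethod) and the
    token expiry in the script-scoped variable $endDate. A new token is only requested when no
    token has been cached yet or the cached one expires within five minutes.
    Status messages are written with Write-Output, so capturing the function's output also
    captures them.
    .PARAMETER ApplicationId
    Application (client) ID of the App Registration.
    .PARAMETER ApplicationSecret
    Client secret of the App Registration. It is taken as a plain string, so it can end up in
    command history, transcripts and process listings; read it from a secret store rather than
    typing it on the command line.
    .PARAMETER TenantId
    Tenant ID (looks like a GUID). Used to build the token endpoint URL for the App
    Registration flow.
    .PARAMETER SecurityGraph
    Request a token for the Security Graph (https://api.security.microsoft.com) instead of
    Microsoft Graph. Only honoured in the App Registration flow; the current-context flow
    always requests a Microsoft Graph token.
    .EXAMPLE
    This will request the access token on behalf of the current user and create a http header called $aadRequestHeader
    Get-AccessToken
    Invoke-RestMethod -Uri https://graph.microsoft.com/beta/users @aadRequestHeader
    .EXAMPLE
    This will request the access token for an App Registration and create a http header called $aadRequestHeader
    Get-AccessToken -ApplicationId 'MyApplicationId' -ApplicationSecret 'MySecretValue' -TenantId '3efd0d14-d94c-4cd2-8fe9-cef8616e3703'
    Invoke-RestMethod -Uri https://graph.microsoft.com/beta/users @aadRequestHeader
    #>
    [CmdletBinding()]
    param (
        [Parameter(Mandatory = $false, ValueFromPipeline = $true)]
        [string]$ApplicationId,
        [Parameter(Mandatory = $false, ValueFromPipeline = $true)]
        [string]$ApplicationSecret,
        [Parameter(Mandatory = $false, ValueFromPipeline = $true)]
        [string]$TenantId,
        [Parameter(Mandatory = $false, ValueFromPipeline = $true)]
        [switch]$SecurityGraph
    )

    begin {
        Write-Output "[+] Get-AccessToken : Checking if the Access Token in not expired "
        $startDate = (Get-Date).ToLocalTime()

        # $script:endDate is only set once a token has been obtained. Treat "no token yet"
        # as expired explicitly instead of relying on $null comparing as 0 below.
        if ($null -eq $script:endDate) {
            $valid = 0
        } else {
            # TotalMinutes, not Minutes: .Minutes is only the minutes component of the span,
            # so a token valid for another 1h02m would be reported as expiring in 2 minutes.
            $valid = (New-TimeSpan -Start $startDate -End $script:endDate).TotalMinutes
        }

        if ($valid -le 5) {
            Write-Output "[-] Get-AccessToken : The access token has been expired"
            $invalidToken = $true
        } else {
            Write-Output "[-] Get-AccessToken : Access token is valid until $script:endDate"
            $invalidToken = $false
        }
    }

    process {
        if (-not $invalidToken) {
            return
        }

        if (-not $ApplicationId) {
            # Token from the current Az context. -SecurityGraph is not applied here; the
            # context token is always requested for Microsoft Graph.
            Write-Output "[-] Get-AccessToken : Get access token from current context"
            $graphToken = Get-AzAccessToken -ResourceTypeName MSGraph
            $script:endDate = ($graphToken.ExpiresOn).LocalDateTime
            $script:aadRequestHeader = @{
                # Stored as SecureString so it can be passed to Invoke-RestMethod -Token.
                "Token"          = ($graphToken.Token | ConvertTo-SecureString -AsPlainText -Force)
                "Authentication" = $graphToken.Type
                "Method"         = 'GET'
            }
            return
        }

        # App Registration (client_credentials) flow: all three values are needed.
        Write-Output "[-] Get-AccessToken : Get access token from App Registration"
        if ([string]::IsNullOrEmpty($ApplicationId) -or [string]::IsNullOrEmpty($ApplicationSecret) -or [string]::IsNullOrEmpty($TenantId)) {
            Write-Error "Not all required parameters are provided"
            return
        }

        $payload = @{
            grant_type    = "client_credentials"
            client_id     = "$ApplicationId"
            client_secret = "$ApplicationSecret"
        }

        # The token endpoint is built from -TenantId; escape it so it cannot alter the
        # URL structure (a tenant ID is a GUID or a verified domain name).
        $tenantSegment = [uri]::EscapeDataString($TenantId)
        if ($SecurityGraph) {
            # v1 endpoint uses 'resource' for the audience.
            $authUri = "https://login.windows.net/$tenantSegment/oauth2/token"
            $payload.resource = 'https://api.security.microsoft.com'
        } else {
            # v2 endpoint uses 'scope' with the .default scope.
            $authUri = "https://login.microsoftonline.com/$tenantSegment/oauth2/v2.0/token"
            $payload.scope = 'https://graph.microsoft.com/.default'
        }

        try {
            Write-Output "[-] Get-AccessToken : Requesting token from the Azure Active Directory"
            $requestHash = @{
                "Uri"           = $authUri
                "Method"        = 'POST'
                "Body"          = $payload
                "ErrorVariable" = 'ErrMsg'
            }
            $graphToken = Invoke-RestMethod @requestHash
            # expires_in is the token lifetime in seconds from the OAuth response.
            $script:endDate = (Get-Date).AddSeconds($graphToken.expires_in)
            $script:aadRequestHeader = @{
                "Token"          = ($graphToken.access_token | ConvertTo-SecureString -AsPlainText -Force)
                "Authentication" = $graphToken.token_type
                "Method"         = 'GET'
            }
            Write-Output "[-] Get-AccessToken : Succesfully created access token"
        } catch {
            # The token endpoint returns a JSON body with error_description; fall back to the
            # exception message when there is no body or it is not JSON (e.g. a network error),
            # so the original failure is not hidden behind a parse error.
            $message = $_.Exception.Message
            try {
                $detail = ($ErrMsg.ErrorRecord | ConvertFrom-Json -ErrorAction Stop).error_description
                if ($detail) {
                    $message = ($detail -split "`r")[0]
                }
            } catch {
                # Keep the exception message as the best available description.
            }
            Write-Error $message
        }
    }
}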
Description
This Azure function can be used to create an authentication header to use for requests to the Microsoft Graph or Security Graph.
When running the script, an environment variable `aadRequestHeader` will be created that can be used in the Invoke-RestMethod call.
Example 1
Request an Access Token for the current PowerShell context
Get-AccessToken
Example 2
Request an Access Token in the current PowerShell context for the Security Graph
Example 3
Request an Access Token for an App Registration
Output Usage
Example 4