@azurekid
Last active May 2, 2022 12:33
Create Azure Access token for Microsoft Graph
```powershell
function Get-AccessToken {
    <#
    .SYNOPSIS
    Creates an access token for Microsoft Graph
    .DESCRIPTION
    This function can be used to create an access token to query the Microsoft Graph API.
    The resulting request header is stored in the script-scoped variable $aadRequestHeader and
    its expiry in $endDate; a new token is only requested when fewer than 5 minutes of validity remain.
    Note: the -Token and -Authentication parameters of Invoke-RestMethod used here require PowerShell 6.0 or later.
    .PARAMETER ApplicationId
    Enter the Application (client) ID of the App Registration
    .PARAMETER ApplicationSecret
    Enter the Application Secret
    .PARAMETER TenantId
    Enter the tenant ID, which looks like a GUID
    .PARAMETER SecurityGraph
    Request a token for the Security Graph (https://api.security.microsoft.com) instead of Microsoft Graph
    .EXAMPLE
    This will request the access token on behalf of the current user and create an HTTP header called $aadRequestHeader
    Get-AccessToken
    Invoke-RestMethod -Uri https://graph.microsoft.com/beta/users @aadRequestHeader
    .EXAMPLE
    This will request the access token for an App Registration and create an HTTP header called $aadRequestHeader
    Get-AccessToken -ApplicationId 'MyApplicationId' -ApplicationSecret 'MySecretValue' -TenantId '3efd0d14-d94c-4cd2-8fe9-cef8616e3703'
    Invoke-RestMethod -Uri https://graph.microsoft.com/beta/users @aadRequestHeader
    #>
    [CmdletBinding()]
    param (
        [Parameter(Mandatory = $false, ValueFromPipeline = $true)]
        [string]$ApplicationId,
        [Parameter(Mandatory = $false, ValueFromPipeline = $true)]
        [string]$ApplicationSecret,
        [Parameter(Mandatory = $false, ValueFromPipeline = $true)]
        [string]$TenantId,
        [Parameter(Mandatory = $false, ValueFromPipeline = $true)]
        [switch]$SecurityGraph
    )
    begin {
        Write-Output "[+] Get-AccessToken : Checking if the access token is not expired"
        $startDate = (Get-Date).ToLocalTime()
        # $endDate is set in the script scope by a previous call; with no cached token the remaining time is 0
        $valid = 0
        if ($null -ne $endDate) {
            # TotalMinutes is the whole remaining time; .Minutes would only be the minutes component (0-59)
            $valid = (New-TimeSpan -Start $startDate -End $endDate).TotalMinutes
        }
        if ($valid -le 5) {
            Write-Output "[-] Get-AccessToken : The access token has expired (or expires within 5 minutes)"
            $invalidToken = $true
        }
        else {
            Write-Output "[-] Get-AccessToken : Access token is valid until $endDate"
            $invalidToken = $false
        }
    }
    process {
        if ($invalidToken) {
            if (-not ($ApplicationId)) {
                # Get the access token from the current Az context (requires a prior Connect-AzAccount)
                Write-Output "[-] Get-AccessToken : Get access token from current context"
                $graphToken = Get-AzAccessToken -ResourceTypeName MSGraph
                $script:endDate = ($graphToken.ExpiresOn).LocalDateTime
                $script:aadRequestHeader = @{
                    "Token"          = ($graphToken.Token | ConvertTo-SecureString -AsPlainText -Force)
                    "Authentication" = $graphToken.Type
                    "Method"         = 'GET'
                }
            }
            else {
                Write-Output "[-] Get-AccessToken : Get access token from App Registration"
                if ([string]::IsNullOrEmpty($ApplicationId) -or [string]::IsNullOrEmpty($ApplicationSecret) -or [string]::IsNullOrEmpty($TenantId)) {
                    Write-Error "Not all required parameters are provided"
                    return
                }
                # OAuth 2.0 client credentials grant; form field names are lower case
                $payload = @{
                    grant_type    = "client_credentials"
                    client_id     = "$ApplicationId"
                    client_secret = "$ApplicationSecret"
                }
                if ($SecurityGraph) {
                    # v1.0 endpoint: the target API is passed as 'resource'
                    $authUri = "https://login.windows.net/$TenantId/oauth2/token"
                    $payload.resource = 'https://api.security.microsoft.com'
                }
                else {
                    # v2.0 endpoint: the target API is passed as a 'scope' ending in /.default
                    $authUri = "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token"
                    $payload.scope = 'https://graph.microsoft.com/.default'
                }
                try {
                    Write-Output "[-] Get-AccessToken : Requesting token from the Azure Active Directory"
                    $requestHash = @{
                        "Uri"         = $authUri
                        "Method"      = 'POST'
                        "Body"        = $payload
                        "ErrorAction" = 'Stop'   # make an HTTP error reach the catch block
                    }
                    $graphToken = Invoke-RestMethod @requestHash
                    $script:endDate = (Get-Date).AddSeconds($graphToken.expires_in)
                    $script:aadRequestHeader = @{
                        "Token"          = ($graphToken.access_token | ConvertTo-SecureString -AsPlainText -Force)
                        "Authentication" = $graphToken.token_type
                        "Method"         = 'GET'
                    }
                    Write-Output "[-] Get-AccessToken : Successfully created access token"
                }
                catch {
                    # On an HTTP error the JSON body returned by Azure AD is in ErrorDetails.Message
                    $detail = $_.ErrorDetails.Message
                    if ($detail) {
                        Write-Error ((($detail | ConvertFrom-Json).error_description) -split "`r")[0]
                    }
                    else {
                        Write-Error $_.Exception.Message
                    }
                }
            }
        }
    }
}
```
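The function above trusts that whatever comes back from the token endpoint is the token it asked for and tracks expiry only by wall-clock arithmetic. Before handing a cached token to Invoke-RestMethod it is worth reading the claims inside the JWT itself: the `aud` claim tells you which API the token was issued for (a Security Graph token will not work against Microsoft Graph and vice versa) and `exp` is the authoritative expiry. The following is an added example, not part of the original gist, that decodes the JWT payload locally and applies the same 5-minute margin as Get-AccessToken. The helper names (`ConvertFrom-Base64Url`, `ConvertTo-Base64Url`, `Get-JwtPayload`, `Test-AccessToken`) are my own; the sample token is constructed inline with a placeholder signature, and the signature is deliberately not verified here (that is the resource server's job), so this is a sanity check on a token you already obtained, not a validation of its authenticity.

```powershell
# Added example (not from the original gist): read the claims of an access token
# and check audience and remaining lifetime before using it.

function ConvertFrom-Base64Url {
    param([Parameter(Mandatory)][string]$Value)
    # JWT segments are base64url without padding: restore '+', '/' and '=' for FromBase64String
    $s = $Value.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) {
        2 { $s += '==' }
        3 { $s += '=' }
    }
    return [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($s))
}

function ConvertTo-Base64Url {
    param([Parameter(Mandatory)][string]$Value)
    $b64 = [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($Value))
    return $b64.TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

function Get-JwtPayload {
    param([Parameter(Mandatory)][string]$Token)
    $parts = $Token.Split('.')
    if ($parts.Count -ne 3) {
        throw "Not a JWT: expected 3 dot-separated parts, got $($parts.Count)"
    }
    $json = ConvertFrom-Base64Url -Value $parts[1]
    return ($json | ConvertFrom-Json)
}

function Test-AccessToken {
    # Returns $true when the audience is one we expect and at least $MinimumMinutes of validity remain.
    # Microsoft Graph tokens carry either the URL or Graph's well-known application ID as audience.
    param(
        [Parameter(Mandatory)][string]$Token,
        [string[]]$ExpectedAudience = @('https://graph.microsoft.com', '00000003-0000-0000-c000-000000000000'),
        [int]$MinimumMinutes = 5
    )
    $claims = Get-JwtPayload -Token $Token
    if ($ExpectedAudience -notcontains $claims.aud) {
        Write-Warning "Token audience is '$($claims.aud)', expected one of: $($ExpectedAudience -join ', ')"
        return $false
    }
    # exp is seconds since the Unix epoch, in UTC
    $expiry    = [DateTimeOffset]::FromUnixTimeSeconds([int64]$claims.exp)
    $remaining = ($expiry - [DateTimeOffset]::UtcNow).TotalMinutes
    if ($remaining -lt $MinimumMinutes) {
        Write-Warning ("Token expires at {0:u} ({1:N1} minutes left)" -f $expiry, $remaining)
        return $false
    }
    return $true
}

# Constructed sample token: header and payload are built locally, the signature is a placeholder.
$header  = ConvertTo-Base64Url -Value '{"typ":"JWT","alg":"RS256"}'
$payload = ConvertTo-Base64Url -Value (@{
        aud   = 'https://graph.microsoft.com'
        iss   = 'https://sts.windows.net/00000000-0000-0000-0000-000000000000/'   # constructed tenant
        appid = '11111111-1111-1111-1111-111111111111'                            # constructed client id
        exp   = [DateTimeOffset]::UtcNow.AddMinutes(50).ToUnixTimeSeconds()
    } | ConvertTo-Json -Compress)
$sampleToken = @($header, $payload, 'placeholder-signature') -join '.'

# Accepted: audience matches and 50 minutes remain
Test-AccessToken -Token $sampleToken
# Rejected with a warning: this token was issued for Graph, not for the Security Graph
Test-AccessToken -Token $sampleToken -ExpectedAudience 'https://api.security.microsoft.com'
# Rejected with a warning: more margin requested than the token has left
Test-AccessToken -Token $sampleToken -MinimumMinutes 60
```

With a real token, pass the plain-text value (for example the `access_token` field of the response, or the `Token` property from Get-AzAccessToken) rather than the SecureString stored in `$aadRequestHeader`; the check is useful right after acquisition and again before reusing a cached header, because `Test-AccessToken` reads the expiry the issuer put in the token instead of the locally computed `$endDate`.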

azurekid commented Apr 26, 2022

Description

This Azure function can be used to create an authentication header to use for requests to the Microsoft Graph or Security Graph.
When running the script an environment variable aadRequestHeader will be created that can be used in the Invoke-RestMethod call.

Example 1

Request an Access Token for the current PowerShell context

```powershell
Get-AccessToken
```

Example 2

Request an Access Token in the current PowerShell context for the Security Graph

```powershell
Get-AccessToken -SecurityGraph
```

Example 3

Request an Access Token for an App Registration

```powershell
Get-AccessToken `
    -ApplicationId "a0a50537-85de-4087-a55b-18018eeac90b" `
    -ApplicationSecret "M3a8Q~BwDvC4PNRIyAxgK2CzBW2To3DFt6W4Abl7" `
    -TenantId "4c2c8992-c7e1-4bc1-9661-2f33e3409cec"
```

Output Usage

The request header containing the access token can be used to query the Microsoft (Security) Graph

Example 4

```powershell
Invoke-RestMethod -Uri 'https://graph.microsoft.com/beta/users' @aadRequestHeader
```
