Get the Azure Active Directory passwordless FIDO2 token configuration details for a user with PowerShell. Associated blogpost https://blog.darrenjrobinson.com/what-does-your-azure-ad-fido2-passwordless-credential-look-like/
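#Install-Module MSAL.PS
<#
.SYNOPSIS
    Lists the FIDO2 security keys registered on an Azure AD user's account.

.DESCRIPTION
    Acquires a delegated Azure AD Graph token via MSAL.PS (interactive login for
    the given UPN), reads the user object with the internal api-version, and
    decodes every searchableDeviceKey whose usage is "FIDO" into a
    PSCustomObject. The keyMaterial of each key is base64-encoded JSON whose
    x5c[0] element is the attestation certificate the authenticator presented
    at registration; it is decoded into an X509Certificate2 for inspection.

    NOTE: this depends on the Azure AD Graph endpoint (graph.windows.net) and
    an internal, unsupported api-version; both can change or stop working
    without notice.

.PARAMETER Resource
    Azure AD Graph base URL.
.PARAMETER ApiVersion
    Query-string api-version to request (internal version exposes searchableDeviceKey).
.PARAMETER Scope
    Delegated scope requested on the resource.
.PARAMETER ClientId
    Application (client) ID used for the token request.
.PARAMETER TenantId
    Tenant name or ID that owns the user.
.PARAMETER MyUPN
    User principal name whose FIDO keys are listed.

.OUTPUTS
    One PSCustomObject per FIDO key; nothing when the user has no FIDO keys.
    Diagnostics go to the warning/error streams, not to the output stream.
#>
param(
    [string]$Resource   = "https://graph.windows.net",               # AzureAD Graph
    [string]$ApiVersion = "api-version=1.6-internal",                # Internal API
    [string]$Scope      = "user_impersonation",                      # Delegated User Impersonation
    [string]$ClientId   = "1b730954-1685-4b74-9bfd-dac224a7b894",    # PowerShell
    [string]$TenantId   = "yourcompanyAADName.com",                  # AAD
    [string]$MyUPN      = "useruserUPN@yourcompanyAADName.com"       # User UPN
)

Import-Module MSAL.PS -ErrorAction Stop

# Step 1: authenticate. Only the token request is inside this try so that the
# "Authentication to AAD Failed" message is not reported for later Graph/decoding errors.
try {
    $myAccessToken = Get-MsalToken -ClientId $ClientId `
        -TenantId $TenantId `
        -Scopes "$($Resource)/$($Scope)" `
        -LoginHint $MyUPN
}
catch {
    Write-Warning "Authentication to AAD Failed"
    Write-Error -ErrorRecord $_
    return
}

if (-not $myAccessToken.AccessToken) {
    Write-Warning "No Access Token return from AAD AuthN"
    return
}

try {
    # Step 2: get the user object via AAD Graph. The UPN is escaped because it
    # is user-supplied and lands in the URL path.
    $userUri = "$($Resource)/$($TenantId)/users/$([uri]::EscapeDataString($MyUPN))?$($ApiVersion)"
    $myUserObj = Invoke-RestMethod -Method Get `
        -Uri $userUri `
        -Headers @{ Authorization = "Bearer $($myAccessToken.AccessToken)" }

    # Step 3: filter to FIDO keys. @() keeps a single key as a one-element array.
    $fidoKeys = @($myUserObj.searchableDeviceKey | Where-Object { $_.usage -eq "FIDO" })
    if ($fidoKeys.Count -eq 0) {
        Write-Warning "No FIDO Keys found for user '$($MyUPN)'"
        return
    }

    # Step 4: decode each key. Collecting the loop output avoids the O(n^2)
    # "$array += item" pattern and always yields an array.
    $output = @(foreach ($fidoKey in $fidoKeys) {
        # keyMaterial is base64 JSON (version, displayName, x5c, ...).
        $fido2Details = [System.Text.Encoding]::UTF8.GetString(
            [System.Convert]::FromBase64String($fidoKey.keyMaterial)) | ConvertFrom-Json

        # x5c[0] is the attestation certificate as presented by the authenticator.
        # It is decoded for inspection only: nothing here validates the chain or
        # checks it against FIDO metadata, so fidoKeyCert is not proof of provenance.
        $fido2Cert = $null
        if ($fido2Details.x5c) {
            $certBytes = [Convert]::FromBase64String($fido2Details.x5c[0])
            try {
                # Windows PowerShell
                $fido2Cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
                $fido2Cert.Import($certBytes)
            }
            catch {
                # PowerShell Core/6/7+ (presumably the parameterless ctor + Import() is unavailable there)
                $fido2Cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(, $certBytes)
            }
        }
        else {
            # Previously a missing x5c threw out of the loop and was reported as an auth failure.
            Write-Warning "FIDO key '$($fidoKey.keyIdentifier)' has no x5c attestation certificate in its key material"
        }

        [PSCustomObject][ordered]@{
            Usage                       = $fidoKey.usage
            Version                     = $fido2Details.version
            DisplayName                 = $fido2Details.displayName
            fidoKeyCert                 = $fido2Cert
            creationTime                = $fidoKey.creationTime
            deviceId                    = $fidoKey.deviceId
            keyIdentifier               = $fidoKey.keyIdentifier
            fidoKeyCertRaw              = $fidoKey.keyMaterial
            fidoAaGuid                  = $fidoKey.fidoAaGuid
            fidoAuthenticatorVersion    = $fidoKey.fidoAuthenticatorVersion
            fidoAttestationCertificates = $fidoKey.fidoAttestationCertificates
        }
    })

    return $output
}
catch {
    Write-Warning "Failed to retrieve or decode FIDO key details for user '$($MyUPN)'"
    Write-Error -ErrorRecord $_
}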