Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Get FIDO2 Tokens Azure Active Directory Passwordless configuration details using PowerShell. Associated blogpost https://blog.darrenjrobinson.com/what-does-your-azure-ad-fido2-passwordless-credential-look-like/
#Install-Module MSAL.PS
Import-Module MSAL.PS
$resource = "https://graph.windows.net" # AzureAD Graph
$apiVersion = "api-version=1.6-internal" # Internal API
$scope = "user_impersonation" # Delegated User Impersonation
$clientID = "1b730954-1685-4b74-9bfd-dac224a7b894" # PowerShell
$tenantID = "yourcompanyAADName.com" # AAD
$myUPN = "useruserUPN@yourcompanyAADName.com" # User UPN
try {
$myAccessToken = Get-MsalToken -ClientId $clientID `
-TenantId $tenantID `
-Scopes "$($resource)/$($scope)" `
-LoginHint $myUPN
if ($myAccessToken.AccessToken) {
# Get User Object via AAD Graph
$myUserObj = Invoke-RestMethod -Method Get `
-Uri "$($resource)/$($tenantID)/users/$($myUPN)?$($apiVersion)" `
-Headers @{Authorization = "Bearer $($myAccessToken.AccessToken)" }
# Get FIDO2 Keys
$fidoKeys = $myUserObj.searchableDeviceKey | Where-Object { $_.usage -eq "FIDO" } | Select-Object
$fidoKeys.Count
if (@($fidoKeys).Count -gt 0) {
$output = @()
foreach ($fidoKey in $fidoKeys) {
$fido2Details = ([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($fidoKey.keyMaterial)) | ConvertFrom-Json)
try {
# Windows PowerShell
$fido2Cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
$fido2Cert.Import([Convert]::FromBase64String($fido2Details.x5c[0]))
}
catch {
# PowerShell Core/6/7+
$fido2Cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(, [Convert]::FromBase64String($fido2Details.x5c[0]))
}
$fido2DetailsObj = $null
$fido2DetailsObj = [PSCustomObject][ordered]@{
Usage = $fidoKey.usage
Version = $fido2Details.version
DisplayName = $fido2Details.displayName
fidoKeyCert = $fido2Cert
creationTime = $fidoKey.creationTime
deviceId = $fidoKey.deviceId
keyIdentifier = $fidoKey.keyIdentifier
fidoKeyCertRaw = $fidoKey.keyMaterial
fidoAaGuid = $fidoKey.fidoAaGuid
fidoAuthenticatorVersion = $fidoKey.fidoAuthenticatorVersion
fidoAttestationCertificates = $fidoKey.fidoAttestationCertificates
}
$output += $fido2DetailsObj
}
}
else {
Write-Output "No FIDO Keys found for user '$($myUPN)'"
}
return $output
}
else {
Write-Output "No Access Token return from AAD AuthN"
$_
}
}
catch {
Write-Output "Authentication to AAD Failed"
$_
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment