darrenjrobinson/Get AAD FIDO2 Token Details.ps1

## Get AAD FIDO2 Token Details.ps1
#Install-Module MSAL.PS
Import-Module MSAL.PS

$resource = "https://graph.windows.net" # AzureAD Graph
$apiVersion = "api-version=1.6-internal" # Internal API
$scope = "user_impersonation" # Delegated User Impersonation
$clientID = "1b730954-1685-4b74-9bfd-dac224a7b894" # PowerShell
$tenantID = "yourcompanyAADName.com" # AAD
$myUPN = "useruserUPN@yourcompanyAADName.com" # User UPN

try {
    $myAccessToken = Get-MsalToken -ClientId $clientID `
        -TenantId $tenantID `
        -Scopes "$($resource)/$($scope)" `
        -LoginHint $myUPN

    if ($myAccessToken.AccessToken) {
        # Get User Object via AAD Graph
        $myUserObj = Invoke-RestMethod -Method Get `
            -Uri "$($resource)/$($tenantID)/users/$($myUPN)?$($apiVersion)" `
            -Headers @{Authorization = "Bearer $($myAccessToken.AccessToken)" }

        # Get FIDO2 Keys
        $fidoKeys = $myUserObj.searchableDeviceKey | Where-Object { $_.usage -eq "FIDO" } | Select-Object
        $fidoKeys.Count
        if (@($fidoKeys).Count -gt 0) {
            $output = @()
            foreach ($fidoKey in $fidoKeys) {
                $fido2Details = ([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($fidoKey.keyMaterial)) | ConvertFrom-Json)
                try {
                    # Windows PowerShell
                    $fido2Cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
                    $fido2Cert.Import([Convert]::FromBase64String($fido2Details.x5c[0]))
                }
                catch {
                    # PowerShell Core/6/7+
                    $fido2Cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(, [Convert]::FromBase64String($fido2Details.x5c[0]))
                }
                $fido2DetailsObj = $null
                $fido2DetailsObj = [PSCustomObject][ordered]@{
                    Usage                       = $fidoKey.usage
                    Version                     = $fido2Details.version
                    DisplayName                 = $fido2Details.displayName
                    fidoKeyCert                 = $fido2Cert
                    creationTime                = $fidoKey.creationTime
                    deviceId                    = $fidoKey.deviceId
                    keyIdentifier               = $fidoKey.keyIdentifier
                    fidoKeyCertRaw              = $fidoKey.keyMaterial
                    fidoAaGuid                  = $fidoKey.fidoAaGuid
                    fidoAuthenticatorVersion    = $fidoKey.fidoAuthenticatorVersion
                    fidoAttestationCertificates = $fidoKey.fidoAttestationCertificates
                }
                $output += $fido2DetailsObj
            }
        }
        else {
            Write-Output "No FIDO Keys found for user '$($myUPN)'"
        }
        return $output
    }
    else {
        Write-Output "No Access Token return from AAD AuthN"
        $_
    }
}
catch {
    Write-Output "Authentication to AAD Failed"
    $_
}
	#Install-Module MSAL.PS
	Import-Module MSAL.PS

	$resource = "https://graph.windows.net" # AzureAD Graph
	$apiVersion = "api-version=1.6-internal" # Internal API
	$scope = "user_impersonation" # Delegated User Impersonation
	$clientID = "1b730954-1685-4b74-9bfd-dac224a7b894" # PowerShell
	$tenantID = "yourcompanyAADName.com" # AAD
	$myUPN = "useruserUPN@yourcompanyAADName.com" # User UPN

	try {
	$myAccessToken = Get-MsalToken -ClientId $clientID `
	-TenantId $tenantID `
	-Scopes "$($resource)/$($scope)" `
	-LoginHint $myUPN

	if ($myAccessToken.AccessToken) {
	# Get User Object via AAD Graph
	$myUserObj = Invoke-RestMethod -Method Get `
	-Uri "$($resource)/$($tenantID)/users/$($myUPN)?$($apiVersion)" `
	-Headers @{Authorization = "Bearer $($myAccessToken.AccessToken)" }

	# Get FIDO2 Keys
	$fidoKeys = $myUserObj.searchableDeviceKey \| Where-Object { $_.usage -eq "FIDO" } \| Select-Object
	$fidoKeys.Count
	if (@($fidoKeys).Count -gt 0) {
	$output = @()
	foreach ($fidoKey in $fidoKeys) {
	$fido2Details = ([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($fidoKey.keyMaterial)) \| ConvertFrom-Json)
	try {
	# Windows PowerShell
	$fido2Cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
	$fido2Cert.Import([Convert]::FromBase64String($fido2Details.x5c[0]))
	}
	catch {
	# PowerShell Core/6/7+
	$fido2Cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(, [Convert]::FromBase64String($fido2Details.x5c[0]))
	}
	$fido2DetailsObj = $null
	$fido2DetailsObj = [PSCustomObject][ordered]@{
	Usage = $fidoKey.usage
	Version = $fido2Details.version
	DisplayName = $fido2Details.displayName
	fidoKeyCert = $fido2Cert
	creationTime = $fidoKey.creationTime
	deviceId = $fidoKey.deviceId
	keyIdentifier = $fidoKey.keyIdentifier
	fidoKeyCertRaw = $fidoKey.keyMaterial
	fidoAaGuid = $fidoKey.fidoAaGuid
	fidoAuthenticatorVersion = $fidoKey.fidoAuthenticatorVersion
	fidoAttestationCertificates = $fidoKey.fidoAttestationCertificates
	}
	$output += $fido2DetailsObj
	}
	}
	else {
	Write-Output "No FIDO Keys found for user '$($myUPN)'"
	}
	return $output
	}
	else {
	Write-Output "No Access Token return from AAD AuthN"
	$_
	}
	}
	catch {
	Write-Output "Authentication to AAD Failed"
	$_
	}