CSP Secure App Model with PowerShell
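# Connect to Partner Center with the Secure App Model refresh token.
#
# Inputs expected to be set by the caller (none of them are defined in this snippet):
#   $partnerTenant  - partner (CSP) tenant id or verified domain
#   $customerTenant - customer tenant id or verified domain
#   $refresh        - the token response from the authorization_code exchange;
#                     only $refresh.refresh_token is used here. Load it from
#                     Key Vault (or equivalent) at runtime: it is a long-lived
#                     credential that grants delegated access to every customer
#                     the consenting partner account can administer, so treat it
#                     exactly like a password (no logs, no source control).
#
# Placeholders are quoted on purpose: in PowerShell a bare {...} is a ScriptBlock
# literal, so `$clientId = {multi tenant app id}` would silently assign a script
# block and the token endpoint would receive its stringified source instead of the id.
$clientId = '{multi tenant app id}'
$secret   = '{multi tenant app secret}'   # TODO(review): read from Key Vault / environment, not from the script body

function Get-TokenFromRefreshToken {
    <#
    .SYNOPSIS
        Redeems the Secure App Model refresh token for an access token to one
        resource, issued by one tenant (AAD v1 /oauth2/token endpoint).
    .PARAMETER Tenant
        Tenant id or domain that should issue the token (partner or customer).
    .PARAMETER Resource
        Resource URI the access token is for (Partner Center, Graph, ARM, ...).
    .PARAMETER ClientId
        Application (client) id of the multi-tenant app.
    .PARAMETER ClientSecret
        Client secret of the multi-tenant app.
    .PARAMETER RefreshToken
        The refresh_token string obtained from the authorization_code exchange.
    .OUTPUTS
        The deserialized token response; .access_token is the bearer token.
        The response may also carry a rotated refresh_token and expires_in -
        do not dump or log the whole object. Whether the rotated refresh_token
        should replace the stored one depends on your token lifetime policy - TODO confirm.
    #>
    param(
        [Parameter(Mandatory)] [string] $Tenant,
        [Parameter(Mandatory)] [string] $Resource,
        [Parameter(Mandatory)] [string] $ClientId,
        [Parameter(Mandatory)] [string] $ClientSecret,
        [Parameter(Mandatory)] [string] $RefreshToken
    )
    $tokenUri = "https://login.windows.net/$Tenant/oauth2/token"
    $body = @{
        resource      = $Resource
        grant_type    = 'refresh_token'
        client_id     = $ClientId
        client_secret = $ClientSecret
        scope         = 'openid'
        refresh_token = $RefreshToken
    }
    # A hashtable body is sent as application/x-www-form-urlencoded, which is what
    # the token endpoint expects. Invoke-RestMethod throws on a non-success status,
    # so a bad secret or expired refresh token stops the script here.
    Invoke-RestMethod -Uri $tokenUri -Method Post -Body $body
}

# Read the secret string once; the surrounding token response object is never sent anywhere.
$refreshTokenValue = $refresh.refresh_token

# --- Partner Center: token issued by the partner tenant --------------------------------
$cspAccess = Get-TokenFromRefreshToken -Tenant $partnerTenant `
    -Resource 'https://api.partnercenter.microsoft.com' `
    -ClientId $clientId -ClientSecret $secret -RefreshToken $refreshTokenValue
# NOTE(review): this is a single page of customers; the collection may be paged for
# larger partners - confirm and follow the continuation link if so.
$customers = Invoke-RestMethod -Uri 'https://api.partnercenter.microsoft.com/v1.0/customers' `
    -Headers @{ Authorization = "Bearer $($cspAccess.access_token)" }

# --- Customer tenant: same refresh token, tokens issued by the customer tenant ----------
# Example 1: Microsoft Graph - list the customer's users.
$graphAccess = Get-TokenFromRefreshToken -Tenant $customerTenant `
    -Resource 'https://graph.microsoft.com' `
    -ClientId $clientId -ClientSecret $secret -RefreshToken $refreshTokenValue
$users = Invoke-RestMethod -Uri 'https://graph.microsoft.com/v1.0/users' `
    -Headers @{ Authorization = "Bearer $($graphAccess.access_token)" }

# Example 2: Azure Resource Manager - list the customer's Azure subscriptions.
$azAccess = Get-TokenFromRefreshToken -Tenant $customerTenant `
    -Resource 'https://management.azure.com' `
    -ClientId $clientId -ClientSecret $secret -RefreshToken $refreshTokenValue
$subscriptions = Invoke-RestMethod -Uri 'https://management.azure.com/subscriptions?api-version=2016-06-01' `
    -Headers @{ Authorization = "Bearer $($azAccess.access_token)" }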
https://login.windows.net/partnertenant.com/oauth2/authorize?client_id={multi tenant appid} | |
&response_type=code | |
&response_mode=query | |
&resource=https://api.partnercenter.microsoft.com&prompt=login |
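# Exchange the authorization code from the consent flow for a refresh token.
# Run once, interactively, after the partner admin has signed in and consented via
# the /oauth2/authorize URL above. Inputs:
#   $code          - the `code` query parameter returned to the redirect URI.
#                    Authorization codes are single-use and short-lived; a second
#                    exchange with the same code fails.
#   $partnerTenant - partner tenant id or domain (used in the token endpoint URL).
$code          = '{code from consent}'
$clientId      = 'multi tenant app id'
$secret        = 'secret from multi tenant app'   # TODO(review): load from Key Vault / environment, never commit it
$partnerTenant = '{partner tenant}'
# The original hard-coded 'partnertenant.com' in the URL while also defining
# $partnerTenant; the variable is the single source of truth.
$loginurl = "https://login.windows.net/$partnerTenant/oauth2/token"

$params = @{
    resource      = 'https://api.partnercenter.microsoft.com'
    grant_type    = 'authorization_code'
    client_id     = $clientId
    client_secret = $secret
    # Must match the redirect URI registered on the app / used in the authorize
    # request - the exchange fails if it differs.
    redirect_uri  = 'https://localhost'
    code          = $code
}
# $refreshToken is the whole token response object. The long-lived credential is
# $refreshToken.refresh_token - store that STRING in Key Vault (see the Key Vault
# example) and never write the response to logs or source control. It is the token
# the other snippets redeem for access tokens.
$refreshToken = Invoke-RestMethod -Uri $loginurl -Method Post -Body $params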
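# Get an AAD access token for Key Vault with the client_credentials grant
# (v2.0 endpoint, single-tenant app) and GET a Key Vault resource with it.
# Inputs expected from the caller:
#   $tenantID                - tenant that owns the Key Vault and the single-tenant app
#   $fullURIincludingVersion - Key Vault resource URL. Despite its name it must NOT
#                              already carry ?api-version, because one is appended below.
# Placeholders are quoted on purpose: a bare {...} in PowerShell is a ScriptBlock
# literal, not a string, and would be sent to the token endpoint as script source.
$params = @{
    scope         = 'https://vault.azure.net/.default'
    grant_type    = 'client_credentials'
    client_id     = '{single tenant app id}'
    client_secret = '{single tenant app secret}'   # TODO(review): from environment / a managed identity, not in source
}
$AADToken = Invoke-RestMethod -Method Post -Uri "https://login.microsoftonline.com/$tenantID/oauth2/v2.0/token" -Body $params
# The response body is the secret/key payload - do not echo it to the console or logs.
Invoke-RestMethod -Method Get -Uri ($fullURIincludingVersion + '?api-version=7.0') -Headers @{ Authorization = "Bearer $($AADToken.access_token)" }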
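# Store (create or update) a secret in Key Vault over the REST API.
# Generic Key Vault example - nothing Partner Center specific.
# Inputs expected from the caller:
#   $keyVaultUrl  - e.g. https://<vault-name>.vault.azure.net (no trailing slash)
#   $refreshToken - the secret VALUE to store. Key Vault's `value` field is a
#                   string; if $refreshToken is the token response object from the
#                   authorization_code exchange, pass $refreshToken.refresh_token
#                   instead - otherwise ConvertTo-Json nests the whole object under
#                   `value` and the PUT is rejected or stores the wrong thing.
#   {tenantId}, {single tenant app id/secret} - the single-tenant app used to reach
#                   Key Vault. It needs permission to set secrets on this vault
#                   (access policy `set` or an equivalent RBAC role) - TODO confirm.
$secretName = 'refreshtoken'
# Same casing everywhere: the original mixed $KeyvaultFullUrl / $keyVaultfullUrl, which
# PowerShell tolerates but which hides typos from reviewers.
$keyVaultFullUrl = "$keyVaultUrl/secrets/$secretName?api-version=7.0"

# Placeholders are quoted on purpose: a bare {...} in PowerShell is a ScriptBlock literal.
$params = @{
    scope         = 'https://vault.azure.net/.default'
    grant_type    = 'client_credentials'
    client_id     = '{single tenant app id}'
    client_secret = '{single tenant app secret}'   # TODO(review): from environment / a managed identity, not in source
}
$AADToken = Invoke-RestMethod -Method Post -Uri "https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/token" -Body $params

# PUT creates the secret or adds a new version to an existing one.
$secretBody = @{ value = $refreshToken } | ConvertTo-Json
# $secret is the Key Vault response (secret metadata plus the value) - handle it as sensitive.
$secret = Invoke-RestMethod -Method Put -Uri $keyVaultFullUrl -Body $secretBody `
    -Headers @{ 'Authorization' = "Bearer $($AADToken.access_token)"; 'Content-Type' = "Application/Json" }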