Last active December 23, 2022 01:12
Create a token to authenticate against microsoft partner center API as App + User
```powershell
function Get-PCAppUserAuthenticationBearer {
    <#
    .SYNOPSIS
    Function to retrieve an App+User bearer token from the Microsoft CSP API
    .DESCRIPTION
    This function connects to Azure AD to generate an OAuth token.
    The acquired token is then used against the Partner Center REST API to generate an App+User JWT token. https://api.partnercenter.microsoft.com/generatetoken
    You can read more about the authentication method here: https://msdn.microsoft.com/en-us/library/partnercenter/mt634709.aspx
    .PARAMETER ClientID
    The ClientID of the application used for authentication against Azure AD.
    .PARAMETER TenantId
    The TenantId of the Azure AD that you wish to authenticate against, e.g. test.onmicrosoft.com
    .PARAMETER Credential
    Pass a PowerShell credential object or type in username and password when prompted
    .EXAMPLE
    Get-PCAppUserAuthenticationBearer -TenantID test.onmicrosoft.com -ClientID <Native App GUID> -Credential (Get-Credential)
    Returns an object containing the response from Azure AD and a generated CSP bearer. Use the CSP bearer for further authentication against the CSP APIs and the AAD token for reference.
    .NOTES
    Version 1.0
    Martin Ehrnst
    September 2017
    #>
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [string]$TenantID,
        [Parameter(Mandatory = $true)]
        [string]$ClientID,
        [Parameter(Mandatory = $true)]
        [System.Management.Automation.PSCredential]$Credential = (Get-Credential)
    )
    # clear error variable
    $error.Clear()
    $ErrorActionPreference = "Stop"
    $username = $Credential.UserName
    # The ROPC (password) grant needs the plaintext password in the request body,
    # so the SecureString is decoded here; the unmanaged BSTR is zeroed and freed right after.
    $BSTR = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR(($Credential.Password))
    try {
        $StringPassword = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($BSTR)
    }
    finally {
        [System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($BSTR)
    }
    # Step 1: authenticate against Azure AD to obtain an access token for the Partner Center resource
    try {
        $loginurl = "https://login.windows.net/$TenantID/oauth2/token"
        $params = @{resource = "https://api.partnercenter.microsoft.com"; grant_type = "password"; client_id = $ClientID; username = $username; password = $StringPassword; scope = "openid"}
        $res = Invoke-RestMethod -Uri $loginurl -Method POST -Body $params
        $oAuth = "Bearer " + $res.access_token
    }
    catch {
        Write-Error -Message "$error"
    }
    # Step 2: exchange the Azure AD token for a Partner Center App+User token
    try {
        $CSPAuthHeader = @{
            "Content-Type"  = "application/x-www-form-urlencoded"
            "Authorization" = $oAuth
        }
        $CspAuthBody = "grant_type=jwt_token"
        $CSPAppUserToken = (Invoke-RestMethod -Uri 'https://api.partnercenter.microsoft.com/generatetoken' -Method Post -Body $CspAuthBody -Headers $CSPAuthHeader).access_token
    }
    catch {
        Write-Error -Message "$error"
    }
    $CspBearer = "Bearer " + $CSPAppUserToken
    # Return both tokens: the raw Azure AD response and the ready-to-use CSP bearer string
    $Tokens = @{
        "AzureAd"   = $res
        "CSPBearer" = $CspBearer
    }
    $Tokens
}
```
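The bearer strings the function returns are JWTs, and in practice the next question is whether a cached one is still good for the Partner Center audience before it is sent. The following is an added example, not part of the gist, that decodes the payload of such a token and checks its `exp` and `aud` claims; the token it runs on is constructed locally with a placeholder signature, and the check does not verify the signature (the API does that), only that the token is not stale or meant for another resource.

```powershell
# Added example (not from the gist): inspect a returned JWT before using it.
function ConvertFrom-JwtPayload {
    param([Parameter(Mandatory = $true)][string]$Token)
    # Accept either the bare token or the "Bearer <token>" string the gist returns
    $raw = $Token -replace '^Bearer\s+', ''
    $parts = $raw.Split('.')
    if ($parts.Count -ne 3) { throw "Not a JWS compact serialization (expected 3 segments)" }
    # Base64url -> Base64: standard alphabet plus padding
    $payload = $parts[1].Replace('-', '+').Replace('_', '/')
    switch ($payload.Length % 4) {
        1 { throw "Invalid base64url payload length" }
        2 { $payload += '==' }
        3 { $payload += '=' }
    }
    $json = [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload))
    return ($json | ConvertFrom-Json)
}

function Test-JwtUsable {
    param(
        [Parameter(Mandatory = $true)][string]$Token,
        [string]$ExpectedAudience = 'https://api.partnercenter.microsoft.com',
        [int]$SkewSeconds = 300   # refuse tokens that expire within this window
    )
    $claims = ConvertFrom-JwtPayload -Token $Token
    $now = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds()
    $problems = @()
    if (-not $claims.exp) { $problems += 'missing exp claim' }
    elseif ([long]$claims.exp -le ($now + $SkewSeconds)) { $problems += 'expired or about to expire' }
    if ($claims.aud -ne $ExpectedAudience) { $problems += "audience '$($claims.aud)' is not '$ExpectedAudience'" }
    [pscustomobject]@{
        Upn      = $claims.upn
        Expires  = if ($claims.exp) { [DateTimeOffset]::FromUnixTimeSeconds([long]$claims.exp).UtcDateTime } else { $null }
        Usable   = ($problems.Count -eq 0)
        Problems = $problems
    }
}

# Constructed sample token (placeholder signature, not a real Partner Center token)
function ConvertTo-Base64Url([string]$s) {
    [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($s)).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}
$header  = ConvertTo-Base64Url '{"alg":"RS256","typ":"JWT"}'
$expires = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds() + 3600
$payload = ConvertTo-Base64Url ('{"aud":"https://api.partnercenter.microsoft.com","upn":"admin@test.onmicrosoft.com","exp":' + $expires + '}')
$sampleToken = "Bearer $header.$payload.placeholder-signature"

Test-JwtUsable -Token $sampleToken            # Usable = True for the fresh sample
Test-JwtUsable -Token $sampleToken -ExpectedAudience 'https://graph.microsoft.com'   # Usable = False, wrong audience
```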
Be aware that the function does require a credential object, but when you authenticate against AAD the password is decoded and sent in the POST request.