mcollier/AAD_AcquireToken_Scratch.ps1

## AAD_AcquireToken_Scratch.ps1
$subscriptionId = "---- ADD YOUR AZURE SUBSCRIPTION ID ----"
$tennantId = "---- ADD YOUR AZURE AD TENANT ID ----"

# Password for the service principal
$secret = "test!12345678910"
$secureStringPassword = ConvertTo-SecureString -String $secret -AsPlainText -Force

# $resource = "https://management.azure.com/"
$resource = "https://management.core.windows.net/"

# Authenticate to a specific Azure subscription.
Connect-AzureRmAccount -SubscriptionId $subscriptionId


# ********************************
#          Example 1 - Using ADAL
# ********************************

# Create a new Azure AD application
$azureAdApplication = New-AzureRmADApplication  -DisplayName "My Azure Monitor"  -HomePage "https://localhost/azure-monitor"  -IdentifierUris "https://localhost/azure-monitor" -Password $secureStringPassword

# Create a new service principal associated with the designated application
New-AzureRmADServicePrincipal -ApplicationId $azureAdApplication.ApplicationId

# Sleep for a few seconds to give AAD time to propogate data.
Start-Sleep -Seconds 30

# Assign Reader role to the newly created service principal
New-AzureRmRoleAssignment -RoleDefinitionName Reader -ServicePrincipalName $azureAdApplication.ApplicationId.Guid

# Get the AAD application and Azure subscription.
$azureAdApplication = Get-AzureRmADApplication -IdentifierUri "https://localhost/azure-monitor"

$clientId = $azureAdApplication.ApplicationId.Guid
$authUrl = "https://login.microsoftonline.com/${tennantId}"

# Use ADAL to get the authentication token.
$AuthContext = [Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext]$authUrl
$cred = New-Object -TypeName Microsoft.IdentityModel.Clients.ActiveDirectory.ClientCredential -ArgumentList ($clientId, $secureStringPassword)

$result = $AuthContext.AcquireTokenAsync($resource, $cred)
if ($result.Exception -ne $null) {
    Write-Error($result.Exception)
}
else {

    # Build an array of HTTP header values
    $authHeader = @{
        'Content-Type'  = 'application/json'
        'Accept'        = 'application/json'
        'Authorization' = $result.CreateAuthorizationHeader()
    }
}


# ********************************
#          Example 2 - Using MSAL
# ********************************
Add-Type -Path "Microsoft.Identity.Client.dll"

[Microsoft.Identity.Client.TokenCache] $tokenCache = New-Object Microsoft.Identity.Client.TokenCache

# TODO: Create service principal

$pwd = "xxxxxxx"
$clientId = "yyyyyyyyyyyyyyy"
$authority = "https://login.microsoftonline.com/zzzzzzzzzzzzzzzzzzz"

[Microsoft.Identity.Client.ClientCredential] $clientCredential = New-Object Microsoft.Identity.Client.ClientCredential -ArgumentList $pwd
[Microsoft.Identity.Client.ConfidentialClientApplication] $app = New-Object Microsoft.Identity.Client.ConfidentialClientApplication -ArgumentList $clientId, $authority, $clientCredential, $null, $tokenCache

$scopes = [string[]]@("https://management.azure.com/.default")

[Microsoft.Identity.Client.AuthenticationResult] $result = $app.AcquireTokenForClientAsync($scopes).GetAwaiter().GetResult()


# ********************************
#          Example 3 - Using REST API
# ********************************

#SPN ClientId and Secret.  Obtain the Client ID from the Azure Portal if necessary.
#$clientId = "---- ADD CLIENT ID OR USE VALUE FROM EXAMPLE 1"
$tokenEndpoint = "https://login.microsoftonline.com/$tennantId/oauth2/token"

$body = @{
    'resource'      = $resource
    'client_id'     = $clientId
    'grant_type'    = 'client_credentials'
    'client_secret' = $secret
}

$params = @{
    ContentType = 'application/x-www-form-urlencoded'
    Headers     = @{'accept' = 'application/json'}
    Body        = $body
    Method      = 'Post'
    URI         = $tokenEndpoint
}

$token = Invoke-RestMethod @params

$authHeader = @{
    'Content-Type'  = 'application/json'
    'Accept'        = 'application/json'
    'Authorization' = 'Bearer ' + $token.access_token
}

$result = Invoke-RestMethod -Uri "https://management.azure.com/subscriptions/$subscriptionId/providers/Microsoft.Web/sites?api-version=2016-08-01" -Headers $authHeader -Method Get

$result
	$subscriptionId = "---- ADD YOUR AZURE SUBSCRIPTION ID ----"
	$tennantId = "---- ADD YOUR AZURE AD TENANT ID ----"

	# Password for the service principal
	$secret = "test!12345678910"
	$secureStringPassword = ConvertTo-SecureString -String $secret -AsPlainText -Force

	# $resource = "https://management.azure.com/"
	$resource = "https://management.core.windows.net/"

	# Authenticate to a specific Azure subscription.
	Connect-AzureRmAccount -SubscriptionId $subscriptionId


	# ********************************
	# Example 1 - Using ADAL
	# ********************************

	# Create a new Azure AD application
	$azureAdApplication = New-AzureRmADApplication -DisplayName "My Azure Monitor" -HomePage "https://localhost/azure-monitor" -IdentifierUris "https://localhost/azure-monitor" -Password $secureStringPassword

	# Create a new service principal associated with the designated application
	New-AzureRmADServicePrincipal -ApplicationId $azureAdApplication.ApplicationId

	# Sleep for a few seconds to give AAD time to propogate data.
	Start-Sleep -Seconds 30

	# Assign Reader role to the newly created service principal
	New-AzureRmRoleAssignment -RoleDefinitionName Reader -ServicePrincipalName $azureAdApplication.ApplicationId.Guid

	# Get the AAD application and Azure subscription.
	$azureAdApplication = Get-AzureRmADApplication -IdentifierUri "https://localhost/azure-monitor"

	$clientId = $azureAdApplication.ApplicationId.Guid
	$authUrl = "https://login.microsoftonline.com/${tennantId}"

	# Use ADAL to get the authentication token.
	$AuthContext = [Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext]$authUrl
	$cred = New-Object -TypeName Microsoft.IdentityModel.Clients.ActiveDirectory.ClientCredential -ArgumentList ($clientId, $secureStringPassword)

	$result = $AuthContext.AcquireTokenAsync($resource, $cred)
	if ($result.Exception -ne $null) {
	Write-Error($result.Exception)
	}
	else {

	# Build an array of HTTP header values
	$authHeader = @{
	'Content-Type' = 'application/json'
	'Accept' = 'application/json'
	'Authorization' = $result.CreateAuthorizationHeader()
	}
	}



	# ********************************
	# Example 2 - Using MSAL
	# ********************************
	Add-Type -Path "Microsoft.Identity.Client.dll"

	[Microsoft.Identity.Client.TokenCache] $tokenCache = New-Object Microsoft.Identity.Client.TokenCache

	# TODO: Create service principal

	$pwd = "xxxxxxx"
	$clientId = "yyyyyyyyyyyyyyy"
	$authority = "https://login.microsoftonline.com/zzzzzzzzzzzzzzzzzzz"

	[Microsoft.Identity.Client.ClientCredential] $clientCredential = New-Object Microsoft.Identity.Client.ClientCredential -ArgumentList $pwd
	[Microsoft.Identity.Client.ConfidentialClientApplication] $app = New-Object Microsoft.Identity.Client.ConfidentialClientApplication -ArgumentList $clientId, $authority, $clientCredential, $null, $tokenCache

	$scopes = [string[]]@("https://management.azure.com/.default")

	[Microsoft.Identity.Client.AuthenticationResult] $result = $app.AcquireTokenForClientAsync($scopes).GetAwaiter().GetResult()



	# ********************************
	# Example 3 - Using REST API
	# ********************************

	#SPN ClientId and Secret. Obtain the Client ID from the Azure Portal if necessary.
	#$clientId = "---- ADD CLIENT ID OR USE VALUE FROM EXAMPLE 1"
	$tokenEndpoint = "https://login.microsoftonline.com/$tennantId/oauth2/token"

	$body = @{
	'resource' = $resource
	'client_id' = $clientId
	'grant_type' = 'client_credentials'
	'client_secret' = $secret
	}

	$params = @{
	ContentType = 'application/x-www-form-urlencoded'
	Headers = @{'accept' = 'application/json'}
	Body = $body
	Method = 'Post'
	URI = $tokenEndpoint
	}

	$token = Invoke-RestMethod @params

	$authHeader = @{
	'Content-Type' = 'application/json'
	'Accept' = 'application/json'
	'Authorization' = 'Bearer ' + $token.access_token
	}

	$result = Invoke-RestMethod -Uri "https://management.azure.com/subscriptions/$subscriptionId/providers/Microsoft.Web/sites?api-version=2016-08-01" -Headers $authHeader -Method Get

	$result