-
-
Save sandytsang/d16da8ec0c0c5dad9a27e0933bb534b8 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
function Get-AdminServiceAuthToken | |
{ | |
$AadModule = Get-Module -Name "AzureAD" -ListAvailable | |
if ($AadModule -eq $null) | |
{ | |
Write-Host "AzureAD PowerShell module not found, looking for AzureADPreview" | |
$AadModule = Get-Module -Name "AzureADPreview" -ListAvailable | |
} | |
if ($AadModule -eq $null) | |
{ | |
Write-Error "AzureAD Powershell module not installed..." | |
Write-Error "Install by running 'Install-Module AzureAD' or 'Install-Module AzureADPreview' from an elevated PowerShell prompt" | |
exit | |
} | |
# Getting path to ActiveDirectory Assemblies | |
# If the module count is greater than 1 find the latest version | |
if ($AadModule.count -gt 1) | |
{ | |
$Latest_Version = ($AadModule | Select-Object version | Sort-Object)[-1] | |
$aadModule = $AadModule | ForEach-Object { $_.version -eq $Latest_Version.version } | |
# Checking if there are multiple versions of the same module found | |
if ($AadModule.count -gt 1) | |
{ | |
$aadModule = $AadModule | Select-Object -Unique | |
} | |
$adal = Join-Path $AadModule.ModuleBase "Microsoft.IdentityModel.Clients.ActiveDirectory.dll" | |
$adalforms = Join-Path $AadModule.ModuleBase "Microsoft.IdentityModel.Clients.ActiveDirectory.Platform.dll" | |
} | |
else | |
{ | |
$adal = Join-Path $AadModule.ModuleBase "Microsoft.IdentityModel.Clients.ActiveDirectory.dll" | |
$adalforms = Join-Path $AadModule.ModuleBase "Microsoft.IdentityModel.Clients.ActiveDirectory.Platform.dll" | |
} | |
[System.Reflection.Assembly]::LoadFrom($adal) | Out-Null | |
[System.Reflection.Assembly]::LoadFrom($adalforms) | Out-Null | |
$clientId = "6ed98779-af2a-41a2-be63-a7374c611e8b" #Change this to your own AdminService App ID | |
$TenantID = "8cfbf3fe-35a7-482f-ab0a-000000000" #Change this to your own tenant ID | |
$resourceAppIdURI = "https://ConfigMgrServiceTP" #Change this to your own resource app ID URL | |
$redirectUri = "urn:ietf:wg:oauth:2.0:oob" | |
$authority = "https://login.microsoftonline.com/$($TenantID)/oauth2/v2.0/authorize" | |
try | |
{ | |
$authContext = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext" -ArgumentList $authority | |
# https://msdn.microsoft.com/en-us/library/azure/microsoft.identitymodel.clients.activedirectory.promptbehavior.aspx | |
# Change the prompt behaviour to force credentials each time: Auto, Always, Never, RefreshSession | |
$platformParameters = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.PlatformParameters" -ArgumentList "Always" | |
$authResult = $authContext.AcquireTokenAsync($resourceAppIdURI, $clientId, $redirectUri, $platformParameters).Result | |
# If the accesstoken is valid then create the authentication header | |
if ($authResult.AccessToken) | |
{ | |
# Creating header for Authorization token | |
$authHeader = @{ | |
'Content-Type' = 'application/json' | |
'Authorization' = "Bearer " + $authResult.AccessToken | |
'ExpiresOn' = $authResult.ExpiresOn | |
} | |
return $authHeader | |
} | |
else | |
{ | |
Write-Error "Authorization Access Token is null, please re-run authentication..." | |
break | |
} | |
} | |
catch | |
{ | |
Write-Error $_.Exception.Message | |
Write-Error $_.Exception.ItemName | |
break | |
} | |
} | |
#Ignore self-signed certificate checks | |
if (-not ([System.Management.Automation.PSTypeName]'ServerCertificateValidationCallback').Type) | |
{ | |
$certCallback = @" | |
using System; | |
using System.Net; | |
using System.Net.Security; | |
using System.Security.Cryptography.X509Certificates; | |
public class ServerCertificateValidationCallback | |
{ | |
public static void Ignore() | |
{ | |
if(ServicePointManager.ServerCertificateValidationCallback ==null) | |
{ | |
ServicePointManager.ServerCertificateValidationCallback += | |
delegate | |
( | |
Object obj, | |
X509Certificate certificate, | |
X509Chain chain, | |
SslPolicyErrors errors | |
) | |
{ | |
return true; | |
}; | |
} | |
} | |
} | |
"@ | |
Add-Type $certCallback | |
} | |
[ServerCertificateValidationCallback]::Ignore() | |
#Get AAD Token for AdminService | |
$authToken = Get-AdminServiceAuthToken | |
#AdminService endpoint, get ConfigMgr SMS_R_User infor | |
$url = "https://configmgrcmg001.smsboot.com/CCM_Proxy_ServerAuth/72057594037927941/AdminService/wmi/SMS_R_User" | |
# Make REST API call | |
$Data = Invoke-RestMethod -Method Get -Uri $url -Headers $authToken -Verbose | |
$Data.value |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment