using Microsoft.IdentityModel.Clients.ActiveDirectory;
using System;
using System.Globalization;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Cryptography.X509Certificates;
namespace AppPermissionsDemo
{
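class Program
{
    /// <summary>
    /// Demo entry point: loads the app-only certificate from the local certificate store,
    /// acquires an application access token for Microsoft Graph with it, and prints the
    /// body returned by GET /v1.0/groups.
    /// </summary>
    /// <param name="args">Unused; all inputs are the demo constants below.</param>
    static void Main(string[] args)
    {
        string clientId = "<client-id-of-aad-app-registration>"; //e.g. 01e54f9a-81bc-4dee-b15d-e661ae13f382
        string tenantDomain = "yourtenant.onmicrosoft.com";
        //Demo values
        string certStoreName = "My";
        string certStoreLocation = "CurrentUser";
        string certThumprint = "<your-cert-thumbprint>"; // e.g. CE20E000D53A4C968ED8BA3EFC92C40A2692AE98
        //Client Id of App created through the Azure AD App Registration portal. Cert uploaded in the portal as well.
        X509Certificate2 appOnlyCert = GetAppOnlyCertificate(certStoreName, certStoreLocation, certThumprint);
        if (appOnlyCert == null)
        {
            // Fail with a readable message here instead of a NullReferenceException/ArgumentNullException
            // further down once the missing certificate reaches the token request.
            throw new InvalidOperationException(
                $"No certificate with thumbprint '{certThumprint}' found in store {certStoreLocation}/{certStoreName}.");
        }

        string accessToken = GetMSGraphApplicationAccessToken(clientId, tenantDomain, appOnlyCert);

        using (HttpClient httpClient = new HttpClient())
        {
            httpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);
            //Sample request to get all groups. The AAD App registration will need at least Group.Read.All application permission granted.
            var request = new HttpRequestMessage(HttpMethod.Get, "https://graph.microsoft.com/v1.0/groups");

            // GetAwaiter().GetResult() is the same blocking wait as .Result but surfaces the original
            // exception instead of wrapping it in an AggregateException. A console Main has no
            // SynchronizationContext, so blocking cannot deadlock here; do not copy this into UI or ASP.NET code.
            using (HttpResponseMessage response = httpClient.SendAsync(request).GetAwaiter().GetResult())
            {
                string content = response.Content.ReadAsStringAsync().GetAwaiter().GetResult();
                if (!response.IsSuccessStatusCode)
                {
                    // Graph returns a JSON error body (printed below); make the HTTP status visible as well
                    // so a 401/403 (missing consent, wrong audience) is not mistaken for a successful call.
                    Console.WriteLine($"Graph request failed: {(int)response.StatusCode} {response.ReasonPhrase}");
                }
                Console.WriteLine(content);
            }
        }
    }

    /// <summary>
    /// Acquires an app-only (client credentials) access token for Microsoft Graph, using the
    /// certificate as the client assertion via ADAL's AuthenticationContext.
    /// </summary>
    /// <param name="clientId">Application (client) id of the Azure AD app registration.</param>
    /// <param name="tenantDomain">Tenant to authenticate against, e.g. contoso.onmicrosoft.com.</param>
    /// <param name="cert">Certificate registered on the app; must carry its private key so the assertion can be signed.</param>
    /// <returns>The bearer access token string.</returns>
    /// <exception cref="ArgumentException"><paramref name="clientId"/> or <paramref name="tenantDomain"/> is empty, or <paramref name="cert"/> has no private key.</exception>
    /// <exception cref="ArgumentNullException"><paramref name="cert"/> is null.</exception>
    public static string GetMSGraphApplicationAccessToken(string clientId, string tenantDomain, X509Certificate2 cert)
    {
        if (string.IsNullOrWhiteSpace(clientId))
        {
            throw new ArgumentException("Client id must not be empty.", nameof(clientId));
        }
        if (string.IsNullOrWhiteSpace(tenantDomain))
        {
            throw new ArgumentException("Tenant domain must not be empty.", nameof(tenantDomain));
        }
        if (cert == null)
        {
            throw new ArgumentNullException(nameof(cert));
        }
        if (!cert.HasPrivateKey)
        {
            // A public-only certificate cannot sign the client assertion; fail before contacting the authority.
            throw new ArgumentException("Certificate must include a private key to sign the client assertion.", nameof(cert));
        }

        // NOTE(review): login.windows.net is the older authority host; login.microsoftonline.com is the
        // current one. Kept as the author wrote it — change only after confirming against the tenant.
        string authority = string.Format(CultureInfo.InvariantCulture, "{0}/{1}/", "https://login.windows.net", tenantDomain);
        var authContext = new AuthenticationContext(authority);
        var clientAssertionCert = new ClientAssertionCertificate(clientId, cert);

        // Blocking wait, see the comment in Main; GetAwaiter().GetResult() keeps the real exception type.
        var result = authContext.AcquireTokenAsync("https://graph.microsoft.com", clientAssertionCert).GetAwaiter().GetResult();
        return result.AccessToken;
    }

    /// <summary>
    /// Looks up a certificate by thumbprint in the given X.509 store.
    /// </summary>
    /// <param name="certStoreName">Name of a <see cref="StoreName"/> member, e.g. "My" (case-insensitive).</param>
    /// <param name="certStoreLocation">Name of a <see cref="StoreLocation"/> member, "CurrentUser" or "LocalMachine" (case-insensitive).</param>
    /// <param name="certThumprint">Hex thumbprint of the certificate; surrounding whitespace is ignored.</param>
    /// <returns>The first matching certificate, or null when none is found.</returns>
    /// <exception cref="ArgumentException">A store name/location does not name an enum member, or the thumbprint is empty.</exception>
    private static X509Certificate2 GetAppOnlyCertificate(string certStoreName, string certStoreLocation, string certThumprint)
    {
        // The original ignored the TryParse results, so a typo silently produced enum value 0 and
        // the failure surfaced later from the X509Store constructor. Validate up front instead.
        StoreName storeName;
        if (!Enum.TryParse(certStoreName, true, out storeName) || !Enum.IsDefined(typeof(StoreName), storeName))
        {
            throw new ArgumentException($"'{certStoreName}' is not a valid StoreName.", nameof(certStoreName));
        }
        StoreLocation storeLocation;
        if (!Enum.TryParse(certStoreLocation, true, out storeLocation) || !Enum.IsDefined(typeof(StoreLocation), storeLocation))
        {
            throw new ArgumentException($"'{certStoreLocation}' is not a valid StoreLocation.", nameof(certStoreLocation));
        }
        if (string.IsNullOrWhiteSpace(certThumprint))
        {
            throw new ArgumentException("Thumbprint must not be empty.", nameof(certThumprint));
        }

        X509Store certStore = new X509Store(storeName, storeLocation);
        try
        {
            certStore.Open(OpenFlags.ReadOnly);
            // validOnly: false — an expired certificate or one whose chain does not build is still returned.
            // Acceptable for a demo; with true an expired app certificate would fail here rather than at token time.
            X509Certificate2Collection matches = certStore.Certificates.Find(X509FindType.FindByThumbprint, certThumprint.Trim(), false);
            // Get the first cert with the thumbprint
            return matches.Count > 0 ? matches[0] : null;
        }
        finally
        {
            // try/finally rather than 'using' so the code also builds on targets where X509Store is not IDisposable.
            certStore.Close();
        }
    }
}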
}