using System;
using System.Globalization;
using System.Linq;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Cryptography.X509Certificates;
using Microsoft.IdentityModel.Clients.ActiveDirectory;
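namespace AppPermissionsDemo
{
    /// <summary>
    /// Demo: acquire an app-only (client-credentials) Microsoft Graph token with a certificate
    /// from the Windows certificate store, then call GET /v1.0/groups with it.
    /// </summary>
    /// <remarks>
    /// Security notes for anyone reusing this sample:
    ///  - The private key stays in the certificate store; ADAL only uses it to sign the client
    ///    assertion (a short-lived JWT). Prefer a non-exportable key where possible.
    ///  - Application permissions such as Group.Read.All are tenant-wide and need admin consent;
    ///    grant the app only what it actually needs.
    ///  - ADAL (Microsoft.IdentityModel.Clients.ActiveDirectory) has been superseded by MSAL
    ///    (Microsoft.Identity.Client); new code should use MSAL's confidential client instead.
    ///  - Never write the access token to logs or console output.
    /// </remarks>
    class Program
    {
        static void Main(string[] args)
        {
            // Client ID, tenant and thumbprint are identifiers rather than secrets, but keeping them out
            // of source makes the sample reusable. Environment variables override the placeholders.
            string clientId = Environment.GetEnvironmentVariable("AAD_CLIENT_ID")
                ?? "<client-id-of-aad-app-registration>"; // e.g. 01e54f9a-81bc-4dee-b15d-e661ae13f382
            string tenantDomain = Environment.GetEnvironmentVariable("AAD_TENANT")
                ?? "yourtenant.onmicrosoft.com";
            // Demo values: the certificate is expected in the current user's personal ("My") store.
            string certStoreName = "My";
            string certStoreLocation = "CurrentUser";
            string certThumbprint = Environment.GetEnvironmentVariable("AAD_CERT_THUMBPRINT")
                ?? "<your-cert-thumbprint>"; // e.g. CE20E000D53A4C968ED8BA3EFC92C40A2692AE98

            // The public half of this certificate must be uploaded to the app registration in the portal.
            X509Certificate2 appOnlyCert = GetAppOnlyCertificate(certStoreName, certStoreLocation, certThumbprint);
            if (appOnlyCert == null)
            {
                // Previously a missing certificate surfaced as a null-reference failure deep inside ADAL.
                throw new InvalidOperationException(
                    $"No certificate with thumbprint '{certThumbprint}' was found in {certStoreLocation}\\{certStoreName}.");
            }
            // Signing the client assertion needs the private key; ADAL's own error for this case is not obvious.
            if (!appOnlyCert.HasPrivateKey)
            {
                throw new InvalidOperationException(
                    $"Certificate '{appOnlyCert.Thumbprint}' has no private key and cannot be used as a client credential.");
            }
            // The store lookup does not filter on validity, so warn here rather than fail obscurely at token time.
            DateTime now = DateTime.Now; // NotBefore/NotAfter are reported in local time
            if (now < appOnlyCert.NotBefore || now > appOnlyCert.NotAfter)
            {
                Console.Error.WriteLine(
                    $"Warning: certificate '{appOnlyCert.Thumbprint}' is outside its validity period " +
                    $"(NotBefore={appOnlyCert.NotBefore:O}, NotAfter={appOnlyCert.NotAfter:O}).");
            }

            string accessToken = GetMSGraphApplicationAccessToken(clientId, tenantDomain, appOnlyCert);

            using (HttpClient httpClient = new HttpClient())
            {
                httpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);
                // Sample request: list all groups. Needs at least the Group.Read.All application
                // permission, granted with admin consent, on the app registration.
                var request = new HttpRequestMessage(HttpMethod.Get, "https://graph.microsoft.com/v1.0/groups");
                // GetAwaiter().GetResult() instead of .Result: rethrows the real exception rather than
                // wrapping it in an AggregateException. Blocking is acceptable in a console Main (no sync context).
                HttpResponseMessage response = httpClient.SendAsync(request).GetAwaiter().GetResult();
                string content = response.Content.ReadAsStringAsync().GetAwaiter().GetResult();
                if (!response.IsSuccessStatusCode)
                {
                    // A 401/403 here usually means the permission was not granted or consented;
                    // Graph's error body (printed below) carries the specific error code.
                    Console.Error.WriteLine($"Graph returned {(int)response.StatusCode} {response.ReasonPhrase}");
                }
                Console.WriteLine(content);
            }
        }

        /// <summary>
        /// Acquires an app-only access token for Microsoft Graph through the client-credentials flow,
        /// authenticating the application with a certificate-signed client assertion (no client secret).
        /// </summary>
        /// <param name="clientId">Application (client) ID of the Azure AD app registration.</param>
        /// <param name="tenantDomain">Tenant the token is issued for, e.g. "contoso.onmicrosoft.com".</param>
        /// <param name="cert">Certificate whose private key signs the assertion; its public key must be registered on the app.</param>
        /// <returns>The bearer access token string.</returns>
        /// <exception cref="ArgumentException">Client ID or tenant domain is empty.</exception>
        /// <exception cref="ArgumentNullException"><paramref name="cert"/> is null.</exception>
        public static string GetMSGraphApplicationAccessToken(string clientId, string tenantDomain, X509Certificate2 cert)
        {
            if (string.IsNullOrWhiteSpace(clientId))
            {
                throw new ArgumentException("Client ID is required.", nameof(clientId));
            }
            if (string.IsNullOrWhiteSpace(tenantDomain))
            {
                throw new ArgumentException("Tenant domain is required.", nameof(tenantDomain));
            }
            if (cert == null)
            {
                throw new ArgumentNullException(nameof(cert));
            }

            // The client-credentials flow requires a tenant-specific authority; the /common endpoint is
            // not valid for app-only tokens. login.windows.net is the legacy authority host;
            // login.microsoftonline.com is the current one and is a drop-in replacement.
            string authority = string.Format(CultureInfo.InvariantCulture, "{0}/{1}/", "https://login.windows.net", tenantDomain);
            var authContext = new AuthenticationContext(authority);
            var clientAssertionCert = new ClientAssertionCertificate(clientId, cert);
            // v1 endpoint: the Graph resource URI rather than a scope. If this is called repeatedly,
            // keep the AuthenticationContext around so its token cache is reused instead of hitting AAD each time.
            var result = authContext
                .AcquireTokenAsync("https://graph.microsoft.com", clientAssertionCert)
                .GetAwaiter()
                .GetResult();
            return result.AccessToken;
        }

        /// <summary>
        /// Looks up a certificate by thumbprint in the given X509 store.
        /// </summary>
        /// <param name="certStoreName">A <see cref="StoreName"/> member name such as "My" (case-insensitive).</param>
        /// <param name="certStoreLocation">A <see cref="StoreLocation"/> member name: "CurrentUser" or "LocalMachine".</param>
        /// <param name="certThumprint">SHA-1 thumbprint in hex; spaces and other non-hex characters are ignored.</param>
        /// <returns>The matching certificate, or null when the store holds no certificate with that thumbprint.</returns>
        /// <exception cref="ArgumentException">
        /// The store name or location is not a valid enum member, or the thumbprint is empty.
        /// </exception>
        private static X509Certificate2 GetAppOnlyCertificate(string certStoreName, string certStoreLocation, string certThumprint)
        {
            // The TryParse results were previously ignored, leaving the enums at 0 (not a defined member of
            // either enum) on a typo, which X509Store then rejects downstream with a less helpful message.
            StoreName storeName;
            if (!Enum.TryParse(certStoreName, true, out storeName))
            {
                throw new ArgumentException($"Unknown certificate store name '{certStoreName}'.", nameof(certStoreName));
            }
            StoreLocation storeLocation;
            if (!Enum.TryParse(certStoreLocation, true, out storeLocation))
            {
                throw new ArgumentException($"Unknown certificate store location '{certStoreLocation}'.", nameof(certStoreLocation));
            }
            if (string.IsNullOrWhiteSpace(certThumprint))
            {
                throw new ArgumentException("Certificate thumbprint is required.", nameof(certThumprint));
            }
            // Thumbprints pasted from the Windows certificate UI often carry spaces and an invisible
            // U+200E left-to-right mark; Find() matches the string exactly, so keep only hex digits.
            string normalizedThumbprint = new string(certThumprint.Where(Uri.IsHexDigit).ToArray());

            // try/finally rather than 'using' so the store is closed on every path without relying on
            // X509Store implementing IDisposable (added only in newer framework versions).
            X509Store certStore = new X509Store(storeName, storeLocation);
            try
            {
                certStore.Open(OpenFlags.ReadOnly);
                // validOnly: false so expired or not-chain-trusted (e.g. self-signed) certificates are still
                // returned; the caller is responsible for checking validity. A thumbprint identifies exactly
                // one certificate, so taking the first match is safe.
                X509Certificate2Collection matches = certStore.Certificates.Find(
                    X509FindType.FindByThumbprint, normalizedThumbprint, false);
                return matches.Count > 0 ? matches[0] : null;
            }
            finally
            {
                certStore.Close();
            }
        }
    }
}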