functions/Public/Authorization/Get-MgaToken.ps1
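function Get-MgaToken {
    <#
    .LINK
    https://github.com/baswijdenes/Optimized.Mga/
    .LINK
    https://baswijdenes.com/c/microsoft/mga/
    .SYNOPSIS
    Get-MgaToken will retrieve an AccessToken for the Microsoft Graph API and keep it in the module's script-scoped session.
    .DESCRIPTION
    The AccessToken is automatically renewed when you use cmdlets.
    If an AccessToken is already present you are asked to confirm before it is replaced; use -Force to skip that prompt.
    .PARAMETER Certificate
    Use Certificate to get an AccessToken with a Certificate. You can also use a Certificate thumbprint
    (a 40-character string), in which case the certificate is looked up on the client.
    .PARAMETER Secret
    Use a ClientSecret to get an AccessToken. The value is accepted as a plain string, so it can be captured
    in command history, transcripts and verbose output; pass it from a variable or secret store rather than typing it inline.
    .PARAMETER ClientId
    ClientId is the Application (client) ID of the AzureAD Application registration (aliases: ApplicationID, AppID).
    .PARAMETER Identity
    Parameter is a switch, it can be used when a Managed Identity is authenticating to Microsoft Graph API.
    Examples are: Azure Automation, Azure Functions, & Azure Virtual Machines.
    .PARAMETER DeviceCode
    Parameter is a switch and it will let you log in with a DeviceCode. It will open a browser window and you will
    have to log in with your credentials. You have 15 minutes before it cancels the request.
    .PARAMETER TenantId
    TenantId is the TenantId or XXX.onmicrosoft.com address.
    .PARAMETER Force
    Use -Force when you want to overwrite the AccessToken with a new one without being prompted.
    .EXAMPLE
    Get-MgaToken -ClientSecret '1yD3h~.KgROPO.K1sbRF~XXXXXXXXXXXXX' -ClientId 'XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXX' -TenantId 'XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXX'
    .EXAMPLE
    $Cert = Get-ChildItem 'Cert:\LocalMachine\My\XXXXXXXXXXXXXXXXXXX'
    Get-MgaToken -Certificate $Cert -ClientId 'XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXX' -TenantId 'XXXXXXXX.onmicrosoft.com'
    .EXAMPLE
    Get-MgaToken -Certificate '3A7328F1059E9802FAXXXXXXXXXXXXXXXXXXXXXX' -ClientId 'XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXX' -TenantId 'XXXXXXXX.onmicrosoft.com'
    .EXAMPLE
    Get-MgaToken -Identity
    .EXAMPLE
    Get-MgaToken -DeviceCode
    #>
    [CmdletBinding(DefaultParameterSetName = 'DeviceCode')]
    param (
        # Accepts either a 40-character thumbprint string or a value castable to X509Certificate2;
        # any other string makes the cast throw, which surfaces as a parameter validation error.
        [Parameter(Mandatory = $true, ParameterSetName = 'Certificate')]
        [ValidateScript( { ($_.length -eq 40) -or ([System.Security.Cryptography.X509Certificates.X509Certificate2]$_) })]
        [Alias('Thumbprint')]
        $Certificate,

        # Plain-text client secret; see the help text for handling caveats.
        [Parameter(Mandatory = $true, ParameterSetName = 'ClientSecret')]
        [Alias('ClientSecret', 'AppSecret', 'AppPass')]
        [string]
        $Secret,

        [Parameter(Mandatory = $true, ParameterSetName = 'ManagedIdentity')]
        [Alias('ManagedIdentity', 'ManagedSPN')]
        [switch]
        $Identity,

        [Parameter(Mandatory = $false, ParameterSetName = 'DeviceCode')]
        [switch]
        $DeviceCode,

        [Parameter(Mandatory = $true, ParameterSetName = 'Certificate')]
        [Parameter(Mandatory = $true, ParameterSetName = 'ClientSecret')]
        [Parameter(Mandatory = $false, ParameterSetName = 'ManagedIdentity')]
        [Parameter(Mandatory = $false, ParameterSetName = 'DeviceCode')]
        [Alias('ApplicationID', 'AppID', 'App', 'Application')]
        [String]
        $ClientId,

        # Not declared for the DeviceCode set: passing -TenantId together with -DeviceCode fails parameter binding.
        [Parameter(Mandatory = $true, ParameterSetName = 'Certificate')]
        [Parameter(Mandatory = $true, ParameterSetName = 'ClientSecret')]
        [Parameter(Mandatory = $false, ParameterSetName = 'ManagedIdentity')]
        [Alias('Tenant')]
        [String]
        $TenantId,

        [Parameter(Mandatory = $false)]
        [Switch]
        $Force
    )
    begin {
        try {
            if ($Force) {
                Write-Verbose 'Running Remove-MgaToken to force a new AccessToken'
                $null = Remove-MgaToken
            }
            else {
                # An existing session is only replaced after an explicit interactive confirmation.
                if ($Script:MgaSession.headerParameters) {
                    $Confirmation = Read-Host 'You already have an AccessToken, are you sure you want to proceed? Type (Y)es to continue'
                    if (($Confirmation -eq 'y') -or ($Confirmation -eq 'yes') -or ($Confirmation -eq 'true') -or ($Confirmation -eq '(Y)es')) {
                        $null = Remove-MgaToken
                    }
                    else {
                        throw 'Login aborted'
                    }
                }
            }
            # A 40-character string is treated as a thumbprint to look up on the client rather than a certificate object.
            if ($Certificate.length -eq 40) {
                Write-Verbose 'Certificate is a string of 40 characters, updating value to search for certificate on client'
                $Thumbprint = $Certificate
            }
            # Fresh, empty session state; the Receive-MgaOauthToken path is expected to populate it
            # (the fields are only initialised here, their values come from elsewhere in the module).
            Write-Verbose 'Creating MgaSession HashTable for Script scope'
            $MgaSession = @{
                headerParameters    = $null
                ApplicationID       = $null
                Tenant              = $null
                Secret              = $null
                Certificate         = $null
                AccessToken         = $null
                ManagedIdentity     = $null
                ManagedIdentityType = $null
                DeviceCode          = $null
                LoginScope          = $null
                OriginalHeader      = $null
            }
            $Null = New-Variable -Name MgaSession -Value $MgaSession -Scope Script -Force
        }
        catch {
            throw $_
        }
    }
    process {
        try {
            # ClientId/TenantId are only forwarded on the Certificate and ClientSecret paths below;
            # the ManagedIdentity and DeviceCode paths call Receive-MgaOauthToken without them,
            # so a -ClientId given with -Identity or -DeviceCode is currently ignored here
            # (whether the helper needs it for a user-assigned identity cannot be told from this file).
            $ReceiveMgaOauthToken = @{
                ApplicationId = $ClientId
                Tenant        = $TenantId
            }
            if ($Thumbprint) {
                $ReceiveMgaOauthToken.Add('Thumbprint', $Thumbprint)
                Receive-MgaOauthToken @ReceiveMgaOauthToken
            }
            elseif ($Certificate) {
                $ReceiveMgaOauthToken.Add('Certificate', $Certificate)
                Receive-MgaOauthToken @ReceiveMgaOauthToken
            }
            elseif ($Secret) {
                $ReceiveMgaOauthToken.Add('ClientSecret', $Secret)
                Receive-MgaOauthToken @ReceiveMgaOauthToken
            }
            elseif ($Identity -eq $true) {
                Receive-MgaOauthToken -ManagedIdentity 'TryMe'
            }
            else {
                # Opens the device-login page in the default browser, then starts the device-code exchange.
                # Start-Process on a URL depends on a registered handler; if it throws, the login aborts here.
                Start-Process 'https://microsoft.com/devicelogin'
                Receive-MgaOauthToken -DeviceCode
            }
        }
        catch {
            throw $_
        }
    }
    end {
        return "AccessToken received, you can now use other cmdlets from module 'Mga'"
    }
}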