functions/Public/Authorization/Show-MgaToken.ps1
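function Show-MgaToken {
    <#
    .LINK
    https://github.com/baswijdenes/Optimized.Mga/

    .LINK
    https://baswijdenes.com/c/microsoft/mga/

    .SYNOPSIS
    Use this cmdlet to retrieve the AccessToken decoded.

    .DESCRIPTION
    Show-MgaToken is mainly used for troubleshooting permission errors to see which permissions are missing.

    The token is only Base64Url-decoded. The signature segment is never read or verified,
    so the returned claims are unauthenticated and are suitable for inspection only, not
    for authorization decisions.

    The decoded header and payload are returned as a single object: header properties first,
    then the payload claims. If both contain the same property name, the payload value is kept.

    .PARAMETER AccessToken
    By leaving parameter AccessToken empty, it will use the AccessToken from the MgaSession variable.
    You can also decode another AccessToken by using this parameter.
    For example from the official Microsoft SDK PowerShell module or a web browser.
    A leading 'Bearer ' prefix (any casing) is removed before decoding.

    .PARAMETER Roles
    Use this Parameter to only see the roles in the AccessToken.

    .EXAMPLE
    Show-MgaToken

    .EXAMPLE
    Show-MgaToken -Roles

    .NOTES
    An access token is a bearer credential. Error and verbose messages written by this cmdlet
    deliberately never contain the token itself; keep it out of transcripts and logs as well.
    #>
    [CmdletBinding()]
    param (
        [parameter(mandatory = $false, Position = 0)]
        $AccessToken = ($Script:MgaSession.headerParameters).Authorization,
        [parameter(mandatory = $false)]
        [switch]
        $Roles
    )
    begin {
        try {
            # Fail with a readable message instead of a null-method-call error when
            # there is neither a parameter value nor a session token.
            $AccessToken = [string]$AccessToken
            if ([string]::IsNullOrWhiteSpace($AccessToken)) {
                throw 'No AccessToken was supplied and none was found in the MgaSession variable.'
            }

            # -match / -replace are case-insensitive, so the check and the removal agree
            # (the previous case-sensitive .Replace() left a lower-case 'bearer ' in place).
            if ($AccessToken -match '^\s*Bearer\s+') {
                Write-Verbose "Removing 'Bearer ' from token for formatting"
                $AccessToken = $AccessToken -replace '^\s*Bearer\s+', ''
            }
            $AccessToken = $AccessToken.Trim()

            # A JWT is header.payload.signature; only the first two segments are decoded.
            $AccessTokenSplitted = $AccessToken.Split('.')
            if ($AccessTokenSplitted.Count -lt 2 -or -not $AccessTokenSplitted[0] -or -not $AccessTokenSplitted[1]) {
                # The message intentionally does not echo the token value.
                throw 'AccessToken is not in JWT format (expected header.payload.signature).'
            }

            # Base64Url -> Base64: restore the standard alphabet and the stripped '=' padding.
            $AccessTokenHeader = $AccessTokenSplitted[0].Replace('-', '+').Replace('_', '/')
            While ($AccessTokenHeader.Length % 4) {
                $AccessTokenHeader += '='
            }
            $AccessTokenPayLoad = $AccessTokenSplitted[1].Replace('-', '+').Replace('_', '/')
            While ($AccessTokenPayLoad.Length % 4) {
                $AccessTokenPayLoad += '='
            }
        }
        catch {
            throw $_
        }
    }
    process {
        try {
            # JWT segments are UTF-8 encoded JSON; ASCII decoding would turn every
            # non-ASCII character in a claim (e.g. a display name) into '?'.
            Write-Verbose 'Decoding Header to JSON'
            $AccessTokenHeaderJSON = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($AccessTokenHeader))
            Write-Verbose 'Decoding PayLoad to JSON'
            $AccessTokenPayLoadJSON = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($AccessTokenPayLoad))

            # Parse each segment on its own and merge the objects, rather than splicing the
            # two JSON strings together (which produced invalid JSON for an empty object).
            Write-Verbose 'Converting from Json to EndResult'
            $AccessTokenEndResult = $AccessTokenHeaderJSON | ConvertFrom-Json
            $AccessTokenPayLoadObject = $AccessTokenPayLoadJSON | ConvertFrom-Json
            foreach ($Claim in $AccessTokenPayLoadObject.PSObject.Properties) {
                $AccessTokenEndResult | Add-Member -NotePropertyName $Claim.Name -NotePropertyValue $Claim.Value -Force
            }
        }
        catch {
            throw $_
        }
    }
    end {
        if ($Roles) {
            return $AccessTokenEndResult.Roles
        }
        else {
            return $AccessTokenEndResult
        }
    }
}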