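function Get-MgToken {
    <#
    .SYNOPSIS
    Acquires an app-only (client credentials) access token for Microsoft Graph, for use with Connect-MgGraph -AccessToken.
    .DESCRIPTION
    Posts a client_credentials grant to https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token
    with the scope https://graph.microsoft.com/.default and returns the raw access_token string.
    The tenant is taken from -TenantID, or resolved from -Domain via Get-O365TenantID.

    Security notes:
    - The returned token is a bearer credential: whoever holds it can call Graph with every
      application permission consented to the app until it expires. Do not log it, write it to
      disk, or pass it on a command line.
    - -ClientSecret is a plain [string]. It is visible in PowerShell transcripts, command history,
      $PSBoundParameters and the -Verbose/-Debug output of callers. Prefer -ClientSecretEncrypted
      (a ConvertFrom-SecureString blob) or a proper secret store, and never hard-code the secret.
    - A ConvertFrom-SecureString blob produced without -Key/-SecureKey is protected with DPAPI and
      can only be decrypted by the same Windows user on the same machine that created it; it is
      not portable between hosts or service accounts.
    - A failed token request (wrong secret, unknown tenant, network error) throws; callers should
      wrap the call in try/catch rather than test the result for $null.
    .PARAMETER ClientID
    Application (client) ID of the App Registration. Alias: ApplicationID.
    .PARAMETER ClientSecret
    Client secret of the App Registration in plain text (see security notes above).
    .PARAMETER ClientSecretEncrypted
    Client secret of the App Registration as the string produced by
    ConvertTo-SecureString -AsPlainText | ConvertFrom-SecureString (DPAPI-protected, same user and machine only).
    .PARAMETER TenantID
    Tenant (directory) ID in which the app is registered.
    .PARAMETER Domain
    A verified domain of the tenant in which the app is registered; resolved to a tenant ID with Get-O365TenantID.
    .PARAMETER Proxy
    Optional proxy URI passed through to Invoke-RestMethod.
    .PARAMETER ProxyCredential
    Optional credential for the proxy passed through to Invoke-RestMethod.
    .PARAMETER ProxyUseDefaultCredentials
    Use the current user's credentials for the proxy (passed through to Invoke-RestMethod).
    .EXAMPLE
    Get-MgToken -ClientID 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' -ClientSecret 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx' -TenantID 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx'
    .EXAMPLE
    Get-MgToken -ClientID 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' -ClientSecret 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx' -Domain 'contoso.com'
    .EXAMPLE
    $ClientSecretEncrypted = 'ClientSecretToEncrypt' | ConvertTo-SecureString -AsPlainText | ConvertFrom-SecureString
    $AccessToken = Get-MgToken -Domain 'evotec.pl' -ClientID 'ClientID' -ClientSecretEncrypted $ClientSecretEncrypted
    Connect-MgGraph -AccessToken $AccessToken
    .OUTPUTS
    System.String - the access_token value from the token endpoint response.
    .NOTES
    Throws if the tenant cannot be resolved, if the token request fails, or if the endpoint
    answers without an access_token.
    #>
    [CmdletBinding(DefaultParameterSetName = 'Domain')]
    param(
        [Parameter(ParameterSetName = 'TenantID', Mandatory)]
        [Parameter(ParameterSetName = 'Domain', Mandatory)]
        [Parameter(ParameterSetName = 'TenantIDEncrypted', Mandatory)]
        [Parameter(ParameterSetName = 'DomainEncrypted', Mandatory)]
        [alias('ApplicationID')][string] $ClientID,
        [Parameter(ParameterSetName = 'TenantID', Mandatory)]
        [Parameter(ParameterSetName = 'Domain', Mandatory)]
        [string] $ClientSecret,
        [Parameter(ParameterSetName = 'TenantIDEncrypted', Mandatory)]
        [Parameter(ParameterSetName = 'DomainEncrypted', Mandatory)]
        [string] $ClientSecretEncrypted,
        [Parameter(ParameterSetName = 'TenantIDEncrypted', Mandatory)]
        [Parameter(ParameterSetName = 'TenantID', Mandatory)][string] $TenantID,
        [Parameter(ParameterSetName = 'DomainEncrypted', Mandatory)]
        [Parameter(ParameterSetName = 'Domain', Mandatory)][string] $Domain,
        [Parameter(ParameterSetName = 'TenantID')]
        [Parameter(ParameterSetName = 'Domain')]
        [Parameter(ParameterSetName = 'TenantIDEncrypted')]
        [Parameter(ParameterSetName = 'DomainEncrypted')]
        [string] $Proxy,
        [Parameter(ParameterSetName = 'TenantID')]
        [Parameter(ParameterSetName = 'Domain')]
        [Parameter(ParameterSetName = 'TenantIDEncrypted')]
        [Parameter(ParameterSetName = 'DomainEncrypted')]
        [PSCredential] $ProxyCredential,
        [Parameter(ParameterSetName = 'TenantID')]
        [Parameter(ParameterSetName = 'Domain')]
        [Parameter(ParameterSetName = 'TenantIDEncrypted')]
        [Parameter(ParameterSetName = 'DomainEncrypted')]
        [switch] $ProxyUseDefaultCredentials
    )
    # Recover the plaintext secret for the token POST. For the encrypted variant this is the
    # standard ConvertFrom-SecureString round-trip. No switch is passed to ConvertTo-SecureString:
    # -Force belongs to the -AsPlainText parameter set and is not needed for decryption, and
    # omitting it makes the intended default (DPAPI-decrypt) parameter set unambiguous.
    if ($PSBoundParameters.ContainsKey('ClientSecretEncrypted')) {
        $SecureSecret = ConvertTo-SecureString -String $ClientSecretEncrypted
        $ApplicationKey = [System.Net.NetworkCredential]::new([string]::Empty, $SecureSecret).Password
    } else {
        $ApplicationKey = $ClientSecret
    }

    # Resolve the tenant before building the request so a lookup failure never sends the secret anywhere.
    if ($TenantID) {
        $Tenant = $TenantID
    } elseif ($Domain) {
        $Tenant = Get-O365TenantID -Domain $Domain
    }
    if (-not $Tenant) {
        throw "Get-MgToken - Unable to get Tenant ID"
    }

    # Hashtable bodies are sent as application/x-www-form-urlencoded, which is what the v2.0 token endpoint expects.
    $Body = @{
        Grant_Type    = "client_credentials"
        Scope         = "https://graph.microsoft.com/.default"
        Client_Id     = $ClientID
        Client_Secret = $ApplicationKey
    }

    # The tenant value is caller-supplied and lands in the URL path; escape it so that characters
    # such as '/', '?' or '#' cannot change which endpoint path receives the client secret.
    # GUIDs and domain names consist of unreserved characters only and pass through unchanged.
    $EscapedTenant = [uri]::EscapeDataString($Tenant)
    $invokeRestMethodSplat = @{
        Uri         = "https://login.microsoftonline.com/$EscapedTenant/oauth2/v2.0/token"
        Method      = 'POST'
        Body        = $Body
        # An HTTP error from Invoke-RestMethod is only statement-terminating by default, which would
        # leave $connection empty and make this function return $null; escalate it to an exception
        # so the failure surfaces to the caller like the other throws in this function.
        ErrorAction = 'Stop'
    }
    if ($PSBoundParameters.ContainsKey('Proxy')) {
        $invokeRestMethodSplat.Proxy = $Proxy
    }
    if ($PSBoundParameters.ContainsKey('ProxyCredential')) {
        $invokeRestMethodSplat.ProxyCredential = $ProxyCredential
    }
    if ($PSBoundParameters.ContainsKey('ProxyUseDefaultCredentials')) {
        $invokeRestMethodSplat.ProxyUseDefaultCredentials = $ProxyUseDefaultCredentials
    }

    $connection = Invoke-RestMethod @invokeRestMethodSplat
    # Guard against a successful HTTP response that carries no token so callers never hand
    # $null to Connect-MgGraph -AccessToken silently. The response body is not echoed here
    # because a valid reply contains the bearer token itself.
    if (-not $connection.access_token) {
        throw "Get-MgToken - Token endpoint returned no access_token for tenant '$Tenant'"
    }
    $connection.access_token
}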