
# ----------------------------------------------------------------------------
# * Used the follow resource as a guide to write this script
# * At the time of writing this...
# > AzureAD Module Version (AzureAdPreview version
# > Active Directory Authentication Library version 3.19.7

# ----------------------------------------------------------------------------
    $TenantName = ""
    $RedirectURI = "urn:ietf:wg:oauth:2.0:oob"
    $ResourceId = ""
    # If using Native app type
    $ClientID = ""
    # If using Web app type
    $ClientID = ""
    $ClientSecret = ""
    $aadContext = [AadContext]::new()
    $aadContext.TenantName = $TenantName
    #$aadContext.AcquireToken($Resource, $ClientId, $ClientSecret)
    $Headers = $aadContext.CreateAuthenticationHeaders()

Gets a token using ADAL installed with Azure AD PowerShell Module
Prompts user to sign-in in order to acquire token.
Set the resource in which you want to get a access token for
Set the Client ID/App Id in which you want to get a access token from
Set the Redirect URL/URI for which Azure AD will redirect back to your application
Sets the prompt behavior for ADAL
Sets the tenant in which your authenticating to
Used in conjunction with Instance to form the Authority
Sets the Azure AD Instance tenant in which your authenticating to
Used in conjunction with Tenant to form the Authority
.PARAMETER UseClientCredential
Tell ADAL to use the Client Credential flow (Gets a client only access token)
.PARAMETER ClientSecret
Sets the Client Secret for ADAL to use during Client Credential flow
Prompt user to sign-in to get access token
Get-AadTokenUsingAdal -ResourceId "" -ClientId 5567ba8a-e608-4219-97d8-3d3ea63718e7 -Redirect ""
To get client only access token
Get-AadTokenUsingAdal -UseClientCredential -ResourceId "" -ClientId 5567ba8a-e608-4219-97d8-3d3ea63718e7 -ClientSecret "98iwjdc-098343js="
General notes

function Get-AadTokenUsingAdal

        $ResourceId = "",

        [Parameter(ParameterSetName="UserAccessToken", Mandatory=$false)]
        [Parameter(ParameterSetName="ClientAccessToken", Mandatory=$false)]

        [Parameter(ParameterSetName="UserAccessToken", Mandatory=$false)]

        [Parameter(ParameterSetName="UserAccessToken", Mandatory=$false)]


        $Tenant = "common",

        $Instance = "",

        [Parameter(ParameterSetName="ClientAccessToken", Mandatory=$true)]

        [Parameter(ParameterSetName="ClientAccessToken", Mandatory=$true)]



    #Ensure Parameters are valid
    if(-not $Tenant)
            $Tenant = $Global:AadSupport.Session.TenantId
            $Tenant = "common"

    # Get Service Principal
    if(-not $SkipServicePrincipalSearch)
        $sp = Get-AadServicePrincipal -Id $ClientId
        $ClientId = $sp.AppId
        if(-not $Redirect)
            $Redirect = $sp.ReplyUrls[0]

    if($sp.count -gt 1)
        throw "Found too many results for '$ClientId'. Please specify a unique ClientId."

    if(-not $Global:AadSupport.AdalContext[$Tenant])
        $Global:AadSupport.AdalContext[$Tenant] = [AadContext]::new("$Instance/$Tenant")

    if(-not $UserId -and -not $Prompt)
        $UserId = $Global:AadSupport.Session.AccountId

    $ExtraQueryParams = ""
    if ($UserId)
        $ExtraQueryParams += "&login_hint=$UserId"
    if ($DomainHint)
        $ExtraQueryParams += "&domain_hint=$DomainHint"


    if ($UseClientCredential)
        if($Tenant -eq "common")
            throw "Invalid Tenant. When using Client Credentials, Tenant is required."

        $result = $Global:AadSupport.AdalContext[$Tenant].AcquireToken($ResourceId,$ClientId,$ClientSecret)| ConvertFrom-Json

    if (-not $UseClientCredential)

        if($Prompt -ne "Always" -and $Prompt -ne "SelectAccount")
            $result = $Global:AadSupport.AdalContext[$Tenant].AcquireSilentToken($ResourceId,$ClientId,$UserId)

        else {
            Write-Host "Authenticating user..." -ForegroundColor Yellow
            $result = $Global:AadSupport.AdalContext[$Tenant].AcquireToken($ResourceId,$ClientId,$Redirect,$Prompt,$UserId, $ExtraQueryParams)

            $result = [psobject]$result | ConvertFrom-Json

            $result = $Global:AadSupport.AdalContext[$Tenant].AcquireToken($ResourceId,$ClientId,$Redirect,"Auto",$UserId, $ExtraQueryParams)
            $result = [psobject]$result | ConvertFrom-Json

    $details = @{}
    $details.AppId = $ClientId
    $details.ReplyAddress = $Redirect
    $details.Audience = $ResourceId

        $details.Error = $result.ErrorDetails.Exception.Message

        if (-not $HideOutput)
            Write-Host ""
            Write-Host "Error" -ForegroundColor Yellow
            $AadError = $details.Error.Message
            Write-Host $AadError -ForegroundColor Red

            # If Output is allowed, lets return the error
            return $details

        #Otherwise throw the error to stop the program
        throw $result.ErrorDetails.Exception

    foreach($member in $result | Get-member)
        if ($member.MemberType -eq 'NoteProperty')
            $details[$member.Name] = $result.($member.Name)


    if(-not $Global:AadSupport.AdalContext[$Tenant])
        $Global:AadSupport.AdalContext[$details.TenantId] = $Global:AadSupport.AdalContext[$Tenant]

    $Headers = @{ "Authorization" = "Bearer $($details.AccessToken)" }
    $details.Headers = $Headers
    $details.AccessTokenClaims = $details.AccessToken | ConvertFrom-AadJwtToken
    $details.Scopes = $details.AccessTokenClaims.scp
    $details.Roles = $details.AccessTokenClaims.Roles
    if($details.IdToken) { $details.IdTokenClaims = $details.IdToken | ConvertFrom-AadJwtToken }

    $Object = New-Object -TypeName PSObject -Property $details
    if($Object.AccessToken -and -not $HideOutput)
        Write-Host ""
        Write-Host "Access Token" -ForegroundColor Yellow
        $AccessTokenClaims = $Object.AccessTokenClaims
        Write-ObjectToHost $AccessTokenClaims

    return $Object

# ----------------------------------------------------------------------------
# AadContext (AAD Helper Class)

class AadContext {

    [string]$AadInstance = ""

    [Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext]$authContext = $null

    AadContext($authority) {
        #Build the auth context and get the result
        $TokenCache = New-Object -TypeName "Microsoft.IdentityModel.Clients.ActiveDirectory.TokenCache"
        $this.authContext = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext" -ArgumentList $authority, $TokenCache

    # ----------------------------------------------------------------------------
    # AcquireToken
    # Method to help get Azure AD tokens (Interactive flow)
    [string]AcquireToken([string]$_ResourceId, [string]$_ClientID, [string]$_RedirectURI, [string]$_PromptBehavior, [string]$_UserId, [string]$_ExtraQueryParams)
        $result = @{}

        if($null -eq $_ClientID -or $_ClientID -eq "")
            $result.Error = "Client ID required!"
            return $result

        if($null -eq $_RedirectURI -or $_RedirectURI -eq "")
            $result.Error = "Redirect URI required!"
            return $result

        if($null -eq $_ResourceId -or $_ResourceId -eq "")
            $result.Error = "Resource Id required!"
            return $result

        if(-not $_PromptBehavior)
            $_PromptBehavior = "Auto"
        $promptBehavior = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.PromptBehavior"

        # Set UserIdentifier
        $UserIdentifier = $null
            $UserType = [Microsoft.IdentityModel.Clients.ActiveDirectory.UserIdentifierType]::RequiredDisplayableId 
            $UserIdentifier = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.UserIdentifier" -ArgumentList $_UserId,$UserType 

        # If UserIdentifier not set yet from above...
        if(-not $UserIdentifier)
            $UserIdentifier = [Microsoft.IdentityModel.Clients.ActiveDirectory.UserIdentifier]::AnyUser

        $platformParameters = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.PlatformParameters" -ArgumentList $promptBehavior::$_PromptBehavior


            if($_UserId -and $_ExtraQueryParams)
                $RebuildQueryParams = @()
                $SplitQueryParams = $_ExtraQueryParams.Split("&")

                foreach($item in $SplitQueryParams)
                    if(-not ($item -match "login_hint")) 
                        $RebuildQueryParams += $item

                $_ExtraQueryParams = $RebuildQueryParams -join "&"

            $request = $this.authContext.AcquireTokenAsync($_ResourceId, $_ClientID, $_RedirectURI, $platformParameters, $UserIdentifier, $_ExtraQueryParams)
            $result = $request.GetAwaiter().GetResult()

        Catch  #[System.Management.Automation.MethodInvocationException]
            $result.Error = $true
            $result.ErrorDetails = $_

        #Return the authentication token
        return ($result | ConvertTo-Json)

    # ----------------------------------------------------------------------------
    # AcquireToken - CLIENT CREDENTIALS
    [string]AcquireToken([string]$_ResourceId, [string]$_ClientID, [string]$_ClientSecret)
        $return = @{}

        $_AadInstance = $this.AadInstance

        if($null -eq $_ClientID -or $_ClientID -eq "")
            throw "Client ID required!"

        if($null -eq $_ClientSecret -or $_ClientSecret -eq "")
            throw "Client Secret required!"
        if($null -eq $_ResourceId -or $_ResourceId -eq "")
            throw "Resource Id required!"
        $AdClientCreds = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.ClientCredential" -ArgumentList $_ClientID, $_ClientSecret
        Write-Verbose "Attempting client credentials authentication"
        $result = @{}
        try {
            $request = $this.authContext.AcquireTokenAsync($_ResourceId, $AdClientCreds)
            $result = $request.GetAwaiter().GetResult()
        Catch  #[System.Management.Automation.MethodInvocationException]
            $result.Error = $true
            $result.ErrorDetails = $_

        #Return the authentication token
        return ($result | ConvertTo-Json)

        # ----------------------------------------------------------------------------
    # AcquireToken - Acquire Token Silently
    [string]AcquireSilentToken([string]$_ResourceId, [string]$_ClientID, [string]$_UserId)
        $result = @{}

        $_TenantName = $this.TenantName
        $_AadInstance = $this.AadInstance

        if($null -eq $_ClientID -or $_ClientID -eq "")
            throw "Client ID required!"
        if($null -eq $_ResourceId -or $_ResourceId -eq "")
            throw "Resource Id required!"

        # Set UserIdentifier
        if(-not $_UserId)
            $UserIdentifier = [Microsoft.IdentityModel.Clients.ActiveDirectory.UserIdentifier]::AnyUser
            $UserType = [Microsoft.IdentityModel.Clients.ActiveDirectory.UserIdentifierType]::RequiredDisplayableId 
            $UserIdentifier = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.UserIdentifier" -ArgumentList $_UserId,$UserType 

        #Build the logon URL with the tenant name
        $authority = "$_AadInstance/$_TenantName"

        Write-Verbose "Attempting authentication"
        try {

            $request = $this.authContext.AcquireTokenSilentAsync($_ResourceId, $_ClientID, $UserIdentifier)
            $result = $request.GetAwaiter().GetResult()

        Catch  #[System.Management.Automation.MethodInvocationException]
            $result.Error = $true
            $result.ErrorDetails = $_

        #Return the authentication token
        return ($result | ConvertTo-Json)

    [hashtable]CreateAuthenticationHeaders() {
        return @{ "Authorization" = "Bearer "+$this.AccessToken }


# ############################################################################
# $AdalAssembly = Allow to set custom Adal Assembly path
# Implement AcquireToken using user credentials
# Implement AcquireToken using OBO
# Implement Options to set additional parameters
# > AAD Instance
# > Set login_hint
# > Set domain_hint
# > Set Prompt Behavior