
Make a API request to a protected AAD resource using a Accesss Token.
This is the API url you are making a request to.
.PARAMETER AccessToken
Pass the access token to the protected API
Make a GET request to the protected API
Use the PATCH Http Method
Use the POST Http Method
Use the DELETE Http Method
Use the PUT Http Method
Include a body content with your API request
.PARAMETER ContentType
Specify a ContentType to use. (Default application/json)
Invoke-AadProtectedApi -GET -Endpoint "" -AccessToken "eyJ***"
function Invoke-AadProtectedApi



       [Parameter(ParameterSetName="ProvideToken_Get", Mandatory=$True)]

       [Parameter(ParameterSetName="GetToken_Get", Mandatory=$True)]

       [Parameter(ParameterSetName="GetToken_Get", Mandatory=$True)]

       $Method = "GET",


       $ContentType = "application/json"
    ) #end param

    # Parameter requirements
    if ( ($Method -eq "POST" -or $Method -eq "PATCH" -or $Method -eq "PUT") -and -not $Body )
        throw "Body required when using POST, PATCH, or PUT"

    if(-not $AccessToken -and -not $Client)
        throw "You must specify either -AccessToken or -Client"

    # Check if Body is file
        if(Test-Path -Path $Body)
            $content = Get-Content -Path $Body -Raw
            $Body = $content

    if($Client -and $Resource)
        $ClientId = (Get-AadServicePrincipal -Id $Client).AppId
        $ResourceId = (Get-AadServicePrincipal -Id $Resource).AppId
        if(!$ClientId) {
            $ClientId = $Client

        if(!$ResourceId) {
            $ResourceId = $Client

        write-verbose "Getting token for $Client and $Resource"
        $token = Get-AadTokenUsingAdal -ClientId $ClientId -ResourceId $ResourceId -UserId $Global:AadSupport.Session.AccountId -Prompt Auto -HideOutput -SkipServicePrincipalSearch
            return $token["Error"]

        $AccessToken = $token.AccessToken

    $Result = @{}
    $Result.Content = @()
    $nextLink = $null

    $RetryAttempts = 0
    $MaxRetryAttempts = 5
    do {
        # Refresh Token if ClientId and ResourceId provided
        if($ClientId -and $ResourceId)
            $token = Get-AadTokenUsingAdal -ClientId $ClientId -ResourceId $ResourceId -UserId $Global:AadSupport.Session.AccountId -Prompt Auto -HideOutput -SkipServicePrincipalSearch
            $AccessToken = $token.AccessToken
        Start-Sleep -Milliseconds 60
            $endpoint = $nextLink
            $nextLink = $null

        try {
            write-verbose "Making Graph call..."
            if ($Method -eq "GET")
                $request = Invoke-WebRequest -Headers @{ "Authorization" = "Bearer $AccessToken" } -Uri $endpoint -Method GET -ContentType $ContentType

            if ($Method -eq "POST" -or $Method -eq "PATCH" -or $Method -eq "PUT")
                $request = Invoke-WebRequest -Headers @{ "Authorization" = "Bearer $AccessToken" } -Uri $endpoint -Method $Method -Body $Body -ContentType $ContentType

            if ($Method -eq "DELETE")
                $request = Invoke-WebRequest -Headers @{ "Authorization" = "Bearer $AccessToken" } -Uri $endpoint -Method $Method -ContentType $ContentType

            Start-Sleep -Milliseconds (1000*$RetryAttempts*2)

            Write-Host "Exception calling API." -ForegroundColor Red
                $String = $request.Response.Content

            elseif($_.Exception.Response) {
                $reqstream = $_.Exception.Response.GetResponseStream()
                $reqstream.Position = 0

                $stream = [System.IO.StreamReader]::new($reqstream)
                $String = $stream.ReadToEnd()

            Write-Host $String -ForegroundColor Yellow

            if($_.Exception.Response.StatusCode -eq "429")
                Write-Host "Throttling limit hit: StatusCode 429: Waiting 1 minute. It may take up to 5 minutes" -ForegroundColor Yellow
                Start-Sleep -Seconds 61

            elseif($_.Exception.Response.StatusCode -eq "Unauthorized")
                Write-Host "Invalid Access Token." -ForegroundColor Yellow
                throw $_

            elseif($_.Exception.Response.StatusCode -eq "Forbidden")
                Write-Host "Missing Permissions." -ForegroundColor Yellow
                Start-Sleep -Seconds 300
                throw $_
            if($RetryAttempts -gt $MaxRetryAttempts)
                throw $_
            Write-Host ""
            Write-Host "Retrying request!" -ForegroundColor Yellow
            $JsonObject = $request.Content | ConvertFrom-Json
                $Result.Content += $JsonObject.Value
                    $nextLink = $JsonObject.'@odata.nextLink'
                    if(-not $nextLink -match "https")
                        $nextLink = $JsonObject.'odata.nextLink'
                        Write-Host "nextLink is not a valid web address."
                        Write-Host $nextLink
                $Result.Content += $JsonObject
            $Result.Content += $request.Content
    } while ($nextLink)
    $Result.Headers = $request.Headers
    $Result.StatusCode = $request.StatusCode
    $Result.Response = $request

        Write-Verbose $request.Headers
        Write-Verbose $request.StatusCode
        Write-Verbose $Result.Response

    $ReturnObject = New-Object -TypeName PsCustomObject -Property $Result

        $members = $ReturnObject.Content | Get-Member | where {$_.MemberType -eq "NoteProperty"}
        $ValuePropertyExist = $members.Name.Contains("value")

    if(!$ReturnObject.Content.Value -and $ValuePropertyExist)
        return $null

    return $ReturnObject.Content


function Test-InvokeAadProtectedApi
    Remove-Module AadSupportPreview
    Import-Module AadSupportPreview

    # Test 1 returned result from a collection
    $endpoint = "`$filter=userPrincipalName eq ''"
    $result = Invoke-AadProtectedApi -Client 'test native app' -Resource 'Microsoft Graph' -Endpoint $Endpoint

    # Test 0 returned results from a collection
    $endpoint = "`$filter=userPrincipalName eq ''"
    $result = Invoke-AadProtectedApi -Client 'test native app' -Resource 'Microsoft Graph' -Endpoint $Endpoint

    # Test 1 returned result
    $endpoint = ""
    $result = Invoke-AadProtectedApi -Client 'test native app' -Resource 'Microsoft Graph' -Endpoint $Endpoint

    # Test Pagination
    $endpoint = "`$top=10"
    $result = Invoke-AadProtectedApi -Client 'test native app' -Resource 'Microsoft Graph' -Endpoint $Endpoint