Authentication.ps1
|
#Requires -Module Microsoft.Graph.Authentication <# The Connect-Graph function incorporates work to get tokens from an Azure session and to referesh tokens which was published by Justin Grote at https://github.com/JustinGrote/JustinGrote.Microsoft.Graph.Extensions/blob/main/src/Public/Connect-MgGraphAz.ps1 and licensed by him under the same MIT terms which apply to this module (see the LICENSE file for details) Portions of this file are Copyright 2021 Justin Grote @justinwgrote The remainder is Copyright 2018-2021 James O'Neill #> using namespace Microsoft.Graph.PowerShell.Authentication using namespace Microsoft.Graph.PowerShell.Models using namespace System.Management.Automation [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSAvoidUsingWriteHost', '', Justification='Write host used for colored information message telling user to make a change and remove the message')] [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSAvoidGlobalVars', '', Justification='Items needed outside the module')] [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseDeclaredVarsMoreThanAssignments', '', Justification='False positive for global vars.')] param() #Functions we will define are aliases in Microsoft.Graph.Authentication so remove them Remove-item Alias:\Invoke-GraphRequest -ErrorAction SilentlyContinue Remove-Item Alias:\Connect-Graph -ErrorAction SilentlyContinue Set-Alias -Value Get-MgContext -Name "Get-GraphContext" function Test-GraphSession { <# .synopsis Connect if necessary, catch tokens needing renewal. #> param ( [switch]$Quiet ) if (-not [GraphSession]::Instance.AuthContext) {Connect-Graph -Quiet:$Quiet | Out-Host} elseif ([GraphSession]::Instance.AuthContext.TokenExpires -is [datetime] -and [GraphSession]::Instance.AuthContext.TokenExpires -lt [datetime]::Now.AddMinutes(-1)) { if ($Script:RefreshParams) { if (-not $Quiet) { Write-Host -ForegroundColor DarkCyan "Token Expired! Refreshing before executing command."} Connect-Graph @script:RefreshParams } else {Write-Warning "Token appears to have expired and no refresh information is available "} } } function Invoke-GraphRequest { <# .synopsis Wrappper for Invoke-MgGraphRequest.With token management and result pre-processing .description Adds -ValueOnly to return just the value part -AllValues to return gather multiple sets when data is paged -AsType to convert the retuned results to a specific type -ExcludeProperty and -PropertyNotMatch for results which have properties which aren't in the specified type #> [alias('igr')] param ( #Uri to call can be a segment such as /beta/me or a fully qualified https://graph.microsoft.com/beta/me [Parameter(Mandatory=$true, Position=1 )] [uri]$Uri, #Http Method [ValidateSet('GET','POST','PUT','PATCH','DELETE')] [Parameter(Position=2 )] $Method, #Request body, required when Method is POST or PATCH [Parameter(Position=3,ValueFromPipeline=$true)] $Body, #Optional custom headers, commonly @{'ConsistencyLevel'='eventual'} [System.Collections.IDictionary]$Headers, #Output file where the response body will be saved [string]$OutputFilePath, [switch]$InferOutputFileName, #Input file to send in the request [string]$InputFilePath, #Indicates that the cmdlet returns the results, in addition to writing them to a file. Only valid when the OutFile parameter is also used. [switch]$PassThru, #OAuth or Bearer token to use instead of acquired token [securestring]$Token, #Add headers to request header collection without validation [switch]$SkipHeaderValidation, #Body content type, for exmaple 'application/json' [string]$ContentType, #Graph Authentication type - 'default' or 'userProvivedToken' [Microsoft.Graph.PowerShell.Authentication.Models.GraphRequestAuthenticationType] $Authentication, #Specifies a web request session. Enter the variable name, including the dollar sign ($).You can''t use the SessionVariable and GraphRequestSession parameters in the same command. [Alias('SV')] [string]$SessionVariable, [Alias('RHV')] [string]$ResponseHeadersVariable, [string]$StatusCodeVariable, [switch]$SkipHttpErrorCheck, #If specified returns the .values property instead of the whole JSON object returned by the API call [switch]$ValueOnly, #If specified, loops through multi-paged results indicated by an '@odata.nextLink' property [switch]$AllValues, #If specified removes properties found in the JSON before converting to a type or returning the object [string[]]$ExcludeProperty =@(), #A regular expression for keys to be removed, for example to catch many odata properties [string]$PropertyNotMatch, #If specified converts the JSON object to properties of the a new object of the requested type. Any properties which are expected in the JSON but not defined in the type should be excluded. [string]$AsType ) begin { $null = $PSBoundParameters.Remove('AllValues') , $PSBoundParameters.Remove('AsType'), $PSBoundParameters.Remove('ExcludeProperty'), $PSBoundParameters.Remove('PropertyNotMatch') , $PSBoundParameters.Remove('ValueOnly') if ($ExcludeProperty -notcontains '@odata.id') {$ExcludeProperty += '@odata.id'} Test-GraphSession } process { #I try to use "response" when it is an interim thing not the final result. $response = $null $response = Microsoft.Graph.Authentication\Invoke-MgGraphRequest @PSBoundParameters if ($ValueOnly -or $AllValues) { $result = $response.value if ($AllValues) { while ($response.'@odata.nextLink') { $PSBoundParameters['Uri'] = $response.'@odata.nextLink' $response = Microsoft.Graph.Authentication\Invoke-MgGraphRequest @PSBoundParameters $result += $response.value } } } else {$result = $response} if ($StatusCodeVariable) {Set-variable $StatusCodeVariable -Scope 1 -Value (Get-Variable $StatusCodeVariable -ValueOnly) } foreach ($r in $result) { foreach ($p in $ExcludeProperty) {$r.remove($p)} if ($PropertyNotMatch) { $keystoRemove = $r.keys -match $PropertyNotMatch foreach ($p in $keystoRemove) {[void]$r.remove($p)} } if ($AsType) {New-Object -TypeName $AsType -Property $r} else {$r} } } } function Get-AccessToken { <# .Synopsis Requests a token for a resource path, used by connect graph but available to other tools. .Description An access token is obtained form "https://login.microsoft.com/<<tenant-ID>>/oauth2/token" By specifying the ID, and secret of a client app known to in that tenant, different modes of granting a token to access a resource (logging on) are possible: Extra fields passed in BodyParts grant_type * Username and password 'Password' * Refresh_token 'Referesh_token' * None (logon as the app itself) 'client_credentials' The Set-GraphOptions command sets the tenant ID, a client ID and a client secret for the session. By default, when the module loads it looks at $env:GraphSettingsPath or for Microsoft.Graph.PlusPlus.settings.ps1 in the module folder, and executes it to set these values) Get-AccessToken relies on these if they are not set Connect-Graph removes the parameters which support non-intereactive logons and calling it seperately will fail #> param ( [string]$Resoure = 'https://graph.microsoft.com', [Parameter(Mandatory=$true)] [string]$GrantType , [hashtable]$BodyParts = @{} ) if (-not ($Script:TenantID -and $Script:ClientID)) { [UnauthorizedAccessException]::new('The tenant, and ClientID need to be set with Set-GraphOptions before calling this command.') } $tokenUri = "https://login.microsoft.com/$Script:TenantID/oauth2/token" $body = $BodyParts + @{ 'client_id' = $Script:ClientID 'resource' = $Resoure 'grant_type' = $GrantType } Invoke-RestMethod -Method Post -Uri $tokenUri -Body $body } function Get-AzureIdentityToken { [CmdletBinding(DefaultParameterSetName='scopes')] param ( [Parameter(ParameterSetName = 'scopes')] [String[]]$Scopes = 'https://graph.microsoft.com/', [Parameter(ParameterSetName = 'tokenRequest', Mandatory)] [TokenRequestContext]$TokenRequestContext, [Switch]$Interactive, [ValidateSet('AzureCLI','Default','DeviceCode','InteractiveBrowser')] [string]$Type = 'Default' ) end { if ($Type -in @('InteractiveBrowser','DeviceCode')) { $scopes = @('User.ReadWrite.all', 'openid', 'profile') } if (!$TokenRequestContext) {$TokenRequestContext = [Azure.Core.TokenRequestContext]::new($Scopes)} switch ($type) { "AzureCLI" {$tokenCache = [Azure.Identity.AzureCliCredential]::new()} #returns scopes AuditLog.Read.All Directory.AccessAsUser.All Group.ReadWrite.All User.ReadWrite.All / client 04b07795-8ddb-461a-bbee-02f9e1bf7b46 : Microsoft Azure CLI #.AuthorizationCodeCredential, would take $Script:TenantID, $Script:ClientID, $Script:ClientSecret + AuthCode; can't get AzurePowerShellCredential to work #.ChainedTokenCredential takes array of tokencredentials, ClientCertificateCredential takes $Script:TenantID, $Script:ClientID cert # ClientSecretCredential takes $Script:TenantID, $Script:ClientID, $Script:ClientSecret' EnvironmentCredential uses env variables "Default" {$tokenCache = [Azure.Identity.DefaultAzureCredential]::new($Interactive)} # returns scopes Application.ReadWrite.All email openid profile User.ReadWrite.All / client 872cd9fa-d31f-45e0-9eab-6e460a02d1f1 : : Visual Studio "DeviceCode" {$tokenCache = [Azure.Identity.DeviceCodeCredential]::new()} # returns Scopes AuditLog.Read.All Directory.AccessAsUser.All email Group.ReadWrite.All openid profile User.ReadWrite.All / client 04b07795-8ddb-461a-bbee-02f9e1bf7b46 : Microsoft Azure CLI "InteractiveBrowser" {$tokenCache = [Azure.Identity.InteractiveBrowserCredential]::new()} # AuditLog.Read.All Directory.AccessAsUser.All email Group.ReadWrite.All openid profile User.ReadWrite.All / client 04b07795-8ddb-461a-bbee-02f9e1bf7b46 : Microsoft Azure CLI #ManagedIdentityCredential takes clientID ;SharedTokenCacheCredential doesn't need anything (but is empty for me!) #.UsernamePasswordCredential string username, string password, string tenantId, string clientId } $tokenCache.GetToken($TokenRequestContext,[System.Threading.CancellationToken]::new($false)) } } function Connect-Graph { <# .Synopsis Starts a session with Microsoft Graph .Description This commands is a wrapper for Connect-MgGraph it extends the authentication methods available and caches information needed by other commands. #> [cmdletbinding(DefaultParameterSetName='UserParameterSet')] [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseDeclaredVarsMoreThanAssignments', '', Justification='False positive for global vars.')] [Alias('New-GraphSession','GraphSession')] param ( [Parameter(ParameterSetName = 'UserParameterSet', Position = 1 )] #An array of delegated permissions to consent to. [string[]]$Scopes = $Script:DefaultGraphScopes, #Specifies a bearer token for Microsoft Graph service. Access tokens do timeout and you'll have to handle their refresh. [Parameter(ParameterSetName = 'AccessTokenParameterSet', Position = 1, Mandatory = $true)] [string]$AccessToken, #Forces the command to get a new access token silently. [switch]$ForceRefresh , #Determines the scope of authentication context. This accepts `Process` for the current process, or `CurrentUser` for all sessions started by user. # [ContextScope]$ContextScope, #Suppress the welcome messages [Switch]$Quiet ) dynamicParam { <# If the Azure commands are present offer -FromAzureToken If ClientSecret, ClientID and TenantID have all been set, offer -Credential & -AsApp and if a refresh token was stored, -refresh In either of those cases offer -NoRefresh If client ID and TenantID have been set (with or without secret) offer the cert parameters. #> $paramDictionary = New-Object System.Management.Automation.RuntimeDefinedParameterDictionary $NoRefreshAttributeCollection = New-Object System.Collections.ObjectModel.Collection[System.Attribute] if ($Script:ClientSecret -and $Script:ClientID -and $Script:TenantID) { $AppParamAttribute = New-Object System.Management.Automation.ParameterAttribute -Property @{Mandatory=$true; ParameterSetName='AppSecretParameterSet';} #If Specified logs in as the app and gets the access granted to the app instead of logging on as a user. $paramDictionary.Add('AsApp',[RuntimeDefinedParameter]::new("AsApp", [SwitchParameter],$AppParamAttribute)) } if ($Script:ClientID -and $Script:TenantID) { $NoRefreshAttributeCollection.Add((New-Object System.Management.Automation.ParameterAttribute -Property @{ ParameterSetName='CredParameterSet'})) $CredParamAttribute = New-Object System.Management.Automation.ParameterAttribute -Property @{Mandatory=$true; ParameterSetName='CredParameterSet'} $RefreshParamAttribute = New-Object System.Management.Automation.ParameterAttribute -Property @{Mandatory=$true; ParameterSetName='RefreshParameterSet'} #A credential object to logon with an app registered in the tennant $paramDictionary.Add('Credential',[RuntimeDefinedParameter]::new("Credential", [pscredential], $CredParamAttribute)) if ($Script:RefreshToken) { $paramDictionary.Add('Refresh',[RuntimeDefinedParameter]::new("Refresh", [SwitchParameter], $RefreshParamAttribute)) } $CertNameAttributeSet = New-Object System.Collections.ObjectModel.Collection[System.Attribute] $CertNameAttributeSet.add((New-Object System.Management.Automation.Aliasattribute -ArgumentList 'CertificateSubject')) $CertNameAttributeSet.add((New-Object System.Management.Automation.ParameterAttribute -Property @{ParameterSetName='AppCertNameParameterSet'; Position=1})) $CertThumbParamAttribute = New-Object System.Management.Automation.ParameterAttribute -Property @{ParameterSetName='AppCertThunbParameterSet';Position=2} $CertParamAttribute = New-Object System.Management.Automation.ParameterAttribute -Property @{ParameterSetName='AppCertParameterSet'} #The name of your certificate. The Certificate will be retrieved from the current user's certificate store. $paramDictionary.Add('CertificateName', [RuntimeDefinedParameter]::new('CertificateName', [string], $CertNameAttributeSet)) #The thumbprint of your certificate. The Certificate will be retrieved from the current user's certificate store. $paramDictionary.Add('CertificateThumbprint',[RuntimeDefinedParameter]::new('CertificateThumbprint', [string], $CertThumbParamAttribute)) #An x509 Certificate supplied during invocation - see https://docs.microsoft.com/en-us/graph/powershell/app-only? for configuring the host side. $paramDictionary.Add('Certificate',[RuntimeDefinedParameter]::new('Certificate', [System.Security.Cryptography.X509Certificates.X509Certificate2], $CertParamAttribute)) } #the simpler Get-command Get-AzAccessToken -ErrorAction SilentlyContinue loads az.accounts. Only offer the parameter if the module is loaded. if ("Get-AzAccessToken" -in (Get-Module Az.accounts).ExportedCmdlets.Keys) { $NoRefreshAttributeCollection.Add((New-Object System.Management.Automation.ParameterAttribute -Property @{ ParameterSetName='AzureParameterSet'})) $FromAzParamAttribute = New-Object System.Management.Automation.ParameterAttribute -Property @{ParameterSetName='AzureParameterSet';Position=3} $DefProfParamAttribute = New-Object System.Management.Automation.ParameterAttribute -Property @{ParameterSetName='AzureParameterSet';Position=4} #The Az Module Context to use for the connection. You can get a list with Get-AzContext -ListAvailable. Note this parameter only accepts one context and if multiple are supplied it will only connect to the last one supplied $paramDictionary.Add('FromAzureSession',[RuntimeDefinedParameter]::new('FromAzureSession', [SwitchParameter], $FromAzParamAttribute)) $paramDictionary.Add('DefaultProfile', [RuntimeDefinedParameter]::new('DefaultProfile', [System.Object], $DefProfParamAttribute)) } if (Get-Command az) { $NoRefreshAttributeCollection.Add((New-Object System.Management.Automation.ParameterAttribute -Property @{ ParameterSetName='CLIParameterSet'})) $FromCLIParamAttribute = New-Object System.Management.Automation.ParameterAttribute -Property @{ParameterSetName='CLIParameterSet';Position=5} $paramDictionary.Add('FromAzCLI',[RuntimeDefinedParameter]::new('FromAzCLI', [SwitchParameter], $FromCLIParamAttribute)) } if ($NoRefreshAttributeCollection.Count -ge 1) { #Dont register the global refresh handler workaround. This is required if you want to use HttpPipelinePrepend $paramDictionary.Add('NoRefresh', [RuntimeDefinedParameter]::new("NoRefresh", [SwitchParameter],$NoRefreshAttributeCollection)) } return $paramDictionary } begin { #Justin Grote's code makes this script block to call this function with the right parameters. If the token has timed out #and makes it the default httpPipelinePrepend script block for SDK commands. We'll poke the parameters in later $RefreshScript = @' param ($req, $callback, $next) Write-Debug 'Checking if access token refresh required' #Check if global timer has expired and refresh if so if ([Microsoft.Graph.PowerShell.Authentication.GraphSession]::Instance.AuthContext.TokenExpires -is [datetime] -and [Microsoft.Graph.PowerShell.Authentication.GraphSession]::Instance.AuthContext.TokenExpires -lt [DateTime]::Now) {{ Write-Host -Fore DarkCyan "Token Expired! Refreshing before executing command." Connect-Graph -quiet {0} }} '@ } end { $result = $null $bp = @{} + $PSBoundParameters #I do not know why psb doesn't work normally with dynamic params but this works round it.... $paramsToPass = @{} #Sometimes when we want to convert an opaque drive ID (e.g. on a file or folder) to a name; save extra calls to the server by caching the id-->name if ((-not $bp.refresh) -or (-not $Global:DriveCache)) {$Global:DriveCache = @{} } #Justin used this variable, for checking expiry I have moved it on to an extra property of [graphSession].instance I'll remove this when I'm happy on compat. if ($Global:__MgAzTokenExpires) {$Global:__MgAzTokenExpires = $null} #credential , refresh, Azaupp, FromAzureSession are dynamic to hide them if we dont have what they need #If specified, get (or refresh) a token for a user name / password with a registerd appID in a known tennant, #or for an app-id / secret, or by calling Get-AzAccessToken in the Az.Accounts module (V2 and later) if ($bp.Credential -or $bp.Refresh -or $bp.AsApp -or $bp.FromAzureSession -or $bp.FromAzCLI ){ $tokenUri = "https://login.microsoft.com/$Script:TenantID/oauth2/token" if ($bp.Refresh) { Write-Verbose "CONNECT: Sending a 'Refresh_token' token request " $authresp = Get-AccessToken -GrantType refresh_token -BodyParts @{'refresh_token' = $Script:RefreshToken} } elseif ($bp.Credential) { Write-Verbose "CONNECT: Sending a 'Password' token request for $($bp.Credential.UserName) " $parts = @{ 'username' = $bp.Credential.UserName; 'password' = $bp.Credential.GetNetworkCredential().Password } if ($Script:ClientSecret) { $parts['client_secret'] = $Script:ClientSecret } $authresp = Get-AccessToken -GrantType password -BodyParts $parts } elseif ($bp.AsApp) { Write-Verbose "CONNECT: Sending a 'client_credentials' token request for the App." $authresp = Get-AccessToken -GrantType client_credentials -BodyParts @{'client_secret' = $Script:ClientSecret} } elseif ($bp.FromAzureSession) { Write-Verbose "CONNECT: getting an access token from an Azure PowerShell session." if ($bp.DefaultProfile) {$Global:__MgAzContext = $DefaultProfile } $authresp = Get-AzAccessToken -ResourceUrl 'https://graph.microsoft.com' -DefaultProfile $Global:__MgAzContext } elseif ($bp.FromAzCLI) { Write-Verbose "CONNECT: getting an access token from the Azure CLI." $authresp = az account get-access-token --resource-type ms-graph --output json | ConvertFrom-Json } #Did we get our token? If so, store it and whatever we need to refreshing if (-not ($authresp.access_token -or $authresp.accesstoken -or $authResp.Token)) { throw [System.UnauthorizedAccessException]::new("No Token was returned") } Write-Verbose ("CONNECT: Token Response= " + ($authresp | Get-Member -MemberType NoteProperty).name -join ", ") if ($authresp.access_token) { $null = $paramsToPass.Add("AccessToken", $authresp.access_token) } elseif ($authresp.accesstoken) { $null = $paramsToPass.Add("AccessToken", $authresp.accesstoken) } elseif ($authresp.Token) { $null = $paramsToPass.Add("AccessToken", $authresp.Token) } if ($authresp.scope) {Write-Verbose "CONNECT: Scope= $($authresp.scope)" } if ($authresp.refresh_token) {$Script:RefreshToken = $authresp.refresh_token} if ($authresp.expires_in) {$Global:__MgAzTokenExpires = (Get-Date).AddSeconds([int]$authresp.expires_in -60 )} elseif ($authresp.expires_on -or $authresp.expireson ) { if ($authresp.expires_on) {$e = $authresp.expires_on} else {$e = $authresp.ExpiresOn} if ($e -is [string] -and $e -match "^\w{10}$") {$Global:__MgAzTokenExpires = [datetime]::UnixEpoch.AddSeconds($e)} elseif ($e -is [string] ) {$Global:__MgAzTokenExpires = [datetime]::$e } elseif ($e -is [datetimeoffset]) {$Global:__MgAzTokenExpires = $e.LocalDateTime } } if ($bp.NoRefresh) { $Script:RefreshParams = $null } elseif ($bp.FromAzureSession) { $Script:RefreshParams = @{'Quiet' = $true; 'FromAzureSession' = $True} $RefreshScriptBlock = [scriptblock]::Create(($RefreshScript -f ' -FromAzureSession ')) } elseif ($bp.FromAzCLI) { $Script:RefreshParams = @{'Quiet' = $true; 'FromAzCLI' = $true} $RefreshScriptBlock = [scriptblock]::Create(($RefreshScript -f ' FromAzCLI ')) } elseif ($bp.AsApp) { $Script:RefreshParams = @{'Quiet' = $true; 'AsApp' = $true} $RefreshScriptBlock = [scriptblock]::Create(($RefreshScript -f ' -Refresh ')) } elseif ($Script:RefreshToken) { $Script:RefreshParams = @{'Quiet' = $true; 'Refresh' = $true} $RefreshScriptBlock = [scriptblock]::Create(($RefreshScript -f ' -Refresh ')) } } #region gather params and call Connect-MGGraph with a token (passed or just fetched), or with a cert, or opening the device dialog #common parameters need to processed differently $paramsinTarget = (Get-Command Connect-MgGraph).Parameters.Keys | Where-Object {$_ -notin [System.Management.Automation.Cmdlet]::CommonParameters} $paramsFromCurrentSet = $pscmdlet.MyInvocation.MyCommand.Parameters.values.where({ ($_.ParameterSets.containskey($pscmdlet.ParameterSetName) -or $_.ParameterSets.containskey('__AllParameterSets') ) -and $_.Name -in $paramsinTarget -and (Get-Variable $_.Name -ValueOnly -ErrorAction SilentlyContinue)}) foreach ($p in $paramsFromCurrentSet.Name ) { $paramsToPass[$p] = Get-Variable $P -ValueOnly ; Write-Verbose ("{0,20} = {1}" -f $p.ToUpper(), $paramsToPass[$p]) } foreach ($p in [System.Management.Automation.Cmdlet]::CommonParameters.Where({$bp.ContainsKey($_)})) { $paramsToPass[$p] = $bp[$p] ; Write-Verbose ("{0,20} = {1}" -f $p.ToUpper(), $paramsToPass[$p]) } if ($Script:TenantID -and -not $paramsToPass.AccessToken) { $paramsToPass['TenantID'] = $Script:TenantID } if ($pscmdlet.ParameterSetName -match '^AppCert') { $paramsToPass['ClientId'] = $Script:ClientID } $result = Connect-MgGraph @paramsToPass #endregion #region connection succeeds, cache information about the user and session, and if necessary setup a trigger to auto-refresh tokens we fetched above if ($result -match "Welcome To Microsoft Graph") { $authcontext = [GraphSession]::Instance.AuthContext #we could call Get-Mgorganization but this way we don't depend on anything outside authentication module $Organization = Invoke-GraphRequest -Method GET -Uri "$GraphURI/organization/" -ValueOnly if ($Organization.id) { Write-Verbose -Message "CONNECT: Account is from $($Organization.DisplayName)" Add-Member -force -InputObject $authcontext -NotePropertyName TenantName -NotePropertyValue $Organization.DisplayName Add-Member -force -InputObject $authcontext -NotePropertyName WorkOrSchool -NotePropertyValue $true } else { Write-Verbose -Message "CONNECT: Account is from Windows live" Add-Member -force -InputObject $authcontext -NotePropertyName TenantName -NotePropertyVa.lue $Organization.DisplayName Add-Member -force -InputObject $authcontext -NotePropertyName WorkOrSchool -NotePropertyValue $true } if ($authcontext.Account) { $result = 'Welcome To Microsoft Graph++, {0}.' -f $authcontext.Account $user = Invoke-MgGraphRequest -Method GET -Uri "$GraphURI/me/" if ($Global:GraphUser -and $Global:GraphUser -ne $user.userPrincipalName) { Set-GraphOneNoteHome $null Set-GraphHomeDrive $null } $Global:GraphUser = $user.userPrincipalName Add-Member -Force -InputObject $authcontext -NotePropertyName UserDisplayName -NotePropertyValue $user.displayName Add-Member -Force -InputObject $authcontext -NotePropertyName UserID -NotePropertyValue $user.ID } else {$result = "Welcome To Microsoft Graph, connected to tenant '{1}' as the app '{0}'." -f $authcontext.AppName, $authcontext.TenantName } Add-Member -Force -InputObject $authcontext -NotePropertyName RefreshTokenPresent -NotePropertyValue ($Script:RefreshToken -as [bool]) Add-Member -Force -InputObject $authcontext -NotePropertyName TokenAutoRefresh -NotePropertyValue ($RefreshScriptBlock -as [bool]) if ($Global:__MgAzTokenExpires) { Add-Member -Force -InputObject $authcontext -NotePropertyName TokenExpires -NotePropertyValue ($Global:__MgAzTokenExpires) } elseif ($authcontext.TokenExpires) {$authcontext.TokenExpires = $null} if ($RefreshScriptBlock -and -not $Global:PSDefaultParameterValues['*-Mg*:HttpPipelinePrepend']) { if (-not $Quiet){ Write-Host -Fore DarkCyan "The HttpPipelinePrepend parameter now has a default that checks for refresh tokens. Any command which uses this parameter will lose the auto-refresh" } $Global:PSDefaultParameterValues['*-Mg*:HttpPipelinePrepend'] = $RefreshScriptBlock } if ($NoRefresh -and -not $Quiet) { Write-Host -Fore Cyan "-NoRefresh was specified. You will need to run this command again after $($tokeninfo.ExpiresOn.LocalDateTime.ToString())" } } #endregion if (-not $Quiet) {return $result} } } function Show-GraphSession { <# .Synopsis Returns information about the current sesssion #> [CmdletBinding(DefaultParameterSetName='None')] [OutputType([String])] [alias('GWhoAmI')] param ( #If specified returns only the current account [Parameter(ParameterSetName='Who')] [switch]$Who, #If specified returns only the scopes available to the current session [Parameter(ParameterSetName='Scopes')] [switch]$Scopes, #If specified returns the options set using Set-GraphOption [Parameter(ParameterSetName='Options')] [switch]$Options, #If specified returns the current app name. [Parameter(ParameterSetName='AppName')] [switch]$AppName, #If specified runs Test-GraphSession to ensure a session exists. [switch]$Force ) dynamicparam { $paramDictionary = New-Object System.Management.Automation.RuntimeDefinedParameterDictionary if ($PSVersionTable.PSVersion.Major -ge 7 -and $PSVersionTable.Platform -like 'win*') { $cachedTokenParamAttibute = New-Object System.Management.Automation.ParameterAttribute -Property @{ParameterSetName='CachedToken'} $paramDictionary.Add('CachedToken', [RuntimeDefinedParameter]::new("CachedToken", [SwitchParameter],$cachedTokenParamAttibute)) } if ($Script:RefreshToken) { $refreshTokenParamAttibute = New-Object System.Management.Automation.ParameterAttribute -Property @{ParameterSetName='RefreshToken'} $paramDictionary.Add('RefreshToken',[RuntimeDefinedParameter]::new("RefreshToken", [SwitchParameter],$refreshTokenParamAttibute)) } return $paramDictionary } end { if ($Force) {Test-GraphSession -Quiet} if (-not [GraphSession]::Instance.AuthContext) {Write-Host "Ready for Connect-Graph."; return} if ($Scopes) {[GraphSession]::Instance.AuthContext.Scopes} elseif ($Who) {[GraphSession]::Instance.AuthContext.Account} elseif ($AppName) {[GraphSession]::Instance.AuthContext.AppName} elseif ($Options) {[pscustomobject][Ordered]@{ 'TenantID' = $Script:TenantID 'ClientID' = $Script:ClientID 'ClientSecretSet' = $Script:ClientSecret -as [bool] 'DefaultScopes' = $Script:DefaultGraphScopes -join ', ' 'DefaultUserProperties' = $Script:DefaultUserProperties -join ', ' 'DefaultUsageLocation' = $Script:DefaultUsageLocation }} elseif ( $PSBoundParameters['RefreshToken']) {return $Script:RefreshToken} elseif (-not $PSBoundParameters['CachedToken']) { if ($Script:SkippedSubmodules) { Write-Host -ForegroundColor DarkGray ("Skipped " + ($Script:SkippedSubmodules -join ", ") + " because their Microsoft.Graph module(s) or private.dll file(s) were not found.") } if ($Global:PSDefaultParameterValues['Get-GraphDrive:Drive']) { Write-Host "Home OneDrive is set" } if ($Global:PSDefaultParameterValues['*GraphOneNoteBook*:Notebook'] -and $Global:PSDefaultParameterValues['Get-GraphOneNotePage:Section']) { Write-Host "Home Notebook and section are set" } elseif ($Global:PSDefaultParameterValues['*GraphOneNoteBook*:Notebook']) { Write-Host "Home Notebook is set" } if ($Global:PSDefaultParameterValues['Add-Graph*Tab:Team']) { Write-Host "Default Group is set and team-enabled, default calendar is a team calendar." } elseif ($Global:PSDefaultParameterValues['*-GraphEvent:Group']) { Write-Host "Default Group is set and but not team-enabled, default calendar is a team calendar." } else {Write-Host "Default Group is not set, default calendar is for the signed-in user."} Get-MgContext } else { $id = [GraphSession]::Instance.AuthContext.ClientId $path = Join-Path -ChildPath ".graph\$($id)cache.bin3" -Path ([System.Environment]::GetFolderPath([System.Environment+SpecialFolder]::UserProfile)) if (-not(Test-Path $path)) { Write-Warning "Could not find a cache file for app id $id in the .graph folder." return } #read and decrypted the ached file, it comes up as not very nice JSON so unpick that. $tokenBytes = [System.Security.Cryptography.ProtectedData]::Unprotect( (Get-Content $path -AsByteStream) , $null, 0) $tokendata = ConvertFrom-Json ([string]::new($tokenBytes) -replace '(Token|Account|AppMetaData)":{".*?":{' ,'$1":{"X":{' -replace '"secret":".*?",','') $tokendata.account.x | Select-Object Name, Username, Local_account_id, Realm, Authority_type, @{n='environment'; e={$tokendata.AccessToken.x.environment}}, @{n='client_id'; e={$tokendata.AccessToken.x.client_id}}, @{n='credential_type';e={$tokendata.AccessToken.x.credential_type}}, @{n='target'; e={$tokendata.AccessToken.x.target}}, @{n='cached_at'; e={[datetime]::UnixEpoch.AddSeconds($tokendata.AccessToken.x.cached_at)}}, @{n='expires_on'; e={[datetime]::UnixEpoch.AddSeconds($tokendata.AccessToken.x.expires_on)}} } } } function ContextHas { <# .Syopsis Checks if the the current context is a work/school account and/or has access with the right scopes #> [cmdletbinding()] param ( #list of scopes. will return true if at least one IS present. [string[]]$Scopes, #if specifies returns ture for a work-or-school account and false for "Live" accounts [switch]$WorkOrSchoolAccount, #if specified returns ture if connected with a user account and false if connected as an application [switch]$AsUser, #if specified returns ture if connected as an application and false if connected with a user account [switch]$AsApp, #If specified break instead of turning false [switch]$BreakIfNot, #If specified reverses the output. [switch]$Not ) if (-not [GraphSession]::Instance.AuthContext) { Connect-Graph | Out-Host} if (-not $Scopes) { $state = $true } else { $state = $false foreach ($s in $Scopes) { $state = $state -or ([GraphSession]::Instance.AuthContext.Scopes -contains $s) } } if ($WorkOrSchoolAccount) { $state = $state -and [GraphSession]::Instance.AuthContext.WorkOrSchool } if ($AsUser) { $state = $state -and [GraphSession]::Instance.AuthContext.Account } if ($AsApp) { $state = $state -and -not [GraphSession]::Instance.AuthContext.Account } if ($BreakIfNot ) { if ($Scopes -and -not $state) {Write-Warning ("This requires the {0} scope(s)." -f ($Scopes -join ', ')) ; break} if ($WorkOrSchoolAccount -and -not $state) {Write-Warning "This requires a work or school account." ; break} if ($AsUser -and -not $state) {Write-Warning "This requires a user-logon, not an app-logon." ; break} if ($AsApp -and -not $state) {Write-Warning "This requires an app-logon, not a user-logon." ; break} } #otherwise return true or false else {return ( $state -xor $not )} } |