Functions/Get-GraphSecurityAuthToken.ps1

<#
.Synopsis
   Gets an authentication token to be used by other Microsoft Graph Security module cmdlets.
.DESCRIPTION
   Get-GraphSecurityAuthToken gets an authentication token to be used by other Microsoft Graph Security module cmdlets.
 
   When using Get-GraphSecurityAuthToken you will be prompted to provide your Azure AD username (UPN), password and AppId.
 
   Get-GraphSecurityAuthToken takes the token and stores it in a special global session variable called $GraphSecurityAuthToken.
 
   All Microsoft Graph Security Module cmdlets reference that special global variable to pass requests to your tenant.
 
.EXAMPLE
   Get-GraphSecurityAuthToken
 
    This prompts the user for their username and password, then for the AppId.
 
    Username = username (Example: Nicholas@contoso.com)
    Password = Password (Example: Sup3rS3cureP@ssw0rd!)
    Username = AppId
    Password = AppId (Example: 64407e7c-8522-417f-a003-f69ad0b1a89b)
 
    C:\>$GraphSecurityAuthToken
 
    To verify your auth token is set in the current session, run the above command.
 
    UserName Password
    -------- --------
    nicholas@contoso.com System.Security.SecureString
 
.FUNCTIONALITY
   Get-GraphSecurityAuthToken is intended to get an authentication token into a global session variable to allow other cmdlets to authenticate when passing requests.
#>


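function Get-GraphSecurityAuthToken {

    # Acquires an access token for https://graph.microsoft.com through ADAL (interactive sign-in,
    # PromptBehavior "Auto") and publishes it as a ready-to-use request header hashtable in
    # $global:GraphSecurityAuthHeader. Produces no pipeline output.
    #
    # Every failure is raised as a terminating error. The earlier implementation used a bare `break`
    # on its error paths; outside a loop, `break` silently stops the *caller's* script/pipeline
    # rather than this function, which hid authentication failures from calling code.

    [CmdletBinding()]

    Param
    (

        # Optional credential. Kept for interface compatibility only: this function does not read it.
        # The username and AppId are obtained from Select-GraphSecurityUsername / Select-GraphSecurityAppId.
        [Parameter(Mandatory = $false)]
        [ValidateNotNullOrEmpty()]
        [System.Management.Automation.PSCredential]$GraphSecurityCredential

    )

    # Both helpers are defined elsewhere in the module; re-throwing the caught record preserves
    # their original error details for the caller.
    Try { $Username = Select-GraphSecurityUsername }
    Catch { Throw $_ }

    Try { $AppId = Select-GraphSecurityAppId }
    Catch { Throw $_ }

    # MailAddress throws a FormatException on a malformed UPN, so bad input fails before any
    # assembly loading or network call.
    $user = New-Object "System.Net.Mail.MailAddress" -ArgumentList $Username

    # NOTE(review): the domain part of the UPN is used as the tenant in the authority URL. For a
    # guest or alternate-domain UPN this may not be the tenant the app is registered in — confirm.
    $tenant = $user.Host

    Write-Verbose "Checking for AzureAD module..."

    $AadModule = Get-Module -Name "AzureAD" -ListAvailable

    if ($null -eq $AadModule) {

        Write-Verbose "AzureAD PowerShell module not found, looking for AzureADPreview"

        $AadModule = Get-Module -Name "AzureADPreview" -ListAvailable

    }

    if ($null -eq $AadModule) {

        Install-GraphSecurityAADModule

        $AadModule = Get-Module -Name "AzureAD" -ListAvailable

    }

    # Without a module there is no ADAL assembly to load. Fail here with a clear message instead of
    # letting Join-Path fail on a null ModuleBase further down.
    if ($null -eq $AadModule) {

        Throw "Neither the AzureAD nor the AzureADPreview module could be found or installed; cannot load the ADAL assemblies."

    }

    # When several module versions are installed, use the newest one. Sorting on the Version
    # property (rather than on the whole Select-Object output, which can be ordered as text and
    # rank 2.0.9 above 2.0.10) and taking the first entry also collapses duplicate installs of the
    # same version, so no second de-duplication pass is needed.
    $AadModule = $AadModule | Sort-Object -Property Version -Descending | Select-Object -First 1

    # Paths to the ADAL assemblies shipped with the module
    $adal = Join-Path $AadModule.ModuleBase "Microsoft.IdentityModel.Clients.ActiveDirectory.dll"

    $adalforms = Join-Path $AadModule.ModuleBase "Microsoft.IdentityModel.Clients.ActiveDirectory.Platform.dll"

    [System.Reflection.Assembly]::LoadFrom($adal) | Out-Null

    [System.Reflection.Assembly]::LoadFrom($adalforms) | Out-Null

    # Out-of-band redirect URI used by public-client (native) app registrations with ADAL.
    $redirectUri = "urn:ietf:wg:oauth:2.0:oob"

    $resourceAppIdURI = "https://graph.microsoft.com"

    $authority = "https://login.microsoftonline.com/$tenant"

    try {

        $authContext = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext" -ArgumentList $authority

        # https://msdn.microsoft.com/en-us/library/azure/microsoft.identitymodel.clients.activedirectory.promptbehavior.aspx
        # Change the prompt behaviour to force credentials each time: Auto, Always, Never, RefreshSession

        $platformParameters = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.PlatformParameters" -ArgumentList "Auto"

        $userId = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.UserIdentifier" -ArgumentList ($Username, "OptionalDisplayableId")

        # GetAwaiter().GetResult() blocks exactly like .Result but surfaces the real ADAL exception
        # instead of an AggregateException whose Message is only "One or more errors occurred".
        $authResult = $authContext.AcquireTokenAsync($resourceAppIdURI, $AppId, $redirectUri, $platformParameters, $userId).GetAwaiter().GetResult()

        if (-not $authResult.AccessToken) {

            Throw "Authorization Access Token is null, please re-run authentication..."

        }

        # Creating header for Authorization token.
        # The bearer token is held in clear text in a global variable for the rest of the session,
        # so any code running in this session can read and replay it until it expires.
        # 'ExpiresOn' is not an HTTP header; it is kept because other module cmdlets may read it
        # from this hashtable (unverified here), but note it will be sent to Graph as a request
        # header if the hashtable is passed to -Headers unchanged.
        $global:GraphSecurityAuthHeader = @{
            'Content-Type'  = 'application/json'
            'Authorization' = "Bearer " + $authResult.AccessToken
            'ExpiresOn'     = $authResult.ExpiresOn
            'Prefer'        = 'return=representation'
        }

    }

    catch {

        # Record the detail at verbose level, then propagate the same error record to the caller.
        Write-Verbose $_.Exception.Message

        Throw

    }

}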