PowerGraph365

0.0.3

Functions/Shared/Connect-MSGraph.ps1

                                Function Connect-MSGraph

{

    [CmdletBinding()]

    param

    (

        [Parameter(Mandatory = $true, ParameterSetName="Daemon")]

        [Parameter(Mandatory = $true, ParameterSetName="UserPassword")]

        [ValidateNotNullOrEmpty()]

        [string]$AzureADDomain,

        [Parameter(Mandatory = $true, ParameterSetName="Daemon")]

        [Parameter(Mandatory = $true, ParameterSetName="UserPassword")]

        [Alias("ClientId")]

        [ValidateNotNullOrEmpty( )]

        [string]$AppId,

        [Parameter(Mandatory = $true, ParameterSetName="Daemon")]

        [Parameter(Mandatory = $true, ParameterSetName="UserPassword")]

        [Alias("ClientSecret")]

        [ValidateNotNullOrEmpty()]

        [String]$AppSecret,

        [Parameter(Mandatory = $true, ParameterSetName="Daemon")]

        [Parameter(Mandatory = $true, ParameterSetName="UserPassword")]

        [ValidateNotNullOrEmpty()]

        [string]$RedirectUrl,

        [Parameter(Mandatory = $false, ParameterSetName="Daemon")]

        [Parameter(Mandatory = $false, ParameterSetName="UserPassword")]

        [ValidateNotNullOrEmpty()]

        [string]$BaseUrl = "https://graph.microsoft.com/v1.0/",

        [Parameter(Mandatory = $true, ParameterSetName="UserPassword", Position = 0)]

        [ValidateNotNullOrEmpty()]

        [string]$UserName,

        [Parameter(Mandatory = $true, ParameterSetName="UserPassword", Position = 1)]

        [ValidateNotNullOrEmpty()]

        [string]$Password

    )

    $global:PowerGraph_BaseUrl = $BaseUrl

    $authority = "https://login.microsoftonline.com/$AzureADDomain"

    Write-Verbose "Authority set to $authority"

#consent: https://login.microsoftonline.com/Enter_the_Tenant_Id_Here/adminconsent?client_id=Enter_the_Application_Id_Here

    # try {

        switch ($PsCmdlet.ParameterSetName)

        {

            "Daemon" {

                #https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols-oauth-client-creds

                $defaultScope = "https://graph.microsoft.com/.default"

                $path = "$PSScriptRoot\..\..\Libraries\Microsoft.Identity.Client\4.3.0\Microsoft.Identity.Client.dll"

                Write-Verbose "Loading Microsoft.Identity.Client library from $path"

                [System.Reflection.Assembly]::LoadFrom($path) | Out-Null

                # legacy library

                # $clientCredential = New-Object Microsoft.Identity.Client.ClientCredential -ArgumentList $appSecret

                # $clientApplication  = New-Object Microsoft.Identity.Client.ConfidentialClientApplication -ArgumentList $AppId, $authority, $RedirectUrl, $clientCredential, $null, $null

                $clientApplication  = [Microsoft.Identity.Client.ConfidentialClientApplicationBuilder]::Create($AppId).WithClientSecret($AppSecret).WithAuthority([Uri]::new($authority)).Build()

                $scopesList = New-Object Collections.Generic.List[string]

                $scopesList.Add("https://graph.microsoft.com/.default")

                Write-Verbose "Aquiring Token - Client Credentials Grant Flow"

                $authenticationResult = $clientApplication.AcquireTokenForClient($scopesList).ExecuteAsync().Result

                $token = @{

                    "TokenType" = "Client Credentials"

                    "AccessToken" = $authenticationResult.AccessToken

                    "ExpiresOn" = $authenticationResult.ExpiresOn

                    "RefreshToken" = $null

                }

            }

            "UserPassword" {

                $resource = "https://graph.microsoft.com"

                $tokenEndpointUri = "$authority/v2.0/authorize" # "$authority/oauth2/v2.0/token" # # "$authority/oauth2/token"

                $tokenEndpointUri = "https://login.microsoftonline.com/$AzureADDomain/oauth2/token"

                $body = "grant_type=password&username=$UserName&password=$Password&client_id=$AppId&client_secret=$appSecret&resource=$resource";

                Write-Verbose "Aquiring Token - Password Grant"

                $response = Invoke-WebRequest -Uri $tokenEndpointUri -Body $body -Method Post -UseBasicParsing

                $responseBody = $response.Content | ConvertFrom-JSON

                $token = @{

                    "TokenType" = "Password"

                    "AccessToken" = $responseBody.access_token

                    "ExpiresOn" = $responseBody.expires_on #TODO: Convert this nicely

                    "RefreshToken" = $null

                }

                Write-Verbose "Scopes received: $($responseBody.scope)"

            }

        }

        Write-Verbose "Token retrieved, expires on $($token.ExpiresOn)"

        $global:PowerGraph_AccessToken = $token

    # }

    # catch {

    #     $responseStream = $_.Exception.Response.GetResponseStream()

    #     $streamReader = New-Object System.IO.StreamReader $responseStream

    #     $responseBody = $streamReader.ReadToEnd()

    #     if ($_.Exception.Response.StatusCode -eq "Bad Request") # 400

    #         { $hint = " [Hint: The request you are making might not be possible using the authentication model you've selected. Review the api reference for the command you're trying to execute at https://developer.microsoft.com/en-us/graph/docs/api-reference and verify that the permission does not say 'Not supported.'. If it does, you might need to call Connect-MSGraph with a username and password first instead.] " }

    #     if ($_.Exception.Response.StatusCode -eq "Forbidden") # 403

    #         { $hint = " [Hint: You might need to get an updated Admin consent if you've recently changed the application's permissions. ] " }

    #     Write-Error ($_.Exception.Message + $hint + " " + $responseBody)

    # }

}