I recently had the need to authenticate as an Azure AD (AAD) application to the oAuth endpoint to return an oAuth token. As this procedure was to be performed by an Azure Automation Runbook, I needed a solution that was entirely PowerShell based.
In my case we needed to use this token to perform tasks under the context of the AAD application such as accessing an Azure API Management API, as well as sending requests to the Azure GraphAPI.
After having no luck finding anything online, I decided to post my solution here.
function Get-oAuthToken {
<#
.SYNOPSIS
Function to connect to the Microsoft login OAuth endpoint and return an OAuth token.
.DESCRIPTION
This Function connects to the Microsoft AAD OAuth endpoint and generates an OAuth token.
This token can then be used for authentication against the resource supplied In the parameters.
.PARAMETER ClientID
The ClientID of the application used for authentication against Azure AD.
.PARAMETER ClientSecret
The Key generated within the application used for authentication against Azure AD.
This key should have rights to the resource supplied in the ResourceName parameter.
.PARAMETER TenantId
The TenantId of the Azure AD that you wish to authenticate against.
.PARAMETER ResourceName
The name of the resource that you want to generate a token for.
.EXAMPLE
C:\PS> Get-ApiToken -ClientID '12345678-9012-3456-7890-123456789012' -ClientSecret 'AfXooIr8rswX24yrFXMrO4SbBgutwTtojAZEpQOaaaa=' -TenantId 'abcdefff-d0bc-1234-854a-114710c94dbb' -Resource 'https://test.onmicrosoft.com/apitest'
Returns the authentication context object generated by the endpoint.
.NOTES
Version 1.0
#>
[Cmdletbinding()]
Param(
[Parameter(Mandatory=$true)][string]$ClientID,
[Parameter(Mandatory=$true)][string]$ClientSecret,
[Parameter(Mandatory=$true)][string]$TenantId,
[Parameter(Mandatory=$false)][string]$ResourceName = "https://graph.windows.net",
[Parameter(Mandatory=$false)][switch]$ChinaAuth
)
#This script will require the Web Application and permissions configured in Azure Active Directory.
if($ChinaAuth){
$LoginURL = 'https://login.chinacloudapi.cn'
}else{
$LoginURL = 'https://login.windows.net'
}
#Get an Oauth 2 access token based on client id, secret and tenant id
$Body = @{grant_type="client_credentials";resource=$ResourceName;client_id=$ClientID;client_secret=$ClientSecret}
Return Invoke-RestMethod -Method Post -Uri $LoginURL/$TenantId/oauth2/token?api-version=1.0 -Body $Body
}
The code is fairly straightforward, however I will expand on a few points:
- In my case I needed the ability to generate tokens against multiple Azure regions, including the Azure China region. To ensure the China authentication requests hit the correct endpoint, I have added a switch -ChinaAuth. If this is specified it will attempt to authenticate to https://login.chinacloudapi.cn.
- The function will return an object containing:
- token_type
- expires_in
- ext_expires_in
- expires_on
- not_before
- resource
- access_token