Authentication broker
Jiri Formacek edited this page Dec 30, 2024
Windows Authentication Broker (WAM) is currently available on the Windows platform only and supports additional features, such as:
- transparent user authentication on AAD-joined machines
- issuance of Proof-of-Possession (PoP) tokens
This option provides transparent SSO with the currently logged-in user account.
Note: This option works only on the Windows platform and on AAD-joined machines.
```powershell
New-AadAuthenticationFactory -TenantId 'mytenant.com' -AuthMode WAM
# Azure Resource Manager scope is served from management.azure.com
Get-AadToken -Scopes 'https://management.azure.com/.default' | Test-AadToken -PayloadOnly
```
Starting with version 3.2.0, the module supports retrieval of PoP tokens in addition to Bearer tokens. For PoP token details, see RFC 7800.
PoP token support is limited to public clients using the WAM flow. Also, the resource server must support PoP for a PoP token to be issued.
For details, see MSAL PoP support details.
The sample below shows how to authenticate to the MS Graph API with a PoP token:
```powershell
New-AadAuthenticationFactory -DefaultScopes 'https://graph.microsoft.com/.default' -TenantId 'mytenant.com' -AuthMode WAM
$uri = 'https://graph.microsoft.com/v1.0/me/directReports'
# ask for a PoP token by specifying PoPRequestUri - a PoP token is always bound to a URI and an HTTP method
# specifying PopRequestUri and optionally PopHttpMethod (defaults to Get when not specified)
# indicates interest in getting a PoP token
# behind the scenes the URI is reached to retrieve a nonce from the resource server - the nonce is needed to create a PoP token
$h = Get-AadToken -Verbose -PoPRequestUri $uri -PopHttpMethod Get -AsHashTable
Invoke-RestMethod -Uri $uri -Method Get -Headers $h | Select-Object -ExpandProperty value
```
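Because a PoP token is only useful when it is bound to the exact request you are about to send, the following added example (not part of the module or this page) inspects the header hashtable returned by `Get-AadToken -AsHashTable` before use and checks the binding. It assumes the hashtable carries an `Authorization` entry of the form `PoP <jwt>` and that the outer JWT uses the MSAL signed-HTTP-request layout (claims `m`, `u`, `p`, `at`, `cnf`, `ts`); both are assumptions, not documented by this page.

```powershell
# Added example, not the module's own code. Assumes $Headers['Authorization'] is
# 'PoP <jwt>' and the JWT follows the MSAL SHR layout (m, u, p, at, cnf, ts).
function ConvertFrom-Base64Url {
    param([Parameter(Mandatory)][string]$Value)
    $s = $Value.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) { 2 { $s += '==' } 3 { $s += '=' } }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($s))
}

function Test-PopHeaderBinding {
    param(
        [Parameter(Mandatory)][hashtable]$Headers,
        [Parameter(Mandatory)][uri]$Uri,
        [string]$Method = 'GET'
    )
    $auth = $Headers['Authorization']
    if (-not $auth -or -not $auth.StartsWith('PoP ')) {
        return [pscustomobject]@{ IsPop = $false; Reason = 'Bearer token or no Authorization header' }
    }
    $parts = $auth.Substring(4).Split('.')
    if ($parts.Count -ne 3) { throw 'Authorization value is not a compact JWS' }
    $shr = ConvertFrom-Base64Url $parts[1] | ConvertFrom-Json
    $problems = @()
    # the signed envelope must name the same method, host and path as the request
    if ($shr.m -ne $Method.ToUpperInvariant()) { $problems += "method $($shr.m) != $Method" }
    if ($shr.u -ne $Uri.Host) { $problems += "host $($shr.u) != $($Uri.Host)" }
    if ($shr.p -ne $Uri.AbsolutePath) { $problems += "path $($shr.p) != $($Uri.AbsolutePath)" }
    if (-not $shr.cnf.jwk) { $problems += 'no cnf.jwk: not a proof-of-possession envelope' }
    # the inner access token must itself carry a cnf claim; otherwise the server
    # issued a plain bearer token and the outer signature binds nothing
    $inner = ConvertFrom-Base64Url ($shr.at.Split('.')[1]) | ConvertFrom-Json
    if (-not $inner.cnf) { $problems += 'inner access token has no cnf claim (bearer token)' }
    # SHR envelopes are short lived; flag a stale timestamp (5 minute threshold is assumed)
    $age = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds() - [int64]$shr.ts
    if ($age -gt 300) { $problems += "envelope is $age s old" }
    [pscustomobject]@{ IsPop = $true; Bound = ($problems.Count -eq 0); Problems = $problems }
}

# usage with the $uri and $h from the sample above
# Test-PopHeaderBinding -Headers $h -Uri $uri -Method Get
```

A result with `Bound = $false` means the header should not be sent as-is; request a fresh token for the intended URI and method instead.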