
Confidential client auth

Jiri Formacek edited this page Dec 30, 2024 · 1 revision

The module supports confidential client authentication with a client secret, an X.509 certificate, or federated credentials.

Certificate authentication

This sample creates an authentication factory that issues tokens for different resources on behalf of an application that authenticates with an X.509 certificate.

# Load the certificate used for authentication; its private key must be present in the store
$thumbprint = 'e827f78a78cf532eb539479d6afe9c7f703173d5'
$appId = '1b69b00f-08f0-4798-9976-af325f7f7526'
$cert = Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.Thumbprint -eq $thumbprint }

# Create a factory that issues tokens for Graph API and Azure Key Vault.
# A single factory can issue tokens for multiple resources/scopes;
# -DefaultScopes is used whenever Get-AadToken is called without -Scopes
$factory = New-AadAuthenticationFactory -TenantId mydomain.com -ClientId $appId -X509Certificate $cert -DefaultScopes 'https://graph.microsoft.com/.default'

# Get tokens: one for the default scope (Graph) and one for an explicitly requested scope (Key Vault)
$graphToken = Get-AadToken -Factory $factory
$vaultToken = $factory | Get-AadToken -Scopes 'https://vault.azure.net/.default'

# Examine (decode) the issued tokens
Test-AadToken -Token $graphToken.AccessToken
Test-AadToken -Token $vaultToken.AccessToken
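The sample above selects the certificate by thumbprint and silently ends up with `$cert` being `$null` if the thumbprint does not match, or fails later at token time if only the public half is in the store. The following added example (not part of the wiki or the module) wraps the factory creation in a helper that checks those conditions first; `New-CertificateAuthFactory` is a hypothetical name, the identifiers are the page's sample values, and it assumes the module is imported and that the hashtable returned by `-AsHashTable` can be passed straight to `Invoke-RestMethod -Headers`.

```powershell
# Added example: resolve the auth certificate defensively before building the factory.
# Assumes the AadAuthenticationFactory module is imported; New-CertificateAuthFactory is hypothetical.
function New-CertificateAuthFactory {
    param(
        [Parameter(Mandatory)][string]$TenantId,
        [Parameter(Mandatory)][string]$ClientId,
        [Parameter(Mandatory)][string]$Thumbprint,
        [string[]]$DefaultScopes = @('https://graph.microsoft.com/.default')
    )
    # Thumbprints copied from the portal often carry spaces or invisible characters; normalise first
    $Thumbprint = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()

    $certs = @(Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.Thumbprint -eq $Thumbprint })
    if ($certs.Count -ne 1) {
        throw "Expected exactly one certificate with thumbprint $Thumbprint in CurrentUser\My, found $($certs.Count)"
    }
    $cert = $certs[0]

    # A public-only certificate cannot sign the client assertion; fail early rather than at token time
    if (-not $cert.HasPrivateKey) {
        throw "Certificate $Thumbprint has no private key"
    }
    $now = Get-Date
    if ($cert.NotAfter -lt $now) {
        throw "Certificate $Thumbprint expired on $($cert.NotAfter)"
    }
    if ($cert.NotAfter -lt $now.AddDays(30)) {
        Write-Warning "Certificate $Thumbprint expires on $($cert.NotAfter); rotate it soon"
    }

    New-AadAuthenticationFactory -TenantId $TenantId -ClientId $ClientId -X509Certificate $cert -DefaultScopes $DefaultScopes
}

# Sample usage with the page's sample values
$factory = New-CertificateAuthFactory -TenantId 'mydomain.com' `
    -ClientId '1b69b00f-08f0-4798-9976-af325f7f7526' `
    -Thumbprint 'e827f78a78cf532eb539479d6afe9c7f703173d5'

# -AsHashTable yields a header hashtable (assumed usable as-is with Invoke-RestMethod)
$headers = Get-AadToken -Factory $factory -AsHashTable
$result = Invoke-RestMethod -Uri 'https://graph.microsoft.com/v1.0/servicePrincipals?$top=1' -Headers $headers
$result.value | Select-Object displayName, appId
```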

Login with federated credentials

This option lets you pass a JWT obtained from a federated identity provider and exchange it for an AAD token via federated credentials.
For real-life usage, see the azure-automation-devops-integration repo, where this approach is used to exchange an Azure DevOps JWT for an AAD token in order to manage an Azure Automation account.
The code is in the Manage-AutomationAccount script, which implements an Azure Pipelines task and supports authenticating the pipeline with federated credentials for deployment.

$tenantId = 'mydomain.com'
# appId of the app registration that has the federated credential configured
$clientId = 'd01734f1-2a3f-452e-ad42-8ffe7ae900ef'
# TODO: implement JWT token retrieval yourself (this function is a placeholder)
$assertion = Get-JwtTokenFromExternalIdentityProvider
# Use the JWT as the client assertion to create the factory;
# the factory created last becomes the default for subsequent Get-AadToken calls without -Factory
New-AadAuthenticationFactory -TenantId $tenantId -ClientId $clientId -Assertion $assertion
# Retrieve an AAD token for Azure Resource Manager as a header hashtable
$headers = Get-AadToken -Scopes 'https://management.azure.com/.default' -AsHashTable