Simple usage
Examples below show basic usage for the module:
- creating a factory
- requesting an access token
- examining information stored in access token
The module caches the most recently created factory. When a name is specified for the factory, it can later be retrieved with the Get-AadAuthenticationFactory command, passing the factory name as a parameter.
The factory uses the Client Id of the Azure PowerShell application provided by Microsoft. The sample uses browser-based authentication and grants the calling user the delegated permissions for the Graph API that are configured for Azure PowerShell.
The sample demonstrates examination of the resulting Access and ID tokens issued for calling the Graph API.
Note: Access tokens for the Graph API fail to validate. This is by design according to Microsoft; see the discussion here: https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/issues/609
```powershell
# get default client id used by module
Get-AadDefaultClientId

# create authentication factory with interactive browser login and cache it inside the module
# factory can have a name you can use to reference the factory later
New-AadAuthenticationFactory -TenantId mytenant.com -DefaultScopes 'https://graph.microsoft.com/.default' -AuthMode Interactive -Name myFactory

# ask for token
# token is issued for the default scopes specified when creating the factory
# you can reference the factory by name; if not specified, the most recently created factory is used
$Token = Get-AadToken -Factory myFactory

# examine access token data
$Token.AccessToken | Test-AadToken | Select -Expand Payload

# examine ID token data
$Token.IdToken | Test-AadToken | Select -Expand Payload

# ask for token to a different resource using the authentication provided earlier
# we just explicitly specify different scopes when asking for the token
$Token2 = Get-AadToken -Scopes https://vault.azure.net/.default

# ask for a fresh token with reauthentication of the user
$Token = Get-AadToken -ForceAuthentication
```
The module caches the most recently created factory. In this example, the factory uses a custom Client Id with a client secret to authenticate with Entra ID.
```powershell
$appId = '1b69b00f-08f0-4798-9976-af325f7f7526'
$secret = 'xxxx'

# create authentication factory and cache it inside the module
# we do not specify default scopes, which means we must always specify scopes when asking for a token
New-AadAuthenticationFactory -TenantId mytenant.com -ClientId $appId -ClientSecret $secret

# ask for token
$Token = Get-AadToken -Scopes 'https://graph.microsoft.com/.default'

# examine access token data
$Token.AccessToken | Test-AadToken | Select -Expand Payload

# examine ID token data
# note: the client credentials flow issues no ID token, so this is empty for app-only authentication
$Token.IdToken | Test-AadToken | Select -Expand Payload
```
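Because Graph access tokens cannot be signature-validated by the caller (see the note above), the checks a client can still perform locally are audience, expiry and the kind of permission the token carries. The following is an added example, not part of the module's documentation: it decodes the JWT payload of a token returned by Get-AadToken and reports whether the token fits the resource you are about to call, for both the delegated (first sample) and client credentials (second sample) flows. It assumes only that Get-AadToken returns an object with an AccessToken string, as shown above; the function names are the example's own.

```powershell
# Added example: decode a JWT payload without validating its signature and check the
# claims a caller can verify locally. Assumes $Token.AccessToken is a compact JWS string.

function ConvertFrom-JwtPayload {
    param([Parameter(Mandatory)][string]$Jwt)
    $parts = $Jwt.Split('.')
    if ($parts.Count -ne 3) { throw 'Not a compact JWS (expected header.payload.signature)' }
    # base64url -> base64: restore URL-safe characters and padding
    $b64 = $parts[1].Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) { 2 { $b64 += '==' } 3 { $b64 += '=' } }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64)) | ConvertFrom-Json
}

function Test-AccessTokenClaims {
    param(
        [Parameter(Mandatory)][string]$AccessToken,
        # resource the token was requested for, e.g. 'https://graph.microsoft.com'
        [Parameter(Mandatory)][string]$ExpectedAudience,
        [int]$MinRemainingSeconds = 60
    )
    $claims = ConvertFrom-JwtPayload -Jwt $AccessToken
    $now = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds()
    # compare audience ignoring a trailing slash; a token for another resource must not be sent here
    $audOk = ($claims.aud.TrimEnd('/') -eq $ExpectedAudience.TrimEnd('/'))
    # delegated tokens carry 'scp' (user scopes); app-only tokens from the client credentials flow carry 'roles'
    if ($claims.scp) { $flow = 'Delegated'; $perms = $claims.scp -split ' ' }
    elseif ($claims.roles) { $flow = 'Application'; $perms = @($claims.roles) }
    else { $flow = 'Unknown'; $perms = @() }
    [pscustomobject]@{
        Audience        = $claims.aud
        AudienceMatches = $audOk
        ExpiresUtc      = [DateTimeOffset]::FromUnixTimeSeconds($claims.exp).UtcDateTime
        IsFresh         = ($claims.exp - $now) -gt $MinRemainingSeconds
        Flow            = $flow
        Permissions     = $perms
    }
}

# usage with the factory created in the first sample above
$Token = Get-AadToken -Factory myFactory
$check = Test-AccessTokenClaims -AccessToken $Token.AccessToken -ExpectedAudience 'https://graph.microsoft.com'
if (-not ($check.AudienceMatches -and $check.IsFresh)) {
    throw "Token is not usable for Graph: $($check | Out-String)"
}
$check
```

Running the same check on the token from the client credentials sample reports Flow = Application and lists the app roles granted to the application instead of user scopes.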