mcollier · February 16, 2019 22:11
diff --git a/AAD_AcquireToken_Scratch.ps1 b/AAD_AcquireToken_Scratch.ps1
 $subscriptionId = "---- ADD YOUR AZURE SUBSCRIPTION ID ----"
 $tennantId = "---- ADD YOUR AZURE AD TENANT ID ----"

 # Password for the service principal
 $secret = "test!12345678910"
 $secureStringPassword = ConvertTo-SecureString -String $secret -AsPlainText -Force

 # $resource = "https://management.azure.com/"
 $resource = "https://management.core.windows.net/"

 # Authenticate to a specific Azure subscription.
 Connect-AzureRmAccount -SubscriptionId $subscriptionId


 # ********************************
 #          Example 1 - Using ADAL 
 # ********************************

 # Create a new Azure AD application
 $azureAdApplication = New-AzureRmADApplication  -DisplayName "My Azure Monitor"  -HomePage "https://localhost/azure-monitor"  -IdentifierUris "https://localhost/azure-monitor" -Password $secureStringPassword

 # Create a new service principal associated with the designated application
 New-AzureRmADServicePrincipal -ApplicationId $azureAdApplication.ApplicationId

 # Sleep for a few seconds to give AAD time to propogate data.
 Start-Sleep -Seconds 30

 # Assign Reader role to the newly created service principal
 New-AzureRmRoleAssignment -RoleDefinitionName Reader -ServicePrincipalName $azureAdApplication.ApplicationId.Guid

 # Get the AAD application and Azure subscription.
 $azureAdApplication = Get-AzureRmADApplication -IdentifierUri "https://localhost/azure-monitor"

 $clientId = $azureAdApplication.ApplicationId.Guid
 $authUrl = "https://login.microsoftonline.com/${tennantId}"

 # Use ADAL to get the authentication token.
 $AuthContext = [Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext]$authUrl
 $cred = New-Object -TypeName Microsoft.IdentityModel.Clients.ActiveDirectory.ClientCredential -ArgumentList ($clientId, $secureStringPassword)

 $result = $AuthContext.AcquireTokenAsync($resource, $cred)
 if ($result.Exception -ne $null) {
    Write-Error($result.Exception)
 }
 else {

    # Build an array of HTTP header values
    $authHeader = @{
        'Content-Type'  = 'application/json'
        'Accept'        = 'application/json'
        'Authorization' = $result.CreateAuthorizationHeader()
    }
 }



 # ********************************
 #          Example 2 - Using MSAL
 # ********************************
 Add-Type -Path "Microsoft.Identity.Client.dll"

 [Microsoft.Identity.Client.TokenCache] $tokenCache = New-Object Microsoft.Identity.Client.TokenCache

 # TODO: Create service principal

 $pwd = "xxxxxxx"
 $clientId = "yyyyyyyyyyyyyyy"
 $authority = "https://login.microsoftonline.com/zzzzzzzzzzzzzzzzzzz"

 [Microsoft.Identity.Client.ClientCredential] $clientCredential = New-Object Microsoft.Identity.Client.ClientCredential -ArgumentList $pwd
 [Microsoft.Identity.Client.ConfidentialClientApplication] $app = New-Object Microsoft.Identity.Client.ConfidentialClientApplication -ArgumentList $clientId, $authority, $clientCredential, $null, $tokenCache

 $scopes = [string[]]@("https://management.azure.com/.default")

 [Microsoft.Identity.Client.AuthenticationResult] $result = $app.AcquireTokenForClientAsync($scopes).GetAwaiter().GetResult()



 # ********************************
 #          Example 3 - Using REST API
 # ********************************

 #SPN ClientId and Secret.  Obtain the Client ID from the Azure Portal if necessary.
 #$clientId = "---- ADD CLIENT ID OR USE VALUE FROM EXAMPLE 1"
 $tokenEndpoint = "https://login.microsoftonline.com/$tennantId/oauth2/token"

 $body = @{
    'resource'      = $resource
    'client_id'     = $clientId
    'grant_type'    = 'client_credentials'
    'client_secret' = $secret
 }

 $params = @{
    ContentType = 'application/x-www-form-urlencoded'
    Headers     = @{'accept' = 'application/json'}
    Body        = $body
    Method      = 'Post'
    URI         = $tokenEndpoint
 }

 $token = Invoke-RestMethod @params

 $authHeader = @{
    'Content-Type'  = 'application/json'
    'Accept'        = 'application/json'
    'Authorization' = 'Bearer ' + $token.access_token
 }

 $result = Invoke-RestMethod -Uri "https://management.azure.com/subscriptions/$subscriptionId/providers/Microsoft.Web/sites?api-version=2016-08-01" -Headers $authHeader -Method Get

 $result
	$subscriptionId = "---- ADD YOUR AZURE SUBSCRIPTION ID ----"
	$tennantId = "---- ADD YOUR AZURE AD TENANT ID ----"

	# Password for the service principal
	$secret = "test!12345678910"
	$secureStringPassword = ConvertTo-SecureString -String $secret -AsPlainText -Force

	# $resource = "https://management.azure.com/"
	$resource = "https://management.core.windows.net/"

	# Authenticate to a specific Azure subscription.
	Connect-AzureRmAccount -SubscriptionId $subscriptionId


	# ********************************
	# Example 1 - Using ADAL
	# ********************************

	# Create a new Azure AD application
	$azureAdApplication = New-AzureRmADApplication -DisplayName "My Azure Monitor" -HomePage "https://localhost/azure-monitor" -IdentifierUris "https://localhost/azure-monitor" -Password $secureStringPassword

	# Create a new service principal associated with the designated application
	New-AzureRmADServicePrincipal -ApplicationId $azureAdApplication.ApplicationId

	# Sleep for a few seconds to give AAD time to propogate data.
	Start-Sleep -Seconds 30

	# Assign Reader role to the newly created service principal
	New-AzureRmRoleAssignment -RoleDefinitionName Reader -ServicePrincipalName $azureAdApplication.ApplicationId.Guid

	# Get the AAD application and Azure subscription.
	$azureAdApplication = Get-AzureRmADApplication -IdentifierUri "https://localhost/azure-monitor"

	$clientId = $azureAdApplication.ApplicationId.Guid
	$authUrl = "https://login.microsoftonline.com/${tennantId}"

	# Use ADAL to get the authentication token.
	$AuthContext = [Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext]$authUrl
	$cred = New-Object -TypeName Microsoft.IdentityModel.Clients.ActiveDirectory.ClientCredential -ArgumentList ($clientId, $secureStringPassword)

	$result = $AuthContext.AcquireTokenAsync($resource, $cred)
	if ($result.Exception -ne $null) {
	Write-Error($result.Exception)
	}
	else {

	# Build an array of HTTP header values
	$authHeader = @{
	'Content-Type' = 'application/json'
	'Accept' = 'application/json'
	'Authorization' = $result.CreateAuthorizationHeader()
	}
	}



	# ********************************
	# Example 2 - Using MSAL
	# ********************************
	Add-Type -Path "Microsoft.Identity.Client.dll"

	[Microsoft.Identity.Client.TokenCache] $tokenCache = New-Object Microsoft.Identity.Client.TokenCache

	# TODO: Create service principal

	$pwd = "xxxxxxx"
	$clientId = "yyyyyyyyyyyyyyy"
	$authority = "https://login.microsoftonline.com/zzzzzzzzzzzzzzzzzzz"

	[Microsoft.Identity.Client.ClientCredential] $clientCredential = New-Object Microsoft.Identity.Client.ClientCredential -ArgumentList $pwd
	[Microsoft.Identity.Client.ConfidentialClientApplication] $app = New-Object Microsoft.Identity.Client.ConfidentialClientApplication -ArgumentList $clientId, $authority, $clientCredential, $null, $tokenCache

	$scopes = [string[]]@("https://management.azure.com/.default")

	[Microsoft.Identity.Client.AuthenticationResult] $result = $app.AcquireTokenForClientAsync($scopes).GetAwaiter().GetResult()



	# ********************************
	# Example 3 - Using REST API
	# ********************************

	#SPN ClientId and Secret. Obtain the Client ID from the Azure Portal if necessary.
	#$clientId = "---- ADD CLIENT ID OR USE VALUE FROM EXAMPLE 1"
	$tokenEndpoint = "https://login.microsoftonline.com/$tennantId/oauth2/token"

	$body = @{
	'resource' = $resource
	'client_id' = $clientId
	'grant_type' = 'client_credentials'
	'client_secret' = $secret
	}

	$params = @{
	ContentType = 'application/x-www-form-urlencoded'
	Headers = @{'accept' = 'application/json'}
	Body = $body
	Method = 'Post'
	URI = $tokenEndpoint
	}

	$token = Invoke-RestMethod @params

	$authHeader = @{
	'Content-Type' = 'application/json'
	'Accept' = 'application/json'
	'Authorization' = 'Bearer ' + $token.access_token
	}

	$result = Invoke-RestMethod -Uri "https://management.azure.com/subscriptions/$subscriptionId/providers/Microsoft.Web/sites?api-version=2016-08-01" -Headers $authHeader -Method Get

	$result