diff --git a/docs/cloud/azure/azure-access-and-token.md b/docs/cloud/azure/azure-access-and-token.md
index 8d02a2e..950088a 100644
--- a/docs/cloud/azure/azure-access-and-token.md
+++ b/docs/cloud/azure/azure-access-and-token.md
@@ -82,40 +82,49 @@ Whoami equivalent: `Get-MgContext` * Login with credentials ```ps1 + # TODO ``` -* Login with device code flow - ```ps1 - # paste this in a PowerShell console - $body = @{ - "client_id" = "1950a258-227b-4e31-a9cf-717495945fc2"! - "resource" = "https://graph.microsoft.com" - } - $UserAgent = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36" - $Headers=@{} - $Headers["User-Agent"] = $UserAgent - $authResponse = Invoke-RestMethod ` - -UseBasicParsing ` - -Method Post ` - -Uri "https://login.microsoftonline.com/common/oauth2/devicecode?api-version=1.0" ` - -Headers $Headers ` - -Body $body - $authResponse - # then browse to https://microsoft.com/devicelogin and use the device_code - # finally execute this command to ask for tokens - $body=@{ - "client_id" = "1950a258-227b-4e31-a9cf-717495945fc2" - "grant_type" = "urn:ietf:params:oauth:grant-type:device_code" - "code" = $authResponse.device_code - } - $Tokens = Invoke-RestMethod ` - -UseBasicParsing ` - -Method Post ` - -Uri "https://login.microsoftonline.com/Common/oauth2/token?api-version=1.0" ` - -Headers $Headers ` - -Body $body - $Tokens - ``` +#### Device Code + +Request a device code + +```ps1 +$body = @{ + "client_id" = "1950a258-227b-4e31-a9cf-717495945fc2" + "resource" = "https://graph.microsoft.com" +} +$UserAgent = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36" +$Headers=@{} +$Headers["User-Agent"] = $UserAgent +$authResponse = Invoke-RestMethod ` + -UseBasicParsing ` + -Method Post ` + -Uri "https://login.microsoftonline.com/common/oauth2/devicecode?api-version=1.0" ` + -Headers $Headers ` + -Body $body +$authResponse +``` + +Go to device login [microsoft.com/devicelogin](https://login.microsoftonline.com/common/oauth2/deviceauth) and input the device code. Then ask for an access token. 
+ +```ps1 +$body=@{ + "client_id" = "1950a258-227b-4e31-a9cf-717495945fc2" + "grant_type" = "urn:ietf:params:oauth:grant-type:device_code" + "code" = $authResponse.device_code +} +$Tokens = Invoke-RestMethod ` + -UseBasicParsing ` + -Method Post ` + -Uri "https://login.microsoftonline.com/Common/oauth2/token?api-version=1.0" ` + -Headers $Headers ` + -Body $body +$Tokens +``` + + +#### Service Principal * Request an access token using a **service principal password** ```ps1 @@ -127,6 +136,31 @@ Whoami equivalent: `Get-MgContext` --data-urlencode 'grant_type=client_credentials' ``` +#### App Secret + +An App Secret (also called a client secret) is a string used for securing communication between an application and Azure Active Directory (Azure AD). It is a credential that the application uses along with its client ID to authenticate itself when accessing Azure resources, such as APIs or other services, on behalf of a user or a system. + +```ps1 +$appid = '' +$tenantid = '' +$secret = '' + +$body = @{ + Grant_Type = "client_credentials" + Scope = "https://graph.microsoft.com/.default" + Client_Id = $appid + Client_Secret = $secret +} + +$connection = Invoke-RestMethod ` + -Uri https://login.microsoftonline.com/$tenantid/oauth2/v2.0/token ` + -Method POST ` + -Body $body + +Connect-MgGraph -AccessToken $connection.access_token +``` + + ### Internal HTTP API > **MSI_ENDPOINT** is an alias for **IDENTITY_ENDPOINT**, and **MSI_SECRET** is an alias for **IDENTITY_HEADER**.