Device Code Flow + App Secret Auth

2024-10-04 16:50:06 +02:00 · 2024-10-04 16:50:06 +02:00 · d07e3a2727
parent 302d0a37f7
commit d07e3a2727
1 changed files with 66 additions and 32 deletions
--- a/docs/cloud/azure/azure-access-and-token.md
+++ b/docs/cloud/azure/azure-access-and-token.md
@ -82,12 +82,16 @@ Whoami equivalent: `Get-MgContext`

 * Login with credentials
    ```ps1
+    # TODO
    ```
-* Login with device code flow
+
+#### Device Code
+
+Request a device code
+
 ```ps1
-    # paste this in a PowerShell console
 $body = @{
-        "client_id" =     "1950a258-227b-4e31-a9cf-717495945fc2"!
+    "client_id" =     "1950a258-227b-4e31-a9cf-717495945fc2"
    "resource" =      "https://graph.microsoft.com"
 }
 $UserAgent = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36"
@ -100,9 +104,11 @@ Whoami equivalent: `Get-MgContext`
    -Headers $Headers `
    -Body $body
 $authResponse
+```

-    # then browse to https://microsoft.com/devicelogin and use the device_code
-    # finally execute this command to ask for tokens
+Go to device login [microsoft.com/devicelogin](https://login.microsoftonline.com/common/oauth2/deviceauth) and input the device code. Then ask for an access token.
+
+```ps1
 $body=@{
    "client_id" =  "1950a258-227b-4e31-a9cf-717495945fc2"
    "grant_type" = "urn:ietf:params:oauth:grant-type:device_code"
@ -117,6 +123,9 @@ Whoami equivalent: `Get-MgContext`
 $Tokens
 ```

+
+#### Service Principal 
+
 * Request an access token using a **service principal password**
    ```ps1
    curl --location --request POST 'https://login.microsoftonline.com/<tenant-name>/oauth2/v2.0/token' \
@ -127,6 +136,31 @@ Whoami equivalent: `Get-MgContext`
    --data-urlencode 'grant_type=client_credentials'
    ```

+#### App Secret
+
+An App Secret (also called a client secret) is a string used for securing communication between an application and Azure Active Directory (Azure AD). It is a credential that the application uses along with its client ID to authenticate itself when accessing Azure resources, such as APIs or other services, on behalf of a user or a system.
+
+```ps1
+$appid = '<app-id>'
+$tenantid = '<tenant-id>'
+$secret = '<app-secret>'
+ 
+$body =  @{
+    Grant_Type    = "client_credentials"
+    Scope         = "https://graph.microsoft.com/.default"
+    Client_Id     = $appid
+    Client_Secret = $secret
+}
+ 
+$connection = Invoke-RestMethod `
+    -Uri https://login.microsoftonline.com/$tenantid/oauth2/v2.0/token `
+    -Method POST `
+    -Body $body
+
+Connect-MgGraph -AccessToken $connection.access_token
+```
+
+
 ### Internal HTTP API

 > **MSI_ENDPOINT** is an alias for **IDENTITY_ENDPOINT**, and **MSI_SECRET** is an alias for **IDENTITY_HEADER**.