AccessToken_utils.ps1
# This script contains functions for handling access tokens # and some utility functions # VARIABLES # Unix epoch time (1.1.1970) $epoch = Get-Date -Day 1 -Month 1 -Year 1970 -Hour 0 -Minute 0 -Second 0 -Millisecond 0 # FOCI client ids # Ref: https://github.com/secureworks/family-of-client-ids-research/blob/main/known-foci-clients.csv $FOCIs = @{ "00b41c95-dab0-4487-9791-b9d2c32c80f2" = "Office 365 Management" "04b07795-8ddb-461a-bbee-02f9e1bf7b46" = "Microsoft Azure CLI" "1950a258-227b-4e31-a9cf-717495945fc2" = "Microsoft Azure PowerShell" "1fec8e78-bce4-4aaf-ab1b-5451cc387264" = "Microsoft Teams" "26a7ee05-5602-4d76-a7ba-eae8b7b67941" = "Windows Search" "27922004-5251-4030-b22d-91ecd9a37ea4" = "Outlook Mobile" "4813382a-8fa7-425e-ab75-3b753aab3abb" = "Microsoft Authenticator App" "ab9b8c07-8f02-4f72-87fa-80105867a763" = "OneDrive SyncEngine" "d3590ed6-52b3-4102-aeff-aad2292ab01c" = "Microsoft Office" "872cd9fa-d31f-45e0-9eab-6e460a02d1f1" = "Visual Studio" "af124e86-4e96-495a-b70a-90f90ab96707" = "OneDrive iOS App" "2d7f3606-b07d-41d1-b9d2-0d0c9296a6e8" = "Microsoft Bing Search for Microsoft Edge" "844cca35-0656-46ce-b636-13f48b0eecbd" = "Microsoft Stream Mobile Native" "87749df4-7ccf-48f8-aa87-704bad0e0e16" = "Microsoft Teams - Device Admin Agent" "cf36b471-5b44-428c-9ce7-313bf84528de" = "Microsoft Bing Search" "0ec893e0-5785-4de6-99da-4ed124e5296c" = "Office UWP PWA" "22098786-6e16-43cc-a27d-191a01a1e3b5" = "Microsoft To-Do client" "4e291c71-d680-4d0e-9640-0a3358e31177" = "PowerApps" "57336123-6e14-4acc-8dcf-287b6088aa28" = "Microsoft Whiteboard Client" "57fcbcfa-7cee-4eb1-8b25-12d2030b4ee0" = "Microsoft Flow" "66375f6b-983f-4c2c-9701-d680650f588f" = "Microsoft Planner" "9ba1a5c7-f17a-4de9-a1f1-6178c8d51223" = "Microsoft Intune Company Portal" "a40d7d7d-59aa-447e-a655-679a4107e548" = "Accounts Control UI" "a569458c-7f2b-45cb-bab9-b7dee514d112" = "Yammer iPhone" "b26aadf8-566f-4478-926f-589f601d9c74" = "OneDrive" "c0d2a505-13b8-4ae0-aa9e-cddd5eab0b12" = "Microsoft Power BI" "d326c1ce-6cc6-4de2-bebc-4591e5e13ef0" = "SharePoint" "e9c51622-460d-4d3d-952d-966a5b1da34c" = "Microsoft Edge" "eb539595-3fe1-474e-9c1d-feb3625d1be5" = "Microsoft Tunnel" "ecd6b820-32c2-49b6-98a6-444530e5a77a" = "Microsoft Edge" "f05ff7c9-f75a-4acd-a3b5-f4b6a870245d" = "SharePoint Android" "f44b1140-bc5e-48c6-8dc0-5cf5a53c0e34" = "Microsoft Edge" "be1918be-3fe3-4be9-b32b-b542fc27f02e" = "M365 Compliance Drive Client" "cab96880-db5b-4e15-90a7-f3f1d62ffe39" = "Microsoft Defender Platform" "d7b530a4-7680-4c23-a8bf-c52c121d2e87" = "Microsoft Edge Enterprise New Tab Page" "dd47d17a-3194-4d86-bfd5-c6ae6f5651e3" = "Microsoft Defender for Mobile" "e9b154d0-7658-433b-bb25-6b8e0a8a7c59" = "Outlook Lite" } # Resource ids $RESIDs = @{ "00000003-0000-0000-c000-000000000000" = "https://graph.microsoft.com" } # Stored tokens (access & refresh) $tokens=@{} $refresh_tokens=@{} ## UTILITY FUNCTIONS FOR API COMMUNICATIONS # Return user's login information function Get-LoginInformation { <# .SYNOPSIS Returns authentication information of the given user or domain .DESCRIPTION Returns authentication of the given user or domain .Example Get-AADIntLoginInformation -Domain outlook.com Tenant Banner Logo : Authentication Url : https://login.live.com/login.srf?username=nn%40outlook.com&wa=wsignin1.0&wtrealm=urn%3afederation%3aMicrosoftOnline&wctx= Pref Credential : 6 Federation Protocol : WSTrust Throttle Status : 0 Cloud Instance : microsoftonline.com Federation Brand Name : MSA Realms Domain Name : live.com Federation Metadata Url : https://nexus.passport.com/FederationMetadata/2007-06/FederationMetadata.xml Tenant Banner Illustration : Consumer Domain : True State : 3 Federation Active Authentication Url : https://login.live.com/rst2.srf User State : 2 Account Type : Federated Tenant Locale : Domain Type : 2 Exists : 5 Has Password : True Cloud Instance audience urn : urn:federation:MicrosoftOnline Federation Global Version : -1 .Example Get-AADIntLoginInformation -UserName someone@company.com Tenant Banner Logo : https://secure.aadcdn.microsoftonline-p.com/c1c6b6c8-okmfqodscgr7krbq5-p48zooi4b7m9g2zcpryoikta/logintenantbranding/0/bannerlogo?ts=635912486993671038 Authentication Url : Pref Credential : 1 Federation Protocol : Throttle Status : 1 Cloud Instance : microsoftonline.com Federation Brand Name : Company Ltd Domain Name : company.com Federation Metadata Url : Tenant Banner Illustration : Consumer Domain : State : 4 Federation Active Authentication Url : User State : 1 Account Type : Managed Tenant Locale : 0 Domain Type : 3 Exists : 0 Has Password : True Cloud Instance audience urn : urn:federation:MicrosoftOnline Desktop Sso Enabled : True Federation Global Version : #> [cmdletbinding()] Param( [Parameter(ParameterSetName='Domain',Mandatory=$True)] [String]$Domain, [Parameter(ParameterSetName='User',Mandatory=$True)] [String]$UserName ) Process { if([string]::IsNullOrEmpty($UserName)) { $isDomain = $true $UserName = "nn@$Domain" } $subScope = Get-TenantSubscope -Domain $UserName.Split("@")[1] # Gather login information using different APIs $realm1=Get-UserRealm -UserName $UserName -SubScope $subScope # common/userrealm API 1.0 $realm2=Get-UserRealmExtended -UserName $UserName -SubScope $subScope # common/userrealm API 2.0 $realm3=Get-UserRealmV2 -UserName $UserName -SubScope $subScope # GetUserRealm.srf (used in the old Office 365 login experience) $realm4=Get-CredentialType -UserName $UserName -SubScope $subScope # common/GetCredentialType (used in the "new" Office 365 login experience) # Create a return object $attributes = @{ "Account Type" = $realm1.account_type # Managed or federated "Domain Name" = $realm1.domain_name "Cloud Instance" = $realm1.cloud_instance_name "Cloud Instance audience urn" = $realm1.cloud_audience_urn "Federation Brand Name" = $realm2.FederationBrandName "Tenant Locale" = $realm2.TenantBrandingInfo.Locale "Tenant Banner Logo" = $realm2.TenantBrandingInfo.BannerLogo "Tenant Banner Illustration" = $realm2.TenantBrandingInfo.Illustration "State" = $realm3.State "User State" = $realm3.UserState "Exists" = $realm4.IfExistsResult "Throttle Status" = $realm4.ThrottleStatus "Pref Credential" = $realm4.Credentials.PrefCredential "Has Password" = $realm4.Credentials.HasPassword "Domain Type" = $realm4.EstsProperties.DomainType "Federation Protocol" = $realm1.federation_protocol "Federation Metadata Url" = $realm1.federation_metadata_url "Federation Active Authentication Url" = $realm1.federation_active_auth_url "Authentication Url" = $realm2.AuthUrl "Consumer Domain" = $realm2.ConsumerDomain "Federation Global Version" = $realm3.FederationGlobalVersion "Desktop Sso Enabled" = $realm4.EstsProperties.DesktopSsoEnabled } # Return return New-Object psobject -Property $attributes } } # Return user's authentication realm from common/userrealm using API 1.0 function Get-UserRealm { <# .SYNOPSIS Returns authentication realm of the given user .DESCRIPTION Returns authentication realm of the given user using common/userrealm API 1.0 .Example Get-AADIntUserRealm -UserName "user@company.com" ver : 1.0 account_type : Managed domain_name : company.com cloud_instance_name : microsoftonline.com cloud_audience_urn : urn:federation:MicrosoftOnline .Example Get-AADIntUserRealm -UserName "user@company.com" ver : 1.0 account_type : Federated domain_name : company.com federation_protocol : WSTrust federation_metadata_url : https://sts.company.com/adfs/services/trust/mex federation_active_auth_url : https://sts.company.com/adfs/services/trust/2005/usernamemixed cloud_instance_name : microsoftonline.com cloud_audience_urn : urn:federation:MicrosoftOnline #> [cmdletbinding()] Param( [Parameter(Mandatory=$True)] [String]$UserName, [Parameter(Mandatory=$False)] [Microsoft.PowerShell.Commands.WebRequestSession]$webSession, [Parameter(Mandatory=$False)] [String]$SubScope ) Process { # Call the API $userRealm=Invoke-RestMethod -UseBasicParsing -Uri ("$(Get-TenantLoginUrl -SubScope $SubScope)/common/userrealm/$UserName"+"?api-version=1.0") -WebSession $webSession -Headers @{"User-agent" = Get-UserAgent} # Verbose Write-Verbose "USER REALM $($userRealm | Out-String)" # Return $userRealm } } # Return user's authentication realm from common/userrealm using API 2.0 function Get-UserRealmExtended { <# .SYNOPSIS Returns authentication realm of the given user .DESCRIPTION Returns authentication realm of the given user using common/userrealm API 2.0 .Example Get-AADIntUserRealmExtended -UserName "user@company.com" NameSpaceType : Managed Login : user@company.com DomainName : company.com FederationBrandName : Company Ltd TenantBrandingInfo : {@{Locale=0; BannerLogo=https://secure.aadcdn.microsoftonline-p.com/xxx/logintenantbranding/0/bannerlogo? ts=111; TileLogo=https://secure.aadcdn.microsoftonline-p.com/xxx/logintenantbranding/0/til elogo?ts=112; BackgroundColor=#FFFFFF; BoilerPlateText=From here you can sign-in to Company Ltd services; UserIdLabel=firstname.lastname@company.com; KeepMeSignedInDisabled=False}} cloud_instance_name : microsoftonline.com .Example Get-AADIntUserRealmExtended -UserName "user@company.com" NameSpaceType : Federated federation_protocol : WSTrust Login : user@company.com AuthURL : https://sts.company.com/adfs/ls/?username=user%40company.com&wa=wsignin1. 0&wtrealm=urn%3afederation%3aMicrosoftOnline&wctx= DomainName : company.com FederationBrandName : Company Ltd TenantBrandingInfo : cloud_instance_name : microsoftonline.com #> [cmdletbinding()] Param( [Parameter(Mandatory=$True)] [String]$UserName, [Parameter(Mandatory=$False)] [String]$SubScope ) Process { # Call the API $userRealm=Invoke-RestMethod -UseBasicParsing -Uri ("$(Get-TenantLoginUrl -SubScope $SubScope)/common/userrealm/$UserName"+"?api-version=2.0") -Headers @{"User-agent" = Get-UserAgent} # Verbose Write-Verbose "USER REALM $($userRealm | Out-String)" # Return $userRealm } } # Return user's authentication realm from GetUserRealm.srf (used in the old Office 365 login experience) function Get-UserRealmV2 { <# .SYNOPSIS Returns authentication realm of the given user .DESCRIPTION Returns authentication realm of the given user using GetUserRealm.srf (used in the old Office 365 login experience) .Example Get-AADIntUserRealmV3 -UserName "user@company.com" State : 4 UserState : 1 Login : user@company.com NameSpaceType : Managed DomainName : company.com FederationBrandName : Company Ltd CloudInstanceName : microsoftonline.com .Example Get-AADIntUserRealmV2 -UserName "user@company.com" State : 3 UserState : 2 Login : user@company.com NameSpaceType : Federated DomainName : company.com FederationGlobalVersion : -1 AuthURL : https://sts.company.com/adfs/ls/?username=user%40company.com&wa=wsignin1. 0&wtrealm=urn%3afederation%3aMicrosoftOnline&wctx= FederationBrandName : Company Ltd CloudInstanceName : microsoftonline.com #> [cmdletbinding()] Param( [Parameter(Mandatory=$True)] [String]$UserName, [Parameter(Mandatory=$False)] [String]$SubScope ) Process { # Call the API $userRealm=Invoke-RestMethod -UseBasicParsing -Uri ("$(Get-TenantLoginUrl -SubScope $SubScope)/GetUserRealm.srf?login=$UserName") -Headers @{"User-agent" = Get-UserAgent} # Verbose Write-Verbose "USER REALM: $($userRealm | Out-String)" # Return $userRealm } } # Return user's authentication type information from common/GetCredentialType function Get-CredentialType { <# .SYNOPSIS Returns authentication information of the given user .DESCRIPTION Returns authentication of the given user using common/GetCredentialType (used in the "new" Office 365 login experience) .Example Get-AADIntUserRealmExtended -UserName "user@company.com" Username : user@company.com Display : user@company.com IfExistsResult : 0 ThrottleStatus : 1 Credentials : @{PrefCredential=1; HasPassword=True; RemoteNgcParams=; FidoParams=; SasParams=} EstsProperties : @{UserTenantBranding=System.Object[]; DomainType=3} FlowToken : apiCanary : AQABAAA..A NameSpaceType : Managed Login : user@company.com DomainName : company.com FederationBrandName : Company Ltd TenantBrandingInfo : {@{Locale=0; BannerLogo=https://secure.aadcdn.microsoftonline-p.com/xxx/logintenantbranding/0/bannerlogo? ts=111; TileLogo=https://secure.aadcdn.microsoftonline-p.com/xxx/logintenantbranding/0/til elogo?ts=112; BackgroundColor=#FFFFFF; BoilerPlateText=From here you can sign-in to Company Ltd services; UserIdLabel=firstname.lastname@company.com; KeepMeSignedInDisabled=False}} cloud_instance_name : microsoftonline.com .Example Get-AADIntUserRealmExtended -UserName "user@company.com" Username : user@company.com Display : user@company.com IfExistsResult : 0 ThrottleStatus : 1 Credentials : @{PrefCredential=4; HasPassword=True; RemoteNgcParams=; FidoParams=; SasParams=; FederationRed irectUrl=https://sts.company.com/adfs/ls/?username=user%40company.com&wa=wsignin1.0&wtreal m=urn%3afederation%3aMicrosoftOnline&wctx=} EstsProperties : @{UserTenantBranding=; DomainType=4} FlowToken : apiCanary : AQABAAA..A #> [cmdletbinding()] Param( [Parameter(Mandatory=$True)] [String]$UserName, [Parameter(Mandatory=$False)] [String]$FlowToken, [Parameter(Mandatory=$False)] [String]$OriginalRequest, [Parameter(Mandatory=$False)] [Microsoft.PowerShell.Commands.WebRequestSession]$webSession, [Parameter(Mandatory=$False)] [String]$SubScope ) Process { # Create a body for REST API request $body = @{ "username"=$UserName "isOtherIdpSupported" = $true "checkPhones" = $true "isRemoteNGCSupported" = $true "isCookieBannerShown" = $false "isFidoSupported" = $true "isAccessPassSupported" = $true "originalRequest" = $OriginalRequest "flowToken" = $FlowToken } # TAP support can only be requested if originalRequest is provided. Otherwise we'll get error code 6000. if(![string]::IsNullOrEmpty($OriginalRequest)) { $body["isAccessPassSupported"] = $true } # Call the API $userRealm=Invoke-RestMethod -UseBasicParsing -Uri ("$(Get-TenantLoginUrl -SubScope $SubScope)/common/GetCredentialType") -ContentType "application/json; charset=UTF-8" -Method POST -Body ($body|ConvertTo-Json) -WebSession $webSession -Headers @{"User-agent" = Get-UserAgent} # Verbose & Debug Write-Verbose "CREDENTIAL TYPE: Exist=$($userRealm.IfExistsResult), Federated=$(![string]::IsNullOrEmpty($userRealm.Credentials.FederationRedirectUrl))" Write-Debug "CREDENTIAL TYPE: $($userRealm | Out-String)" # Return $userRealm } } # Return OpenID configuration for the domain # Mar 21 2019 function Get-OpenIDConfiguration { <# .SYNOPSIS Returns OpenID configuration of the given domain or user .DESCRIPTION Returns OpenID configuration of the given domain or user .Example Get-AADIntOpenIDConfiguration -UserName "user@company.com" .Example Get-AADIntOpenIDConfiguration -Domain company.com authorization_endpoint : https://login.microsoftonline.com/5b62a25d-60c6-40e6-aace-8a43e8b8ba4a/oauth2/authorize token_endpoint : https://login.microsoftonline.com/5b62a25d-60c6-40e6-aace-8a43e8b8ba4a/oauth2/token token_endpoint_auth_methods_supported : {client_secret_post, private_key_jwt, client_secret_basic} jwks_uri : https://login.microsoftonline.com/common/discovery/keys response_modes_supported : {query, fragment, form_post} subject_types_supported : {pairwise} id_token_signing_alg_values_supported : {RS256} http_logout_supported : True frontchannel_logout_supported : True end_session_endpoint : https://login.microsoftonline.com/5b62a25d-60c6-40e6-aace-8a43e8b8ba4a/oauth2/logout response_types_supported : {code, id_token, code id_token, token id_token...} scopes_supported : {openid} issuer : https://sts.windows.net/5b62a25d-60c6-40e6-aace-8a43e8b8ba4a/ claims_supported : {sub, iss, cloud_instance_name, cloud_instance_host_name...} microsoft_multi_refresh_token : True check_session_iframe : https://login.microsoftonline.com/5b62a25d-60c6-40e6-aace-8a43e8b8ba4a/oauth2/checkses sion userinfo_endpoint : https://login.microsoftonline.com/5b62a25d-60c6-40e6-aace-8a43e8b8ba4a/openid/userinfo tenant_region_scope : EU cloud_instance_name : microsoftonline.com cloud_graph_host_name : graph.windows.net msgraph_host : graph.microsoft.com rbac_url : https://pas.windows.net #> [cmdletbinding()] Param( [Parameter(ParameterSetName='Domain',Mandatory=$True)] [String]$Domain, [Parameter(ParameterSetName='User',Mandatory=$True)] [String]$UserName ) Process { if([String]::IsNullOrEmpty($Domain)) { $Domain = $UserName.Split("@")[1] } # Call the API $openIdConfig=Invoke-RestMethod -UseBasicParsing -Uri "https://login.microsoftonline.com/$domain/.well-known/openid-configuration" -Headers @{"User-agent" = Get-UserAgent} # Return $openIdConfig } } # Get the tenant ID for the given user/domain/accesstoken function Get-TenantID { <# .SYNOPSIS Returns TenantID of the given domain, user, or AccessToken .DESCRIPTION Returns TenantID of the given domain, user, or AccessToken .Example Get-AADIntTenantID -UserName "user@company.com" .Example Get-AADIntTenantID -Domain company.com .Example Get-AADIntTenantID -AccessToken $at #> [cmdletbinding()] Param( [Parameter(ParameterSetName='Domain',Mandatory=$True)] [String]$Domain, [Parameter(ParameterSetName='User',Mandatory=$True)] [String]$UserName, [Parameter(ParameterSetName='AccessToken', Mandatory=$True)] [String]$AccessToken ) Process { if([String]::IsNullOrEmpty($AccessToken)) { if([String]::IsNullOrEmpty($Domain)) { $Domain = $UserName.Split("@")[1] } Try { $TenantId = (Invoke-RestMethod -UseBasicParsing -Uri "https://odc.officeapps.live.com/odc/v2.1/federationprovider?domain=$domain" -Headers @{"User-agent" = Get-UserAgent}).TenantId } catch { return $null } } else { $TenantId=(Read-Accesstoken($AccessToken)).tid } # Return $TenantId } } # Check if the access token has expired function Is-AccessTokenExpired { [cmdletbinding()] Param( [Parameter(Mandatory=$True)] [String]$AccessToken ) Process { # Read the token $token = Read-Accesstoken($AccessToken) $now=(Get-Date).ToUniversalTime() # Get the expiration time $exp=$epoch.Date.AddSeconds($token.exp) # Compare and return $retVal = $now -ge $exp return $retVal } } # Check if the access token signature is valid # May 20th 2020 function Is-AccessTokenValid { [cmdletbinding()] Param( [Parameter(Mandatory=$True)] [String]$AccessToken ) Process { # Token sections $sections = $AccessToken.Split(".") $header = $sections[0] $payload = $sections[1] $signature = $sections[2] $signatureValid = $false # Fill the header with padding for Base 64 decoding while ($header.Length % 4) { $header += "=" } # Convert the token to string and json $headerBytes=[System.Convert]::FromBase64String($header) $headerArray=[System.Text.Encoding]::ASCII.GetString($headerBytes) $headerObj=$headerArray | ConvertFrom-Json # Get the signing key $KeyId=$headerObj.kid Write-Debug "PARSED TOKEN HEADER: $($headerObj | Format-List | Out-String)" # The algorithm should be RSA with SHA-256, i.e. RS256 if($headerObj.alg -eq "RS256") { # Get the public certificate $publicCert = Get-APIKeys -KeyId $KeyId Write-Debug "TOKEN SIGNING CERT: $publicCert" $certBin=[convert]::FromBase64String($publicCert) # Construct the JWT data to be verified $dataToVerify="{0}.{1}" -f $header,$payload $dataBin = [text.encoding]::UTF8.GetBytes($dataToVerify) # Remove the Base64 URL encoding from the signature and add padding $signature=$signature.Replace("-","+").Replace("_","/") while ($signature.Length % 4) { $signature += "=" } $signBytes = [convert]::FromBase64String($signature) # Extract the modulus and exponent from the certificate for($a=0;$a -lt $certBin.Length ; $a++) { # Read the bytes $byte = $certBin[$a] $nByte = $certBin[$a+1] # We are only interested in 0x02 tag where our modulus is hidden.. if($byte -eq 0x02 -and $nByte -band 0x80) { $a++ if($nbyte -band 0x02) { $byteCount = [System.BitConverter]::ToInt16($certBin[$($a+2)..$($a+1)],0) $a+=3 } elseif($nbyte -band 0x01) { $byteCount = $certBin[$($a+1)] $a+=2 } # If the first byte is 0x00, skip it if($certBin[$a] -eq 0x00) { $a++ $byteCount-- } # Now we have the modulus! $modulus = $certBin[$a..$($a+$byteCount-1)] # Next byte value is the exponent $a+=$byteCount if($certBin[$a++] -eq 0x02) { $byteCount = $certBin[$a++] $exponent = $certBin[$a..$($a+$byteCount-1)] Write-Debug "MODULUS: $(Convert-ByteArrayToHex -Bytes $modulus)" Write-Debug "EXPONENT: $(Convert-ByteArrayToHex -Bytes $exponent)" break } else { Write-Debug "Error getting modulus and exponent" } } } if($exponent -and $modulus) { # Create the RSA and other required objects $rsa = New-Object -TypeName System.Security.Cryptography.RSACryptoServiceProvider $rsaParameters = New-Object -TypeName System.Security.Cryptography.RSAParameters # Set the verification parameters $rsaParameters.Exponent = $exponent $rsaparameters.Modulus = $modulus $rsa.ImportParameters($rsaParameters) $signatureValid = $rsa.VerifyData($dataBin, $signBytes,[System.Security.Cryptography.HashAlgorithmName]::SHA256, [System.Security.Cryptography.RSASignaturePadding]::Pkcs1) $rsa.Dispose() } } else { Write-Error "Access Token signature algorithm $($headerObj.alg) not supported!" } return $signatureValid } } # Gets OAuth information using SAML token function Get-OAuthInfoUsingSAML { [cmdletbinding()] Param( [Parameter(Mandatory=$True)] [String]$SAMLToken, [Parameter(Mandatory=$True)] [String]$Resource, [Parameter(Mandatory=$False)] [String]$ClientId="1b730954-1685-4b74-9bfd-dac224a7b894" ) Begin { # Create the headers. We like to be seen as Outlook. $headers = @{ "User-Agent" = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; Tablet PC 2.0; Microsoft Outlook 16.0.4266)" } } Process { $encodedSamlToken= [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($SAMLToken)) # Debug Write-Debug "SAML TOKEN: $samlToken" Write-Debug "ENCODED SAML TOKEN: $encodedSamlToken" # Create a body for API request $body = @{ "resource"=$Resource "client_id"=$ClientId "grant_type"="urn:ietf:params:oauth:grant-type:saml1_1-bearer" "assertion"=$encodedSamlToken "scope"="openid" } # Debug Write-Debug "FED AUTHENTICATION BODY: $($body | Out-String)" # Set the content type and call the Microsoft Online authentication API $contentType="application/x-www-form-urlencoded" try { $jsonResponse=Invoke-RestMethod -UseBasicParsing -Uri "https://login.microsoftonline.com/common/oauth2/token" -ContentType $contentType -Method POST -Body $body -Headers $headers } catch { Throw ($_.ErrorDetails.Message | convertfrom-json).error_description } return $jsonResponse } } # Return OAuth information for the given user function Get-OAuthInfo { [cmdletbinding()] Param( [Parameter(Mandatory=$True)] [System.Management.Automation.PSCredential]$Credentials, [Parameter(Mandatory=$True)] [String]$Resource, [Parameter(Mandatory=$False)] [String]$ClientId="1b730954-1685-4b74-9bfd-dac224a7b894", [Parameter(Mandatory=$False)] [String]$Tenant="common" ) Begin { # Create the headers. We like to be seen as Outlook. $headers = @{ "User-Agent" = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; Tablet PC 2.0; Microsoft Outlook 16.0.4266)" } if([string]::IsNullOrEmpty($Tenant)) { $Tenant="common" } } Process { # Get the user realm $userRealm = Get-UserRealm($Credentials.UserName) # Check the authentication type if($userRealm.account_type -eq "Unknown") { Write-Error "User type of $($Credentials.Username) is Unknown!" return $null } elseif($userRealm.account_type -eq "Managed") { # If authentication type is managed, we authenticate directly against Microsoft Online # with user name and password to get access token # Create a body for REST API request $body = @{ "resource"=$Resource "client_id"=$ClientId "grant_type"="password" "username"=$Credentials.UserName "password"=$Credentials.GetNetworkCredential().Password "scope"="openid" } # Debug Write-Debug "AUTHENTICATION BODY: $($body | Out-String)" # Set the content type and call the Microsoft Online authentication API $contentType="application/x-www-form-urlencoded" try { $jsonResponse=Invoke-RestMethod -UseBasicParsing -Uri "https://login.microsoftonline.com/$Tenant/oauth2/token" -ContentType $contentType -Method POST -Body $body -Headers $headers } catch { Throw ($_.ErrorDetails.Message | convertfrom-json).error_description } } else { # If authentication type is Federated, we must first authenticate against the identity provider # to fetch SAML token and then get access token from Microsoft Online # Get the federation metadata url from user realm $federation_metadata_url=$userRealm.federation_metadata_url # Call the API to get metadata [xml]$response=Invoke-RestMethod -UseBasicParsing -Uri $federation_metadata_url # Get the url of identity provider endpoint. # Note! Tested only with AD FS - others may or may not work $federation_url=($response.definitions.service.port | where name -eq "UserNameWSTrustBinding_IWSTrustFeb2005Async").address.location # login.live.com # TODO: Fix #$federation_url=$response.EntityDescriptor.RoleDescriptor[1].PassiveRequestorEndpoint.EndpointReference.Address # Set credentials and other needed variables $username=$Credentials.UserName $password=$Credentials.GetNetworkCredential().Password $created=(Get-Date).ToUniversalTime().toString("yyyy-MM-ddTHH:mm:ssZ").Replace(".",":") $expires=(Get-Date).AddMinutes(10).ToUniversalTime().toString("yyyy-MM-ddTHH:mm:ssZ").Replace(".",":") $message_id=(New-Guid).ToString() $user_id=(New-Guid).ToString() # Set headers $headers = @{ "SOAPAction"="http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue" "Host"=$federation_url.Split("/")[2] "client-request-id"=(New-Guid).toString() } # Debug Write-Debug "FED AUTHENTICATION HEADERS: $($headers | Out-String)" # Create the SOAP envelope $envelope=@" <s:Envelope xmlns:s='http://www.w3.org/2003/05/soap-envelope' xmlns:a='http://www.w3.org/2005/08/addressing' xmlns:u='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd'> <s:Header> <a:Action s:mustUnderstand='1'>http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue</a:Action> <a:MessageID>urn:uuid:$message_id</a:MessageID> <a:ReplyTo> <a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address> </a:ReplyTo> <a:To s:mustUnderstand='1'>$federation_url</a:To> <o:Security s:mustUnderstand='1' xmlns:o='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd'> <u:Timestamp u:Id='_0'> <u:Created>$created</u:Created> <u:Expires>$expires</u:Expires> </u:Timestamp> <o:UsernameToken u:Id='uuid-$user_id'> <o:Username>$username</o:Username> <o:Password>$password</o:Password> </o:UsernameToken> </o:Security> </s:Header> <s:Body> <trust:RequestSecurityToken xmlns:trust='http://schemas.xmlsoap.org/ws/2005/02/trust'> <wsp:AppliesTo xmlns:wsp='http://schemas.xmlsoap.org/ws/2004/09/policy'> <a:EndpointReference> <a:Address>urn:federation:MicrosoftOnline</a:Address> </a:EndpointReference> </wsp:AppliesTo> <trust:KeyType>http://schemas.xmlsoap.org/ws/2005/05/identity/NoProofKey</trust:KeyType> <trust:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</trust:RequestType> </trust:RequestSecurityToken> </s:Body> </s:Envelope> "@ # Debug Write-Debug "FED AUTHENTICATION: $envelope" # Set the content type and call the authentication service $contentType="application/soap+xml" [xml]$xmlResponse=Invoke-RestMethod -UseBasicParsing -Uri $federation_url -ContentType $contentType -Method POST -Body $envelope -Headers $headers # Get the SAML token from response and encode it with Base64 $samlToken=$xmlResponse.Envelope.Body.RequestSecurityTokenResponse.RequestedSecurityToken.Assertion.OuterXml $encodedSamlToken= [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($samlToken)) $jsonResponse = Get-OAuthInfoUsingSAML -SAMLToken $samlToken -Resource $Resource -ClientId $ClientId } # Debug Write-Debug "AUTHENTICATION JSON: $($jsonResponse | Out-String)" # Return $jsonResponse } } # Parse access token and return it as PS object function Read-Accesstoken { <# .SYNOPSIS Extract details from the given Access Token .DESCRIPTION Extract details from the given Access Token and returns them as PS Object .Parameter AccessToken The Access Token. .Example PS C:\>$token=Get-AADIntReadAccessTokenForAADGraph PS C:\>Parse-AADIntAccessToken -AccessToken $token aud : https://graph.windows.net iss : https://sts.windows.net/f2b2ba53-ed2a-4f4c-a4c3-85c61e548975/ iat : 1589477501 nbf : 1589477501 exp : 1589481401 acr : 1 aio : ASQA2/8PAAAALe232Yyx9l= amr : {pwd} appid : 1b730954-1685-4b74-9bfd-dac224a7b894 appidacr : 0 family_name : company given_name : admin ipaddr : 107.210.220.129 name : admin company oid : 1713a7bf-47ba-4826-a2a7-bbda9fabe948 puid : 100354 rh : 0QfALA. scp : user_impersonation sub : BGwHjKPU tenant_region_scope : NA tid : f2b2ba53-ed2a-4f4c-a4c3-85c61e548975 unique_name : admin@company.onmicrosoft.com upn : admin@company.onmicrosoft.com uti : -EWK6jMDrEiAesWsiAA ver : 1.0 .Example PS C:\>Parse-AADIntAccessToken -AccessToken $token -Validate Read-Accesstoken : Access Token is expired At line:1 char:1 + Read-Accesstoken -AccessToken $at -Validate -verbose + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Read-Accesstoken aud : https://graph.windows.net iss : https://sts.windows.net/f2b2ba53-ed2a-4f4c-a4c3-85c61e548975/ iat : 1589477501 nbf : 1589477501 exp : 1589481401 acr : 1 aio : ASQA2/8PAAAALe232Yyx9l= amr : {pwd} appid : 1b730954-1685-4b74-9bfd-dac224a7b894 appidacr : 0 family_name : company given_name : admin ipaddr : 107.210.220.129 name : admin company oid : 1713a7bf-47ba-4826-a2a7-bbda9fabe948 puid : 100354 rh : 0QfALA. scp : user_impersonation sub : BGwHjKPU tenant_region_scope : NA tid : f2b2ba53-ed2a-4f4c-a4c3-85c61e548975 unique_name : admin@company.onmicrosoft.com upn : admin@company.onmicrosoft.com uti : -EWK6jMDrEiAesWsiAA ver : 1.0 #> [cmdletbinding()] Param( [Parameter(Mandatory=$True,ValueFromPipeline)] [String]$AccessToken, [Parameter()] [Switch]$ShowDate, [Parameter()] [Switch]$Validate ) Process { if([string]::IsNullOrEmpty($AccessToken)) { Write-Warning "Unable to read access token (null or empty)" return $null } # Token sections $sections = $AccessToken.Split(".") if($sections.Count -eq 5) { Write-Warning "JWE token, expected JWS. Unable to parse." return } $header = $sections[0] $payload = $sections[1] $signature = $sections[2] # Convert the token to string and json $payloadString = Convert-B64ToText -B64 $payload $payloadObj=$payloadString | ConvertFrom-Json if($ShowDate) { # Show dates $payloadObj.exp=($epoch.Date.AddSeconds($payloadObj.exp)).toString("yyyy-MM-ddTHH:mm:ssZ").Replace(".",":") $payloadObj.iat=($epoch.Date.AddSeconds($payloadObj.iat)).toString("yyyy-MM-ddTHH:mm:ssZ").Replace(".",":") $payloadObj.nbf=($epoch.Date.AddSeconds($payloadObj.nbf)).toString("yyyy-MM-ddTHH:mm:ssZ").Replace(".",":") } if($Validate) { # Check the signature if((Is-AccessTokenValid -AccessToken $AccessToken)) { Write-Verbose "Access Token signature successfully verified" } else { Write-Error "Access Token signature could not be verified" } # Check the timestamp if((Is-AccessTokenExpired -AccessToken $AccessToken)) { Write-Error "Access Token is expired" } else { Write-Verbose "Access Token is not expired" } } # Debug Write-Debug "PARSED ACCESS TOKEN: $($payloadObj | Out-String)" # Return $payloadObj } } # Prompts for credentials and gets the access token # Supports MFA. function Prompt-Credentials { [cmdletbinding()] Param( [Parameter(Mandatory=$False)] [String]$Resource, [Parameter(Mandatory=$False)] [String]$ClientId, [Parameter(Mandatory=$False)] [String]$Tenant, [Parameter(Mandatory=$False)] [bool]$ForceMFA=$false, [Parameter(Mandatory=$False)] [bool]$ForceNGCMFA=$false, [Parameter(Mandatory=$False)] [string]$RefreshTokenCredential, [Parameter(Mandatory=$False)] [System.Management.Automation.PSCredential]$Credentials, [Parameter(Mandatory=$False)] [string]$OTPSecretKey, [Parameter(Mandatory=$False)] [string]$TAP, [Parameter(Mandatory=$False)] [string]$RedirectURI, [Parameter(Mandatory=$False)] [string]$SubScope, [Parameter(Mandatory=$False)] [string]$ESTSAUTH ) Process { # Set AMR values as needed $amr = $null if($ForceMFA) { $amr = "mfa" } elseif($ForceNGCMFA) { $amr = "ngcmfa" } # If we have credentials, try first using ROPC flow $response = $null if($Credentials -and [string]::IsNullOrEmpty($amr) -and [string]::IsNullOrEmpty((Get-CredentialType -UserName $Credentials.UserName).Credentials.FederationRedirectUrl)) { Write-Verbose "Domain not federated, credentials provided, and no MFA enforced. Trying ROPC flow." # Create a body for REST API request $body = @{ "resource"=$Resource "client_id"=$ClientId "grant_type"="password" "username"=$Credentials.UserName "password"=$Credentials.GetNetworkCredential().Password "scope"="openid" } # Debug Write-Debug "AUTHENTICATION BODY: $($body | Out-String)" # Set the content type and call the Microsoft Online authentication API # Headers $headers = @{ "Content-Type" = "application/x-www-form-urlencoded" "User-Agent" = Get-UserAgent } try { $response=Invoke-RestMethod -UseBasicParsing -Uri "https://login.microsoftonline.com/common/oauth2/token" -Method POST -Body $body -Headers $headers } catch { Write-Verbose "ROPC failed, switching to interactive flow: $(($_.ErrorDetails.Message | convertfrom-json).error_description)" } } if($null -eq $response) { # Check the tenant if([string]::IsNullOrEmpty($Tenant)) { $Tenant = "common" } # Get the authorization code $authorizationCode = Get-AuthorizationCode -Resource $Resource -ClientId $ClientId -Tenant $Tenant -AMR $amr -RefreshTokenCredential $RefreshTokenCredential -Credentials $Credentials -OTPSecretKey $OTPSecretKey -TAP $TAP -RedirectURI $RedirectURI -SubScope $SubScope -ESTSAUTH $ESTSAUTH if($authorizationCode) { if([string]::IsNullOrEmpty($RedirectURI)) { $RedirectURI = Get-AuthRedirectUrl -ClientId $ClientId -Resource $Resource } # Construct the body for auth code grant $body = @{ client_id = $ClientId grant_type = "authorization_code" code = $authorizationCode redirect_uri = $RedirectURI } # Headers $headers = @{ "Content-Type" = "application/x-www-form-urlencoded" "User-Agent" = Get-UserAgent } $response = Invoke-RestMethod -UseBasicParsing -Uri "$(Get-TenantLoginUrl -SubScope $SubScope)/$Tenant/oauth2/token" -Method POST -Body $body -Headers $headers } } # return return $response } } ## GENERAL ADMIN API FUNCTIONS # Gets Office 365 instance names (used when getting ip addresses) function Get-EndpointInstances { <# .SYNOPSIS Get Office 365 endpoint instances .DESCRIPTION Get Office 365 endpoint instances .Example PS C:\>Get-AADIntEndpointInstances instance latest -------- ------ Worldwide 2018100100 USGovDoD 2018100100 USGovGCCHigh 2018100100 China 2018100100 Germany 2018100100 #> [cmdletbinding()] Param() Process { $clientrequestid=(New-Guid).ToString(); Invoke-RestMethod -UseBasicParsing -Uri "https://endpoints.office.com/version?clientrequestid=$clientrequestid" } } # Gets Office 365 ip addresses for specific instance function Get-EndpointIps { <# .SYNOPSIS Get Office 365 endpoint ips and urls .DESCRIPTION Get Office 365 endpoint ips and urls .Parameter Instance The instance which ips and urls are returned. Defaults to WorldWide. .Example PS C:\>Get-AADIntEndpointIps id : 1 serviceArea : Exchange serviceAreaDisplayName : Exchange Online urls : {outlook.office.com, outlook.office365.com} ips : {13.107.6.152/31, 13.107.9.152/31, 13.107.18.10/31, 13.107.19.10/31...} tcpPorts : 80,443 expressRoute : True category : Optimize required : True id : 2 serviceArea : Exchange serviceAreaDisplayName : Exchange Online urls : {smtp.office365.com} ips : {13.107.6.152/31, 13.107.9.152/31, 13.107.18.10/31, 13.107.19.10/31...} tcpPorts : 587 expressRoute : True category : Allow required : True .Example PS C:\>Get-AADIntEndpointIps -Instance Germany id : 1 serviceArea : Exchange serviceAreaDisplayName : Exchange Online urls : {outlook.office.de} ips : {51.4.64.0/23, 51.5.64.0/23} tcpPorts : 80,443 expressRoute : False category : Optimize required : True id : 2 serviceArea : Exchange serviceAreaDisplayName : Exchange Online urls : {r1.res.office365.com} tcpPorts : 80,443 expressRoute : False category : Default required : True #> [cmdletbinding()] Param( [Parameter()] [ValidateSet('Worldwide','USGovDoD','USGovGCCHigh','China','Germany')] [String]$Instance="Worldwide" ) Process { $clientrequestid=(New-Guid).ToString(); Invoke-RestMethod -UseBasicParsing -Uri ("https://endpoints.office.com/endpoints/$Instance"+"?clientrequestid=$clientrequestid") } } # Gets username from authorization header # Apr 4th 2019 function Get-UserNameFromAuthHeader { Param( [Parameter(Mandatory=$True)] [String]$Auth ) Process { $type = $Auth.Split(" ")[0] $data = $Auth.Split(" ")[1] if($type -eq "Basic") { ([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($data))).Split(":")[0] } else { (Read-Accesstoken -AccessToken $data).upn } } } # Creates authorization header from Credentials or AccessToken # Apr 4th 2019 function Create-AuthorizationHeader { Param( [Parameter()] [System.Management.Automation.PSCredential]$Credentials, [Parameter()] [String]$AccessToken, [Parameter()] [String]$Resource, [Parameter()] [String]$ClientId ) Process { if($Credentials -ne $null) { $userName = $Credentials.UserName $password = $Credentials.GetNetworkCredential().Password $auth = "Basic $([Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes("$($userName):$($password)")))" } else { # Get from cache if not provided $AccessToken = Get-AccessTokenFromCache -AccessToken $AccessToken -Resource $Resource -ClientId $ClientId $auth = "Bearer $AccessToken" } return $auth } } # Gets Microsoft online services' public keys # May 18th 2020 function Get-APIKeys { [cmdletbinding()] Param( [Parameter()] [String]$KeyId ) Process { $keys=Invoke-RestMethod -UseBasicParsing -Uri "https://login.microsoftonline.com/common/discovery/keys" if($KeyId) { $keys.keys | Where-Object -Property kid -eq $KeyId | Select-Object -ExpandProperty x5c } else { $keys.keys } } } # Gets the AADInt credentials cache # Jun 14th 2020 function Get-Cache { <# .SYNOPSIS Dumps AADInternals credentials cache .DESCRIPTION Dumps AADInternals credentials cache .EXAMPLE Get-AADIntCache | Format-Table Name ClientId Audience Tenant IsExpired HasRefreshToken ---- -------- -------- ------ --------- --------------- admin@company.com 1b730954-1685-4b74-9bfd-dac224a7b894 https://graph.windows.net 82205ae4-4c4e-4db5-890c-cb5e5a98d7a3 False True admin@company.com 1b730954-1685-4b74-9bfd-dac224a7b894 https://management.core.windows.net/ 82205ae4-4c4e-4db5-890c-cb5e5a98d7a3 False True #> [cmdletbinding()] Param() Process { $cacheKeys = $script:tokens.keys # Loop through the cache elements foreach($key in $cacheKeys) { $accessToken=$script:tokens[$key] if([string]::IsNullOrEmpty($accessToken)) { Write-Warning "Access token with key ""$key"" not found!" return } $parsedToken = Read-Accesstoken -AccessToken $accessToken if($parsedToken.xms_mirid) { # Managed identity $name = $parsedToken.xms_mirid.Substring($parsedToken.xms_mirid.LastIndexOf("/")+1) } else { $name = $parsedToken.unique_name } $attributes = [ordered]@{ "Name" = $name "ClientId" = $parsedToken.appid "Audience" = $parsedToken.aud "Tenant" = $parsedToken.tid "IsExpired" = Is-AccessTokenExpired -AccessToken $accessToken "HasRefreshToken" = $script:refresh_tokens.Contains($key) "AuthMethods" = $parsedToken.amr "Device" = $parsedToken.deviceid } New-Object psobject -Property $attributes } } } # Clears the AADInt credentials cache # Jun 14th 2020 function Clear-Cache { <# .SYNOPSIS Clears AADInternals credentials cache .DESCRIPTION Clears AADInternals credentials cache .EXAMPLE Clear-AADIntCache #> [cmdletbinding()] Param() Process { $script:tokens = @{} $script:refresh_tokens = @{} } } # Adds an access and refresh token to cache # Aug 30th 2022 function Add-AccessTokenToCache { <# .SYNOPSIS Adds the given access token to AADInternals credentials cache .DESCRIPTION Adds the given access token to AADInternals credentials cache .PARAMETER AccessToken The access token to add .PARAMETER RefreshToken The refresh token to add .EXAMPLE Add-AADIntAccessTokenToCache -AccessToken "eyJ0eXAiOiJKV..." Name ClientId Audience Tenant IsExpired HasRefreshToken ---- -------- -------- ------ --------- --------------- admin@company.com 1b730954-1685-4b74-9bfd-dac224a7b894 https://graph.windows.net 82205ae4-4c4e-4db5-890c-cb5e5a98d7a3 False False .EXAMPLE Add-AADIntAccessTokenToCache -AccessToken "eyJ0eXAiOiJKV..." -RefreshToken "0.AXkAnZT_xZYmaEueEwVfGe..." Name ClientId Audience Tenant IsExpired HasRefreshToken ---- -------- -------- ------ --------- --------------- admin@company.com 1b730954-1685-4b74-9bfd-dac224a7b894 https://graph.windows.net 82205ae4-4c4e-4db5-890c-cb5e5a98d7a3 False True #> [cmdletbinding()] Param( [Parameter(Mandatory=$True,ValueFromPipeline)] [String]$AccessToken, [Parameter(Mandatory=$False)] [String]$RefreshToken, [Parameter(Mandatory=$False)] [boolean]$ShowCache = $true ) Process { # Parse the token $parsedToken = Read-Accesstoken -AccessToken $accessToken $clientId = $parsedToken.appid $resource = $parsedToken.aud.TrimEnd("/") # Add to cache $Script:tokens["$clientId-$resource"] = $AccessToken if(![string]::IsNullOrEmpty($RefreshToken)) { Add-RefreshTokenToCache -ClientId $clientId -Resource $resource -RefreshToken $RefreshToken } # Dump the cache if($ShowCache) { Get-Cache } } } # Adds refresh token to cache # Apr 25th 2023 function Add-RefreshTokenToCache { [cmdletbinding()] Param( [Parameter(Mandatory=$True)] [String]$RefreshToken, [Parameter(Mandatory=$True)] [String]$ClientId, [Parameter(Mandatory=$True)] [String]$Resource ) Process { # Strip the trailing slash $Resource = $Resource.TrimEnd("/") $Script:refresh_tokens["$ClientId-$Resource"] = $RefreshToken } } # Gets other domains of the given tenant # Jun 15th 2020 function Get-TenantDomains { <# .SYNOPSIS Gets other domains from the tenant of the given domain .DESCRIPTION Uses Exchange Online autodiscover service to retrive other domains from the tenant of the given domain. The given domain SHOULD be Managed, federated domains are not always found for some reason. If nothing is found, try to use <domain>.onmicrosoft.com .Example Get-AADIntTenantDomains -Domain company.com company.com company.fi company.co.uk company.onmicrosoft.com company.mail.onmicrosoft.com #> [cmdletbinding()] Param( [Parameter(Mandatory=$True)] [String]$Domain, [Parameter(Mandatory=$False)] [String]$SubScope ) Process { # Get Tenant Region subscope from Open ID configuration if not provided if([string]::IsNullOrEmpty($SubScope)) { $SubScope = Get-TenantSubscope -Domain $Domain } # Use the correct url switch($SubScope) { "DOD" # DoD { $uri = "https://autodiscover-s-dod.office365.us/autodiscover/autodiscover.svc" } "DODCON" # GCC-High { $uri = "https://autodiscover-s.office365.us/autodiscover/autodiscover.svc" } default # Commercial/GCC { $uri = "https://autodiscover-s.outlook.com/autodiscover/autodiscover.svc" } } # Create the body $body=@" <?xml version="1.0" encoding="utf-8"?> <soap:Envelope xmlns:exm="http://schemas.microsoft.com/exchange/services/2006/messages" xmlns:ext="http://schemas.microsoft.com/exchange/services/2006/types" xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"> <soap:Header> <a:Action soap:mustUnderstand="1">http://schemas.microsoft.com/exchange/2010/Autodiscover/Autodiscover/GetFederationInformation</a:Action> <a:To soap:mustUnderstand="1">$uri</a:To> <a:ReplyTo> <a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address> </a:ReplyTo> </soap:Header> <soap:Body> <GetFederationInformationRequestMessage xmlns="http://schemas.microsoft.com/exchange/2010/Autodiscover"> <Request> <Domain>$Domain</Domain> </Request> </GetFederationInformationRequestMessage> </soap:Body> </soap:Envelope> "@ # Create the headers $headers=@{ "Content-Type" = "text/xml; charset=utf-8" "SOAPAction" = '"http://schemas.microsoft.com/exchange/2010/Autodiscover/Autodiscover/GetFederationInformation"' "User-Agent" = Get-UserAgent } # Invoke $response = Invoke-RestMethod -UseBasicParsing -Method Post -uri $uri -Body $body -Headers $headers # Return $domains = @($response.Envelope.body.GetFederationInformationResponseMessage.response.Domains.Domain) if($Domain -notin $domains) { $domains += $Domain } $domains | Sort-Object } } # Gets the auth_redirect url for the given client and resource # Aug 12th 2021 function Get-AuthRedirectUrl { [cmdletbinding()] Param( [Parameter(Mandatory=$True)] [String]$ClientId, [Parameter(Mandatory=$True)] [String]$Resource ) Begin { $oobClients = @( "d3590ed6-52b3-4102-aeff-aad2292ab01c" # Microsoft Office "29d9ed98-a469-4536-ade2-f981bc1d605e" # Microsoft Authentication Broker "9ba1a5c7-f17a-4de9-a1f1-6178c8d51223" # Microsoft Intune Company Portal ) } Process { # default $redirect_uri = "https://login.microsoftonline.com/common/oauth2/nativeclient" if($ClientId -eq "1fec8e78-bce4-4aaf-ab1b-5451cc387264") # Teams { $redirect_uri = "https://login.microsoftonline.com/common/oauth2/nativeclient" } elseif($ClientId -eq "9bc3ab49-b65d-410a-85ad-de819febfddc") # SPO { $redirect_uri = "https://oauth.spops.microsoft.com/" } elseif($ClientId -eq "c44b4083-3bb0-49c1-b47d-974e53cbdf3c") # Azure admin interface { $redirect_uri = "https://portal.azure.com/signin/index/?feature.prefetchtokens=true&feature.showservicehealthalerts=true&feature.usemsallogin=true" } elseif($ClientId -eq "0000000c-0000-0000-c000-000000000000") # Azure AD Account { $redirect_uri = "https://account.activedirectory.windowsazure.com/" } elseif($ClientId -eq "19db86c3-b2b9-44cc-b339-36da233a3be2") # My sign-ins { $redirect_uri = "https://mysignins.microsoft.com" } elseif($ClientId -eq "29d9ed98-a469-4536-ade2-f981bc1d605e" -and $Resource -ne "https://enrollment.manage.microsoft.com/") # Azure AD Join { $redirect_uri = "ms-aadj-redir://auth/drs" } elseif($ClientId -eq "0c1307d4-29d6-4389-a11c-5cbe7f65d7fa") # Azure Android App { $redirect_uri = "https://azureapp" } elseif($ClientId -eq "33be1cef-03fb-444b-8fd3-08ca1b4d803f") # OneDrive Web { $redirect_uri = "https://admin.onedrive.com/" } elseif($ClientId -eq "ab9b8c07-8f02-4f72-87fa-80105867a763") # OneDrive native client { $redirect_uri = "https://login.windows.net/common/oauth2/nativeclient" } elseif($ClientId -eq "3d5cffa9-04da-4657-8cab-c7f074657cad") # MS Commerce { $redirect_uri = "http://localhost/m365/commerce" } elseif($ClientId -eq "4990cffe-04e8-4e8b-808a-1175604b879f") # MS Partner - this flow doesn't work as expected :( { $redirect_uri = "https://partner.microsoft.com/aad/authPostGateway" } elseif($ClientId -eq "fb78d390-0c51-40cd-8e17-fdbfab77341b" -or # Microsoft Exchange REST API Based Powershell $ClientId -eq "fdd7719f-d61e-4592-b501-793734eb8a0e" -or # SharePoint Migration Tool $ClientId -eq "a0c73c16-a7e3-4564-9a95-2bdf47383716") # EXO PS { $redirect_uri = "https://login.microsoftonline.com/common/oauth2/nativeclient" } elseif($ClientId -eq "3b511579-5e00-46e1-a89e-a6f0870e2f5a") { $redirect_uri = "https://windows365.microsoft.com/signin-oidc" } elseif($ClientId -eq "08e18876-6177-487e-b8b5-cf950c1e598c") # SharePoint Online Web Client Extensibility { $redirect_uri = "https://*-admin.sharepoint.com/_forms/spfxsinglesignon.aspx" } elseif($ClientId -eq "29d9ed98-a469-4536-ade2-f981bc1d605e" -and $Resource -ne "https://enrollment.manage.microsoft.com/") # AADJoin { $auth_redirect="ms-aadj-redir://auth/drs" } elseif($ClientId -eq "dd762716-544d-4aeb-a526-687b73838a22") # WHfB? { $redirect_uri = "ms-appx-web://microsoft.aad.brokerplugin/dd762716-544d-4aeb-a526-687b73838a22" } elseif($ClientId -eq "4765445b-32c6-49b0-83e6-1d93765276ca") # Office Web UI { $redirect_uri = "https://www.office.com/landingv2" } elseif($oobClients -contains $ClientId) { $redirect_uri = "urn:ietf:wg:oauth:2.0:oob" } return $redirect_uri } } # Gets RST token # Mar 3rd 2023 function Get-RSTToken { [cmdletbinding()] Param( [Parameter(ParameterSetName='Credentials',Mandatory=$True)] [System.Management.Automation.PSCredential]$Credentials, [Parameter(ParameterSetName='UserNameAndPassword',Mandatory=$True)] [String]$UserName, [Parameter(ParameterSetName='UserNameAndPassword',Mandatory=$False)] [String]$Password, [Parameter(Mandatory=$True)] [String]$EndpointAddress, [Parameter(Mandatory=$True)] [String]$Url ) Process { If([String]::IsNullOrEmpty($UserName)) { $UserName = $Credentials.UserName $Password = $Credentials.GetNetworkCredential().password } $requestId = (New-Guid).ToString() $now = Get-Date $created = $now.toUniversalTime().toString("o") $expires = $now.addMinutes(10).toUniversalTime().toString("o") $body=@" <?xml version='1.0' encoding='UTF-8'?> <s:Envelope xmlns:s='http://www.w3.org/2003/05/soap-envelope' xmlns:wsse='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd' xmlns:saml='urn:oasis:names:tc:SAML:1.0:assertion' xmlns:wsp='http://schemas.xmlsoap.org/ws/2004/09/policy' xmlns:wsu='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd' xmlns:wsa='http://www.w3.org/2005/08/addressing' xmlns:wssc='http://schemas.xmlsoap.org/ws/2005/02/sc' xmlns:wst='http://schemas.xmlsoap.org/ws/2005/02/trust' xmlns:ic='http://schemas.xmlsoap.org/ws/2005/05/identity'> <s:Header> <wsa:Action s:mustUnderstand='1'>http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue</wsa:Action> <wsa:To s:mustUnderstand='1'>$url</wsa:To> <wsa:MessageID>urn:uuid:$((New-Guid).ToString())</wsa:MessageID> <wsse:Security s:mustUnderstand="1"> <wsu:Timestamp wsu:Id="_0"> <wsu:Created>$created</wsu:Created> <wsu:Expires>$expires</wsu:Expires> </wsu:Timestamp> <wsse:UsernameToken wsu:Id="uuid-$((New-Guid).toString())"> <wsse:Username>$UserName</wsse:Username> <wsse:Password>$Password</wsse:Password> </wsse:UsernameToken> </wsse:Security> </s:Header> <s:Body> <wst:RequestSecurityToken Id='RST0'> <wst:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</wst:RequestType> <wsp:AppliesTo> <wsa:EndpointReference> <wsa:Address>$EndpointAddress</wsa:Address> </wsa:EndpointReference> </wsp:AppliesTo> <wst:KeyType>http://schemas.xmlsoap.org/ws/2005/05/identity/NoProofKey</wst:KeyType> </wst:RequestSecurityToken> </s:Body> </s:Envelope> "@ try { $response = Invoke-RestMethod -UseBasicParsing -Uri $url -Method Post -Body $body -ErrorAction SilentlyContinue $tokenResponse = $response.Envelope.Body.RequestSecurityTokenResponse if($tokenResponse) { switch($tokenResponse.TokenType) { # DesktopSSOToken when EndpointAddress is: # urn:federation:MicrosoftOnline ("urn:oasis:names:tc:SAML:1.0:assertion") { $token = $tokenResponse.RequestedSecurityToken.Assertion.DesktopSsoToken break } # Passport Compact when EndpointAddress is one of: # officeapps.live.com # sharepoint.com ("urn:passport:compact") { $token = $tokenResponse.RequestedSecurityToken.BinarySecurityToken.'#text' break } # Passport Legacy when EndpointAddress is: # http://Passport.NET/tb ("urn:passport:legacy") { # TODO: Try to figure out how this is encrypted $cipherData = $tokenResponse.RequestedSecurityToken.EncryptedData.CipherData.CipherData $keyName = $tokenResponse.RequestedSecurityToken.EncryptedData.KeyInfo.KeyName $encAlg = $tokenResponse.RequestedSecurityToken.EncryptedData.EncryptionMethod.Algorithm Write-Warning "Unable to decrypt legacy passport token, returning encrypted token" $token = $cipherData break } } return $token } else { $errorDetails = $response.Envelope.Body.Fault.Detail.error.internalerror.text } } catch { $stream = $_.Exception.Response.GetResponseStream() $responseBytes = New-Object byte[] $stream.Length $stream.Position = 0 $stream.Read($responseBytes,0,$stream.Length) | Out-Null $responseXml = [xml][text.encoding]::UTF8.GetString($responseBytes) $errorDetails = $responseXml.Envelope.Body.Fault.Detail.error.internalerror.text } throw $errorDetails } } # Checks whether the client is a FOCI clientid # Apr 25th 2023 function IsFOCI { [cmdletbinding()] Param( [Parameter(Mandatory=$True)] [guid]$ClientId, [Parameter(Mandatory=$False)] [int]$FOCI = -1 ) Process { # If FOCI = 1 this is 100% a FOCI client # Is this a known FOCI client? $isFOCI = $Script:FOCIs.ContainsKey($ClientId.ToString()) Write-Verbose "FOCI: Known FOCI $isFOCI, FOCI indicator $FOCI" # Is this a new or deprecated FOCI client? if($isFOCI -and $FOCI -eq 0) { # Found in FOCI list, but no FOCI indicator present Write-Warning "Found deprecated FOCI client $ClientId. Please report at https://github.com/secureworks/family-of-client-ids-research" $isFOCI = $False } elseif ($FOCI -eq 1 -and -not $isFOCI) { # Not found on FOCI list, but FOCI indicator present Write-Warning "Found a new FOCI client $ClientId. Please report at https://github.com/secureworks/family-of-client-ids-research" $Script:FOCIs[$ClientId] = "UNKNOWN" $isFOCI = $True } return $isFOCI } } # Lists FOCI clients # Apr 26th 2023 function Get-FOCIClientIDs { <# .SYNOPSIS Dumps the list of known FOCI client ids .DESCRIPTION Dumps the list of Family of known Client IDs (FOCI) client ids .Parameter Online Get's list online from https://raw.githubusercontent.com/secureworks/family-of-client-ids-research/main/known-foci-clients.csv .Example PS C:\>Get-AADIntFOCIClientIDs client_id application_name --------- ---------------- 00b41c95-dab0-4487-9791-b9d2c32c80f2 Office 365 Management 04b07795-8ddb-461a-bbee-02f9e1bf7b46 Microsoft Azure CLI 1950a258-227b-4e31-a9cf-717495945fc2 Microsoft Azure PowerShell 1fec8e78-bce4-4aaf-ab1b-5451cc387264 Microsoft Teams 26a7ee05-5602-4d76-a7ba-eae8b7b67941 Windows Search 27922004-5251-4030-b22d-91ecd9a37ea4 Outlook Mobile 4813382a-8fa7-425e-ab75-3b753aab3abb Microsoft Authenticator App ab9b8c07-8f02-4f72-87fa-80105867a763 OneDrive SyncEngine d3590ed6-52b3-4102-aeff-aad2292ab01c Microsoft Office 872cd9fa-d31f-45e0-9eab-6e460a02d1f1 Visual Studio af124e86-4e96-495a-b70a-90f90ab96707 OneDrive iOS App 2d7f3606-b07d-41d1-b9d2-0d0c9296a6e8 Microsoft Bing Search for Microsoft Edge 844cca35-0656-46ce-b636-13f48b0eecbd Microsoft Stream Mobile Native 87749df4-7ccf-48f8-aa87-704bad0e0e16 Microsoft Teams - Device Admin Agent cf36b471-5b44-428c-9ce7-313bf84528de Microsoft Bing Search 0ec893e0-5785-4de6-99da-4ed124e5296c Office UWP PWA 22098786-6e16-43cc-a27d-191a01a1e3b5 Microsoft To-Do client 4e291c71-d680-4d0e-9640-0a3358e31177 PowerApps 57336123-6e14-4acc-8dcf-287b6088aa28 Microsoft Whiteboard Client 57fcbcfa-7cee-4eb1-8b25-12d2030b4ee0 Microsoft Flow 66375f6b-983f-4c2c-9701-d680650f588f Microsoft Planner 9ba1a5c7-f17a-4de9-a1f1-6178c8d51223 Microsoft Intune Company Portal a40d7d7d-59aa-447e-a655-679a4107e548 Accounts Control UI a569458c-7f2b-45cb-bab9-b7dee514d112 Yammer iPhone b26aadf8-566f-4478-926f-589f601d9c74 OneDrive c0d2a505-13b8-4ae0-aa9e-cddd5eab0b12 Microsoft Power BI d326c1ce-6cc6-4de2-bebc-4591e5e13ef0 SharePoint e9c51622-460d-4d3d-952d-966a5b1da34c Microsoft Edge eb539595-3fe1-474e-9c1d-feb3625d1be5 Microsoft Tunnel ecd6b820-32c2-49b6-98a6-444530e5a77a Microsoft Edge f05ff7c9-f75a-4acd-a3b5-f4b6a870245d SharePoint Android f44b1140-bc5e-48c6-8dc0-5cf5a53c0e34 Microsoft Edge .Example PS C:\>Get-AADIntFOCIClientIDs -Online client_id application_name --------- ---------------- 00b41c95-dab0-4487-9791-b9d2c32c80f2 Office 365 Management 04b07795-8ddb-461a-bbee-02f9e1bf7b46 Microsoft Azure CLI 1950a258-227b-4e31-a9cf-717495945fc2 Microsoft Azure PowerShell 1fec8e78-bce4-4aaf-ab1b-5451cc387264 Microsoft Teams 26a7ee05-5602-4d76-a7ba-eae8b7b67941 Windows Search 27922004-5251-4030-b22d-91ecd9a37ea4 Outlook Mobile 4813382a-8fa7-425e-ab75-3b753aab3abb Microsoft Authenticator App ab9b8c07-8f02-4f72-87fa-80105867a763 OneDrive SyncEngine d3590ed6-52b3-4102-aeff-aad2292ab01c Microsoft Office 872cd9fa-d31f-45e0-9eab-6e460a02d1f1 Visual Studio af124e86-4e96-495a-b70a-90f90ab96707 OneDrive iOS App 2d7f3606-b07d-41d1-b9d2-0d0c9296a6e8 Microsoft Bing Search for Microsoft Edge 844cca35-0656-46ce-b636-13f48b0eecbd Microsoft Stream Mobile Native 87749df4-7ccf-48f8-aa87-704bad0e0e16 Microsoft Teams - Device Admin Agent cf36b471-5b44-428c-9ce7-313bf84528de Microsoft Bing Search 0ec893e0-5785-4de6-99da-4ed124e5296c Office UWP PWA 22098786-6e16-43cc-a27d-191a01a1e3b5 Microsoft To-Do client 4e291c71-d680-4d0e-9640-0a3358e31177 PowerApps 57336123-6e14-4acc-8dcf-287b6088aa28 Microsoft Whiteboard Client 57fcbcfa-7cee-4eb1-8b25-12d2030b4ee0 Microsoft Flow 66375f6b-983f-4c2c-9701-d680650f588f Microsoft Planner 9ba1a5c7-f17a-4de9-a1f1-6178c8d51223 Microsoft Intune Company Portal a40d7d7d-59aa-447e-a655-679a4107e548 Accounts Control UI a569458c-7f2b-45cb-bab9-b7dee514d112 Yammer iPhone b26aadf8-566f-4478-926f-589f601d9c74 OneDrive c0d2a505-13b8-4ae0-aa9e-cddd5eab0b12 Microsoft Power BI d326c1ce-6cc6-4de2-bebc-4591e5e13ef0 SharePoint e9c51622-460d-4d3d-952d-966a5b1da34c Microsoft Edge eb539595-3fe1-474e-9c1d-feb3625d1be5 Microsoft Tunnel ecd6b820-32c2-49b6-98a6-444530e5a77a Microsoft Edge f05ff7c9-f75a-4acd-a3b5-f4b6a870245d SharePoint Android f44b1140-bc5e-48c6-8dc0-5cf5a53c0e34 Microsoft Edge #> [cmdletbinding()] Param( [Parameter(Mandatory=$False)] [switch]$Online ) Process { if($Online) { try { $FOCIClients = Invoke-RestMethod -UseBasicParsing -Uri "https://raw.githubusercontent.com/secureworks/family-of-client-ids-research/main/known-foci-clients.csv" ConvertFrom-Csv -Delimiter "," -InputObject $FOCIClients } catch { Throw "Unable to get FOCI clients from https://raw.githubusercontent.com/secureworks/family-of-client-ids-research/main/known-foci-clients.csv" } } else { foreach($key in $Script:FOCIs.Keys) { [PSCustomObject]@{ "client_id" = $key "application_name" = $Script:FOCIs[$key] } } } } } # Parses config from login.microsoftonline.com sites # May 28th 2023 function Parse-LoginMicrosoftOnlineComConfig { [cmdletbinding()] Param( [Parameter(Mandatory=$True)] [String]$Body ) Process { # Try to get the $Config= $c = Get-StringBetween -String $body -Start '$Config=' -End "//]]>" try { # Trim null, carriage return, newline, and ; $c = $c.TrimEnd(@(0x00,0x0a,0x0d,0x3B)) $j = $c | ConvertFrom-Json -ErrorAction SilentlyContinue # Some verbose if($j.serverDetails) { $s = $j.serverDetails Write-Verbose "SERVER: $($s.dc) $($s.ri) $($s.ver.v -join ".")" } if($j.correlationId) { Write-Verbose "Correlation ID: $($j.correlationId)" } if($j.sessionId) { Write-Verbose "Session ID: $($j.sessionId)" } } catch {} return $j } } # Gets authorization code in interactive mode - Supports MFA # May 28th 2023 # OAuth 2.0 Auth code grant flow function Get-AuthorizationCode { [cmdletbinding()] Param( # Use these default values to get the code as some tenants may have blocked others with Conditional Access. # You can then use the refresh_token to get access_token for correct resource and clientid. [Parameter(Mandatory=$False)] [String]$Resource = "https://graph.windows.net", [Parameter(Mandatory=$True)] [String]$ClientId = "1b730954-1685-4b74-9bfd-dac224a7b894", [Parameter(Mandatory=$False)] [String]$Tenant, [Parameter(Mandatory=$False)] [string]$AMR, [Parameter(Mandatory=$False)] [string]$RefreshTokenCredential, [Parameter(Mandatory=$False)] [System.Management.Automation.PSCredential]$Credentials, [Parameter(Mandatory=$False)] [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate, [Parameter(Mandatory=$False)] [string]$PfxFileName, [Parameter(Mandatory=$False)] [string]$PfxPassword, [Parameter(Mandatory=$False)] [string]$OTPSecretKey, [Parameter(Mandatory=$False)] [string]$TAP, [Parameter(Mandatory=$False)] [string]$RedirectURI, [Parameter(Mandatory=$False)] [switch]$AppConsent, [Parameter(Mandatory=$False)] [string]$SubScope, [Parameter(Mandatory=$False)] [string]$ESTSAUTH, [Parameter(Mandatory=$False)] [switch]$DumpESTSAUTH, [Parameter(Mandatory=$False)] [boolean]$KMSI ) Begin { # Function for processing ADFS authentication function Process-ADFSLogin { [cmdletbinding()] Param( [Parameter(Mandatory=$False)] [System.Management.Automation.PSCredential]$Credentials, [Parameter(Mandatory=$False)] [String]$UserName, [Parameter(Mandatory=$False)] [Microsoft.PowerShell.Commands.WebRequestSession]$webSession, [Parameter(Mandatory=$True)] [String]$FederationRedirectUrl, [Parameter(Mandatory=$False)] [string]$SubScope ) Process { # If authentication type is Federated, we must first authenticate against the identity provider # to fetch SAML token and then get access token from Microsoft Online if($Credentials) { $UserName = $Credentials.UserName } # Only ADFS is supported if(!$FederationRedirectUrl.Contains("/adfs/")) { Throw "Only ADFS federation is supported." } # Loop until we get a correct password or get CTRL+C $passwordOk = $false while(-not $passwordOk) { # Set credentials if($Credentials) { $password = $Credentials.GetNetworkCredential().Password # Set Credentials to $null to avoid authentication loop $Credentials = $null } # Prompt for password else { $password = Read-HostPassword -Prompt "Password" } if($password -eq $null) { return $null } # Set the parameters $body = @{ "UserName" = $UserName "Kmsi" = "" "AuthMethod" = "FormsAuthentication" "Password" = $password } try { # Authenticate $response = Invoke-WebRequest2 -Uri $FederationRedirectUrl -Method POST -Body $body -Headers $Headers -WebSession $webSession [xml]$xmlResponse = $response.content # Extract WS-Fed parameters $body=@{} foreach($input in $xmlResponse.html.body.form.input) { $body[$input.name] = $input.value } $url = "$(Get-TenantLoginUrl -SubScope $SubScope)/login.srf" return Invoke-WebRequest2 -Uri $url -WebSession $webSession -Method Post -MaximumRedirection 0 -ErrorAction SilentlyContinue -Body $body -Headers @{"User-Agent"="Mozilla/5.0 (Windows NT 10.0; Win64; x64)"} } catch { $_ # Failed, probably just wrong password } } } } # Function for processing password & TAP function Process-Login { [cmdletbinding()] Param( [Parameter(Mandatory=$False)] [System.Management.Automation.PSCredential]$Credentials, [Parameter(Mandatory=$False)] [boolean]$isTAP = $false, [Parameter(Mandatory=$True)] [PSObject]$Config, [Parameter(Mandatory=$False)] [string]$TAP, [Parameter(Mandatory=$False)] [string]$SubScope, [Parameter(Mandatory=$False)] [boolean]$KMSI ) Process { $loginEndPoint = Get-TenantLoginUrl -SubScope $SubScope # Loop until we get a correct password/TAP or get CTRL+C while(-not $passwordOk) { # Use the provided TAP if($isTAP -and -not [string]::IsNullOrEmpty($TAP)) { $password = $TAP } # Use the provided credentials elseif($Credentials) { $password = $Credentials.GetNetworkCredential().Password } # Prompt for password/TAP else { $pwdPrompt = "Password" if($isTAP) { $pwdPrompt = "Temporary Access Pass" } $password = Read-HostPassword -Prompt $pwdPrompt } # Send the password/TAP if($config.urlPost.startsWith("/")) { $url = "$($loginEndPoint)$($config.urlPost)" } else { $url = $config.urlPost } # Create the body $body = @{ "login" = $userName "passwd" = $password "ctx" = $config.sCtx "flowToken" = $config.sFT "canary" = $config.canary "client_id" = $ClientId } if($KMSI) { $body["LoginOptions"] = 1 } if($isTAP) { $body.Remove("passwd") $body["accesspass"] = $password } $response = Invoke-WebRequest2 -Uri $url -WebSession $LoginSession -Method Post -MaximumRedirection 0 -Headers $Headers -Body $body -ErrorAction SilentlyContinue $config = Parse-LoginMicrosoftOnlineComConfig -Body $response.Content # Return app consent stuff if($config.pgid -eq "ConvergedConsent") { return [pscustomobject]@{ "MFA" = $MFA "Config" = $Config "Response" = $response } } # Expired password if($config.pgid -eq "ConvergedChangePassword") { Write-Verbose "ConvergedChangePassword" $newPasswordOk = $false while($newPasswordOk -eq $false) { # Prompt for the password Write-Host "You need to update your password because this is the first time you are signing in, or because your password has expired." $newPassword = Read-HostPassword -Prompt "New password" if([string]::IsNullOrEmpty($newPassword)) { return $null } # SSPR BEGIN $body = @{ "Ctx" = $config.sCtx "FlowToken" = $config.sFT "OldPassword" = $password "NewPassword" = $newPassword } $url = "$($loginEndPoint)$($config.urlAsyncSsprBegin)" $ssprResponse = Invoke-RestMethod -UseBasicParsing -Uri $url -WebSession $LoginSession -Method Post -MaximumRedirection 0 -ErrorAction SilentlyContinue -Headers $Headers -Body ($body | ConvertTo-Json) -ContentType "application/json; charset=UTF-8" # SSPR POLL while($ssprResponse.IsJobPending) { $body = @{ "Ctx" = $ssprResponse.Ctx "FlowToken" = $ssprResponse.FlowToken "CoupledDataCenter" = $ssprResponse.CoupledDataCenter "CoupledScaleUnit" = $ssprResponse.CoupledScaleUnit } $url = "$($loginEndPoint)$($config.urlAsyncSsprPoll)" $ssprResponse = Invoke-RestMethod -UseBasicParsing -Uri $url -WebSession $LoginSession -Method Post -MaximumRedirection 0 -ErrorAction SilentlyContinue -Headers $Headers -Body ($body | ConvertTo-Json) -ContentType "application/json; charset=UTF-8" } # Complexity requirements.. if($ssprResponse.ErrorMessage) { Write-Host $ssprResponse.ErrorMessage -ForegroundColor Red } else { $newPasswordOk = $true } } # SSPR END $body = @{ "ctx" = $ssprResponse.Ctx "flowToken" = $ssprResponse.FlowToken "currentpasswd" = $password "confirmnewpasswd" = $newPassword "canary" = $config.canary } $url = "$($loginEndPoint)$($config.urlPost)" $response = Invoke-WebRequest2 -Uri $url -WebSession $LoginSession -Method Post -MaximumRedirection 0 -Headers $Headers -Body $body -ContentType "application/x-www-form-urlencoded" -ErrorAction SilentlyContinue $config = Parse-LoginMicrosoftOnlineComConfig -Body $response.Content } # MFA action required if($config.pgid -eq "ConvergedProofUpRedirect") { Write-Verbose "ConvergedProofUpRedirect" $MFADays = $config.iRemainingDaysToSkipMfaRegistration if($MFADays) { Write-Warning "MFA must be set up in $($MFA) days" # Create the body $body = @{ "LoginOptions" = 1 "ctx" = $config.sCtx "flowToken" = $config.sFT "canary" = $config.canary } $url = $config.urlSkipMfaRegistration $response = Invoke-WebRequest2 -Uri $url -WebSession $LoginSession -MaximumRedirection 0 -Headers $Headers -ErrorAction SilentlyContinue } else { throw "MFA method must be registered." } } # Keep me signed in prompt elseif($config.pgid -eq "KmsiInterrupt") { Write-Verbose "KMSI" # Create the body $body = @{ "LoginOptions" = 1 "ctx" = $config.sCtx "flowToken" = $config.sFT "canary" = $config.canary } $url = "$($loginEndPoint)$($config.urlPost)" $response = Invoke-WebRequest2 -Uri $url -WebSession $LoginSession -Method Post -MaximumRedirection 0 -Headers $Headers -Body $body -ContentType "application/x-www-form-urlencoded" -ErrorAction SilentlyContinue } # Some weird redirect issue with non-edge Chrome browsers elseif($config.oPostParams) { Throw "Chrome redirect issue. Try using Edge or non-chrome User-Agent." } # Check the response code switch($response.StatusCode) { # We got an error or MFA prompt 200 { $config = Parse-LoginMicrosoftOnlineComConfig -Body $response.Content # Something severe if($config.strServiceExceptionMessage) { # Wrong redirect URI if($config.strServiceExceptionMessage.StartsWith("AADSTS50011")) { Write-Verbose "Invalid redirect URI, trying to get correct one" $newRedirectURI="" try { $url = "$($loginEndPoint)/common/oauth2/authorize?client_id=$ClientID&response_type=code" $response = Invoke-WebRequest2 -Uri $url -WebSession $LoginSession -Method Get -MaximumRedirection 0 -Headers $Headers -ErrorAction SilentlyContinue # Parse from the Location header if($response.StatusCode -eq 302) { $newRedirectURI = $response.Headers.Location.Substring(0,$response.Headers.Location.IndexOf("?")) Write-Verbose "Redirect URI: $newRedirectURI" Write-Warning "Wrong RedirectURI $RedirectURI for client $ClientID." Write-Warning "Try again with switch -RedirectURI $newRedirectURI" } else { Write-Error $config.strServiceExceptionMessage } return $null } catch { throw $config.strServiceExceptionMessage } } else { throw $config.strServiceExceptionMessage } } # Wrong password etc elseif($config.sErrorCode -ne $null) { # When using TAP for MFA, the correct error code is not returned if($config.sErrorCode -eq "InvalidAccessPass") { $AADError = "130503: Your Temporary Access Pass is incorrect. If you don't know your pass, contact your administrator." } # Get error text from Azure AD else { $AADError = Get-Error -ErrorCode $config.sErrorCode } # We don't want to loop with provided password/TAP so throw the error if(($Credentials) -or ($isTAP -and (-not [string]::IsNullOrEmpty($TAP)))) { Throw $AADError } Write-Host $AADError -ForegroundColor Red } # MFA elseif($config.arrUserProofs -ne $null) { $passwordOk = $true $MFA = $true } } # Ok, we got the code! 302 { $passwordOk = $true } } } return [pscustomobject]@{ "MFA" = $MFA "Config" = $Config "Response" = $response } } } } Process { # Remove variables Remove-Variable -Name "LoginSession" -ErrorAction SilentlyContinue Remove-Variable -Name "Config" -ErrorAction SilentlyContinue Remove-Variable -Name "Response" -ErrorAction SilentlyContinue # Load certificate if provided if(!$Certificate -and -not [string]::IsNullOrEmpty($PfxFileName)) { $Certificate = Load-Certificate -FileName $PfxFileName -Password $PfxPassword -Exportable } # Create the url $loginEndPoint = Get-TenantLoginUrl -SubScope $SubScope $request_id=(New-Guid).ToString() # Headers $headers = @{ "User-Agent" = Get-UserAgent } # Get redirect url if([string]::IsNullOrEmpty($RedirectURI)) { $RedirectURI = Get-AuthRedirectUrl -ClientId $ClientId -Resource $Resource } # If ESTSAUTH cookie provided, use that # Ref: https://github.com/rvrsh3ll/TokenTactics/pull/9/commits/1a88fe7f01ea88731de4a23c0b3306d4ed714260 if(![string]::IsNullOrEmpty($ESTSAUTH)) { $url="$loginEndPoint/common/oauth2/authorize?resource=$Resource&client_id=$ClientId&response_type=code&redirect_uri=$RedirectURI&scope=openid" $LoginSession = [Microsoft.PowerShell.Commands.WebRequestSession]::new() $cookie = [System.Net.Cookie]::new("ESTSAUTHPERSISTENT", $ESTSAUTH) $LoginSession.Cookies.Add("$loginEndPoint/", $cookie) $response = Invoke-WebRequest -UseBasicParsing -Uri $url -WebSession $LoginSession -Method get -MaximumRedirection 0 -ErrorAction SilentlyContinue -Headers $Headers try { $config = Parse-LoginMicrosoftOnlineComConfig -Body $response.Content if($config.pgid -ne $null) { $throwMessage = "Unable to get authorization code with ESTSAUTH cookie. Page ID = $($config.pgid). Error = $($config.strServiceExceptionMessage)" } else { return Parse-CodeFromResponse -Response $response } } catch { $throwMessage = "Unable to get authorization code with ESTSAUTH cookie" } if($throwMessage) { Throw $throwMessage } } # If getting app consent, use different url elseif($AppConsent) { $url="$loginEndPoint/$Tenant/oauth2/authorize?client_id=$ClientId&response_type=code&sso_reload=True" } else { $url="$loginEndPoint/$Tenant/oauth2/authorize?resource=$Resource&client_id=$ClientId&response_type=code&redirect_uri=$RedirectURI&client-request-id=$request_id&prompt=login&scope=openid profile&response_mode=query&sso_reload=True" } # Authentication Method References (AMR), "mfa" or "ngcmfa" will enforce MFA # Ref: https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-oapx/0fc398ca-88d0-4118-ae60-c3033e396e60 if($AMR) { $url+="&amr_values=$AMR" } # Set RefreshTokenCredential for device authentication if($RefreshTokenCredential) { $headers["x-ms-RefreshTokenCredential"] = $RefreshTokenCredential $parsedToken = Read-AccessToken -AccessToken $RefreshTokenCredential if($parsedToken.request_nonce) { $url += "&sso_nonce=$($parsedToken.request_nonce)" } } # Make the first request to authorization endpoint. Allow one redirect for sso_nonce $response = Invoke-WebRequest -UseBasicParsing -Uri $url -SessionVariable "LoginSession" -Method get -MaximumRedirection 1 -ErrorAction SilentlyContinue -Headers $Headers $config = Parse-LoginMicrosoftOnlineComConfig -Body $response.Content # Prompt for user name if not provided if($Credentials) { $userName = $Credentials.UserName } else { Write-Host "Logging in to $($config.sCompanyDisplayName)" $userName = Read-Host -Prompt "Enter email, phone, or Skype" } # Get credential type $credType = Get-CredentialType -UserName $userName -FlowToken $config.sFT -OriginalRequest $config.sCtx -webSession $LoginSession # Check whether we are throttling if($credType.ThrottleStatus -eq 1) { Write-Warning "Requests throttled. If authentication fails, wait a minute and try again." } # Does the user exist? if($credType.IfExistsResult -ne 0 -and $credType.IfExistsResult -ne 6 -and $credType.IfExistsResult -ne 5) { Throw "We couldn't find an account with that username." } # Check the credential type (managed vs federated) $isFederated = ![string]::IsNullOrEmpty($credType.Credentials.FederationRedirectUrl) # Do the federated domain authentication if($isFederated) { # Create WS-Fed response $response = Process-ADFSLogin -Credentials $Credentials -UserName $userName -webSession $loginSession -FederationRedirectUrl $credType.Credentials.FederationRedirectUrl -SubScope $SubScope switch($response.StatusCode) { # We got an error or MFA prompt 200 { $config = Parse-LoginMicrosoftOnlineComConfig -Body $response.Content # Something severe if($config.strServiceExceptionMessage) { throw $config.strServiceExceptionMessage } # Wrong password etc elseif($config.sErrorCode -ne $null) { # When using TAP for MFA, the correct error code is not returned if($config.sErrorCode -eq "InvalidAccessPass") { $AADError = "130503: Your Temporary Access Pass is incorrect. If you don't know your pass, contact your administrator." } # Get error text from Azure AD else { $AADError = Get-Error -ErrorCode $config.sErrorCode } # We don't want to loop with provided password/TAP so throw the error if($isTAP -and (-not [string]::IsNullOrEmpty($TAP))) { Throw $AADError } Write-Host $AADError -ForegroundColor Red } # MFA elseif($config.arrUserProofs -ne $null) { $MFA = $true } } # Ok, we got the code! 302 { $passwordOk = $true } } #$config = $loginResponse.Config #$MFA = $loginResponse.MFA #$response = $loginResponse.Response } # Do the managed domain authentication else { # Ask which account to use (MSA or AAD) # MSA not supported at the moment, so skip this <# $accountType = 0 # AAD if($credType.IfExistsResult -eq 6) { $options = @( New-Object System.Management.Automation.Host.ChoiceDescription "&1 Work or school account" New-Object System.Management.Automation.Host.ChoiceDescription "&2 Personal account" ) $accountType = $host.UI.PromptForChoice("Choose account","It looks like this email is used with more than one account from Microsoft. Which one do you want to use?",$options,0) } #> # Choose authentication method $authOptions = @() $nAuthOption = 0 $pwdOption = -2 $cbaOption = -2 $tapOption = -2 # Password? if($credType.Credentials.HasPassword -eq $True) { Write-Verbose "Password enabled." $pwdOption = $nAuthOption $nAuthOption++ $authOptions += New-Object System.Management.Automation.Host.ChoiceDescription "&$nAuthOption Password" } # Temporary Access Pass (TAP)? if($credType.Credentials.HasAccessPass -eq $True) { Write-Verbose "Temporary Access Pass enabled." $tapOption = $nAuthOption $nAuthOption++ $authOptions += New-Object System.Management.Automation.Host.ChoiceDescription "&$nAuthOption Temporary Access Pass" } # Certificate Based Authentication (CBA)? if($credType.Credentials.HasCertAuth -eq $True) { Write-Verbose "CBA enabled." if($Certificate) { $cbaOption = $nAuthOption $nAuthOption++ $authOptions += New-Object System.Management.Automation.Host.ChoiceDescription "&$nAuthOption Certificate" } else { Write-Verbose "No certificate provided, skipping CBA." } } # No supported authentication options found :( if($authOptions.Count -eq 0) { Throw "No supported authentication options found!" } # Just one option so use that elseif($authOptions.Count -eq 1) { $authOption = 0 } # If we have TAP and it's available, use that elseif($tapOption -ge 0 -and -not [string]::IsNullOrEmpty($TAP)) { $authOption = $tapOption } # Prompt for options else { $authOption = $host.UI.PromptForChoice("Authentication options","Choose authentication method",[System.Management.Automation.Host.ChoiceDescription[]]$authOptions,0) } switch($authOption) { $pwdOption { $cPWD = $true } $cbaOption { $cCBA = $true } $tapOption { $cTAP = $true } default { return $null } } # PWD & TAP if($cPWD -or $cTAP) { $loginResponse = Process-Login -Credentials $Credentials -Config $config -IsTAP ($cTAP -eq $true) -TAP $TAP -SubScope $SubScope -KMSI $KMSI if($loginResponse -eq $null) { return $null } $config = $loginResponse.Config $MFA = $loginResponse.MFA $response = $loginResponse.Response } } if($MFA) { # Get MFA types from the config $MFATypes = [ordered]@{} $MFAOptions = @() $m = 1 foreach($mfaType in $config.arrUserProofs) { # Certificate not currently supported if($mfaType.authMethodId -ne "Certificate") { $MFATypes[$mfaType.authMethodId] = $mfaType.display $MFAOptions += New-Object System.Management.Automation.Host.ChoiceDescription "&$m $($mfaType.authMethodId) ($($mfaType.display))" $m++ # If OTPSecret is provided and whe have PhoneAppOTP option, use that if($mfaType.authMethodId -eq "PhoneAppOTP" -and -not [string]::IsNullOrEmpty($OTPSecretKey)) { $mfaMethod = $mfaType.authMethodId } } } if($MFAOptions.Count -eq 0) { Throw "No supported MFA methods found!" } # Ask user to choose MFA method if not automatically chosen if(-not $mfaMethod) { # If there's just one method, use that if($MFATypes.Count -eq 1) { $mfaMethod = [string]$MFATypes.Keys[0] } else { $mfaSelection = $host.UI.PromptForChoice("MFA options","Choose MFA method",$MFAOptions,0) if($mfaSelection -eq -1) { return $null } $p = 0 foreach($key in $MFATypes.Keys) { if($p -eq $mfaSelection) { $mfaMethod = $key break } $p++ } } } # Start the MFA loop $url = $config.urlBeginAuth $body = @{ "AuthMethodId" = $mfaMethod "ctx" = $config.sCtx "flowToken" = $config.sFT "Method" = "BeginAuth" } # TAP has unique MFA flow if($mfaMethod -eq "AccessPass") { $body["AuthMethodId"] = "PhoneAppOTP" } $headers = @{ "User-Agent" = Get-UserAgent "canary" = $config.apiCanary "Content-Type" = "application/json; charset=utf-8" } # SAS/BeginAuth if not TAP if($mfaMethod -eq "AccessPass") { $beginAuth = $true } else { $response = Invoke-RestMethod -UseBasicParsing -Uri $url -WebSession $LoginSession -Method Post -MaximumRedirection 0 -ErrorAction SilentlyContinue -Headers $Headers -Body ($body|ConvertTo-Json) $beginAuth = $response.Success -eq $true } if($beginAuth) { # Prompt for MFA method switch($mfaMethod) { "PhoneAppNotification" { Write-Host "Open your Authenticator app, and enter the number shown to sign in:​​" Write-Host $response.Entropy break } "PhoneAppOTP" { # Use provided OTPSecret if($OTPSecretKey) { Write-Host "Using the provided OTP Secret for MFA." # Calculate OTP using the secret key $OTP = New-AADIntOTP -SecretKey $OTPSecretKey # Strip the spaces $additionalAuthData = $OTP.OTP.Replace(" ","") break } else { $additionalAuthData = Read-Host "Please type in the code displayed on your authenticator app from your device" break } } "OneWaySMS" { $additionalAuthData = Read-Host "We texted your phone $($MFATypes[$mfaMethod]). Please enter the code to sign in" break } "TwoWayVoiceMobile" { Write-Host "We're calling your phone $($MFATypes[$mfaMethod]). Please answer it to continue." break } "TwoWayVoiceAlternateMobile" { Write-Host "We're calling your phone $($MFATypes[$mfaMethod]). Please answer it to continue." break } "AccessPass" { # TAP has a unique flow $loginResponse = Process-Login -Config $config -IsTAP $true -TAP $TAP if($loginResponse -eq $null) { return $null } $config = $loginResponse.Config $MFA = $loginResponse.MFA $response = $loginResponse.Response break } default { Throw "MFA method $mfaMethod not supported." break } } # SAS/EndAuth if($mfaMethod -ne "AccessPass") { for($p = 1;$p -le $config.iMaxPollAttempts ; $p++) { # If OTP or SMS send a single request if(@("PhoneAppOTP","OneWaySMS") -contains $mfaMethod) { $url = $config.urlEndAuth $headers = @{ "User-Agent" = Get-UserAgent "canary" = $config.apiCanary "Content-Type" = "application/json; charset=utf-8" } $body = @{ "AdditionalAuthData" = $additionalAuthData "AuthMethodId" = $mfaMethod "SessionId" = $response.SessionId "FlowToken" = $response.FlowToken "Ctx" = $response.Ctx "Method" = "EndAuth" } $response = Invoke-RestMethod -UseBasicParsing -Uri $url -WebSession $LoginSession -Method Post -MaximumRedirection 0 -ErrorAction SilentlyContinue -Headers $Headers -Body ($body | ConvertTo-Json) } # Poll until we get response or timeout else { $url = "$($config.urlEndAuth)?authMethodId=$mfaMethod&pollCount=$p" $headers = @{ "User-Agent" = Get-UserAgent "x-ms-sessionId" = $response.SessionId "x-ms-flowToken" = $response.FlowToken "x-ms-ctx" = $response.Ctx } $response = Invoke-RestMethod -UseBasicParsing -Uri $url -WebSession $LoginSession -Method Get -MaximumRedirection 0 -ErrorAction SilentlyContinue -Headers $Headers } if($response.Success -eq $true) { # SAS/ProcessAuth $headers = @{ "User-Agent" = Get-UserAgent "Content-Type" = "application/x-www-form-urlencoded" } $url = $config.urlPost $body = @{ "request" = $response.Ctx "mfaAuthMethod" = $mfaMethod "login" = $userName "flowToken" = $response.FlowToken "canary" = $config.canary } $response = Invoke-WebRequest2 -Uri $url -WebSession $LoginSession -Method Post -MaximumRedirection 0 -Headers $Headers -Body $body -ErrorAction SilentlyContinue break } elseif($response.Retry -eq $false) { Throw "$($response.Message) $($response.ResultValue)" } Start-Sleep -Milliseconds $config.iPollingInterval } } } } # Dump app consent stuff if($AppConsent) { return $config } # Some weird redirect again if($response.Content.Contains("https://device.login.microsoftonline.com")) { Write-Warning "Got an error, try using another User-Agent, current is: $(Get-UserAgent)" throw "Got unexpected redirect to https://device.login.microsoftonline.com" } # Check for errors $config = Parse-LoginMicrosoftOnlineComConfig -Body $response.Content if($config.strServiceExceptionMessage) { Write-Warning "Got an error, try using another User-Agent, current is: $(Get-UserAgent)" throw $config.strServiceExceptionMessage } elseif($config.sErrorCode -ne $null) { $AADError = Get-Error -ErrorCode $config.sErrorCode throw $AADError } $authorizationCode = Parse-CodeFromResponse -Response $response # Try to dump the ESTS cookies if($DumpESTSAUTH) { $cookieName = "ESTSAUTH" if($KMSI) { $cookieName += "PERSISTENT" } Write-Verbose "Trying to dump $cookieName cookie" try { foreach($cookie in $LoginSession.Cookies.GetCookies((Get-TenantLoginUrl -SubScope $SubScope))) { if($cookie.Name -eq $cookieName) { return $cookie.Value } } } catch {} } return $authorizationCode } } # May 21st 2024 # Return tenant subscope from Open ID configuration function Get-TenantSubscope { [cmdletbinding()] Param( [Parameter(ParameterSetName='Domain',Mandatory=$True)] [String]$Domain, [Parameter(ParameterSetName='Config',Mandatory=$True)] [PSObject]$OpenIDConfiguration ) Process { # Get Tenant Region subscope from Open ID configuration if($OpenIDConfiguration -eq $null) { $OpenIDConfiguration = Get-OpenIDConfiguration -Domain $Domain } return $OpenIDConfiguration.tenant_region_sub_scope } } # May 21st 2024 # Return tenant login url based on the subscope function Get-TenantLoginUrl { [cmdletbinding()] Param( [Parameter(Mandatory=$false)] [String]$SubScope ) Process { # Use the correct url switch($SubScope) { "DOD" # DoD { return "https://login.microsoftonline.us" } "DODCON" # GCC-High { return "https://login.microsoftonline.us" } default # Commercial/GCC { return "https://login.microsoftonline.com" } } } } |