Public/Get-EntraDeviceAuthRequest.ps1

function Get-EntraDeviceAuthRequest {
    <#
    .SYNOPSIS
        Creates a new device authentication request for an Entra-joined device.

    .DESCRIPTION
        This function generates a new device authentication request for an Entra-joined device by retrieving the necessary certificate information, creating a signature, and constructing the validation request.

    .NOTES
        Author: Florian Salzmann
        Contact: @FlorianSLZ
        Created: 2024-06-21
        Updated: 2024-06-21

        Version history:
        1.0.0 - (2024-06-21) Function created

    #>


    param ()

    try {
        $AzureADJoinInfoRegistryKeyPath = "HKLM:\SYSTEM\CurrentControlSet\Control\CloudDomainJoin\JoinInfo"

        # Check if the registry path for Azure AD Join info exists
        if (Test-Path -Path $AzureADJoinInfoRegistryKeyPath) {
            # Retrieve the certificate thumbprint from the registry
            $CertificateThumbprint = Get-ChildItem -Path $AzureADJoinInfoRegistryKeyPath | Select-Object -ExpandProperty "PSChildName"

            if ($CertificateThumbprint -ne $null) {
                # Retrieve the machine certificate based on the thumbprint from the registry key
                $AzureADJoinCertificate = Get-ChildItem -Path "Cert:\LocalMachine\My" -Recurse | Where-Object { $_.Thumbprint -eq $CertificateThumbprint }
                if ($AzureADJoinCertificate -ne $null) {
                    # Extract the device identifier from the certificate's subject name
                    $AzureADDeviceID = ($AzureADJoinCertificate | Select-Object -ExpandProperty "Subject") -replace "CN=", ""

                    # Get the public key bytes from the certificate and convert to Base64 string
                    [byte[]]$PublicKeyBytes = $AzureADJoinCertificate.GetPublicKey()
                    $PublicKey = [System.Convert]::ToBase64String($PublicKeyBytes)
                
                }else{
                    Write-Error "No Entra Device Certificate found."
                }
            } else {
                Write-Error "No Entra Device Certificate Thumbprint found."
            }

            # Generate the signature using the certificate thumbprint and device ID
            $Signature = New-RSASignatureFromCertificate -Content $AzureADDeviceID -Thumbprint $CertificateThumbprint

            # Construct the validation request object with necessary details
            $ValidationRequest = [ordered]@{
                DeviceName  = $env:COMPUTERNAME
                DeviceID    = $AzureADDeviceID
                Signature   = $Signature
                Thumbprint  = $CertificateThumbprint
                PublicKey   = $PublicKey
            }

            # Return the validation request object
            return $ValidationRequest

        } else {
            Write-Error "Device is not Entra joined."
        }

    } catch {
        Write-Error "Error while processing device authentication request `n$_"
    }
}