MiniGraph.psm1
function Assert-GraphConnection { <# .SYNOPSIS Asserts a valid graph connection has been established. .DESCRIPTION Asserts a valid graph connection has been established. .PARAMETER Cmdlet The $PSCmdlet variable of the calling command. .EXAMPLE PS C:\> Assert-GraphConnection -Cmdlet $PSCmdlet Asserts a valid graph connection has been established. #> [CmdletBinding()] param ( [Parameter(Mandatory = $true)] $Cmdlet ) process { if ($script:token) { return } $exception = [System.InvalidOperationException]::new('Not yet connected to MSGraph. Use Connect-Graph* to establish a connection!') $errorRecord = [System.Management.Automation.ErrorRecord]::new($exception, "NotConnected", 'InvalidOperation', $null) $Cmdlet.ThrowTerminatingError($errorRecord) } } function Connect-GraphRefreshToken { <# .SYNOPSIS Connect with the refresh token provided previously. .DESCRIPTION Connect with the refresh token provided previously. Used mostly for delegate authentication flows to avoid interactivity. .EXAMPLE PS C:\> Connect-GraphRefreshToken Connect with the refresh token provided previously. #> [CmdletBinding()] param ( ) process { if (-not $script:lastConnect.Refresh) { throw "No refresh token found!" } $scopes = 'https://graph.microsoft.com/.default' if ($script:lastConnect.Parameters.Scopes) { $scopes = $script:lastConnect.Parameters.Scopes } $body = @{ client_id = $script:lastConnect.Parameters.ClientID scope = $scopes -join " " refresh_token = [PSCredential]::new("whatever", $script:lastConnect.Refresh).GetNetworkCredential().Password grant_type = 'refresh_token' } $uri = "https://login.microsoftonline.com/$($script:lastConnect.Parameters.TenantID)/oauth2/v2.0/token" $authResponse = Invoke-RestMethod -Method Post -Uri $uri -Body $body $script:token = $authResponse.access_token $script:lastConnect.Refresh = $authResponse.refresh_token } } function ConvertTo-Base64 { <# .SYNOPSIS Converts input string to base 64. .DESCRIPTION Converts input string to base 64. .PARAMETER Text The text to encode. .PARAMETER Encoding The encoding of the input text. .EXAMPLE PS C:\> "Hello World" | ConvertTo-Base64 Converts the string "Hello World" to base 64. #> [OutputType([string])] [CmdletBinding()] param ( [Parameter(Mandatory = $true, ValueFromPipeline = $true)] [string[]] $Text, [System.Text.Encoding] $Encoding = [System.Text.Encoding]::UTF8 ) process { foreach ($entry in $Text) { $bytes = $Encoding.GetBytes($entry) [Convert]::ToBase64String($bytes) } } } function ConvertTo-SignedString { <# .SYNOPSIS Signs a string. .DESCRIPTION Signs a string. Used for certificate authentication. .PARAMETER Text The text to sign. .PARAMETER Certificate The certificate to sign with. Must have private key. .PARAMETER Padding The padding mechanism to use while signing. Defaults to "Pkcs1" .PARAMETER Algorithm The signing algorithm to use. Defaults to "SHA256" .PARAMETER Encoding Encoding of the source text. Defaults to UTF8 .EXAMPLE PS C:\> $token | ConvertTo-SignedString -Certificate $cert Signs the text stored in $token with the certificate stored in $cert #> [OutputType([string])] [CmdletBinding()] param ( [Parameter(Mandatory = $true, ValueFromPipeline = $true)] [string[]] $Text, [System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate, [Security.Cryptography.RSASignaturePadding] $Padding = [Security.Cryptography.RSASignaturePadding]::Pkcs1, [Security.Cryptography.HashAlgorithmName] $Algorithm = [Security.Cryptography.HashAlgorithmName]::SHA256, [System.Text.Encoding] $Encoding = [System.Text.Encoding]::UTF8 ) begin { $privateKey = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Certificate) } process { foreach ($entry in $Text) { $inBytes = $Encoding.GetBytes($entry) $outBytes = $privateKey.SignData($inBytes, $Algorithm, $Padding) [convert]::ToBase64String($outBytes) } } } function Invoke-TerminatingException { <# .SYNOPSIS Throw a terminating exception in the context of the caller. .DESCRIPTION Throw a terminating exception in the context of the caller. Masks the actual code location from the end user in how the message will be displayed. .PARAMETER Cmdlet The $PSCmdlet variable of the calling command. .PARAMETER Message The message to show the user. .PARAMETER Exception A nested exception to include in the exception object. .PARAMETER Category The category of the error. .PARAMETER ErrorRecord A full error record that was caught by the caller. Use this when you want to rethrow an existing error. .PARAMETER Target The target of the exception. .EXAMPLE PS C:\> Invoke-TerminatingException -Cmdlet $PSCmdlet -Message 'Unknown calling module' Terminates the calling command, citing an unknown caller. #> [CmdletBinding()] Param ( [Parameter(Mandatory = $true)] $Cmdlet, [string] $Message, [System.Exception] $Exception, [System.Management.Automation.ErrorCategory] $Category = [System.Management.Automation.ErrorCategory]::NotSpecified, [System.Management.Automation.ErrorRecord] $ErrorRecord, $Target ) process{ if ($ErrorRecord -and -not $Message) { $Cmdlet.ThrowTerminatingError($ErrorRecord) } $exceptionType = switch ($Category) { default { [System.Exception] } 'InvalidArgument' { [System.ArgumentException] } 'InvalidData' { [System.IO.InvalidDataException] } 'AuthenticationError' { [System.Security.Authentication.AuthenticationException] } 'InvalidOperation' { [System.InvalidOperationException] } } if ($Exception) { $newException = $Exception.GetType()::new($Message, $Exception) } elseif ($ErrorRecord) { $newException = $ErrorRecord.Exception.GetType()::new($Message, $ErrorRecord.Exception) } else { $newException = $exceptionType::new($Message) } $record = [System.Management.Automation.ErrorRecord]::new($newException, (Get-PSCallStack)[1].FunctionName, $Category, $Target) $Cmdlet.ThrowTerminatingError($record) } } function Set-ReconnectInfo { <# .SYNOPSIS Helper Utility to set the automatic reconnection information. .DESCRIPTION Helper Utility to set the automatic reconnection information. Registers the connection time, parameters used and command for ease of reuse. .PARAMETER BoundParameters The parameters the Connect-Graph* command was called with .PARAMETER NoReconnect Whether to not reconnect after all. .PARAMETER RefreshToken The refresh token returned after the calling command's connection. When provided, will be used to do the refreshing when possible. .EXAMPLE PS C:\> Set-ReconnectInfo -BoundParameters $PSBoundParameters -NoReconnect:$NoReconnect Called from within a Connect-Graph* command, this will set itself to auto-reconnect. #> [Diagnostics.CodeAnalysis.SuppressMessageAttribute("PSAvoidUsingConvertToSecureStringWithPlainText", "")] [Diagnostics.CodeAnalysis.SuppressMessageAttribute("PSUseShouldProcessForStateChangingFunctions", "")] [CmdletBinding()] param ( $BoundParameters, [switch] $NoReconnect, [string] $RefreshToken ) process { if ($NoReconnect) { $script:lastConnect = @{ When = $null Command = $null Parameters = $null Refresh = $null } return } $script:lastConnect = @{ When = Get-Date Command = Get-Command (Get-PSCallStack)[1].InvocationInfo.MyCommand Parameters = $BoundParameters Refresh = $null } if ($RefreshToken) { $script:lastConnect.Refresh = $RefreshToken | ConvertTo-SecureString -AsPlainText -Force } } } function Update-Token { <# .SYNOPSIS Automatically reconnects if necessary, using the previous method of connecting. .DESCRIPTION Automatically reconnects if necessary, using the previous method of connecting. Called from within Invoke-GraphRequest, it ensures that tokens don't expire, especially during long-running queries. Will not cause errors directly, but the reconnection attempt might fail. .EXAMPLE PS C:\> Update-Token Automatically reconnects if necessary, using the previous method of connecting. #> [Diagnostics.CodeAnalysis.SuppressMessageAttribute("PSUseShouldProcessForStateChangingFunctions", "")] [CmdletBinding()] param ( ) process { # If no reconnection data is set, terminate if (-not $script:lastConnect) { return } if (-not $script:lastConnect.When) { return } # If the last connection is less than 50 minutes ago, terminate if ($script:lastConnect.When -gt (Get-Date).AddMinutes(-50)) { return } if ($script:lastConnect.Refresh) { Connect-GraphRefreshToken return } $command = $script:lastConnect.Command $param = $script:lastConnect.Parameters & $command @param } } function Connect-GraphAzure { <# .SYNOPSIS Connect to graph using your current Az session. .DESCRIPTION Connect to graph using your current Az session. Requires the Az.Accounts module and for the current session to already be connected via Connect-AzAccount. .PARAMETER Authority Authority to connect to. Defaults to: "https://graph.microsoft.com" .PARAMETER ShowDialog Whether to risk showing a dialog during authentication. If set to never, it will fail if not possible to do silent authentication. Defaults to: Auto .PARAMETER NoReconnect Disables automatic reconnection. By default, MiniGraph will automatically try to reaquire a new token before the old one expires. .EXAMPLE PS C:\> Connect-GraphAzure Connect to graph via the current Az session #> [CmdletBinding()] param ( [string] $Authority = "https://graph.microsoft.com", [ValidateSet('Auto', 'Always', 'Never')] [string] $ShowDialog = 'Auto', [switch] $NoReconnect ) try { $azContext = Get-AzContext -ErrorAction Stop } catch { $PSCmdlet.ThrowTerminatingError($_) } try { $result = [Microsoft.Azure.Commands.Common.Authentication.AzureSession]::Instance.AuthenticationFactory.Authenticate( $azContext.Account, $azContext.Environment, "$($azContext.Tenant.id)", $null, $ShowDialog, $null, $Authority ) } catch { $PSCmdlet.ThrowTerminatingError($_) } $script:token = $result.AccessToken Set-ReconnectInfo -BoundParameters $PSBoundParameters -NoReconnect:$NoReconnect } function Connect-GraphBrowser { <# .SYNOPSIS Interactive logon using the Authorization flow and browser. Supports SSO. .DESCRIPTION Interactive logon using the Authorization flow and browser. Supports SSO. This flow requires an App Registration configured for the platform "Mobile and desktop applications". Its redirect Uri must be "http://localhost" On successful authentication .PARAMETER ClientID The ID of the registered app used with this authentication request. .PARAMETER TenantID The ID of the tenant connected to with this authentication request. .PARAMETER SelectAccount Forces account selection on logon. As this flow supports single-sign-on, it will otherwise not prompt for anything if already signed in. This could be a problem if you want to connect using another (e.g. an admin) account. .PARAMETER Scopes Generally doesn't need to be changed from the default 'https://graph.microsoft.com/.default' .PARAMETER LocalPort The local port that should be redirected to. In order to process the authentication response, we need to listen to a local web request on some port. Usually needs not be redirected. Defaults to: 8080 .PARAMETER Resource The resource the token grants access to. Generally doesn't need to be changed from the default 'https://graph.microsoft.com/' Only needed when connecting to another service. .PARAMETER Browser The path to the browser to use for the authentication flow. Provide the full path to the executable. The browser must accept the url to open as its only parameter. Defaults to your default browser. .PARAMETER NoReconnect Disables automatic reconnection. By default, MiniGraph will automatically try to reaquire a new token before the old one expires. .EXAMPLE PS C:\> Connect-GraphBrowser -ClientID '<ClientID>' -TenantID '<TenantID>' Connects to the specified tenant using the specified client, prompting the user to authorize via Browser. #> [CmdletBinding()] param ( [Parameter(Mandatory = $true)] [string] $TenantID, [Parameter(Mandatory = $true)] [string] $ClientID, [switch] $SelectAccount, [string[]] $Scopes = 'https://graph.microsoft.com/.default', [int] $LocalPort = 8080, [Uri] $Resource = 'https://graph.microsoft.com/', [string] $Browser, [switch] $NoReconnect ) process { Add-Type -AssemblyName System.Web $redirectUri = "http://localhost:$LocalPort" $actualScopes = foreach ($scope in $Scopes) { if ($scope -like 'https://*/*') { $scope } else { "{0}://{1}/{2}" -f $Resource.Scheme, $Resource.Host, $scope } } if (-not $NoReconnect) { $actualScopes = @($actualScopes) + 'offline_access' } $uri = "https://login.microsoftonline.com/$TenantID/oauth2/v2.0/authorize?" $state = Get-Random $parameters = @{ client_id = $ClientID response_type = 'code' redirect_uri = $redirectUri response_mode = 'query' scope = $Scopes -join ' ' state = $state } if ($SelectAccount) { $parameters.prompt = 'select_account' } $paramStrings = foreach ($pair in $parameters.GetEnumerator()) { $pair.Key, ([System.Web.HttpUtility]::UrlEncode($pair.Value)) -join '=' } $uriFinal = $uri + ($paramStrings -join '&') Write-Verbose "Authorize Uri: $uriFinal" $redirectTo = 'https://raw.githubusercontent.com/FriedrichWeinmann/MiniGraph/master/nothing-to-see-here.txt' if ((Get-Random -Minimum 10 -Maximum 99) -eq 66) { $redirectTo = 'https://www.youtube.com/watch?v=dQw4w9WgXcQ' } # Start local server to catch the redirect $http = [System.Net.HttpListener]::new() $http.Prefixes.Add("$redirectUri/") try { $http.Start() } catch { Invoke-TerminatingException -Cmdlet $PSCmdlet -Message "Failed to create local http listener on port $LocalPort. Use -LocalPort to select a different port. $_" -Category OpenError } # Execute in default browser if ($Browser) { & $Browser $uriFinal } else { Start-Process $uriFinal } # Get Result $task = $http.GetContextAsync() $authorizationCode, $stateReturn, $sessionState = $null try { while (-not $task.IsCompleted) { Start-Sleep -Milliseconds 200 } $context = $task.Result $context.Response.Redirect($redirectTo) $context.Response.Close() $authorizationCode, $stateReturn, $sessionState = $context.Request.Url.Query -split "&" } finally { $http.Stop() $http.Dispose() } if (-not $stateReturn) { Invoke-TerminatingException -Cmdlet $PSCmdlet -Message "Authentication failed (see browser for details)" -Category AuthenticationError } if ($state -ne $stateReturn.Split("=")[1]) { Invoke-TerminatingException -Cmdlet $PSCmdlet -Message "Received invalid authentication result. Likely returned from another flow redirecting to the same local port!" -Category InvalidOperation } $actualAuthorizationCode = $authorizationCode.Split("=")[1] $body = @{ client_id = $ClientID scope = $actualScopes -join " " code = $actualAuthorizationCode redirect_uri = $redirectUri grant_type = 'authorization_code' } $uri = "https://login.microsoftonline.com/$TenantID/oauth2/v2.0/token" try { $authResponse = Invoke-RestMethod -Method Post -Uri $uri -Body $body -ErrorAction Stop } catch { if ($_ -notmatch '"error":\s*"invalid_client"') { Invoke-TerminatingException -Cmdlet $PSCmdlet -ErrorRecord $_ } Invoke-TerminatingException -Cmdlet $PSCmdlet -Message "The App Registration $ClientID has not been configured correctly. Ensure you have a 'Mobile and desktop applications' platform with redirect to 'http://localhost' configured (and not a 'Web' Platform). $_" -Category $_.CategoryInfo.Category } $script:token = $authResponse.access_token Set-ReconnectInfo -BoundParameters $PSBoundParameters -NoReconnect:$NoReconnect -RefreshToken $authResponse.refresh_token } } function Connect-GraphCertificate { <# .SYNOPSIS Connect to graph as an application using a certificate .DESCRIPTION Connect to graph as an application using a certificate .PARAMETER Certificate The certificate to use for authentication. .PARAMETER TenantID The Guid of the tenant to connect to. .PARAMETER ClientID The ClientID / ApplicationID of the application to connect as. .PARAMETER Scopes The scopes to request when connecting. IN Application flows, this only determines the service for which to retrieve the scopes already configured on the App Registration. Defaults to graph API. .PARAMETER NoReconnect Disables automatic reconnection. By default, MiniGraph will automatically try to reaquire a new token before the old one expires. .EXAMPLE PS C:\> $cert = Get-Item -Path 'Cert:\CurrentUser\My\082D5CB4BA31EED7E2E522B39992E34871C92BF5' PS C:\> Connect-GraphCertificate -TenantID '0639f07d-76e1-49cb-82ac-abcdefabcdefa' -ClientID '0639f07d-76e1-49cb-82ac-1234567890123' -Certificate $cert Connect to graph with the specified cert stored in the current user's certificate store. .LINK https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-certificate-credentials #> [CmdletBinding()] param ( [Parameter(Mandatory = $true)] [ValidateScript({ if (-not $_.HasPrivateKey) { throw "Certificate has no private key!" } $true })] [System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate, [Parameter(Mandatory = $true)] [string] $TenantID, [Parameter(Mandatory = $true)] [string] $ClientID, [string[]] $Scopes = 'https://graph.microsoft.com/.default', [switch] $NoReconnect ) $jwtHeader = @{ alg = "RS256" typ = "JWT" x5t = [Convert]::ToBase64String($Certificate.GetCertHash()) -replace '\+', '-' -replace '/', '_' -replace '=' } $encodedHeader = $jwtHeader | ConvertTo-Json | ConvertTo-Base64 $claims = @{ aud = "https://login.microsoftonline.com/$TenantID/v2.0" exp = ((Get-Date).AddMinutes(5) - (Get-Date -Date '1970.1.1')).TotalSeconds -as [int] iss = $ClientID jti = "$(New-Guid)" nbf = ((Get-Date) - (Get-Date -Date '1970.1.1')).TotalSeconds -as [int] sub = $ClientID } $encodedClaims = $claims | ConvertTo-Json | ConvertTo-Base64 $jwtPreliminary = $encodedHeader, $encodedClaims -join "." $jwtSigned = ($jwtPreliminary | ConvertTo-SignedString -Certificate $Certificate) -replace '\+', '-' -replace '/', '_' -replace '=' $jwt = $jwtPreliminary, $jwtSigned -join '.' $body = @{ client_id = $ClientID client_assertion = $jwt client_assertion_type = 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer' scope = $Scopes -join ' ' grant_type = 'client_credentials' } $header = @{ Authorization = "Bearer $jwt" } $uri = "https://login.microsoftonline.com/$TenantID/oauth2/v2.0/token" try { $script:token = (Invoke-RestMethod -Uri $uri -Method Post -Body $body -Headers $header -ContentType 'application/x-www-form-urlencoded' -ErrorAction Stop).access_token } catch { $PSCmdlet.ThrowTerminatingError($_) } Set-ReconnectInfo -BoundParameters $PSBoundParameters -NoReconnect:$NoReconnect } function Connect-GraphClientSecret { <# .SYNOPSIS Connects using a client secret. .DESCRIPTION Connects using a client secret. .PARAMETER ClientID The ID of the registered app used with this authentication request. .PARAMETER TenantID The ID of the tenant connected to with this authentication request. .PARAMETER ClientSecret The actual secret used for authenticating the request. .PARAMETER Scopes Generally doesn't need to be changed from the default 'https://graph.microsoft.com/.default' .PARAMETER Resource The resource the token grants access to. Generally doesn't need to be changed from the default 'https://graph.microsoft.com/' Only needed when connecting to another service. .PARAMETER NoReconnect Disables automatic reconnection. By default, MiniGraph will automatically try to reaquire a new token before the old one expires. .EXAMPLE PS C:\> Connect-GraphClientSecret -ClientID '<ClientID>' -TenantID '<TenantID>' -ClientSecret $secret Connects to the specified tenant using the specified client and secret. #> [CmdletBinding()] param ( [Parameter(Mandatory = $true)] [string] $ClientID, [Parameter(Mandatory = $true)] [string] $TenantID, [Parameter(Mandatory = $true)] [securestring] $ClientSecret, [string[]] $Scopes = 'https://graph.microsoft.com/.default', [string] $Resource = 'https://graph.microsoft.com/', [switch] $NoReconnect ) process { $body = @{ client_id = $ClientID client_secret = [PSCredential]::new('NoMatter', $ClientSecret).GetNetworkCredential().Password scope = $Scopes -join " " grant_type = 'client_credentials' resource = $Resource } try { $authResponse = Invoke-RestMethod -Method Post -Uri "https://login.microsoftonline.com/$TenantId/oauth2/token" -Body $body -ErrorAction Stop } catch { $PSCmdlet.ThrowTerminatingError($_) } $script:token = $authResponse.access_token Set-ReconnectInfo -BoundParameters $PSBoundParameters -NoReconnect:$NoReconnect } } function Connect-GraphCredential { <# .SYNOPSIS Connect to graph using username and password. .DESCRIPTION Connect to graph using username and password. This logs into graph as a user, not as an application. Only cloud-only accounts can be used for this workflow. Consent to scopes must be granted before using them, as this command cannot show the consent prompt. .PARAMETER Credential Credentials of the user to connect as. .PARAMETER TenantID The Guid of the tenant to connect to. .PARAMETER ClientID The ClientID / ApplicationID of the application to use. .PARAMETER Scopes The permission scopes to request. .PARAMETER NoReconnect Disables automatic reconnection. By default, MiniGraph will automatically try to reaquire a new token before the old one expires. .EXAMPLE PS C:\> Connect-GraphCredential -Credential max@contoso.com -ClientID $client -TenantID $tenant -Scopes 'user.read','user.readbasic.all' Connect as max@contoso.com with the rights to read user information. #> [CmdletBinding()] param ( [Parameter(Mandatory = $true)] [System.Management.Automation.PSCredential] $Credential, [Parameter(Mandatory = $true)] [string] $ClientID, [Parameter(Mandatory = $true)] [string] $TenantID, [string[]] $Scopes = 'user.read', [switch] $NoReconnect ) $request = @{ client_id = $ClientID scope = $Scopes -join " " username = $Credential.UserName password = $Credential.GetNetworkCredential().Password grant_type = 'password' } try { $answer = Invoke-RestMethod -Method POST -Uri "https://login.microsoftonline.com/$TenantID/oauth2/v2.0/token" -Body $request -ErrorAction Stop } catch { $PSCmdlet.ThrowTerminatingError($_) } $script:token = $answer.access_token Set-ReconnectInfo -BoundParameters $PSBoundParameters -NoReconnect:$NoReconnect } function Connect-GraphDeviceCode { <# .SYNOPSIS Connects to Azure AD using the Device Code authentication workflow. .DESCRIPTION Connects to Azure AD using the Device Code authentication workflow. .PARAMETER ClientID The ID of the registered app used with this authentication request. .PARAMETER TenantID The ID of the tenant connected to with this authentication request. .PARAMETER Scopes Generally doesn't need to be changed from the default 'https://graph.microsoft.com/.default' .PARAMETER Resource The resource the token grants access to. Generally doesn't need to be changed from the default 'https://graph.microsoft.com/' Only needed when connecting to another service. .PARAMETER NoReconnect Disables automatic reconnection. By default, MiniGraph will automatically try to reaquire a new token before the old one expires. .EXAMPLE PS C:\> Connect-GraphDeviceCode -ClientID '<ClientID>' -TenantID '<TenantID>' Connects to the specified tenant using the specified client, prompting the user to authorize via Browser. #> [Diagnostics.CodeAnalysis.SuppressMessageAttribute("PSAvoidUsingWriteHost", "")] [CmdletBinding()] param ( [Parameter(Mandatory = $true)] [string] $ClientID, [Parameter(Mandatory = $true)] [string] $TenantID, [string[]] $Scopes = 'https://graph.microsoft.com/.default', [Uri] $Resource = 'https://graph.microsoft.com/', [switch] $NoReconnect ) $actualScopes = foreach ($scope in $Scopes) { if ($scope -like 'https://*/*') { $scope } else { "{0}://{1}/{2}" -f $Resource.Scheme, $Resource.Host, $scope } } try { $initialResponse = Invoke-RestMethod -Method POST -Uri "https://login.microsoftonline.com/$TenantID/oauth2/v2.0/devicecode" -Body @{ client_id = $ClientID scope = @($actualScopes) + 'offline_access' -join " " } -ErrorAction Stop } catch { throw } Write-Host $initialResponse.message $paramRetrieve = @{ Uri = "https://login.microsoftonline.com/$TenantID/oauth2/v2.0/token" Method = "POST" Body = @{ grant_type = "urn:ietf:params:oauth:grant-type:device_code" client_id = $ClientID device_code = $initialResponse.device_code } ErrorAction = 'Stop' } $limit = (Get-Date).AddSeconds($initialResponse.expires_in) while ($true) { if ((Get-Date) -gt $limit) { Invoke-TerminatingException -Cmdlet $PSCmdlet -Message "Timelimit exceeded, device code authentication failed" -Category AuthenticationError } Start-Sleep -Seconds $initialResponse.interval try { $authResponse = Invoke-RestMethod @paramRetrieve } catch { if ($_ -match '"error":\s*"authorization_pending"') { continue } $PSCmdlet.ThrowTerminatingError($_) } if ($authResponse) { break } } $script:token = $authResponse.access_token Set-ReconnectInfo -BoundParameters $PSBoundParameters -NoReconnect:$NoReconnect -RefreshToken $authResponse.refresh_token } function Connect-GraphToken { <# .SYNOPSIS Connect to graph using a token and the on behalf of flow. .DESCRIPTION Connect to graph using a token and the on behalf of flow. .PARAMETER Token The existing token to use for the request. .PARAMETER TenantID The Guid of the tenant to connect to. .PARAMETER ClientID The ClientID / ApplicationID of the application to connect as. .PARAMETER ClientSecret The secret used to authorize the OBO flow. .PARAMETER Scopes The scopes to request Defaults to: 'https://graph.microsoft.com/.default' .PARAMETER NoReconnect Disables automatic reconnection. By default, MiniGraph will automatically try to reaquire a new token before the old one expires. .EXAMPLE PS C:\> Connect-GraphToken -Token $token -TenantID $tenantID -ClientID $clientID -CLientSecret $secret Connect to graph using a token and the on behalf of flow. .LINK https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-on-behalf-of-flow #> [CmdletBinding()] param ( [Parameter(Mandatory = $true)] [string] $Token, [Parameter(Mandatory = $true)] [string] $TenantID, [Parameter(Mandatory = $true)] [string] $ClientID, [Parameter(Mandatory = $true)] [SecureString] $ClientSecret, [string[]] $Scopes = 'https://graph.microsoft.com/.default', [switch] $NoReconnect ) $body = @{ grant_type = 'urn:ietf:params:oauth:grant-type:jwt-bearer' client_id = $ClientID client_secret = ([PSCredential]::new("Whatever", $ClientSecret)).GetNetworkCredential().Password assertion = $Token scope = @($Scopes) requested_token_use = 'on_behalf_of' } $param = @{ Method = "POST" Uri = "https://login.microsoftonline.com/$TenantID/oauth2/v2.0/token" Body = $body ContentType = 'application/x-www-form-urlencoded' } try { $script:token = Invoke-RestMethod @param -ErrorAction Stop } catch { $PSCmdlet.ThrowTerminatingError($_) } Set-ReconnectInfo -BoundParameters $PSBoundParameters -NoReconnect:$NoReconnect } function Get-GraphToken { <# .SYNOPSIS Retrieve the currently used graph token. .DESCRIPTION Retrieve the currently used graph token. Use one of the Connect-Graph* commands to first establish a connection. The token retrieved is a static copy of the current token - it will not be automatically refreshed once expired. .EXAMPLE PS C:\> Get-GraphToken Retrieve the currently used graph token. #> [CmdletBinding()] param ( ) process { [PSCustomObject]@{ Token = $script:token Created = $script:lastConnect.When HasRefresh = $script:lastConnect.Refresh -as [bool] Endpoint = $script:baseEndpoint } } } function Invoke-GraphRequest { <# .SYNOPSIS Execute a request against the graph API .DESCRIPTION Execute a request against the graph API .PARAMETER Query The relative graph query with all conditions appended. Uses the full query if the query starts with http:// or https://. .PARAMETER Method Which rest method to use. Defaults to GET. .PARAMETER ContentType Which content type to specify. Defaults to "Application/Json" .PARAMETER Body Any body to specify. Anything not a string, will be converted to json. .PARAMETER Raw Return the raw response, rather than processing the output. .PARAMETER NoPaging Only return the first set of data, rather than paging through the entire set. .PARAMETER Header Additional header entries to include beside authentication .EXAMPLE PS C:\> Invoke-GraphRequest -Query me Returns information about the current user. #> [CmdletBinding()] param ( [Parameter(Mandatory = $true)] [string] $Query, [Microsoft.PowerShell.Commands.WebRequestMethod] $Method = 'GET', [string] $ContentType = 'application/json', $Body, [switch] $Raw, [switch] $NoPaging, [hashtable] $Header = @{ } ) begin { Assert-GraphConnection -Cmdlet $PSCmdlet } process { $parameters = @{ Uri = "$($script:baseEndpoint)/$($Query.TrimStart("/"))" Method = $Method ContentType = $ContentType } if ($Query -match '^http://|https://') { $parameters.Query = $Query } if ($Body) { if ($Body -is [string]) { $parameters.Body = $Body } else { $parameters.Body = $Body | ConvertTo-Json -Compress -Depth 99 } } do { try { Update-Token } catch { throw } $parameters.Headers = @{ Authorization = "Bearer $($script:Token)" } + $Header try { $data = Invoke-RestMethod @parameters -ErrorAction Stop } catch { throw } if ($Raw) { $data } elseif ($data.Value) { $data.Value } elseif ($data -and $null -eq $data.Value) { $data } $parameters.Uri = $data.'@odata.nextLink' } until (-not $data.'@odata.nextLink' -or $NoPaging) } } function Invoke-GraphRequestBatch { <# .SYNOPSIS Invoke a batch request against the graph API .DESCRIPTION Invoke a batch request against the graph API in batches of twenty. .PARAMETER Request A list of requests to batch. Each entry should either be ... - A relative uri to query (what you would send to Invoke-GraphRequest) - A hashtable consisting of url (mandatory), method (optional), id (optional), body (optional), headers (optional) and dependsOn (optional). .PARAMETER Method The method to use with requests, that do not specify their method. Defaults to "GET" .PARAMETER Body The body to add to requests that do not specify their own body. .PARAMETER Header The header to add to requests that do not specify their own header. .EXAMPLE $servicePrincipals = Invoke-GraphRequest -Query "servicePrincipals?&`$filter=accountEnabled eq true" $requests = @($servicePrincipals).ForEach{ "/servicePrincipals/$($_.id)/appRoleAssignments" } Invoke-GraphRequestBatch -Request $requests Retrieve the role assignments for all enabled service principals .EXAMPLE $servicePrincipals = Invoke-GraphRequest -Query "servicePrincipals?&`$filter=accountEnabled eq false" $requests = @($servicePrincipals).ForEach{ "/servicePrincipals/$($_.id)" } Invoke-GraphRequestBatch -Request $requests -Body { accountEnabled = $true } -Method PATCH Enables all disabled service principals .EXAMPLE $servicePrincipals = Invoke-GraphRequest -Query "servicePrincipals?&`$filter=accountEnabled eq true" $araCounter = 1 $idToSp = @{} $appRoleAssignmentsRequest = foreach ($sp in $servicePrincipals) { @{ url = "/servicePrincipals/$($sp.id)/appRoleAssignments" method = "GET" id = $araCounter } $idToSp[$araCounter] = $sp $araCounter++ } Invoke-GraphRequestBatch -Request $appRoleAssignmentsRequest Retrieve the role assignments for all enabled service principals #> [CmdletBinding()] param ( [Parameter(Mandatory = $true)] [object[]] $Request, [Microsoft.PowerShell.Commands.WebRequestMethod] $Method = 'Get', [hashtable] $Body, [hashtable] $Header ) begin { function ConvertTo-BatchRequest { [CmdletBinding()] param ( [object[]] $Request, [Microsoft.PowerShell.Commands.WebRequestMethod] $Method, $Cmdlet, [AllowNull()] [hashtable] $Body, [AllowNull()] [hashtable] $Header ) $defaultMethod = "$Method".ToUpper() $results = @{} $requests = foreach ($entry in $Request) { $newRequest = @{ url = '' method = $defaultMethod id = 0 } if ($Body) { $newRequest.body = $Body } if ($Header) { $newRequest.headers = $Header } if ($entry -is [string]) { $newRequest.url = $entry $newRequest continue } if (-not $entry.url) { Invoke-TerminatingException -Cmdlet $Cmdlet -Message "Invalid batch request: No Url found! $entry" -Category InvalidArgument } $newRequest.url = $entry.url if ($entry.Method) { $newRequest.method = "$($entry.Method)".ToUpper() } if ($entry.id -as [int]) { $newRequest.id = $entry.id -as [int] $results[($entry.id -as [int])] = $newRequest } if ($entry.body) { $newRequest.body = $entry.body } if ($entry.headers) { $newRequest.headers = $entry.headers } if ($entry.dependsOn) { $newRequest.dependsOn } $newRequest } $index = 1 $finalList = foreach ($requestItem in $requests) { $requestItem.id = $requestItem.id -as [string] if ($requestItem.id) { $requestItem continue } while ($results[$index]) { $index++ } $requestItem.id = $index $results[$index] = $requestItem $requestItem } $finalList | Sort-Object { $_.id -as [int] } } } process { $batchSize = 20 # Currently hardcoded API limit $counter = [pscustomobject] @{ Value = 0 } $batches = ConvertTo-BatchRequest -Request $Request -Method $Method -Cmdlet $PSCmdlet -Body $Body -Header $Header | Group-Object -Property { [math]::Floor($counter.Value++ / $batchSize) } -AsHashTable foreach ($batch in ($batches.GetEnumerator() | Sort-Object -Property Key)) { [array] $innerResult = try { $jsonbody = @{requests = [array]$batch.Value } | ConvertTo-Json -Depth 42 -Compress (MiniGraph\Invoke-GraphRequest -Query '$batch' -Method Post -Body $jsonbody -ErrorAction Stop).responses } catch { Write-Error -Message "Error sending batch: $($_.Exception.Message)" -TargetObject $jsonbody continue } $throttledRequests = $innerResult | Where-Object status -EQ 429 $failedRequests = $innerResult | Where-Object { $_.status -ne 429 -and $_.status -in (400..499) } $successRequests = $innerResult | Where-Object status -In (200..299) foreach ($failedRequest in $failedRequests) { Write-Error -Message "Error in batch request $($failedRequest.id): $($failedRequest.body.error.message)" } if ($successRequests) { $successRequests } if ($throttledRequests) { $interval = ($throttledRequests.Headers | Sort-Object 'Retry-After' | Select-Object -Last 1).'Retry-After' Write-Verbose -Message "Throttled requests detected, waiting $interval seconds before retrying" Start-Sleep -Seconds $interval $retry = $Request | Where-Object id -In $throttledRequests.id if (-not $retry) { continue } try { (MiniGraph\Invoke-GraphRequestBatch -Request $retry -ErrorAction Stop).responses } catch { Write-Error -Message "Error sending retry batch: $($_.Exception.Message)" -TargetObject $retry } } } } } function Set-GraphEndpoint { <# .SYNOPSIS Specify which graph endpoint to use for subsequent requests. .DESCRIPTION Specify which graph endpoint to use for subsequent requests. .PARAMETER Type Which kind of endpoint to use. v1 or beta .PARAMETER Url Specify a custom Url as endpoint. Used to switch to a government cloud. .EXAMPLE PS C:\> Set-GraphEndpoint -Type beta Switch to using the beta graph endpoint #> [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseShouldProcessForStateChangingFunctions', '')] [CmdletBinding()] param ( [Parameter(Mandatory = $true, ParameterSetName = 'Default')] [ValidateSet('v1','beta')] [string] $Type, [Parameter(Mandatory = $true, ParameterSetName = 'Url')] [string] $Url ) if ($Type) { switch ($Type) { 'v1' { $script:baseEndpoint = 'https://graph.microsoft.com/v1.0' } 'beta' { $script:baseEndpoint = 'https://graph.microsoft.com/beta' } } } if ($Url) { $script:baseEndpoint = $Url.Trim("/") } } # Graph Token used for connections $script:token = $null # Endpoint used for queries $script:baseEndpoint = 'https://graph.microsoft.com/v1.0' # Cached Connection Data $script:lastConnect = @{ When = $null Command = $null Parameters = $null Refresh = $null } # Used for Browser-Based interactive logon $script:browserPath = 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe' |