How can I authenticate to AAD and call the Graph A

Published 2019-01-12 02:01

Question:

I am trying to do some very quick tests on Azure Active Directory, and I need a tool which will allow me to quickly authenticate to AAD, and make calls to the AAD Graph API.

I have registered a Native Client application in my directory already, and I have set it up to have the appropriate permissions to call the AAD Graph API.

I want to take a look at my AAD Token, and the output from the Graph API after my call. How can I use PowerShell to quickly accomplish this?

Answer 1:

>> See here for instructions on how to create a similar script for emulating a Daemon Client Application using the Client Credential Flow.

PowerShell allows you to load .NET assemblies right into your command line. This means that you are able to load ADAL (Azure Active Directory Authentication Libraries) and use it to really simplify the authentication experience. Once you have acquired a token from ADAL, then you can simply use the Invoke-RestMethod cmdlet to make calls to the AAD Graph API.

First you need to download and save the .NET dlls for ADAL. The download link can be found on Nuget.

Note: We specifically use ADAL v2 here.

You can extract the contents of the .nupkg with a File Extractor like 7z, WinZip, etc...

Extract the contents from \lib\net45\ and copy them into your working directory. I put the files in their own "ADAL" folder, to keep it separate.

Then you should be able to create a new PowerShell script with the following:

# Load ADAL
Add-Type -Path ".\ADAL\Microsoft.IdentityModel.Clients.ActiveDirectory.dll"

# Output Token and Response from AAD Graph API
$accessToken = ".\Token.txt"
$output = ".\Output.json"

# Application and Tenant Configuration
$clientId = "<AppIDGUID>"
$tenantId = "<TenantID>"
$resourceId = "https://graph.windows.net"
$redirectUri = New-Object system.uri("<ReplyURL>")
$login = "https://login.microsoftonline.com"

# Get an Access Token with ADAL
$authContext = New-Object Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext ("{0}/{1}" -f $login,$tenantId)
$authenticationResult = $authContext.AcquireToken($resourceId, $clientId, $redirectUri)
($token = $authenticationResult.AccessToken) | Out-File $accessToken

# Call the AAD Graph API
$headers = @{
    "Authorization" = ("Bearer {0}" -f $token);
    "Content-Type" = "application/json";
}

Invoke-RestMethod -Method Get -Uri ("{0}/{1}/users?api-version=1.6" -f $resourceId, $tenantId) -Headers $headers -OutFile $output

Note: You will need to update the App ID, Tenant ID, and Reply URL in this script. I have also pre-configured the AAD Graph API call to return the users in my tenant, but you can change this REST call to whatever you want.

After you successfully run the script, you should get 2 new files in your working directory: A text file that contains your encoded JSON access token, which can be base64 decoded on sites like this, and a JSON file with the response from the AAD Graph API.

Let me know if this helps!
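An added example (not part of the answer above) that reads the Token.txt file the script writes and decodes the JWT's header and payload locally, so the bearer token does not have to be pasted into a third-party web site to be inspected. It assumes the file path .\Token.txt from the script and the standard AAD v1 claim names (aud, tid, appid, upn, scp, exp); it does not verify the signature.

```powershell
# Added example: inspect the access token saved by the script above, offline.
# Assumes .\Token.txt holds the raw compact JWT written by Out-File.

function ConvertFrom-Base64Url {
    param([Parameter(Mandatory)][string]$Text)
    # JWT segments are base64url: '-' and '_' replace '+' and '/', and padding is dropped.
    $s = $Text.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) {
        2 { $s += '==' }
        3 { $s += '=' }
    }
    [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($s))
}

function Show-JwtClaims {
    param([Parameter(Mandatory)][string]$Token)
    $parts = $Token.Trim().Split('.')
    if ($parts.Count -ne 3) { throw "Not a compact JWS: expected 3 dot-separated segments" }

    $header  = ConvertFrom-Base64Url $parts[0] | ConvertFrom-Json
    $payload = ConvertFrom-Base64Url $parts[1] | ConvertFrom-Json
    # Note: the signature (parts[2]) is not verified here; this only reads the claims.

    $expiresUtc = [DateTimeOffset]::FromUnixTimeSeconds([long]$payload.exp).UtcDateTime

    [PSCustomObject]@{
        Algorithm  = $header.alg                 # expect RS256 from AAD
        KeyId      = $header.kid                 # signing key, resolvable via the tenant's JWKS
        Audience   = $payload.aud                # should equal the $resourceId requested
        TenantId   = $payload.tid                # should equal the $tenantId used
        AppId      = $payload.appid              # the registered Native Client app
        User       = $payload.upn                # signed-in user (delegated flow)
        Scopes     = $payload.scp                # delegated permissions granted to the app
        ExpiresUtc = $expiresUtc
        Expired    = ($expiresUtc -lt [DateTime]::UtcNow)
    }
}

# Read the token the script wrote (Get-Content honours the BOM Out-File emits).
$token = Get-Content -Raw -Path ".\Token.txt"
Show-JwtClaims -Token $token
```

Checking that Audience matches the resource and that Scopes contains only the Graph permissions you granted is a quick way to confirm the app registration is configured as intended before pointing the REST call at other endpoints.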