Public/Connect-Avd.ps1
|
function Connect-Avd { <# .SYNOPSIS Get an access token using either authorization code flow or device code flow, that can be used to authenticate and authorize against resources in Azure. .DESCRIPTION Get an access token using either authorization code flow or device code flow, that can be used to authenticate and authorize against resources in Azure. .PARAMETER TenantID Specify the tenant name or ID, e.g. tenant.onmicrosoft.com or <GUID>. .PARAMETER ClientID Application ID (Client ID) for an Azure AD service principal. Uses by default the 'Microsoft Azure PowerShell' service principal Application ID. .PARAMETER ClientSecret Application secret is using a custom Azure AD service principal. .PARAMETER RedirectUri Specify the Redirect URI (also known as Reply URL) of the custom Azure AD service principal. .PARAMETER DeviceCode Specify delegated login using devicecode flow, you will be prompted to navigate to https://microsoft.com/devicelogin .PARAMETER SubscriptionId Specify a subscription ID to set the Azure context. Can be changed later using Set-AvdContext. .PARAMETER Refresh Specify to refresh an existing access token. .EXAMPLE Connect-Avd -TenantID $Tenantid -SubscriptionId $SubscriptionId -DeviceCode .EXAMPLE Connect-Avd -ClientID xxxx -ClientSecret "xxxxx" -TenantID $Tenantid -SubscriptionId $SubscriptionId #> [CmdletBinding(DefaultParameterSetName = "ClientSecret")] param( [parameter(Mandatory, ParameterSetName = "DeviceCode")] [parameter(ParameterSetName = "ClientSecret")] [parameter(ParameterSetName = "Refresh")] [ValidateNotNullOrEmpty()] [string]$TenantID, [parameter(ParameterSetName = "ClientSecret", HelpMessage = "Application ID (Client ID) for an Azure AD service principal. Uses by default the 'Microsoft Azure PowerShell' service principal Application ID.")] [parameter(ParameterSetName = "DeviceCode")] [ValidateNotNullOrEmpty()] [string]$ClientID = "1950a258-227b-4e31-a9cf-717495945fc2", [parameter(ParameterSetName = "ClientSecret", HelpMessage = "Specify the Redirect URI (also known as Reply URL) of the custom Azure AD service principal.")] [parameter(ParameterSetName = "DeviceCode")] [ValidateNotNullOrEmpty()] [string]$RedirectUri = [string]::Empty, [parameter(ParameterSetName = "ClientSecret", HelpMessage = "Specify the subscription ID to connect to")] [parameter(ParameterSetName = "DeviceCode", HelpMessage = "Specify the subscription ID to connect to")] [ValidateNotNullOrEmpty()] [string]$SubscriptionId, [parameter(ParameterSetName = "ClientSecret", HelpMessage = "Specify the client secret of your registered application")] [string]$ClientSecret, [parameter(ParameterSetName = "ClientSecret", HelpMessage = "Specify the subscription ID to connect to")] [parameter(ParameterSetName = "DeviceCode", HelpMessage = "Specify the subscription ID to connect to")] [ValidateNotNullOrEmpty()] [string]$Scope = "https://management.azure.com//.default", [parameter(Mandatory, ParameterSetName = "DeviceCode", HelpMessage = "Specify to do delegated login using devicecode flow, you will be prompted to navigate to https://microsoft.com/devicelogin")] [switch]$DeviceCode, [parameter(ParameterSetName = "Refresh", HelpMessage = "Specify to refresh an existing access token.")] [string]$RefreshToken ) Begin { $script:TenantId = $TenantID if ($SubscriptionId) { Write-Verbose "Subscription ID provided, setting context to $SubscriptionId" $script:subscriptionId = $SubscriptionId } # Determine the correct RedirectUri (also known as Reply URL) to use with MSAL.PS if ($ClientID -eq "1950a258-227b-4e31-a9cf-717495945fc2") { $RedirectUri = "urn:ietf:wg:oauth:2.0:oob" } else { if (-not([string]::IsNullOrEmpty($ClientID))) { Write-Verbose -Message "Using custom Azure AD service principal specified with Application ID: $($ClientID)" # Adjust RedirectUri parameter input in case non was passed on command line if ([string]::IsNullOrEmpty($RedirectUri)) { switch -Wildcard ($PSVersionTable["PSVersion"]) { "5.*" { $RedirectUri = "https://login.microsoftonline.com/common/oauth2/nativeclient" } "7.*" { $RedirectUri = "http://localhost" } } } } } Write-Verbose -Message "Using RedirectUri with value: $($RedirectUri)" # Set default error action preference configuration $ErrorActionPreference = "Stop" } Process { Write-Verbose -Message "Using authentication flow: $($PSCmdlet.ParameterSetName)" try { switch ($PSCmdlet.ParameterSetName) { "DeviceCode" { if ($null -ne $script:tokenRequest -and ($script:tokenRequest.scope -eq 'user_impersonation')){ throw "You allready are logged in with user_impersonation, disconnect first if you want to reauthenticate. Use Disconnect-Avd" } $clientBody = @{ client_id = $ClientId tenant = $TenantID scope = $Scope } $requestUrl = Invoke-WebRequest -Method POST -Uri "https://login.microsoftonline.com/$($TenantID)/oauth2/v2.0/devicecode" -Body $clientBody $content = ($requestUrl.Content | ConvertFrom-Json) if ([string]::IsNullOrEmpty($script:tokenRequest.access_token)) { Write-Information "`n$($content.message)" -InformationAction Continue } # Get OAuth Token $tokenBody = @{ grant_type = "urn:ietf:params:oauth:grant-type:device_code" code = $content.device_code client_id = $ClientId } while ([string]::IsNullOrEmpty($script:tokenRequest.access_token)) { $script:tokenRequest = try { Invoke-RestMethod -Method POST -Uri "https://login.microsoftonline.com/$TenantID/oauth2/token" -Body $tokenBody } catch { $errorMessage = $_.ErrorDetails.Message | ConvertFrom-Json # If not waiting for auth, throw error if ($errorMessage.error -ne "authorization_pending") { throw "Authorization is pending." } } } } "ClientSecret" { if ($null -ne $script:tokenRequest -and (!($script:tokenRequest.scope))){ throw "You allready are logged in with a service principal, disconnect first if you want to reauthenticate. Use Disconnect-Avd" } # Must be this URL. https://management.azure.com is not working while using the resource object. The scope object is ignored when providing management.azure.com $Scope = 'https://management.core.windows.net/' $tokenBody = @{ grant_type = "client_credentials" client_id = $ClientID client_secret = $ClientSecret resource = $Scope } $contentType = "application/x-www-form-urlencoded" $script:tokenRequest = try { Invoke-RestMethod -Method POST -Uri "https://login.microsoftonline.com/$TenantID/oauth2/token" -Body $tokenBody -ContentType $contentType } catch { $errorMessage = $_.ErrorDetails.Message | ConvertFrom-Json # If not waiting for auth, throw error if ($errorMessage.error -ne "authorization_pending") { throw "Authorization is pending." } } } "Refresh" { Write-Verbose "Refreshing token" $tokenBody = @{ grant_type = "refresh_token" client_id = $ClientId refresh_token = $RefreshToken scope = $script:tokenRequest.scope } $script:tokenRequest = try { Invoke-RestMethod -Method POST -Uri "https://login.microsoftonline.com/$TenantID/oauth2/token" -Body $tokenBody } catch { $errorMessage = $_.ErrorDetails.Message | ConvertFrom-Json # If not waiting for auth, throw error } } } Write-Verbose "Token is $($script:tokenRequest)" $script:authHeader = @{ 'Content-Type' = 'application/json' Authorization = "Bearer {0}" -f $script:tokenRequest.access_token } Write-Information "Succesfully connected to scope $scope" return $script:authHeader } catch [System.Exception] { Write-Error -Message "An error occurred while constructing parameter input for access token retrieval. Error message: $($PSItem.Exception.Message)" } } } |