Private/Get-AuthToken.ps1

<#
 
.COPYRIGHT
Copyright (c) Office Center Hønefoss AS. All rights reserved. Based on code by Jan Egil Ring (Crayon). Licensed under the MIT license.
See https://github.com/officecenter/OCH-Public/blob/master/LICENSE for license information.
 
#>


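function Get-AuthToken 
{
  <#
      .SYNOPSIS
      Acquires a Microsoft Graph bearer token with the ADAL library shipped inside the AzureAD module.
      .DESCRIPTION
      Authenticates against https://login.microsoftonline.com/<tenant> with a user name and password
      (the tenant is the domain part of the UPN) and returns a hashtable that can be passed to
      Invoke-RestMethod -Headers. The hashtable is cached in $global:authToken and the credentials in
      $global:GraphCredentials; a cached token is reused while it is still valid for the same user.

      Security notes:
      - This is the username/password (ROPC) flow: the password itself is sent to the identity
        provider. ROPC does not work for accounts that require MFA or are blocked by Conditional
        Access, and it is not usable for federated accounts. Prefer an interactive or
        certificate-based flow where possible.
      - The ADAL library (Microsoft.IdentityModel.Clients.ActiveDirectory) is deprecated by
        Microsoft in favour of MSAL; this function still depends on it because it is what the
        AzureAD / AzureADPreview module ships.
      - The bearer token is held in plain text in the session ($global:authToken). Do not log,
        transcript or write that variable out.
      .PARAMETER Credentials
      The user's credentials. The user name must be a UPN (user@domain), because the domain part
      selects the tenant authority. Defaults to $global:GraphCredentials; when neither is set an
      interactive Get-Credential prompt is shown.
      .EXAMPLE
      Get-AuthToken
      Prompts for credentials (unless cached) and returns the authorization header hashtable.
      .OUTPUTS
      System.Collections.Hashtable with the keys Content-Type, Authorization and ExpiresOn.
      .NOTES
      NAME: Get-AuthToken
      Throws a terminating error (instead of exiting the host) when the AzureAD module is missing,
      the user name is not a UPN, or token acquisition fails, so callers can catch it.
  #>
  [CmdletBinding()]
  param
  (
    [PSCredential]
    $Credentials = $global:GraphCredentials
  )

  # Prompt only when nothing was supplied and nothing is cached. Get-Credential returns $null when
  # the prompt is cancelled, so the value is checked again afterwards.
  if ($null -eq $Credentials)
  {
    $Credentials = Get-Credential -Message 'Enter Intune Graph API Credentials'
  }
  if ($null -eq $Credentials)
  {
    throw 'Get-AuthToken: no credentials supplied and the credential prompt was cancelled.'
  }

  # The user name must be a UPN: its domain part becomes the tenant in the authority URL.
  try
  {
    $userUpn = New-Object -TypeName 'System.Net.Mail.MailAddress' -ArgumentList $Credentials.UserName
  }
  catch
  {
    throw "Get-AuthToken: user name '$($Credentials.UserName)' is not a UPN (user@domain); cannot determine the tenant."
  }
  $tenant = $userUpn.Host

  # Reuse the cached token only when it was issued for the same user (the original cache was not
  # keyed by user, so a token for a different account could be handed back) and when it will not
  # expire within the next 5 minutes, so a request issued right after this call does not get a 401.
  $cachedUser = if ($null -ne $global:GraphCredentials) { $global:GraphCredentials.UserName } else { $null }
  if ($null -ne $global:authToken -and $cachedUser -eq $Credentials.UserName)
  {
    if ($global:authToken.ExpiresOn -gt (Get-Date).AddMinutes(5))
    {
      return $global:authToken
    }
  }

  Write-Verbose -Message 'Checking for AzureAD module...'
  $AadModule = Get-Module -Name 'AzureAD' -ListAvailable
  if ($null -eq $AadModule)
  {
    Write-Verbose -Message 'AzureAD PowerShell module not found, looking for AzureADPreview'
    $AadModule = Get-Module -Name 'AzureADPreview' -ListAvailable
  }
  if ($null -eq $AadModule)
  {
    Write-Warning -Message "Install by running 'Install-Module AzureAD' or 'Install-Module AzureADPreview' from an elevated PowerShell prompt"
    throw 'Get-AuthToken: AzureAD PowerShell module not installed; the ADAL assemblies it ships are required.'
  }

  # Several versions may be installed side by side; take the newest. Sorting on the Version
  # property (System.Version) compares numerically, unlike the previous string-based sort.
  $AadModule = $AadModule | Sort-Object -Property Version -Descending | Select-Object -First 1

  # Load the ADAL assemblies from the selected module's folder. Checking the paths first gives a
  # clear message instead of a bare FileNotFoundException from LoadFrom.
  $adal = Join-Path -Path $AadModule.ModuleBase -ChildPath 'Microsoft.IdentityModel.Clients.ActiveDirectory.dll'
  $adalforms = Join-Path -Path $AadModule.ModuleBase -ChildPath 'Microsoft.IdentityModel.Clients.ActiveDirectory.Platform.dll'
  foreach ($assemblyPath in @($adal, $adalforms))
  {
    if (-not (Test-Path -Path $assemblyPath -PathType Leaf))
    {
      throw "Get-AuthToken: required assembly not found in $($AadModule.ModuleBase): $assemblyPath"
    }
    $null = [System.Reflection.Assembly]::LoadFrom($assemblyPath)
  }

  # Intune Graph API client (application) ID. This is a public client: no client secret is passed
  # to AcquireTokenAsync below, so the user credentials are the only thing authenticating the call.
  $clientId = 'd1ddf0e4-d672-4dae-b554-9d5bdfd93547'
  $resourceAppIdURI = 'https://graph.microsoft.com'
  $authority = "https://login.microsoftonline.com/$tenant"

  try
  {
    $authContext = New-Object -TypeName 'Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext' -ArgumentList $authority

    # Username/password (ROPC) credential. The password is handed over as the SecureString from the
    # PSCredential; it is never converted to a plain string in this script.
    $userCredentials = New-Object -TypeName 'Microsoft.IdentityModel.Clients.ActiveDirectory.UserPasswordCredential' -ArgumentList $Credentials.UserName, $Credentials.Password

    # GetAwaiter().GetResult() surfaces the underlying AdalException; reading .Result would wrap it in
    # an AggregateException whose message ("One or more errors occurred.") hides the real cause.
    $task = [Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContextIntegratedAuthExtensions]::AcquireTokenAsync($authContext, $resourceAppIdURI, $clientId, $userCredentials)
    $authResult = $task.GetAwaiter().GetResult()

    if ([string]::IsNullOrEmpty($authResult.AccessToken))
    {
      throw 'Authorization Access Token is null, please re-run authentication...'
    }

    # ExpiresOn lives in the same hashtable so the cache check above can read it. Callers that pass
    # this hashtable straight to -Headers therefore also send an 'ExpiresOn' header; the key is
    # kept for backward compatibility with existing callers.
    $global:authToken = @{
      'Content-Type'  = 'application/json'
      'Authorization' = 'Bearer ' + $authResult.AccessToken
      'ExpiresOn'     = $authResult.ExpiresOn
    }

    # Remember which user the cached token belongs to.
    $global:GraphCredentials = $Credentials
    return $global:authToken
  }
  catch
  {
    # A terminating error (rather than 'break', which silently stopped the calling script) lets
    # callers decide how to handle an authentication failure.
    throw "Get-AuthToken: token acquisition for '$($Credentials.UserName)' against $authority failed: $($_.Exception.Message)"
  }
}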