From 329750ebfcee50db7cb9a89152109703bd44d0b6 Mon Sep 17 00:00:00 2001
From: Michal Gajda <47522674+mgajda83@users.noreply.github.com>
Date: Thu, 13 Jul 2023 15:01:06 +0200
Subject: [PATCH 1/2] Update Get-MsalToken.ps1

Added param -AsSecureString to makes it easier work with Microsoft.Graph SDK 2.0

---
 src/Get-MsalToken.ps1 | 25 ++++++++++++++++++++++++-
 1 file changed, 24 insertions(+), 1 deletion(-)

diff --git a/src/Get-MsalToken.ps1 b/src/Get-MsalToken.ps1
index f759ce4..e3eebc0 100644
--- a/src/Get-MsalToken.ps1
+++ b/src/Get-MsalToken.ps1
@@ -17,8 +17,13 @@
 PS C:\>$MsalClientApplication = Get-MsalClientApplication -ClientId '00000000-0000-0000-0000-000000000000' -ClientCertificate $ClientCertificate -TenantId '00000000-0000-0000-0000-000000000000'
 PS C:\>$MsalClientApplication | Get-MsalToken -Scopes 'https://graph.microsoft.com/.default'
 Pipe in confidential client options object to get a confidential client application using a client certificate and target a specific tenant.
+.EXAMPLE
+ PS C:\>$MsalToken = Get-MsalToken -ClientId '00000000-0000-0000-0000-000000000000' -Scopes 'https://graph.microsoft.com/User.Read','https://graph.microsoft.com/Files.ReadWrite' -AsSecureString
+ PS C:\>Connect-MgGraph -AccessToken $MsalToken.AccessTokenAsSecureString()
+ Get AccessToken and allow to convert to SecureString. Makes it easier to work with Microsoft.Graph SDK 2.0 - AccessToken param now is SecureString.
 #>
 function Get-MsalToken {
+ [Diagnostics.CodeAnalysis.SuppressMessageAttribute("PSAvoidUsingConvertToSecureStringWithPlainText", "")]
 [CmdletBinding(DefaultParameterSetName = 'PublicClient')]
 [OutputType([Microsoft.Identity.Client.AuthenticationResult])]
 param
@@ -201,7 +206,11 @@ function Get-MsalToken {
 # Specifies the timeout threshold for MSAL.net operations.
 [Parameter(Mandatory = $false)]
- [timespan] $Timeout
+ [timespan] $Timeout,
+
+ # Convert tokens to SecureString.
+ [Parameter(Mandatory = $false)]
+ [switch] $AsSecureString
 )
 begin {
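Review bot: The new `[Diagnostics.CodeAnalysis.SuppressMessageAttribute("PSAvoidUsingConvertToSecureStringWithPlainText", "")]` silences the analyzer rule for the entire function with an empty justification, although the only `ConvertTo-SecureString -AsPlainText` calls are the two script blocks added in the `@@ -387,6 +397,19 @@` hunk. Record why the suppression is acceptable on the attribute itself, e.g. `[Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSAvoidUsingConvertToSecureStringWithPlainText', '', Justification = 'The token is already a plain string on the AuthenticationResult; the SecureString is only built on demand for SDK cmdlets that take one.')]`, so the next reader does not widen it further. The .EXAMPLE text should also make clear that `-AsSecureString` does not change how the token is stored: `$MsalToken.AccessToken` is still plain text and only `AccessTokenAsSecureString()` returns a SecureString.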
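Review bot: The parameter comment `# Convert tokens to SecureString.` overstates what `-AsSecureString` does: per the `@@ -387,6 +397,19 @@` hunk the switch leaves the `AccessToken` and `IdToken` properties untouched and only attaches two script methods that build a SecureString when called. Since this comment is what Get-Help shows as the parameter description, I would write `# Add AccessTokenAsSecureString() and IdTokenAsSecureString() script methods to the result. The plain-text AccessToken and IdToken properties are unchanged.` The enclosing param block starts outside the hunk.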
@@ -380,6 +389,7 @@ function Get-MsalToken {
 else {
 $AuthenticationResult = $taskAuthenticationResult.Result
 }
+ }
 catch {
 Write-Error -Exception (Coalesce $_.Exception.InnerException,$_.Exception) -Category ([System.Management.Automation.ErrorCategory]::AuthenticationError) -CategoryActivity $MyInvocation.MyCommand -ErrorId 'GetMsalTokenFailureAuthenticationError' -TargetObject $AquireTokenParameters -ErrorAction Stop
@@ -387,6 +397,19 @@ function Get-MsalToken {
 break
 }
 }
+
+ if($AsSecureString) {
+ try {
+ $AccessTokenSecureString = { ConvertTo-SecureString -AsPlainText $this.AccessToken -Force }
+ $AuthenticationResult | Add-Member -MemberType ScriptMethod -Name AccessTokenAsSecureString -Value $AccessTokenSecureString
+ }
+ catch {}
+ try {
+ $IdTokenSecureString = { ConvertTo-SecureString -AsPlainText $this.IdToken -Force }
+ $AuthenticationResult | Add-Member -MemberType ScriptMethod -Name IdTokenAsSecureString -Value $IdTokenSecureString
+ }
+ catch {}
+ }
 return $AuthenticationResult
 }

From 03e25a44154565ab8b582707e9369fbd59034c9c Mon Sep 17 00:00:00 2001
From: Michal Gajda <47522674+mgajda83@users.noreply.github.com>
Date: Thu, 13 Jul 2023 15:02:43 +0200
Subject: [PATCH 2/2] Update Get-MsalToken.ps1

---
 src/Get-MsalToken.ps1 | 28 ++++++++++++++--------------
 1 file changed, 14 insertions(+), 14 deletions(-)

diff --git a/src/Get-MsalToken.ps1 b/src/Get-MsalToken.ps1
index e3eebc0..0e9c3f1 100644
--- a/src/Get-MsalToken.ps1
+++ b/src/Get-MsalToken.ps1
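Review bot: The lone `}` added before `catch {` changes how braces pair in a try/catch whose `try {` lies outside the hunk, and on the old side the `}` that appears to close `else` is immediately followed by `catch {`, so from the hunk alone it is not clear which block the new brace closes or how the file was balanced before. Please confirm the result still parses, e.g. with `[System.Management.Automation.Language.Parser]::ParseFile($path, [ref]$null, [ref]$errors)` in a Pester test, and that the re-indentation in PATCH 2/2 reflects the intended nesting. The surrounding try/catch starts outside the hunk.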
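Review bot: `IdTokenAsSecureString()` throws at call time whenever the result carries no ID token, because `ConvertTo-SecureString -AsPlainText $this.IdToken -Force` rejects a null or empty `-String` argument and the `try { } catch {}` around `Add-Member` only runs when the method is attached, not when it is invoked; app-only (client credential) results are the likely case, since MSAL issues no ID token for them. Guard the script block: `$IdTokenSecureString = { if ($this.IdToken) { ConvertTo-SecureString -AsPlainText $this.IdToken -Force } }`. The two empty `catch {}` blocks hide any real failure of `Add-Member` (presumably a member that already exists on a reused result object); if that is the case they guard, `Add-Member ... -Force` states it explicitly and the try/catch can go. Worth a comment at `if($AsSecureString) {` that the plain-text `AccessToken`/`IdToken` properties remain on the object, so this is a convenience for cmdlets that take a SecureString, not a reduction of the token's exposure; the enclosing block starts outside the hunk.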
@@ -19,7 +19,7 @@
 Pipe in confidential client options object to get a confidential client application using a client certificate and target a specific tenant.
 .EXAMPLE
 PS C:\>$MsalToken = Get-MsalToken -ClientId '00000000-0000-0000-0000-000000000000' -Scopes 'https://graph.microsoft.com/User.Read','https://graph.microsoft.com/Files.ReadWrite' -AsSecureString
- PS C:\>Connect-MgGraph -AccessToken $MsalToken.AccessTokenAsSecureString()
+ PS C:\>Connect-MgGraph -AccessToken $MsalToken.AccessTokenAsSecureString()
 Get AccessToken and allow to convert to SecureString. Makes it easier to work with Microsoft.Graph SDK 2.0 - AccessToken param now is SecureString.
 #>
 function Get-MsalToken {
@@ -208,7 +208,7 @@ function Get-MsalToken {
 [Parameter(Mandatory = $false)]
 [timespan] $Timeout,
- # Convert tokens to SecureString.
+ # Convert tokens to SecureString.
 [Parameter(Mandatory = $false)]
 [switch] $AsSecureString
 )
@@ -398,18 +398,18 @@ function Get-MsalToken {
 }
 }
- if($AsSecureString) {
- try {
- $AccessTokenSecureString = { ConvertTo-SecureString -AsPlainText $this.AccessToken -Force }
- $AuthenticationResult | Add-Member -MemberType ScriptMethod -Name AccessTokenAsSecureString -Value $AccessTokenSecureString
- }
- catch {}
- try {
- $IdTokenSecureString = { ConvertTo-SecureString -AsPlainText $this.IdToken -Force }
- $AuthenticationResult | Add-Member -MemberType ScriptMethod -Name IdTokenAsSecureString -Value $IdTokenSecureString
- }
- catch {}
- }
+ if($AsSecureString) {
+ try {
+ $AccessTokenSecureString = { ConvertTo-SecureString -AsPlainText $this.AccessToken -Force }
+ $AuthenticationResult | Add-Member -MemberType ScriptMethod -Name AccessTokenAsSecureString -Value $AccessTokenSecureString
+ }
+ catch {}
+ try {
+ $IdTokenSecureString = { ConvertTo-SecureString -AsPlainText $this.IdToken -Force }
+ $AuthenticationResult | Add-Member -MemberType ScriptMethod -Name IdTokenAsSecureString -Value $IdTokenSecureString
+ }
+ catch {}
+ }
 return $AuthenticationResult
 }