How can I authenticate to AAD and call the Graph API as a Native Client application with PowerShell?


Problem description

I am trying to do some very quick tests on Azure Active Directory, and I need a tool which will allow me to quickly authenticate to AAD, and make calls to the AAD Graph API.

I have registered a Native Client application in my directory already, and I have set it up to have the appropriate permissions to call the AAD Graph API.

I want to take a look at my AAD Token, and the output from the Graph API after my call. How can I use PowerShell to quickly accomplish this?

Recommended answer


>> See here for how to create a similar script that emulates a Daemon Client application using the Client Credentials flow.

PowerShell allows you to load .NET assemblies right into your command line. This means that you are able to load ADAL (Azure Active Directory Authentication Libraries) and use it to really simplify the authentication experience. Once you have acquired a token from ADAL, then you can simply use the Invoke-RestMethod cmdlet to make calls to the AAD Graph API.

First you need to download and save the .NET dlls for ADAL. The download link can be found on Nuget.

Note: We are specifically using ADAL v2 here.


You can extract the contents of the .nupkg with a File Extractor like 7z, WinZip, etc...

Extract the contents from \lib\net45\ and copy them into your working directory. I put the files in their own "ADAL" folder, to keep it separate.

Then you should be able to create a new PowerShell script with the following:

# Load ADAL
Add-Type -Path ".\ADAL\Microsoft.IdentityModel.Clients.ActiveDirectory.dll"

# Output Token and Response from AAD Graph API
$accessToken = ".\Token.txt"
$output = ".\Output.json"

# Application and Tenant Configuration
$clientId = "<AppIDGUID>"
$tenantId = "<TenantID>"
$resourceId = "https://graph.windows.net"
$redirectUri = New-Object system.uri("<ReplyURL>")
$login = "https://login.microsoftonline.com"

# Get an Access Token with ADAL
$authContext = New-Object Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext ("{0}/{1}" -f $login,$tenantId)
$authenticationResult = $authContext.AcquireToken($resourceId, $clientID, $redirectUri) 
($token = $authenticationResult.AccessToken) | Out-File $accessToken

# Call the AAD Graph API
$headers = @{ 
    "Authorization" = ("Bearer {0}" -f $token);
    "Content-Type" = "application/json";
}

Invoke-RestMethod -Method Get -Uri ("{0}/{1}/users?api-version=1.6" -f $resourceId, $tenantId) -Headers $headers -OutFile $output

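Note: You need to update the App ID, Tenant ID, and Reply URL in this script. I have also pre-configured the AAD Graph API call to return the users in the tenant, but you can change this REST call to whatever you want.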

After you successfully run the script, you should get 2 new files in your working directory: A text file that contains your encoded JSON access token, which can be base64 decoded on sites like this, and a JSON file with the response from the AAD Graph API.

Let me know if this helps!
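
The access token saved by the script can also be inspected locally, without sending it to a website. The following is an added example, not part of the original answer; it assumes `.\Token.txt` was written by the script above, and the function names `ConvertFrom-Base64Url` and `Get-JwtClaims` are hypothetical helpers defined here.

```powershell
# Added example: read the claims of the saved access token on the local machine.
# This only decodes the token; it does not verify the signature.

function ConvertFrom-Base64Url {
    param([Parameter(Mandatory)][string]$Value)
    # JWT segments use the URL-safe alphabet and omit '=' padding.
    $s = $Value.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) {
        2 { $s += '==' }
        3 { $s += '=' }
        1 { throw "Invalid base64url segment length." }
    }
    [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($s))
}

function Get-JwtClaims {
    param([Parameter(Mandatory)][string]$Token)
    $parts = $Token.Trim().Split('.')
    if ($parts.Count -ne 3) {
        throw "Expected a three-part JWT (header.payload.signature)."
    }
    $header  = ConvertFrom-Base64Url -Value $parts[0] | ConvertFrom-Json
    $payload = ConvertFrom-Base64Url -Value $parts[1] | ConvertFrom-Json
    [pscustomobject]@{ Header = $header; Payload = $payload }
}

# Assumption: Token.txt is in the working directory, as in the script above.
$jwt   = Get-JwtClaims -Token (Get-Content -Raw -Path ".\Token.txt")
$epoch = New-Object DateTime (1970, 1, 1, 0, 0, 0, [DateTimeKind]::Utc)

# Claims worth checking: who the token is for, who it was issued to,
# which delegated permissions it carries, and when it expires.
[pscustomobject]@{
    Algorithm = $jwt.Header.alg
    Audience  = $jwt.Payload.aud
    Tenant    = $jwt.Payload.tid
    AppId     = $jwt.Payload.appid
    Scopes    = $jwt.Payload.scp
    ExpiresAt = $epoch.AddSeconds([double]$jwt.Payload.exp)
} | Format-List

# Token.txt holds a bearer credential that stays valid until ExpiresAt.
# Uncomment to delete it once the test is finished:
# Remove-Item -Path ".\Token.txt"
```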
