How can I authenticate to AAD and call the Graph API as a Native Client application with PowerShell?


Problem description

I am trying to do some very quick tests on Azure Active Directory, and I need a tool which will allow me to quickly authenticate to AAD, and make calls to the AAD Graph API.

I have registered a Native Client application in my directory already, and I have set it up to have the appropriate permissions to call the AAD Graph API.

I want to take a look at my AAD Token, and the output from the Graph API after my call. How can I use PowerShell to quickly accomplish this?

Recommended answer

PowerShell allows you to load .NET assemblies right into your command line. This means that you are able to load ADAL (Azure Active Directory Authentication Libraries) and use it to really simplify the authentication experience. Once you have acquired a token from ADAL, then you can simply use the Invoke-RestMethod cmdlet to make calls to the AAD Graph API.

First you need to download and save the .NET dlls for ADAL. The download link can be found on Nuget.

Note: We are specifically using ADAL v2 here.

You can extract the contents of the .nupkg with a File Extractor like 7z, WinZip, etc...

Extract the contents from \lib\net45\ and copy them into your working directory. I put the files in their own "ADAL" folder, to keep it separate.

Then you should be able to create a new PowerShell script with the following:

# Load ADAL
Add-Type -Path ".\ADAL\Microsoft.IdentityModel.Clients.ActiveDirectory.dll"

# Output Token and Response from AAD Graph API
$accessToken = ".\Token.txt"
$output = ".\Output.json"

# Application and Tenant Configuration
$clientId = "<AppIDGUID>"
$tenantId = "<TenantID>"
$resourceId = "https://graph.windows.net"
$redirectUri = New-Object system.uri("<ReplyURL>")
$login = "https://login.microsoftonline.com"

# Get an Access Token with ADAL
$authContext = New-Object Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext ("{0}/{1}" -f $login,$tenantId)
$authenticationResult = $authContext.AcquireToken($resourceId, $clientId, $redirectUri)
($token = $authenticationResult.AccessToken) | Out-File $accessToken

# Call the AAD Graph API
$headers = @{
    "Authorization" = ("Bearer {0}" -f $token);
    "Content-Type" = "application/json";
}

Invoke-RestMethod -Method Get -Uri ("{0}/{1}/users?api-version=1.6" -f $resourceId, $tenantId) -Headers $headers -OutFile $output

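Note: You will need to update the App ID, Tenant ID, and Reply URL in this script. I have also pre-configured the AAD Graph API call to return the users in my tenant, but you can change this REST call to whatever you would like.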

After you successfully run the script, you should get 2 new files in your working directory: A text file that contains your encoded JSON access token, which can be base64 decoded on sites like this, and a JSON file with the response from the AAD Graph API.

Let me know if this helps!
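
The token written to Token.txt can also be inspected locally, so the bearer token never leaves the machine. The following is an added example, not part of the original answer; the function names `ConvertFrom-Base64Url`, `ConvertTo-Base64Url` and `Get-JwtClaims` are hypothetical, and the sample token and its claim values are constructed for illustration.

```powershell
# Added example: decode a JWT access token locally for inspection.
# This only decodes the header and payload; it does not verify the signature.
function ConvertFrom-Base64Url {
    param([Parameter(Mandatory)][string]$Value)
    # base64url -> base64: swap the URL-safe characters and restore padding
    $s = $Value.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) {
        1 { throw "Invalid base64url segment length" }
        2 { $s += '==' }
        3 { $s += '=' }
    }
    [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($s))
}

function Get-JwtClaims {
    param([Parameter(Mandatory)][string]$Token)
    # Trim() drops the trailing newline that Out-File appends
    $parts = $Token.Trim().Split('.')
    if ($parts.Count -ne 3) {
        throw "Expected header.payload.signature, got $($parts.Count) segment(s)"
    }
    $header  = ConvertFrom-Base64Url $parts[0] | ConvertFrom-Json
    $payload = ConvertFrom-Base64Url $parts[1] | ConvertFrom-Json
    # 'exp' is expressed in seconds since the Unix epoch (UTC)
    $epoch = New-Object System.DateTime 1970, 1, 1, 0, 0, 0, ([System.DateTimeKind]::Utc)
    [pscustomobject]@{
        Algorithm  = $header.alg
        Audience   = $payload.aud
        Scopes     = $payload.scp
        ExpiresUtc = $epoch.AddSeconds($payload.exp)
        Payload    = $payload
    }
}

# Constructed sample token (not a real AAD token), built inline so this runs offline
function ConvertTo-Base64Url([string]$Text) {
    $b64 = [System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($Text))
    $b64.TrimEnd('=').Replace('+', '-').Replace('/', '_')
}
$sample = @(
    (ConvertTo-Base64Url '{"alg":"RS256","typ":"JWT"}'),
    (ConvertTo-Base64Url '{"aud":"https://graph.windows.net","scp":"User.Read","exp":1700000000}'),
    'constructed-signature'
) -join '.'
Get-JwtClaims $sample | Format-List Algorithm, Audience, Scopes, ExpiresUtc
```

To inspect the token produced by the script in the answer, run `Get-JwtClaims (Get-Content .\Token.txt -Raw)` from the same working directory.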
