How can I authenticate to AAD and call the Graph API as a Daemon Application with PowerShell?


Question

I am trying to do some very quick tests on Azure Active Directory, and I want to use a Daemon Application to access the Graph API without needing a user present to authenticate. I want to verify that my application registration can successfully authenticate to AAD, that my client secret is valid, and make calls to the AAD Graph API.

I have registered a "Web App/API" in my directory already, and I have set it up to have the appropriate permissions to call the AAD Graph API in the App Only context. I have also generated an application key/certificate for my app so that I can authenticate as a confidential client.

I want to take a look at my AAD token, and the output from the Graph API after my call. How can I use PowerShell to quickly accomplish this?

Answer

This question is very similar to this one, where we create a PowerShell script to authenticate as a Native Client Application. However, in this situation there are some subtle and important differences, because you want to authenticate as a confidential client. Specifically, we need to create a Client Credential so that we can authenticate without a user, as a Daemon Application.

First you need to download and save the .NET DLLs for ADAL. The download link can be found on NuGet.

Note: we are specifically using ADAL v2 here.

You can extract the contents of the .nupkg with a file extractor like 7z, WinZip, etc.

Extract the contents from lib\net45 and copy them into your working directory. I put the files in their own "ADAL" folder, to keep it separate.

Then you should be able to create a new PowerShell script with the following:

# Load ADAL
Add-Type -Path ".\ADAL\Microsoft.IdentityModel.Clients.ActiveDirectory.dll"

# Output Token and Response from AAD Graph API
$accessToken = ".\Token.txt"
$output = ".\Output.json"

# Application and Tenant Configuration
$clientId = "<AppIDGUID>"
$tenantId = "<TenantID>"
$resourceId = "https://graph.windows.net"
$login = "https://login.microsoftonline.com"

# Create Client Credential Using App Key
$secret = "<AppKey>"
$clientCredential = New-Object Microsoft.IdentityModel.Clients.ActiveDirectory.ClientCredential($clientId, $secret)


# Create Client Credential Using Certificate
# (ADAL expects an X509Certificate2 wrapped in a ClientAssertionCertificate here, not a plain ClientCredential)
#$certFile = "<PFXFilePath>"
#$certFilePassword = "<CertPassword>"
#$cert = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $certFile,$certFilePassword
#$clientCredential = New-Object Microsoft.IdentityModel.Clients.ActiveDirectory.ClientAssertionCertificate($clientId, $cert)


# Get an Access Token with ADAL
$authContext = New-Object Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext("{0}/{1}" -f $login,$tenantId)
$authenticationResult = $authContext.AcquireToken($resourceId, $clientCredential)
($token = $authenticationResult.AccessToken) | Out-File $accessToken


# Call the AAD Graph API
$headers = @{
    "Authorization" = ("Bearer {0}" -f $token);
    "Content-Type" = "application/json";
}

Invoke-RestMethod -Method Get -Uri ("{0}/{1}/users?api-version=1.6" -f $resourceId,$tenantId) -Headers $headers -OutFile $output

Note: you need to update the App ID, Tenant ID and App Secret information in this script. If you are authenticating with a certificate, just comment out the code that uses the App Key and uncomment the code that uses the certificate. I have also pre-configured the AAD Graph API call to return the users in my tenant, but you can change this REST call to whatever you want.

After you successfully run the script, you should get 2 new files in your working directory: a text file that contains your encoded JSON access token, which can be base64 decoded on sites like this, and a JSON file with the response from the AAD Graph API.

Let me know if this helps!
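The answer above suggests decoding the saved token on a website. Since the file holds a live bearer token for your tenant, a practitioner will usually prefer to decode it locally and check the claims that matter for an app-only token (audience, app ID, tenant, granted application roles, expiry). The following PowerShell is an added example, not part of the original answer or of ADAL; it assumes the token was written to .\Token.txt by the script above and that it is a standard three-segment JWT.

```powershell
# Added example: decode the access token locally instead of pasting it into a third-party site.
# Assumes .\Token.txt was produced by the script above (path is an assumption).

function ConvertFrom-Base64Url {
    param([Parameter(Mandatory)][string]$Value)
    # JWT segments use the base64url alphabet (RFC 4648 section 5) with padding stripped;
    # restore the standard alphabet and padding before handing it to .NET
    $s = $Value.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) {
        2 { $s += '==' }
        3 { $s += '=' }
    }
    return [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($s))
}

function Get-JwtClaims {
    param([Parameter(Mandatory)][string]$Token)
    $parts = $Token.Trim().Split('.')
    if ($parts.Count -ne 3) { throw "Not a compact JWS: expected 3 segments, got $($parts.Count)" }
    # The signature (third segment) is not verified here; AAD Graph does that server-side.
    [pscustomobject]@{
        Header  = ConvertFrom-Base64Url $parts[0] | ConvertFrom-Json
        Payload = ConvertFrom-Base64Url $parts[1] | ConvertFrom-Json
    }
}

$jwt    = Get-JwtClaims (Get-Content ".\Token.txt" -Raw)
$claims = $jwt.Payload

# 'exp' is Unix epoch seconds (UTC)
$epoch   = New-Object DateTime 1970, 1, 1, 0, 0, 0, ([DateTimeKind]::Utc)
$expires = $epoch.AddSeconds([double]$claims.exp)

"Signing alg  : $($jwt.Header.alg)"
"Audience     : $($claims.aud)"                 # expect the resource you asked for, https://graph.windows.net
"App ID       : $($claims.appid)"               # expect your <AppIDGUID>
"Tenant       : $($claims.tid)"                 # expect your <TenantID>
"App roles    : $($claims.roles -join ', ')"    # application permissions actually granted to the app
"Expires (UTC): $expires"

# Checks a daemon token should pass before you trust what the Graph call returned
if ($expires -lt [DateTime]::UtcNow) {
    Write-Warning "Token has already expired"
}
if ($claims.PSObject.Properties.Name -contains 'upn') {
    Write-Warning "Token carries a user identity (upn); this is a delegated token, not an app-only one"
}
if (-not $claims.roles) {
    Write-Warning "Token has no 'roles' claim; application permissions may not have been admin-consented"
}
```

Run it from the same working directory after the script above. An empty `roles` claim is the usual reason an app-only Graph call returns 403 even though token acquisition succeeded: the permission was configured but admin consent was never granted, so the token is valid but carries no application permissions.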
