How can I authenticate to AAD and call the Graph API as a Daemon Application with PowerShell?
Question
I am trying to do some very quick tests on Azure Active Directory, and I want to use a Daemon Application to access the Graph API without needing a user present to authenticate. I want to verify that my application registration can successfully authenticate to AAD, that my client secret is valid, and make calls to the AAD Graph API.
I have registered a "Web App/API" in my directory already, and I have set it up to have the appropriate permissions to call the AAD Graph API in the App Only context. I have also generated an application key/certificate for my app so that I can authenticate as a confidential client.
I want to take a look at my AAD token, and at the output from the Graph API after my call. How can I use PowerShell to quickly accomplish this?
Answer
This question is very similar to this one, where we create a PowerShell script to authenticate as a Native Client Application. However, in this situation there are some subtle and important differences, because you want to authenticate as a confidential client. Specifically, we need to create a Client Credential so that we can authenticate without a user, as a Daemon Application.
First you need to download and save the .NET DLLs for ADAL. The download link can be found on NuGet.
Note: we are specifically using ADAL v2 here.
You can extract the contents of the .nupkg with a file extractor like 7z, WinZip, etc.
Extract the contents from lib\net45 and copy them into your working directory. I put the files in their own "ADAL" folder, to keep it separate.
Then you should be able to create a new PowerShell script with the following:
# Load ADAL
Add-Type -Path ".\ADAL\Microsoft.IdentityModel.Clients.ActiveDirectory.dll"
# Output Token and Response from AAD Graph API
$accessToken = ".\Token.txt"
$output = ".\Output.json"
# Application and Tenant Configuration
$clientId = "<AppIDGUID>"
$tenantId = "<TenantID>"
$resourceId = "https://graph.windows.net"
$login = "https://login.microsoftonline.com"
# Create Client Credential Using App Key
$secret = "<AppKey>"
$clientCredential = New-Object Microsoft.IdentityModel.Clients.ActiveDirectory.ClientCredential($clientId,$secret)
# Create Client Credential Using Certificate
# (ADAL v2 wraps a certificate in ClientAssertionCertificate, not ClientCredential, and it
#  needs an X509Certificate2; comment out the two App Key lines above when using this path)
#$certFile = "<PFXFilePath>"
#$certFilePassword = "<CertPassword>"
#$cert = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $certFile,$certFilePassword
#$clientCredential = New-Object Microsoft.IdentityModel.Clients.ActiveDirectory.ClientAssertionCertificate($clientId,$cert)
# Get an Access Token with ADAL
$authContext = New-Object Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext("{0}/{1}" -f $login,$tenantId)
$authenticationResult = $authContext.AcquireToken($resourceId, $clientCredential)
($token = $authenticationResult.AccessToken) | Out-File $accessToken
# Call the AAD Graph API
$headers = @{
    "Authorization" = ("Bearer {0}" -f $token);
    "Content-Type" = "application/json";
}
Invoke-RestMethod -Method Get -Uri ("{0}/{1}/users?api-version=1.6" -f $resourceId,$tenantId) -Headers $headers -OutFile $output
Note: you will need to update the App ID, Tenant ID, and your App Secret information in this script. If you are authenticating with a certificate, just comment out the code that uses the App Key and uncomment the code that uses the certificate. I have also pre-configured the AAD Graph API call to return the users in my tenant, but you can change this REST call to whatever you want.
After you successfully run the script, you should get 2 new files in your working directory: a text file that contains your encoded JSON access token, which can be base64 decoded on sites like this, and a JSON file with the response from the AAD Graph API.
Let me know if this helps!
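The answer suggests decoding the saved access token on a web site. The following is an added example, not part of the answer above, that decodes the JWT locally instead (a bearer token is a live credential, so it is better not to paste it into third-party sites) and checks the claims that distinguish a working app-only (daemon) token: audience, tenant, application id, absence of user claims, presence of application roles, and expiry. The function names (ConvertTo-Base64Url, ConvertFrom-Base64Url, ConvertFrom-Jwt, Test-AppOnlyToken), the sample IDs and the sample token are all constructed for this example; the claim names (aud, tid, appid, roles, upn, scp, exp) are the standard AAD token claims. It parses the compact JWS only and does not verify the signature, which is the resource's job.

```powershell
# Added example: inspect an app-only AAD access token locally instead of pasting it
# into a web decoder. Parses the compact JWS and reports claims; the signature is NOT
# verified here (the resource validates it), so treat this as a claims viewer only.

function ConvertTo-Base64Url {
    param([Parameter(Mandatory)][string]$Text)
    # Standard base64, then the JWT alphabet: no padding, '-' and '_' instead of '+' and '/'
    [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($Text)).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

function ConvertFrom-Base64Url {
    param([Parameter(Mandatory)][string]$Value)
    $s = $Value.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) {            # restore the padding that JWT segments strip
        2 { $s += '==' }
        3 { $s += '=' }
        1 { throw "Invalid base64url segment length" }
    }
    [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($s))
}

function ConvertFrom-Jwt {
    param([Parameter(Mandatory)][string]$Token)
    $parts = $Token.Trim().Split('.')
    if ($parts.Count -ne 3) { throw "Expected a compact JWS with 3 dot-separated segments, got $($parts.Count)" }
    [pscustomobject]@{
        Header    = ConvertFrom-Base64Url $parts[0] | ConvertFrom-Json
        Payload   = ConvertFrom-Base64Url $parts[1] | ConvertFrom-Json
        Signature = $parts[2]           # opaque here; not checked
    }
}

function Test-AppOnlyToken {
    param(
        [Parameter(Mandatory)][string]$Token,
        [Parameter(Mandatory)][string]$ExpectedClientId,
        [Parameter(Mandatory)][string]$ExpectedTenantId,
        [string]$ExpectedAudience = "https://graph.windows.net"
    )
    $p   = (ConvertFrom-Jwt $Token).Payload
    $now = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds()
    # Each entry is (check name, passed). A daemon token issued to your app should pass all of them.
    [ordered]@{
        "aud is the Graph resource"               = ($p.aud -eq $ExpectedAudience)
        "tid is the expected tenant"              = ($p.tid -eq $ExpectedTenantId)
        "appid is our app registration"           = ($p.appid -eq $ExpectedClientId)
        "app-only: no user (upn/scp) claims"      = (-not $p.upn -and -not $p.scp)
        "application permissions (roles) present" = ($null -ne $p.roles -and @($p.roles).Count -gt 0)
        "not yet expired"                         = ($p.exp -gt $now)
    }
}

# --- Constructed sample token (fake IDs, fake signature) so the example runs offline ---
$sampleClientId = "11111111-1111-1111-1111-111111111111"
$sampleTenantId = "22222222-2222-2222-2222-222222222222"
$header  = '{"typ":"JWT","alg":"RS256","kid":"constructed-kid"}'
$payload = @{
    aud   = "https://graph.windows.net"
    iss   = "https://sts.windows.net/$sampleTenantId/"
    tid   = $sampleTenantId
    appid = $sampleClientId
    roles = @("Directory.Read.All")
    exp   = [DateTimeOffset]::UtcNow.AddHours(1).ToUnixTimeSeconds()
} | ConvertTo-Json -Compress
$sampleToken = "{0}.{1}.{2}" -f (ConvertTo-Base64Url $header), (ConvertTo-Base64Url $payload), "fake-signature"

Test-AppOnlyToken -Token $sampleToken -ExpectedClientId $sampleClientId -ExpectedTenantId $sampleTenantId

# Against the real token written by the script in the answer (same $clientId / $tenantId variables):
# Test-AppOnlyToken -Token (Get-Content .\Token.txt -Raw) -ExpectedClientId $clientId -ExpectedTenantId $tenantId
```

If a check fails, the usual causes are: aud mismatch (token requested for the wrong resource), roles missing (application permissions not granted admin consent in the portal), or user claims present (the token was obtained with a user flow rather than client credentials). Remember that Token.txt holds a valid bearer token until it expires, so delete it when the test is done.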