Skip to main content

Create application access token and authorization header

To authentication against the Microsoft Graph API there are two general concepts. Application permissions allow an application in Microsoft Entra ID to act as it's own entity, rather than on behalf of a specific user. Delegated permissions allow an application in Microsoft Entra ID to perform actions on behalf of a particular user.

This guide focuses on authentication as an application to create unattended automations. To create or renew a token in the user context there are other instructions.

Use case

 

API Authentication

 

Build authorization header via PowerShell script

 

Function Build-AzureADApplicationAccessHeader(){
    param(
        $tenantid,
        $clientid,
        $clientSecret,
        $refreshtoken
    )

    $authenticationurl = "https://login.microsoftonline.com/$tenantid/oauth2/v2.0/token"

    if($refreshtoken -and $tenantId){
        $tokenBodySource = @{
            grant_type = "refresh_token"
            scope = "https://graph.microsoft.com/.default"
            refresh_token  = $refreshtoken
        }
    }
    elseif($tenantId -and $clientid -and $clientSecret){
        $tokenBodySource = @{
            grant_type = "client_credentials"
            scope = "https://graph.microsoft.com/.default"
            client_id  = $clientid
            client_secret = "$clientSecret"
        }
    }
    else{
        Write-Error "Authorization not successful. Not enough information provided."
    }

    while ([string]::IsNullOrEmpty($AuthResponse.access_token)) {
        $AuthResponse = try {
            Invoke-RestMethod -Method POST -Uri $authenticationurl -Body $tokenBodySource
        }
        catch {
            $ErrorAuthResponse = $_.ErrorDetails.Message | ConvertFrom-Json
            if ($ErrorAuthResponse.error -ne "authorization_pending") {
                Write-Error "Authorization not successful. Error while posting body source: $($ErrorAuthResponse.error)"
                throw
            }
        }
    }

    if($AuthResponse.token_type -and $AuthResponse.access_token){
        $global:AzureAdAccessToken = "$($AuthResponse.token_type) $($AuthResponse.access_token)"
        $global:Header = @{
            "Authorization" = "$global:AzureAdAccessToken"
        }
        Write-Output "Authorization successful! Token saved in varable."
    }
    else{
        Write-Error "Authorization not successful. Not enough information provided."
    }
}

# Authorization Header with ClientId & ClientSecret
$tenantId=""
$ClientId=""
$ClientSecret=""

Build-AzureADApplicationAccessHeader -tenantid $tenantid -clientid $clientid -clientSecret $clientSecret

# Authorization Header with refresh_token
$tenantId=""
$refreshtoken=""
Build-AzureADApplicationAccessHeader -tenantid $tenantid -refreshtoken $refreshtoken

Get Bearer Token via PowerShell script

 


function Get-AzureADApplicationAccessToken {
    param(
        $tenantid,
        $clientid,
        $clientSecret,
        $refreshtoken
    )

    $authenticationurl = "https://login.microsoftonline.com/$tenantid/oauth2/v2.0/token"

    if($refreshtoken -and $tenantId){
        $tokenBodySource = @{
            grant_type = "refresh_token"
            scope = "https://graph.microsoft.com/.default"
            refresh_token  = $refreshtoken
        }
    }
    elseif($tenantId -and $clientid -and $clientSecret){
        $tokenBodySource = @{
            grant_type = "client_credentials"
            scope = "https://graph.microsoft.com/.default"
            client_id  = $clientid
            client_secret = "$clientSecret"
        }
    }
    else{
        Write-Error "Authorization not successful. Not enough information provided."
    }

    while ([string]::IsNullOrEmpty($AuthResponse.access_token)) {
        $AuthResponse = try {
            Invoke-RestMethod -Method POST -Uri $authenticationurl -Body $tokenBodySource
        }
        catch {
            $ErrorAuthResponse = $_.ErrorDetails.Message | ConvertFrom-Json
            if ($ErrorAuthResponse.error -ne "authorization_pending") {
                Write-Error "Authorization not successful. Error while posting body source: $($ErrorAuthResponse.error)"
            }
        }
    }

    if($AuthResponse.token_type -and $AuthResponse.access_token){
        $global:AzureAdAccessToken = "$($AuthResponse.token_type) $($AuthResponse.access_token)"
        Write-Output "Authorization successful! Token saved in varable."
    }
    else{
        Write-Error "Authorization not successful. Not enough information provided."
    }
}

$tenantId=""
$ClientId=""
$ClientSecret=""

Get-AzureADApplicationAccessToken -tenantid $tenantid -clientid $clientid -clientSecret $clientSecret