search

Authentication

hashtag
Microsoft Resources in Azure Active Directory

Resource Name
Resource URI
Application ID

AAD Graph API

https://graph.windows.net/arrow-up-right

00000002-0000-0000-c000-000000000000

Office 365 Exchange Online

https://outlook-sdf.office.com/arrow-up-right

00000002-0000-0ff1-ce00-000000000000

Microsoft Graph

https://graph.microsoft.comarrow-up-right

00000003-0000-0000-c000-000000000000

Skype for Business Online

https://api.skypeforbusiness.com/arrow-up-right

00000004-0000-0ff1-ce00-000000000000

Office 365 Yammer

https://api.yammer.com/arrow-up-right

00000005-0000-0ff1-ce00-000000000000

OneNote

https://onenote.com/arrow-up-right

2d4d3d8e-2be3-4bef-9f87-7875a61c29de

Windows Azure Service Management API

https://management.core.windows.net/arrow-up-right

797f4846-ba00-4fd7-ba43-dac1f8f63013

Office 365 Management APIs

https://manage.office.comarrow-up-right

c5393580-f805-4401-95e8-94b7a6ef2fc2

Microsoft Teams Services

https://api.spaces.skype.com/arrow-up-right

cc15fd57-2c6c-4117-a88c-83b1d56b4bbe

Azure Key Vault

https://vault.azure.netarrow-up-right

cfa8b339-82a2-471a-a3c9-0fc0be7a4093

LogoCommon Microsoft Resources in Azure Active Directory | Shawn Tabriziwww.shawntabrizi.comchevron-right

hashtag
Access and Refresh Tokens

Feature

Access Token

Refresh Token

Purpose

Grants access to protected resources (APIs, services)

Used to obtain new access tokens without re-authentication

Audience

Resource server (e.g., Microsoft Graph API, custom APIs)

Azure AD (token endpoint)

Token Lifetime (default)

~1 hour

90 days (rolling, updated with use)

Usage frequency

Frequently – with every API call

Occasionally – only when access token expires

Format

JWT (JSON Web Token)

Opaque string

Scope

Narrow – specific to the resource and scopes requested

Broad – valid across multiple resources (depending on scopes)

Revocation

Difficult to revoke individually

Can be revoked by Azure AD or upon sign-out/token misuse

Refreshable?

No

Yes (can issue new access + refresh tokens if still valid)

hashtag
Access Tokens

LogoAccess tokens in the Microsoft identity platform - Microsoft identity platformMicrosoftLearnchevron-right

hashtag
Refresh Tokens

LogoRefresh tokens in the Microsoft identity platform - Microsoft identity platformMicrosoftLearnchevron-right

hashtag
Authentication Methods

hashtag
Microsoft Graph

hashtag
Az PowerShell

hashtag
Device Code Authentication

The above script demonstrates how to perform a device code authentication flow using PowerShell to interact with Microsoft Graph. The process involves generating a device code, having the user authorize the device by entering the code at the specified URL, and then exchanging the device code for access tokens.

hashtag
Steps involved

  1. Generate Device Code: The script sends a POST request to OAuth 2.0 /devicecode endpoint with necessary parameters to obtain a device code and user code.

  2. User Authorization: Direct the user to go to microsoft.com/deviceloginarrow-up-right and input the device code provided in the $authResponse.

  3. Token Exchange: After user authorization, another POST request is made to the OAuth 2.0 /token endpoint to exchange the device code for access and refresh tokens.

By completing these steps, your script will be able to authenticate the user and get access to Microsoft Graph resources, allowing for further integration and automation of tasks via PowerShell.

Go to device login microsoft.com/deviceloginarrow-up-right and input the device code.

The example will authenticate to PowerShell (Application ID 1950a258-227b-4e31-a9cf-717495945fc2)

hashtag
Microsoft Applications ID

Below list for some application IDs built in Microsoft:

Name
Application ID

Microsoft Azure PowerShell

1950a258-227b-4e31-a9cf-717495945fc2

Microsoft Azure CLI

04b07795-8ddb-461a-bbee-02f9e1bf7b46

Portal Azure

c44b4083-3bb0-49c1-b47d-974e53cbdf3c

Microsoft Office

d3590ed6-52b3-4102-aeff-aad2292ab01c

PreviousAzureNextTokens

Last updated