Authentication

Microsoft Resources in Azure Active Directory

Resource Name	Resource URI	Application ID
AAD Graph API	https://graph.windows.net/	00000002-0000-0000-c000-000000000000
Office 365 Exchange Online	https://outlook-sdf.office.com/	00000002-0000-0ff1-ce00-000000000000
Microsoft Graph	https://graph.microsoft.com	00000003-0000-0000-c000-000000000000
Skype for Business Online	https://api.skypeforbusiness.com/	00000004-0000-0ff1-ce00-000000000000
Office 365 Yammer	https://api.yammer.com/	00000005-0000-0ff1-ce00-000000000000
OneNote	https://onenote.com/	2d4d3d8e-2be3-4bef-9f87-7875a61c29de
Windows Azure Service Management API	https://management.core.windows.net/	797f4846-ba00-4fd7-ba43-dac1f8f63013
Office 365 Management APIs	https://manage.office.com	c5393580-f805-4401-95e8-94b7a6ef2fc2
Microsoft Teams Services	https://api.spaces.skype.com/	cc15fd57-2c6c-4117-a88c-83b1d56b4bbe
Azure Key Vault	https://vault.azure.net	cfa8b339-82a2-471a-a3c9-0fc0be7a4093

Common Microsoft Resources in Azure Active Directory | Shawn Tabrizi

Access and Refresh Tokens

Feature	Access Token	Refresh Token
Purpose	Grants access to protected resources (APIs, services)	Used to obtain new access tokens without re-authentication
Audience	Resource server (e.g., Microsoft Graph API, custom APIs)	Azure AD (token endpoint)
Token Lifetime (default)	~1 hour	90 days (rolling, updated with use)
Usage frequency	Frequently – with every API call	Occasionally – only when access token expires
Format	JWT (JSON Web Token)	Opaque string
Scope	Narrow – specific to the resource and scopes requested	Broad – valid across multiple resources (depending on scopes)
Revocation	Difficult to revoke individually	Can be revoked by Azure AD or upon sign-out/token misuse
Refreshable?	No	Yes (can issue new access + refresh tokens if still valid)

Access Tokens

Access tokens in the Microsoft identity platform - Microsoft identity platformMicrosoftLearn

Refresh Tokens

Refresh tokens in the Microsoft identity platform - Microsoft identity platformMicrosoftLearn

Authentication Methods

Microsoft Graph

https://graph.microsoft.com/.default

Connect-MgGraph -AccessToken ($accesstoken | ConvertTo-SecureString -AsPlainText -Force)

Az PowerShell

https://management.azure.com/.default

Connect-AzAccount -AccessToken $accesstoken -AccountId {user}@{domain}.onmicrosoft.com

Device Code Authentication

The above script demonstrates how to perform a device code authentication flow using PowerShell to interact with Microsoft Graph. The process involves generating a device code, having the user authorize the device by entering the code at the specified URL, and then exchanging the device code for access tokens.

Steps involved

1. Generate Device Code: The script sends a POST request to OAuth 2.0 /devicecode endpoint with necessary parameters to obtain a device code and user code.

2. User Authorization: Direct the user to go to microsoft.com/devicelogin and input the device code provided in the $authResponse.
3. Token Exchange: After user authorization, another POST request is made to the OAuth 2.0 /token endpoint to exchange the device code for access and refresh tokens.

By completing these steps, your script will be able to authenticate the user and get access to Microsoft Graph resources, allowing for further integration and automation of tasks via PowerShell.

$body = @{
    "client_id" =     "1950a258-227b-4e31-a9cf-717495945fc2"
    "resource" =      "https://graph.microsoft.com"
}
$UserAgent = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10\_15\_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36"
$Headers=@{}
$Headers["User-Agent"] = $UserAgent
$authResponse = Invoke-RestMethod `
    -UseBasicParsing `
    -Method Post `
    -Uri "https://login.microsoftonline.com/common/oauth2/devicecode?api-version=1.0" `
    -Headers $Headers `
    -Body $body
$authResponse

Go to device login microsoft.com/devicelogin and input the device code.

$body=@{
    "client_id" =  "1950a258-227b-4e31-a9cf-717495945fc2"
    "grant_type" = "urn:ietf:params:oauth:grant-type:device_code"
    "code" =       $authResponse.device_code
}
$Tokens = Invoke-RestMethod `
    -UseBasicParsing `
    -Method Post `
    -Uri "https://login.microsoftonline.com/Common/oauth2/token?api-version=1.0" `
    -Headers $Headers `
    -Body $body
$Tokens

The example will authenticate to PowerShell (Application ID 1950a258-227b-4e31-a9cf-717495945fc2)

Microsoft Applications ID

Below list for some application IDs built in Microsoft:

Name	Application ID
Microsoft Azure PowerShell	1950a258-227b-4e31-a9cf-717495945fc2
Microsoft Azure CLI	04b07795-8ddb-461a-bbee-02f9e1bf7b46
Portal Azure	c44b4083-3bb0-49c1-b47d-974e53cbdf3c
Microsoft Office	d3590ed6-52b3-4102-aeff-aad2292ab01c