# Authentication

## Microsoft Resources in Azure Active Directory

| Resource Name                        | Resource URI                                                | Application ID                       |
| ------------------------------------ | ----------------------------------------------------------- | ------------------------------------ |
| AAD Graph API                        | <https://graph.windows.net/>                                | 00000002-0000-0000-c000-000000000000 |
| Office 365 Exchange Online           | <https://outlook-sdf.office.com/>                           | 00000002-0000-0ff1-ce00-000000000000 |
| Microsoft Graph                      | [https://graph.microsoft.com](https://graph.microsoft.com/) | 00000003-0000-0000-c000-000000000000 |
| Skype for Business Online            | <https://api.skypeforbusiness.com/>                         | 00000004-0000-0ff1-ce00-000000000000 |
| Office 365 Yammer                    | <https://api.yammer.com/>                                   | 00000005-0000-0ff1-ce00-000000000000 |
| OneNote                              | <https://onenote.com/>                                      | 2d4d3d8e-2be3-4bef-9f87-7875a61c29de |
| Windows Azure Service Management API | <https://management.core.windows.net/>                      | 797f4846-ba00-4fd7-ba43-dac1f8f63013 |
| Office 365 Management APIs           | [https://manage.office.com](https://manage.office.com/)     | c5393580-f805-4401-95e8-94b7a6ef2fc2 |
| Microsoft Teams Services             | <https://api.spaces.skype.com/>                             | cc15fd57-2c6c-4117-a88c-83b1d56b4bbe |
| Azure Key Vault                      | [https://vault.azure.net](https://vault.azure.net/)         | cfa8b339-82a2-471a-a3c9-0fc0be7a4093 |

{% embed url="https://www.shawntabrizi.com/blog/aad/common-microsoft-resources-azure-active-directory/" %}

## Access and Refresh Tokens

| Feature                      | **Access Token**                                         | **Refresh Token**                                             |
| ---------------------------- | -------------------------------------------------------- | ------------------------------------------------------------- |
| **Purpose**                  | Grants access to protected resources (APIs, services)    | Used to obtain new access tokens without re-authentication    |
| **Audience**                 | Resource server (e.g., Microsoft Graph API, custom APIs) | Azure AD (token endpoint)                                     |
| **Token Lifetime (default)** | ~1 hour                                                  | 90 days (rolling, updated with use)                           |
| **Usage frequency**          | Frequently – with every API call                         | Occasionally – only when access token expires                 |
| **Format**                   | JWT (JSON Web Token)                                     | Opaque string                                                 |
| **Scope**                    | Narrow – specific to the resource and scopes requested   | Broad – valid across multiple resources (depending on scopes) |
| **Revocation**               | Difficult to revoke individually                         | Can be revoked by Azure AD or upon sign-out/token misuse      |
| **Refreshable?**             | No                                                       | Yes (can issue new access + refresh tokens if still valid)    |
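Because an access token is a JWT, its audience, scopes and expiry can be read before it is handed to a client such as `Connect-MgGraph`. The following is an added example, not code from the original page: it base64url-decodes the payload segment and reports the claims a practitioner checks first. The sample token is constructed in the script (unsigned, with a dummy signature segment) so the example runs offline; the function names and the placeholder tenant id are this example's own.

```powershell
# Added example: inspect the claims of an Azure AD / Entra ID access token.
# This only decodes the payload; it does NOT verify the signature. Signature
# validation is the resource server's job, so treat this as inspection only.

function ConvertFrom-JwtPayload {
    param([Parameter(Mandatory)][string]$Token)

    $parts = $Token.Split('.')
    if ($parts.Count -ne 3) { throw "Not a JWT: expected 3 segments, got $($parts.Count)" }

    # base64url -> base64: restore the standard alphabet and the '=' padding
    $b64 = $parts[1].Replace('-', '+').Replace('_', '/')
    $b64 = $b64.PadRight($b64.Length + ((4 - $b64.Length % 4) % 4), '=')

    $json = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($b64))
    return $json | ConvertFrom-Json
}

function Test-AccessTokenUsable {
    param(
        [Parameter(Mandatory)][string]$Token,
        [Parameter(Mandatory)][string]$ExpectedAudience   # resource URI (v1) or app id (v2)
    )
    $claims = ConvertFrom-JwtPayload -Token $Token
    $expiry = [DateTimeOffset]::FromUnixTimeSeconds([int64]$claims.exp).UtcDateTime

    [pscustomobject]@{
        Audience      = $claims.aud
        AudienceMatch = ($claims.aud -eq $ExpectedAudience)
        Scopes        = $claims.scp      # delegated permissions (user token)
        Roles         = $claims.roles    # application permissions (app-only token)
        Tenant        = $claims.tid
        ExpiresUtc    = $expiry
        Expired       = ($expiry -lt [DateTime]::UtcNow)
    }
}

# Constructed sample token for the demo (alg "none", fake signature): not a real credential.
function New-SampleJwt {
    param([Parameter(Mandatory)][hashtable]$Claims)
    $enc = {
        param($Object)
        $bytes = [System.Text.Encoding]::UTF8.GetBytes(($Object | ConvertTo-Json -Compress))
        [System.Convert]::ToBase64String($bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_')
    }
    $header  = & $enc @{ typ = 'JWT'; alg = 'none' }
    $payload = & $enc $Claims
    return "$header.$payload.not-a-real-signature"
}

$sample = New-SampleJwt @{
    aud = 'https://graph.microsoft.com'
    scp = 'User.Read Mail.Read'
    tid = '00000000-0000-0000-0000-000000000000'   # placeholder tenant id
    exp = [DateTimeOffset]::UtcNow.AddHours(1).ToUnixTimeSeconds()
}

Test-AccessTokenUsable -Token $sample -ExpectedAudience 'https://graph.microsoft.com' | Format-List
```

Tokens issued by the v1.0 endpoint (as in the device code flow later on this page) carry the resource URI in `aud`; tokens from the v2.0 endpoint carry the resource's Application ID instead, so `AudienceMatch` should be checked against whichever form the resource table above lists for the API you are calling. A refresh token is an opaque string and cannot be inspected this way.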

### Access Tokens

{% embed url="https://learn.microsoft.com/en-us/entra/identity-platform/access-tokens" %}

### Refresh Tokens

{% embed url="https://learn.microsoft.com/en-us/entra/identity-platform/refresh-tokens" %}

## Authentication Methods

### Microsoft Graph

Scope (resource) to request when acquiring the access token:

```
https://graph.microsoft.com/.default
```

Then connect with the token (the Microsoft.Graph SDK v2 cmdlet expects a SecureString):

```powershell
Connect-MgGraph -AccessToken ($accesstoken | ConvertTo-SecureString -AsPlainText -Force)
```

### Az PowerShell

Scope (resource) to request when acquiring the access token:

```
https://management.azure.com/.default
```

Then connect with the token; `-AccountId` is the UPN the token was issued for:

```powershell
Connect-AzAccount -AccessToken $accesstoken -AccountId {user}@{domain}.onmicrosoft.com
```

### Device Code Authentication

The script below demonstrates how to perform a device code authentication flow using PowerShell to interact with Microsoft Graph. The process involves generating a device code, having the user authorize the device by entering the user code at the specified URL, and then exchanging the device code for access tokens.

#### Steps involved

1. **Generate Device Code**: The script sends a POST request to the OAuth 2.0 `/devicecode` endpoint with the necessary parameters to obtain a device code and a user code.
2. **User Authorization**: Direct the user to go to [microsoft.com/devicelogin](https://microsoft.com/devicelogin) and input the `user_code` returned in `$authResponse`.
3. **Token Exchange**: After user authorization, another POST request is made to the OAuth 2.0 `/token` endpoint to exchange the `device_code` for access and refresh tokens.

By completing these steps, your script will be able to authenticate the user and get access to Microsoft Graph resources, allowing for further integration and automation of tasks via PowerShell.

```powershell
$body = @{
    "client_id" =     "1950a258-227b-4e31-a9cf-717495945fc2"
    "resource" =      "https://graph.microsoft.com"
}
$UserAgent = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36"
$Headers=@{}
$Headers["User-Agent"] = $UserAgent
$authResponse = Invoke-RestMethod `
    -UseBasicParsing `
    -Method Post `
    -Uri "https://login.microsoftonline.com/common/oauth2/devicecode?api-version=1.0" `
    -Headers $Headers `
    -Body $body
$authResponse
```

Go to [microsoft.com/devicelogin](https://microsoft.com/devicelogin) and input the `user_code` from `$authResponse`.

```powershell
$body=@{
    "client_id" =  "1950a258-227b-4e31-a9cf-717495945fc2"
    "grant_type" = "urn:ietf:params:oauth:grant-type:device_code"
    "code" =       $authResponse.device_code
}
$Tokens = Invoke-RestMethod `
    -UseBasicParsing `
    -Method Post `
    -Uri "https://login.microsoftonline.com/Common/oauth2/token?api-version=1.0" `
    -Headers $Headers `
    -Body $body
$Tokens
```

The example authenticates as the Microsoft Azure PowerShell first-party application (Application ID 1950a258-227b-4e31-a9cf-717495945fc2).
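The token exchange above is a single request, which fails with `authorization_pending` if the user has not finished signing in yet. The device code grant expects the client to poll the `/token` endpoint at the `interval` returned by `/devicecode` until the code is authorised, declined or expired. The following is an added example, not code from the original page: a polling wrapper for the same v1.0 endpoints and client id, reusing the `$authResponse` and `$Headers` objects from the blocks above. The function name is this example's own.

```powershell
# Added example: poll the v1.0 token endpoint until the device code is authorised,
# honouring 'interval', 'slow_down' and 'expires_in' from the /devicecode response.
function Wait-DeviceCodeToken {
    param(
        [Parameter(Mandatory)]$DeviceCodeResponse,   # object returned by the /devicecode call
        [string]$ClientId  = '1950a258-227b-4e31-a9cf-717495945fc2',
        [hashtable]$Headers = @{},
        [string]$TokenUri  = 'https://login.microsoftonline.com/common/oauth2/token?api-version=1.0'
    )

    $interval = [int]$DeviceCodeResponse.interval                       # seconds between polls
    $deadline = (Get-Date).AddSeconds([int]$DeviceCodeResponse.expires_in)
    $body = @{
        client_id  = $ClientId
        grant_type = 'urn:ietf:params:oauth:grant-type:device_code'
        code       = $DeviceCodeResponse.device_code
    }

    while ((Get-Date) -lt $deadline) {
        Start-Sleep -Seconds $interval
        try {
            # Success: the response carries access_token, refresh_token, expires_in, resource
            return Invoke-RestMethod -Method Post -Uri $TokenUri -Headers $Headers -Body $body
        } catch {
            # While the code is pending Azure AD answers HTTP 400 with a JSON error body
            $err = $null
            try { $err = ($_.ErrorDetails.Message | ConvertFrom-Json).error } catch {}

            if ($err -eq 'authorization_pending') { continue }            # user not done yet
            if ($err -eq 'slow_down')             { $interval += 5; continue }  # back off
            if ($err -eq 'expired_token')         { throw 'Device code expired before it was authorised' }
            if ($err -eq 'authorization_declined'){ throw 'User declined the authorisation request' }
            throw   # anything else: rethrow the original error
        }
    }
    throw 'Timed out waiting for device code authorisation'
}

# Usage with the objects from the preceding blocks (interactive, so shown commented):
# $Tokens = Wait-DeviceCodeToken -DeviceCodeResponse $authResponse -Headers $Headers
# $Tokens.access_token; $Tokens.refresh_token
```

The loop stops at `expires_in` (typically 15 minutes for this endpoint) so a code that nobody approves does not leave the script polling indefinitely, and a `slow_down` reply lengthens the interval instead of being treated as a failure.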

#### Microsoft Application IDs

Below is a list of some built-in Microsoft first-party application IDs:

| Name                       | Application ID                       |
| -------------------------- | ------------------------------------ |
| Microsoft Azure PowerShell | 1950a258-227b-4e31-a9cf-717495945fc2 |
| Microsoft Azure CLI        | 04b07795-8ddb-461a-bbee-02f9e1bf7b46 |
| Portal Azure               | c44b4083-3bb0-49c1-b47d-974e53cbdf3c |
| Microsoft Office           | d3590ed6-52b3-4102-aeff-aad2292ab01c |
