Authentication
Microsoft Resources in Azure Active Directory
| Resource | Application ID |
|---|---|
| Windows Azure Service Management API | 797f4846-ba00-4fd7-ba43-dac1f8f63013 |
Access and Refresh Tokens
| Feature | Access Token | Refresh Token |
|---|---|---|
| Purpose | Grants access to protected resources (APIs, services) | Used to obtain new access tokens without re-authentication |
| Audience | Resource server (e.g., Microsoft Graph API, custom APIs) | Azure AD (token endpoint) |
| Token lifetime (default) | ~1 hour | 90 days (rolling, extended with use) |
| Usage frequency | Frequently – with every API call | Occasionally – only when the access token expires |
| Format | JWT (JSON Web Token) | Opaque string |
| Scope | Narrow – specific to the resource and scopes requested | Broad – valid across multiple resources (depending on scopes) |
| Revocation | Difficult to revoke individually (valid until expiry) | Can be revoked by Azure AD or upon sign-out/token misuse |
| Refreshable? | No | Yes (can issue new access + refresh tokens while still valid) |
Authentication Methods
Microsoft Graph (scope `https://graph.microsoft.com/.default`):

```powershell
Connect-MgGraph -AccessToken ($accesstoken | ConvertTo-SecureString -AsPlainText -Force)
```

Az PowerShell (scope `https://management.azure.com/.default`):

```powershell
Connect-AzAccount -AccessToken $accesstoken -AccountId {user}@{domain}.onmicrosoft.com
```
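Before handing `$accesstoken` to either cmdlet it is worth checking that the token is actually a JWT issued for the resource you intend to call and that it has not expired (the table above: access tokens carry an audience and live about an hour). The helper below is an added example, not code from the original page; it decodes the JWT payload without verifying the signature (the resource server does that) and compares the `aud` and `exp` claims against what the caller expects. The claim names and the expected-audience values are assumptions based on the standard Azure AD v1 token layout.

```powershell
# Added example (not from the original page): inspect an Azure AD access token (JWT)
# before using it with Connect-MgGraph / Connect-AzAccount.
# NOTE: the signature is NOT verified here; this is a client-side sanity check only.
function ConvertFrom-JwtPayload {
    param([Parameter(Mandatory)][string]$Token)

    $parts = $Token.Split('.')
    if ($parts.Count -lt 2) { throw "Not a JWT: expected header.payload.signature" }

    # JWT segments are base64url: swap the URL-safe alphabet back and restore padding
    $payload = $parts[1].Replace('-', '+').Replace('_', '/')
    switch ($payload.Length % 4) {
        2 { $payload += '==' }
        3 { $payload += '=' }
    }
    $json = [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload))
    return $json | ConvertFrom-Json
}

function Test-AccessTokenFor {
    param(
        [Parameter(Mandatory)][string]$Token,
        # Expected audience, e.g. https://graph.microsoft.com or https://management.azure.com
        # (assumption: v1 tokens carry the resource URI in 'aud'; some Graph tokens use the
        # Graph app id 00000003-0000-0000-c000-000000000000 instead, so check both forms)
        [Parameter(Mandatory)][string]$ExpectedAudience
    )
    $claims = ConvertFrom-JwtPayload -Token $Token
    $exp    = [DateTimeOffset]::FromUnixTimeSeconds([int64]$claims.exp)
    $now    = [DateTimeOffset]::UtcNow

    [pscustomobject]@{
        Audience      = $claims.aud
        AppId         = $claims.appid   # client application the token was issued to
        User          = $claims.upn     # absent for app-only tokens
        Scopes        = $claims.scp     # delegated permissions (space separated)
        ExpiresUtc    = $exp.UtcDateTime
        IsExpired     = ($exp -le $now)
        AudienceMatch = ([string]$claims.aud).TrimEnd('/') -eq $ExpectedAudience.TrimEnd('/')
    }
}

# Usage: $accesstoken holds a token obtained by one of the flows on this page
$check = Test-AccessTokenFor -Token $accesstoken -ExpectedAudience 'https://graph.microsoft.com'
$check
if ($check.IsExpired -or -not $check.AudienceMatch) {
    throw "Token is expired or was issued for another resource; obtain a fresh one first."
}
Connect-MgGraph -AccessToken ($accesstoken | ConvertTo-SecureString -AsPlainText -Force)
```

A token whose `aud` is `https://management.azure.com` will fail this check for Graph even though it is otherwise valid, which is exactly the mismatch that otherwise surfaces later as an opaque 401 from the API.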
Device Code Authentication
The script below demonstrates how to perform a device code authentication flow using PowerShell to interact with Microsoft Graph. The process involves requesting a device code, having the user authorize the device by entering the user code at the specified URL, and then exchanging the device code for access and refresh tokens.

Steps involved

1. Generate device code: the script sends a POST request to the OAuth 2.0 `/devicecode` endpoint with the necessary parameters to obtain a device code and a user code.
2. User authorization: direct the user to microsoft.com/devicelogin and have them enter the user code returned in `$authResponse`.
3. Token exchange: after the user has authorized, another POST request is made to the OAuth 2.0 `/token` endpoint to exchange the device code for access and refresh tokens.

By completing these steps, the script authenticates the user and obtains access to Microsoft Graph resources, allowing further integration and automation of tasks via PowerShell.
```powershell
# Step 1: request a device code and user code for the Microsoft Graph resource
$body = @{
    "client_id" = "1950a258-227b-4e31-a9cf-717495945fc2"   # Microsoft Azure PowerShell
    "resource"  = "https://graph.microsoft.com"
}
$UserAgent = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36"
$Headers = @{}
$Headers["User-Agent"] = $UserAgent

$authResponse = Invoke-RestMethod `
    -UseBasicParsing `
    -Method Post `
    -Uri "https://login.microsoftonline.com/common/oauth2/devicecode?api-version=1.0" `
    -Headers $Headers `
    -Body $body
# Contains device_code (used by the script) and user_code (entered by the user)
$authResponse
```
Go to microsoft.com/devicelogin and enter the user code shown in `$authResponse.user_code`. Then run the token exchange:
```powershell
# Step 3: exchange the device code for access and refresh tokens.
# Until the user has completed the device login this request returns
# error "authorization_pending"; re-run it after the user has finished.
$body = @{
    "client_id"  = "1950a258-227b-4e31-a9cf-717495945fc2"
    "grant_type" = "urn:ietf:params:oauth:grant-type:device_code"
    "code"       = $authResponse.device_code
}
$Tokens = Invoke-RestMethod `
    -UseBasicParsing `
    -Method Post `
    -Uri "https://login.microsoftonline.com/Common/oauth2/token?api-version=1.0" `
    -Headers $Headers `
    -Body $body
# access_token, refresh_token, expires_in, resource, ...
$Tokens
```
The example authenticates as the Microsoft Azure PowerShell application (Application ID 1950a258-227b-4e31-a9cf-717495945fc2).
Microsoft Applications ID
Below is a list of some application IDs of first-party Microsoft applications:

| Application | Application ID |
|---|---|
| Microsoft Azure PowerShell | 1950a258-227b-4e31-a9cf-717495945fc2 |
| Microsoft Azure CLI | 04b07795-8ddb-461a-bbee-02f9e1bf7b46 |
| Azure Portal | c44b4083-3bb0-49c1-b47d-974e53cbdf3c |
| Microsoft Office | d3590ed6-52b3-4102-aeff-aad2292ab01c |