In automation scenarios it is common to use a service principal (app based) to work with the Graph API, or in my example, with PNP PowerShell against SharePoint (but both scenario’s work the same).<\/p>\n\n\n\n
First, you’d need a client certificate, e.g. like this:<\/p>\n\n\n
\n$folder = \"c:\\users\\JosLieben\\Desktop\"\n$cert=New-SelfSignedCertificate -Subject \"CN=JOS\" -CertStoreLocation \"Cert:\\CurrentUser\\My\" -KeyExportPolicy Exportable -KeySpec Signature -HashAlgorithm \"SHA256\" -Provider \"Microsoft Enhanced RSA and AES Cryptographic Provider\"\nExport-Certificate -Cert $cert -FilePath \"$folder\\jos.cer\" \nExport-PfxCertificate -Password (ConvertTo-SecureString $clientCertPwd -AsPlainText -Force) -Cert $cert -FilePath \"$folder\\jos.pfx\"\n<\/pre><\/div>\n\n\nYou’d then upload the .cer file as a certificate on your service principal to let Azure AD recognize your cert as a valid ‘password’ for your app registration.<\/p>\n\n\n\n
Next you’d upload your .pfx file into Keyvault.<\/p>\n\n\n\n
Finally, you can use Powershell to construct an access token for a given scope:<\/p>\n\n\n
\n$tenantId = \"YOURTENANTID\"\n$clientId = \"YOURCLIENTID\"\n$scope = \"https:\/\/graph.microsoft.com\/.default\" #or, e.g. https:\/\/$($tenantName)-admin.sharepoint.com\/.default openid profile offline_access\n$secret = Get-AzKeyVaultSecret -VaultName \"YOURKEYVAULTNAME\" -Name cippCert -AsPlainText\n$clientCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList @([Convert]::FromBase64String($secret),\"\",[System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable)\n\n$header = @{\n alg = \"RS256\"\n typ = \"JWT\"\n x5t = [System.Convert]::ToBase64String(($clientCert.GetCertHash()))\n} | ConvertTo-Json -Compress\n\n$claimsPayload = @{\n aud = \"https:\/\/login.microsoftonline.com\/$tenantId\/oauth2\/token\"\n exp = [math]::Round(((New-TimeSpan -Start ((Get-Date \"1970-01-01T00:00:00Z\" ).ToUniversalTime()) -End (Get-Date).ToUniversalTime().AddMinutes(2)).TotalSeconds),0)\n iss = $clientId\n jti = (New-Guid).Guid\n nbf = [math]::Round(((New-TimeSpan -Start ((Get-Date \"1970-01-01T00:00:00Z\" ).ToUniversalTime()) -End ((Get-Date).ToUniversalTime())).TotalSeconds),0)\n sub = $clientId\n} | ConvertTo-Json -Compress\n\n$headerjsonbase64 = [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($header)).Split('=')[0].Replace('+', '-').Replace('\/', '_')\n$claimsPayloadjsonbase64 = [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($claimsPayload)).Split('=')[0].Replace('+', '-').Replace('\/', '_')\n\n$preJwt = $headerjsonbase64 + \".\" + $claimsPayloadjsonbase64\n$toSign = [System.Text.Encoding]::UTF8.GetBytes($preJwt)\n$privateKey = $clientCert.PrivateKey\n$alg = [Security.Cryptography.HashAlgorithmName]::SHA256\n$padding = [Security.Cryptography.RSASignaturePadding]::Pkcs1\n$signature = [Convert]::ToBase64String($privateKey.SignData($toSign,$alg,$padding)) -replace '\\+','-' -replace '\/','_' -replace '='\n\n$jwt = $headerjsonbase64 + \".\" + $claimsPayloadjsonbase64 + \".\" + $signature\n\n$Authbody = @{\n 'tenant' = $tenantId\n 'scope' = $scope\n 'client_assertion_type' = 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer'\n 'client_id' = $clientId\n 'grant_type' = 'client_credentials'\n 'client_assertion' = $jwt\n} \n\n$accessToken = (Invoke-RestMethod -Method post -Uri \"https:\/\/login.microsoftonline.com\/$($tenantid)\/oauth2\/v2.0\/token\" -Body $Authbody -ErrorAction Stop).accesstoken\n\n<\/pre><\/div>\n\n\nThe token can then be used to used to call Graph. And an example that shows how to use a sharepoint scoped token for the Sharepoint PNP PowerShell moddule:<\/p>\n\n\n
\n#use scope: https:\/\/$($tenantName)-admin.sharepoint.com\/.default\n\nconnect-PnPOnline -Url \"https:\/\/$($tenantName)-admin.sharepoint.com\" -AccessToken $accessToken -ReturnConnection\n<\/pre><\/div>","protected":false},"excerpt":{"rendered":"In automation scenarios it is common to use a service principal (app based) to work with the Graph API, or in my example, with PNP PowerShell against SharePoint (but both scenario’s work the same). First, you’d need a client certificate, e.g. like this: You’d then upload the .cer file as a certificate on your service … Continue reading Powershell Cert based authentication against the Graph API using a certificate from Keyvault<\/span>