AAD samples
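#!/bin/bash
# Look up an Azure AD service principal by one of its servicePrincipalNames
# through the (legacy) Azure AD Graph API, using the az CLI's current login.
set -euo pipefail

#######################################
# Percent-encode a string for use inside a URL query.
# Arguments: $1 - raw string
# Outputs:   the percent-encoded form (jq's @uri) on stdout
#######################################
urlencode() {
  # The value goes to jq on stdin behind a fixed '%s' format. The original
  # used $1 itself as the printf format string, which drops everything after
  # the first space and misinterprets any '%' in the input.
  printf '%s' "$1" | jq -sRr @uri
}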
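# Token for the legacy Azure AD Graph endpoint (graph.windows.net) and the
# tenant of the current az subscription. Under set -e a failed az call stops
# the script instead of sending an empty bearer token.
TOKEN=$(az account get-access-token --resource-type aad-graph --query "accessToken" -o tsv)
TENANT=$(az account show --query "tenantId" -o tsv)
spName="<sp name or id>"   # replace with the servicePrincipalName to look up
# OData: servicePrincipalNames/any(c:c eq '<spName>'). The literal is
# percent-encoded before it is embedded, so spaces or '&' cannot alter the
# query. NOTE(review): a single quote inside spName would additionally need
# OData escaping (doubling) — not handled here.
query="?\$filter=servicePrincipalNames%2Fany%28c%3Ac+eq+%27$(urlencode "${spName}")%27%29&api-version=1.6"
# The bearer header is read from a file descriptor (curl -H @file, 7.55+)
# rather than passed on argv, so the token is not visible in `ps` output.
# -S keeps curl's own errors visible even with -s.
# NOTE(review): Azure AD Graph (api-version=1.6) is the legacy API; Microsoft
# Graph (/v1.0/servicePrincipals) is the supported replacement — confirm the
# tenant still allows this endpoint before relying on the sample.
curl -sS -H @<(printf 'Authorization: Bearer %s\n' "${TOKEN}") \
  "https://graph.windows.net/${TENANT}/servicePrincipals${query}" | jq .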
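#!/bin/bash
# Azure AD sample: sign a user in with the device-code flow against a client
# app, exchange the resulting token through a server app with the
# on-behalf-of (OBO) grant for a Microsoft Graph token, then call
# /me/getMemberGroups with it.
#
# Settings are taken from the environment when present and fall back to the
# placeholders below. SERVER_APP_SECRET (or ASSERTION) is a credential:
# export it rather than editing it into this file. Each token step stops
# with the endpoint's error when no access_token comes back, so a later
# request is never sent with "Bearer null".
set -euo pipefail

CLIENT_ID=${CLIENT_ID:-'<client-app-id>'}
TENANT_ID=${TENANT_ID:-'<tenant-id>'}
RESOURCE=${RESOURCE:-'<aad-server-app-id>'}     # audience of the first token: the server app
ASSERTION=${ASSERTION:-''}                      # optional signed JWT used as the server app's client assertion
SERVER_APP_APP_ID=${SERVER_APP_APP_ID:-''}
SERVER_APP_SECRET=${SERVER_APP_SECRET:-'<url-encoded-SERVER_APP_SECRET>'}   # must already be URL-encoded
GRAPH_RESOURCE='https://graph.microsoft.com'    # target resource of the OBO exchange

# die MSG... — print MSG to stderr and exit 1.
die() { printf 'error: %s\n' "$*" >&2; exit 1; }

# json_field BODY FILTER — run a jq filter (raw output) over a JSON body.
json_field() { jq -r "$2" <<<"$1"; }

#######################################
# POST an application/x-www-form-urlencoded body and print the response.
# Arguments: $1 - URL; $2 - pre-encoded form body
# The body is streamed over stdin (-d @-) so client secrets and tokens are
# not on curl's argv, where any local user could read them with `ps`.
#######################################
post_form() {
  local url=$1 body=$2
  printf '%s' "$body" | curl -sS -d @- "$url"
}

#######################################
# Print the access_token from a token-endpoint response, or exit with the
# endpoint's error (e.g. authorization_pending when the device sign-in has
# not been completed yet).
# Arguments: $1 - JSON response body
#######################################
require_access_token() {
  local body=$1 token
  token=$(json_field "$body" '.access_token // empty')
  [[ -n "$token" ]] || die "token request failed: $(json_field "$body" '.error_description // .error // .')"
  printf '%s\n' "$token"
}

# Step 1: start the device-code flow. /common lets the user pick the tenant.
BODY=$(post_form "https://login.microsoftonline.com/common/oauth2/devicecode" \
  "resource=${RESOURCE}&client_id=${CLIENT_ID}")
device_code=$(json_field "$BODY" '.device_code // empty')
[[ -n "$device_code" ]] || die "device code request failed: $(json_field "$BODY" '.error_description // .')"
user_code=$(json_field "$BODY" '.user_code')
verification_url=$(json_field "$BODY" '.verification_url')
echo "Please go to $verification_url with user_code ${user_code}"
# read returns non-zero on EOF, so a non-interactive run stops here under set -e.
read -r -p "Press enter to continue when you have logged in" _

# Step 2: redeem the device code for a token whose audience is the server app.
BODY=$(post_form "https://login.microsoftonline.com/common/oauth2/token" \
  "grant_type=device_code&client_id=${CLIENT_ID}&code=${device_code}")
echo "Token response"
jq . <<<"$BODY"
ACCESS_TOKEN=$(require_access_token "$BODY")

# Step 3: on-behalf-of exchange. The user token becomes the `assertion`; the
# server app authenticates with either its client secret or a signed client
# assertion, chosen by whether ASSERTION is set.
read -r -p "Press enter to perform on-behalf-of to exchange token to access graph api" _
obo_body="grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer"
obo_body+="&client_id=${SERVER_APP_APP_ID}"
obo_body+="&assertion=${ACCESS_TOKEN}"
obo_body+="&resource=${GRAPH_RESOURCE}"
obo_body+="&requested_token_use=on_behalf_of"
if [[ -z "${ASSERTION}" ]]; then
  echo "use client secret"
  obo_body+="&client_secret=${SERVER_APP_SECRET}"
else
  echo "use client assertion"
  obo_body+="&client_assertion=${ASSERTION}"
  obo_body+="&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer"
fi
BODY=$(post_form "https://login.microsoftonline.com/${TENANT_ID}/oauth2/token" "$obo_body")
echo "Token response"
jq . <<<"$BODY"
ACCESS_TOKEN=$(require_access_token "$BODY")

# Step 4: call Microsoft Graph with the exchanged token. The bearer header is
# read from a file descriptor (-H @file, curl 7.55+) to keep it off argv.
# (The original prompt said graph.windows.net; the request goes to
# graph.microsoft.com.)
read -r -p "Press enter to query graph.microsoft.com using access token" _
curl -sS -H "Content-Type: application/json" \
  -H @<(printf 'Authorization: Bearer %s\n' "${ACCESS_TOKEN}") \
  -d '{"securityEnabledOnly": true}' \
  "https://graph.microsoft.com/v1.0/me/getMemberGroups" | jq .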