Tomasz Kaniewski

Reputation: 1175

Get token for OAuth2 protected API in PowerShell

When I use a browser I use this endpoint to authorize:

https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize?client_id=<client_id>&response_type=code&redirect_uri=<redirect_uri>&scope=email+offline_access+openid+profile&state=&prompt=select_account

then I log in to my Microsoft account, and it redirects me to my application.

How I can log in to get a token from PowerShell? I need it for test automation. I found something like this (https://github.com/shawntabrizi/Microsoft-Authentication-with-PowerShell-and-MSAL/tree/master/Authorization%20Code%20Grant%20Flow) but I'm not sure if it is a good solution for my case.

Appreciate any help.

EDIT:

I don't know how to automate this step: [screenshot]

Upvotes: 1

Views: 7127

Answers (2)

We can use the MSAL library in PowerShell.

The MSAL.PS module's Get-MsalToken function prompts for sign-in and returns a valid token that you could use.

Example: to force interactive authentication to get an AccessToken (with MS Graph permission User.Read) and IdToken for a specific Azure AD tenant and UPN, using the client id from the application registration (public client):

    PS C:\> Get-MsalToken -ClientId '00000000-0000-0000-0000-000000000000' -TenantId '00000000-0000-0000-0000-000000000000' -Interactive -Scope 'https://graph.microsoft.com/User.Read' -LoginHint [email protected]

Upvotes: -1

juunas

Reputation: 58733

If you want your test to call the API as an app, you can use client credentials flow.

If on the other hand you want to call the API on behalf of a user, you might need to use resource owner password credentials grant flow: https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth-ropc

Note that the user should usually be a local account in that AAD tenant (no external user/Microsoft account/on-prem AD account) with no MFA. Take this into account and store the user credentials securely. And do use a test AAD tenant for this so the credentials don't have access to any production environments.

Upvotes: 0
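The two non-interactive flows named in the answer above, as an added PowerShell example that is not part of the original question or either answer. It talks to the Azure AD v2.0 token endpoint directly with Invoke-RestMethod, so it needs no extra module. The tenant id, client id, secret, test-user name and password are read from environment variables, and the `api://.../.default` and `api://.../Items.Read` scopes and the `https://api.example.com/items` URL are placeholders for the API under test; all of these are assumptions you must replace. ROPC additionally requires "Allow public client flows" to be enabled on the app registration, and it only works for a cloud-only account in that tenant without MFA, so run it against a test tenant only, as the answer says.

```powershell
# Added example: acquire an Azure AD v2.0 access token for test automation without a browser.
# Two flows: client credentials (the test calls the API as the app) and ROPC (as a test user).
# All ids, secrets and URLs are placeholders/assumptions; secrets come from environment variables
# so nothing sensitive is committed with the test code.

$TenantId      = $env:AAD_TENANT_ID          # use a dedicated test tenant, never production
$ClientId      = $env:AAD_CLIENT_ID          # app registration (confidential client for CC, public client flows enabled for ROPC)
$TokenEndpoint = "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token"

function Invoke-TokenRequest {
    # POSTs a form-encoded grant to the token endpoint and surfaces AAD's own
    # error/error_description instead of the generic HTTP 400/401 message.
    param([Parameter(Mandatory)] [hashtable] $Body)
    try {
        Invoke-RestMethod -Method Post -Uri $TokenEndpoint -Body $Body `
            -ContentType 'application/x-www-form-urlencoded'
    }
    catch {
        $detail = $_.ErrorDetails.Message
        if ($detail) {
            $err = $detail | ConvertFrom-Json
            throw "Token request failed: $($err.error): $($err.error_description)"
        }
        throw
    }
}

function Get-ClientCredentialsToken {
    # App-only token. No user is involved, so the API must grant the app
    # application permissions (app roles); the scope is always <resource>/.default.
    param([Parameter(Mandatory)] [string] $Scope)
    Invoke-TokenRequest -Body @{
        grant_type    = 'client_credentials'
        client_id     = $ClientId
        client_secret = $env:AAD_CLIENT_SECRET
        scope         = $Scope
    }
}

function Get-RopcToken {
    # Delegated token on behalf of a test user (resource owner password credentials).
    # Fails for guest/Microsoft accounts, federated on-prem accounts and MFA-enabled users,
    # so it belongs only in a test tenant with a dedicated, MFA-exempt test account.
    param(
        [Parameter(Mandatory)] [string] $Scope,
        [Parameter(Mandatory)] [string] $Username,
        [Parameter(Mandatory)] [string] $Password
    )
    Invoke-TokenRequest -Body @{
        grant_type = 'password'
        client_id  = $ClientId
        scope      = $Scope
        username   = $Username
        password   = $Password
    }
}

# --- usage -------------------------------------------------------------------
# 1) Call the API as the application itself.
$appToken = Get-ClientCredentialsToken -Scope 'api://00000000-0000-0000-0000-000000000000/.default'
$headers  = @{ Authorization = "Bearer $($appToken.access_token)" }
Invoke-RestMethod -Uri 'https://api.example.com/items' -Headers $headers

# 2) Call the API on behalf of the test user; the response also carries expires_in
#    (seconds) so a long test run can decide when to request a fresh token.
$userToken = Get-RopcToken -Scope 'api://00000000-0000-0000-0000-000000000000/Items.Read' `
    -Username $env:TEST_USER_UPN -Password $env:TEST_USER_PASSWORD
$headers = @{ Authorization = "Bearer $($userToken.access_token)" }
Invoke-RestMethod -Uri 'https://api.example.com/items' -Headers $headers
"User token valid for $($userToken.expires_in) seconds"
```

Prefer the client credentials path whenever the API under test accepts application permissions; keep the ROPC path for the cases where the API's authorization logic genuinely depends on a user identity, and treat the test account's password with the same care as the client secret.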
