Batteredburrito

Reputation: 589

Graph API - Temporary Access Pass Generation

Have the following script that is trying to create a CSV of TAP codes using the Graph API. Currently getting an Error 401 Unauthorised when reaching Invoke-RestMethod.

<# Region Auth Start #>
$tenantId = "REDACTED"
$clientID = "REDACTED"
$Scope = "https://graph.microsoft.com/.default"
$redirectUri = "https://localhost"
$TokenResponse = Get-MsalToken -ClientId $clientID -TenantId $tenantId -Interactive -RedirectUri $redirectUri -Scopes $Scope
<# Region Auth End #>


<# Region Generate AAD TAP Start #>

#Import users from csv file
###########################
$users = (Import-csv -Path "c:\Temp\users.csv").UserName

#Initializing Hash table to store output
########################################
$hash = @{}

#Looping through each user to generate AAD TAP
##############################################

ForEach ($user in $users) {
    # Get-MsalToken returns an AuthenticationResult whose properties are TokenType and AccessToken
    # (not token_type/access_token); the wrong names expand to an empty header, which Graph rejects with 401
    $Headers = @{Authorization = "$($TokenResponse.TokenType) $($TokenResponse.AccessToken)"}
    $tapUri = "https://graph.microsoft.com/beta/users/$user/authentication/temporaryAccessPassMethods"
    # Empty body: Graph applies the tenant's default TAP lifetime and usability settings
    $body = "{}"
    $tapResponse = Invoke-RestMethod -Headers $Headers -Uri $tapUri -Body $body -Method POST -ContentType "application/json"
    $tap = $tapResponse.temporaryAccessPass
    $hash.add($user,$tap)
}

#Saving result to file
######################

$outpath = "C:\Temp\Results.csv"
$hash.GetEnumerator() | Select-Object -Property @{N='User Name';E={$_.Key}}, @{N='Temporary Access Pass';E={$_.Value}} | Export-csv -Path $outpath -NoTypeInformation

<# Region Generate AAD TAP End #>

Any ideas as to what the root cause could be would be greatly appreciated.

Upvotes: 0

Views: 1837

Answers (1)

kavya Saraboju

Reputation: 10871

I have tried to generate temporary access pass codes for the users imported from a CSV using the Microsoft Graph module in PowerShell in my environment, and was able to generate TAP codes for the user members successfully.

  • But before that, please make sure you have Global Admin rights to generate TAPs, and that the UserAuthenticationMethod.ReadWrite.All and User.ReadWrite.All application and delegated permissions are granted before executing; also install the Graph module to use it.

PowerShell:

# Sign in with the Graph PowerShell SDK, requesting the delegated scope listed above
Connect-MgGraph -Scopes "UserAuthenticationMethod.ReadWrite.All"

$properties = @{}
$properties.isUsableOnce = $True
$properties.startDateTime = '2022-05-05 06:00:00'
$propertiesJSON = $properties | ConvertTo-Json
$hash = @{}
$users = (Import-csv -Path "C:\Users\<path>\filename.csv")

ForEach ($user in $users)
{
    # Create the TAP and keep the returned object so the pass can be exported below
    $tap = New-MgUserAuthenticationTemporaryAccessPassMethod -UserId $user.userPrincipalName -BodyParameter $propertiesJSON
    Get-MgUserAuthenticationTemporaryAccessPassMethod -UserId $user.userPrincipalName
    $hash.Add($user.userPrincipalName, $tap.TemporaryAccessPass)
}

$outpath = "C:\Users\....\...\Results.csv"
$hash.GetEnumerator() | Select-Object -Property @{N='User Name';E={$_.Key}}, @{N='Temporary Access Pass';E={$_.Value}} | Export-csv -Path $outpath -NoTypeInformation

OUTPUT: (screenshot in the original answer)

Reference: Configure Temporary Access Pass in Azure AD to register Passwordless authentication methods

If you are trying the above using Invoke-RestMethod, try placing the content type in the headers and checking the AccessToken spelling. Also try giving the client secret as -ClientSecret (ConvertTo-SecureString $client_secret -AsPlainText -Force) in the $tokenResponse.

$Headers = @{
    "Authorization" = "Bearer $($TokenResponse.AccessToken)"
    "Content-type"  = "application/json"
}
# Serialise the body to JSON; a bare hashtable would be sent form-encoded despite the header
$body = @{ } | ConvertTo-Json

Upvotes: 1
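Added example, not code from the question or the answer above: it builds the Authorization header from the AccessToken property that Get-MsalToken actually returns, checks the token's granted permissions once before the loop so a missing consent fails with a clear message instead of a 401/403 per user, and creates a single-use, time-limited TAP per user with per-user error handling. It assumes the MSAL.PS module, a users.csv with a UserName column as in the question, and placeholder tenant/client IDs.

```powershell
function Get-GrantedPermissions {
    param([Parameter(Mandatory)][string]$Jwt)
    # Decode the JWT payload (base64url) locally as a diagnostic; no signature check, Graph validates the token itself.
    $payload = $Jwt.Split('.')[1].Replace('-', '+').Replace('_', '/')
    switch ($payload.Length % 4) { 2 { $payload += '==' } 3 { $payload += '=' } }
    $claims = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload)) | ConvertFrom-Json
    $granted = @()
    if ($claims.scp)   { $granted += $claims.scp -split ' ' }   # delegated permissions
    if ($claims.roles) { $granted += $claims.roles }            # application permissions
    return $granted
}

function New-TapForUsers {
    param(
        [Parameter(Mandatory)][string]$AccessToken,
        [Parameter(Mandatory)][string[]]$Users,
        [int]$LifetimeInMinutes = 60
    )
    # Fail before the loop with a clear message instead of one 401/403 per user.
    $granted = Get-GrantedPermissions -Jwt $AccessToken
    if ($granted -notcontains 'UserAuthenticationMethod.ReadWrite.All') {
        throw "Token lacks UserAuthenticationMethod.ReadWrite.All; granted: $($granted -join ', ')"
    }
    $headers = @{ Authorization = "Bearer $AccessToken" }
    # Single-use and short-lived: a leaked Results.csv is worth little after the lifetime passes.
    $body = @{ isUsableOnce = $true; lifetimeInMinutes = $LifetimeInMinutes } | ConvertTo-Json
    foreach ($user in $Users) {
        $uri = "https://graph.microsoft.com/v1.0/users/$([uri]::EscapeDataString($user))/authentication/temporaryAccessPassMethods"
        try {
            $r = Invoke-RestMethod -Method POST -Uri $uri -Headers $headers -Body $body -ContentType 'application/json'
            [pscustomobject]@{ 'User Name' = $user; 'Temporary Access Pass' = $r.temporaryAccessPass; 'Lifetime (min)' = $r.lifetimeInMinutes; Error = '' }
        } catch {
            # Record the failure for this user and continue with the rest of the batch.
            [pscustomobject]@{ 'User Name' = $user; 'Temporary Access Pass' = ''; 'Lifetime (min)' = ''; Error = "HTTP $([int]$_.Exception.Response.StatusCode)" }
        }
    }
}

# Placeholder IDs (assumption); users.csv has a UserName column as in the question.
$token = Get-MsalToken -ClientId '<client-id>' -TenantId '<tenant-id>' -Interactive -RedirectUri 'https://localhost' -Scopes 'https://graph.microsoft.com/.default'
$users = (Import-Csv -Path 'C:\Temp\users.csv').UserName
New-TapForUsers -AccessToken $token.AccessToken -Users $users | Export-Csv -Path 'C:\Temp\Results.csv' -NoTypeInformation
```

The Error column makes a partial failure visible in the CSV (for example HTTP 403 for a user the caller may not administer) rather than silently writing an empty pass.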
