Azure AD supports the OAuth 2.0 Device Flow for browserless and input-constrained devices, as described here: https://tools.ietf.org/html/draft-ietf-oauth-device-flow-07
If you do not want to, or cannot, use ADAL from PowerShell, you can script this flow entirely in native PowerShell.
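# Device-code sign-in against Azure AD (v1 endpoint) without ADAL.
# Inputs:  $tenant (edit below); everything else is derived from it.
# Outputs: $tokenResponse holds the token endpoint's reply once the user has completed sign-in,
#          or stays $null if the device code expires first.
# Throws:  any token-endpoint error other than authorization_pending / slow_down is rethrown.
$clientId = "1950a258-227b-4e31-a9cf-717495945fc2" # This is the standard Client Identifier for Windows Azure PowerShell
$redirectUrl = [System.Uri]"urn:ietf:wg:oauth:2.0:oob" # This is the standard Redirect URI for Windows Azure PowerShell (not sent by the requests below)
$tenant = "YOURTENANTNAME.onmicrosoft.com"
$resource = "https://graph.windows.net";
$serviceRootURL = "https://graph.windows.net/$tenant" # Base URL for later directory calls; not used by the flow itself
$authUrl = "https://login.microsoftonline.com/$tenant";

# Step 1: obtain a device code from the devicecode endpoint and show the server-supplied instructions to the user.
$postParams = @{resource="$resource";client_id="$clientId"}
$response = Invoke-RestMethod -Method POST -Uri "$authUrl/oauth2/devicecode" -Body $postParams
Write-Host $response.message

# Step 2: poll the token endpoint until sign-in completes, the code expires, or a terminal error is returned.
$tokenParams = @{grant_type="device_code"; resource="$resource"; client_id="$clientId"; code="$($response.device_code)"}
$tokenResponse = $null
$maxDate = (Get-Date).AddSeconds($response.expires_in)
# Seconds between polls, as dictated by the server; cast in case the JSON value arrives as a string.
$pollInterval = [int]$response.interval
while (!$tokenResponse -and (Get-Date) -lt $maxDate)
{
    try
    {
        $tokenResponse = Invoke-RestMethod -Method POST -Uri "$authUrl/oauth2/token" -Body $tokenParams
    }
    catch [System.Net.WebException]
    {
        # NOTE(review): written for Windows PowerShell; PowerShell 7 raises a different exception type
        # and exposes the body via $_.ErrorDetails.Message — confirm before running there.
        if ($_.Exception.Response -eq $null)
        {
            # No HTTP response at all (DNS, TLS, connection failure): nothing to interpret, rethrow.
            throw
        }
        # Read the JSON error body; dispose the reader so the response stream is not leaked on every poll.
        $reader = New-Object System.IO.StreamReader($_.Exception.Response.GetResponseStream())
        try
        {
            $reader.BaseStream.Position = 0
            $errBody = ConvertFrom-Json $reader.ReadToEnd();
        }
        finally
        {
            $reader.Dispose()
        }
        if ($errBody.error -eq "slow_down")
        {
            # The server is asking us to poll less often; back off by 5 seconds (the increment RFC 8628 later standardized).
            $pollInterval += 5
        }
        elseif ($errBody.error -ne "authorization_pending")
        {
            # Any other error (e.g. the code expired or the user declined) is terminal.
            throw
        }
        Start-Sleep -Seconds $pollInterval;
        Write-Host -NoNewline ".";
    }
}
# $tokenResponse now carries bearer tokens; keep it out of console output, logs and transcripts.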
After running this script and completing sign-in against Azure AD, the variable $tokenResponse should contain the tokens Azure AD issued.