
fortytwoservices/powershell-module-entraidaccesstoken


EntraIDAccessToken PowerShell Module

This module was created in order to eliminate the need to build authentication into each and every other module that talks to Entra ID. Instead of having 10 different modules, each with its own options for client secrets, client certificates, managed service identities etc., authentication is built into this module once and consumed by the other modules. This module also takes care of caching, expiration, etc.

The overall approach to using the module is:

  1. Load the module (duh...)
  2. Add profiles using one or more of the following cmdlets (examples 1.*):
    • Add-EntraIDAutomationAccountMSIAccessTokenProfile
    • Add-EntraIDAzureArcManagedMSITokenProfile
    • Add-EntraIDAzureDevOpsFederatedCredentialAccessTokenProfile
    • Add-EntraIDAzurePowerShellSessionTokenProfile
    • Add-EntraIDClientCertificateAccessTokenProfile
    • Add-EntraIDClientSecretAccessTokenProfile
    • Add-EntraIDExternalAccessTokenProfile
    • Add-EntraIDFunctionAppMSIAccessTokenProfile
    • Add-EntraIDGitHubFederatedCredentialAccessTokenProfile
    • Add-EntraIDInteractiveUserAccessTokenProfile
    • Add-EntraIDROPCAccessTokenProfile
  3. Utilize Get-EntraIDAccessToken -Profile "Name" in your scripts and modules to get the token (examples 2.*)

Example 1.1 - Adding a default profile using client secret authentication and the Microsoft Graph resource

$ClientSecret = Read-Host -AsSecureString
Add-EntraIDClientSecretAccessTokenProfile -ClientSecret $ClientSecret -TenantId "237098ae-0798-4cf9-a3a5-208374d2dcfd" -ClientId "179ba868-8e81-4bcb-b8e4-a3268fe8b13d"

Example 1.2 - Adding a named profile using client secret authentication and Key Vault as resource

$ClientSecret = Read-Host -AsSecureString
Add-EntraIDClientSecretAccessTokenProfile -Profile "Pegasus" -ClientSecret $ClientSecret -TenantId "237098ae-0798-4cf9-a3a5-208374d2dcfd" -ClientId "179ba868-8e81-4bcb-b8e4-a3268fe8b13d" -Resource "https://vault.azure.net/"

Example 1.3 - Adding a profile using an Automation Account System Assigned Identity and the Microsoft Graph resource

Add-EntraIDAutomationAccountMSIAccessTokenProfile

Example 1.4 - Adding a profile using an Automation Account User Assigned Identity and Key Vault as resource

Add-EntraIDAutomationAccountMSIAccessTokenProfile -ClientId "<uai clientid>" -Resource "https://vault.azure.net/"

Example 1.5 - Adding a profile using a hard coded access token (Useful for development)

Add-EntraIDExternalAccessTokenProfile -AccessToken "ey..."

Example 1.6 - Adding a profile using a certificate

Add-EntraIDClientCertificateAccessTokenProfile -Name $Name -ClientId "..." -TenantId "..." -Thumbprint "D08A6C49E577AEB7DE4468CD49143288D6F4B003"

Example 1.7 - Adding a profile using Azure Arc Managed Identity and Microsoft Graph resource

Add-EntraIDAzureArcManagedMSITokenProfile

Example 1.8 - Adding a profile using Azure DevOps Federated Credential

Add-EntraIDAzureDevOpsFederatedCredentialAccessTokenProfile -TenantId "237098ae-0798-4cf9-a3a5-208374d2dcfd" -ClientId "179ba868-8e81-4bcb-b8e4-a3268fe8b13d"

Example 1.9 - Adding a profile using Azure PowerShell Session Token

Add-EntraIDAzurePowerShellSessionTokenProfile

Example 1.10 - Adding a profile using Function App Managed Identity

Add-EntraIDFunctionAppMSIAccessTokenProfile

Example 1.11 - Adding a profile using GitHub Federated Credential

Add-EntraIDGitHubFederatedCredentialAccessTokenProfile -TenantId "237098ae-0798-4cf9-a3a5-208374d2dcfd" -ClientId "179ba868-8e81-4bcb-b8e4-a3268fe8b13d"

Example 1.12 - Adding a profile using Interactive User Authentication

Add-EntraIDInteractiveUserAccessTokenProfile

Example 1.13 - Adding a profile using Resource Owner Password Credentials (ROPC)

$UserCredential = Get-Credential
$ClientSecret = Read-Host -AsSecureString
Add-EntraIDROPCAccessTokenProfile -TenantId "237098ae-0798-4cf9-a3a5-208374d2dcfd" -ClientId "179ba868-8e81-4bcb-b8e4-a3268fe8b13d" -ClientSecret $ClientSecret -UserCredential $UserCredential

Example 1.14 - Autonomous agent flow

# Step 1 - Add blueprint authentication (the client secret is read as a SecureString, as in example 1.1)
$ClientSecret = Read-Host -AsSecureString
Add-EntraIDClientSecretAccessTokenProfile -ClientSecret $ClientSecret -TenantId "237098ae-0798-4cf9-a3a5-208374d2dcfd" -ClientId "9471f355-173a-4466-b142-3d4acf848b03" -Scope "api://AzureADTokenExchange/.default" -Name "Blueprint"

# Step 2 - Add autonomous agent authentication, exchanging the blueprint token for the agent identity's token
Add-EntraIDFederatedCredentialTokenProfile -Name "Agent 1" -TenantId "237098ae-0798-4cf9-a3a5-208374d2dcfd" -ClientId "cd77c677-16ea-4f9d-b5b1-0aab1841694c" -FederatedAccessTokenProfile Blueprint -AgentIdentity -Scope "https://graph.microsoft.com/.default"

Example 2.1 - Getting an access token for the default profile

Get-EntraIDAccessToken

Example 2.2 - Getting a refreshed access token for a certain profile

Get-EntraIDAccessToken -ForceRefresh -Profile "Pegasus"

Example 2.3 - Using the token header with Invoke-RestMethod

Invoke-RestMethod -Uri "https://graph.microsoft.com/v1.0/users" -Headers (Get-EntraIDAccessTokenHeader)
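A consuming module should not trust that a profile yields the token it expects: a wrong -Resource or an over-permissioned app registration only shows up in the token's claims. The following is an added example, not part of this module; it assumes Get-EntraIDAccessToken returns the raw bearer token as a string, and the function names ConvertFrom-JwtPayload and Test-EntraIDAccessTokenClaims are ours.

```powershell
function ConvertFrom-JwtPayload {
    # Base64url-decode the second JWT segment and parse it as JSON. This only
    # reads claims for inspection; it does not validate the signature (the
    # resource API that receives the token does that).
    param([Parameter(Mandatory)][string] $Token)
    $parts = $Token.Split('.')
    if ($parts.Count -lt 2) { throw "Value is not a JWT (no '.'-separated payload segment)." }
    $b64 = $parts[1].Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) { 2 { $b64 += '==' } 3 { $b64 += '=' } }
    $json = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64))
    return ($json | ConvertFrom-Json)
}

function Test-EntraIDAccessTokenClaims {
    # Fetch a token through the module (cached unless expired) and report
    # whether its audience and remaining lifetime match what the caller expects.
    param(
        [string] $Profile,                                  # omit to use the default profile
        [Parameter(Mandatory)][string[]] $ExpectedAudience, # resource URI(s) the token must be for
        [int] $MinimumMinutesLeft = 5
    )
    $getParams = @{}
    if ($Profile) { $getParams.Profile = $Profile }
    $token  = Get-EntraIDAccessToken @getParams   # assumption: returns the bearer token string
    $claims = ConvertFrom-JwtPayload -Token $token

    $expires     = [DateTimeOffset]::FromUnixTimeSeconds([int64]$claims.exp)
    $minutesLeft = [math]::Round(($expires - [DateTimeOffset]::UtcNow).TotalMinutes, 1)
    # Compare audiences with trailing slashes stripped, since -Resource is often
    # given as "https://vault.azure.net/" while the claim has no trailing slash.
    $aud        = ([string]$claims.aud).TrimEnd('/')
    $audienceOk = $ExpectedAudience | ForEach-Object { $_.TrimEnd('/') } | Where-Object { $_ -eq $aud }
    $profileName = if ($Profile) { $Profile } else { '(default)' }

    [pscustomobject]@{
        Profile     = $profileName
        Audience    = $claims.aud
        AudienceOk  = [bool]$audienceOk
        ExpiresUtc  = $expires.UtcDateTime
        MinutesLeft = $minutesLeft
        FreshEnough = ($minutesLeft -ge $MinimumMinutesLeft)
        AppId       = $claims.appid
        # App roles (client credential / MSI flows) or delegated scopes (user flows):
        # review this list against what the consuming module actually needs.
        Permissions = @($claims.roles) + @($claims.scp -split ' ') | Where-Object { $_ }
    }
}

# Usage: check that the "Pegasus" profile from example 1.2 really yields a Key Vault token
$check = Test-EntraIDAccessTokenClaims -Profile "Pegasus" -ExpectedAudience "https://vault.azure.net/"
if (-not $check.AudienceOk) { throw "Profile 'Pegasus' returned a token for '$($check.Audience)'" }
```

If FreshEnough is false for a long-running job, request a new token with Get-EntraIDAccessToken -ForceRefresh before starting work that must not fail mid-way.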

About

A module for simplifying the process of getting an access token from Entra ID
