Graph API - Temporary Access Pass Generation

I have the following script that attempts to use the Graph API to create a csv of TAP codes. It currently fails with a 401 Unauthorised error when it reaches Invoke-RestMethod:
<# Region Auth Start #>
$tenantId = "REDACTED"
$clientID = "REDACTED"
$Scope = "https://graph.microsoft.com/.default"
$redirectUri = "https://localhost"
$TokenResponse = Get-MsalToken -ClientId $clientID -TenantId $tenantId -Interactive -RedirectUri $redirectUri -Scopes $Scope
<# Region Auth End #>


<# Region Generate AAD TAP Start #>
 
#Import users from csv file
###########################
$users = (Import-csv -Path "c:\Temp\users.csv").UserName
 
#Initializing Hash table to store output
########################################
$hash = @{} 
 
#Looping through each user to generate AAD TAP
##############################################
 
ForEach ($user in $users) {
    $Headers = @{Authorization = "$($TokenResponse.token_type) $($TokenResponse.access_token)"}
    $tapUri = "https://graph.microsoft.com/beta/users/$user/authentication/temporaryAccessPassMethods"
    $body = "{}"
    $tapResponse = Invoke-RestMethod -Headers $Headers -Uri $tapUri -Body $body -Method POST -ContentType "application/json"
    $tap = $tapResponse.temporaryAccessPass
    $hash.add($user,$tap)
}
 
#Saving result to file
######################
 
$outpath = "C:\Temp\Results.csv"
$hash.GetEnumerator() | Select-Object -Property @{N='User Name';E={$_.Key}}, @{N='Temporary Access Pass';E={$_.Value}} |Export-csv -Path $outpath -NoTypeInformation
 
<# Region Generate AAD TAP End #>

Any thoughts on the root cause would be greatly appreciated.

I tried in my environment to generate Temporary Access Passes for users imported from a csv using the Microsoft Graph module in PowerShell, and was able to successfully generate TAP codes for the member users.

  • But before that, make sure you have Global Administrator rights to generate TAPs, and that UserAuthenticationMethod.ReadWrite.All and User.ReadWrite.All have been granted as both application and delegated permissions before executing. Also install the Graph module in order to use it.

PowerShell:

# Requires the Microsoft.Graph module; sign in with the permissions listed above
Connect-MgGraph -Scopes "UserAuthenticationMethod.ReadWrite.All","User.ReadWrite.All"

$properties = @{}
$properties.isUsableOnce = $True
$properties.startDateTime = '2022-05-05 06:00:00'
$hash = @{}
$users = (Import-csv -Path "C:\Users\<path>\filename.csv")

 ForEach ($user in $users) 
 {

# -BodyParameter takes the hashtable directly; the pass value is only returned by the create call
$tap = New-MgUserAuthenticationTemporaryAccessPassMethod -UserId $user.userPrincipalName -BodyParameter $properties
Get-MgUserAuthenticationTemporaryAccessPassMethod -UserId $user.userPrincipalName
$hash.Add($user.userPrincipalName, $tap.TemporaryAccessPass)
 
 }

# Write the collected passes out once the loop has finished
$outpath = "C:\Users\....\...\Results.csv"
$hash.GetEnumerator() | Select-Object -Property @{N='User Name';E={$_.Key}}, @{N='Temporary Access Pass';E={$_.Value}} |Export-csv -Path $outpath -NoTypeInformation

Output:

Reference: Configure Temporary Access Pass in Azure AD to register Passwordless authentication methods

If you are trying with Invoke-RestMethod as above, try putting the content type in the headers and check the AccessToken spelling. Also try passing the client secret to $tokenResponse as -ClientSecret (ConvertTo-SecureString $client_secret -AsPlainText -Force):
# The MSAL token object exposes .AccessToken (not .access_token); no leading space before "Bearer"
$Headers = @{
"Authorization" = "Bearer $($TokenResponse.AccessToken)" 
"Content-type" = "application/json"} 
# Send an empty JSON object rather than an empty hashtable so the request body is "{}"
$body = @{ } | ConvertTo-Json
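Applying the answer's two fixes (the AccessToken property name and Content-Type in the headers) to the original Invoke-RestMethod loop gives the script below; it is an added example, not code from either post. It assumes MSAL.PS and the beta endpoint shown above, and the tenant/client ids, CSV paths and the 60-minute lifetime are placeholders.

```powershell
<# Added example: Invoke-RestMethod TAP generation with the answer's fixes applied #>
$tenantId    = "REDACTED"                 # placeholder
$clientId    = "REDACTED"                 # placeholder
$redirectUri = "https://localhost"
$scope       = "https://graph.microsoft.com/.default"

# Get-MsalToken (MSAL.PS) returns an AuthenticationResult; the token is in
# .AccessToken, not .access_token, which is why the original header was empty.
$tokenResponse = Get-MsalToken -ClientId $clientId -TenantId $tenantId -Interactive -RedirectUri $redirectUri -Scopes $scope
if ([string]::IsNullOrWhiteSpace($tokenResponse.AccessToken)) {
    throw "No access token returned; check the MSAL sign-in before calling Graph."
}

# Content-Type goes in the headers, as the answer suggests; no leading space before "Bearer".
$headers = @{
    "Authorization" = "Bearer $($tokenResponse.AccessToken)"
    "Content-Type"  = "application/json"
}

# One-time-use pass with an explicit lifetime (assumed values; the tenant's TAP policy must allow them).
$body = @{ isUsableOnce = $true; lifetimeInMinutes = 60 } | ConvertTo-Json

$users   = (Import-Csv -Path "C:\Temp\users.csv").UserName   # assumed CSV with a UserName column
$results = foreach ($user in $users) {
    $tapUri = "https://graph.microsoft.com/beta/users/$user/authentication/temporaryAccessPassMethods"
    try {
        $tap = Invoke-RestMethod -Method POST -Uri $tapUri -Headers $headers -Body $body
        [pscustomobject]@{ 'User Name' = $user; 'Temporary Access Pass' = $tap.temporaryAccessPass; Error = $null }
    }
    catch {
        # Record the HTTP status per user (401 = bad/missing token, 403 = missing permission) instead of aborting the loop
        $status = $_.Exception.Response.StatusCode.value__
        [pscustomobject]@{ 'User Name' = $user; 'Temporary Access Pass' = $null; Error = "HTTP $status" }
    }
}

$results | Export-Csv -Path "C:\Temp\Results.csv" -NoTypeInformation
```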