Graph API - Temporary Access Pass Generation
I have the following script which is trying to use the Graph API to create a csv of TAP codes.
Currently it fails with a 401 Unauthorised error when it reaches Invoke-RestMethod.
<# Region Auth Start #>
$tenantId = "REDACTED"
$clientID = "REDACTED"
$Scope = "https://graph.microsoft.com/.default"
$redirectUri = "https://localhost"
$TokenResponse = Get-MsalToken -ClientId $clientID -TenantId $tenantId -Interactive -RedirectUri $redirectUri -Scopes $Scope
<# Region Auth End #>
<# Region Generate AAD TAP Start #>
#Import users from csv file
###########################
$users = (Import-csv -Path "c:\Temp\users.csv").UserName
#Initializing Hash table to store output
########################################
$hash = @{}
#Looping through each user to generate AAD TAP
##############################################
ForEach ($user in $users) {
$Headers = @{Authorization = "$($TokenResponse.token_type) $($TokenResponse.access_token)"}
$tapUri = "https://graph.microsoft.com/beta/users/$user/authentication/temporaryAccessPassMethods"
$body = "{}"
$tapResponse = Invoke-RestMethod -Headers $Headers -Uri $tapUri -Body $body -Method POST -ContentType "application/json"
$tap = $tapResponse.temporaryAccessPass
$hash.add($user,$tap)
}
#Saving result to file
######################
$outpath = "C:\Temp\Results.csv"
$hash.GetEnumerator() | Select-Object -Property @{N='User Name';E={$_.Key}}, @{N='Temporary Access Pass';E={$_.Value}} |Export-csv -Path $outpath -NoTypeInformation
<# Region Generate AAD TAP End #>
Any thoughts on the root cause would be appreciated.
I tried in my environment generating temporary access passes for the users imported from a csv, using the Microsoft Graph module in PowerShell, and was able to generate the TAP codes for the member users successfully.
- But before that, make sure you have Global Administrator rights to generate TAPs and that UserAuthenticationMethod.ReadWrite.All, User.ReadWrite.All are granted as application and delegated permissions before executing.
- And install the Graph module to use it.
Powershell:
# Requires the Microsoft.Graph PowerShell module; sign in with the scopes named above
Connect-MgGraph -Scopes "UserAuthenticationMethod.ReadWrite.All", "User.ReadWrite.All"
# TAP properties sent as the request body (adjust startDateTime to the intended start time)
$properties = @{}
$properties.isUsableOnce = $True
$properties.startDateTime = '2022-05-05 06:00:00'
$propertiesJSON = $properties | ConvertTo-Json
# Hash table collecting one pass per user
$hash = @{}
$users = (Import-csv -Path "C:\Users\<path>\filename.csv")
ForEach ($user in $users)
{
    # The created method object carries the generated pass in its TemporaryAccessPass property
    $tap = New-MgUserAuthenticationTemporaryAccessPassMethod -UserId $user.userPrincipalName -BodyParameter $propertiesJSON
    Get-MgUserAuthenticationTemporaryAccessPassMethod -UserId $user.userPrincipalName
    $hash.Add($user.userPrincipalName, $tap.TemporaryAccessPass)
}
# Output path set once, outside the loop
$outpath = "C:\Users\....\...\Results.csv"
$hash.GetEnumerator() | Select-Object -Property @{N='User Name';E={$_.Key}}, @{N='Temporary Access Pass';E={$_.Value}} | Export-csv -Path $outpath -NoTypeInformation
参考:Configure Temporary Access Pass in Azure AD to register Passwordless authentication methods
If you are trying with Invoke-RestMethod as above, try putting the Content-Type into the headers and check the AccessToken spelling. Also try passing the client secret in $tokenResponse as -ClientSecret (ConvertTo-SecureString $client_secret -AsPlainText -Force)
$Headers = @{
    "Authorization" = "Bearer $($TokenResponse.AccessToken)"
    "Content-type"  = "application/json"
}
# Empty JSON object as the request body
$body = @{} | ConvertTo-Json
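As an added example (not the question's or the answer's code), here is the question's Invoke-RestMethod loop with the answer's fixes applied: the token object's real property names, Content-Type in the headers, and per-user error handling so a 401 or 403 is recorded against the user it failed for. It assumes the MSAL.PS module that provides Get-MsalToken, a users.csv with a UserName column, and placeholder tenant and client ids.

```powershell
<# Added example, not the question's or the answer's code: the question's loop with the answer's
   fixes applied. Assumes the MSAL.PS module (Get-MsalToken), a users.csv with a UserName column,
   and that the signed-in account holds the UserAuthenticationMethod.ReadWrite.All permission.
   Tenant id, client id and paths are placeholders. #>
$tenantId    = "<TENANT-ID>"
$clientId    = "<CLIENT-ID>"
$redirectUri = "https://localhost"

# Get-MsalToken returns an AuthenticationResult whose properties are AccessToken and TokenType.
# Reading token_type / access_token instead yields an empty Authorization header and a 401.
$token = Get-MsalToken -ClientId $clientId -TenantId $tenantId -Interactive `
            -RedirectUri $redirectUri -Scopes "https://graph.microsoft.com/.default"

# Build the headers once, outside the loop, with Content-Type alongside the bearer token.
$headers = @{
    Authorization  = "Bearer $($token.AccessToken)"
    "Content-Type" = "application/json"
}

# Constrain each pass instead of posting "{}": single use and a one-hour lifetime.
$body = @{ isUsableOnce = $true; lifetimeInMinutes = 60 } | ConvertTo-Json

$results = foreach ($upn in (Import-Csv -Path "C:\Temp\users.csv").UserName) {
    $uri = "https://graph.microsoft.com/beta/users/$upn/authentication/temporaryAccessPassMethods"
    try {
        $resp = Invoke-RestMethod -Method POST -Uri $uri -Headers $headers -Body $body
        [pscustomobject]@{ UserName = $upn; TemporaryAccessPass = $resp.temporaryAccessPass; Error = $null }
    }
    catch {
        # 401: token missing or invalid; 403: token valid but the permission was not consented.
        $status = $_.Exception.Response.StatusCode.value__
        $reason = if ($status) { "HTTP $status" } else { $_.Exception.Message }
        [pscustomobject]@{ UserName = $upn; TemporaryAccessPass = $null; Error = $reason }
    }
}

# The file holds live sign-in credentials: keep it on an access-controlled path and remove it once the passes are handed out.
$results | Export-Csv -Path "C:\Temp\Results.csv" -NoTypeInformation
```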