This blog post goes over the process of getting an Azure Active Directory (AAD) access token using a user's credentials (username and password), i.e. the OAuth 2.0 resource owner password credentials (ROPC) flow, where the client posts the password straight to the token endpoint and gets a delegated token back. The post summarizes the steps covered in the demo video 'Azure AD User Token – Postman' embedded below.

  1. Create and configure AAD Application
  2. Set Application Permissions
  3. Configure Postman (optional)
  4. Test user token

Demo video:

Azure AD User Token – Postman
  • Create and configure AAD Application

Rather than reinvent the wheel, I am just linking the instructions for creating an AAD application here; this is the same process I used in the demo video. The key thing is to make sure the application allows public client flows ('Allow public client flows' set to Yes on the app registration's Authentication blade). Without it the token endpoint treats the app as confidential and rejects the username/password request because no client secret is sent.

Allow public client flow for token
  • Set Application Permissions

Set the API permissions for the resources you want to manage with the token. For a user token these must be Delegated permissions on the app registration; Application permissions only end up in app-only (client credentials) tokens, and a delegated token can never do more than the signed-in user is allowed to do anyway. For the example in my demo I wanted to manage Conditional Access using the Microsoft Graph API, so I added the Conditional Access permission (Policy.ReadWrite.ConditionalAccess; Policy.Read.All is enough if you only need to read policies) and granted admin consent.

Application permission for token
  • Configure Postman (optional)

Postman provides an easy-to-use graphical interface for making REST API calls. It is not required, but I recommend it, especially if you are a beginner. Below are some links for reference:

Installing Postman
Configuring Postman for Azure
Postman Configuration for Azure
Link to my ‘User Token’ collection

You can use Postman to get user token and test token as I did in the demo.

  • Test user token

If you do not want to install or use Postman, the PowerShell commands below achieve what I did in the demo: get a user token, then use that token to list the Conditional Access policies on the tenant.

Commands

# Variables
$AppID    = "<application (client) ID>"
$tenant   = "<tenant ID or tenant name (contoso.onmicrosoft.com)>"
$username = "<user's UPN>"
# Do not leave a real password in the script; when running interactively prompt for it instead,
# e.g. $password = Read-Host -Prompt "Password"
$password = "<user password>"

# Token request header
$header = @{
    'Content-Type' = 'application/x-www-form-urlencoded'
}

# Token request body (OAuth 2.0 resource owner password credentials grant;
# parameter names are lower-case as in the spec)
$ReqTokenBody = @{
    grant_type = "password"
    client_id  = $AppID
    username   = $username
    password   = $password
    scope      = "https://graph.microsoft.com/.default"
}

# Getting token (v2.0 endpoint; .default returns every delegated Graph permission consented on the app)
$Uri = "https://login.microsoftonline.com/$tenant/oauth2/v2.0/token"
$response = Invoke-RestMethod -Uri $Uri -Method POST -Body $ReqTokenBody -Headers $header

# Formatting bearer token (treat $authtoken as a credential: it is valid for roughly an hour
# and grants everything listed in its "scp" claim)
$authtoken = "Bearer " + $response.access_token

# Request header
$header = @{
    'Authorization' = $authtoken
    'Content-Type'  = 'application/json'
}

# Basic request to validate token (returns the signed-in user's profile)
$resturi = "https://graph.microsoft.com/beta/me"
Invoke-RestMethod -Method Get -Uri $resturi -Headers $header

# Request to get the Conditional Access policies on the tenant
$resturi = "https://graph.microsoft.com/beta/identity/conditionalAccess/policies"
(Invoke-RestMethod -Method Get -Uri $resturi -Headers $header).value | ConvertTo-Json -Depth 10

GOTCHAS……

Make sure the user has the right directory role for whatever task you will be testing; the API permission on the app is not enough on its own, because a delegated token is capped at what the signed-in user may do. In the demo I had to give the user the Conditional Access Administrator role to be able to query Conditional Access using the Microsoft Graph API (for read-only queries a role such as Global Reader or Security Reader is sufficient and is the least-privilege choice).
If MFA or a restrictive Conditional Access policy applies to the account, this flow will not work: the password grant has no way to complete an interactive challenge, so the token endpoint returns an error (typically AADSTS50076 when MFA is required, AADSTS53003 when a Conditional Access policy blocks the sign-in) instead of a token. Use a test account excluded from those policies, or switch to an interactive flow such as authorization code or device code.
Because the script handles the user's plaintext password and Microsoft recommends against the ROPC flow for new applications, keep this to test tenants and do not leave credentials in scripts or Postman collections that get shared.
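As an added example (not part of the original post), the following PowerShell wraps the same password-grant request as the commands above, turns a rejected request into a readable reason, and decodes the returned token's claims to check audience, scopes and expiry before you spend time debugging Graph calls. The AADSTS lookup table is my own selection of the codes this flow commonly produces, the function names are mine, and the token at the end is a constructed, unsigned sample so the claim check runs offline.

```powershell
# Added example, not from the original post. Works on Windows PowerShell 5.1 and PowerShell 7.
# Common AADSTS codes for the password grant (my own selection; see error_description for others)
$KnownErrors = @{
    'AADSTS50126'   = 'Invalid username or password'
    'AADSTS50076'   = 'MFA is required for this user; the password grant cannot satisfy it'
    'AADSTS50079'   = 'User must register for MFA first'
    'AADSTS53003'   = 'Sign-in blocked by a Conditional Access policy'
    'AADSTS7000218' = 'App is not enabled for public client flows (endpoint wants a client_secret)'
    'AADSTS65001'   = 'No consent for the requested scopes; grant admin consent on the app'
}

function Get-UserToken {
    param(
        [Parameter(Mandatory)][string]$TenantId,
        [Parameter(Mandatory)][string]$ClientId,
        [Parameter(Mandatory)][string]$Username,
        [Parameter(Mandatory)][string]$Password,
        [string]$Scope = 'https://graph.microsoft.com/.default'
    )
    $body = @{
        grant_type = 'password'   # OAuth 2.0 parameter names are lower-case
        client_id  = $ClientId
        username   = $Username
        password   = $Password
        scope      = $Scope
    }
    try {
        return Invoke-RestMethod -Method Post -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" `
            -ContentType 'application/x-www-form-urlencoded' -Body $body -ErrorAction Stop
    } catch {
        # Azure AD answers a rejected request with a JSON body: error, error_description, error_codes
        if ($_.ErrorDetails.Message) {
            $err  = $_.ErrorDetails.Message | ConvertFrom-Json
            $code = [regex]::Match("$($err.error_description)", 'AADSTS\d+').Value
            $hint = if ($KnownErrors.ContainsKey($code)) { $KnownErrors[$code] } else { 'see error_description' }
            throw "Token request failed ($($err.error), $code): $hint`n$($err.error_description)"
        }
        throw
    }
}

function ConvertFrom-JwtPayload {
    param([Parameter(Mandatory)][string]$Jwt)
    $parts = $Jwt.Split('.')
    if ($parts.Count -ne 3) { throw 'Not a compact JWS (expected header.payload.signature)' }
    # Base64url -> Base64: swap the two alphabet characters and restore the padding
    $b64 = $parts[1].Replace('-', '+').Replace('_', '/')
    $b64 += '=' * ((4 - $b64.Length % 4) % 4)
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64)) | ConvertFrom-Json
}

function Test-GraphToken {
    param(
        [Parameter(Mandatory)][string]$AccessToken,
        [string[]]$RequiredScopes = @('Policy.Read.All')
    )
    $c = ConvertFrom-JwtPayload -Jwt $AccessToken
    # A delegated (user) token lists its permissions in "scp"; an app-only token carries "roles" instead.
    # If a required permission is missing here, check it was added as a Delegated permission and consented.
    $scopes   = if ($c.scp) { @($c.scp -split ' ') } else { @() }
    $missing  = @($RequiredScopes | Where-Object { $_ -notin $scopes })
    $expires  = [DateTimeOffset]::FromUnixTimeSeconds([long]$c.exp)
    $forGraph = $c.aud -in @('https://graph.microsoft.com', '00000003-0000-0000-c000-000000000000')
    [pscustomobject]@{
        Audience      = $c.aud
        Tenant        = $c.tid
        User          = $c.upn
        ExpiresUtc    = $expires.UtcDateTime
        Scopes        = $scopes
        MissingScopes = $missing
        Usable        = ($forGraph -and ($missing.Count -eq 0) -and ($expires -gt [DateTimeOffset]::UtcNow))
    }
}

# Constructed, unsigned sample token so the claim check runs offline. Decoding a payload proves nothing
# about who issued it; only Graph, which validates the signature, decides whether a token is accepted.
function New-SampleJwt([hashtable]$Claims) {
    $enc = { param($s) [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($s)).TrimEnd('=').Replace('+', '-').Replace('/', '_') }
    $header  = & $enc '{"alg":"none","typ":"JWT"}'
    $payload = & $enc ($Claims | ConvertTo-Json -Compress)
    return $header + '.' + $payload + '.'
}
$sample = New-SampleJwt @{
    aud = 'https://graph.microsoft.com'
    tid = '00000000-0000-0000-0000-000000000000'
    upn = 'user@contoso.onmicrosoft.com'
    scp = 'Policy.Read.All User.Read'
    exp = [DateTimeOffset]::UtcNow.AddHours(1).ToUnixTimeSeconds()
}
Test-GraphToken -AccessToken $sample -RequiredScopes 'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess'

# Against a real tenant, reuse the variables from the commands above:
# $token = Get-UserToken -TenantId $tenant -ClientId $AppID -Username $username -Password $password
# Test-GraphToken -AccessToken $token.access_token
```

Run as written, the check on the sample token reports Policy.Read.All as present and Policy.ReadWrite.ConditionalAccess as missing, so Usable comes back False, which is exactly the situation where the Conditional Access call above would fail with a 403 even though the token request succeeded. Against a real tenant, pass the access_token returned by Get-UserToken; when the token request itself is refused, the thrown message names the AADSTS code and its usual cause (MFA, public client flow not enabled, missing consent) instead of the generic "400 Bad Request" that Invoke-RestMethod shows by default. The payload decode is a local sanity check only; it does not verify the signature, so never use decoded claims as proof of identity in your own services.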