This blog post goes over the process of getting an Azure Active Directory (AAD) access token with a user's credentials (username and password), i.e. the OAuth 2.0 resource owner password credentials (ROPC) grant. The post summarizes the steps covered in the demo video 'Azure AD User Token – Postman' embedded below.
Demo video:
Rather than reinvent the wheel, I am just going to link information on how to create an AAD application here; this is identical to the process I used in the demo video. The key thing is to enable 'Allow public client flows' on the app registration (Authentication blade), otherwise the token endpoint rejects the username/password grant.
Add API permissions for the resources you want to manage with the token. Because the token is issued on behalf of the signed-in user, these are delegated permissions, and the effective rights are the intersection of what the app was granted and what the user can do. For the example in my demo I wanted to manage conditional access through Microsoft Graph API, so I added the conditional access policy permission and granted admin consent for it.
Postman provides an easy-to-use graphical interface for making REST API calls. It is not required, but I recommend it, especially if you are a beginner. Below are some links for your reference:
Installing Postman
Configuring Postman for Azure
Postman Configuration for Azure
Link to my ‘User Token’ collection
You can use Postman to get the user token and test it, as I did in the demo.
If you do not want to install or use Postman, the PowerShell commands below achieve what I did in the demo: get a user token, then use it to list the conditional access policies on the tenant.
Commands
# Variables
$AppID = "<application (client) ID>"
$tenant = "<tenant ID or onmicrosoft.com domain name>"
$username = "<user's UPN>"
$password = '<user password>'   # plain text here only for the demo; do not keep passwords in scripts
# Token request header (Invoke-RestMethod sends a hashtable body as a form by default; set explicitly for clarity)
$header = @{
'Content-Type' = 'application/x-www-form-urlencoded'
}
# Token request body (ROPC grant; parameter names are lowercase per RFC 6749)
$ReqTokenBody = @{
grant_type = "password"
client_id = $AppID
username = $username
password = $password
scope = "https://graph.microsoft.com/.default"
}
# Getting token from the v2.0 token endpoint of the tenant
$Uri = "https://login.microsoftonline.com/$tenant/oauth2/v2.0/token"
$response = Invoke-RestMethod -Uri "$Uri" -Method POST -Body $ReqTokenBody -Headers $header
# Formatting bearer token
$authtoken = "Bearer " + $response.access_token
# Request header for Graph calls
$header = @{
'Authorization'=$authtoken
'Content-Type'='application/json'
}
# Basic request to validate token (returns the signed-in user's profile)
$resturi = "https://graph.microsoft.com/beta/me"
Invoke-RestMethod -Method Get -Uri $resturi -Headers $header
# Request to get conditional access policies on the tenant
$resturi = "https://graph.microsoft.com/beta/identity/conditionalAccess/policies"
(Invoke-RestMethod -Method Get -Uri $resturi -Headers $header).value | ConvertTo-Json -Depth 10
GOTCHAS
Make sure the user has the right directory role for whatever you will be testing. Because this is a delegated (user) token, Graph checks the user's own rights as well as the app's consented permission; in the demo I had to give the user the Conditional Access Administrator role before conditional access policies could be queried through Microsoft Graph API.
If MFA or a restrictive conditional access policy applies to the account, the flow will not work: ROPC has no way to complete an interactive challenge, so the token request fails with an error instead of prompting. That same property is why ROPC is a favourite for password spraying against tenants, so only enable public client flows on app registrations that actually need them, and do not leave user passwords in plain text in scripts.
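The script above trusts whatever comes back from the token endpoint. The following is an added example (not part of the original post or its Postman collection) that wraps the same ROPC request so the AADSTS error code is visible when it is refused, and decodes the returned JWT offline to confirm its audience, delegated scopes and expiry before it is sent to Graph. The tenant, client ID, user name and sample claims are placeholders; the sample token at the bottom is constructed locally so the checks run without a network connection.

```powershell
# Added example, not from the original post. Two checks worth having around the
# ROPC request: decode the JWT offline to confirm audience, scopes and expiry,
# and surface the AADSTS code when the token request is refused.

function ConvertFrom-JwtPayload {
    param([Parameter(Mandatory)][string]$Token)

    $parts = $Token.Split('.')
    if ($parts.Count -ne 3) { throw "Not a compact JWT: expected 3 segments, got $($parts.Count)" }

    # The payload is base64url (RFC 7515): restore the standard alphabet and padding
    $b64 = $parts[1].Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) {
        2 { $b64 += '==' }
        3 { $b64 += '=' }
    }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64)) | ConvertFrom-Json
}

function Test-GraphToken {
    param(
        [Parameter(Mandatory)][string]$Token,
        [string[]]$RequiredScopes = @()
    )
    $claims   = ConvertFrom-JwtPayload -Token $Token
    $expires  = [DateTimeOffset]::FromUnixTimeSeconds([int64]$claims.exp).UtcDateTime
    $problems = @()

    # Graph is identified by either its URI or its app ID; anything else was minted for another API
    if ($claims.aud -notin @('https://graph.microsoft.com', '00000003-0000-0000-c000-000000000000')) {
        $problems += "audience is '$($claims.aud)', not Microsoft Graph"
    }
    if ($expires -le [DateTime]::UtcNow) { $problems += "token expired at $expires UTC" }

    # Delegated permissions arrive in 'scp' (space-separated); app-only tokens carry 'roles' instead
    $granted = if ($claims.scp) { $claims.scp -split ' ' } else { @() }
    foreach ($s in $RequiredScopes) {
        if ($s -notin $granted) { $problems += "missing delegated permission '$s'" }
    }

    [pscustomobject]@{
        User       = $claims.upn
        Audience   = $claims.aud
        Scopes     = $granted
        ExpiresUtc = $expires
        Problems   = $problems
        Usable     = ($problems.Count -eq 0)
    }
}

function Get-RopcToken {
    # Same request as the script above, but the password is taken as a SecureString
    # (prompt with Read-Host -AsSecureString instead of hard-coding it) and an HTTP 400
    # is turned into an error message that shows the AADSTS code.
    param(
        [Parameter(Mandatory)][string]$TenantId,
        [Parameter(Mandatory)][string]$ClientId,
        [Parameter(Mandatory)][string]$Username,
        [Parameter(Mandatory)][securestring]$Password,
        [string]$Scope = 'https://graph.microsoft.com/.default'
    )
    $body = @{
        grant_type = 'password'
        client_id  = $ClientId
        username   = $Username
        password   = [Net.NetworkCredential]::new('', $Password).Password
        scope      = $Scope
    }
    try {
        Invoke-RestMethod -Method Post -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" -Body $body
    } catch {
        # The JSON error body is in ErrorDetails. Common codes for this flow:
        # AADSTS50076 = MFA required by policy, AADSTS50126 = wrong username/password,
        # AADSTS7000218 = 'Allow public client flows' not enabled on the app registration.
        if (-not $_.ErrorDetails.Message) { throw }
        $err = $_.ErrorDetails.Message | ConvertFrom-Json
        throw "Token request failed: $($err.error): $($err.error_description)"
    }
}

# Constructed sample token (dummy signature segment) so the checks run offline.
# It carries only Policy.Read.All, so asking for the write permission reports a problem.
$payload = @{
    aud = 'https://graph.microsoft.com'
    upn = 'alice@contoso.onmicrosoft.com'
    scp = 'Policy.Read.All User.Read'
    exp = [DateTimeOffset]::UtcNow.AddHours(1).ToUnixTimeSeconds()
} | ConvertTo-Json -Compress
$b64url    = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($payload)).TrimEnd('=').Replace('+', '-').Replace('/', '_')
$sampleJwt = "eyJhbGciOiJSUzI1NiJ9.$b64url.signature"

Test-GraphToken -Token $sampleJwt -RequiredScopes 'Policy.ReadWrite.ConditionalAccess' | Format-List
```

Against a real token, call `Get-RopcToken` with `-Password (Read-Host -AsSecureString)` and pass `.access_token` to `Test-GraphToken` before building the Authorization header; a `Usable` of False with a "missing delegated permission" entry means admin consent for that Graph permission is still outstanding, while a refused request with AADSTS50076 is the MFA gotcha described above. Decoding the payload this way is only an inspection aid, not signature validation; the resource (Graph) is what verifies the token.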