Automating with PowerShell: Secure App Model Refresh tokens

So this is a quick one: I gave a talk today and noticed I never showed a fully automated way to get refresh tokens, endlessly. 🙂

When using the Secure Application Model, you only really need to go through the consent procedure once. After that you can get a new refresh token indefinitely, without any interaction.

To do that, you'll have to use something like an Azure Key Vault, or another secure storage location, where you store the original refresh token; we then overwrite that stored token with the new one each time the script runs. You can use an Azure Function for this or just a scheduled script.

Use the code below as an example to get a new refresh token, without human interaction.

######### Secrets #########
# Replace these placeholders with values pulled from your secure store; never hardcode them in production.
$ApplicationId = 'ApplicationID'
$ApplicationSecret = 'ApplicationSecret' | ConvertTo-SecureString -Force -AsPlainText
$TenantID = 'TenantID'
$RefreshToken = 'LongRefreshToken'
# The Exchange token and UPN are not refreshed here; they are loaded so the same secret block can be reused by scripts that need them.
$ExchangeRefreshToken = 'LongExchangeRefreshToken'
$UPN = "YourPrettyUpnUsedToGenerateTokens"
######### Secrets #########
$credential = New-Object System.Management.Automation.PSCredential($ApplicationId, $ApplicationSecret)

# Exchange the stored refresh token for a new access token (and a new refresh token) per scope.
$aadGraphToken = New-PartnerAccessToken -ApplicationId $ApplicationId -Credential $credential -RefreshToken $RefreshToken -Scopes 'https://graph.windows.net/.default' -ServicePrincipal -Tenant $TenantID
$graphToken = New-PartnerAccessToken -ApplicationId $ApplicationId -Credential $credential -RefreshToken $RefreshToken -Scopes 'https://graph.microsoft.com/.default' -ServicePrincipal -Tenant $TenantID

# Each result carries a fresh refresh token; this is what you write back to storage.
$NewAADRefreshToken = $aadGraphToken.RefreshToken
$NewGraphToken = $graphToken.RefreshToken

You can use $NewAADRefreshToken and $NewGraphToken to push the latest version of the refresh token somewhere safe, and also pull it from there in other scripts. And that's it! As always, Happy PowerShelling.
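To show the whole loop end to end, here is an added example (not code from the original post) that reads the current refresh token from Azure Key Vault, rotates it with New-PartnerAccessToken and writes the new token back, keeping one secret per scope. It assumes the Az.Accounts, Az.KeyVault and PartnerCenter modules, a managed identity (e.g. an Azure Function) with get/set permission on the secrets, and placeholder names for the vault and secrets.

```powershell
# Added example: automated Secure App Model refresh token rotation via Key Vault.
# Vault and secret names below are placeholders; replace with your own.
param(
    [string]$VaultName     = 'sam-vault-placeholder',
    [string]$ApplicationId = '<ApplicationID>',
    [string]$TenantID      = '<TenantID>'
)

# Sign in with the managed identity unless an Az session already exists.
if (-not (Get-AzContext)) { Connect-AzAccount -Identity | Out-Null }

# -AsPlainText requires Az.KeyVault 2.x or later.
$ApplicationSecret = Get-AzKeyVaultSecret -VaultName $VaultName -Name 'ApplicationSecret' -AsPlainText |
    ConvertTo-SecureString -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential($ApplicationId, $ApplicationSecret)

# One stored refresh token per scope, so a failure on one does not affect the other.
$tokens = @(
    @{ Secret = 'AadGraphRefreshToken'; Scope = 'https://graph.windows.net/.default' }
    @{ Secret = 'GraphRefreshToken';    Scope = 'https://graph.microsoft.com/.default' }
)

foreach ($t in $tokens) {
    $current = Get-AzKeyVaultSecret -VaultName $VaultName -Name $t.Secret -AsPlainText
    try {
        $result = New-PartnerAccessToken -ApplicationId $ApplicationId -Credential $credential `
            -RefreshToken $current -Scopes $t.Scope -ServicePrincipal -Tenant $TenantID
    } catch {
        # An expired or revoked token must not overwrite the stored value; surface it instead.
        Write-Error "Refresh for $($t.Scope) failed: $($_.Exception.Message)"
        continue
    }
    if ([string]::IsNullOrEmpty($result.RefreshToken)) {
        Write-Error "No refresh token returned for $($t.Scope); keeping the stored one."
        continue
    }
    # Key Vault keeps the previous value as an older secret version, which helps if a rollback is needed.
    $secure = ConvertTo-SecureString -String $result.RefreshToken -AsPlainText -Force
    Set-AzKeyVaultSecret -VaultName $VaultName -Name $t.Secret -SecretValue $secure | Out-Null
    Write-Output "Rotated refresh token stored in secret '$($t.Secret)'."
}
```

Schedule this to run well inside the refresh token's lifetime; a refresh token that is never renewed eventually expires and the interactive consent has to be repeated.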
