
🙏 Make it easy to generate a PoP Token for scenarios that require it

Open willfiddes opened this issue 3 months ago • 0 comments

Would be cool if Entra PowerShell makes it easy to generate a PoP Token for scenarios that require it, such as:
https://learn.microsoft.com/en-us/graph/api/serviceprincipal-addkey?view=graph-rest-1.0&tabs=http
https://learn.microsoft.com/en-us/graph/api/serviceprincipal-removekey?view=graph-rest-1.0&tabs=http
https://learn.microsoft.com/en-us/graph/api/application-addkey?view=graph-rest-1.0&tabs=http
https://learn.microsoft.com/en-us/graph/api/application-removekey?view=graph-rest-1.0&tabs=http

Example script...

function New-EntraPoPToken {
    param (
        [Parameter(Mandatory=$true)]
        [string]$AppId,        # object id of the application / servicePrincipal the key belongs to (used as iss/sub)

        [Parameter(Mandatory=$true)]
        [string]$PfxPath,      # a certificate already registered on that object; its private key signs the proof

        [Parameter(Mandatory=$true)]
        [string]$PfxPassword
    )

    # Download nuget.exe once, then install the three packages into ONE directory that the
    # Add-Type calls below also read from (nuget.exe install lays packages out as <Id>.<Version>\lib\...).
    $nugetExe = "$env:USERPROFILE\Downloads\nuget.exe"
    $nugetDir = "$env:USERPROFILE\Downloads\.nuget"
    $version  = "6.15.0"
    if (-not (Test-Path $nugetExe)) {
        Invoke-WebRequest -Uri "https://dist.nuget.org/win-x86-commandline/latest/nuget.exe" -OutFile $nugetExe
    }
    foreach ($pkg in 'Microsoft.IdentityModel.Tokens', 'Microsoft.IdentityModel.JsonWebTokens', 'Microsoft.IdentityModel.Logging') {
        & $nugetExe install $pkg -Version $version -OutputDirectory $nugetDir
    }

    # Load required assemblies
    Add-Type -Path "$nugetDir\Microsoft.IdentityModel.Tokens.$version\lib\netstandard2.0\Microsoft.IdentityModel.Tokens.dll"
    Add-Type -Path "$nugetDir\Microsoft.IdentityModel.JsonWebTokens.$version\lib\netstandard2.0\Microsoft.IdentityModel.JsonWebTokens.dll"
    Add-Type -Path "$nugetDir\Microsoft.IdentityModel.Logging.$version\lib\netstandard2.0\Microsoft.IdentityModel.Logging.dll"

    # Load certificate (private key is needed to sign the proof)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($PfxPath, $PfxPassword)

    # Create signing credentials (RS256; the handler adds the x5t header from the certificate)
    $signingCredentials = New-Object Microsoft.IdentityModel.Tokens.X509SigningCredentials($cert)

    # Define token claims expected by addKey/removeKey: fixed aud, iss = the object id
    $now = [System.DateTime]::UtcNow
    $tokenDescriptor = New-Object Microsoft.IdentityModel.Tokens.SecurityTokenDescriptor

    $claims = New-Object 'System.Collections.Generic.Dictionary[string,object]'
    $claims.Add("aud", "00000002-0000-0000-c000-000000000000")
    $claims.Add("iss", $AppId)
    $claims.Add("sub", $AppId)

    $tokenDescriptor.Claims = $claims

    # Short-lived proof: valid from one minute ago for ten minutes
    $tokenDescriptor.NotBefore = $now.AddMinutes(-1)
    $tokenDescriptor.Expires = $now.AddMinutes(10)
    $tokenDescriptor.SigningCredentials = $signingCredentials

    # Generate token
    $tokenHandler = New-Object Microsoft.IdentityModel.JsonWebTokens.JsonWebTokenHandler
    return $tokenHandler.CreateToken($tokenDescriptor)
}

Or a way to build it into the existing cmdlets New-EntraServicePrincipalKeyCredential, Remove-EntraServicePrincipalKeyCredential, New-EntraApplicationKeyCredential, Remove-EntraApplicationKeyCredential to support additional parameters such as cert path and password to automatically generate and pass the proof.

willfiddes avatar Sep 26 '25 20:09 willfiddes
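Added example, not code from the issue above or from the Entra PowerShell project: it takes a proof such as the one New-EntraPoPToken produces, decodes it and checks the claims addKey/removeKey rely on (fixed aud, iss equal to the object id, a current nbf/exp window, an x5t header naming the signing certificate) before the proof is sent, and then shows the documented servicePrincipal addKey call. It assumes the Microsoft.Graph.Authentication module (Connect-MgGraph / Invoke-MgGraphRequest); the function names ConvertFrom-Base64Url, Test-EntraPoPProof and Add-EntraServicePrincipalKeyWithProof are hypothetical helpers, and the sample proof and ids in the usage comments are placeholders.

```powershell
function ConvertFrom-Base64Url {
    # JWT segments are base64url without padding; restore padding and decode to UTF-8 text.
    param([Parameter(Mandatory)][string]$Value)
    $s = $Value.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) { 2 { $s += '==' } 3 { $s += '=' } }
    return [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($s))
}

function Test-EntraPoPProof {
    # Decodes the proof WITHOUT verifying the signature (Graph does that against the keys
    # already on the object) and checks the claim shape addKey/removeKey expect.
    param(
        [Parameter(Mandatory)][string]$Proof,
        [Parameter(Mandatory)][string]$ExpectedIssuer   # object id of the application / servicePrincipal
    )
    $parts = $Proof.Split('.')
    if ($parts.Count -ne 3) { throw "Proof is not a compact JWS (expected 3 dot-separated parts)" }
    $header = ConvertFrom-Base64Url $parts[0] | ConvertFrom-Json
    $claims = ConvertFrom-Base64Url $parts[1] | ConvertFrom-Json
    $now    = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds()

    $problems = @()
    if ($header.alg -ne 'RS256') { $problems += "alg is '$($header.alg)', expected RS256" }
    if (-not $header.x5t)        { $problems += "header lacks x5t (thumbprint of the signing certificate)" }
    if ($claims.aud -ne '00000002-0000-0000-c000-000000000000') { $problems += "aud is '$($claims.aud)'" }
    if ($claims.iss -ne $ExpectedIssuer) { $problems += "iss '$($claims.iss)' does not match '$ExpectedIssuer'" }
    if (-not $claims.nbf -or $claims.nbf -gt $now) { $problems += "nbf missing or in the future" }
    if (-not $claims.exp -or $claims.exp -le $now) { $problems += "exp missing or already passed" }
    if ($claims.exp -and $claims.nbf -and ($claims.exp - $claims.nbf) -gt 660) {
        $problems += "lifetime longer than the 11-minute window New-EntraPoPToken uses; keep proofs short-lived"
    }

    return [pscustomobject]@{
        Valid    = ($problems.Count -eq 0)
        Problems = $problems
        Header   = $header
        Claims   = $claims
    }
}

function Add-EntraServicePrincipalKeyWithProof {
    # Hypothetical helper: calls the documented servicePrincipal addKey action. The proof must be
    # signed by a certificate already on the servicePrincipal; $NewCertificate is the key being added.
    param(
        [Parameter(Mandatory)][string]$ServicePrincipalId,   # object id, not the appId
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$NewCertificate,
        [Parameter(Mandatory)][string]$Proof
    )
    $check = Test-EntraPoPProof -Proof $Proof -ExpectedIssuer $ServicePrincipalId
    if (-not $check.Valid) { throw ("Refusing to send proof: " + ($check.Problems -join '; ')) }

    $body = @{
        keyCredential = @{
            type  = 'AsymmetricX509Cert'
            usage = 'Verify'
            key   = [Convert]::ToBase64String($NewCertificate.RawData)   # public certificate only
        }
        passwordCredential = $null
        proof = $Proof
    }
    # Requires an existing session (Connect-MgGraph) with permission to manage the servicePrincipal.
    Invoke-MgGraphRequest -Method POST `
        -Uri "https://graph.microsoft.com/v1.0/servicePrincipals/$ServicePrincipalId/addKey" `
        -Body $body -ContentType 'application/json'
}

# Usage (placeholders; New-EntraPoPToken is the function from the issue above):
# $spObjectId = '<servicePrincipal object id>'
# $proof      = New-EntraPoPToken -AppId $spObjectId -PfxPath .\existing-signer.pfx -PfxPassword $pw
# Test-EntraPoPProof -Proof $proof -ExpectedIssuer $spObjectId | Format-List Valid, Problems
# $newCert    = Get-Item "Cert:\CurrentUser\My\<thumbprint of the key being added>"
# Add-EntraServicePrincipalKeyWithProof -ServicePrincipalId $spObjectId -NewCertificate $newCert -Proof $proof
```

Running Test-EntraPoPProof before the Graph call turns the usual opaque 401 from addKey into a specific message (wrong issuer id, expired window, missing x5t), and it never needs the private key, so it can sit in a pipeline step that only sees the finished proof.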