Description
Would be cool if Entra PowerShell made it easy to generate a PoP Token for scenarios that require it, such as...
https://learn.microsoft.com/en-us/graph/api/serviceprincipal-addkey?view=graph-rest-1.0&tabs=http
https://learn.microsoft.com/en-us/graph/api/serviceprincipal-removekey?view=graph-rest-1.0&tabs=http
https://learn.microsoft.com/en-us/graph/api/application-addkey?view=graph-rest-1.0&tabs=http
https://learn.microsoft.com/en-us/graph/api/application-removekey?view=graph-rest-1.0&tabs=http
Example script...

```powershell
function New-EntraPoPToken {
    param (
        # Object id of the application or service principal the proof is for
        # (the linked addKey docs require iss and sub to be that object id)
        [Parameter(Mandatory=$true)]
        [string]$AppId,
        [Parameter(Mandatory=$true)]
        [string]$PfxPath,
        [Parameter(Mandatory=$true)]
        [string]$PfxPassword
    )

    # Fetch nuget.exe once and install the token libraries into one local folder
    $nugetExe = "$env:USERPROFILE\Downloads\nuget.exe"
    $pkgDir   = "$env:USERPROFILE\Downloads\.nuget"
    if (-not (Test-Path $nugetExe)) {
        Invoke-WebRequest -Uri "https://dist.nuget.org/win-x86-commandline/latest/nuget.exe" -OutFile $nugetExe
    }
    & $nugetExe install Microsoft.IdentityModel.Tokens -Version 6.15.0 -OutputDirectory $pkgDir
    & $nugetExe install Microsoft.IdentityModel.JsonWebTokens -Version 6.15.0 -OutputDirectory $pkgDir
    & $nugetExe install Microsoft.IdentityModel.Logging -Version 6.15.0 -OutputDirectory $pkgDir

    # Load required assemblies from the nuget.exe install layout (<Id>.<Version>\lib\...),
    # dependencies first so each assembly can resolve the one it references
    Add-Type -Path "$pkgDir\Microsoft.IdentityModel.Logging.6.15.0\lib\netstandard2.0\Microsoft.IdentityModel.Logging.dll"
    Add-Type -Path "$pkgDir\Microsoft.IdentityModel.Tokens.6.15.0\lib\netstandard2.0\Microsoft.IdentityModel.Tokens.dll"
    Add-Type -Path "$pkgDir\Microsoft.IdentityModel.JsonWebTokens.6.15.0\lib\netstandard2.0\Microsoft.IdentityModel.JsonWebTokens.dll"

    # Load the certificate whose private key signs the proof
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($PfxPath, $PfxPassword)

    # Create signing credentials (RS256 with the certificate's private key)
    $signingCredentials = New-Object Microsoft.IdentityModel.Tokens.X509SigningCredentials($cert)

    # Define token claims: aud is the fixed Graph value, iss and sub are the object id
    $now = [System.DateTime]::UtcNow
    $nbf = $now.AddMinutes(-1)
    $tokenDescriptor = New-Object Microsoft.IdentityModel.Tokens.SecurityTokenDescriptor
    $claims = New-Object 'System.Collections.Generic.Dictionary[string,object]'
    $claims.Add("aud", "00000002-0000-0000-c000-000000000000")
    $claims.Add("iss", $AppId)
    $claims.Add("sub", $AppId)
    $tokenDescriptor.Claims = $claims
    $tokenDescriptor.NotBefore = $nbf
    $tokenDescriptor.Expires = $nbf.AddMinutes(10)   # exp is nbf + 10 minutes per the addKey docs
    $tokenDescriptor.SigningCredentials = $signingCredentials

    # Generate the compact JWS string that goes into the request's "proof" property
    $tokenHandler = New-Object Microsoft.IdentityModel.JsonWebTokens.JsonWebTokenHandler
    return $tokenHandler.CreateToken($tokenDescriptor)
}
```

Or a way to build it into the existing cmdlets New-EntraServicePrincipalKeyCredential, Remove-EntraServicePrincipalKeyCredential, New-EntraApplicationKeyCredential, Remove-EntraApplicationKeyCredential to support additional parameters such as cert path and password to automatically generate and pass the proof.
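As an added example (not from the issue author or the Entra PowerShell project), a check that decodes a generated proof JWT offline and reports which of the addKey constraints from the linked docs it violates, which is handy when the service rejects the proof; `Test-EntraPoPToken`, its parameters and the sample token variable are hypothetical names.

```powershell
# Added example: sanity-check a proof-of-possession JWT before sending it to addKey/removeKey.
# Only the claims are inspected; the signature is verified by the service, not here.
function Test-EntraPoPToken {
    param (
        [Parameter(Mandatory = $true)][string]$Token,
        # Object id of the application or service principal the proof is meant for
        [Parameter(Mandatory = $true)][string]$ExpectedId
    )

    function ConvertFrom-Base64Url([string]$s) {
        $s = $s.Replace('-', '+').Replace('_', '/')
        switch ($s.Length % 4) { 2 { $s += '==' } 3 { $s += '=' } }
        return [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($s))
    }

    $parts = $Token.Split('.')
    if ($parts.Count -ne 3) {
        return [pscustomobject]@{ Valid = $false; Problems = @('not a compact JWS (expected 3 segments)') }
    }

    $header   = ConvertFrom-Base64Url $parts[0] | ConvertFrom-Json
    $payload  = ConvertFrom-Base64Url $parts[1] | ConvertFrom-Json
    $problems = @()

    # Header: RS256 over the registered certificate, identified by its thumbprint
    if ($header.alg -ne 'RS256') { $problems += "alg is '$($header.alg)', expected RS256" }
    if (-not $header.x5t) { $problems += 'header has no x5t thumbprint to match a registered certificate' }

    # Claims: fixed Graph audience, iss == sub == object id
    if ($payload.aud -ne '00000002-0000-0000-c000-000000000000') { $problems += "aud is '$($payload.aud)'" }
    if ($payload.iss -ne $ExpectedId) { $problems += "iss '$($payload.iss)' is not the expected object id" }
    if ($payload.sub -ne $payload.iss) { $problems += 'sub must equal iss' }

    # Lifetime: nbf and exp present, at most 10 minutes apart, and not already expired
    $nowUnix = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds()
    if (-not $payload.exp -or -not $payload.nbf) { $problems += 'nbf and exp are required' }
    elseif (($payload.exp - $payload.nbf) -gt 600) { $problems += 'exp - nbf exceeds the 10-minute maximum' }
    elseif ($payload.exp -le $nowUnix) { $problems += 'token has already expired' }

    return [pscustomobject]@{
        Valid    = ($problems.Count -eq 0)
        Header   = $header
        Payload  = $payload
        Problems = $problems
    }
}

# Usage (hypothetical values): $proof holds the string returned by New-EntraPoPToken
# Test-EntraPoPToken -Token $proof -ExpectedId '<object id placeholder>' | Format-List
```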