Closed DarkLite1 closed 4 years ago
I found the -Silent
switch which can be used to accommodate the desired behavior. The only issue is it cannot be combined with the the switch -IntegratedWindowsAuth
. Ideally one would like to do this:
(0..50) | ForEach-Object {
$msalParams = @{
ClientId = $azureClientId
TenantId = $azureTenantId
IntegratedWindowsAuth = $true
Scopes = "https://outlook.office.com/EWS.AccessAsUser.All"
}
$token = Get-MsalToken @msalParams -Silent
}
Because that is not possible we now require two steps to get the same result:
Acquire a token with -IntegratedWindowsAuth
:
$msalParams = @{
ClientId = $azureClientId
TenantId = $azureTenantId
IntegratedWindowsAuth = $true
Scopes = "https://outlook.office.com/EWS.AccessAsUser.All"
}
$token = Get-MsalToken @msalParams
Refresh the token:
$msalParams = @{
ClientId = $azureClientId
TenantId = $azureTenantId
Scopes = "https://outlook.office.com/EWS.AccessAsUser.All"
}
$token = Get-MsalToken @msalParams -Silent
Would it be possible to combine both steps?
Do you have requirement to only allow IntegratedWindowsAuth? Do you get the desired behavior when you remove the IntegratedWindowsAuth parameter? By default, the Get-MsalToken command will attempt a silent auth first, then IWA, and finally if all else fails it will do interactive in a web browser.
(0..50) | ForEach-Object {
$msalParams = @{
ClientId = $azureClientId
TenantId = $azureTenantId
Scopes = "https://outlook.office.com/EWS.AccessAsUser.All"
}
$token = Get-MsalToken @msalParams
}
If I remember correctly I really need the switch IntegratedWindowsAuth = $true
because in the Azure App Registration I have the following :
That switch determines what client application types the AAD service principal will accept which is either Public or Confidential. https://docs.microsoft.com/en-us/azure/active-directory/develop/msal-client-applications
The Get-MsalToken command will always use public client application object in MSAL when ClientSecret and ClientCertificate parameters are omitted.
In any case, I can tell you with certainty that when I did my test I really needed to add the -silent
switch to have the token refreshed silently. If this was omitted it would not renew the token. Might have been my setup in Azure or something else, I just wanted you to know.
Just to clarify, MSAL will continue to return the same Access Token from the token cache until it expires or you specify the -ForceRefresh
parameter.
I just tested without -IntegratedWindowsAuth
or -Silent
and it all appears to work silently as expected. Maybe this got fixed somewhere along the way but let me know if you are still unable to get it working.
## The same command does Integrated Windows Auth the first time and Silent for all subsequent call.
Get-MsalToken -ClientId $ClientId -TenantId mytenant.onmicrosoft.com
First of all thank you for this wonderful wrapper around msal. It really helped to simplify our code. We use the following code to retrieve a valid access token:
This code is invoked multiple times by different PowerShell scripts. We assume it would retrieve a valid token from the cache and if there's no valid token it will try to acquire a new token silently. However, after multiple invocations the following error is thrown:
Looking further into this, this seems to be a reported issue at msal. A remark from @jasonnutter:
Is it possible that the CmdLet
Get-MsalToken
is not looking into the cache but requesting a token from Azure each time on invocation?To reproduce this issue: