Maintenance Scripts
Get-AccessToken.ps1
19 Sep 2025Description
Purpose
Retrieves an access token for a specified resource using Azure Active Directory App-Only authentication.
Detailed Description
The Get-AccessToken function retrieves an access token for a specified resource using Azure Active Directory App-Only authentication. It requires the TenantId, ClientId, CertificatePath, CertificatePassword, and ResourceUri parameters to be provided.
Usage
Example 1
Get-AccessToken -TenantId "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" -ClientId "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" -CertificatePath "C:\Certificates\MyCertificate.pfx" -CertificatePassword "MyPassword" -ResourceUri "https://api.example.com"
Notes
This function requires the Microsoft.IdentityModel.Clients.ActiveDirectory assembly to be loaded. The certificate used for authentication must be stored in the LocalMachine certificate store.
Script
<#
.DESCRIPTION
.PARAMETER
.EXAMPLE
#>
function Get-AccessToken() {
Param(
[Parameter(Mandatory = $true, ParameterSetName = "UseLocal")]
[Parameter(Mandatory = $false, ParameterSetName = "UseGlobal")]
[ValidateNotNullOrEmpty()]
[String]
$TenantId = $global:AzureADApplicationTenantId,
[Parameter(Mandatory = $true, ParameterSetName = "UseLocal")]
[Parameter(Mandatory = $false, ParameterSetName = "UseGlobal")]
[ValidateNotNullOrEmpty()]
[String]
$ClientId = $global:AzureADApplicationClientId,
[Parameter(Mandatory = $true, ParameterSetName = "UseLocal")]
[Parameter(Mandatory = $false, ParameterSetName = "UseGlobal")]
[ValidateNotNullOrEmpty()]
[String]
$CertificatePath = $global:AzureADApplicationCertificatePath,
[Parameter(Mandatory = $true, ParameterSetName = "UseLocal")]
[Parameter(Mandatory = $false, ParameterSetName = "UseGlobal")]
[ValidateNotNullOrEmpty()]
[String]
$CertificatePassword = $global:AzureADApplicationCertificatePassword,
[Parameter(Mandatory = $true)]
[ValidateNotNullOrEmpty()]
[String]
$ResourceUri
)
#region Validations
#-----------------------------------------------------------------------
# Validating the TenantId
#-----------------------------------------------------------------------
if (!(Is-Guid -Value $TenantId)) {
throw [Exception] "TenantId '$TenantId' is not a valid Guid"
}
#-----------------------------------------------------------------------
# Validating the ClientId
#-----------------------------------------------------------------------
if (!(Is-Guid -Value $ClientId)) {
throw [Exception] "ClientId '$ClientId' is not a valid Guid"
}
#-----------------------------------------------------------------------
# Validating the Certificate Path
#-----------------------------------------------------------------------
if (!(Test-Path -Path $CertificatePath)) {
throw [Exception] "CertificatePath '$CertificatePath' does not exist"
}
#endregion
#region Initialization
#-----------------------------------------------------------------------
# Loads the Azure Active Directory Assemblies
#-----------------------------------------------------------------------
Add-Type -Path "${env:ProgramFiles(x86)}\Microsoft SDKs\Azure\PowerShell\ServiceManagement\Azure\Services\Microsoft.IdentityModel.Clients.ActiveDirectory.dll" | Out-Null
#-----------------------------------------------------------------------
# Constants
#-----------------------------------------------------------------------
$keyStorageFlags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::MachineKeySet
#-----------------------------------------------------------------------
# Building required values
#-----------------------------------------------------------------------
$authorizationUriFormat = "https://login.windows.net/{0}/oauth2/authorize"
$authorizationUri = [String]::Format($authorizationUriFormat, $TenantId)
#endregion
#region Process
#-----------------------------------------------------------------------
# Building the necessary context to acquire the Access Token
#-----------------------------------------------------------------------
$authenticationContext = New-Object -TypeName "Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext" -ArgumentList $authorizationUri, $false
$certificate = New-Object -TypeName "System.Security.Cryptography.X509Certificates.X509Certificate2" -ArgumentList $CertificatePath, $CertificatePassword, $keyStorageFlags
$assertionCertificate = New-Object -TypeName "Microsoft.IdentityModel.Clients.ActiveDirectory.ClientAssertionCertificate" -ArgumentList $ClientId, $certificate
#-----------------------------------------------------------------------
# Ask for the AccessToken based on the App-Only configuration
#-----------------------------------------------------------------------
$authenticationResult = $authenticationContext.AcquireToken($ResourceUri, $assertionCertificate)
#-----------------------------------------------------------------------
# Returns the an AccessToken valid for an hour
#-----------------------------------------------------------------------
return $authenticationResult.AccessToken
#endregion
}
Download
Please feel free to copy parts of the script or if you would like to download the entire script, simply click the download button. You can download the complete repository in a zip file by clicking the Download link in the menu bar on the left hand side of the page.
Report Issues
You can report an issue or contribute to this site on GitHub. Simply click the button below and add any relevant notes. I will attempt to respond to all issues as soon as possible.