Get-MsalToken
NAME Get-MsalToken
SYNOPSIS
Acquire a token using MSAL.NET library.
SYNTAX
Get-MsalToken -ClientId <String> [-RedirectUri <Uri>] [-TenantId <String>] [-Authority <Uri>] [-Scopes <String[]>]
[-ExtraScopesToConsent <String[]>] [-LoginHint <String>] [-Prompt <Prompt>] [-CorrelationId <Guid>]
[-extraQueryParameters <String>] [-ForceRefresh] [<CommonParameters>]
Get-MsalToken -ClientId <String> -ClientCertificate <X509Certificate2> -UserAssertion <String> [-UserAssertionType
<String>] [-RedirectUri <Uri>] [-TenantId <String>] [-Authority <Uri>] [-Scopes <String[]>] [-CorrelationId
<Guid>] [-extraQueryParameters <String>] [<CommonParameters>]
Get-MsalToken -ClientId <String> -ClientCertificate <X509Certificate2> -AuthorizationCode <String> [-RedirectUri
<Uri>] [-TenantId <String>] [-Authority <Uri>] [-Scopes <String[]>] [-CorrelationId <Guid>] [-extraQueryParameters
<String>] [<CommonParameters>]
Get-MsalToken -ClientId <String> -ClientCertificate <X509Certificate2> [-RedirectUri <Uri>] [-TenantId <String>]
[-Authority <Uri>] [-Scopes <String[]>] [-CorrelationId <Guid>] [-extraQueryParameters <String>] [-ForceRefresh]
[<CommonParameters>]
Get-MsalToken -ClientId <String> -ClientSecret <SecureString> -UserAssertion <String> [-UserAssertionType
<String>] [-RedirectUri <Uri>] [-TenantId <String>] [-Authority <Uri>] [-Scopes <String[]>] [-CorrelationId
<Guid>] [-extraQueryParameters <String>] [<CommonParameters>]
Get-MsalToken -ClientId <String> -ClientSecret <SecureString> -AuthorizationCode <String> [-RedirectUri <Uri>]
[-TenantId <String>] [-Authority <Uri>] [-Scopes <String[]>] [-CorrelationId <Guid>] [-extraQueryParameters
<String>] [<CommonParameters>]
Get-MsalToken -ClientId <String> -ClientSecret <SecureString> [-RedirectUri <Uri>] [-TenantId <String>]
[-Authority <Uri>] [-Scopes <String[]>] [-CorrelationId <Guid>] [-extraQueryParameters <String>] [-ForceRefresh]
[<CommonParameters>]
Get-MsalToken -ClientId <String> [-RedirectUri <Uri>] [-TenantId <String>] [-Authority <Uri>] [-Scopes <String[]>]
[-CorrelationId <Guid>] [-extraQueryParameters <String>] [<CommonParameters>]
Get-MsalToken -ClientId <String> [-RedirectUri <Uri>] [-TenantId <String>] [-Authority <Uri>] [-Scopes <String[]>]
-UserCredential <PSCredential> [-CorrelationId <Guid>] [-extraQueryParameters <String>] [<CommonParameters>]
Get-MsalToken -ClientId <String> [-RedirectUri <Uri>] [-TenantId <String>] [-Authority <Uri>] -Silent [-Scopes
<String[]>] [-LoginHint <String>] [-CorrelationId <Guid>] [-extraQueryParameters <String>] [-ForceRefresh]
[<CommonParameters>]
Get-MsalToken -ClientId <String> [-RedirectUri <Uri>] [-TenantId <String>] [-Authority <Uri>]
-IntegratedWindowsAuth [-Scopes <String[]>] [-LoginHint <String>] [-CorrelationId <Guid>] [-extraQueryParameters
<String>] [<CommonParameters>]
Get-MsalToken -ClientId <String> [-RedirectUri <Uri>] [-TenantId <String>] [-Authority <Uri>] -Interactive
[-Scopes <String[]>] [-ExtraScopesToConsent <String[]>] [-LoginHint <String>] [-Prompt <Prompt>] [-CorrelationId
<Guid>] [-extraQueryParameters <String>] [<CommonParameters>]
Get-MsalToken [-AuthorizationCode <String>] [-UserAssertion <String>] [-UserAssertionType <String>] [-Authority
<Uri>] [-ConfidentialClientApplication] <ConfidentialClientApplication> [-Scopes <String[]>] [-CorrelationId
<Guid>] [-extraQueryParameters <String>] [-ForceRefresh] [<CommonParameters>]
Get-MsalToken [-Authority <Uri>] [-PublicClientApplication] <PublicClientApplication> [-Interactive]
[-IntegratedWindowsAuth] [-Silent] [-Scopes <String[]>] [-ExtraScopesToConsent <String[]>] [-LoginHint <String>]
[-Prompt <Prompt>] [-UserCredential <PSCredential>] [-CorrelationId <Guid>] [-extraQueryParameters <String>]
[-ForceRefresh] [<CommonParameters>]
DESCRIPTION
This command will acquire OAuth tokens for both public and confidential clients. Public client authentication can
be interactive, integrated Windows auth, or silent (aka refresh token authentication).
PARAMETERS
-ClientId <String>
Identifier of the client requesting the token.
Required? true
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false
-ClientSecret <SecureString>
Secure secret of the client requesting the token.
Required? true
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false
-ClientCertificate <X509Certificate2>
Client assertion certificate of the client requesting the token.
Required? true
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false
-AuthorizationCode <String>
The authorization code received from service authorization endpoint.
Required? true
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false
-UserAssertion <String>
Assertion representing the user.
Required? true
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false
-UserAssertionType <String>
Type of the assertion representing the user.
Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false
-RedirectUri <Uri>
Address to return to upon receiving a response from the authority.
Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false
-TenantId <String>
Tenant identifier of the authority to issue token. It can also contain the value "consumers" or
"organizations".
Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false
-Authority <Uri>
Address of the authority to issue token.
Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false
-PublicClientApplication <PublicClientApplication>
Public client application
Required? true
Position? 1
Default value
Accept pipeline input? true (ByValue)
Accept wildcard characters? false
-ConfidentialClientApplication <ConfidentialClientApplication>
Confidential client application
Required? true
Position? 2
Default value
Accept pipeline input? true (ByValue)
Accept wildcard characters? false
-Interactive [<SwitchParameter>]
Interactive request to acquire a token for the specified scopes.
Required? true
Position? named
Default value False
Accept pipeline input? false
Accept wildcard characters? false
-IntegratedWindowsAuth [<SwitchParameter>]
Non-interactive request to acquire a security token for the signed-in user in Windows, via Integrated Windows
Authentication.
Required? true
Position? named
Default value False
Accept pipeline input? false
Accept wildcard characters? false
-Silent [<SwitchParameter>]
Attempts to acquire an access token from the user token cache.
Required? true
Position? named
Default value False
Accept pipeline input? false
Accept wildcard characters? false
-Scopes <String[]>
Array of scopes requested for resource
Required? false
Position? named
Default value https://graph.microsoft.com/.default
Accept pipeline input? false
Accept wildcard characters? false
-ExtraScopesToConsent <String[]>
Array of scopes for which a developer can request consent upfront.
Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false
-LoginHint <String>
Identifier of the user. Generally a UPN.
Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false
-Prompt <Prompt>
Specifies what the interactive experience is for the user.
Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false
-UserCredential <PSCredential>
Identifier of the user with associated password.
Required? true
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false
-CorrelationId <Guid>
Correlation id to be used in the authentication request.
Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false
-extraQueryParameters <String>
This parameter will be appended as is to the query string in the HTTP authentication request to the authority.
Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false
-ForceRefresh [<SwitchParameter>]
Ignore any access token in the user token cache and attempt to acquire new access token using the refresh
token for the account if one is available.
Required? false
Position? named
Default value False
Accept pipeline input? false
Accept wildcard characters? false
<CommonParameters>
This cmdlet supports the common parameters: Verbose, Debug,
ErrorAction, ErrorVariable, WarningAction, WarningVariable,
OutBuffer, PipelineVariable, and OutVariable. For more information, see
about_CommonParameters (https://go.microsoft.com/fwlink/?LinkID=113216).
INPUTS
OUTPUTS
Microsoft.Identity.Client.AuthenticationResult
-------------------------- EXAMPLE 1 --------------------------
PS C:\>Get-MsalToken -ClientId '00000000-0000-0000-0000-000000000000' -Scope
'https://graph.microsoft.com/User.Read', ... .ReadWrite'
Get AccessToken (with MS Graph permissions User.Read and Files.ReadWrite) and IdToken using client id from
application registration (public client).
-------------------------- EXAMPLE 2 --------------------------
PS C:\>Get-MsalToken -ClientId '00000000-0000-0000-0000-000000000000' -TenantId
'00000000-0000-0000-0000-000000000000' -Interactive -Scope 'https://graph.microsoft.com/User.Read' -LoginHint
user@domain.com
Force interactive authentication to get AccessToken (with MS Graph permissions User.Read) and IdToken for specific
Azure AD tenant and UPN using client id from application registration (public client).
-------------------------- EXAMPLE 3 --------------------------
PS C:\>Get-MsalToken -ClientId '00000000-0000-0000-0000-000000000000' -ClientSecret (ConvertTo-SecureString
'SuperSecretString' -AsPlainText -Force) -TenantId '00000000-0000-0000-0000-000000000000' -Scope
'https://graph.microsoft.com/.default'
Get AccessToken (with MS Graph permissions .Default) and IdToken for specific Azure AD tenant using client id and
secret from application registration (confidential client).
-------------------------- EXAMPLE 4 --------------------------
PS C:\>$ClientCertificate = Get-Item Cert:\CurrentUser\My\0000000000000000000000000000000000000000
PS C:\>$MsalClientApplication = Get-MsalClientApplication -ClientId '00000000-0000-0000-0000-000000000000'
-ClientCertificate $ClientCertificate -TenantId '00000000-0000-0000-0000-000000000000'
PS C:\>$MsalClientApplication | Get-MsalToken -Scope 'https://graph.microsoft.com/.default'
Pipe in confidential client options object to get a confidential client application using a client certificate and
target a specific tenant.
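The confidential-client call from EXAMPLE 3, reworked as an added example (not part of the cmdlet's own help) so that the secret is never a literal in the script and the result is summarized without exposing the access token. The helper name Get-TokenSummary and the five-minute threshold are assumptions made for this sketch; the IDs are the same placeholders used above.

```powershell
# Placeholder identifiers, as in the help examples.
$ClientId = '00000000-0000-0000-0000-000000000000'
$TenantId = '00000000-0000-0000-0000-000000000000'

# Hypothetical helper: returns only fields that are safe to write to a log.
# It reads AuthenticationResult properties and never touches AccessToken.
function Get-TokenSummary {
    param(
        [Parameter(Mandatory)] $AuthenticationResult,
        [int] $MinimumMinutes = 5          # assumed threshold for "still usable"
    )
    $remaining = $AuthenticationResult.ExpiresOn - [DateTimeOffset]::UtcNow
    [pscustomobject]@{
        CorrelationId = $AuthenticationResult.CorrelationId
        Scopes        = @($AuthenticationResult.Scopes) -join ' '
        ExpiresOnUtc  = $AuthenticationResult.ExpiresOn.UtcDateTime
        MinutesLeft   = [math]::Floor($remaining.TotalMinutes)
        Usable        = $remaining.TotalMinutes -ge $MinimumMinutes
    }
}

# Prompt for the secret instead of embedding it with ConvertTo-SecureString -AsPlainText,
# so it does not end up in the script file or in command history.
$ClientSecret = Read-Host -Prompt 'Client secret' -AsSecureString

# A caller-chosen correlation id lets this request be matched against sign-in logs later.
$Request = @{
    ClientId      = $ClientId
    TenantId      = $TenantId
    ClientSecret  = $ClientSecret
    Scopes        = 'https://graph.microsoft.com/.default'
    CorrelationId = [guid]::NewGuid()
    ErrorAction   = 'Stop'
}

$Token   = Get-MsalToken @Request
$Summary = Get-TokenSummary -AuthenticationResult $Token

if (-not $Summary.Usable) {
    # The cached token is about to expire: ask for a new one, ignoring the cache.
    $Token   = Get-MsalToken @Request -ForceRefresh
    $Summary = Get-TokenSummary -AuthenticationResult $Token
}

# Log the summary, not $Token: the AccessToken property is a bearer credential.
$Summary | Format-List
```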
RELATED LINKS