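# LINKS
<#
https://blog.simonw.se/getting-an-access-token-for-azuread-using-powershell-and-device-login-flow/
#>

# VARIABLES

# Tenant to sign in to. The XXXX segments are a placeholder and must be replaced
# with the real tenant ID before the script is run (checked in MAIN below).
$TenantID = "19e2d3e4-XXXX-XXXX-XXXX-94bff5fc46a2"

# HELPERS

<#
.SYNOPSIS
Sends a JSON POST to Microsoft Graph with a bearer token and returns the
deserialized response. Any HTTP error terminates the script (ErrorAction Stop),
so a failed call never silently falls through to the next step.
.PARAMETER Uri
Full Graph URL to POST to.
.PARAMETER AccessToken
Bearer token from the token endpoint. It is only placed in the Authorization
header; it is never written to output or logs.
.PARAMETER Body
JSON request body (already serialized).
#>
function Invoke-GraphPost {
    param(
        [Parameter(Mandatory)] [string] $Uri,
        [Parameter(Mandatory)] [string] $AccessToken,
        [Parameter(Mandatory)] [string] $Body
    )
    $Params = @{
        Method      = 'POST'
        Uri         = $Uri
        Headers     = @{ Authorization = "Bearer $AccessToken" }
        Body        = $Body
        ContentType = 'application/json'
        ErrorAction = 'Stop'
    }
    Invoke-RestMethod @Params
}

# MAIN

if (-not $TenantID -or $TenantID -like '*XXXX*') {
    throw 'Set $TenantID to the real tenant ID before running this script.'
}

# Client ID used by the linked article. No client secret is sent anywhere in this
# script, so the application must be a public client that permits the device code flow.
$ClientID = '1950a258-227b-4e31-a9cf-717495945fc2'
$Resource = "https://graph.microsoft.com/"

# Step 1: ask the v1 device code endpoint for a user code.
$DeviceCodeRequestParams = @{
    Method      = 'POST'
    Uri         = "https://login.microsoftonline.com/$TenantID/oauth2/devicecode"
    Body        = @{
        client_id = $ClientID
        resource  = $Resource
    }
    ErrorAction = 'Stop'
}
$DeviceCodeRequest = Invoke-RestMethod @DeviceCodeRequestParams

# The message contains the verification page and the one-time user code, e.g.
# "To sign in, use a web browser to open the page https://microsoft.com/devicelogin
#  and enter the code DP3XEJSAW to authenticate." The code is different on every run.
Write-Host $DeviceCodeRequest.message -ForegroundColor Yellow

# Step 2: get auth token.
#
# The token endpoint keeps answering with an authorization_pending error until the
# user has finished signing in, so a single request made right after printing the
# message would fail. Poll at the interval the device code response asks for, and
# give up once the code has expired (expires_in is in seconds).
$TokenRequestParams = @{
    Method      = 'POST'
    Uri         = "https://login.microsoftonline.com/$TenantID/oauth2/token"
    Body        = @{
        grant_type = "urn:ietf:params:oauth:grant-type:device_code"
        code       = $DeviceCodeRequest.device_code
        client_id  = $ClientID
    }
    ErrorAction = 'Stop'
}

$PollInterval = [int]$DeviceCodeRequest.interval
if ($PollInterval -lt 1) { $PollInterval = 5 }       # fallback if the response omits it
$ExpiresIn = [int]$DeviceCodeRequest.expires_in
if ($ExpiresIn -lt 1) { $ExpiresIn = 900 }           # fallback if the response omits it
$Deadline = (Get-Date).AddSeconds($ExpiresIn)
$TokenRequest = $null

while (-not $TokenRequest) {
    if ((Get-Date) -gt $Deadline) {
        throw 'The device code expired before the sign-in completed; run the script again.'
    }
    Start-Sleep -Seconds $PollInterval
    try {
        $TokenRequest = Invoke-RestMethod @TokenRequestParams
    }
    catch {
        # Invoke-RestMethod throws on a 4xx response; the OAuth error JSON is
        # normally exposed through ErrorDetails.Message — verify on the PowerShell
        # version in use if polling never completes.
        $OAuthError = $null
        if ($_.ErrorDetails -and $_.ErrorDetails.Message) {
            try { $OAuthError = ($_.ErrorDetails.Message | ConvertFrom-Json).error } catch { }
        }
        # if/elseif rather than switch: switch over $null runs no branch, not even default.
        if ($OAuthError -eq 'authorization_pending') {
            # user has not finished signing in yet — keep waiting
        }
        elseif ($OAuthError -eq 'slow_down') {
            $PollInterval += 5   # server asked for a longer polling interval
        }
        else {
            throw                # real failure (expired, declined, wrong tenant, ...)
        }
    }
}

# $Token is a bearer credential for the signed-in user: keep it in memory only and
# never write it to output, a transcript or a file.
$Token = $TokenRequest.access_token

<# Get groups test
   (kept commented out; note the single quotes so PowerShell does not expand $top)

$AadGroupRequestParams = @{
  Method = 'GET'
  Uri = 'https://graph.microsoft.com/v1.0/groups?$top=1'
  Headers = @{
  'Authorization' = "Bearer $Token"
  }
}
$AadGroupRequest = Invoke-RestMethod @AadGroupRequestParams
$AadGroupRequest.value

#>

# Group creation
# https://docs.microsoft.com/en-us/graph/api/resources/groups-overview?view=graph-rest-1.0#dynamic-membership
#
# Creating a group requires a group-write Graph permission on the token (for example
# Group.ReadWrite.All); check the linked Graph documentation for the exact set.

# Built with ConvertTo-Json instead of a hand-written string so the body is always
# valid JSON — the literal version carried a trailing comma after securityEnabled,
# which is not valid JSON.
$GroupBody = @{
    description     = 'License Group E3'
    displayName     = 'LicenseGroupE3'
    groupTypes      = @()
    mailEnabled     = $false
    mailNickname    = 'LicenseGroupE3'
    securityEnabled = $true
} | ConvertTo-Json

$NewGroup = Invoke-GraphPost -Uri 'https://graph.microsoft.com/v1.0/groups' -AccessToken $Token -Body $GroupBody
$NewGroup

# License assignment
# Get-AzureADSubscribedSku lists the tenant's SkuIds and their service plans.
# https://docs.microsoft.com/en-us/azure/devops/integrate/get-started/authentication/oauth?view=azure-devops&viewFallbackFrom=vsts

# Assign to the group created above (the previous version used a hard-coded
# placeholder id that had to be edited by hand).
$GroupId = $NewGroup.id

# -Depth 5: the default depth (2) would flatten the nested disabledPlans list.
$LicenseBody = @{
    addLicenses = @(
        @{
            disabledPlans = @('b737dad2-2f6c-4c65-90e3-ca563267e8b9', '76846ad7-7776-4c40-a281-a386362dd1b9')
            skuId         = '6fd2c87f-b296-42f0-b197-1e91e994b900'
        }
    )
    removeLicenses = @()
} | ConvertTo-Json -Depth 5

$Data = Invoke-GraphPost -Uri "https://graph.microsoft.com/v1.0/groups/$GroupId/assignLicense" -AccessToken $Token -Body $LicenseBody
$Data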