Add -EnableATPoP option to Set-MgGraphOption
FehintolaObafemi committed May 21, 2024
1 parent 59d7e37 commit a81575b
Showing 9 changed files with 66 additions and 6 deletions.
18 changes: 18 additions & 0 deletions docs/authentication.md
Expand Up @@ -112,6 +112,24 @@ When using `-AccessToken`, we won't have access to the refresh token and the cli

Before using the provided `-AccessToken` to get Microsoft Graph resources, customers should ensure that the access token has the necessary scopes/ permissions needed to access/modify a resource.

### Access Token Proof of Possession (AT PoP)

AT PoP is a security mechanism that binds an access token to a cryptographic key that only the intended recipient has. This prevents unauthorized use of the token by malicious actors. AT PoP enhances data protection, reduces token replay attacks, and enables fine-grained authorization policies.

Microsoft Graph PowerShell module supports AT PoP in the following scenario:

- To enable AT PoP on supported devices

```PowerShell
Set-MgGraphOption -EnableATPoP $true
```

- To disable AT PoP on supported devices

```PowerShell
Set-MgGraphOption -EnableATPoP $false
```

## Web Account Manager (WAM)

WAM is a Windows 10+ component that acts as an authentication broker allowing the users of an app benefit from integration with accounts known to Windows, such as the account already signed into an active Windows session.
Expand Up @@ -11,5 +11,6 @@ namespace Microsoft.Graph.PowerShell.Authentication
public interface IGraphOption
{
bool EnableWAMForMSGraph { get; set; }
bool EnableATPoPForMSGraph { get; set; }
}
}
Expand Up @@ -12,8 +12,11 @@
</PropertyGroup>
<ItemGroup>
<PackageReference Include="Azure.Identity" Version="1.11.0" />
<PackageReference Include="Azure.Identity.Broker" Version="1.1.0" />
<PackageReference Include="Azure.Identity.Broker" Version="1.0.0-beta.5" />
<PackageReference Include="Azure.Identity.BrokeredAuthentication" Version="1.0.0-beta.3" />
<PackageReference Include="Microsoft.Graph.Core" Version="3.0.9" />
<PackageReference Include="Microsoft.Identity.Client" Version="4.56.0" />
<PackageReference Include="Microsoft.Identity.Client.Broker" Version="4.56.0" />
<PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
</ItemGroup>
<Target Name="CopyFiles" AfterTargets="Build">
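Review bot: The hunk lists Azure.Identity.Broker at two versions (1.1.0 on one line, 1.0.0-beta.5 on the next); only one can survive, and if this commit is the move to 1.0.0-beta.5 then an authentication module is being pinned to a pre-release package that receives no servicing, next to Azure.Identity.BrokeredAuthentication 1.0.0-beta.3, which is the earlier name of the same broker package and should not normally be referenced together with Azure.Identity.Broker. The explicit Microsoft.Identity.Client and Microsoft.Identity.Client.Broker 4.56.0 pins also sit beside Azure.Identity 1.11.0, which carries its own MSAL dependency, so version conflicts at restore or runtime are possible and worth checking. If a prerelease is genuinely required for the AT PoP path, record that on the reference, e.g. `<!-- prerelease pinned for AT PoP support; move to the GA release once available -->`, and drop whichever of the two broker packages is not consumed.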
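--- a/src/Authentication/Authentication/Cmdlets/SetMgGraphOption.cs
+++ b/src/Authentication/Authentication/Cmdlets/SetMgGraphOption.cs
@@ -13,6 +13,9 @@ public class SetMgGraphOption : PSCmdlet
 {
 [Parameter]
 public bool EnableLoginByWAM { get; set; }
+
+[Parameter]
+public bool EnableATPoP { get; set; }
 
 protected override void BeginProcessing()
 {
@@ -27,6 +30,11 @@ protected override void ProcessRecord()
 GraphSession.Instance.GraphOption.EnableWAMForMSGraph = EnableLoginByWAM;
 WriteDebug($"Signin by Web Account Manager (WAM) is {(EnableLoginByWAM ? "enabled" : "disabled")}.");
 }
+if (this.IsParameterBound(nameof(EnableATPoP)))
+{
+GraphSession.Instance.GraphOption.EnableATPoPForMSGraph = EnableATPoP;
+WriteDebug($"Access Token Proof of Posession (AT-PoP) is {(EnableATPoP ? "enabled" : "disabled")}.");
+}
 File.WriteAllText(Constants.GraphOptionsFilePath, JsonConvert.SerializeObject(GraphSession.Instance.GraphOption, Formatting.Indented));
 }
 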
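Review bot: The new `EnableATPoP` branch in ProcessRecord persists `EnableATPoPForMSGraph` to the options file, but none of the nine files in this commit read that flag, so as far as this change shows, enabling AT PoP produces a debug line and a JSON field while token acquisition is unchanged — for a security control that is worse than no switch, because it signals a binding that is not applied. Either land the consumer (the authentication provider honoring the option) in the same change, or emit a warning until it exists, e.g. `WriteWarning("AT PoP is recorded in options but is not yet applied during token acquisition.");`. The debug string also misspells the mechanism: `"Access Token Proof of Possession (AT-PoP) is ..."`. The rest of the SetMgGraphOption class lies outside the hunk.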
Expand Up @@ -3,7 +3,7 @@
#
# Generated by: Microsoft
#
# Generated on: 21/09/2023
# Generated on: 12/28/2023
#

@{
Expand All @@ -12,7 +12,7 @@
RootModule = './Microsoft.Graph.Authentication.psm1'

# Version number of this module.
ModuleVersion = '2.6.1'
ModuleVersion = '2.11.1'

# Supported PSEditions
CompatiblePSEditions = 'Core', 'Desktop'
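--- a/src/Authentication/Authentication/Models/GraphOption.cs
+++ b/src/Authentication/Authentication/Models/GraphOption.cs
@@ -9,6 +9,7 @@ namespace Microsoft.Graph.PowerShell.Authentication
 internal class GraphOption : IGraphOption
 {
 public bool EnableWAMForMSGraph { get; set; }
+public bool EnableATPoPForMSGraph { get; set; }
 }
 
 }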
14 changes: 12 additions & 2 deletions src/Authentication/Authentication/test/Set-MgGraphOption.Tests.ps1
Expand Up @@ -9,14 +9,14 @@ Describe "Set-MgGraphOption" {
Import-Module $ModulePath -Force -ErrorAction SilentlyContinue
}
Context "When executing the command" {
it 'Should have one ParameterSets' {
it 'Should have two ParameterSets' {
$SetMgGraphOptionCommand = Get-Command Set-MgGraphOption
$SetMgGraphOptionCommand | Should -Not -BeNullOrEmpty
$SetMgGraphOptionCommand.ParameterSets | Should -HaveCount 1
$SetMgGraphOptionCommand.ParameterSets.Parameters | Should -HaveCount 13 # PS common parameters.
}

It 'Executes successfully whren toggling WAM on' {
It 'Executes successfully when toggling WAM on' {
{ Set-MgGraphOption -EnableLoginByWAM $true -Debug | Out-Null } | Should -Not -Be $null
{ Set-MgGraphOption -EnableLoginByWAM $true -ErrorAction SilentlyContinue } | Should -Not -Throw
}
Expand All @@ -25,5 +25,15 @@ Describe "Set-MgGraphOption" {
{ Set-MgGraphOption -EnableLoginByWAM $false -Debug | Out-Null } | Should -Not -Be $null
{ Set-MgGraphOption -EnableLoginByWAM $false -ErrorAction SilentlyContinue } | Should -Not -Throw
}

It 'Executes successfully when toggling AT PoP on' {
{ Set-MgGraphOption -EnableATPoP $true -Debug | Out-Null } | Should -Not -Be $null
{ Set-MgGraphOption -EnableATPoP $true -ErrorAction SilentlyContinue } | Should -Not -Throw
}

It 'Executes successfully when toggling AT PoP off' {
{ Set-MgGraphOption -EnableATPoP $false -Debug | Out-Null } | Should -Not -Be $null
{ Set-MgGraphOption -EnableATPoP $false -ErrorAction SilentlyContinue } | Should -Not -Throw
}
}
}
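Review bot: The renamed test now claims 'Should have two ParameterSets' while the assertion beneath it still expects `$SetMgGraphOptionCommand.ParameterSets | Should -HaveCount 1`, and the cmdlet in this commit declares both switches with a bare `[Parameter]` attribute, which keeps them in the single (All) set — so the title is the wrong half; keep `it 'Should have one ParameterSets'` or, if separate sets are intended, add `ParameterSetName` to the attributes and change the count. The parameter count stays at 13 although a parameter was added; unless that number already excluded something, it should now be `Should -HaveCount 14`. The new AT PoP cases also inherit the vacuous `{ ... -Debug | Out-Null } | Should -Not -Be $null` form, where a script block literal is never null and is never invoked, so only the `Should -Not -Throw` lines actually exercise the cmdlet; a stronger check would invoke the command and assert on the value it persists.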
13 changes: 13 additions & 0 deletions src/Authentication/docs/Set-MgGraphOption.md
Expand Up @@ -15,6 +15,9 @@ Sets global configurations that apply to the SDK. For example, toggle Web Accoun
```
Set-MgGraphOption [-EnableLoginByWAM <Boolean>] [<CommonParameters>]
```
```
Set-MgGraphOption [-EnableATPoP <Boolean>] [<CommonParameters>]
```

## DESCRIPTION
Sets global configurations that apply to the SDK. For example, toggle Web Account Manager (WAM) support.
Expand All @@ -28,11 +31,21 @@ PS C:\> Set-MgGraphOption -EnableLoginByWAM $True

Sets web account manager support

### Example 2: Set access token proof of possession support
```powershell
PS C:\> Set-MgGraphOption -EnableATPoP $True
```

Sets access token proof of possession support

## PARAMETERS

### -EnableLoginByWAM
{{ Fill EnableLoginByWAM Description }}

### -EnableATPoP
{{ Fill EnableATPoP Description }}

```yaml
Type: Boolean
Parameter Sets: (All)
8 changes: 7 additions & 1 deletion src/Authentication/examples/Set-MgGraphOption.md
Expand Up @@ -2,4 +2,10 @@
```powershell
PS C:\> Set-MgGraphOption -EnableLoginByWAM $True
```
Sets web account manager support
Sets web account manager support

### Example 2: Set access token proof of possession support
```powershell
PS C:\> Set-MgGraphOption -EnableATPoP $True
```
Sets access token proof of possession support
