/// <summary> /// Tries to get a token for the provided audience /// </summary> /// <param name="tokenAudience">Audience to try to get a token for</param> /// <param name="orRoles">The specific roles to request access to (i.e. Group.ReadWrite.All). Optional, will use default groups assigned to clientId if not specified.</param> /// <returns><see cref="GenericToken"/> for the audience or NULL if unable to retrieve a token for the audience on the current connection</returns> internal GenericToken TryGetToken(TokenAudience tokenAudience, AzureEnvironment azureEnvironment, string[] orRoles = null, string[] andRoles = null, TokenType tokenType = TokenType.All) { GenericToken token = null; switch (tokenAudience) { case TokenAudience.MicrosoftGraph: if (ConnectionMethod == ConnectionMethod.DeviceLogin || ConnectionMethod == ConnectionMethod.GraphDeviceLogin) { var officeManagementApiScopes = Enum.GetNames(typeof(OfficeManagementApiPermission)).Select(s => s.Replace("_", ".")).Intersect(Scopes).ToArray(); // Take the remaining scopes and try requesting them from the Microsoft Graph API var scopes = Scopes.Except(officeManagementApiScopes).ToArray(); token = GraphToken.AcquireApplicationTokenDeviceLogin(PnPConnection.PnPManagementShellClientId, scopes, DeviceLoginCallback(null, false), AzureEnvironment); } else { if (!string.IsNullOrEmpty(Tenant)) { if (Certificate != null) { token = GraphToken.AcquireApplicationToken(Tenant, ClientId, Certificate, AzureEnvironment); } else if (ClientSecret != null) { token = GraphToken.AcquireApplicationToken(Tenant, ClientId, ClientSecret, AzureEnvironment); } else if (Scopes != null) { var officeManagementApiScopes = Enum.GetNames(typeof(OfficeManagementApiPermission)).Select(s => s.Replace("_", ".")).Intersect(Scopes).ToArray(); // Take the remaining scopes and try requesting them from the Microsoft Graph API var scopes = Scopes.Except(officeManagementApiScopes).ToArray(); if (scopes.Length > 0) { token = PSCredential == null?GraphToken.AcquireApplicationTokenInteractive(PnPManagementShellClientId, scopes, azureEnvironment) : GraphToken.AcquireDelegatedTokenWithCredentials(PnPManagementShellClientId, scopes, PSCredential.UserName, PSCredential.Password, azureEnvironment); } else { throw new PSSecurityException($"Access to {tokenAudience} failed because you did not connect with any permission scopes related to this service (for instance 'Group.Read.All')."); } } } } break; case TokenAudience.OfficeManagementApi: if (!string.IsNullOrEmpty(Tenant)) { if (Certificate != null) { token = OfficeManagementApiToken.AcquireApplicationToken(Tenant, ClientId, Certificate, AzureEnvironment); } else if (ClientSecret != null) { token = OfficeManagementApiToken.AcquireApplicationToken(Tenant, ClientId, ClientSecret, AzureEnvironment); } else if (Scopes != null) { var scopes = Enum.GetNames(typeof(OfficeManagementApiPermission)).Select(s => s.Replace("_", ".")).Intersect(Scopes).ToArray(); // Take the remaining scopes and try requesting them from the Microsoft Graph API if (scopes.Length > 0) { token = PSCredential == null?OfficeManagementApiToken.AcquireApplicationTokenInteractive(PnPManagementShellClientId, scopes, azureEnvironment) : OfficeManagementApiToken.AcquireDelegatedTokenWithCredentials(PnPManagementShellClientId, scopes, PSCredential.UserName, PSCredential.Password, azureEnvironment); } else { throw new PSSecurityException($"Access to {tokenAudience} failed because you did not connect with any permission scopes related to this service (for instance 'ServiceHealth.Read')."); } } } break; case TokenAudience.SharePointOnline: // This is not a token type we can request on demand return(null); } if (token != null) { var validationResults = ValidateTokenForPermissions(token, tokenAudience, orRoles, andRoles, tokenType); if (!validationResults.valid) { throw new PSSecurityException($"Access to {tokenAudience} failed because the app registration {ClientId} in tenant {Tenant} is not granted {validationResults.message}"); } return(token); } // Didn't have a token yet and unable to retrieve one return(null); }