Forum Discussion

JosLieben's avatar
Iron Contributor
Mar 26, 2018

Unsupported but very useful way to use the hidden Azure API

Obviously not supported, but for those of us managing many tenants and/or setting up (test/training/pilot) tenants often, you may want to automate certain Azure AD or Intune settings that are not available through supported API's or PS modules, there is a 'hidden' API at, here's an example:


If you want to use this in a production environment, I recommend doing only READ operations.

  • Fantastic information!!! Thank you for sharing!!


    I have discovered COUNTLESS uses for this, from obtaining all of the 'Conditional Access' policies that are configured in AzureAD, to obtaining a list of Azure Gallery/Marketplace Apps that are available as 'Enterprise Apps'.


    Thanks again!


  • AndyBrunner's avatar
    Copper Contributor

    Hi everyone

    I do have something to add here.


    Until recently, I was retrieving new access tokens by providing the API uri as a resource ( ). For me, this does not work anymore. I get a Bearer token, but it's useless... Now I do have to provide the resource's GUID to get a valid Bearer token. 

    I do work with the Az.Accounts module, and I know two ways to get a token:




    $resource = '74658136-14ec-4630-ad9b-26e160ff0fc6';
    # v1
    $token1 = (Get-AzAccessToken -ResourceUrl $resource -TenantId (Get-AzContext).Tenant.Id.ToString()).token
    # v2
    $currentAzureContext = Get-AzContext
    $token2 = [Microsoft.Azure.Commands.Common.Authentication.AzureSession]::Instance.AuthenticationFactory.Authenticate($currentAzureContext.Account, $currentAzureContext.Environment, $currentAzureContext.Tenant.Id.ToString(), $null, [Microsoft.Azure.Commands.Common.Authentication.ShowDialog]::Never, $null, $resource).AccessToken





    • Evan Bachert's avatar
      Evan Bachert
      Copper Contributor

      Malathi Sekkappan 


      Here a few quick PowerShell samples that I've used previously:


      $adalversion = "2.28.4"
      $aadgraph = "1.61-internal"
      $adal = resolve-path "$pwd\.nuget\packages\Microsoft.IdentityModel.Clients.ActiveDirectory.$adalversion\lib\net45"


      And, once you have authenticated properly using the below method (NOTE the specific version of the ADAL client libraries being used!!!) and have your access token, you can create a PowerShell function to retrieve Conditional Access policies, Gallery Apps, Grant Admin Consent to apps programmatically, etc.


      Example functions to Get an access token to the 'hidden' API and an example function to retrieve Gallery apps:

      Function Get-PortalAPIAccessToken {
              [string]$clientId = "1950a258-227b-4e31-a9cf-717495945fc2",
              [string]$redirectUri = "urn:ietf:wg:oauth:2.0:oob"
          $audgid = "74658136-14ec-4630-ad9b-26e160ff0fc6"
          $authority = "<tenant>"
          $authContext = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext" -ArgumentList $authority, $false
          $authResult = $authContext.AcquireToken($audgid, $clientId, $redirectUri, 'Auto')
          $token = $authResult.AccessToken
          return $token;
      function Get-GalleryApps() {
          $global:apps = @()
          $header = @{
      	"Sec-Fetch-Dest"	 = "empty";
      	"Sec-Fetch-Mode"	 = "cors";
              "accept-encoding"        = "gzip, deflate, br";
              "accept-language"        = "en";
              "x-ms-effective-locale"  = "en.en-us"
              "Authorization"          = "Bearer $token";
              "Content-Type"           = "application/json";
              "x-ms-client-request-id" = (New-Guid).Guid;
              "x-ms-session-id"	 = "12345678910111213141516";
              "Accept"                 = "*/*";
              "x-requested-with"       = "XMLHttpRequest";
              "user-agent"             = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3829.0 Safari/537.36 Edg/";
              "method"                 = "GET"
          $url = "$nextLink"
          $global:res = Invoke-RestMethod -Uri $url -Headers $header -Method GET -ContentType "application/json"
          foreach ($global:app in $global:res.items) {
              $global:apps += ($global:app | ConvertTo-Json -Compress) -join ","
          if ($global:res.nextLink) {
              $global:apps += ((get-galleryapps -nextLink $global:res.nextLink) | ConvertTo-Json -Compress) -join ","
          $apps | ConvertTo-Json -Compress | Out-File ".\galleryapplist.json" -Force -Append
          return $global:apps


    • AndyBrunner's avatar
      Copper Contributor

      Malathi Sekkappan 


      Open a Browser like Firefox or Chrome, open the Developer Tools (F12), do the change you want to do by the API in the GUI on, and check what's going on on the Network-Tab of the Developer Tools, because the GUI is calling the same API.

      And there you'll see the call to the API with all the headers required

      Just lookout for the call to


      PS. Don't forget to provide the Bearer Token and the x-ms-client-request-id

  • Evan Bachert's avatar
    Evan Bachert
    Copper Contributor

    Fantastic information!!! Thank you for sharing!!


    I have discovered COUNTLESS uses for this, from obtaining all of the 'Conditional Access' policies that are configured in AzureAD, to obtaining a list of Azure Gallery/Marketplace Apps that are available as 'Enterprise Apps'.


    Thanks again!

