Powershell API rest v1 to v2 with oauth


I recently received notice that v1.0 is going away by Nov 2018 and v2.0 should be used. I have some idea after researching this but need some help. Currently using below which I believe is going away.

 

$url = "https://outlook.office365.com/api/v1.0/me/messages"
$messageQuery = $url + "?`$select=Id,Subject&`$filter=HasAttachments eq true and DateTimeReceived ge " + $date

 

I understand I have to register my app. I did that under the account that receives the reports and gave permissions for mail.read. I'll probably end up changing the messagequery, so if anyone knows the best resource to try to mimic my query in the new version, it would be much appreciated.

 

I'm reading in other blogs saying that a user action must take place to receive token back.

All this is a PowerShell script that picks up attachments in emails and downloads them automatically on a daily scheduled run. Is there any resource or example PS scripts somewhere I can read about using simple PowerShell scripts with OAuth 2.0? The idea is that no user action is needed... any additional help would be much appreciated.

5 Replies

You didn't really ask a question here, but assuming you want to automate this scenario by leveraging an app you've already registered, all you need to do is generate a new key/secret then use the corresponding method to get a token via it. Detailed instructions for example here: https://developer.microsoft.com/en-us/graph/docs/concepts/auth_v2_service
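
The app-only flow this reply points to, as an added PowerShell example that is not from the thread or from the linked documentation. It assumes Microsoft Graph, an app registration with the Mail.Read application permission and admin consent, and the renamed Graph properties (`hasAttachments`, `receivedDateTime`); the tenant, app, mailbox and file paths are placeholders.

```powershell
# Added example. Tenant, app, mailbox and file paths are placeholders (assumptions).
$tenantId = '<tenant-id>'
$clientId = '<application-id>'
$mailbox  = '<mailbox-upn>'
$outDir   = 'C:\path\to\reports'            # hypothetical download folder
$credFile = 'C:\path\to\graph-secret.xml'   # hypothetical secret store, see below

# Older Windows servers may default to TLS 1.0; the endpoints require TLS 1.2.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

# The client secret is stored once with: Get-Credential | Export-Clixml $credFile
# (run as the scheduled task's account; the file is DPAPI-protected for that user).
$secret = (Import-Clixml -Path $credFile).GetNetworkCredential().Password

# Client credentials grant: no user interaction and no redirect URL involved.
$token = Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token" `
    -Body @{
        grant_type    = 'client_credentials'
        client_id     = $clientId
        client_secret = $secret
        scope         = 'https://graph.microsoft.com/.default'
    }
$headers = @{ Authorization = "Bearer $($token.access_token)" }

# App-only tokens have no "me"; address the mailbox explicitly.
$since = (Get-Date).ToUniversalTime().AddDays(-1).ToString('yyyy-MM-ddTHH:mm:ssZ')
$base  = "https://graph.microsoft.com/v1.0/users/$mailbox/messages"
$uri   = $base + "?`$select=id,subject&`$filter=hasAttachments eq true and receivedDateTime ge $since"

while ($uri) {
    $page = Invoke-RestMethod -Method Get -Uri $uri -Headers $headers
    foreach ($msg in $page.value) {
        $atts = Invoke-RestMethod -Method Get -Uri "$base/$($msg.id)/attachments" -Headers $headers
        foreach ($a in $atts.value) {
            # Only file attachments carry contentBytes (base64).
            if ($a.'@odata.type' -ne '#microsoft.graph.fileAttachment') { continue }
            # Attachment names are sender-controlled: drop any path component.
            $name = [IO.Path]::GetFileName($a.name)
            if (-not $name) { continue }
            [IO.File]::WriteAllBytes((Join-Path $outDir $name), [Convert]::FromBase64String($a.contentBytes))
        }
    }
    $uri = $page.'@odata.nextLink'   # follow paging until no more results
}
```

An app-only Mail.Read grant covers every mailbox in the tenant, so the secret file deserves the same protection as an admin credential. Exchange Online application access policies (`New-ApplicationAccessPolicy`) can restrict the app to the one mailbox it needs.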

Thanks for the quick response. I'm reading up on this OAuth 2.0 and when I'm registering my PowerShell script I'm confused because I keep seeing that it's more app related than just a simple script running. I registered the app under the account that receives the emails with reports so I'm not using a different account to access. The PS1 script I used for v1 uses those credentials securely. Also in the link you provided (much appreciated), it mentions to get administrator consent via Azure portal. Is this necessary if using same account credentials to basically download its own files from emails? There is no login URL for this script.

 

For platform, when I choose "Web" I have to provide a redirect URL, which I'm not sure what this means as it's just a PowerShell script running on Windows scheduler on a Server 08 we have on premise. When I choose "web API" I seem to get an app ID URI already generated. I'm not sure what the Pre-authorized applications part means, where it wants ID and scope. I gave permissions for delegated permissions to mail.read and user.read, and for app permissions I gave mail.read (admin only), user.read.all (admin only). Should I be choosing "web api" for my simple PowerShell scripts? Was hoping to see an example of someone else's PowerShell script with OAuth to compare how it was done.

The below API endpoint is my fear that it will stop working soon.  Am I interpreting this incorrectly?

$url = "https://outlook.office365.com/api/v1.0/me/messages"

Admin consent is needed when you want to be able to read messages across the company, and yes you need to be using the webapi type of application for this. Or do you want to simply run this in the context of the signed in user?

Not sure what you mean by your question but I'll try to clarify.  I have a mailbox joe.dirt@abc.com.  I'm using this same account with its password associated in the script to download its own attachments that are in emails.  The script itself runs on our server on a schedule just to execute it.  In other words I'm not using an account that has higher permissions such as tenant admin account to authenticate. 

If it's the context of the actual user, it doesn't need any admin consent, or using the webapi type of app/secret keys. You can simply get a token via the credentials of the user. The problem is that almost all of the methods currently exposed in the API force you to do this interactively, so it's not a good fit for automated scripts. If I remember correctly there is still one method we can use to get the cred via username/password directly, but since I'm not in front of my PC currently I cannot get you the right docs. In general, it boils down to what I'm using here: https://www.michev.info/Blog/Post/1771/hacking-your-way-around-modern-authentication-and-the-powersh...