|
| 1 | +# Microsoft Graph PowerShell SDK: Access Token Proof of Possession (AT PoP) Capability |
| 2 | + |
| 3 | +## Overview |
| 4 | + |
| 5 | +This README provides comprehensive details on the Access Token Proof of Possession (AT PoP) functionality introduced in the Microsoft Graph PowerShell SDK. This feature enhances security by binding tokens to specific HTTP methods and URIs, ensuring they are used only for their intended purposes. |
| 6 | + |
| 7 | +## Table of Contents |
| 8 | + |
| 9 | +- [Key Features](#key-features) |
| 10 | +- [Installation](#installation) |
| 11 | +- [Configuration](#configuration) |
| 12 | +- [Usage Examples](#usage-examples) |
| 13 | +- [Contributors](#contributors) |
| 14 | +- [References](#references) |
| 15 | + |
| 16 | +## Key Features |
| 17 | + |
| 18 | +- **Access Token Proof of Possession (AT PoP)**: This feature binds tokens to specific HTTP methods and URIs, preventing misuse of tokens by ensuring they are used only for the intended HTTP requests. |
| 19 | +- **Updated Dependencies**: Compatibility improvements with recent library changes. |
| 20 | +- **Enhanced Token Acquisition Options**: Users can now specify the HTTP method and URI during token acquisition to further secure token usage. |
| 21 | + |
| 22 | +### Token acquisition behaviors |
| 23 | + |
| 24 | +| Condition | Unbound (default) | Bound (PoP) | |
| 25 | +|-----------|-----------|-----------| |
| 26 | +| First sign-in | New token, interactive| New token, interactive | |
| 27 | +| Existing token, same URI | No new token, silent | No new token, silent | |
| 28 | +| Existing token, different URI | No new token, silent | New token, silent | |
| 29 | +| Existing expired token, below max token refreshes | New token, silent | New token, silent | |
| 30 | +| Existing expired token, exceeded max refreshes | New token, interactive | New token, interactive | |
| 31 | + |
| 32 | +## Installation |
| 33 | + |
| 34 | +To install the Microsoft Graph PowerShell SDK with the latest updates, use the following command: |
| 35 | + |
| 36 | +```powershell |
| 37 | +Install-Module -Name Microsoft.Graph -AllowClobber -Force |
| 38 | +``` |
| 39 | + |
| 40 | +Ensure you are using the latest version to access the AT PoP functionality. |
| 41 | + |
| 42 | +## Configuration |
| 43 | + |
| 44 | +### Enabling Access Token Proof of Possession |
| 45 | + |
| 46 | +To enable AT PoP, configure the Microsoft Graph SDK options as follows: |
| 47 | + |
| 48 | +```powershell |
| 49 | +Set-MgGraphOption -EnableATPoP $true |
| 50 | +``` |
| 51 | + |
| 52 | +### Specifying HTTP Method and URI |
| 53 | + |
| 54 | +When acquiring a token, you can specify the HTTP method and URI to which the token should be bound: |
| 55 | +```powershell |
| 56 | +Connect-MgGraph |
| 57 | +``` |
| 58 | + |
| 59 | +This configuration ensures that the acquired token is only valid for the specified HTTP method and URI. |
| 60 | + |
| 61 | +## Usage Examples |
| 62 | + |
| 63 | +### Example 1: Enabling AT PoP for a Specific Command |
| 64 | + |
| 65 | +```powershell |
| 66 | +Set-MgGraphOption -EnableATPoP $true |
| 67 | +
|
| 68 | +Connect-MgGraph |
| 69 | +
|
| 70 | +Invoke-MgGraphRequest -Method GET https://graph.microsoft.com/v1.0/me -Debug |
| 71 | +``` |
| 72 | + |
| 73 | +### Example 2: Binding Token to a Different HTTP Method |
| 74 | + |
| 75 | +```powershell |
| 76 | +Set-MgGraphOption -EnableATPoP $true |
| 77 | +
|
| 78 | +Connect-MgGraph |
| 79 | +
|
| 80 | +Invoke-MgGraphRequest -Uri "https://graph.microsoft.com/v1.0/me/sendMail" -Method POST -Debug |
| 81 | +``` |
| 82 | + |
| 83 | +## References |
| 84 | + |
| 85 | +This README provides a detailed guide on the new AT PoP functionality, offering users the ability to secure their token usage effectively. If you have any questions or need further assistance, please refer to the official [Microsoft Graph PowerShell SDK documentation](https://docs.microsoft.com/en-us/powershell/microsoftgraph/). |
0 commit comments