# Utility functions for SharePoint Online
# Gets the authentication cookie for SPO web interface
# Supports MFA, federation, etc.
# Jul 17th 2019
function Get-SPOAuthenticationHeader
{
<#
.SYNOPSIS
Gets authentication header for SharePoint Online
.DESCRIPTION
Gets authentication header for SharePoint Online, which is used for example to retrieve site users.
.Parameter Site
Url for the SharePoint Online
.Example
Get-AADIntSPOAuthenticationHeader
#>
[cmdletbinding()]
Param(
[Parameter(Mandatory=$True)]
[String]$Site
)
Process
{
# Check the site url
$Site = $Site.Trim("/")
$siteDomain=$Site.Split("/")[2]
$headers=@{
"User-Agent"="Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
"Upgrade-Insecure-Requests" = "1"
"Accept-Encoding" = "gzip, deflate, br"
"Accept-Language" = "en-US,en;q=0.9"
"Accept" = "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3"
}
# Step 1: Go to the requested site
$response = Invoke-WebRequest2 -uri $Site -MaximumRedirection 0 -ErrorAction SilentlyContinue
# Step 2: Go to "/_layouts/15/Authenticate.aspx?Source=%2F"
$url = $response.Headers.'Location'
$response = Invoke-WebRequest2 -uri $url -MaximumRedirection 0 -ErrorAction SilentlyContinue
$siteWebSession = Create-WebSession -SetCookieHeader $response.Headers.'Set-Cookie' -Domain $siteDomain
# Step 3: Go to "/_forms/default.aspx?ReturnUrl=%2f_layouts%2f15%2fAuthenticate.aspx%3fSource%3d%252F&Source=cookie"
$html=$response.Content
$s=$html.IndexOf('href="')+6
$e=$html.IndexOf('"',$s)
$url=$html.Substring($s,$e-$s)
$url="https://$siteDomain$url"
$response = Invoke-WebRequest2 -uri $url -MaximumRedirection 0 -WebSession $siteWebSession -ErrorAction SilentlyContinue
# Create the cookie header for the login form
$cookieHeaderValue=""
$cookies = $response.Headers.'Set-Cookie'.Split(";,")
foreach($cookie in $cookies)
{
$name = $cookie.Split("=")[0].trim()
$value = $cookie.Substring($name.Length+1)
if($name.StartsWith("nSGt") -or $name -eq "RpsContextCookie")
{
# If not empty, append the separator
if(![String]::IsNullOrEmpty($cookieHeaderValue))
{
$cookieHeaderValue+="; "
}
$cookieHeaderValue+="$name=$value"
}
}
# Set variables
$auth_redirect="foobar"#"https://login.microsoftonline.com/common/federation/oauth2"#"https://login.microsoftonline.com/kmsi"
$url=$response.Headers.Location
# Create the form
$form = Create-LoginForm -Url $url -auth_redirect $auth_redirect -Headers "Cookie: $cookieHeaderValue"
# Show the form and wait for the return value
if($form.ShowDialog() -ne "OK") {
# Dispose the control
$form.Controls[0].Dispose()
Write-Verbose "Login cancelled"
return $null
}
# Extract the needed parameters
$forminputs=$form.Controls[0].Document.getElementsByTagName("input")
$code = $forminputs.GetElementsByName("code")[0].GetAttribute("value")
$session_state = $forminputs.GetElementsByName("session_state")[0].GetAttribute("value")
$id_token = $forminputs.GetElementsByName("id_token")[0].GetAttribute("value")
$correlation_id = $forminputs.GetElementsByName("correlation_id")[0].GetAttribute("value")
$url=$form.Controls[0].Document.Forms[0].DomElement.action
# Dispose the control
$form.Controls[0].Dispose()
# Create the body and get the cookie
$body=@{
"code" = $code
"session_state" = $session_state
"id_token" = $id_token
"correlation_id" = $correlation_id
}
$response = Invoke-WebRequest2 -Uri $url -Method Post -Body $body -MaximumRedirection 0 -WebSession $siteWebSession
# Extract the cookies
$cookieHeader = $response.Headers.'Set-Cookie'
$cookieHeaderValue=""
# Clean up the Set-Cookie header
$cookies = $cookieHeader.Split(";,")
foreach($cookie in $cookies)
{
$name = $cookie.Split("=")[0].trim()
$value = $cookie.Substring($name.Length+1)
if($name -eq "rtFA" -or $name -eq "FedAuth" -or $name -eq "RpsContextCookie")
{
# If not empty, append the separator
if(![String]::IsNullOrEmpty($cookieHeaderValue))
{
$cookieHeaderValue+="|"
}
$cookieHeaderValue+="$name=$value"
}
}
# Return
return $cookieHeaderValue
}
}
# Creates a list from xml collection
function Create-ListFromCollection
{
[cmdletbinding()]
Param(
[Parameter(Mandatory=$False)]
$Collection
)
Process
{
if($Collection -ne $null)
{
$list=@()
foreach($element in $Collection.element)
{
$list+=$element
}
return $list
}
else
{
return $null
}
}
}
function Get-IDCRLToken
{
[cmdletbinding()]
Param(
[Parameter(Mandatory=$True)]
[System.Management.Automation.PSCredential]$Credentials
)
Process
{
# Get the authentication realm info
$realmInfo = Get-UserRealmV2 -UserName $Credentials.UserName
# Create the date strings
$now=Get-Date
$created = $now.ToUniversalTime().ToString("o")
$expires = $now.AddDays(1).ToUniversalTime().ToString("o")
# Check the realm type. If federated, we must first get the SAML token
if($realmInfo.NameSpaceType -eq "Federated")
{
$url = $realmInfo.STSAuthURL
# Create the body
$body=@"
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
$url
$((New-Guid).ToString())
Managed IDCRL
6
1
AQAAAAIAAABsYwQAAAAxMDMz
$($Credentials.UserName)
$($Credentials.GetNetworkCredential().Password)
$created
$expires
http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
urn:federation:MicrosoftOnline
http://schemas.xmlsoap.org/ws/2005/05/identity/NoProofKey
"@
# Invoke the command to get the SAML token
$response=Invoke-RestMethod -UseBasicParsing -Method Post -Uri $url -Body $body -ContentType "application/soap+xml; charset=utf-8" -Headers @{"User-Agent"=""}
$samlToken = $response.Envelope.Body.RequestSecurityTokenResponse.RequestedSecurityToken.InnerXml
# Oops, got an error?
if([string]::IsNullOrEmpty($samlToken))
{
if($error -eq $response.Envelope.Body.Fault.Detail.error.internalerror.text)
{
Throw $error
}
}
# Create the security block
$security="$samlToken"
}
else
{
# Create the security block
$security=@"
$($Credentials.UserName)
$($Credentials.GetNetworkCredential().Password)
$created
$expires
"@
}
$url = "https://login.microsoftonline.com/rst2.srf"
# Create the body
$body=@"
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
https://login.microsoftonline.com/rst2.srf
5
Managed IDCRL
$security
http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
sharepoint.com
"@
# Invoke the command
$response=Invoke-RestMethod -UseBasicParsing -Method Post -Uri $url -Body $body -ContentType "application/soap+xml; charset=utf-8" -Headers @{"User-Agent"=""}
# Extract the token
$token = $response.Envelope.Body.RequestSecurityTokenResponse.RequestedSecurityToken.BinarySecurityToken.'#text'
# Ooops, got an error?
if([string]::IsNullOrEmpty($token))
{
if($error -eq $response.Envelope.Body.Fault.Detail.error.internalerror.text)
{
Throw $error
}
}
# Return
return $token.Replace("&","&")
}
}
function Get-IDCRLCookie
{
[cmdletbinding()]
Param(
[Parameter(Mandatory=$True)]
[string]$Token,
[Parameter(Mandatory=$True)]
[string]$Tenant
)
Process
{
# Set the headers
$headers=@{
"Authorization" = "BPOSIDCRL $token"
"X-IDCRL_ACCEPTED" = "t"
"User-Agent" = ""
}
# Invoke the API
$response=Invoke-WebRequest2 -Method Get "https://$Tenant-admin.sharepoint.com/_vti_bin/idcrl.svc/" -Headers $headers
# Extract the IDCRL cookie
$cookie=$response.Headers.'Set-Cookie'
$cookie = $cookie.split(";")[0]
# Return the cookie header
return $cookie
}
}
function Get-SPODigest
{
[cmdletbinding()]
Param(
[Parameter(Mandatory=$False)]
[string]$Cookie,
[Parameter(Mandatory=$False)]
[string]$AccessToken,
[Parameter(Mandatory=$True)]
[string]$Site
)
Process
{
# Set the headers
$headers=@{
"X-RequestForceAuthentication" = "true"
"X-FORMS_BASED_AUTH_ACCEPTED"= "f"
"SOAPAction" = "http://schemas.microsoft.com/sharepoint/soap/GetUpdatedFormDigestInformation"
"User-Agent" = ""
"X-ClientService-ClientTag" = "TAPS (16.0.20122.0)"
}
$Body=@"
"@
# Parse the tenant part
$tenant = $site.Split("/")[2].Split(".")[0]
if(![string]::IsNullOrEmpty($Cookie))
{
$session = New-Object Microsoft.PowerShell.Commands.WebRequestSession
$webCookie = New-Object System.Net.Cookie
$webCookie.Name = $Cookie.Split("=")[0]
$webCookie.Value = $Cookie.Substring($webCookie.Name.Length+1)
$webCookie.Domain = "$tenant.sharepoint.com"
$session.Cookies.Add($webCookie)
}
else
{
# Get from cache if not provided
$AccessToken = Get-AccessTokenFromCache -AccessToken $AccessToken -Resource "https://$Tenant.sharepoint.com/" -ClientId "d3590ed6-52b3-4102-aeff-aad2292ab01c"
# Update the headers
$headers["Authorization"]="Bearer $AccessToken"
}
# Invoke the API
$response=Invoke-WebRequest2 -Method Post "$site/_vti_bin/sites.asmx" -Headers $headers -Body $Body -WebSession $session -ContentType "text/xml; charset=utf-8"
# Extract the Digest
[xml]$xmlContent=$response.Content
$digest=$xmlContent.Envelope.Body.GetUpdatedFormDigestInformationResponse.GetUpdatedFormDigestInformationResult.DigestValue
# Return the digest
return $digest
}
}
function Get-SPOTenantSettings
{
[cmdletbinding()]
Param(
[Parameter(Mandatory=$False)]
[string]$Cookie,
[Parameter(Mandatory=$False)]
[string]$AccessToken,
[Parameter(Mandatory=$True)]
[string]$Site
)
Process
{
$Body=@"
$Site
true
"@
# Invoke ProcessQuery
$response = Invoke-ProcessQuery -Cookie $Cookie -AccessToken $AccessToken -Site $site -Body $Body
$content = ($response.content | ConvertFrom-Json)
# Return
return $content[$content.Count-1]
}
}
# Invokes ProcessQuery
# Nov 23rd 2022
function Invoke-ProcessQuery
{
[cmdletbinding()]
Param(
[Parameter(Mandatory=$False)]
[string]$Cookie,
[Parameter(Mandatory=$False)]
[string]$AccessToken,
[Parameter(Mandatory=$True)]
[string]$Site,
[Parameter(Mandatory=$True)]
[string]$Body,
[Parameter(Mandatory=$False)]
[string]$Digest
)
Process
{
# Get the digest if not provided
if([String]::IsNullOrEmpty($Digest))
{
$Digest = Get-SPODigest -AccessToken $AccessToken -Cookie $Cookie -Site $Site
}
# Set the headers
$headers=@{
"X-RequestForceAuthentication" = "true"
"X-FORMS_BASED_AUTH_ACCEPTED"= "f"
"User-Agent" = ""
"X-RequestDigest" = $digest
}
# Parse the tenant part
$tenant = $site.Split("/")[2].Split(".")[0]
if(![string]::IsNullOrEmpty($Cookie))
{
$session = New-Object Microsoft.PowerShell.Commands.WebRequestSession
$webCookie = New-Object System.Net.Cookie
$webCookie.Name = $Cookie.Split("=")[0]
$webCookie.Value = $Cookie.Substring($webCookie.Name.Length+1)
$webCookie.Domain = "$tenant.sharepoint.com"
$session.Cookies.Add($webCookie)
}
else
{
# Get from cache if not provided
$AccessToken = Get-AccessTokenFromCache -AccessToken $AccessToken -Resource "https://$Tenant.sharepoint.com/" -ClientId "d3590ed6-52b3-4102-aeff-aad2292ab01c"
# Update the headers
$headers["Authorization"]="Bearer $AccessToken"
}
# Invoke the API
$response = Invoke-WebRequest2 -Method Post "$site/_vti_bin/client.svc/ProcessQuery" -Headers $headers -Body $Body -WebSession $session -ContentType "text/xml; charset=utf-8"
# Try to check error
$responseJson = $response.Content | ConvertFrom-Json
if($responseJson[0].ErrorInfo)
{
throw $responseJson[0].ErrorInfo.ErrorMessage
}
# return
$response
}
}
# Get migration container information
# Nov 22nd 2022
function Get-SPOMigrationContainersInfo
{
[cmdletbinding()]
Param(
[Parameter(Mandatory=$False)]
[string]$Cookie,
[Parameter(Mandatory=$False)]
[string]$AccessToken,
[Parameter(Mandatory=$True)]
[string]$Site
)
Process
{
# Get the digest to be used with two next requests
$digest = Get-SPODigest -AccessToken $AccessToken -Cookie $Cookie -Site $Site
$Body=@"
"@
# Invoke ProcessQuery to get container info
$response = Invoke-ProcessQuery -Cookie $Cookie -AccessToken $AccessToken -Site $site -Body $Body -Digest $digest
$content = ($response.content | ConvertFrom-Json)
$retVal = $content[$content.Count-1]
# Parse the encryption key
$retVal.EncryptionKey = $retVal.EncryptionKey.Split("(")[1].Split(")")[0]
# Body for migration queue
$Body=@"
"@
# Invoke ProcessQuery to get migration queue info
$response = Invoke-ProcessQuery -Cookie $Cookie -AccessToken $AccessToken -Site $site -Body $Body -Digest $digest
$content = ($response.content | ConvertFrom-Json)
$retVal | Add-Member -NotePropertyName "JobQueueUri" -NotePropertyValue $content[$content.Count-1].JobQueueUri.Replace(":443","")
# Return
return $retVal
}
}
# Get migration user loginname
# Nov 23rd 2022
function Get-SPOMigrationUser
{
[cmdletbinding()]
Param(
[Parameter(Mandatory=$False)]
[string]$Cookie,
[Parameter(Mandatory=$False)]
[string]$AccessToken,
[Parameter(Mandatory=$True)]
[string]$Site,
[Parameter(Mandatory=$True)]
[string]$UserName
)
Process
{
$Body=@"
$UserName
"@
# Invoke ProcessQuery
try
{
$response = Invoke-ProcessQuery -Cookie $Cookie -AccessToken $AccessToken -Site $site -Body $Body
$content = ($response.content | ConvertFrom-Json)
$details = $content[$content.Count -1]
$retVal = [PSCustomObject]@{
"LoginName" = $details.LoginName
"Title" = $details.Title
"IsSiteAdmin" = $details.IsSiteAdmin
"NameId" = $details.UserId.NameId
"ObjectIdentity" = $details._ObjectIdentity_
"Email" = $details.Email
"UserPrincipalName" = $details.UserPrincipalName
}
}
catch
{
$retVal = [PSCustomObject]@{
"LoginName" = $UserName
"Title" = ""
"IsSiteAdmin" = $true
"NameId" = $null
"ObjectIdentity" = ""
"Email" = ""
"UserPrincipalName" = ""
}
}
# NameId is null for guest users
if([string]::IsNullOrEmpty($retVal.NameId))
{
$retVal.NameId = "0"
}
return $retVal
}
}
# Gets SPOIDCRL authentication cookie for SPO web interface
# Supports only username and password! (and legacy BPOSIDCRL)
# Mar 3rd 2023
function Get-SPOIDCRL
{
<#
.SYNOPSIS
Gets SPOIDCRL authentication header for SharePoint Online
.DESCRIPTION
Gets SharePoint Identity Client Runtime librafy (SPOIDCRL) authentication header for SharePoint Online,
which is used for certain SPO APIs, such as /_vti_bin/webpartpages.asmx
.Parameter Site
Url of the SharePoint Online site (domain part will do)
.Parameter UserName
User's name
.Parameter Password
User's password
.Parameter Credential
User's credentials in PSCredential object
.Parameter BPOSIDCRL
User's BPOSIDCRL cookie
.Example
PS C:\>$cred = Get-Credential
PS C:\>Get-AADIntSPOIDCRL -Site "https://company.sharepoint.com/" -Credentials $cred
77u/PD94bWwgdmVyc2l[redacted]nM2RTJQUFpKSVZXSElKNDgvaTNFVHp4NVlpemdVT2lSUDdQL0JCV1k1NVhHQT09PC9TUD4=
#>
[cmdletbinding()]
Param(
[Parameter(Mandatory=$True)]
[String]$Site,
[Parameter(ParameterSetName='Credentials',Mandatory=$True)]
[System.Management.Automation.PSCredential]$Credentials,
[Parameter(ParameterSetName='UserNameAndPassword',Mandatory=$True)]
[String]$UserName,
[Parameter(ParameterSetName='UserNameAndPassword',Mandatory=$False)]
[String]$Password,
[Parameter(ParameterSetName='BPOSIDCRL',Mandatory=$True)]
[String]$BPOSIDCRL
)
Process
{
$siteDomain=$Site.Split("/")[2]
# Did we got BPOSIDCRL token?
if([string]::IsNullOrEmpty($BPOSIDCRL))
{
# We didn't. How about user name?
If([String]::IsNullOrEmpty($UserName))
{
# Nope, so parse from credential object
$UserName = $Credentials.UserName
$Password = $Credentials.GetNetworkCredential().password
}
# Get the BPOSIDCRL token
$BPOSIDCRL = Get-RSTToken -Url "https://login.microsoftonline.com/RST2.srf" -EndpointAddress "sharepoint.com" -UserName $UserName -Password $Password
}
$headers=@{
"Authorization" = "BPOSIDCRL $BPOSIDCRL"
}
# Get the SPOIDCRL cookie
$response = Invoke-WebRequest2 -uri "https://$siteDomain/_vti_bin/idcrl.svc/" -Headers $headers
$cookies = $response.Headers.'Set-Cookie'.Split(";")
$SPOIDCRL = $cookies[0].Substring(9)
# Return
return $SPOIDCRL
}
}