Add -Force to Get-AzAccessToken

[Agazoth]

Recently we have been working with different roles in Azure SQL databases and data masking. The masking is based on Azure AD group membership. We are testing masking by adding and removing users to and from Azure AD groups and then querying the database from PowerShell using the sqlserver cmdlets combined with Get-AzAccessToken.

Get-AzAccessToken uses the MSAL cache for tokens and only refreshes the token, if it is close to expiration. That is a god thing in stable scenarios, but in this scenario, where the token changes often, it would be great to be able to override the default behavior and force creation of a new token.

A -Force switch on the Get-AzAccessToken cmdlet would be a logical solution to this scenario, but looking at the code it seems there is no easy way to force a token refresh.

Would this be a useful feature? If so, is it on a backlog somewhere?

[isra-fel]

• @bgavrilovicMS hey, is this (force refreshing access token) a scenario MSAL would consider to support?

[bgavrilovicMS]

Hi, not sure if it's perhaps a wrong tag, but I don't think I can provide an answer here :)

[isra-fel]

My bad, I was trying to tag @bgavrilMS 😅

[bgavrilMS]

@Agazoth - how are you checking group membership? Are you parsing the access token? Clients should not parse access tokens - this is a security / resilience issue - access token is not meant for client, but for protected resource, e.g. Azure SQL or Graph; token format is not guranteed to stay JWT, OAUTH spec does not force JWT, e.g. AAD might start issuing encrypted JWT (JWE) and it'll break the client. Solution is to parse ID Token, as this is meant for the app.

But probably the better solution is to use Microsoft Graph to figure out the groups. You can even get it to issue change notifications.

@isra-fel yes you can use WithForceRefresh on the AcquireTokenSilent API which will have MSAL skip the Access Token lookup and go straight to refresh token flow.

[Agazoth]

@bgavrilMS I checked the groups in jwt.io. I just want to be able to force a new token via Get-AzAccessToken, when testing AAD group membership during configuration of new access. A -Force switch on Get-AzAccessToken would be great when doing that kind of test.

As @isra-fel suggests, it might be possigle to have Get-AzAccessToken use the WithForceRefresh option.

I cannot find any documentation on WithForceREfresh on the AcquireTokenSilent API. Is that awailable somewhere?

[bgavrilMS]

This is where it gets a little tricky.

PowerShell uses Azure SDK which uses MSAL SDK. So MSAL is 2 levels down. So it would require changes in Azure SDK first.

[bgavrilMS]

Might be easier to make a query to Graph to figure out group memberships - https://developer.microsoft.com/en-us/graph/graph-explorer

[Agazoth]

@bgavrilMS that was also what my debugging indicated. How can we request a change to the Azure SDK? I find it quite hard to navigate that project and find the exact spot where the functionality could be implemented.

I am fine with looking at group membership via Graph, but that does not enable me to test things like sql queries from a logged in PowerShell session until the current token expires, when using Get-AzAccessToken.