From 364c216244f1192deeea0cf7c26fc9929749f12a Mon Sep 17 00:00:00 2001
From: Michal Gajda <mgajda83@gmail.com>
Date: Mon, 7 Nov 2022 15:45:20 +0100
Subject: [PATCH] CertificateThumbprint authentication

---
 Common/Utils/AuthUtils.cs              | 30 ++++++++++++++++++++++++++
 PowerShellCmdlets/Utils/UtilCmdlets.cs | 20 ++++++++++++++++-
 PowerShellGraphSDK.csproj              |  2 +-
 3 files changed, 50 insertions(+), 2 deletions(-)

diff --git a/Common/Utils/AuthUtils.cs b/Common/Utils/AuthUtils.cs
index 9c135b3..54fc1aa 100644
--- a/Common/Utils/AuthUtils.cs
+++ b/Common/Utils/AuthUtils.cs
@@ -9,6 +9,7 @@ namespace Microsoft.Intune.PowerShellGraphSDK
     using Microsoft.IdentityModel.Clients.ActiveDirectory;
     using Newtonsoft.Json;
     using Newtonsoft.Json.Linq;
+    using System.Security.Cryptography.X509Certificates;
 
     internal static partial class AuthUtils
     {
@@ -77,6 +78,35 @@ internal static SdkAuthResult AuthWithClientCredentials(string clientSecret)
             return authResult;
         }
 
+        internal static SdkAuthResult AuthWithCertificateThumbprint(string certificateThumbprint)
+        {
+            // Create auth context that we will use to connect to the AAD endpoint
+            AuthenticationContext authContext = new AuthenticationContext(CurrentEnvironmentParameters.AuthUrl);
+
+            //Find certificate
+            X509Certificate2 certificate = null;
+            using (X509Store store = new X509Store(StoreName.My, StoreLocation.CurrentUser))
+            {
+                store.Open(OpenFlags.ReadOnly);
+                X509Certificate2Collection source = store.Certificates.Find(X509FindType.FindByTimeValid, DateTime.Now, false).Find(X509FindType.FindByThumbprint, certificateThumbprint, false);
+                if (source == null)
+                {
+                    throw new Exception(certificateThumbprint + " certificate was not found or has expired.");
+                }
+                certificate = source.OfType<X509Certificate2>().OrderByDescending(c => c.NotBefore).FirstOrDefault<X509Certificate2>();
+            }
+            ClientAssertionCertificate clientCertificate = new ClientAssertionCertificate(CurrentEnvironmentParameters.AppId, certificate);
+
+            // Get the AuthenticationResult from AAD
+            SdkAuthResult authResult = authContext.AcquireTokenAsync(CurrentEnvironmentParameters.GraphBaseAddress, clientCertificate).GetAwaiter().GetResult().ToSdkAuthResult();
+            
+            // Save the auth result
+            AuthUtils.LatestAdalAuthResult = authResult;
+            
+            return authResult;
+        }
+
+
         /// <summary>
         /// Refreshes the access token using ADAL if required, otherwise returns the most recent still-valid refresh token.
         /// </summary>
diff --git a/PowerShellCmdlets/Utils/UtilCmdlets.cs b/PowerShellCmdlets/Utils/UtilCmdlets.cs
index 1778875..98bcea7 100644
--- a/PowerShellCmdlets/Utils/UtilCmdlets.cs
+++ b/PowerShellCmdlets/Utils/UtilCmdlets.cs
@@ -38,6 +38,11 @@ public class Connect : PSCmdlet
         /// </summary>
         private const string ParameterSetAppOnly = "AppOnly";
 
+        /// <summary>
+        /// Parameter set for triggering app-only authentication.
+        /// </summary>
+        private const string ParameterSetCertificateThumbprint = "CertificateThumbprint";
+
 #if NETFRAMEWORK
 
         private const string ParameterSetForceInteractive = "ForceInteractive";
@@ -87,6 +92,14 @@ public class Connect : PSCmdlet
         [Parameter(ParameterSetName = ParameterSetAppOnly)]
         public string ClientSecret { get; set; }
 
+        /// <summary>
+        /// <para type="description">
+        /// If the certificate thumbprint is set, app-only authentication will be performed using the client ID specified by the AppId environment parameter.
+        /// </para>
+        /// </summary>
+        [Parameter(ParameterSetName = ParameterSetCertificateThumbprint)]
+        public string CertificateThumbprint { get; set; }
+
         /// <summary>
         /// <para type="description">
         /// If the AdminConsent flag is set, admin consent can be granted for the currently selected AppId
@@ -122,9 +135,14 @@ protected override void ProcessRecord()
             SdkAuthResult authResult;
             if (this.ParameterSetName == ParameterSetAppOnly)
             {
-                // App-only auth
+                // App-only auth - ClientSecret
                 authResult = AuthUtils.AuthWithClientCredentials(this.ClientSecret);
             }
+            else if(this.ParameterSetName == ParameterSetCertificateThumbprint)
+            {
+                // App-only auth - CertificateThumbprint
+                authResult = AuthUtils.AuthWithCertificateThumbprint(this.CertificateThumbprint);
+            }
             else
             {
                 // User auth
diff --git a/PowerShellGraphSDK.csproj b/PowerShellGraphSDK.csproj
index 8c88de7..2e1d878 100644
--- a/PowerShellGraphSDK.csproj
+++ b/PowerShellGraphSDK.csproj
@@ -2,7 +2,7 @@
 
     <PropertyGroup>
         <OutputType>Library</OutputType>
-        <Version>6.1907.1.0</Version>
+        <Version>6.1907.1.1</Version>
         <Authors>Rajesh Soy, Rohit Ramu</Authors>
         <Company>Microsoft Corporation</Company>
         <Product>Microsoft Intune Graph PowerShell Client SDK</Product>