Address WAM review feedback

Author: PrzemyslawKlys

Private/Get-O365BrokerAccessToken.ps1

@@ -9,11 +9,12 @@ function Get-O365BrokerAccessToken {
         [Parameter(Mandatory, ParameterSetName = 'Scope')][string] $Scope,
         [string] $Tenant = 'organizations',
         [string] $ClientId = '1950a258-227b-4e31-a9cf-717495945fc2',
+        [string] $Account,
         [switch] $ForcePrompt
     )
 
-    if ($PSEdition -ne 'Core') {
-        throw 'MSAL WAM broker authentication requires PowerShell 7 or newer.'
+    if ($PSEdition -ne 'Core' -or $PSVersionTable.PSVersion -lt [version] '7.4') {
+        throw 'MSAL WAM broker authentication requires PowerShell 7.4 or newer.'
     }
 
     $BrokerClientType = 'O365Essentials.Auth.BrokerTokenClient' -as [type]
@@ -23,9 +24,9 @@ function Get-O365BrokerAccessToken {
 
     try {
         if ($PSCmdlet.ParameterSetName -eq 'Scope') {
-            $Result = $BrokerClientType.GetMethod('AcquireTokenForScope').Invoke($null, @($Tenant, $Scope, $ClientId, [bool] $ForcePrompt))
+            $Result = $BrokerClientType.GetMethod('AcquireTokenForScope').Invoke($null, @($Tenant, $Scope, $ClientId, $Account, [bool] $ForcePrompt))
         } else {
-            $Result = $BrokerClientType.GetMethod('AcquireTokenForResource').Invoke($null, @($Tenant, $ResourceUrl, $ClientId, [bool] $ForcePrompt))
+            $Result = $BrokerClientType.GetMethod('AcquireTokenForResource').Invoke($null, @($Tenant, $ResourceUrl, $ClientId, $Account, [bool] $ForcePrompt))
         }
     } catch [System.Reflection.TargetInvocationException] {
         $Inner = $_.Exception.InnerException

Public/Connect-O365Admin.ps1

@@ -89,6 +89,7 @@ function Connect-O365Admin {
     $PortalUserId = $null
     $PortalTenantId = $null
     $HeadersPortal = $null
+    $RequestedUseWam = [bool] $UseWam
     if ($Headers) {
         if ($Headers.ExpiresOnUTC -gt [datetime]::UtcNow -and -not $ForceRefresh -and -not $HasPortalAttachInput) {
             Write-Verbose -Message "Connect-O365Admin - Using cache for connection $($Headers.UserName)"
@@ -102,7 +103,9 @@ function Connect-O365Admin {
             $Tenant = $Headers.Tenant
             $Subscription = $Headers.Subscription
             $RefreshToken = $Headers.RefreshToken
-            $UseWam = $Headers.Contains('AuthenticationMode') -and $Headers.AuthenticationMode -eq 'WAM'
+            if (-not $RequestedUseWam) {
+                $UseWam = $Headers.Contains('AuthenticationMode') -and $Headers.AuthenticationMode -eq 'WAM'
+            }
             if ($Headers.Contains('PortalWebSession')) { $PortalWebSession = $Headers.PortalWebSession }
             if ($Headers.Contains('AjaxSessionKey')) { $AjaxSessionKey = $Headers.AjaxSessionKey }
             if ($Headers.Contains('PortalRouteKey')) { $PortalRouteKey = $Headers.PortalRouteKey }
@@ -123,7 +126,9 @@ function Connect-O365Admin {
             $Tenant = $Script:AuthorizationO365Cache.Tenant
             $Subscription = $Script:AuthorizationO365Cache.Subscription
             $RefreshToken = $Script:AuthorizationO365Cache.RefreshToken
-            $UseWam = $Script:AuthorizationO365Cache.Contains('AuthenticationMode') -and $Script:AuthorizationO365Cache.AuthenticationMode -eq 'WAM'
+            if (-not $RequestedUseWam) {
+                $UseWam = $Script:AuthorizationO365Cache.Contains('AuthenticationMode') -and $Script:AuthorizationO365Cache.AuthenticationMode -eq 'WAM'
+            }
             if ($Script:AuthorizationO365Cache.Contains('PortalWebSession')) { $PortalWebSession = $Script:AuthorizationO365Cache.PortalWebSession }
             if ($Script:AuthorizationO365Cache.Contains('AjaxSessionKey')) { $AjaxSessionKey = $Script:AuthorizationO365Cache.AjaxSessionKey }
             if ($Script:AuthorizationO365Cache.Contains('PortalRouteKey')) { $PortalRouteKey = $Script:AuthorizationO365Cache.PortalRouteKey }
@@ -234,16 +239,17 @@ function Connect-O365Admin {
     # Read tenant information from the token so subsequent requests use the correct tenant
     $jwtTenant = if ($tokenGraph.id_token) { $tokenGraph.id_token } else { $tokenGraph.access_token }
     $tenantInfo = ConvertFrom-JSONWebToken -Token $jwtTenant
-    if (-not $PSBoundParameters.ContainsKey('Tenant') -or $Tenant -eq 'organizations') {
-        $Tenant = $tenantInfo.tid
-    }
+    if (-not $PSBoundParameters.ContainsKey('Tenant') -or $Tenant -eq 'organizations') {
+        $Tenant = $tenantInfo.tid
+    }
     $refresh = if ($UseWam) { $null } else { $tokenGraph.refresh_token }
+    $WamAccount = if ($UseWam) { $tokenGraph.account } else { $null }
     $tokenO365 = $null
     $tokenAzure = $null
     try {
         Write-Verbose -Message "Connect-O365Admin - Acquiring token for admin.microsoft.com"
         if ($UseWam) {
-            $tokenO365 = Get-O365BrokerAccessToken -Tenant $Tenant -ResourceUrl 'https://admin.microsoft.com/'
+            $tokenO365 = Get-O365BrokerAccessToken -Tenant $Tenant -ResourceUrl 'https://admin.microsoft.com/' -Account $WamAccount
         } elseif ($PSCmdlet.ParameterSetName -eq 'App') {
             $tokenO365 = Get-O365OAuthToken -Tenant $Tenant -Scope $ScopesO365 -ClientId $ClientId -ClientSecret $ClientSecret -Certificate $Certificate -CertificatePassword $CertificatePassword
         } else {
@@ -253,7 +259,7 @@ function Connect-O365Admin {
         Write-Verbose -Message "Connect-O365Admin - admin.microsoft.com scope token failed. Falling back to portal resource audience. Error: $($_.Exception.Message)"
         try {
             if ($UseWam) {
-                $tokenO365 = Get-O365BrokerAccessToken -Tenant $Tenant -ResourceUrl $ResourceAzure
+                $tokenO365 = Get-O365BrokerAccessToken -Tenant $Tenant -ResourceUrl $ResourceAzure -Account $WamAccount
             } elseif ($PSCmdlet.ParameterSetName -eq 'App') {
                 $tokenO365 = Get-O365OAuthToken -Tenant $Tenant -Resource $ResourceAzure -ClientId $ClientId -ClientSecret $ClientSecret -Certificate $Certificate -CertificatePassword $CertificatePassword
             } else {
@@ -269,7 +275,7 @@ function Connect-O365Admin {
     try {
         Write-Verbose -Message "Connect-O365Admin - Acquiring token for Teams (api.spaces.skype.com)"
         if ($UseWam) {
-            $tokenTeams = Get-O365BrokerAccessToken -Tenant $Tenant -ResourceUrl 'https://api.spaces.skype.com/'
+            $tokenTeams = Get-O365BrokerAccessToken -Tenant $Tenant -ResourceUrl 'https://api.spaces.skype.com/' -Account $WamAccount
         } elseif ($PSCmdlet.ParameterSetName -eq 'App') {
             $tokenTeams = Get-O365OAuthToken -Tenant $Tenant -Scope $ScopesTeams -ClientId $ClientId -ClientSecret $ClientSecret -Certificate $Certificate -CertificatePassword $CertificatePassword
         } else {
@@ -283,7 +289,7 @@ function Connect-O365Admin {
         try {
             Write-Verbose -Message "Connect-O365Admin - Acquiring token for Azure"
             if ($UseWam) {
-                $tokenAzure = Get-O365BrokerAccessToken -Tenant $Tenant -ResourceUrl $ResourceAzure
+                $tokenAzure = Get-O365BrokerAccessToken -Tenant $Tenant -ResourceUrl $ResourceAzure -Account $WamAccount
             } elseif ($PSCmdlet.ParameterSetName -eq 'App') {
                 $tokenAzure = Get-O365OAuthToken -Tenant $Tenant -Resource $ResourceAzure -ClientId $ClientId -ClientSecret $ClientSecret -Certificate $Certificate -CertificatePassword $CertificatePassword
             } else {
@@ -297,7 +303,7 @@ function Connect-O365Admin {
     try {
         Write-Verbose -Message "Connect-O365Admin - Acquiring token for Azure management"
         if ($UseWam) {
-            $tokenARM = Get-O365BrokerAccessToken -Tenant $Tenant -ResourceUrl 'https://management.azure.com/'
+            $tokenARM = Get-O365BrokerAccessToken -Tenant $Tenant -ResourceUrl 'https://management.azure.com/' -Account $WamAccount
         } elseif ($PSCmdlet.ParameterSetName -eq 'App') {
             $tokenARM = Get-O365OAuthToken -Tenant $Tenant -Scope $ScopesARM -ClientId $ClientId -ClientSecret $ClientSecret -Certificate $Certificate -CertificatePassword $CertificatePassword
         } else {
@@ -333,9 +339,9 @@ function Connect-O365Admin {
                 Write-Verbose -Message "Connect-O365Admin - Acquiring token for Substrate using $($attempt.type): $($attempt.value)"
                 if ($UseWam) {
                     if ($attempt.type -eq 'scope') {
-                        $tokenSubstrate = Get-O365BrokerAccessToken -Tenant $Tenant -Scope $attempt.value
+                        $tokenSubstrate = Get-O365BrokerAccessToken -Tenant $Tenant -Scope $attempt.value -Account $WamAccount
                     } else {
-                        $tokenSubstrate = Get-O365BrokerAccessToken -Tenant $Tenant -ResourceUrl $attempt.value
+                        $tokenSubstrate = Get-O365BrokerAccessToken -Tenant $Tenant -ResourceUrl $attempt.value -Account $WamAccount
                     }
                 } elseif ($attempt.type -eq 'resource') {
                     if ($PSCmdlet.ParameterSetName -eq 'App') {

README.MD

@@ -76,10 +76,10 @@ If we have MFA we simply let it query you for MFA code.
 $null = Connect-O365Admin -Verbose
 ```
 
-On Windows PowerShell 7+, you can opt into the Web Account Manager broker through
-the bundled MSAL helper. This allows Windows Hello, Conditional Access, FIDO, and
-the Windows account picker to participate in delegated sign-in while the MSAL
-assemblies stay isolated inside the packaged module:
+On Windows PowerShell 7.4+, you can opt into the Web Account Manager broker
+through the bundled MSAL helper. This allows Windows Hello, Conditional Access,
+FIDO, and the Windows account picker to participate in delegated sign-in while
+the MSAL assemblies stay isolated inside the packaged module:
 
 ```powershell
 $null = Connect-O365Admin -UseWam -Tenant 'contoso.onmicrosoft.com' -Verbose

Sources/O365Essentials.Auth/BrokerTokenClient.cs

@@ -25,16 +25,18 @@ public static BrokerTokenResult AcquireTokenForResource(
         string? tenant,
         string resourceUrl,
         string clientId,
+        string? accountUsername,
         bool forcePrompt)
     {
         var scopeCandidates = BuildScopeCandidatesFromResource(resourceUrl);
-        return AcquireTokenAsync(tenant, scopeCandidates, clientId, forcePrompt).GetAwaiter().GetResult();
+        return AcquireTokenAsync(tenant, scopeCandidates, clientId, accountUsername, forcePrompt).GetAwaiter().GetResult();
     }
 
     public static BrokerTokenResult AcquireTokenForScope(
         string? tenant,
         string scope,
         string clientId,
+        string? accountUsername,
         bool forcePrompt)
     {
         var scopes = SplitScopes(scope);
@@ -43,13 +45,14 @@ public static BrokerTokenResult AcquireTokenForScope(
             throw new ArgumentException("At least one scope must be provided.", nameof(scope));
         }
 
-        return AcquireTokenAsync(tenant, new[] { scopes }, clientId, forcePrompt).GetAwaiter().GetResult();
+        return AcquireTokenAsync(tenant, new[] { scopes }, clientId, accountUsername, forcePrompt).GetAwaiter().GetResult();
     }
 
     private static async Task<BrokerTokenResult> AcquireTokenAsync(
         string? tenant,
         IReadOnlyList<string[]> scopeCandidates,
         string clientId,
+        string? accountUsername,
         bool forcePrompt)
     {
         if (!OperatingSystem.IsWindows())
@@ -86,7 +89,8 @@ private static async Task<BrokerTokenResult> AcquireTokenAsync(
         {
             try
             {
-                var result = await AcquireTokenForScopesAsync(application, scopes, forcePrompt).ConfigureAwait(false);
+                var result = await AcquireTokenForScopesAsync(application, scopes, accountUsername, forcePrompt).ConfigureAwait(false);
+                EnsureAccountMatches(result, accountUsername);
                 return ToResult(result);
             }
             catch (MsalException ex) when (CanTryNextScopeCandidate(ex))
@@ -105,12 +109,20 @@ private static async Task<BrokerTokenResult> AcquireTokenAsync(
     private static async Task<AuthenticationResult> AcquireTokenForScopesAsync(
         IPublicClientApplication application,
         string[] scopes,
+        string? accountUsername,
         bool forcePrompt)
     {
+        var expectedUsername = string.IsNullOrWhiteSpace(accountUsername) ? null : accountUsername.Trim();
         if (!forcePrompt)
         {
             var accounts = await application.GetAccountsAsync().ConfigureAwait(false);
-            foreach (var account in accounts)
+            var candidateAccounts = string.IsNullOrWhiteSpace(expectedUsername)
+                ? accounts
+                : accounts.Where(account =>
+                    !string.IsNullOrWhiteSpace(account.Username)
+                    && account.Username.Equals(expectedUsername, StringComparison.OrdinalIgnoreCase));
+
+            foreach (var account in candidateAccounts)
             {
                 try
                 {
@@ -121,20 +133,29 @@ private static async Task<AuthenticationResult> AcquireTokenForScopesAsync(
                 }
             }
 
-            try
-            {
-                return await application
-                    .AcquireTokenSilent(scopes, PublicClientApplication.OperatingSystemAccount)
-                    .ExecuteAsync()
-                    .ConfigureAwait(false);
-            }
-            catch (MsalUiRequiredException)
+            if (string.IsNullOrWhiteSpace(expectedUsername))
             {
+                try
+                {
+                    return await application
+                        .AcquireTokenSilent(scopes, PublicClientApplication.OperatingSystemAccount)
+                        .ExecuteAsync()
+                        .ConfigureAwait(false);
+                }
+                catch (MsalUiRequiredException)
+                {
+                }
             }
         }
 
-        return await application
-            .AcquireTokenInteractive(scopes)
+        var interactiveBuilder = application
+            .AcquireTokenInteractive(scopes);
+        if (!string.IsNullOrWhiteSpace(expectedUsername))
+        {
+            interactiveBuilder = interactiveBuilder.WithLoginHint(expectedUsername);
+        }
+
+        return await interactiveBuilder
             .WithPrompt(Prompt.SelectAccount)
             .ExecuteAsync()
             .ConfigureAwait(false);
@@ -193,12 +214,43 @@ private static bool CanTryNextScopeCandidate(MsalException exception)
             || exception.ErrorCode.Equals("invalid_request", StringComparison.OrdinalIgnoreCase);
     }
 
+    private static void EnsureAccountMatches(AuthenticationResult result, string? expectedUsername)
+    {
+        if (string.IsNullOrWhiteSpace(expectedUsername) || result.Account is null)
+        {
+            return;
+        }
+
+        if (string.IsNullOrWhiteSpace(result.Account.Username)
+            || !result.Account.Username.Equals(expectedUsername.Trim(), StringComparison.OrdinalIgnoreCase))
+        {
+            throw new InvalidOperationException(
+                $"MSAL WAM returned account '{result.Account.Username}' while O365Essentials expected '{expectedUsername}'.");
+        }
+    }
+
     private static IntPtr GetConsoleOrTerminalWindow()
     {
         var consoleHandle = GetConsoleWindow();
-        return consoleHandle == IntPtr.Zero
-            ? IntPtr.Zero
-            : GetAncestor(consoleHandle, GetAncestorFlags.GetRootOwner);
+        if (consoleHandle != IntPtr.Zero)
+        {
+            var owner = GetAncestor(consoleHandle, GetAncestorFlags.GetRootOwner);
+            return owner == IntPtr.Zero ? consoleHandle : owner;
+        }
+
+        var foregroundHandle = GetForegroundWindow();
+        if (foregroundHandle != IntPtr.Zero)
+        {
+            return foregroundHandle;
+        }
+
+        var shellHandle = GetShellWindow();
+        if (shellHandle != IntPtr.Zero)
+        {
+            return shellHandle;
+        }
+
+        return GetDesktopWindow();
     }
 
     private enum GetAncestorFlags
@@ -209,6 +261,15 @@ private enum GetAncestorFlags
     [DllImport("kernel32.dll")]
     private static extern IntPtr GetConsoleWindow();
 
+    [DllImport("user32.dll")]
+    private static extern IntPtr GetForegroundWindow();
+
+    [DllImport("user32.dll")]
+    private static extern IntPtr GetShellWindow();
+
+    [DllImport("user32.dll")]
+    private static extern IntPtr GetDesktopWindow();
+
     [DllImport("user32.dll", ExactSpelling = true)]
     private static extern IntPtr GetAncestor(IntPtr hwnd, GetAncestorFlags flags);
 }

Tests/Get-O365OAuthToken.Tests.ps1

@@ -152,7 +152,7 @@ Describe 'Connect-O365Admin portal token' {
             }
         }
         Mock -ModuleName O365Essentials Get-O365BrokerAccessToken -MockWith {
-            param($Tenant, $ResourceUrl, $Scope, $ForcePrompt)
+            param($Tenant, $ResourceUrl, $Scope, $Account, $ForcePrompt)
             $Target = if ($ResourceUrl) { $ResourceUrl } else { $Scope }
             [pscustomobject]@{
                 access_token = "token:$Target"
@@ -172,7 +172,51 @@ Describe 'Connect-O365Admin portal token' {
         $result.HeadersO365.Authorization | Should -Be 'Bearer token:https://admin.microsoft.com/'
         Assert-MockCalled Get-O365OAuthToken -ModuleName O365Essentials -Exactly 0
         Assert-MockCalled Get-O365BrokerAccessToken -ModuleName O365Essentials -ParameterFilter {
-            $ResourceUrl -eq 'https://admin.microsoft.com/'
+            $ResourceUrl -eq 'https://admin.microsoft.com/' -and $Account -eq 'user@contoso.com'
+        } -Exactly 1
+    }
+
+    It 'honors explicit WAM refresh when an expired OAuth cache exists' {
+        InModuleScope O365Essentials {
+            $script:AuthorizationO365Cache = [ordered] @{
+                Credential         = $null
+                ClientId           = $null
+                ClientSecret       = $null
+                Certificate        = $null
+                CertificatePassword = $null
+                AuthenticationMode = 'OAuth'
+                UserName           = 'old@contoso.com'
+                Tenant             = 'tenant-id'
+                Subscription       = $null
+                RefreshToken       = 'old-refresh-token'
+                ExpiresOnUTC       = ([datetime]::UtcNow).AddMinutes(-5)
+            }
+        }
+        Mock -ModuleName O365Essentials ConvertFrom-JSONWebToken -MockWith {
+            [pscustomobject]@{
+                tid = 'tenant-id'
+                upn = 'user@contoso.com'
+            }
+        }
+        Mock -ModuleName O365Essentials Get-O365BrokerAccessToken -MockWith {
+            param($Tenant, $ResourceUrl, $Scope, $Account, $ForcePrompt)
+            $Target = if ($ResourceUrl) { $ResourceUrl } else { $Scope }
+            [pscustomobject]@{
+                access_token = "token:$Target"
+                expires_on   = ([datetime]::UtcNow).AddHours(1)
+                tenant_id    = 'tenant-id'
+                account      = 'user@contoso.com'
+            }
+        }
+        Mock -ModuleName O365Essentials Get-O365OAuthToken -MockWith { throw 'legacy OAuth path should not be used' }
+
+        $result = Connect-O365Admin -UseWam -ForceRefresh
+
+        $result.AuthenticationMode | Should -Be 'WAM'
+        $result.UserName | Should -Be 'user@contoso.com'
+        Assert-MockCalled Get-O365OAuthToken -ModuleName O365Essentials -Exactly 0
+        Assert-MockCalled Get-O365BrokerAccessToken -ModuleName O365Essentials -ParameterFilter {
+            $ResourceUrl -eq 'https://graph.microsoft.com/' -and $ForcePrompt
         } -Exactly 1
     }