adding "-AT PoP" option to "Set-MgGraphOptions"

Author: FehintolaObafemi

docs/authentication.md

@@ -112,6 +112,24 @@ When using `-AccessToken`, we won't have access to the refresh token and the cli
 
 Before using the provided `-AccessToken` to get Microsoft Graph resources, customers should ensure that the access token has the necessary scopes/ permissions needed to access/modify a resource.
 
+### Access Token Proof of Possession (AT PoP)
+
+AT PoP is a security mechanism that binds an access token to a cryptographic key that only the intended recipient has. This prevents unauthorized use of the token by malicious actors. AT PoP enhances data protection, reduces token replay attacks, and enables fine-grained authorization policies.
+
+Microsoft Graph PowerShell module supports AT PoP in the following scenario:
+
+- To enable AT PoP on supported devices
+
+```PowerShell
+Set-MgGraphOption -EnableATPoP $true
+```
+
+- To disable AT PoP on supported devices
+
+```PowerShell
+Set-MgGraphOption -EnableATPoP $false
+```
+
 ## Web Account Manager (WAM)
 
 WAM is a Windows 10+ component that acts as an authentication broker allowing the users of an app benefit from integration with accounts known to Windows, such as the account already signed into an active Windows session.

src/Authentication/Authentication.Core/Interfaces/IGraphOptions.cs

@@ -11,5 +11,6 @@ namespace Microsoft.Graph.PowerShell.Authentication
     public interface IGraphOption
     {
         bool EnableWAMForMSGraph { get; set; }
+        bool EnableATPoPForMSGraph { get; set; }
     }
 }

src/Authentication/Authentication.Core/Microsoft.Graph.Authentication.Core.csproj

@@ -13,7 +13,10 @@
   <ItemGroup>
     <PackageReference Include="Azure.Identity" Version="1.10.3" />
     <PackageReference Include="Azure.Identity.Broker" Version="1.0.0-beta.5" />
+    <PackageReference Include="Azure.Identity.BrokeredAuthentication" Version="1.0.0-beta.3" />
     <PackageReference Include="Microsoft.Graph.Core" Version="3.0.9" />
+    <PackageReference Include="Microsoft.Identity.Client" Version="4.56.0" />
+    <PackageReference Include="Microsoft.Identity.Client.Broker" Version="4.56.0" />
     <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
   </ItemGroup>
   <Target Name="CopyFiles" AfterTargets="Build">

src/Authentication/Authentication/Cmdlets/SetMgGraphOption.cs

@@ -13,6 +13,9 @@ public class SetMgGraphOption : PSCmdlet
     {
         [Parameter]
         public bool EnableLoginByWAM { get; set; }
+        
+        [Parameter]
+        public bool EnableATPoP { get; set; }
 
         protected override void BeginProcessing()
         {
@@ -27,6 +30,11 @@ protected override void ProcessRecord()
                 GraphSession.Instance.GraphOption.EnableWAMForMSGraph = EnableLoginByWAM;
                 WriteDebug($"Signin by Web Account Manager (WAM) is {(EnableLoginByWAM ? "enabled" : "disabled")}.");
             }
+            if (this.IsParameterBound(nameof(EnableATPoP)))
+            {
+                GraphSession.Instance.GraphOption.EnableATPoPForMSGraph = EnableATPoP;
+                WriteDebug($"Access Token Proof of Posession (AT-PoP) is {(EnableATPoP ? "enabled" : "disabled")}.");
+            }
             File.WriteAllText(Constants.GraphOptionsFilePath, JsonConvert.SerializeObject(GraphSession.Instance.GraphOption, Formatting.Indented));
         }
 

src/Authentication/Authentication/Microsoft.Graph.Authentication.psd1

@@ -3,7 +3,7 @@
 #
 # Generated by: Microsoft
 #
-# Generated on: 21/09/2023
+# Generated on: 12/28/2023
 #
 
 @{
@@ -12,7 +12,7 @@
 RootModule = './Microsoft.Graph.Authentication.psm1'
 
 # Version number of this module.
-ModuleVersion = '2.6.1'
+ModuleVersion = '2.11.1'
 
 # Supported PSEditions
 CompatiblePSEditions = 'Core', 'Desktop'

src/Authentication/Authentication/Models/GraphOption.cs

@@ -9,6 +9,7 @@ namespace Microsoft.Graph.PowerShell.Authentication
     internal class GraphOption : IGraphOption
     {
         public bool EnableWAMForMSGraph { get; set; }
+        public bool EnableATPoPForMSGraph { get; set; }
     }
 
 }

src/Authentication/Authentication/test/Set-MgGraphOption.Tests.ps1

@@ -9,14 +9,14 @@ Describe "Set-MgGraphOption" {
         Import-Module $ModulePath -Force -ErrorAction SilentlyContinue
     }
     Context "When executing the command" {
-        it 'Should have one ParameterSets' {
+        it 'Should have two ParameterSets' {
             $SetMgGraphOptionCommand = Get-Command Set-MgGraphOption
             $SetMgGraphOptionCommand | Should -Not -BeNullOrEmpty
             $SetMgGraphOptionCommand.ParameterSets | Should -HaveCount 1
             $SetMgGraphOptionCommand.ParameterSets.Parameters | Should -HaveCount 13 # PS common parameters.
         }
 
-        It 'Executes successfully whren toggling WAM on' {
+        It 'Executes successfully when toggling WAM on' {
             { Set-MgGraphOption -EnableLoginByWAM $true -Debug | Out-Null } | Should -Not -Be $null
             { Set-MgGraphOption -EnableLoginByWAM $true -ErrorAction SilentlyContinue } | Should -Not -Throw
         }
@@ -25,5 +25,15 @@ Describe "Set-MgGraphOption" {
             { Set-MgGraphOption -EnableLoginByWAM $false -Debug | Out-Null } | Should -Not -Be $null
             { Set-MgGraphOption -EnableLoginByWAM $false -ErrorAction SilentlyContinue } | Should -Not -Throw
         }
+
+        It 'Executes successfully when toggling AT PoP on' {
+            { Set-MgGraphOption -EnableATPoP $true -Debug | Out-Null } | Should -Not -Be $null
+            { Set-MgGraphOption -EnableATPoP $true -ErrorAction SilentlyContinue } | Should -Not -Throw
+        }
+
+        It 'Executes successfully when toggling AT PoP off' {
+            { Set-MgGraphOption -EnableATPoP $false -Debug | Out-Null } | Should -Not -Be $null
+            { Set-MgGraphOption -EnableATPoP $false -ErrorAction SilentlyContinue } | Should -Not -Throw
+        }
     }
 }

src/Authentication/docs/Set-MgGraphOption.md

@@ -15,6 +15,9 @@ Sets global configurations that apply to the SDK. For example, toggle Web Accoun
 ```
 Set-MgGraphOption [-EnableLoginByWAM <Boolean>] [<CommonParameters>]
 ```
+```
+Set-MgGraphOption [-EnableATPoP <Boolean>] [<CommonParameters>]
+```
 
 ## DESCRIPTION
 Sets global configurations that apply to the SDK. For example, toggle Web Account Manager (WAM) support.
@@ -28,11 +31,21 @@ PS C:\> Set-MgGraphOption -EnableLoginByWAM $True
 
  Sets web account manager support
 
+### Example 2: Set access token proof of possession support
+```powershell
+PS C:\> Set-MgGraphOption -EnableATPoP $True
+```
+
+ Sets access token proof of possession support
+
 ## PARAMETERS
 
 ### -EnableLoginByWAM
 {{ Fill EnableLoginByWAM Description }}
 
+### -EnableATPoP
+{{ Fill EnableATPoP Description }}
+
 ```yaml
 Type: Boolean
 Parameter Sets: (All)

src/Authentication/examples/Set-MgGraphOption.md

@@ -2,4 +2,10 @@
 ```powershell
 PS C:\> Set-MgGraphOption -EnableLoginByWAM $True
 ```
- Sets web account manager support
+ Sets web account manager support
+
+### Example 2: Set access token proof of possession support
+```powershell
+PS C:\> Set-MgGraphOption -EnableATPoP $True
+```
+ Sets access token proof of possession support