Generating Tokens

Learn how to generate access tokens using different OAuth2 flows and configurations.

Quick Reference

TaskCommand
Get token with profileentratool get-token -p PROFILE
Override scopeentratool get-token -p PROFILE --scope "SCOPE"
Specify flowentratool get-token -p PROFILE -f FLOW
Silent modeentratool get-token -p PROFILE --silent
Save to fileentratool get-token -p PROFILE -o token.txt
Refresh tokenentratool refresh -p PROFILE

Basic Token Generation

Using a Profile 

1

entratool get-token -p my-profile

Output:

Authenticating with profile 'my-profile'...
✓ Token acquired successfully

eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ij...

What happens:

  1. Profile loaded from ~/.entratool/profiles.json
  2. Secrets retrieved from secure storage
  3. Authentication flow executed
  4. Access token printed to stdout

Specifying a Flow

Override the default flow:

1

entratool get-token -p my-profile -f ClientCredentials

Available flows:

  • ClientCredentials
  • AuthorizationCode
  • DeviceCode
  • InteractiveBrowser

Learn about flows →

Client Credentials Flow

Non-Interactive Service Authentication 

1

entratool get-token -p service-principal -f ClientCredentials

Requirements:

  • Client secret or certificate configured
  • Application permissions granted
  • Admin consent completed

Example:

1
2

# Service principal for Graph API
entratool get-token -p graph-sp -f ClientCredentials

Output:

✓ Token acquired successfully
eyJ0eXAiOiJKV1QiLCJh...

Detailed guide →

Interactive Browser Flow

User Authentication with Browser 

1

entratool get-token -p user-app -f InteractiveBrowser

What happens:

  1. Browser opens to Entra ID login page
  2. User enters credentials
  3. User consents to permissions (if required)
  4. Browser redirects to localhost with code
  5. Tool exchanges code for token

Example:

1

entratool get-token -p personal-graph -f InteractiveBrowser

Output:

Opening browser for authentication...
✓ Authentication successful
✓ Token acquired

eyJ0eXAiOiJKV1QiLCJh...

Detailed guide →

Device Code Flow

Authentication on Limited-Input Devices 

1

entratool get-token -p iot-device -f DeviceCode

What happens:

  1. Tool displays code and URL
  2. User visits URL on another device
  3. User enters code
  4. User authenticates
  5. Tool polls and receives token

Example:

1

entratool get-token -p headless-server -f DeviceCode

Output:

Device Code Authentication
To sign in, use a web browser to open:
  https://microsoft.com/devicelogin
and enter the code: ABCD-1234

Waiting for authentication...
✓ Token acquired successfully

Detailed guide →

Authorization Code Flow

Web Application Authentication 

1

entratool get-token -p webapp -f AuthorizationCode

Requirements:

  • Redirect URI configured in app registration
  • Delegated permissions
  • User credentials

Example:

1

entratool get-token -p web-backend -f AuthorizationCode

Output:

Opening browser for authentication...
Redirect URI: http://localhost:8080
✓ Authorization code received
✓ Token acquired

eyJ0eXAiOiJKV1QiLCJh...

Detailed guide →

Scope Override

Runtime Scope Specification

Override profile’s default scope:

1
2

entratool get-token -p myprofile \
  --scope "https://graph.microsoft.com/User.Read Mail.Read"

Use cases:

  • Different operations need different permissions
  • Testing with minimal scopes
  • Temporary scope changes

Multiple Scopes

Space-separated:

1
2

entratool get-token -p myprofile \
  --scope "https://graph.microsoft.com/User.Read Mail.Read Calendars.Read"

Comma-separated:

1
2

entratool get-token -p myprofile \
  --scope "https://graph.microsoft.com/User.Read,Mail.Read,Calendars.Read"

.default Scope

Request all configured permissions:

1
2

entratool get-token -p myprofile \
  --scope "https://graph.microsoft.com/.default"

Learn about scopes →

Certificate Authentication

Using Certificates Instead of Secrets 

1

entratool get-token -p cert-profile -f ClientCredentials

Profile configuration:

1
2
3
4
5
6
7

{
  "name": "cert-profile",
  "clientId": "...",
  "tenantId": "...",
  "certificatePath": "/path/to/cert.pfx",
  "useCertificate": true
}

Certificate password:

  • Stored securely in platform-specific storage
  • Prompted once during profile creation
  • Never stored in plaintext

Advantages

✅ More secure than secrets
✅ Longer validity periods
✅ Better for automation
✅ Certificate rotation support

Detailed certificate guide →

Output Options

Silent Mode

Suppress all output except the token:

1

entratool get-token -p myprofile --silent

Output:

eyJ0eXAiOiJKV1QiLCJh...

Use in scripts:

1
2

TOKEN=$(entratool get-token -p myprofile --silent)
curl -H "Authorization: Bearer $TOKEN" https://graph.microsoft.com/v1.0/me

Save to File 

1

entratool get-token -p myprofile -o token.txt

Output:

✓ Token saved to token.txt

Use later:

1
2

TOKEN=$(cat token.txt)
curl -H "Authorization: Bearer $TOKEN" ...

JSON Output 

1

entratool get-token -p myprofile --json

Output:

1
2
3
4
5
6

{
  "accessToken": "eyJ0eXAiOiJKV1QiLCJh...",
  "expiresOn": "2024-12-01T12:00:00Z",
  "tokenType": "Bearer",
  "scopes": ["https://graph.microsoft.com/.default"]
}

Token Inspection

Inspect Token Claims 

1
2

# Generate and inspect in one command
entratool get-token -p myprofile --silent | entratool inspect

Or separately:

1
2

TOKEN=$(entratool get-token -p myprofile --silent)
entratool inspect -t "$TOKEN"

Output:

1
2
3
4
5
6
7
8
9

{
  "aud": "https://graph.microsoft.com",
  "iss": "https://sts.windows.net/...",
  "iat": 1701432000,
  "exp": 1701435600,
  "appid": "12345678-1234-1234-1234-123456789abc",
  "scp": "User.Read Mail.Read",
  "roles": []
}

Learn about token inspection →

Token Refresh

Refreshing Expired Tokens

If you have a refresh token:

1

entratool refresh -p myprofile

Requirements:

  • Original token acquired with offline_access scope
  • Refresh token stored in cache

Output:

Refreshing token for profile 'myprofile'...
✓ Token refreshed successfully

eyJ0eXAiOiJKV1QiLCJh...

Note: Client Credentials flow doesn’t support refresh tokens. Just request a new token instead.

Learn about token refreshing →

Common Patterns

Pattern 1: Script Automation 

 1
 2
 3
 4
 5
 6
 7
 8
 9
10

#!/bin/bash
set -e

# Get token
TOKEN=$(entratool get-token -p automation --silent)

# Use token
curl -H "Authorization: Bearer $TOKEN" \
     https://graph.microsoft.com/v1.0/users \
     | jq

Pattern 2: Environment Variable 

1
2
3
4
5

export ACCESS_TOKEN=$(entratool get-token -p myprofile --silent)

# Use in multiple commands
curl -H "Authorization: Bearer $ACCESS_TOKEN" https://api1.example.com
curl -H "Authorization: Bearer $ACCESS_TOKEN" https://api2.example.com

Pattern 3: Token Caching 

1
2
3
4
5
6
7
8

TOKEN_FILE=~/.cache/entratool-token.txt

# Check if token exists and is valid
if [ ! -f "$TOKEN_FILE" ] || ! entratool discover -f "$TOKEN_FILE" &>/dev/null; then
  entratool get-token -p myprofile --silent > "$TOKEN_FILE"
fi

TOKEN=$(cat "$TOKEN_FILE")

Pattern 4: Multi-API Access 

1
2
3
4
5
6
7

# Get tokens for different APIs
TOKEN_GRAPH=$(entratool get-token -p graph-profile --silent)
TOKEN_AZURE=$(entratool get-token -p azure-profile --silent)

# Use with different APIs
curl -H "Authorization: Bearer $TOKEN_GRAPH" https://graph.microsoft.com/v1.0/me
curl -H "Authorization: Bearer $TOKEN_AZURE" https://management.azure.com/subscriptions

Troubleshooting

“Profile not found”

Cause: Profile name is incorrect

Fix:

1
2
3
4
5

# List profiles
entratool config list

# Use correct name
entratool get-token -p correct-name

“AADSTS70011: Invalid scope”

Cause: Requested scope is not configured in app registration

Fix:

  1. Go to Azure Portal → App registrations
  2. Select your app → API permissions
  3. Add the required permission
  4. Grant admin consent (if needed)

“AADSTS7000215: Invalid client secret”

Cause: Client secret is expired or incorrect

Fix:

1
2
3
4
5

# Rotate secret in Azure Portal
# Update profile
entratool config edit -p myprofile
# Select: Client Secret
# Enter: new-secret

“Insufficient privileges”

Cause: Token has scope but lacks underlying permission

Fix:

  1. Verify API permissions in Azure Portal
  2. Grant admin consent
  3. For users: Assign appropriate Azure AD role

“Browser did not respond”

Cause: Browser authentication timed out

Fix:

  • Try Device Code flow instead:
    1

    entratool get-token -p myprofile -f DeviceCode
  • Check redirect URI configuration
  • Ensure localhost port is not blocked

Best Practices

✅ Use Appropriate Flows

  • Automation: Client Credentials
  • User apps: Interactive Browser
  • Headless/SSH: Device Code
  • Web apps: Authorization Code

✅ Request Minimal Scopes 

1
2
3
4
5

# ❌ Over-privileged
--scope "https://graph.microsoft.com/.default"

# ✓ Minimal
--scope "https://graph.microsoft.com/User.Read"

✅ Handle Token Expiration 

1
2
3
4
5
6
7

# Check expiration before use
entratool discover -f token.txt

# Refresh if needed
if [ $? -ne 0 ]; then
  entratool get-token -p myprofile --silent > token.txt
fi

✅ Secure Token Storage 

1
2
3
4

# Set restrictive permissions
TOKEN_FILE=~/.cache/my-token.txt
entratool get-token -p myprofile --silent > "$TOKEN_FILE"
chmod 600 "$TOKEN_FILE"

❌ Avoid

  • ❌ Hard-coding tokens
  • ❌ Committing tokens to git
  • ❌ Sharing tokens via email/Slack
  • ❌ Using expired tokens
  • ❌ Requesting excessive scopes

Next Steps