New-AdmAccountToken
Generates a new REST API access token for a specified account.
Syntax
New-AdmAccountToken [-Identity] <ADAccount> [-Name] <string> [-Description <string>] [-ExpiresAt <DateTime>] -AdaxesService <string> [-Credential <PSCredential>] [-Server <string>] [-Confirm] [-WhatIf] [<CommonParameters>]
Description
The New-AdmAccountToken cmdlet creates a token for authentication to the Adaxes REST API. The token operates within the security context of the account specified by the Identity parameter, granting exactly the permissions that account has. The token value is displayed only once, immediately after it is generated.
To authenticate, include the token in the Adm-Authorization header of your HTTP requests to the API.
Access tokens carry the full permissions of the associated account. Ensure they are stored securely and access is limited to authorized principals.
Examples
Example 1 – Create a non-expiring token with description
New-AdmAccountToken -Identity "CN=SvcAcc_HR,OU=Service Accounts,DC=domain,DC=com" `
-Name "HRToken" `
-Description "Token for HR system integration" `
-AdaxesService "adaxes.domain.com"
This command creates a non-expiring token named HRToken for the SvcAcc_HR service account.
Example 2 – Create a token that expires in a month
$username = "domain\SvcAcc_Admin"
$tokenName = "SuperAdminToken"
$expiry = (Get-Date).AddMonths(1)
$serviceHost = "adaxes.domain.com"
New-AdmAccountToken $username $tokenName -ExpiresAt $expiry -AdaxesService $serviceHost
This command creates a token named SuperAdminToken that expires in one month. It uses positional parameters for Identity and Name.
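The following script, an added example that is not part of the cmdlet documentation, ties the two examples above to the Description section: it issues a token with a bounded lifetime, stores it encrypted instead of in plain text, and later presents it in the Adm-Authorization header. It assumes the Adaxes PowerShell module is loaded, and the REST endpoint URL and the raw-token header format are placeholders to be replaced with those of your deployment.

```powershell
# Added example (not from the Adaxes documentation). Assumes the Adaxes PowerShell
# module is imported; the REST endpoint path below is a placeholder.
$account    = "CN=SvcAcc_HR,OU=Service Accounts,DC=domain,DC=com"
$adaxesHost = "adaxes.domain.com"
$tokenName  = "HRToken-$(Get-Date -Format 'yyyyMMdd')"   # unique per account, so date-stamp it
$expiresAt  = (Get-Date).AddDays(30)                     # cap the exposure window if the token leaks

# 1. Issue the token. The value is returned once; nothing else ever shows it again.
$token = New-AdmAccountToken -Identity $account -Name $tokenName `
    -Description "HR integration; rotate before $($expiresAt.ToString('yyyy-MM-dd'))" `
    -ExpiresAt $expiresAt `
    -AdaxesService $adaxesHost

# 2. Persist it protected by DPAPI for the current user and machine, then drop the plaintext copy.
$vaultPath = Join-Path $env:LOCALAPPDATA "adaxes-hr-token.xml"
ConvertTo-SecureString -String $token -AsPlainText -Force | Export-Clixml -Path $vaultPath
Remove-Variable -Name token

# 3. Later, in the integration job: load the protected value and send it in the header.
$secure  = Import-Clixml -Path $vaultPath
$plain   = [System.Net.NetworkCredential]::new("", $secure).Password
$headers = @{ "Adm-Authorization" = $plain }   # assumed: raw token value, per the Description section
$endpoint = "https://$adaxesHost/REST_ENDPOINT_PLACEHOLDER"   # placeholder, replace with the real path
$response = Invoke-RestMethod -Uri $endpoint -Headers $headers -Method Get
$response
```

Export-Clixml of a SecureString is only decryptable by the same user on the same machine, so the stored token is unusable if the file is copied elsewhere; that is the behaviour you want for an integration token carrying the account's full permissions.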
Parameters
-Identity
Specifies the account for which to generate the token. You can identify the account by one of the following properties:
- Distinguished name (DN)
- GUID (objectGUID)
- Security identifier (objectSid)
- SAM account name (sAMAccountName)
- Username (userPrincipalName)
This parameter also accepts an account object from the pipeline, or you can set it to an account object instance stored in a variable.
- Type: ADAccount
- Position: 0
- Required: True
- Default Value: None
- Accept pipeline input: True (ByValue)
- Accept wildcard characters: False
-Name
Specifies a unique name for the access token, which can be used to retrieve information about the token later.
An account can have multiple tokens, but each token name must be unique. Duplicate token names for different accounts are allowed.
- Type: string
- Position: 1
- Required: True
- Default Value: None
- Accept pipeline input: False
- Accept wildcard characters: False
-Description
Specifies an optional description for the token.
- Type: string
- Position: Named
- Required: False
- Default Value: None
- Accept pipeline input: False
- Accept wildcard characters: False
-ExpiresAt
Specifies the date and time when the token expires. If this parameter is omitted, the token does not expire.
- Type: DateTime
- Position: Named
- Required: False
- Default Value: None
- Accept pipeline input: False
- Accept wildcard characters: False
-AdaxesService
Specifies the DNS host name of the Adaxes service that will be used to execute this cmdlet.
- Type: string
- Position: Named
- Required: True
- Default Value: None
- Accept pipeline input: False
- Accept wildcard characters: False
-Credential
Specifies the user account credentials to run this cmdlet as.
- Adaxes service administrators can generate tokens for any account
- Entra users cannot generate tokens at all
- Other users can generate tokens only for their own account
To specify this parameter, you can type a username, such as j.smith@domain.com or DOMAIN\j.smith, or you can specify a PSCredential object. If you specify a username for this parameter, the cmdlet prompts for a password.
You can also create a PSCredential object by using a script or the Get-Credential cmdlet.
By default, the cmdlet uses the credentials of the signed-in user when run from an external PowerShell session, and the credentials of the Adaxes service account when run from a script inside Adaxes.
- Type: PSCredential
- Position: Named
- Required: False
- Default Value: None
- Accept pipeline input: False
- Accept wildcard characters: False
-Server
Specifies the domain or directory server to connect to. The cmdlet will attempt to locate the account from the Identity parameter via the specified server.
You can specify a domain or server in one of the following formats:
Domain names:
- NetBIOS name (e.g. CORP)
- Fully qualified domain name (e.g. corp.contoso.com)
Directory servers:
- NetBIOS name (e.g. DC01)
- Fully qualified host name (e.g. dc01.corp.contoso.com)
- Fully qualified host name and port (e.g. dc01.corp.contoso.com:3268)
The default value is determined in the following order:
- From the Server property of objects passed through the pipeline.
- From the Adaxes PowerShell provider drive, if applicable.
- From the domain of the local computer.
- Type: string
- Position: Named
- Required: False
- Default Value: None
- Accept pipeline input: False
- Accept wildcard characters: False
-Confirm
Prompts you for confirmation before executing the command.
- Type: SwitchParameter
- Position: Named
- Required: False
- Default Value: False
- Accept pipeline input: False
- Accept wildcard characters: False
-WhatIf
Shows what would happen if the cmdlet runs. The cmdlet is not run.
- Type: SwitchParameter
- Position: Named
- Required: False
- Default Value: None
- Accept pipeline input: False
- Accept wildcard characters: False
Inputs
None or Softerra.Adaxes.PowerShellModule.Directory.ADAccount
You can pipe account objects from Adaxes cmdlets (e.g. Get-AdmUser) to the Identity parameter.
Derived types, such as the following, are also accepted:
- Softerra.Adaxes.PowerShellModule.Directory.ADUser
- Softerra.Adaxes.PowerShellModule.Directory.ADComputer
Outputs
String
Returns the string value of the access token. Securely store the token value, as this is the only time it is displayed.