@@ -5,8 +5,7 @@ function Add-CIPPDelegatedPermission {
55 $TemplateId ,
66 $ApplicationId ,
77 $NoTranslateRequired ,
8- $TenantFilter ,
9- [bool ]$AsApp = $false
8+ $TenantFilter
109 )
1110 Write-Information ' Adding Delegated Permissions'
1211 $ApplicationId = $ApplicationId ?? $env: ApplicationID
@@ -72,34 +71,19 @@ function Add-CIPPDelegatedPermission {
7271 }
7372
7473 $Translator = Get-Content (Join-Path $env: CIPPRootPath ' Config\PermissionsTranslator.json' ) | ConvertFrom-Json
75-
76- # Use app auth when requested, but fall back to delegated on the first failure - the app may not
77- # hold the application permissions needed. $UseAsApp latches to $false for the rest of the run.
78- $UseAsApp = $AsApp
79- $GetServicePrincipalList = { New-GraphGETRequest - uri " https://graph.microsoft.com/beta/servicePrincipals?`$ select=appId,id,displayName&`$ top=999" - tenantid $TenantFilter - skipTokenCache $true - NoAuthCheck $true - AsApp $UseAsApp }
80- try {
81- $ServicePrincipalList = & $GetServicePrincipalList
82- } catch {
83- if ($UseAsApp ) {
84- Write-Information " App-auth request failed, falling back to delegated permissions: $ ( $_.Exception.Message ) "
85- $UseAsApp = $false
86- $ServicePrincipalList = & $GetServicePrincipalList
87- } else {
88- throw
89- }
90- }
74+ $ServicePrincipalList = New-GraphGETRequest - uri " https://graph.microsoft.com/beta/servicePrincipals?`$ select=appId,id,displayName&`$ top=999" - tenantid $TenantFilter - skipTokenCache $true - NoAuthCheck $true
9175 $Results = [System.Collections.Generic.List [string ]]::new()
9276
9377 $ourSVCPrincipal = $ServicePrincipalList | Where-Object - Property AppId -EQ $ApplicationId | Select-Object - First 1
9478 if (! $ourSVCPrincipal ) {
95- $ourSvcPrincipal = New-GraphGETRequest - uri " https://graph.microsoft.com/beta/servicePrincipals(appId='$ApplicationId ')?`$ select=appId,id,displayName" - tenantid $TenantFilter - skipTokenCache $true - NoAuthCheck $true - AsApp $UseAsApp
79+ $ourSvcPrincipal = New-GraphGETRequest - uri " https://graph.microsoft.com/beta/servicePrincipals(appId='$ApplicationId ')?`$ select=appId,id,displayName" - tenantid $TenantFilter - skipTokenCache $true - NoAuthCheck $true
9680 }
9781 if (! $ourSVCPrincipal ) {
9882 $Results.Add (" Failed to find service principal for application $ApplicationId in tenant $TenantFilter " )
9983 return $Results
10084 }
10185
102- $CurrentDelegatedScopes = New-GraphGETRequest - uri " https://graph.microsoft.com/beta/servicePrincipals/$ ( $ourSVCPrincipal.id ) /oauth2PermissionGrants" - skipTokenCache $true - tenantid $TenantFilter - NoAuthCheck $true - AsApp $UseAsApp
86+ $CurrentDelegatedScopes = New-GraphGETRequest - uri " https://graph.microsoft.com/beta/servicePrincipals/$ ( $ourSVCPrincipal.id ) /oauth2PermissionGrants" - skipTokenCache $true - tenantid $TenantFilter - NoAuthCheck $true
10387
10488 foreach ($App in $RequiredResourceAccess ) {
10589 if (! $App ) {
@@ -111,7 +95,7 @@ function Add-CIPPDelegatedPermission {
11195 $Body = @ {
11296 appId = $App.resourceAppId
11397 } | ConvertTo-Json - Compress
114- $svcPrincipalId = New-GraphPOSTRequest - uri ' https://graph.microsoft.com/v1.0/servicePrincipals' - tenantid $TenantFilter - body $Body - type POST - NoAuthCheck $true - AsApp $UseAsApp
98+ $svcPrincipalId = New-GraphPOSTRequest - uri ' https://graph.microsoft.com/v1.0/servicePrincipals' - tenantid $TenantFilter - body $Body - type POST - NoAuthCheck $true
11599 } catch {
116100 $Results.add (" Failed to create service principal for $ ( $App.resourceAppId ) : $ ( Get-NormalizedError - message $_.Exception.Message ) " )
117101 continue
@@ -150,7 +134,7 @@ function Add-CIPPDelegatedPermission {
150134 resourceId = $svcPrincipalId.id
151135 scope = $NewScope
152136 } | ConvertTo-Json - Compress
153- $CreateRequest = New-GraphPOSTRequest - uri ' https://graph.microsoft.com/v1.0/oauth2PermissionGrants' - tenantid $TenantFilter - body $Createbody - type POST - NoAuthCheck $true - AsApp $UseAsApp
137+ $CreateRequest = New-GraphPOSTRequest - uri ' https://graph.microsoft.com/v1.0/oauth2PermissionGrants' - tenantid $TenantFilter - body $Createbody - type POST - NoAuthCheck $true
154138 $Results.add (" Successfully added permissions for $ ( $svcPrincipalId.displayName ) " )
155139 } catch {
156140 $Results.add (" Failed to add permissions for $ ( $svcPrincipalId.displayName ) : $ ( Get-NormalizedError - message $_.Exception.Message ) " )
@@ -163,7 +147,7 @@ function Add-CIPPDelegatedPermission {
163147 $OldScope.id | ForEach-Object {
164148 if ($_ -ne $OldScopeId ) {
165149 try {
166- $null = New-GraphPOSTRequest - uri " https://graph.microsoft.com/v1.0/oauth2PermissionGrants/$_ " - tenantid $TenantFilter - type DELETE - NoAuthCheck $true - AsApp $UseAsApp
150+ $null = New-GraphPOSTRequest - uri " https://graph.microsoft.com/v1.0/oauth2PermissionGrants/$_ " - tenantid $TenantFilter - type DELETE - NoAuthCheck $true
167151 } catch {
168152 }
169153 }
@@ -187,7 +171,7 @@ function Add-CIPPDelegatedPermission {
187171 scope = " $NewScope "
188172 } | ConvertTo-Json - Compress
189173 try {
190- $null = New-GraphPOSTRequest - uri " https://graph.microsoft.com/v1.0/oauth2PermissionGrants/$ ( $OldScopeId ) " - tenantid $TenantFilter - body $Patchbody - type PATCH - NoAuthCheck $true - AsApp $UseAsApp
174+ $null = New-GraphPOSTRequest - uri " https://graph.microsoft.com/v1.0/oauth2PermissionGrants/$ ( $OldScopeId ) " - tenantid $TenantFilter - body $Patchbody - type PATCH - NoAuthCheck $true
191175 } catch {
192176 $Results.add (" Failed to update permissions for $ ( $svcPrincipalId.displayName ) : $ ( Get-NormalizedError - message $_.Exception.Message ) " )
193177 continue
0 commit comments