Skip to content

Commit 532b20b

Browse files
committed
fix(permissions): scope role dedupe by resource
Tightens app role existence checks in `Add-CIPPApplicationPermission` to match both `appRoleId` and `resourceId` instead of only role ID. This prevents skipping valid role assignments when the same role ID appears across different service principals.
1 parent 495a545 commit 532b20b

1 file changed

Lines changed: 1 addition & 1 deletion

File tree

Modules/CIPPCore/Public/Add-CIPPApplicationPermission.ps1

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -122,7 +122,7 @@ function Add-CIPPApplicationPermission {
122122
if (!$svcPrincipalId) { continue }
123123

124124
foreach ($SingleResource in $App.ResourceAccess | Where-Object -Property Type -EQ 'Role') {
125-
if ($SingleResource.id -in $CurrentRoles.appRoleId) { continue }
125+
if ($CurrentRoles | Where-Object { $_.appRoleId -eq $SingleResource.id -and $_.resourceId -eq $svcPrincipalId.id }) { continue }
126126
[pscustomobject]@{
127127
principalId = $($ourSVCPrincipal.id)
128128
resourceId = $($svcPrincipalId.id)

0 commit comments

Comments
 (0)