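--- a/Modules/CIPPCore/Public/Entrypoints/HTTP Functions
+++ b/Modules/CIPPCore/Public/Entrypoints/HTTP Functions
@@ -43,6 +43,24 @@ function New-CippCoreRequest {
 $FunctionName = ' Invoke-{0}' -f $Request.Params.CIPPEndpoint
 Write-Information " API Endpoint: $ ( $Request.Params.CIPPEndpoint ) | Frontend Version: $ ( $Request.Headers .' X-CIPP-Version' ?? ' Not specified' ) "
 
+# For now, while we're in read-only we force the role of the MCP API cred.
+# When we remove the feature flag, in NG, we move this to use the users role/ident.
+if ($Request.Params.CIPPEndpoint -eq ' ExecMcp' -and
+$Request.Headers .' x-ms-client-principal' -and
+$Request.Headers .' x-ms-client-principal-name' -notmatch ' ^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$' ) {
+try {
+$McpPrincipal = [System.Text.Encoding ]::UTF8.GetString([System.Convert ]::FromBase64String($Request.Headers .' x-ms-client-principal' )) | ConvertFrom-Json
+$McpAppId = ($McpPrincipal.claims | Where-Object { $_.typ -in @ (' azp' , ' appid' ) } | Select-Object - First 1 ).val
+if ($McpAppId -and (Get-CippApiClient - AppId $McpAppId )) {
+$Request.Headers | Add-Member - NotePropertyName ' x-ms-client-principal-name' - NotePropertyValue $McpAppId - Force
+$Request.Headers | Add-Member - NotePropertyName ' x-ms-client-principal-idp' - NotePropertyValue ' aad' - Force
+Write-Information " MCP request mapped to API client $McpAppId (running at the app's CIPP role)"
+}
+} catch {
+Write-Information " MCP principal app resolution failed: $ ( $_.Exception.Message ) "
+}
+}
+
 # Check if endpoint is disabled via feature flags
 $FeatureFlags = Get-CIPPFeatureFlag
 $DisabledEndpoint = $FeatureFlags | Where-Object {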
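Review bot: The substitution on the `Get-CippApiClient` line replaces a signed-in user's identity with an application identity based only on the `azp`/`appid` claim of the decoded principal, so any user whose client application is also registered as a CIPP API client appears to run ExecMcp at that client's role rather than their own, and the `-Force` overwrite of `x-ms-client-principal-name` removes the user's UPN from anything downstream that audits by principal name. I would at least capture the original caller before overwriting, `$OriginalPrincipal = $Request.Headers.'x-ms-client-principal-name'`, include it in the log line, `"MCP request from $OriginalPrincipal mapped to API client $McpAppId (running at the app's CIPP role)"`, and consider gating the substitution on the user's own role rather than on the client registration alone. The decoded header is only authoritative when platform authentication injects it in front of this function; if the function can be reached without that, the claims are caller-controlled and the mapping should be skipped entirely — I cannot confirm the deployment from here. A missing `x-ms-client-principal-name` header also satisfies the `-notmatch` guard, so the branch is entered with no principal name at all. New-CippCoreRequest begins and ends outside this hunk.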