@@ -4,53 +4,74 @@ function Get-CippApiAuth {
44 [string ]$FunctionAppName
55 )
66
7- $AuthSettings = $null
7+ if ($env: CIPPNG ) {
8+ $AuthSettings = $null
89
9- # When the auth config is available as an env var, use it directly (no ARM call needed)
10- if ($env: CIPPNG -and $env: WEBSITE_AUTH_V2_CONFIG_JSON ) {
11- $AuthSettings = $env: WEBSITE_AUTH_V2_CONFIG_JSON | ConvertFrom-Json - ErrorAction SilentlyContinue
12- }
10+ # When the auth config is available as an env var, use it directly (no ARM call needed)
11+ if ($env: WEBSITE_AUTH_V2_CONFIG_JSON ) {
12+ $AuthSettings = $env: WEBSITE_AUTH_V2_CONFIG_JSON | ConvertFrom-Json - ErrorAction SilentlyContinue
13+ }
14+
15+ # Fall back to reading via ARM REST
16+ if (-not $AuthSettings ) {
17+ $SubscriptionId = Get-CIPPAzFunctionAppSubId
18+ try {
19+ $uri = " https://management.azure.com/subscriptions/$SubscriptionId /resourceGroups/$RGName /providers/Microsoft.Web/sites/$ ( $FunctionAppName ) /config/authsettingsV2/list?api-version=2020-06-01"
20+ $response = New-CIPPAzRestRequest - Uri $uri - Method POST - ErrorAction Stop
21+ $AuthSettings = $response.properties
22+ } catch {
23+ Write-Warning " Failed to get auth settings via REST: $ ( $_.Exception.Message ) "
24+ }
25+ }
26+
27+ if ($AuthSettings ) {
28+ $AAD = $AuthSettings.identityProviders.azureActiveDirectory
29+ $Issuer = $AAD.registration.openIdIssuer ?? ' '
30+ $AllowedApps = @ ($AAD.validation.defaultAuthorizationPolicy.allowedApplications )
31+
32+ # When SSO EasyAuth is in use, filter out its clientId — the frontend only tracks API clients
33+ $SSOClientId = $AAD.registration.clientId
34+ if ($SSOClientId ) {
35+ $AllowedApps = @ ($AllowedApps | Where-Object { $_ -ne $SSOClientId })
36+ }
1337
14- # Fall back to reading via ARM REST
15- if (-not $AuthSettings ) {
38+ $ExtractedTenantId = $Issuer -replace ' https://sts.windows.net/' , ' ' -replace ' https://login.microsoftonline.com/' , ' ' -replace ' /v2.0' , ' '
39+ $TenantId = if ($ExtractedTenantId -eq ' common' ) { $env: TenantID } else { $ExtractedTenantId }
40+
41+ [PSCustomObject ]@ {
42+ ApiUrl = " https://$ ( $env: WEBSITE_HOSTNAME ) "
43+ TenantID = $TenantId
44+ ClientIDs = $AllowedApps
45+ Enabled = $AAD.enabled
46+ }
47+ } else {
48+ throw ' No auth settings found'
49+ }
50+ } else {
1651 $SubscriptionId = Get-CIPPAzFunctionAppSubId
52+
1753 try {
54+ # Get auth settings via REST
1855 $uri = " https://management.azure.com/subscriptions/$SubscriptionId /resourceGroups/$RGName /providers/Microsoft.Web/sites/$ ( $FunctionAppName ) /config/authsettingsV2/list?api-version=2020-06-01"
1956 $response = New-CIPPAzRestRequest - Uri $uri - Method POST - ErrorAction Stop
2057 $AuthSettings = $response.properties
2158 } catch {
2259 Write-Warning " Failed to get auth settings via REST: $ ( $_.Exception.Message ) "
2360 }
24- }
2561
26- # Fallback to env var if ARM failed
27- if (-not $AuthSettings -and $env: WEBSITE_AUTH_V2_CONFIG_JSON ) {
28- $AuthSettings = $env: WEBSITE_AUTH_V2_CONFIG_JSON | ConvertFrom-Json - ErrorAction SilentlyContinue
29- }
30-
31- if ($AuthSettings ) {
32- $AAD = $AuthSettings.identityProviders.azureActiveDirectory
33- $Issuer = $AAD.registration.openIdIssuer ?? ' '
34- $AllowedApps = @ ($AAD.validation.defaultAuthorizationPolicy.allowedApplications )
35-
36- # When SSO EasyAuth is in use, filter out its clientId — the frontend only tracks API clients
37- if ($env: CIPPNG ) {
38- $SSOClientId = $AAD.registration.clientId
39- if ($SSOClientId ) {
40- $AllowedApps = @ ($AllowedApps | Where-Object { $_ -ne $SSOClientId })
41- }
62+ if (! $AuthSettings -and $env: WEBSITE_AUTH_V2_CONFIG_JSON ) {
63+ $AuthSettings = $env: WEBSITE_AUTH_V2_CONFIG_JSON | ConvertFrom-Json - ErrorAction SilentlyContinue
4264 }
4365
44- $ExtractedTenantId = $Issuer -replace ' https://sts.windows.net/' , ' ' -replace ' https://login.microsoftonline.com/' , ' ' -replace ' /v2.0' , ' '
45- $TenantId = if ($ExtractedTenantId -eq ' common' ) { $env: TenantID } else { $ExtractedTenantId }
46-
47- [PSCustomObject ]@ {
48- ApiUrl = " https://$ ( $env: WEBSITE_HOSTNAME ) "
49- TenantID = $TenantId
50- ClientIDs = $AllowedApps
51- Enabled = $AAD.enabled
66+ if ($AuthSettings ) {
67+ [PSCustomObject ]@ {
68+ ApiUrl = " https://$ ( $env: WEBSITE_HOSTNAME ) "
69+ TenantID = $AuthSettings.identityProviders.azureActiveDirectory.registration.openIdIssuer -replace ' https://sts.windows.net/' , ' ' -replace ' /v2.0' , ' '
70+ ClientIDs = $AuthSettings.identityProviders.azureActiveDirectory.validation.defaultAuthorizationPolicy.allowedApplications
71+ Enabled = $AuthSettings.identityProviders.azureActiveDirectory.enabled
72+ }
73+ } else {
74+ throw ' No auth settings found'
5275 }
53- } else {
54- throw ' No auth settings found'
5576 }
5677}
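Review bot: The non-CIPPNG branch at new lines 69–70 normalizes the auth settings differently from the CIPPNG branch at new lines 38–44: it strips only the `https://sts.windows.net/` prefix and `/v2.0`, has no `common` → `$env:TenantID` fallback, and does not wrap `allowedApplications` in `@()`, so a v2 issuer such as `https://login.microsoftonline.com/<tenant>/v2.0` leaves a URL fragment in `TenantID` and a single allowed app comes back as a scalar string instead of an array. Both branches also keep the trailing `/` of an `https://sts.windows.net/<tenant>/` issuer, and the `-replace` patterns are regexes with unescaped dots and no anchors, so an issuer from an unexpected authority is silently passed through as the tenant. Unless callers depend on the legacy shape (not visible here), I would use the same extraction in both branches and refuse to return anything that is not a tenant GUID, e.g. `if ($TenantId -notmatch '^[0-9a-fA-F-]{36}$') { throw "Unexpected openIdIssuer '$Issuer'" }`, since the comment at new line 32 suggests the frontend derives which identities the API trusts from this output. Get-CippApiAuth's parameter block begins before this hunk; the non-CIPPNG branch rewritten to match the CIPPNG one is below.
```powershell
# … unchanged: ARM REST call and WEBSITE_AUTH_V2_CONFIG_JSON fallback …
if ($AuthSettings) {
    $AAD = $AuthSettings.identityProviders.azureActiveDirectory
    $Issuer = $AAD.registration.openIdIssuer ?? ''
    # Anchored, dot-escaped, and trailing slash removed so only the tenant segment survives
    $ExtractedTenantId = $Issuer -replace '^https://sts\.windows\.net/', '' -replace '^https://login\.microsoftonline\.com/', '' -replace '/v2\.0$', '' -replace '/$', ''
    $TenantId = if ($ExtractedTenantId -eq 'common') { $env:TenantID } else { $ExtractedTenantId }
    # Fail loudly rather than hand an unrecognized authority string to the caller as a tenant
    if ($TenantId -notmatch '^[0-9a-fA-F-]{36}$') { throw "Unexpected openIdIssuer '$Issuer'" }
    [PSCustomObject]@{
        ApiUrl    = "https://$($env:WEBSITE_HOSTNAME)"
        TenantID  = $TenantId
        ClientIDs = @($AAD.validation.defaultAuthorizationPolicy.allowedApplications)
        Enabled   = $AAD.enabled
    }
} else {
    throw 'No auth settings found'
}
```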