Skip to content

Website: don't require an API key on Microsoft compliance proxy requests#49434

Open
lucasmrod wants to merge 1 commit into
mainfrom
47699-website-microsoft-proxy-no-api-key
Open

Website: don't require an API key on Microsoft compliance proxy requests#49434
lucasmrod wants to merge 1 commit into
mainfrom
47699-website-microsoft-proxy-no-api-key

Conversation

@lucasmrod

@lucasmrod lucasmrod commented Jul 16, 2026

Copy link
Copy Markdown
Member

Related issue: Resolves #47699

Testing

  • QA'd all new/changed functionality manually

What & why

Entra conditional access is becoming available to self-hosted Fleet Premium instances, which don't have the shared MS-API-KEY that cloud-managed customers use. This makes the microsoft-proxy/* endpoints reachable without that key by dropping the is-cloud-customer policy gate (and the now-unused shared-secret config comments / policy file).

A replacement auth mechanism for the proxy is tracked separately in #47702.

Split out of #49414 so the website change can ship independently.

Summary by CodeRabbit

  • Changes
    • Updated Microsoft proxy access handling so requests no longer require cloud-customer verification.
    • Removed the associated shared-secret configuration settings.

Entra conditional access is becoming available to self-hosted Fleet Premium
instances, which don't have the shared MS-API-KEY that cloud-managed
customers use. Make the microsoft-proxy endpoints reachable without that
key by removing the is-cloud-customer policy gate.

Related to #47699 (auth replacement tracked in #47702).
Copilot AI review requested due to automatic review settings July 16, 2026 18:04
@fleet-release
fleet-release requested a review from eashaw July 16, 2026 18:04

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Updates the Fleet website (Sails) policy configuration for the Microsoft compliance proxy so self-hosted Fleet Premium instances can use the proxy endpoints without requiring the shared MS-API-KEY header, and removes now-unused shared-secret configuration comments/policy.

Changes:

  • Removes the is-cloud-customer policy gate from microsoft-proxy/* routes.
  • Deletes the is-cloud-customer policy implementation and removes unused shared-secret config comments.
  • Keeps the Microsoft compliance proxy endpoints reachable without a website session.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.

File Description
website/config/policies.js Makes microsoft-proxy/* requests bypass the default is-logged-in policy.
website/config/custom.js Removes obsolete commented config entries for shared secrets.
website/api/policies/is-cloud-customer.js Deletes the no-longer-used policy that validated MS-API-KEY.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

'admin/*': 'is-super-admin',
'query-generator/*': 'has-query-generator-access',
'microsoft-proxy/*': 'is-cloud-customer',
'microsoft-proxy/*': true,
@coderabbitai

coderabbitai Bot commented Jul 16, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: d3898050-b7ee-4c62-a58d-149c76265eef

📥 Commits

Reviewing files that changed from the base of the PR and between 01bb250 and 820668c.

📒 Files selected for processing (3)
  • website/api/policies/is-cloud-customer.js
  • website/config/custom.js
  • website/config/policies.js
💤 Files with no reviewable changes (2)
  • website/api/policies/is-cloud-customer.js
  • website/config/custom.js

Walkthrough

The Microsoft proxy route policy is changed from is-cloud-customer validation to an unconditional bypass. The obsolete commented shared-secret configuration fields for the compliance proxy are removed.

Possibly related issues

Possibly related PRs

  • fleetdm/fleet#49414: Also removes Microsoft proxy shared-secret gating and changes access control to Fleet Premium licensing.
🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly states the main change: removing the API key requirement for Microsoft compliance proxy requests.
Description check ✅ Passed The description includes the related issue, testing, and a clear what/why summary, which matches the template well.
Linked Issues check ✅ Passed The changes satisfy the issue's coding objective by allowing Microsoft proxy requests without the MS-API-KEY.
Out of Scope Changes check ✅ Passed The config comment cleanup and policy removal are directly related to dropping the API key requirement.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch 47699-website-microsoft-proxy-no-api-key

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Entra conditional access for self-hosted customers

3 participants