Surface errors correctly for secret reset

Zacgoose · Zacgoose · commit 70642a2ed575 · 2026-04-29T15:09:14.000+08:00
diff --git a/Modules/CIPPCore/Public/Authentication/New-CIPPAPIConfig.ps1 b/Modules/CIPPCore/Public/Authentication/New-CIPPAPIConfig.ps1
@@ -193,6 +193,20 @@ function New-CIPPAPIConfig {
             if ($PSCmdlet.ShouldProcess($APIApp.displayName, 'Reset API Secret')) {
                 $Step = 'Resetting Application Password'
                 Write-Information 'Removing all old passwords'
+
+                $AppManagementPolicy = New-GraphGetRequest -uri 'https://graph.microsoft.com/v1.0/policies/defaultAppManagementPolicy' -AsApp $true -NoAuthCheck $true
+                $PasswordExpirationPolicy = $AppManagementPolicy.applicationRestrictions.passwordcredentials |
+                    Where-Object { $_.restrictionType -eq 'passwordLifetime' }
+
+                $NewPasswordCredential = @{
+                    displayName = 'Generated by API Setup'
+                }
+                if (-not ($PasswordExpirationPolicy.state -eq 'disabled' -or $null -eq $PasswordExpirationPolicy.state)) {
+                    $TimeToExpiration = [System.Xml.XmlConvert]::ToTimeSpan($PasswordExpirationPolicy.maxLifetime)
+                    $ExpirationDate = (Get-Date).AddDays($TimeToExpiration.Days).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ss.fffZ')
+                    $NewPasswordCredential.endDateTime = $ExpirationDate
+                }
+
                 $Requests = @(
                     @{
                         id      = 'removeOldPasswords'
@@ -213,15 +227,19 @@ function New-CIPPAPIConfig {
                             'Content-Type' = 'application/json'
                         }
                         body      = @{
-                            passwordCredential = @{
-                                displayName = 'Generated by API Setup'
-                            }
+                            passwordCredential = $NewPasswordCredential
                         }
                         dependsOn = @('removeOldPasswords')
                     }
                 )
                 $BatchResponse = New-GraphBulkRequest -tenantid $env:TenantID -NoAuthCheck $true -asapp $true -Requests $Requests
-                $APIPassword = $BatchResponse | Where-Object { $_.id -eq 'addNewPassword' } | Select-Object -ExpandProperty body
+                $AddPasswordResponse = $BatchResponse | Where-Object { $_.id -eq 'addNewPassword' }
+                if ($AddPasswordResponse.status -ge 400) {
+                    $ErrorBody = $AddPasswordResponse.body
+                    $ErrorMsg = $ErrorBody.error.message ?? ($ErrorBody | ConvertTo-Json -Compress -Depth 5)
+                    throw "Failed to add new password during secret reset: $ErrorMsg"
+                }
+                $APIPassword = $AddPasswordResponse.body
                 Write-LogMessage -headers $Headers -API $APINAME -tenant 'None '-message "Reset CIPP-API Password for '$($APIApp.displayName)'." -Sev 'info'
             }
         }
