npm - @pnp/cli-microsoft365 - Versions diffs - 5.7.0-beta.8be35f8 → 5.7.0-beta.9e8cf99 - Mend

@pnp/cli-microsoft365 5.7.0-beta.8be35f8 → 5.7.0-beta.9e8cf99

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/.devcontainer/Dockerfile +3 -1
package/.devcontainer/devcontainer.json +1 -0
package/dist/m365/aad/commands/app/app-add.js +161 -22
package/docs/docs/cmd/aad/app/app-add.md +11 -0
package/package.json +1 -1

package/.devcontainer/Dockerfile CHANGED Viewed

@@ -27,7 +27,9 @@ RUN apt-get update && apt-get install -y \
   && apt-get install nodejs -y \
   && rm -rf /var/lib/apt/lists/*
-RUN pip3 install mkdocs-material==7.1.7 pymdown-extensions==9.0 pygments==2.11
+COPY ../docs/pip_requirements.txt .
+RUN pip install -r pip_requirements.txt
 RUN useradd \
   --user-group \

package/.devcontainer/devcontainer.json CHANGED Viewed

@@ -1,6 +1,7 @@
 {
   "name": "CLI for Microsoft 365",
   "dockerFile": "Dockerfile",
+  "context": "..",
   "settings": {
     "terminal.integrated.profiles.linux": {
       "zsh": {

package/dist/m365/aad/commands/app/app-add.js CHANGED Viewed

@@ -27,6 +27,7 @@ class AadAppAddCommand extends GraphCommand_1.default {
         super();
         _AadAppAddCommand_instances.add(this);
         this.appName = '';
+        this.appPermissions = [];
         __classPrivateFieldGet(this, _AadAppAddCommand_instances, "m", _AadAppAddCommand_initTelemetry).call(this);
         __classPrivateFieldGet(this, _AadAppAddCommand_instances, "m", _AadAppAddCommand_initOptions).call(this);
         __classPrivateFieldGet(this, _AadAppAddCommand_instances, "m", _AadAppAddCommand_initValidators).call(this);
@@ -50,6 +51,7 @@ class AadAppAddCommand extends GraphCommand_1.default {
             return Promise.resolve(appInfo);
         })
             .then(appInfo => this.updateAppFromManifest(args, appInfo))
+            .then(appInfo => this.grantAdminConsent(appInfo, args.options.grantAdminConsent, logger))
             .then(appInfo => this.configureUri(args, appInfo, logger))
             .then(appInfo => this.configureSecret(args, appInfo, logger))
             .then(appInfo => this.saveAppInfo(args, appInfo, logger))
@@ -120,6 +122,81 @@ class AadAppAddCommand extends GraphCommand_1.default {
             return request_1.default.post(createApplicationRequestOptions);
         });
     }
+    grantAdminConsent(appInfo, adminConsent, logger) {
+        if (!adminConsent || this.appPermissions.length === 0) {
+            return Promise.resolve(appInfo);
+        }
+        return this.createServicePrincipal(appInfo.appId)
+            .then((sp) => {
+            if (this.debug) {
+                logger.logToStderr("Service principal created, returned object id: " + sp.id);
+            }
+            const tasks = [];
+            this.appPermissions.forEach(permission => {
+                if (permission.scope.length > 0) {
+                    tasks.push(this.grantOAuth2Permission(sp.id, permission.resourceId, permission.scope.join(' ')));
+                    if (this.debug) {
+                        logger.logToStderr(`Admin consent granted for following resource ${permission.resourceId}, with delegated permissions: ${permission.scope.join(',')}`);
+                    }
+                }
+                permission.resourceAccess.filter(access => access.type === "Role").forEach((access) => {
+                    tasks.push(this.addRoleToServicePrincipal(sp.id, permission.resourceId, access.id));
+                    if (this.debug) {
+                        logger.logToStderr(`Admin consent granted for following resource ${permission.resourceId}, with application permission: ${access.id}`);
+                    }
+                });
+            });
+            return Promise.all(tasks)
+                .then(_ => {
+                return appInfo;
+            });
+        });
+    }
+    addRoleToServicePrincipal(objectId, resourceId, appRoleId) {
+        const requestOptions = {
+            url: `${this.resource}/v1.0/myorganization/servicePrincipals/${objectId}/appRoleAssignments`,
+            headers: {
+                'Content-Type': 'application/json'
+            },
+            responseType: 'json',
+            data: {
+                appRoleId: appRoleId,
+                principalId: objectId,
+                resourceId: resourceId
+            }
+        };
+        return request_1.default.post(requestOptions);
+    }
+    grantOAuth2Permission(appId, resourceId, scopeName) {
+        const grantAdminConsentApplicationRequestOptions = {
+            url: `${this.resource}/v1.0/myorganization/oauth2PermissionGrants`,
+            headers: {
+                accept: 'application/json;odata.metadata=none'
+            },
+            responseType: 'json',
+            data: {
+                clientId: appId,
+                consentType: "AllPrincipals",
+                principalId: null,
+                resourceId: resourceId,
+                scope: scopeName
+            }
+        };
+        return request_1.default.post(grantAdminConsentApplicationRequestOptions);
+    }
+    createServicePrincipal(appId) {
+        const requestOptions = {
+            url: `${this.resource}/v1.0/myorganization/servicePrincipals`,
+            headers: {
+                'content-type': 'application/json'
+            },
+            data: {
+                appId: appId
+            },
+            responseType: 'json'
+        };
+        return request_1.default.post(requestOptions);
+    }
     updateAppFromManifest(args, appInfo) {
         if (!args.options.manifest) {
             return Promise.resolve(appInfo);
@@ -135,6 +212,11 @@ class AadAppAddCommand extends GraphCommand_1.default {
         // separately
         const secrets = this.getSecretsFromManifest(v2Manifest);
         // Azure Portal returns v2 manifest whereas the Graph API expects a v1.6
+        if (args.options.apisApplication || args.options.apisDelegated) {
+            // take submitted delegated / application permissions as options
+            // otherwise, they will be skipped in the app update
+            v2Manifest.requiredResourceAccess = appInfo.requiredResourceAccess;
+        }
         const graphManifest = this.transformManifest(v2Manifest);
         const updateAppRequestOptions = {
             url: `${this.resource}/v1.0/myorganization/applications/${appInfo.id}`,
@@ -334,36 +416,69 @@ class AadAppAddCommand extends GraphCommand_1.default {
             .then(_ => appInfo);
     }
     resolveApis(args, logger) {
-        if (!args.options.apisDelegated && !args.options.apisApplication) {
+        var _a;
+        if (!args.options.apisDelegated && !args.options.apisApplication
+            && (typeof ((_a = this.manifest) === null || _a === void 0 ? void 0 : _a.requiredResourceAccess) === 'undefined' || this.manifest.requiredResourceAccess.length === 0)) {
             return Promise.resolve([]);
         }
         if (this.verbose) {
             logger.logToStderr('Resolving requested APIs...');
         }
         return utils_1.odata
-            .getAllItems(`${this.resource}/v1.0/myorganization/servicePrincipals?$select=servicePrincipalNames,appId,oauth2PermissionScopes,appRoles`)
+            .getAllItems(`${this.resource}/v1.0/myorganization/servicePrincipals?$select=appId,appRoles,id,oauth2PermissionScopes,servicePrincipalNames`)
             .then(servicePrincipals => {
+            var _a;
+            let resolvedApis = [];
             try {
-                const resolvedApis = this.getRequiredResourceAccessForApis(servicePrincipals, args.options.apisDelegated, 'Scope', logger);
-                if (this.debug) {
-                    logger.logToStderr(`Resolved delegated permissions: ${JSON.stringify(resolvedApis, null, 2)}`);
-                }
-                const resolvedApplicationApis = this.getRequiredResourceAccessForApis(servicePrincipals, args.options.apisApplication, 'Role', logger);
-                if (this.debug) {
-                    logger.logToStderr(`Resolved application permissions: ${JSON.stringify(resolvedApplicationApis, null, 2)}`);
-                }
-                // merge resolved application APIs onto resolved delegated APIs
-                resolvedApplicationApis.forEach(resolvedRequiredResource => {
-                    const requiredResource = resolvedApis.find(api => api.resourceAppId === resolvedRequiredResource.resourceAppId);
-                    if (requiredResource) {
-                        requiredResource.resourceAccess.push(...resolvedRequiredResource.resourceAccess);
+                if (args.options.apisDelegated || args.options.apisApplication) {
+                    resolvedApis = this.getRequiredResourceAccessForApis(servicePrincipals, args.options.apisDelegated, 'Scope', logger);
+                    if (this.verbose) {
+                        logger.logToStderr(`Resolved delegated permissions: ${JSON.stringify(resolvedApis, null, 2)}`);
                     }
-                    else {
-                        resolvedApis.push(resolvedRequiredResource);
+                    const resolvedApplicationApis = this.getRequiredResourceAccessForApis(servicePrincipals, args.options.apisApplication, 'Role', logger);
+                    if (this.verbose) {
+                        logger.logToStderr(`Resolved application permissions: ${JSON.stringify(resolvedApplicationApis, null, 2)}`);
                     }
-                });
-                if (this.debug) {
+                    // merge resolved application APIs onto resolved delegated APIs
+                    resolvedApplicationApis.forEach(resolvedRequiredResource => {
+                        const requiredResource = resolvedApis.find(api => api.resourceAppId === resolvedRequiredResource.resourceAppId);
+                        if (requiredResource) {
+                            requiredResource.resourceAccess.push(...resolvedRequiredResource.resourceAccess);
+                        }
+                        else {
+                            resolvedApis.push(resolvedRequiredResource);
+                        }
+                    });
+                }
+                if (typeof ((_a = this.manifest) === null || _a === void 0 ? void 0 : _a.requiredResourceAccess) !== 'undefined' && this.manifest.requiredResourceAccess.length > 0) {
+                    const manifestApis = this.manifest.requiredResourceAccess;
+                    manifestApis.forEach(manifestApi => {
+                        const requiredResource = resolvedApis.find(api => api.resourceAppId === manifestApi.resourceAppId);
+                        if (requiredResource) {
+                            // exclude if any duplicate required resources in both manifest and submitted options
+                            requiredResource.resourceAccess.push(...manifestApi.resourceAccess.filter(manRes => !requiredResource.resourceAccess.some(res => res.id === manRes.id)));
+                        }
+                        else {
+                            resolvedApis.push(manifestApi);
+                        }
+                        const app = servicePrincipals.find(servicePrincipals => servicePrincipals.appId === manifestApi.resourceAppId);
+                        if (app) {
+                            manifestApi.resourceAccess.forEach((res => {
+                                var _a;
+                                const resourceAccessPermission = {
+                                    id: res.id,
+                                    type: res.type
+                                };
+                                const oAuthValue = (_a = app.oauth2PermissionScopes.find(scp => scp.id === res.id)) === null || _a === void 0 ? void 0 : _a.value;
+                                this.updateAppPermissions(app.id, resourceAccessPermission, oAuthValue);
+                            }));
+                        }
+                    });
+                }
+                if (this.verbose) {
                     logger.logToStderr(`Merged delegated and application permissions: ${JSON.stringify(resolvedApis, null, 2)}`);
+                    logger.logToStderr(`App role assignments: ${JSON.stringify(this.appPermissions.flatMap(permission => permission.resourceAccess.filter(access => access.type === "Role")), null, 2)}`);
+                    logger.logToStderr(`OAuth2 permissions: ${JSON.stringify(this.appPermissions.flatMap(permission => permission.scope), null, 2)}`);
                 }
                 return Promise.resolve(resolvedApis);
             }
@@ -405,13 +520,34 @@ class AadAppAddCommand extends GraphCommand_1.default {
                 };
                 resolvedApis.push(resolvedApi);
             }
-            resolvedApi.resourceAccess.push({
+            const resourceAccessPermission = {
                 id: permission.id,
                 type: scopeType
-            });
+            };
+            resolvedApi.resourceAccess.push(resourceAccessPermission);
+            this.updateAppPermissions(servicePrincipal.id, resourceAccessPermission, permission.value);
         });
         return resolvedApis;
     }
+    updateAppPermissions(spId, resourceAccessPermission, oAuth2PermissionValue) {
+        // During API resolution, we store globally both app role assignments and oauth2permissions
+        // So that we'll be able to parse them during the admin consent process
+        let existingPermission = this.appPermissions.find(oauth => oauth.resourceId === spId);
+        if (!existingPermission) {
+            existingPermission = {
+                resourceId: spId,
+                resourceAccess: [],
+                scope: []
+            };
+            this.appPermissions.push(existingPermission);
+        }
+        if (resourceAccessPermission.type === 'Scope' && oAuth2PermissionValue && !existingPermission.scope.find(scp => scp === oAuth2PermissionValue)) {
+            existingPermission.scope.push(oAuth2PermissionValue);
+        }
+        if (!existingPermission.resourceAccess.find(res => res.id === resourceAccessPermission.id)) {
+            existingPermission.resourceAccess.push(resourceAccessPermission);
+        }
+    }
     configureSecret(args, appInfo, logger) {
         if (!args.options.withSecret) {
             return Promise.resolve(appInfo);
@@ -523,7 +659,8 @@ _AadAppAddCommand_instances = new WeakSet(), _AadAppAddCommand_initTelemetry = f
             withSecret: args.options.withSecret,
             certificateFile: typeof args.options.certificateFile !== 'undefined',
             certificateBase64Encoded: typeof args.options.certificateBase64Encoded !== 'undefined',
-            certificateDisplayName: typeof args.options.certificateDisplayName !== 'undefined'
+            certificateDisplayName: typeof args.options.certificateDisplayName !== 'undefined',
+            grantAdminConsent: typeof args.options.grantAdminConsent !== 'undefined'
         });
     });
 }, _AadAppAddCommand_initOptions = function _AadAppAddCommand_initOptions() {
@@ -565,6 +702,8 @@ _AadAppAddCommand_instances = new WeakSet(), _AadAppAddCommand_initTelemetry = f
         option: '--manifest [manifest]'
     }, {
         option: '--save'
+    }, {
+        option: '--grantAdminConsent'
     });
 }, _AadAppAddCommand_initValidators = function _AadAppAddCommand_initValidators() {
     this.validators.push((args) => __awaiter(this, void 0, void 0, function* () {

package/docs/docs/cmd/aad/app/app-add.md CHANGED Viewed

@@ -58,6 +58,9 @@ m365 aad app add [options]
 `--certificateDisplayName [certificateDisplayName]`
 : Display name for the certificate. If not given, the displayName will be set to the certificate subject. When specified, also specify either `certificateFile` or `certificateBase64Encoded`
+`--grantAdminConsent`
+: When specified, grants application & delegated permissions through admin consent
 `--manifest [manifest]`
 : Azure AD app manifest as retrieved from the Azure Portal to create the app registration from
@@ -94,6 +97,8 @@ After creating the Azure AD app registration, this command returns the app ID an
 If you want to store the information about the created Azure AD app registration, use the `--save` option. This is useful when you build solutions connected to Microsoft 365 and want to easily manage app registrations used with your solution. When you use the `--save` option, after you create the app registration, the command will write its ID and name to the `.m365rc.json` file in the current directory. If the file already exists, it will add the information about the to it, allowing you to track multiple apps. If the file doesn't exist, the command will create it.
+When specifying `--grantAdminConsent` option, a service principal will be created for the app registration.
 ## Examples
 Create new Azure AD app registration with the specified name
@@ -156,6 +161,12 @@ Create new Azure AD app registration with Application ID URI set to a value that
 m365 aad app add --name 'My AAD app' --uri api://caf406b91cd4.ngrok.io/_appId_ --scopeName access_as_user --scopeAdminConsentDescription 'Access as a user' --scopeAdminConsentDisplayName 'Access as a user' --scopeConsentBy adminsAndUsers
 ```
+Create new Azure AD app registration for a deamon app with specified Microsoft Graph application permissions, including admin consent
+```sh
+ m365 aad app add --name 'My AAD app' --apisApplication 'https://graph.microsoft.com/Group.ReadWrite.All' --grantAdminConsent
+```
 Create new Azure AD app registration with the specified name. Store information about the created app registration in the _.m365rc.json_ file in the current directory.
 ```sh

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@pnp/cli-microsoft365",
-  "version": "5.7.0-beta.8be35f8",
+  "version": "5.7.0-beta.9e8cf99",
   "description": "Manage Microsoft 365 and SharePoint Framework projects on any platform",
   "license": "MIT",
   "main": "./dist/api.js",