service principal support for key creds and password creds
chloenguyen committed Oct 28, 2024

1 parent 7653231 commit 8926c94
Showing 5 changed files with 247 additions and 3 deletions.
2 changes: 2 additions & 0 deletions CHANGELOG.md
@@ -2,6 +2,8 @@

# UNRELEASED

* AADServicePrincipal
* Added support for KeyCredentials and PasswordCredentials.
* AADAccessReviewDefinition
* Initial release.
* AADAuthenticationMethodPolicyExternal
Original file line number Diff line number Diff line change
@@ -76,6 +76,14 @@ function Get-TargetResource
[System.String[]]
$Tags,

[Parameter()]
[Microsoft.Management.Infrastructure.CimInstance[]]
$KeyCredentials,

[Parameter()]
[Microsoft.Management.Infrastructure.CimInstance[]]
$PasswordCredentials,

[Parameter()]
[ValidateSet('Present', 'Absent')]
[System.String]
@@ -226,6 +234,60 @@ function Get-TargetResource
$complexDelegatedPermissionClassifications += $hashtable
}

$complexKeyCredentials = @()
foreach ($currentkeyCredentials in $AADServicePrincipal.keyCredentials)
{
$mykeyCredentials = @{}
if($null -ne $currentkeyCredentials.customKeyIdentifier)
{
$mykeyCredentials.Add('CustomKeyIdentifier', [convert]::ToBase64String($currentkeyCredentials.customKeyIdentifier))
}
$mykeyCredentials.Add('DisplayName', $currentkeyCredentials.displayName)
if ($null -ne $currentkeyCredentials.endDateTime)
{
$mykeyCredentials.Add('EndDateTime', ([DateTimeOffset]$currentkeyCredentials.endDateTime).ToString('o'))
}
$mykeyCredentials.Add('KeyId', $currentkeyCredentials.keyId)


if($null -ne $currentkeyCredentials.Key)
{
$mykeyCredentials.Add('Key', [convert]::ToBase64String($currentkeyCredentials.key))
}

if ($null -ne $currentkeyCredentials.startDateTime)
{
$mykeyCredentials.Add('StartDateTime', ([DateTimeOffset]$currentkeyCredentials.startDateTime).ToString('o'))
}
$mykeyCredentials.Add('Type', $currentkeyCredentials.type)
$mykeyCredentials.Add('Usage', $currentkeyCredentials.usage)
if ($mykeyCredentials.values.Where({$null -ne $_}).Count -gt 0)
{
$complexKeyCredentials += $mykeyCredentials
}
}

$complexPasswordCredentials = @()
foreach ($currentpasswordCredentials in $AADServicePrincipal.passwordCredentials)
{
$mypasswordCredentials = @{}
$mypasswordCredentials.Add('DisplayName', $currentpasswordCredentials.displayName)
if ($null -ne $currentpasswordCredentials.endDateTime)
{
$mypasswordCredentials.Add('EndDateTime', ([DateTimeOffset]$currentpasswordCredentials.endDateTime).ToString('o'))
}
$mypasswordCredentials.Add('Hint', $currentpasswordCredentials.hint)
$mypasswordCredentials.Add('KeyId', $currentpasswordCredentials.keyId)
if ($null -ne $currentpasswordCredentials.startDateTime)
{
$mypasswordCredentials.Add('StartDateTime', ([DateTimeOffset]$currentpasswordCredentials.startDateTime).ToString('o'))
}
if ($mypasswordCredentials.values.Where({$null -ne $_}).Count -gt 0)
{
$complexPasswordCredentials += $mypasswordCredentials
}
}

$result = @{
AppId = $AADServicePrincipal.AppId
AppRoleAssignedTo = $AppRoleAssignedToValues
@@ -245,6 +307,8 @@ function Get-TargetResource
ServicePrincipalNames = $AADServicePrincipal.ServicePrincipalNames
ServicePrincipalType = $AADServicePrincipal.ServicePrincipalType
Tags = $AADServicePrincipal.Tags
KeyCredentials = $complexKeyCredentials
PasswordCredentials = $complexPasswordCredentials
Ensure = 'Present'
Credential = $Credential
ApplicationId = $ApplicationId
@@ -348,6 +412,14 @@ function Set-TargetResource
[System.String[]]
$Tags,

[Parameter()]
[Microsoft.Management.Infrastructure.CimInstance[]]
$KeyCredentials,

[Parameter()]
[Microsoft.Management.Infrastructure.CimInstance[]]
$PasswordCredentials,

[Parameter()]
[ValidateSet('Present', 'Absent')]
[System.String]
@@ -441,7 +513,7 @@ function Set-TargetResource
$newOwner = New-MgServicePrincipalOwnerByRef -ServicePrincipalId $newSP.Id -BodyParameter $body
}

#adding delegated permissions classifications
# Adding delegated permissions classifications
if($null -ne $DelegatedPermissionClassifications){
foreach ($permissionClassification in $DelegatedPermissionClassifications){
$params = @{
@@ -686,6 +758,14 @@ function Test-TargetResource
[System.String[]]
$Tags,

[Parameter()]
[Microsoft.Management.Infrastructure.CimInstance[]]
$KeyCredentials,

[Parameter()]
[Microsoft.Management.Infrastructure.CimInstance[]]
$PasswordCredentials,

[Parameter()]
[ValidateSet('Present', 'Absent')]
[System.String]
@@ -815,6 +895,7 @@ function Export-TargetResource
[Parameter()]
[System.String[]]
$AccessTokens

)
$ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' `
-InboundParameters $PSBoundParameters
@@ -873,6 +954,18 @@ function Export-TargetResource
{
$Results.DelegatedPermissionClassifications = Get-M365DSCAzureADServicePrincipalDelegatedPermissionClassifications -PermissionClassifications $Results.DelegatedPermissionClassifications
}
if ($Results.KeyCredentials.Count -gt 0)
{
$Results.KeyCredentials = Get-M365DSCDRGComplexTypeToString `
-ComplexObject $Results.KeyCredentials `
-CIMInstanceName 'MicrosoftGraphkeyCredential'
}
if ($Results.PasswordCredentials -gt 0)
{
$Results.PasswordCredentials = Get-M365DSCDRGComplexTypeToString `
-ComplexObject $Results.PasswordCredentials `
-CIMInstanceName 'MicrosoftGraphpasswordCredential'
}
$currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName `
-ConnectionMode $ConnectionMode `
-ModulePath $PSScriptRoot `
@@ -888,6 +981,18 @@ function Export-TargetResource
$currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock `
-ParameterName 'DelegatedPermissionClassifications'
}
if ($null -ne $Results.KeyCredentials)
{
$currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock `
-ParameterName "KeyCredentials" -IsCIMArray:$True
}

if ($null -ne $Results.PasswordCredentials)
{
$currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock `
-ParameterName "PasswordCredentials" -IsCIMArray:$True
}

$dscContent += $currentDSCBlock
Save-M365DSCPartialExport -Content $currentDSCBlock `
-FileName $Global:PartialExportFileName
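Review bot: The `PasswordCredentials` guard in Export-TargetResource compares the array itself, `if ($Results.PasswordCredentials -gt 0)`, whereas the `KeyCredentials` branch a few lines above checks `.Count`; on an array the comparison operator filters elements rather than testing length, so this is not a reliable emptiness check and should read `if ($Results.PasswordCredentials.Count -gt 0)`. Export-TargetResource begins and ends outside the hunk. In Get-TargetResource the `Key` and `CustomKeyIdentifier` byte arrays are base64-encoded into the returned state, which Export-TargetResource then serialises into the generated configuration; a short comment above that loop stating what Graph populates in `key` for each credential type (presumably public certificate data only, confirm against the API) would help anyone reviewing exported output. The `if($null -ne` checks on `CustomKeyIdentifier` and `Key` also drop the space after `if` that the rest of the function uses.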
Original file line number Diff line number Diff line change
@@ -42,4 +42,6 @@ class MSFT_AADServicePrincipal : OMI_BaseResource
[Write, Description("Credentials of the Azure AD Admin"), EmbeddedInstance("MSFT_Credential")] string Credential;
[Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity;
[Write, Description("Access token used for authentication.")] String AccessTokens[];
[Write, Description("The collection of password credentials associated with the service principal. Not nullable."), EmbeddedInstance("MSFT_MicrosoftGraphpasswordCredential")] String PasswordCredentials[];
[Write, Description("The collection of key credentials associated with the service principal. Not nullable. Supports $filter (eq, NOT, ge, le)."), EmbeddedInstance("MSFT_MicrosoftGraphkeyCredential")] String KeyCredentials[];
};
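Review bot: The `KeyCredentials` description carries `Supports $filter (eq, NOT, ge, le)`, which describes the Graph REST query surface and has no meaning for a DSC schema property; the wording looks copied from the API reference, and `Not nullable` on both properties is at odds with them being optional `[Write]` parameters. Suggest trimming to `Description("The collection of key credentials associated with the service principal.")` and the matching text for `PasswordCredentials`.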
Original file line number Diff line number Diff line change
@@ -68,6 +68,25 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture {
ServicePrincipalNames = 'b4f08c68-7276-4cb8-b9ae-e75fca5ff834', 'https://app1.contoso.com'
ServicePrincipalType = 'Application'
Tags = '{WindowsAzureActiveDirectoryIntegratedApp}'
PasswordCredentials = @(
New-CimInstance -ClassName MSFT_MicrosoftGraphpasswordCredential -Property @{
KeyId = 'keyid'
EndDateTime = '2025-03-15T19:50:29.0310000+00:00'
Hint = 'VsO'
DisplayName = 'Super Secret'
StartDateTime = '2024-09-16T19:50:29.0310000+00:00'
} -ClientOnly
)
KeyCredentials = @(
New-CimInstance -ClassName MSFT_MicrosoftGraphkeyCredential -Property @{
Usage = 'Verify'
StartDateTime = '2024-09-25T09:13:11.0000000+00:00'
Type = 'AsymmetricX509Cert'
KeyId = 'Key ID'
EndDateTime = '2025-09-25T09:33:11.0000000+00:00'
DisplayName = 'anexas_test_2'
} -ClientOnly
)
Ensure = 'Present'
Credential = $Credscredential
}
@@ -107,6 +126,25 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture {
ServicePrincipalNames = 'b4f08c68-7276-4cb8-b9ae-e75fca5ff834', 'https://app1.contoso.com'
ServicePrincipalType = 'Application'
Tags = '{WindowsAzureActiveDirectoryIntegratedApp}'
PasswordCredentials = @(
New-CimInstance -ClassName MSFT_MicrosoftGraphpasswordCredential -Property @{
KeyId = 'keyid'
EndDateTime = '2025-03-15T19:50:29.0310000+00:00'
Hint = 'VsO'
DisplayName = 'Super Secret'
StartDateTime = '2024-09-16T19:50:29.0310000+00:00'
} -ClientOnly
)
KeyCredentials = @(
New-CimInstance -ClassName MSFT_MicrosoftGraphkeyCredential -Property @{
Usage = 'Verify'
StartDateTime = '2024-09-25T09:13:11.0000000+00:00'
Type = 'AsymmetricX509Cert'
KeyId = 'Key ID'
EndDateTime = '2025-09-25T09:33:11.0000000+00:00'
DisplayName = 'anexas_test_2'
} -ClientOnly
)
Ensure = 'Absent'
Credential = $Credscredential
}
@@ -132,6 +170,21 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture {
$AADSP | Add-Member -MemberType NoteProperty -Name ServicePrincipalNames -Value 'b4f08c68-7276-4cb8-b9ae-e75fca5ff834', 'https://app1.contoso.com'
$AADSP | Add-Member -MemberType NoteProperty -Name ServicePrincipalType -Value 'Application'
$AADSP | Add-Member -MemberType NoteProperty -Name Tags -Value '{WindowsAzureActiveDirectoryIntegratedApp}'
$AADSP | Add-Member -MemberType NoteProperty -Name KeyCredentials -Value @{
Usage = 'Verify'
StartDateTime = '2024-09-25T09:13:11.0000000+00:00'
Type = 'AsymmetricX509Cert'
KeyId = 'Key ID'
EndDateTime = '2025-09-25T09:33:11.0000000+00:00'
DisplayName = 'anexas_test_2'
}
$AADSP | Add-Member -MemberType NoteProperty -Name PasswordCredentials -Value @{
KeyId = 'keyid'
EndDateTime = '2025-03-15T19:50:29.0310000+00:00'
Hint = 'VsO'
DisplayName = 'Super Secret'
StartDateTime = '2024-09-16T19:50:29.0310000+00:00'
}
return $AADSP
}
}
@@ -167,6 +220,25 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture {
ServicePrincipalNames = 'b4f08c68-7276-4cb8-b9ae-e75fca5ff834', 'https://app1.contoso.com'
ServicePrincipalType = 'Application'
Tags = '{WindowsAzureActiveDirectoryIntegratedApp}'
PasswordCredentials = @(
New-CimInstance -ClassName MSFT_MicrosoftGraphpasswordCredential -Property @{
KeyId = 'keyid'
EndDateTime = '2025-03-15T19:50:29.0310000+00:00'
Hint = 'VsO'
DisplayName = 'Super Secret'
StartDateTime = '2024-09-16T19:50:29.0310000+00:00'
} -ClientOnly
)
KeyCredentials = @(
New-CimInstance -ClassName MSFT_MicrosoftGraphkeyCredential -Property @{
Usage = 'Verify'
StartDateTime = '2024-09-25T09:13:11.0000000+00:00'
Type = 'AsymmetricX509Cert'
KeyId = 'Key ID'
EndDateTime = '2025-09-25T09:33:11.0000000+00:00'
DisplayName = 'anexas_test_2'
} -ClientOnly
)
Ensure = 'Present'
Credential = $Credscredential
}
@@ -192,6 +264,21 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture {
$AADSP | Add-Member -MemberType NoteProperty -Name ServicePrincipalNames -Value 'b4f08c68-7276-4cb8-b9ae-e75fca5ff834', 'https://app1.contoso.com'
$AADSP | Add-Member -MemberType NoteProperty -Name ServicePrincipalType -Value 'Application'
$AADSP | Add-Member -MemberType NoteProperty -Name Tags -Value '{WindowsAzureActiveDirectoryIntegratedApp}'
$AADSP | Add-Member -MemberType NoteProperty -Name KeyCredentials -Value @{
Usage = 'Verify'
StartDateTime = '2024-09-25T09:13:11.0000000+00:00'
Type = 'AsymmetricX509Cert'
KeyId = 'Key ID'
EndDateTime = '2025-09-25T09:33:11.0000000+00:00'
DisplayName = 'anexas_test_2'
}
$AADSP | Add-Member -MemberType NoteProperty -Name PasswordCredentials -Value @{
KeyId = 'keyid'
EndDateTime = '2025-03-15T19:50:29.0310000+00:00'
Hint = 'VsO'
DisplayName = 'Super Secret'
StartDateTime = '2024-09-16T19:50:29.0310000+00:00'
}
return $AADSP
}
}
@@ -223,6 +310,8 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture {
ServicePrincipalNames = 'b4f08c68-7276-4cb8-b9ae-e75fca5ff834', 'https://app1.contoso.com'
ServicePrincipalType = 'Application'
Tags = '{WindowsAzureActiveDirectoryIntegratedApp}'
PasswordCredentials = @()
KeyCredentials = @()
Ensure = 'Present'
Credential = $Credscredential
}
@@ -247,6 +336,21 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture {
$AADSP | Add-Member -MemberType NoteProperty -Name ServicePrincipalNames -Value 'b4f08c68-7276-4cb8-b9ae-e75fca5ff834', 'https://app1.contoso.com'
$AADSP | Add-Member -MemberType NoteProperty -Name ServicePrincipalType -Value 'Application'
$AADSP | Add-Member -MemberType NoteProperty -Name Tags -Value '{WindowsAzureActiveDirectoryIntegratedApp}'
$AADSP | Add-Member -MemberType NoteProperty -Name KeyCredentials -Value @{
Usage = 'Verify'
StartDateTime = '2024-09-25T09:13:11.0000000+00:00'
Type = 'AsymmetricX509Cert'
KeyId = 'Key ID'
EndDateTime = '2025-09-25T09:33:11.0000000+00:00'
DisplayName = 'anexas_test_2'
}
$AADSP | Add-Member -MemberType NoteProperty -Name PasswordCredentials -Value @{
KeyId = 'keyid'
EndDateTime = '2025-03-15T19:50:29.0310000+00:00'
Hint = 'VsO'
DisplayName = 'Super Secret'
StartDateTime = '2024-09-16T19:50:29.0310000+00:00'
}
return $AADSP
}
}
@@ -295,6 +399,21 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture {
$AADSP | Add-Member -MemberType NoteProperty -Name ServicePrincipalNames -Value 'b4f08c68-7276-4cb8-b9ae-e75fca5ff834', 'https://app1.contoso.com'
$AADSP | Add-Member -MemberType NoteProperty -Name ServicePrincipalType -Value 'Application'
$AADSP | Add-Member -MemberType NoteProperty -Name Tags -Value '{WindowsAzureActiveDirectoryIntegratedApp}'
$AADSP | Add-Member -MemberType NoteProperty -Name KeyCredentials -Value @{
Usage = 'Verify'
StartDateTime = '2024-09-25T09:13:11.0000000+00:00'
Type = 'AsymmetricX509Cert'
KeyId = 'Key ID'
EndDateTime = '2025-09-25T09:33:11.0000000+00:00'
DisplayName = 'anexas_test_2'
}
$AADSP | Add-Member -MemberType NoteProperty -Name PasswordCredentials -Value @{
KeyId = 'keyid'
EndDateTime = '2025-03-15T19:50:29.0310000+00:00'
Hint = 'VsO'
DisplayName = 'Super Secret'
StartDateTime = '2024-09-16T19:50:29.0310000+00:00'
}
return $AADSP
}
}
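Review bot: The mocked `KeyCredentials` only carry string and date properties, so the `CustomKeyIdentifier` and `Key` byte-array branches that Get-TargetResource base64-encodes are never exercised by these tests. Adding `Key = [byte[]](1, 2, 3)` to one mocked key credential and asserting on the base64 value in the returned state would cover that conversion path. The same two mock hashtables are repeated in five places in this file; hoisting them to a shared variable near the top of the Describe would keep future field changes in one place.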
20 changes: 18 additions & 2 deletions Tests/Unit/Stubs/Generic.psm1
@@ -115,7 +115,15 @@ function Update-MgServicePrincipal

[Parameter()]
[System.String[]]
$Tags
$Tags,

[Parameter()]
[PSObject]
$PasswordCredentials,

[Parameter()]
[PSObject]
$KeyCredentials
)
}

@@ -187,7 +195,15 @@ function New-MGServicePrincipal

[Parameter()]
[System.String[]]
$Tags
$Tags,

[Parameter()]
[PSObject]
$PasswordCredentials,

[Parameter()]
[PSObject]
$KeyCredentials
)
}
