Merge pull request #1 from nguyen-chloe/servicePrincipalKeyCredsPassw…

…ordCreds Add service principal support for key creds and password creds
FabienTschanz · Oct 28, 2024 · fe1877d · fe1877d
2 parents 7653231 + 8926c94
commit fe1877d
Show file tree

Hide file tree

Showing 5 changed files with 247 additions and 3 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -2,6 +2,8 @@
 
 # UNRELEASED
 
+* AADServicePrincipal
+  * Added support for KeyCredentials and PasswordCredentials.
 * AADAccessReviewDefinition
   * Initial release.
 * AADAuthenticationMethodPolicyExternal

diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADServicePrincipal/MSFT_AADServicePrincipal.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADServicePrincipal/MSFT_AADServicePrincipal.psm1
@@ -76,6 +76,14 @@ function Get-TargetResource
         [System.String[]]
         $Tags,
 
+        [Parameter()]
+        [Microsoft.Management.Infrastructure.CimInstance[]]
+        $KeyCredentials,
+
+        [Parameter()]
+        [Microsoft.Management.Infrastructure.CimInstance[]]
+        $PasswordCredentials,
+
         [Parameter()]
         [ValidateSet('Present', 'Absent')]
         [System.String]
@@ -226,6 +234,60 @@ function Get-TargetResource
                 $complexDelegatedPermissionClassifications += $hashtable
             }
 
+            $complexKeyCredentials = @()
+            foreach ($currentkeyCredentials in $AADServicePrincipal.keyCredentials)
+            {
+                $mykeyCredentials = @{}
+                if($null -ne $currentkeyCredentials.customKeyIdentifier)
+                {
+                    $mykeyCredentials.Add('CustomKeyIdentifier', [convert]::ToBase64String($currentkeyCredentials.customKeyIdentifier))
+                }
+                $mykeyCredentials.Add('DisplayName', $currentkeyCredentials.displayName)
+                if ($null -ne $currentkeyCredentials.endDateTime)
+                {
+                    $mykeyCredentials.Add('EndDateTime', ([DateTimeOffset]$currentkeyCredentials.endDateTime).ToString('o'))
+                }
+                $mykeyCredentials.Add('KeyId', $currentkeyCredentials.keyId)
+
+
+                if($null -ne $currentkeyCredentials.Key)
+                {
+                    $mykeyCredentials.Add('Key', [convert]::ToBase64String($currentkeyCredentials.key))
+                }
+
+                if ($null -ne $currentkeyCredentials.startDateTime)
+                {
+                    $mykeyCredentials.Add('StartDateTime', ([DateTimeOffset]$currentkeyCredentials.startDateTime).ToString('o'))
+                }
+                $mykeyCredentials.Add('Type', $currentkeyCredentials.type)
+                $mykeyCredentials.Add('Usage', $currentkeyCredentials.usage)
+                if ($mykeyCredentials.values.Where({$null -ne $_}).Count -gt 0)
+                {
+                    $complexKeyCredentials += $mykeyCredentials
+                }
+            }
+
+            $complexPasswordCredentials = @()
+            foreach ($currentpasswordCredentials in $AADServicePrincipal.passwordCredentials)
+            {
+                $mypasswordCredentials = @{}
+                $mypasswordCredentials.Add('DisplayName', $currentpasswordCredentials.displayName)
+                if ($null -ne $currentpasswordCredentials.endDateTime)
+                {
+                    $mypasswordCredentials.Add('EndDateTime', ([DateTimeOffset]$currentpasswordCredentials.endDateTime).ToString('o'))
+                }
+                $mypasswordCredentials.Add('Hint', $currentpasswordCredentials.hint)
+                $mypasswordCredentials.Add('KeyId', $currentpasswordCredentials.keyId)
+                if ($null -ne $currentpasswordCredentials.startDateTime)
+                {
+                    $mypasswordCredentials.Add('StartDateTime', ([DateTimeOffset]$currentpasswordCredentials.startDateTime).ToString('o'))
+                }
+                if ($mypasswordCredentials.values.Where({$null -ne $_}).Count -gt 0)
+                {
+                    $complexPasswordCredentials += $mypasswordCredentials
+                }
+            }
+
             $result = @{
                 AppId                              = $AADServicePrincipal.AppId
                 AppRoleAssignedTo                  = $AppRoleAssignedToValues
@@ -245,6 +307,8 @@ function Get-TargetResource
                 ServicePrincipalNames              = $AADServicePrincipal.ServicePrincipalNames
                 ServicePrincipalType               = $AADServicePrincipal.ServicePrincipalType
                 Tags                               = $AADServicePrincipal.Tags
+                KeyCredentials                     = $complexKeyCredentials
+                PasswordCredentials                = $complexPasswordCredentials
                 Ensure                             = 'Present'
                 Credential                         = $Credential
                 ApplicationId                      = $ApplicationId
@@ -348,6 +412,14 @@ function Set-TargetResource
         [System.String[]]
         $Tags,
 
+        [Parameter()]
+        [Microsoft.Management.Infrastructure.CimInstance[]]
+        $KeyCredentials,
+
+        [Parameter()]
+        [Microsoft.Management.Infrastructure.CimInstance[]]
+        $PasswordCredentials,
+
         [Parameter()]
         [ValidateSet('Present', 'Absent')]
         [System.String]
@@ -441,7 +513,7 @@ function Set-TargetResource
             $newOwner = New-MgServicePrincipalOwnerByRef -ServicePrincipalId $newSP.Id -BodyParameter $body
         }
 
-        #adding delegated permissions classifications
+        # Adding delegated permissions classifications
         if($null -ne $DelegatedPermissionClassifications){
             foreach ($permissionClassification in $DelegatedPermissionClassifications){
                 $params = @{
@@ -686,6 +758,14 @@ function Test-TargetResource
         [System.String[]]
         $Tags,
 
+        [Parameter()]
+        [Microsoft.Management.Infrastructure.CimInstance[]]
+        $KeyCredentials,
+
+        [Parameter()]
+        [Microsoft.Management.Infrastructure.CimInstance[]]
+        $PasswordCredentials,
+
         [Parameter()]
         [ValidateSet('Present', 'Absent')]
         [System.String]
@@ -815,6 +895,7 @@ function Export-TargetResource
         [Parameter()]
         [System.String[]]
         $AccessTokens
+
     )
     $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' `
         -InboundParameters $PSBoundParameters
@@ -873,6 +954,18 @@ function Export-TargetResource
                 {
                     $Results.DelegatedPermissionClassifications = Get-M365DSCAzureADServicePrincipalDelegatedPermissionClassifications -PermissionClassifications $Results.DelegatedPermissionClassifications
                 }
+                if ($Results.KeyCredentials.Count -gt 0)
+                {
+                    $Results.KeyCredentials = Get-M365DSCDRGComplexTypeToString `
+                    -ComplexObject $Results.KeyCredentials `
+                    -CIMInstanceName 'MicrosoftGraphkeyCredential'
+                }
+                if ($Results.PasswordCredentials -gt 0)
+                {
+                    $Results.PasswordCredentials = Get-M365DSCDRGComplexTypeToString `
+                    -ComplexObject $Results.PasswordCredentials `
+                    -CIMInstanceName 'MicrosoftGraphpasswordCredential'
+                }
                 $currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName `
                     -ConnectionMode $ConnectionMode `
                     -ModulePath $PSScriptRoot `
@@ -888,6 +981,18 @@ function Export-TargetResource
                     $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock `
                         -ParameterName 'DelegatedPermissionClassifications'
                 }
+                if ($null -ne $Results.KeyCredentials)
+                {
+                    $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock `
+                        -ParameterName "KeyCredentials" -IsCIMArray:$True
+                }
+
+                if ($null -ne $Results.PasswordCredentials)
+                {
+                    $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock `
+                        -ParameterName "PasswordCredentials" -IsCIMArray:$True
+                }
+
                 $dscContent += $currentDSCBlock
                 Save-M365DSCPartialExport -Content $currentDSCBlock `
                     -FileName $Global:PartialExportFileName

diff --git a/...Microsoft365DSC/DSCResources/MSFT_AADServicePrincipal/MSFT_AADServicePrincipal.schema.mof b/...Microsoft365DSC/DSCResources/MSFT_AADServicePrincipal/MSFT_AADServicePrincipal.schema.mof
@@ -42,4 +42,6 @@ class MSFT_AADServicePrincipal : OMI_BaseResource
     [Write, Description("Credentials of the Azure AD Admin"), EmbeddedInstance("MSFT_Credential")] string Credential;
     [Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity;
     [Write, Description("Access token used for authentication.")] String AccessTokens[];
+    [Write, Description("The collection of password credentials associated with the service principal. Not nullable."), EmbeddedInstance("MSFT_MicrosoftGraphpasswordCredential")] String PasswordCredentials[];
+    [Write, Description("The collection of key credentials associated with the service principal. Not nullable. Supports $filter (eq, NOT, ge, le)."), EmbeddedInstance("MSFT_MicrosoftGraphkeyCredential")] String KeyCredentials[];
 };
diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADServicePrincipal.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADServicePrincipal.Tests.ps1
@@ -68,6 +68,25 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture {
                     ServicePrincipalNames     = 'b4f08c68-7276-4cb8-b9ae-e75fca5ff834', 'https://app1.contoso.com'
                     ServicePrincipalType      = 'Application'
                     Tags                      = '{WindowsAzureActiveDirectoryIntegratedApp}'
+                    PasswordCredentials       = @(
+                        New-CimInstance -ClassName MSFT_MicrosoftGraphpasswordCredential -Property @{
+                            KeyId = 'keyid'
+                            EndDateTime = '2025-03-15T19:50:29.0310000+00:00'
+                            Hint = 'VsO'
+                            DisplayName = 'Super Secret'
+                            StartDateTime = '2024-09-16T19:50:29.0310000+00:00'
+                        } -ClientOnly
+                    )
+                    KeyCredentials = @(
+                        New-CimInstance -ClassName MSFT_MicrosoftGraphkeyCredential -Property @{
+                            Usage = 'Verify'
+                            StartDateTime = '2024-09-25T09:13:11.0000000+00:00'
+                            Type = 'AsymmetricX509Cert'
+                            KeyId = 'Key ID'
+                            EndDateTime = '2025-09-25T09:33:11.0000000+00:00'
+                            DisplayName = 'anexas_test_2'
+                        } -ClientOnly
+                    )
                     Ensure                    = 'Present'
                     Credential                = $Credscredential
                 }
@@ -107,6 +126,25 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture {
                     ServicePrincipalNames     = 'b4f08c68-7276-4cb8-b9ae-e75fca5ff834', 'https://app1.contoso.com'
                     ServicePrincipalType      = 'Application'
                     Tags                      = '{WindowsAzureActiveDirectoryIntegratedApp}'
+                    PasswordCredentials       = @(
+                        New-CimInstance -ClassName MSFT_MicrosoftGraphpasswordCredential -Property @{
+                            KeyId = 'keyid'
+                            EndDateTime = '2025-03-15T19:50:29.0310000+00:00'
+                            Hint = 'VsO'
+                            DisplayName = 'Super Secret'
+                            StartDateTime = '2024-09-16T19:50:29.0310000+00:00'
+                        } -ClientOnly
+                    )
+                    KeyCredentials            = @(
+                        New-CimInstance -ClassName MSFT_MicrosoftGraphkeyCredential -Property @{
+                            Usage = 'Verify'
+                            StartDateTime = '2024-09-25T09:13:11.0000000+00:00'
+                            Type = 'AsymmetricX509Cert'
+                            KeyId = 'Key ID'
+                            EndDateTime = '2025-09-25T09:33:11.0000000+00:00'
+                            DisplayName = 'anexas_test_2'
+                        } -ClientOnly
+                    )
                     Ensure                    = 'Absent'
                     Credential                = $Credscredential
                 }
@@ -132,6 +170,21 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture {
                     $AADSP | Add-Member -MemberType NoteProperty -Name ServicePrincipalNames -Value 'b4f08c68-7276-4cb8-b9ae-e75fca5ff834', 'https://app1.contoso.com'
                     $AADSP | Add-Member -MemberType NoteProperty -Name ServicePrincipalType -Value 'Application'
                     $AADSP | Add-Member -MemberType NoteProperty -Name Tags -Value '{WindowsAzureActiveDirectoryIntegratedApp}'
+                    $AADSP | Add-Member -MemberType NoteProperty -Name KeyCredentials -Value @{
+                        Usage = 'Verify'
+                        StartDateTime = '2024-09-25T09:13:11.0000000+00:00'
+                        Type = 'AsymmetricX509Cert'
+                        KeyId = 'Key ID'
+                        EndDateTime = '2025-09-25T09:33:11.0000000+00:00'
+                        DisplayName = 'anexas_test_2'
+                    }
+                    $AADSP | Add-Member -MemberType NoteProperty -Name PasswordCredentials -Value @{
+                        KeyId = 'keyid'
+                        EndDateTime = '2025-03-15T19:50:29.0310000+00:00'
+                        Hint = 'VsO'
+                        DisplayName = 'Super Secret'
+                        StartDateTime = '2024-09-16T19:50:29.0310000+00:00'
+                    }
                     return $AADSP
                 }
             }
@@ -167,6 +220,25 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture {
                     ServicePrincipalNames     = 'b4f08c68-7276-4cb8-b9ae-e75fca5ff834', 'https://app1.contoso.com'
                     ServicePrincipalType      = 'Application'
                     Tags                      = '{WindowsAzureActiveDirectoryIntegratedApp}'
+                    PasswordCredentials       = @(
+                        New-CimInstance -ClassName MSFT_MicrosoftGraphpasswordCredential -Property @{
+                            KeyId = 'keyid'
+                            EndDateTime = '2025-03-15T19:50:29.0310000+00:00'
+                            Hint = 'VsO'
+                            DisplayName = 'Super Secret'
+                            StartDateTime = '2024-09-16T19:50:29.0310000+00:00'
+                        } -ClientOnly
+                    )
+                    KeyCredentials            = @(
+                        New-CimInstance -ClassName MSFT_MicrosoftGraphkeyCredential -Property @{
+                            Usage = 'Verify'
+                            StartDateTime = '2024-09-25T09:13:11.0000000+00:00'
+                            Type = 'AsymmetricX509Cert'
+                            KeyId = 'Key ID'
+                            EndDateTime = '2025-09-25T09:33:11.0000000+00:00'
+                            DisplayName = 'anexas_test_2'
+                        } -ClientOnly
+                    )
                     Ensure                    = 'Present'
                     Credential                = $Credscredential
                 }
@@ -192,6 +264,21 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture {
                     $AADSP | Add-Member -MemberType NoteProperty -Name ServicePrincipalNames -Value 'b4f08c68-7276-4cb8-b9ae-e75fca5ff834', 'https://app1.contoso.com'
                     $AADSP | Add-Member -MemberType NoteProperty -Name ServicePrincipalType -Value 'Application'
                     $AADSP | Add-Member -MemberType NoteProperty -Name Tags -Value '{WindowsAzureActiveDirectoryIntegratedApp}'
+                    $AADSP | Add-Member -MemberType NoteProperty -Name KeyCredentials -Value @{
+                        Usage = 'Verify'
+                        StartDateTime = '2024-09-25T09:13:11.0000000+00:00'
+                        Type = 'AsymmetricX509Cert'
+                        KeyId = 'Key ID'
+                        EndDateTime = '2025-09-25T09:33:11.0000000+00:00'
+                        DisplayName = 'anexas_test_2'
+                    }
+                    $AADSP | Add-Member -MemberType NoteProperty -Name PasswordCredentials -Value @{
+                        KeyId = 'keyid'
+                        EndDateTime = '2025-03-15T19:50:29.0310000+00:00'
+                        Hint = 'VsO'
+                        DisplayName = 'Super Secret'
+                        StartDateTime = '2024-09-16T19:50:29.0310000+00:00'
+                    }
                     return $AADSP
                 }
             }
@@ -223,6 +310,8 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture {
                     ServicePrincipalNames     = 'b4f08c68-7276-4cb8-b9ae-e75fca5ff834', 'https://app1.contoso.com'
                     ServicePrincipalType      = 'Application'
                     Tags                      = '{WindowsAzureActiveDirectoryIntegratedApp}'
+                    PasswordCredentials       = @()
+                    KeyCredentials            = @()
                     Ensure                    = 'Present'
                     Credential                = $Credscredential
                 }
@@ -247,6 +336,21 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture {
                     $AADSP | Add-Member -MemberType NoteProperty -Name ServicePrincipalNames -Value 'b4f08c68-7276-4cb8-b9ae-e75fca5ff834', 'https://app1.contoso.com'
                     $AADSP | Add-Member -MemberType NoteProperty -Name ServicePrincipalType -Value 'Application'
                     $AADSP | Add-Member -MemberType NoteProperty -Name Tags -Value '{WindowsAzureActiveDirectoryIntegratedApp}'
+                    $AADSP | Add-Member -MemberType NoteProperty -Name KeyCredentials -Value @{
+                        Usage = 'Verify'
+                        StartDateTime = '2024-09-25T09:13:11.0000000+00:00'
+                        Type = 'AsymmetricX509Cert'
+                        KeyId = 'Key ID'
+                        EndDateTime = '2025-09-25T09:33:11.0000000+00:00'
+                        DisplayName = 'anexas_test_2'
+                    }
+                    $AADSP | Add-Member -MemberType NoteProperty -Name PasswordCredentials -Value @{
+                        KeyId = 'keyid'
+                        EndDateTime = '2025-03-15T19:50:29.0310000+00:00'
+                        Hint = 'VsO'
+                        DisplayName = 'Super Secret'
+                        StartDateTime = '2024-09-16T19:50:29.0310000+00:00'
+                    }
                     return $AADSP
                 }
             }
@@ -295,6 +399,21 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture {
                     $AADSP | Add-Member -MemberType NoteProperty -Name ServicePrincipalNames -Value 'b4f08c68-7276-4cb8-b9ae-e75fca5ff834', 'https://app1.contoso.com'
                     $AADSP | Add-Member -MemberType NoteProperty -Name ServicePrincipalType -Value 'Application'
                     $AADSP | Add-Member -MemberType NoteProperty -Name Tags -Value '{WindowsAzureActiveDirectoryIntegratedApp}'
+                    $AADSP | Add-Member -MemberType NoteProperty -Name KeyCredentials -Value @{
+                        Usage = 'Verify'
+                        StartDateTime = '2024-09-25T09:13:11.0000000+00:00'
+                        Type = 'AsymmetricX509Cert'
+                        KeyId = 'Key ID'
+                        EndDateTime = '2025-09-25T09:33:11.0000000+00:00'
+                        DisplayName = 'anexas_test_2'
+                    }
+                    $AADSP | Add-Member -MemberType NoteProperty -Name PasswordCredentials -Value @{
+                        KeyId = 'keyid'
+                        EndDateTime = '2025-03-15T19:50:29.0310000+00:00'
+                        Hint = 'VsO'
+                        DisplayName = 'Super Secret'
+                        StartDateTime = '2024-09-16T19:50:29.0310000+00:00'
+                    }
                     return $AADSP
                 }
             }