fixes #3426
andikrueger committed Jun 29, 2023
1 parent c1cec69 commit 1329aef
Showing 2 changed files with 56 additions and 19 deletions.
3 changes: 3 additions & 0 deletions CHANGELOG.md
Expand Up @@ -33,6 +33,9 @@
FIXES #3417
* Update-M365DSCModule now forces a reload of the latest version of the Microsoft365DSC module.
FIXES [#3326](https://github.com/microsoft/Microsoft365DSC/issues/3326)
* Update-M365DSCAyureADApplication
Added retry logic to catch the "Key credential end date is invalid" error when updating the application certificate.
FIXES [#3426](https://github.com/microsoft/Microsoft365DSC/issues/3426)
* DEPENDENCIES
* Updated ReverseDSC to version 2.0.0.16.

72 changes: 53 additions & 19 deletions Modules/Microsoft365DSC/Modules/M365DSCPermissions.psm1
Expand Up @@ -67,17 +67,17 @@ function Get-M365DSCCompiledPermissionList
@{
API = 'Graph'
Permission = @{
Name = "Organization.Read.All"
Type = "Application"
Name = 'Organization.Read.All'
Type = 'Application'
}
}
)
Update = @(
@{
API = 'Graph'
Permission = @{
Name = "Organization.Read.All"
Type = "Application"
Name = 'Organization.Read.All'
Type = 'Application'
}
}
)
Expand Down Expand Up @@ -1419,7 +1419,7 @@ function Update-M365DSCAzureAdApplication
$allRequiredAccess = @{}
foreach ($permission in $Permissions)
{
if ($permission.Api -eq $null -or $permission.Api -notin @('Graph', 'SharePoint', 'Exchange'))
if ($null -eq $permission.Api -or $permission.Api -notin @('Graph', 'SharePoint', 'Exchange'))
{
Write-LogEntry "Specified permission is invalid $(Convert-M365DscHashtableToString -Hashtable $permission)" -Type Warning
continue
Expand Down Expand Up @@ -1456,7 +1456,7 @@ function Update-M365DSCAzureAdApplication
if ($null -eq $role)
{
$ObjectGuid = [System.Guid]::empty
if ([System.Guid]::TryParse($permission.PermissionName ,[System.Management.Automation.PSReference]$ObjectGuid))
if ([System.Guid]::TryParse($permission.PermissionName , [System.Management.Automation.PSReference]$ObjectGuid))
{
$appPermission = @{
Id = $permission.PermissionName
Expand Down Expand Up @@ -1509,7 +1509,7 @@ function Update-M365DSCAzureAdApplication

if ($AdminConsent)
{
if (-not $PSBoundParameters.ContainsKey("Credential"))
if (-not $PSBoundParameters.ContainsKey('Credential'))
{
Write-LogEntry '[ERROR] You need to provide admin credentials when specifying the AdminConsent parameter.'
}
Expand All @@ -1532,18 +1532,18 @@ function Update-M365DSCAzureAdApplication
$password = $Credential.GetNetworkCredential().password

$url = "https://main.iam.ad.ext.azure.com/api/Directories/$($tenant.tenantId)/Details"
$uri = "https://login.microsoftonline.com/{0}/oauth2/token" -f $tenantid
$body = "resource=74658136-14ec-4630-ad9b-26e160ff0fc6&client_id=1950a258-227b-4e31-a9cf-717495945fc2&grant_type=password&username={1}&password={0}" -f [System.Web.HttpUtility]::UrlEncode($password), $username
$uri = 'https://login.microsoftonline.com/{0}/oauth2/token' -f $tenantid
$body = 'resource=74658136-14ec-4630-ad9b-26e160ff0fc6&client_id=1950a258-227b-4e31-a9cf-717495945fc2&grant_type=password&username={1}&password={0}' -f [System.Web.HttpUtility]::UrlEncode($password), $username
$token = Invoke-RestMethod $uri `
-Method POST `
-Body $body `
-ContentType "application/x-www-form-urlencoded" `
-ContentType 'application/x-www-form-urlencoded' `
-ErrorAction SilentlyContinue

$headers = @{
Authorization = "Bearer $($token.access_token)";
"x-ms-client-request-id" = [guid]::NewGuid().ToString();
"x-ms-client-session-id" = [guid]::NewGuid().ToString()
Authorization = "Bearer $($token.access_token)"
'x-ms-client-request-id' = [guid]::NewGuid().ToString()
'x-ms-client-session-id' = [guid]::NewGuid().ToString()
}

$applicationId = $azureADApp.AppId
Expand Down Expand Up @@ -1596,8 +1596,8 @@ function Update-M365DSCAzureAdApplication
$passwordCred = @{
displayName = 'Created by Microsoft365DSC'
endDateTime = $endDate
}
$appCred = Add-MgApplicationPassword -ApplicationId $azureADApp.Id -PasswordCredential $passwordCred
}
$appCred = Add-MgApplicationPassword -ApplicationId $azureADApp.Id -PasswordCredential $passwordCred
}
}
'Certificate'
Expand Down Expand Up @@ -1660,12 +1660,46 @@ function Update-M365DSCAzureAdApplication

Write-LogEntry " Certificate details: $($cerCert.Subject) ($($cerCert.Thumbprint))"
$params = @{
Type = "AsymmetricX509Cert"
Usage = "Verify"
Key = $cerCert.GetRawCertData()
Type = 'AsymmetricX509Cert'
Usage = 'Verify'
Key = $cerCert.GetRawCertData()
EndDateTime = $endDate
}
$appCred = Update-MgApplication -ApplicationId $azureAdApp.Id -KeyCredentials $params

$maxRetries = 3
$retryCount = 0
$retryDelay = 10 # seconds

do
{
try
{
$appCred = Update-MgApplication -ApplicationId $azureAdApp.Id -KeyCredentials $params
break # exit the loop if the operation succeeds
}
catch
{
if ($_.Exception.Message -match 'Key credential end date is invalid')
{
Write-Host "Caught error: $($_.Exception.Message)"
if ($retryCount -lt $maxRetries)
{
$retryCount++
Write-Host "Retrying in $retryDelay seconds..."
Start-Sleep -Seconds $retryDelay
}
else
{
Write-Host 'Maximum number of retries reached.'
throw # re-throw the exception if the maximum number of retries is reached
}
}
else
{
throw # re-throw the exception if it's not the expected error
}
}
} while ($true)
}
}
}
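Review bot: The retry branch in the last hunk reports through `Write-Host` (the `Caught error:`, `Retrying in ... seconds...` and `Maximum number of retries reached.` lines) while the rest of Update-M365DSCAzureAdApplication logs through `Write-LogEntry` (see the "Certificate details" line at the top of the hunk and the warning in the first hunk), so these messages bypass the module's log and cannot be captured or suppressed by callers; `Write-LogEntry "Caught error: $($_.Exception.Message)" -Type Warning` and the same form for the other two lines would keep the function consistent. Every iteration re-submits the identical `$params` hashtable with the same `$endDate`, so the loop only helps if the "Key credential end date is invalid" response is transient (presumably a propagation delay after the certificate is created); if that is the intent, a one-line comment above `$maxRetries = 3` stating it would spare the next reader from suspecting the date itself is wrong. The function begins outside the hunk and the `$endDate` computation is not visible here, so the cause of the error is inferred rather than confirmed.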
