Update-M365DSCAzureAdApplication with AppOwnerTenantID Filter #2566
Conversation
| $graphSvcprincipal = Get-AzADServicePrincipal | Where-Object -FilterScript { $_.DisplayName -eq "Microsoft Graph" } | ||
| $spSvcprincipal = Get-AzADServicePrincipal | Where-Object -FilterScript { $_.DisplayName -eq "Office 365 SharePoint Online" } | ||
| $exSvcprincipal = Get-AzADServicePrincipal | Where-Object -FilterScript { $_.DisplayName -eq "Office 365 Exchange Online" } | ||
| $graphSvcprincipal = Get-AzADServicePrincipal | Where-Object -FilterScript { $_.DisplayName -eq 'Microsoft Graph' -and $_.AppOwnerTenantId -eq 'f8cdef31-a31e-4b4a-93e4-5f571e91255a' } |
There was a problem hiding this comment.
Why are we doing this, and also, it looks like the property is appOwnerOrganizationId and not appOwnerTenantId
Will this owner id be the same in foreign clouds?
There was a problem hiding this comment.
Good point.
The display name is not unique across all tenants. At the moment, any other application with the same name could be the first and we would try to add permissions to this app.
Do you have any insight on other clouds, if the IDs are the same?
There was a problem hiding this comment.
Not at the moment. I'll need to ask around and investigate
There was a problem hiding this comment.
Get-AzureADServicePrincipal -> appOwnerTenantId
Get-AzADServicePrincipal/Get-MgServicePrincipal -> AppOwnerOrganizationId
f8cdef31-a31e-4b4a-93e4-5f571e91255a is the 1st party tenant for commercial and usgov, can't speak to other dedicated clouds.
There was a problem hiding this comment.
…what a mess. I’ll look into moving to MG methods tomorrow. Maybe there is another criteria available to make sure the apps are published by Microsoft.
There was a problem hiding this comment.
Sounds good. For the sake of efficiency, I'd provide the displayname as part of the query rather than filter on the complete results set - the difference in query time can be significant when there are a large number of SPs in the tenant.
There was a problem hiding this comment.
Just had another thought: How does PnP PowerShell do it?
This is the answer: https://github.com/pnp/powershell/blob/ed883559841bb89e8bb08515d0fdfed4f69faf17/src/Commands/Model/PermissionScopes.cs#L11-L13
public static string ResourceAppId_Graph = "00000003-0000-0000-c000-000000000000";
public static string ResourceAppId_SPO = "00000003-0000-0ff1-ce00-000000000000";
public static string ResourceAppID_O365Management = "c5393580-f805-4401-95e8-94b7a6ef2fc2";Maybe we can go with fixed IDs within our code as well and just warn, if we do not find a thing. As soon as we do not find any app, we could switch back to the old "query".
There was a problem hiding this comment.
I was thinking about that as well, create a table of well-known GUIDs and call it a day.
There was a problem hiding this comment.
Will update accordingly.
|
Will create a new PR to add the points that were discussed above. |
Pull Request (PR) description
Added addtional filter for AppOwernTenantId in Update-M365DSCAzureAdApplication
This Pull Request (PR) fixes the following issues