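function Set-CippApiAuth {
    <#
    .SYNOPSIS
        Configures Easy Auth (authsettingsV2) on a Function App so that only the given Entra ID applications can call it.
    .DESCRIPTION
        Reads the Function App's current authsettingsV2, replaces the azureActiveDirectory identity provider with a
        configuration that accepts tokens for the supplied client IDs (audience "api://<ClientId>"), makes
        unauthenticated requests fail with HTTP 401, writes the settings back and restricts the allowed tenant via the
        WEBSITE_AUTH_AAD_ALLOWED_TENANTS app setting. When no client IDs are supplied the provider is disabled.
    .PARAMETER RGName
        Resource group that contains the Function App.
    .PARAMETER FunctionAppName
        Name of the Function App whose auth settings are updated.
    .PARAMETER TenantId
        Entra ID tenant used for the OpenID issuer and written as the only allowed tenant.
    .PARAMETER ClientIds
        Application (client) IDs allowed to call the API. The first one becomes the registered client id; null or
        blank entries are ignored.
    .OUTPUTS
        None.
    .NOTES
        Both write operations honour -WhatIf / -Confirm.
        Throws if reading or writing the auth settings returns a non-2xx status, so a failed update is never silent.
    #>
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$RGName,
        [string]$FunctionAppName,
        [string]$TenantId,
        [string[]]$ClientIds
    )

    if ($env:MSI_SECRET) {
        # Running inside Azure with a managed identity: sign in as that identity and select the subscription,
        # which is the part of WEBSITE_OWNER_NAME before the first '+'.
        Disable-AzContextAutosave -Scope Process | Out-Null
        $null = Connect-AzAccount -Identity
        $SubscriptionId = $env:WEBSITE_OWNER_NAME -split '\+' | Select-Object -First 1
        $Context = Set-AzContext -SubscriptionId $SubscriptionId
    } else {
        $Context = Get-AzContext
    }
    $SubscriptionId = $Context.Subscription.Id

    $AuthSettingsUri = "https://management.azure.com/subscriptions/$SubscriptionId/resourceGroups/$RGName/providers/Microsoft.Web/sites/$($FunctionAppName)/config/authsettingsV2"
    $ApiVersion = '2020-06-01'

    # Read the current auth settings. Invoke-AzRestMethod does not throw on HTTP errors, so the status is checked
    # here; otherwise a failed read surfaces later as a confusing "property cannot be found" error.
    $Response = Invoke-AzRestMethod -Uri "$AuthSettingsUri/list?api-version=$ApiVersion"
    if ($Response.StatusCode -lt 200 -or $Response.StatusCode -ge 300) {
        throw "Failed to read auth settings for '$FunctionAppName' (HTTP $($Response.StatusCode)): $($Response.Content)"
    }
    $AuthSettings = $Response.Content | ConvertFrom-Json

    # Normalise to a real array with no blank ids, so Count and indexing behave the same for 0, 1 or many ids.
    $ClientIds = @($ClientIds | Where-Object { -not [string]::IsNullOrWhiteSpace($_) })
    $AllowedAudiences = @($ClientIds | ForEach-Object { "api://$_" })

    if ($ClientIds.Count -gt 0) {
        $AuthSettings.properties.identityProviders.azureActiveDirectory = @{
            enabled      = $true
            registration = @{
                clientId     = $ClientIds[0]
                openIdIssuer = "https://sts.windows.net/$TenantId/v2.0"
            }
            validation   = @{
                # Accept only tokens minted for these apps, and only from these calling apps.
                allowedAudiences           = @($AllowedAudiences)
                defaultAuthorizationPolicy = @{
                    allowedApplications = @($ClientIds)
                }
            }
        }
    } else {
        # No callers: switch the provider off rather than leaving stale client ids behind.
        $AuthSettings.properties.identityProviders.azureActiveDirectory = @{
            enabled      = $false
            registration = @{}
            validation   = @{}
        }
    }

    # Reject anonymous requests outright instead of redirecting to a login page.
    # NOTE(review): properties.platform (the Easy Auth on/off switch) is carried over unchanged from the existing
    # settings; these rules only take effect while it is enabled - confirm callers already rely on that.
    $AuthSettings.properties.globalValidation = @{
        unauthenticatedClientAction = 'Return401'
    }
    $AuthSettings.properties.login = @{
        tokenStore = @{
            enabled                    = $true
            tokenRefreshExtensionHours = 72
        }
    }

    if ($PSCmdlet.ShouldProcess($FunctionAppName, 'Update auth settings')) {
        # Check the PUT as well: discarding a failed response would leave the app with its old (possibly open)
        # auth configuration while the caller believes it was locked down.
        $Response = Invoke-AzRestMethod -Uri "${AuthSettingsUri}?api-version=$ApiVersion" -Method PUT -Payload ($AuthSettings | ConvertTo-Json -Depth 10)
        if ($Response.StatusCode -lt 200 -or $Response.StatusCode -ge 300) {
            throw "Failed to update auth settings for '$FunctionAppName' (HTTP $($Response.StatusCode)): $($Response.Content)"
        }
    }

    if ($PSCmdlet.ShouldProcess($FunctionAppName, 'Update allowed tenants')) {
        $null = Update-AzFunctionAppSetting -Name $FunctionAppName -ResourceGroupName $RGName -AppSetting @{ 'WEBSITE_AUTH_AAD_ALLOWED_TENANTS' = $TenantId }
    }
}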