direct tenant add

KelvinTegelaar · KelvinTegelaar · commit 3822556cb91d · 2025-05-19T10:35:15.000+02:00
diff --git a/Modules/CIPPCore/Public/Get-CIPPAuthentication.ps1 b/Modules/CIPPCore/Public/Get-CIPPAuthentication.ps1
@@ -19,6 +19,18 @@ function Get-CIPPAuthentication {
                 }
             }
             Write-Host "Got secrets from dev storage. ApplicationID: $env:ApplicationID"
+            #Get list of tenants that have 'directTenant' set to true
+            $tenants = Get-Tenants | Where-Object -Property delegatedPrivilegeStatus -EQ 'directTenant'
+            if ($tenants) {
+                Write-Host "Found $($tenants.Count) tenants with directTenant set to true"
+                $tenants | ForEach-Object {
+                    $name = $_.customerId -replace '-', '_'
+                    if ($secret.$name) {
+                        $name = $_.customerId
+                        Set-Item -Path env:$name -Value $secret.$name -Force
+                    }
+                }
+            }
         } else {
             Write-Information 'Connecting to Azure'
             Connect-AzAccount -Identity
@@ -37,6 +49,19 @@ function Get-CIPPAuthentication {
             }
 
             $keyvaultname = ($env:WEBSITE_DEPLOYMENT_ID -split '-')[0]
+            #Get list of tenants that have 'directTenant' set to true
+            $tenants = Get-Tenants | Where-Object -Property delegatedPrivilegeStatus -EQ 'directTenant'
+            if ($tenants) {
+                $tenants | ForEach-Object {
+                    $name = $_.tenantId -replace '-', '_'
+                    $secret = Get-AzKeyVaultSecret -VaultName $keyvaultname -Name $name -AsPlainText -ErrorAction Stop
+                    if ($secret) {
+                        #set the name back to the original tenantId
+                        $name = $_.customerId
+                        Set-Item -Path env:$name -Value $secret -Force
+                    }
+                }
+            }
             $Variables | ForEach-Object {
                 Set-Item -Path env:$_ -Value (Get-AzKeyVaultSecret -VaultName $keyvaultname -Name $_ -AsPlainText -ErrorAction Stop) -Force
             }
diff --git a/Modules/CIPPCore/Public/GraphHelper/Get-GraphToken.ps1 b/Modules/CIPPCore/Public/GraphHelper/Get-GraphToken.ps1
@@ -6,11 +6,18 @@ function Get-GraphToken($tenantid, $scope, $AsApp, $AppID, $AppSecret, $refreshT
     if (!$scope) { $scope = 'https://graph.microsoft.com/.default' }
     if (!$env:SetFromProfile) { $CIPPAuth = Get-CIPPAuthentication; Write-Host 'Could not get Refreshtoken from environment variable. Reloading token.' }
     #If the $env:<$tenantid> is set, use that instead of the refreshtoken for all tenants.
+    $ClientRefreshToken = Get-Item env:$tenantid -ErrorAction SilentlyContinue
+    if ($ClientRefreshToken) {
+        $refreshToken = $ClientRefreshToken
+    } else {
+        $refreshToken = $env:RefreshToken
+    }
+
     $AuthBody = @{
         client_id     = $env:ApplicationID
         client_secret = $env:ApplicationSecret
         scope         = $Scope
-        refresh_token = $env:RefreshToken
+        refresh_token = $refreshToken
         grant_type    = 'refresh_token'
     }
     if ($asApp -eq $true) {
@@ -25,7 +32,7 @@ function Get-GraphToken($tenantid, $scope, $AsApp, $AppID, $AppSecret, $refreshT
     if ($null -ne $AppID -and $null -ne $refreshToken) {
         $AuthBody = @{
             client_id     = $appid
-            refresh_token = $RefreshToken
+            refresh_token = $refreshToken
             scope         = $Scope
             grant_type    = 'refresh_token'
         }
