Update power apps and power platform resource to the correct values. #4460
alanc-msft wants to merge 5 commits into pnp:main from
Both services are in the process of ceasing to accept the ARM resource.
|
Thank you! @pnp/cli-for-microsoft-365-maintainers is anyone aware of this change? |
Hi Milan, I'm the EM owner for api.powerapps.com and I also work closely with the team that owns api.bap.microsoft.com. Accepting the ARM audience has been a longstanding issue, which we are in the process of correcting (effectively by no longer accepting it). |
|
Hi @milanholemans - Considering the audience has changed, I am wondering whether just updating the API endpoint domain will work, because I tried to get a token with "https://service.powerapps.com/" and currently the CLI does not have a token with this new aud |
This means that users would need to consent to these audiences. This is part of the issue we are trying to solve: right now there is no consent required for these resources, which bypasses the security expectations of tenant admins. |
|
thanks @milanholemans for raising this 👍. |
|
The old resource name is still working for my tenant. |
hmm... so our current implementation, at least for now, works fine on my tenant. When I double-checked this change on the two tenants that I have, I get the same error message on both. On both I did the reconsent for the CLI app 🤔. @alanc-msft could you provide more detail on the issue? I guess until it is solved we should not merge this one. |
My guess is that the permission scope still has to be added to the PnP app registration, but no clue which one 😊. |
Hi Adam, how does the process to consent to the ARM audience work for this library? Typically, for a multitenant third-party application to get access to a specific resource, users need to consent. The consent can be done explicitly in the Azure portal by an admin, or by directing the users to the right consent URL. I would expect the process to be the same for these resources. |
Yes, that is exactly how it works in this case as well. When the user logs in through the CLI, the following permissions are used:
this is the list: maybe there is something we are missing here 🤔 |
|
@nanddeepn since you are already experiencing this issue as you mentioned in #4491 may I kindly ask you to help us out and retest changes done in this PR? |
|
@alanc-msft there are some resources that can be granted only to first-party (Microsoft's) applications. I wonder if |
|
I just found out that we can get an access token for service.powerapps.com by adding to our consent list: Before we do, let's verify that all commands will work with this new token. Once we have confirmed this, we can add the scope to our app reg and update the code to use the new resource for PP-related commands. |
|
TBH I am having little luck testing this change 😟. What I did is I added a custom app registration that has all the CLI scopes and this new additional one which @waldekmastykarz pointed out. I logged in to the CLI using my custom app registration with this additional scope. The CLI was built based on this branch. @waldekmastykarz am I missing something 🤔 |
|
@Adam-it have you tried running |
Logged out and logged in. On login I guess we check for scopes that need consent right? |
|
Nope, reconsent is a different flow |
🤦‍♂️. Will recheck it today 🫡. Thanks for the tip |
Ok after I reconsent the but still the @waldekmastykarz did you maybe find time to check it on your side? |
|
I can't seem to find any service principal linked to |
|
Hi @alanc-msft - checking if you have any updates on this? |
|
@alanc-msft did you maybe find some time to give it a check? I think the finish line is just around the corner and we need a bit more help from you to point us in the right direction (scope/permission 😉) 🙏 |
Hey, I apologize for the delay. I believe the issue is that the audience for the BAP API maps to a different first-party application, so the preauthorization will also need to be added to that one. The problem with that one is that there may be no guarantee that it exists in the tenant. This is the app as a reference: "Power Platform Environment Service", app id: 0e0bf3cc-3078-4fd4-9ef3-cb6dc0245b10. For now I will go ahead and revert that application and leave just the Power Apps one, which is the one we are trying to fix sooner, and I'll talk to the team owning the BAP API to figure out their own approach. |
https://service.powerapps.com/ is still better than the arm audience.
Update test audience for bap with 'https://service.powerapps.com/')
|
ok seems clear. |
I ended up updating both to the same resource, as it is still better than the ARM one (BAP api accepts the PA resource and will continue to do so for longer) |
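Added example (not part of the thread, and not code from this PR or from CLI for Microsoft 365): a Node.js diagnostic that reads the `aud` claim of an access token and reports whether it was issued for `https://service.powerapps.com/` or for another resource. The function names are hypothetical, the sample tokens are constructed and unsigned, and `https://management.azure.com/` is used here as the ARM resource value, which the thread itself does not spell out.

```javascript
// Client-side diagnostic only: the payload is decoded, NOT verified.
// The API that receives the token is what validates signature and audience.
const EXPECTED_AUDIENCE = 'https://service.powerapps.com/'; // resource named in the thread

// Decode the payload (second segment) of a compact JWT.
function decodeJwtPayload(token) {
  const parts = String(token).split('.');
  if (parts.length !== 3) {
    throw new Error('not a compact JWT (expected 3 segments)');
  }
  // Node's 'base64' decoder also accepts the URL-safe alphabet used by JWTs.
  return JSON.parse(Buffer.from(parts[1], 'base64').toString('utf8'));
}

// Used only to tell "wrong resource" apart from "trailing slash or case mismatch".
function normalise(aud) {
  return String(aud).replace(/\/+$/, '').toLowerCase();
}

function checkAudience(token, expected = EXPECTED_AUDIENCE) {
  const { aud } = decodeJwtPayload(token);
  const audiences = Array.isArray(aud) ? aud : [aud];
  if (audiences.includes(expected)) {
    return { ok: true, aud, reason: 'exact match' };
  }
  if (audiences.some(a => normalise(a) === normalise(expected))) {
    return { ok: false, aud, reason: 'differs only by trailing slash or case' };
  }
  return { ok: false, aud, reason: 'token was issued for a different resource' };
}

// Builds a constructed, unsigned sample token for the demonstration below.
function makeSampleToken(claims) {
  const enc = o => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'none', typ: 'JWT' })}.${enc(claims)}.placeholder-signature`;
}

// Constructed samples: one token per audience discussed in the thread.
for (const aud of ['https://service.powerapps.com/', 'https://management.azure.com/']) {
  console.log(aud, '->', checkAudience(makeSampleToken({ aud })).reason);
}
```
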
thanks for the additional comment 👍 I will give it a check 👍 |
|
Thank you so much for your help @alanc-msft. We really appreciate it 👏 |
Adam-it left a comment
checked locally and works ✅
looks good 👍
👏
|
This was a long one but I guess we are at the finish line 👍 |
No problem! Does somebody with write access need to merge this pull request? |
Yes, @Adam-it will merge it pretty soon I guess. |
Yep, will do that ASAP 👍 |
|
hi @Adam-it - once you merge it - please let us know which CLI beta version to install and test? |
|
merged manually |
Don't forget the |