Skip to content

[pull] dev from KelvinTegelaar:dev#1081

Merged
pull[bot] merged 13 commits into
bmsimp:devfrom
KelvinTegelaar:dev
Jul 9, 2026
Merged

[pull] dev from KelvinTegelaar:dev#1081
pull[bot] merged 13 commits into
bmsimp:devfrom
KelvinTegelaar:dev

Conversation

@pull

@pull pull Bot commented Jul 9, 2026

Copy link
Copy Markdown

See Commits and Changes for more details.


Created by pull[bot] (v2.0.0-alpha.4)

Can you help keep this open source service alive? 💖 Please sponsor : )

KelvinTegelaar and others added 13 commits July 9, 2026 15:44
Introduces full SAM certificate lifecycle support: create, load (with cache), store (Key Vault cert with secret fallback), and renew with app-registration key credential sync/rollback logic. The weekly token timer now auto-renews the SAM cert when missing or near expiry.

Graph/EXO helpers gain a `UseCertificate` path so app-only requests can authenticate via the stored SAM certificate, and certificate-based token acquisition now includes token caching plus transient AADSTS700027 retry handling. Adds a new `Invoke-ExecSAMCertificate` HTTP endpoint for status and forced renewal, and blocks SAM certificate management commands from scheduler/ExecCippFunction execution.
Ensure SAM certificate creation works during initial setup and renewal when app management policies restrict key credentials. This updates the exemption policy logic to disable certificate-related restrictions, lets SAM certificate rotation use delegated Graph headers for setup-time calls, and attempts to create the certificate immediately after provisioning the SAM app instead of waiting for the scheduled renewal.
Adds a shared `New-CIPPCertificateAssertion` helper and refactors Graph/EXO request helpers to route `-UseCertificate` through `Get-GraphToken` for both delegated refresh-token and app-only flows. Updates token cache grant-type keys for certificate auth, defaults EXO tenant ID to env TenantID, and blocks the new assertion helper from scheduler/exec invocation. Also changes `CIPPRestClient` to use `ResponseHeadersRead` so malformed EXO content-encoding responses don’t fail in `SendAsync` before status/body handling.
Use `ResponseHeadersRead` in `CIPPRestClient` so mislabelled compressed Exchange error bodies do not fail inside `SendAsync`. This keeps the HTTP status available for the existing defensive response handling path.
@pull pull Bot locked and limited conversation to collaborators Jul 9, 2026
@pull pull Bot added the ⤵️ pull label Jul 9, 2026
@pull pull Bot merged commit 43879bd into bmsimp:dev Jul 9, 2026
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants