[pull] dev from KelvinTegelaar:dev#1081
Merged
Merged
Conversation
Introduces full SAM certificate lifecycle support: create, load (with cache), store (Key Vault cert with secret fallback), and renew with app-registration key credential sync/rollback logic. The weekly token timer now auto-renews the SAM cert when missing or near expiry. Graph/EXO helpers gain a `UseCertificate` path so app-only requests can authenticate via the stored SAM certificate, and certificate-based token acquisition now includes token caching plus transient AADSTS700027 retry handling. Adds a new `Invoke-ExecSAMCertificate` HTTP endpoint for status and forced renewal, and blocks SAM certificate management commands from scheduler/ExecCippFunction execution.
Ensure SAM certificate creation works during initial setup and renewal when app management policies restrict key credentials. This updates the exemption policy logic to disable certificate-related restrictions, lets SAM certificate rotation use delegated Graph headers for setup-time calls, and attempts to create the certificate immediately after provisioning the SAM app instead of waiting for the scheduled renewal.
Adds a shared `New-CIPPCertificateAssertion` helper and refactors Graph/EXO request helpers to route `-UseCertificate` through `Get-GraphToken` for both delegated refresh-token and app-only flows. Updates token cache grant-type keys for certificate auth, defaults EXO tenant ID to env TenantID, and blocks the new assertion helper from scheduler/exec invocation. Also changes `CIPPRestClient` to use `ResponseHeadersRead` so malformed EXO content-encoding responses don’t fail in `SendAsync` before status/body handling.
Use `ResponseHeadersRead` in `CIPPRestClient` so mislabelled compressed Exchange error bodies do not fail inside `SendAsync`. This keeps the HTTP status available for the existing defensive response handling path.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
See Commits and Changes for more details.
Created by
pull[bot] (v2.0.0-alpha.4)
Can you help keep this open source service alive? 💖 Please sponsor : )