We have a lot of duplicated code for working with Entra service principals and app registrations in the codebase.
Consider the following commands:
- aad app add
- aad app permission add
- app permission add
- aad oauth2grant add / get / list / remove
- aad approleassignment add / get / list / remove
All these commands work with service principals and permissions and use the same code in some places. I'd like for us to move this code to util files.
servicePrincipal.ts
The file may contain the following functions, which already exist in like 3 or 4 places. Let's centralize it here:
```ts
/**
 * Adds a delegated permission scope to a service principal.
 */
function addOAuth2PermissionGrant(servicePrincipalObjectId: string, resourceId: string, scope: string): Promise<void>;

/**
 * Adds an app-only role to a service principal.
 */
function addAppRoleAssignment(servicePrincipalObjectId: string, resourceId: string, appRoleId: string): Promise<void>;
```
aadPermissions.ts
There's quite a lot of code involved in translating from textual names of scopes / roles (like "https://graph.microsoft.com/Sites.Read.All") to the resource IDs that you need to work with Entra permissions.
This can be clearly seen in similar functions called something like getRequiredResourceAccessForApis, which take a complete list of all service principals and a list of scopes or roles and work out which ResourceAccess array (for an app registration) that would lead to. This code is already duplicated across 3 or 4 files.
```ts
/**
 * Translate a list of scopes to a resource access array for an App Registration
 */
function getRequiredResourceAccessList(delegatedPermissions: string[], applicationPermissions: string[], logger: Logger, debug: boolean): Promise<RequiredResourceAccess[]>;
```
This function would retrieve all service principals from Entra and translate the scope and role names into a list of RequiredResourceAccess entries.
There are probably more things that could benefit a little centralization.
Would such a thing be useful @pnp/cli-for-microsoft-365-maintainers?
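Added illustration of the translation step the proposal describes; this is not code from CLI for Microsoft 365 and not the author's proposed util. It takes the complete list of service principals (constructed inline here instead of fetched from Entra, with constructed GUIDs) and turns permission names such as "https://graph.microsoft.com/Sites.Read.All" into the requiredResourceAccess array of an application object. Property names follow the Graph servicePrincipal resource; the function name resolveRequiredResourceAccess and its synchronous signature are assumptions made so the example runs offline.

```typescript
// Added illustration; not code from CLI for Microsoft 365. It does the job the proposed
// util would do: take the complete list of service principals in the tenant (constructed
// inline here instead of fetched from Entra) and turn names such as
// "https://graph.microsoft.com/Sites.Read.All" into the requiredResourceAccess array of
// an application object. Property names follow the Graph servicePrincipal resource;
// every GUID below is a constructed sample value.

interface PermissionDefinition {
  id: string;     // GUID of the delegated scope or app role
  value: string;  // the textual name, e.g. "Sites.Read.All"
}

interface ServicePrincipal {
  appId: string;
  displayName: string;
  servicePrincipalNames: string[];                 // contains the resource URI used as prefix
  oauth2PermissionScopes: PermissionDefinition[];  // delegated permissions
  appRoles: PermissionDefinition[];                // application permissions
}

interface ResourceAccess {
  id: string;
  type: 'Scope' | 'Role';  // Scope = delegated, Role = application
}

interface RequiredResourceAccess {
  resourceAppId: string;
  resourceAccess: ResourceAccess[];
}

// Constructed sample data standing in for the result of GET /servicePrincipals.
const sampleServicePrincipals: ServicePrincipal[] = [
  {
    appId: '00000003-0000-0000-c000-000000000000',
    displayName: 'Microsoft Graph',
    servicePrincipalNames: ['https://graph.microsoft.com', '00000003-0000-0000-c000-000000000000'],
    oauth2PermissionScopes: [
      { id: '11111111-1111-1111-1111-111111111111', value: 'User.Read' },
      { id: '22222222-2222-2222-2222-222222222222', value: 'Sites.Read.All' }
    ],
    // An app role with the same name as a scope has a different id; the type decides which is used.
    appRoles: [{ id: '33333333-3333-3333-3333-333333333333', value: 'Sites.Read.All' }]
  },
  {
    appId: '44444444-4444-4444-4444-444444444444',
    displayName: 'Contoso API',
    servicePrincipalNames: ['api://contoso-api/'],
    oauth2PermissionScopes: [{ id: '55555555-5555-5555-5555-555555555555', value: 'access_as_user' }],
    appRoles: []
  }
];

// Resource URIs appear with and without a trailing slash; compare them in one form.
function normalizeResource(uri: string): string {
  return uri.replace(/\/+$/, '').toLowerCase();
}

// Splits "https://graph.microsoft.com/Sites.Read.All" at the last slash.
function splitPermissionName(name: string): { resource: string; value: string } {
  const i = name.lastIndexOf('/');
  if (i <= 0 || i === name.length - 1) {
    throw new Error(`'${name}' is not in the form <resource>/<permission>`);
  }
  return { resource: normalizeResource(name.slice(0, i)), value: name.slice(i + 1) };
}

function resolveRequiredResourceAccess(
  delegatedPermissions: string[],
  applicationPermissions: string[],
  servicePrincipals: ServicePrincipal[]
): RequiredResourceAccess[] {
  const result: RequiredResourceAccess[] = [];
  const unresolved: string[] = [];

  const resolve = (names: string[], type: 'Scope' | 'Role'): void => {
    for (const name of names) {
      const { resource, value } = splitPermissionName(name);
      const sp = servicePrincipals.filter(p =>
        p.servicePrincipalNames.some(n => normalizeResource(n) === resource))[0];
      const definitions: PermissionDefinition[] =
        !sp ? [] : (type === 'Scope' ? sp.oauth2PermissionScopes : sp.appRoles);
      const def = definitions.filter(d => d.value.toLowerCase() === value.toLowerCase())[0];
      if (!sp || !def) {
        unresolved.push(`${name} (${type})`);
        continue;
      }
      // One requiredResourceAccess entry per resource app, with duplicate ids collapsed.
      let entry = result.filter(r => r.resourceAppId === sp.appId)[0];
      if (!entry) {
        entry = { resourceAppId: sp.appId, resourceAccess: [] };
        result.push(entry);
      }
      if (!entry.resourceAccess.some(a => a.id === def.id && a.type === type)) {
        entry.resourceAccess.push({ id: def.id, type });
      }
    }
  };

  resolve(delegatedPermissions, 'Scope');
  resolve(applicationPermissions, 'Role');

  // Report every unknown name at once so the caller can fix them all in one go.
  if (unresolved.length > 0) {
    throw new Error(`Unknown permissions: ${unresolved.join(', ')}`);
  }
  return result;
}
```

Two details worth keeping when the real util is written: a permission that exists as both a delegated scope and an app role (Sites.Read.All above) resolves to different ids depending on whether it came from the delegated or the application list, and an unknown name should fail the command rather than silently drop the permission, since the resulting app registration would otherwise end up with fewer permissions than the user asked for.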