Implementing Federated Identity when running in GitHub Actions should be added to the CLI so we can start supporting deployment of apps without adding certificates to CI/CD. The explanation of this blog post needs to be followed to set this up.
Options
My proposition is to add the value federatedIdentity to the authType option of the login command:
| Option | Description |
|---|---|
| -t, --authType [authType] | The type of authentication to use. Allowed values certificate, deviceCode, password, identity, federatedIdentity, browser, secret. Default deviceCode. |
For using FI within GitHub Actions, this is all we need in terms of options.
Remarks
We need to add the following remark:
Federated identity is currently only supported in GitHub Actions.
Implementation
We'll check if the $ACTIONS_ID_TOKEN_REQUEST_TOKEN and $ACTIONS_ID_TOKEN_REQUEST_URL environment variables are present, and if so: assume we are running in GitHub Actions. We can then request a GitHub federation token using these environment variables, as explained in the blog post. Posting this token to login.microsoftonline.com is easy.
Adding this to the CLI login action can be done afterwards.
How to test this out
I've created a POC PR that showcases how this works.
I've also published a test package to npm that can be installed and used to test this on GH Actions:
npm install @martinlingstuyl/cli-microsoft365@next -g
You'll need an App Registration in Entra ID with app-only permissions on the SharePoint resource. You'll need to add a Federated Credential like I've done below. But you'll need to configure your own GitHub repository where you'll run the GH workflow.

The following example pipeline can be used to test the created npm package on a repository.
```yaml
name: Test Federated Credential CLI for Microsoft 365
on:
  workflow_dispatch:
  push:
# id-token: write is required so the runner exposes the OIDC request variables
permissions:
  id-token: write
  contents: read
jobs:
  test:
    name: 'Test'
    runs-on: ubuntu-latest
    steps:
      - name: 'Checkout GitHub Action'
        uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
      - name: 'Install CLI'
        run: "npm install @martinlingstuyl/cli-microsoft365@next -g"
      - name: 'Get version'
        shell: pwsh
        run: "m365 version"
      - name: 'Connect using Federated Identity'
        run: 'm365 login --authType federatedIdentity --appId "<some-client-id>" --tenant "<some-tenant-id>"'
      - name: 'Get status'
        run: "m365 status"
      - name: 'Get some info'
        shell: bash
        run: |
          m365 spo set --url https://contoso.sharepoint.com
          m365 spo site get --url https://contoso.sharepoint.com/sites/sales
```
The result:
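The two-step exchange described under Implementation, sketched as an added example (this is not code from the POC PR or from the CLI itself). The function names and the injectable `fetchImpl` parameter are hypothetical; the audience `api://AzureADTokenExchange` is assumed to be the one configured on the federated credential.

```javascript
// Added example: detect GitHub Actions OIDC, fetch the ID token, exchange it at Entra ID.
const AUDIENCE = 'api://AzureADTokenExchange'; // assumed audience of the federated credential

// Both variables are only set when the workflow grants `id-token: write`.
function isGitHubActionsOidc(env) {
  return Boolean(env.ACTIONS_ID_TOKEN_REQUEST_TOKEN && env.ACTIONS_ID_TOKEN_REQUEST_URL);
}

// Decode the JWT payload WITHOUT verifying it; for diagnostics only, Entra ID does the validation.
function decodeClaims(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('Not a JWT');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// Step 1: ask the runner's OIDC endpoint for an ID token with the expected audience.
async function getGitHubIdToken(env, fetchImpl = fetch) {
  if (!isGitHubActionsOidc(env)) throw new Error('Federated identity requires GitHub Actions with id-token: write');
  const url = new URL(env.ACTIONS_ID_TOKEN_REQUEST_URL);
  if (url.protocol !== 'https:') throw new Error('Refusing non-HTTPS token endpoint');
  url.searchParams.set('audience', AUDIENCE); // keeps the query parameters already in the URL
  const res = await fetchImpl(url.toString(), {
    headers: { Authorization: `Bearer ${env.ACTIONS_ID_TOKEN_REQUEST_TOKEN}` }
  });
  if (!res.ok) throw new Error(`GitHub OIDC request failed: ${res.status}`);
  return (await res.json()).value;
}

// Step 2: client-credentials grant with the GitHub token as the client assertion.
async function exchangeForAccessToken({ tenant, appId, scope, idToken }, fetchImpl = fetch) {
  const body = new URLSearchParams({
    grant_type: 'client_credentials',
    client_id: appId,
    scope,
    client_assertion_type: 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer',
    client_assertion: idToken
  });
  const tokenUrl = `https://login.microsoftonline.com/${encodeURIComponent(tenant)}/oauth2/v2.0/token`;
  const res = await fetchImpl(tokenUrl, {
    method: 'POST',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: body.toString()
  });
  const json = await res.json();
  if (!res.ok) throw new Error(`Token exchange failed: ${json.error}`); // never log the assertion itself
  return json.access_token;
}
```

When the exchange is rejected, comparing `decodeClaims(idToken).sub` with the subject configured on the Federated Credential is the first thing to check.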
