Prepare ConfigureExchangeHybridApplication script to use 1P HCW app #2549
Open
lusassl-msft wants to merge 7 commits into
Conversation
Contributor (Author)
/azp run

Azure Pipelines successfully started running 1 pipeline(s).
Contributor
Pull request overview
This PR updates the hybrid-application onboarding/authentication flow across the repo, switching token acquisition to the first-party “Microsoft Exchange Hybrid Wizard” app and adding device-code authentication support for browser-less hosts (notably Windows Server Core). It also updates ConfigureExchangeHybridApplication to enable the Graph MailTips routing setting override and improves the Setting Override “Enabled=” detection when overrides contain multiple parameters.
Changes:
- Updated Get-GraphAccessToken to use the HCW first-party client ID, default to .default openid profile, and add OAuth 2.0 device code flow support.
- Removed Graph-call dependency for signed-in user/admin-consent eligibility checks by decoding access token claims (oid/wids) instead.
- Added Server Core detection helper and integrated device-code selection into ConfigureExchangeHybridApplication and the CVE-2023-23397 script; updated docs and spelling dictionary.
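As an added example (not the repository's code) of the token-claims approach described above, this PowerShell decodes a JWT's header and payload offline and reads the oid and wids claims. Convert-JsonWebTokenToObject is the helper name the PR uses, but its body here, the Test-AdminConsentEligible helper, the role template id it checks and the sample token are my assumptions.

```powershell
function ConvertFrom-Base64Url {
    # JWT segments are base64url (RFC 4648 section 5): '-' and '_' replace '+' and '/', padding is dropped.
    param([Parameter(Mandatory)][string]$Value)
    $s = $Value.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) {
        1 { throw "Invalid base64url segment length" }
        2 { $s += '==' }
        3 { $s += '=' }
    }
    return ,[Convert]::FromBase64String($s)
}

function ConvertTo-Base64Url {
    param([Parameter(Mandatory)][byte[]]$Bytes)
    return [Convert]::ToBase64String($Bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

function Convert-JsonWebTokenToObject {
    # Name taken from the PR; this body is an assumption, not the repository's implementation.
    # Only header and payload are decoded; the signature is NOT verified. The script gets the token
    # straight from the token endpoint over TLS and Graph validates it again on every call, so the
    # decoded claims drive pre-flight UX decisions only, never an authorization decision.
    param([Parameter(Mandatory)][string]$Token)
    $parts = $Token.Split('.')
    if ($parts.Count -ne 3) { throw "Expected a compact JWS token with three segments" }
    $utf8 = [System.Text.Encoding]::UTF8
    $header = $utf8.GetString([byte[]](ConvertFrom-Base64Url $parts[0])) | ConvertFrom-Json
    $payload = $utf8.GetString([byte[]](ConvertFrom-Base64Url $parts[1])) | ConvertFrom-Json
    return [PSCustomObject]@{ Header = $header; Payload = $payload }
}

function Test-AdminConsentEligible {
    # Reads oid/wids from the token instead of calling Graph. The id below is the Global Administrator
    # role template id documented by Microsoft; that this is the role the PR checks is an assumption.
    param([Parameter(Mandatory)]$Payload)
    $globalAdminTemplateId = '62e90394-69f5-4237-9190-012177145e10'
    return ($null -ne $Payload.oid) -and (@($Payload.wids) -contains $globalAdminTemplateId)
}

# Constructed sample token: placeholder oid, one role id, random bytes in place of a signature.
$utf8 = [System.Text.Encoding]::UTF8
$claimsJson = '{"oid":"11111111-2222-3333-4444-555555555555","wids":["62e90394-69f5-4237-9190-012177145e10"],"scp":"openid profile"}'
$sampleToken = '{0}.{1}.{2}' -f (ConvertTo-Base64Url $utf8.GetBytes('{"typ":"JWT","alg":"RS256"}')),
                               (ConvertTo-Base64Url $utf8.GetBytes($claimsJson)),
                               (ConvertTo-Base64Url ([byte[]](1..32)))

$decoded = Convert-JsonWebTokenToObject $sampleToken
"Signed-in object id: $($decoded.Payload.oid)"
"Eligible to grant admin consent: $(Test-AdminConsentEligible $decoded.Payload)"
```

A missing or empty id_token (for instance when the openid scope was not granted) makes Convert-JsonWebTokenToObject throw on the segment count, so callers should test for the claim before decoding.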
Reviewed changes
Copilot reviewed 11 out of 11 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| Shared/Test-IsServerCoreOperatingSystem.ps1 | Adds a helper to detect Windows Server Core to drive browser-less auth decisions. |
| Shared/ScriptUpdateFunctions/Invoke-WebRequestWithProxyDetection.ps1 | Adds an opt-in mode to surface HTTP error responses (needed for device-code polling). |
| Shared/GraphApiFunctions/Update-ExchangeAzureApplication.ps1 | Updates signed-in user lookup to use the new token-claims-based helper signature. |
| Shared/GraphApiFunctions/New-ExchangeAzureApplication.ps1 | Updates signed-in user lookup to use the new token-claims-based helper signature. |
| Shared/GraphApiFunctions/Get-AzureSignedInUserInformation.ps1 | Reworks signed-in user/admin-consent eligibility to read JWT claims instead of calling Graph. |
| Shared/AzureFunctions/Get-GraphAccessToken.ps1 | Switches to HCW app + .default scopes, and adds device code flow support. |
| Security/src/CVE-2023-23397/CVE-2023-23397.ps1 | Adds -UseDeviceCodeFlow and automatic Server Core device-code selection for Graph auth. |
| Hybrid/ConfigureExchangeHybridApplication/ConfigureExchangeHybridApplication.ps1 | Adds -UseDeviceCodeFlow, auto Server Core device-code selection, fixes override detection, and enables MailTips routing override parameters. |
| docs/Security/CVE-2023-23397/index.md | Documents the new UseDeviceCodeFlow switch. |
| docs/Hybrid/ConfigureExchangeHybridApplication.md | Documents UseGraphApiOnly, RemoveApiPermissions, and UseDeviceCodeFlow. |
| .build/cspell-words.txt | Adds new terms used by the device-code flow and token-claim logic. |
Comment on lines +234 to +239
| if (-not $connectionSuccessful) { | ||
| Write-Host "Timed out waiting for the device code sign-in to complete." -ForegroundColor Red | ||
| } | ||
|
|
||
| return | ||
| } |
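Review bot: the timeout branch at +234 to +239 only writes "Timed out waiting for the device code sign-in to complete." and then falls through, so the caller continues as if a token had been obtained; add a `return` after the Write-Host (the suggested `return` / `}` lines) so the function exits without tokens on timeout.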
Comment on lines +186 to +190
| if (($null -ne $redeemDeviceCodeResponse) -and | ||
| ($redeemDeviceCodeResponse.StatusCode -eq 200)) { | ||
| $tokens = $redeemDeviceCodeResponse.Content | ConvertFrom-Json | ||
| $idTokenPayload = (Convert-JsonWebTokenToObject $tokens.id_token).Payload | ||
| $connectionSuccessful = $true |
| return | ||
| } | ||
|
|
||
| $idTokenPayload = (Convert-JsonWebTokenToObject $tokens.id_token).Payload |
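Review bot: at +186 to +190 the id token is decoded with `Convert-JsonWebTokenToObject $tokens.id_token` as soon as the redeem response returns 200, with no check that `$tokens.id_token` is present, so a token response without an id_token (the claim set depends on the openid scope being granted) hands `$null` to the decoder before `$connectionSuccessful` is set. Guard the decode, for example `if ($tokens.id_token) { ... }`, or decode the payload after the polling loop as the separate `$idTokenPayload = ...` suggestion line indicates.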
Description:
With this PR, we change several things:
- Microsoft Exchange Hybrid Wizard first-party application to acquire the identity and access token
- Device Code Flow token workflow on Windows Server Core - this removes the dependency on a web browser
Validation:
Lab / Test Team (validation pending)