Avoid querying graph APIs for ASO #724
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Tatsinnit
approved these changes
Jun 20, 2024
There was a problem hiding this comment.
Thank you so much for this, it will be nice to document this for the knowledge and loop back of @qpetraroia as well.
I have nothing much to add, given this is specific to the fix, let's get it in. I have trust that we have tested this. Thanks heaps.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Addresses #552.
Ideally, we would want to query graph APIs to get the service principal associated with the specified application client ID.
We cannot do that at the moment, because the client application used to obtain an access token does not have the appropriate delegated permissions. We can add this in the future, but it would require defining our own first party application (which would also be required for #253).
Until then we need to remove the service principal retrieval and role assignment checking. The onus will now be on the user to specify the correct application client ID and secret, and ensure the service principal has access to the selected subscription. This is how the feature was originally designed, so it's not an excessively severe limitation.