Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Improve support for dynamic consent #6524

Open
waldekmastykarz opened this issue Dec 20, 2024 · 4 comments
Open

Improve support for dynamic consent #6524

waldekmastykarz opened this issue Dec 20, 2024 · 4 comments

Comments

@waldekmastykarz
Copy link
Member

waldekmastykarz commented Dec 20, 2024

Consider the following scenario: you want to use the CLI for M365 in a setup script to automate creating a new Entra app reg for the project. The user might not have CLI installed, and you don't want to bother them with it, so you use npx to download it on demand. To simplify the usage, you use an existing Entra app, such as Microsoft Graph CLI, so that the user doesn't need to do setup first.

You can see this implemented in a script here: https://github.com/microsoft/learn-microsoft-graph-connectors-typescript/blob/main/setup.sh.

What's challenging is that the Graph CLI app by default has no permissions, so you need to use dynamic consent to grant it consent for the necessary permissions to create Entra app reges. Right now, this is a gap in the CLI, which is why in the script we're doing it manually.

Let's consider different ways in which we could simplify it, such as:

1. Extend the login command with --scopes which allows you to specify scopes that it should be included in the login flow
2. Extend the cli consent command with --scopes to let users specify separate scopes rather than just the service

Thoughts @pnp/cli-for-microsoft-365-maintainers? Any other solutions that we should consider?

@milanholemans
Copy link
Contributor

Nice suggestion, I'd vote for option 2.

@waldekmastykarz
Copy link
Member Author

Nice suggestion, I'd vote for option 2.

Out of curiosity, why do you prefer 2?

@milanholemans
Copy link
Contributor

In scenarios where you are already logged in and want to consent to an extra scope, It looks easier to just run a command to include the extra scope instead of having to log in again.

@waldekmastykarz
Copy link
Member Author

In scenarios where you are already logged in and want to consent to an extra scope, It looks easier to just run a command to include the extra scope instead of having to log in again.

Good call. It feels like there are two different use cases (first-time sign in vs. adding an extra scope) and the second solution (separate command) supports both of them. Let's go with it.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

2 participants