Fix PowerShell app update flow

2026-02-07 13:21:09 +01:00
parent c2820c0320
commit 932d1e0dda
2 changed files with 88 additions and 42 deletions
--- a/scripts/New-PublicClientApplication.ps1
+++ b/scripts/New-PublicClientApplication.ps1
@@ -92,15 +92,20 @@ $existingAppId = az ad app list --display-name $AppName --query "[0].appId" -o t
 if ($LASTEXITCODE -ne 0) {
    throw "Failed to query existing applications."
 }
-if (-not [string]::IsNullOrWhiteSpace($existingAppId)) {
-    Write-Error "Application '$AppName' already exists."
-    exit 1
-}

-# Create the app
-$appId = az ad app create --display-name $AppName --query "appId" -o tsv
-if ($LASTEXITCODE -ne 0 -or [string]::IsNullOrWhiteSpace($appId)) {
-    throw "Failed to create application '$AppName'."
+if (-not [string]::IsNullOrWhiteSpace($existingAppId)) {
+    $confirmation = Read-Host "Application '$AppName' already exists. Update it? [y/N]"
+    if ($confirmation -notmatch '^(?i:y|yes)$') {
+        Write-Host "Canceled."
+        exit 0
+    }
+    $appId = $existingAppId
+} else {
+    # Create the app
+    $appId = az ad app create --display-name $AppName --query "appId" -o tsv
+    if ($LASTEXITCODE -ne 0 -or [string]::IsNullOrWhiteSpace($appId)) {
+        throw "Failed to create application '$AppName'."
+    }
 }

 $requiredResourceAccess = Get-RequiredResourceAccess `
@@ -110,26 +115,24 @@ $requiredResourceAccess = Get-RequiredResourceAccess `
    -AzureDevOpsScopeId $azureDevOpsScopeId `
    -AzureServiceMgmtAppId $azureServiceMgmtAppId `
    -AzureServiceMgmtScopeId $azureServiceMgmtScopeId | ConvertTo-Json -Depth 10 -Compress
-
-$publicClientRedirectUris = @(
-    "http://localhost",
-    "msal${appId}://auth"
-) | ConvertTo-Json -Compress
+$requiredResourceAccessFile = [System.IO.Path]::GetTempFileName()
+Set-Content -Path $requiredResourceAccessFile -Value $requiredResourceAccess -NoNewline

 # Configure app to match "Azure Node Playground Public".
 az ad app update `
    --id $appId `
-    --set `
-    "signInAudience=AzureADMyOrg" `
-    "isFallbackPublicClient=true" `
-    "requiredResourceAccess=$requiredResourceAccess" `
-    "publicClient.redirectUris=$publicClientRedirectUris" `
-    "web.implicitGrantSettings.enableAccessTokenIssuance=true" `
-    "web.implicitGrantSettings.enableIdTokenIssuance=true" | Out-Null
+    --sign-in-audience AzureADMyOrg `
+    --is-fallback-public-client true `
+    --required-resource-accesses "@$requiredResourceAccessFile" `
+    --public-client-redirect-uris "http://localhost" "msal${appId}://auth" `
+    --enable-access-token-issuance true `
+    --enable-id-token-issuance true | Out-Null

 if ($LASTEXITCODE -ne 0) {
+    Remove-Item -Path $requiredResourceAccessFile -Force -ErrorAction SilentlyContinue
    throw "Failed to configure application '$AppName'."
 }
+Remove-Item -Path $requiredResourceAccessFile -Force -ErrorAction SilentlyContinue

 # Azure CLI is used to grant admin consent.

@@ -145,5 +148,23 @@ if ($LASTEXITCODE -ne 0) {
    throw "Failed to grant admin consent for '$AppName' ($appId)."
 }

-Write-Host "Created application '$AppName'"
+$tenantId = az account show --query tenantId -o tsv
+if ($LASTEXITCODE -ne 0 -or [string]::IsNullOrWhiteSpace($tenantId)) {
+    throw "Failed to resolve tenantId from current Azure CLI context."
+}
+
+if ([string]::IsNullOrWhiteSpace($existingAppId)) {
+    Write-Host "Created application '$AppName'"
+} else {
+    Write-Host "Updated application '$AppName'"
+}
 Write-Host "appId: $appId"
+
+$configTemplate = @"
+export const config = {
+    "appName": "$AppName",
+    "tenantId": "$tenantId",
+    "clientId": "$appId"
+};
+"@
+Write-Output $configTemplate