Currently, commands that require a connection to the tenant admin site (contoso-admin.sharepoint.com) check if the user is connected to the tenant admin site using the spo connect site. If not, they display an error telling the user to explicitly connect to the tenant admin site before running the command. We could improve this experience by automatically getting an access token to the tenant admin site without bothering the user. Doing this is possible, because AAD issues multi-resource refresh tokens that can be used for obtaining access tokens to different resources in the same AAD.
Any opinions @estruyf, @andrewconnell, @wictorwilen?
Automatically switching is great, but it might have an impact. What if the user accidentally adds a command which is tenant scoped in his script? At this moment the user will get an error to log in to the tenant admin sites, which makes him aware he is going to use a higher scoped command.
When it is all done automatically, the user will not notice it, and if he accidentally took the wrong command, it can mess things up. Of course, this can also happen when the user is already logged in.
That could potentially be an issue. If we look at the non-interactive mode, we could require users to include an extra spo connect <tenant-admin-url> command in their script, which would make it more explicit. When we can store credentials, we could silently switch without halting the script flow.
@erwinvanhunen how is context switching handled in scripts built using PnP PowerShell when some commands apply to tenant and some to a site? Do you require users to call Connect-PnPOnline each time they want to work on a different site or do they switch automatically based on the provided URL/called cmdlet?
Would an additional flag be an option? That way, the user has to explicitly tell the CLI that it wants to use that automatic flow.
You mean something like spo connect <random-site> --autoswitch?
Yes, that is exactly what I meant.
Let's see what others think.
In the case of the PnP Cmdlets, the cmdlets only autoswitch to tenant level if the cmdlet is based upon the PnPAdminCmdlet base class. Those are all called `<verb>-PnPTenant<noun>`.
There is one cmdlet that does an under-the-hood switch to another site: Remove-PnPApp. It switches context to the Tenant App Catalog.
@erwinvanhunen but when they do switch there is no confirmation or explicit flag the user has to set to make it happen seamlessly?
At this moment we support automatically switching from tenant admin to regular sites but not the other way around. We use this approach in a few commands and it seems to be working. Let's keep using it for now and revise in the future if necessary.