fix confidential client auth on china cloud

jazuntee · jazuntee · commit 7d88addcca08 · 2023-01-27T14:28:30.000-05:00
diff --git a/src/Invoke-AADAssessmentDataCollection.ps1 b/src/Invoke-AADAssessmentDataCollection.ps1
@@ -184,7 +184,7 @@ function Invoke-AADAssessmentDataCollection {
             Write-AppInsightsTrace ("{0} - Directory Role Assignments" -f $MyInvocation.MyCommand.Name) -SeverityLevel Verbose -IncludeProcessStatistics -OrderedProperties (Get-ReferencedIdCacheDetail $ReferencedIdCache)
             Write-Progress -Id 0 -Activity ('Microsoft Azure AD Assessment - {0}' -f $InitialTenantDomain) -Status 'Directory Role Assignments' -PercentComplete 30
 
-            if ($script:ConnectState.CloudEnvironment -in 'USGov', 'USGovDoD') {
+            if ($script:ConnectState.CloudEnvironment -in 'USGov', 'USGovDoD', 'China') {
                 ## MS Graph endpoint roleManagement/directory/roleAssignments must still have filter on Gov tenants
                 $roleDefinitions | Get-MsGraphResults 'roleManagement/directory/roleAssignments' -Select 'id,directoryScopeId,principalId' -Filter "roleDefinitionId eq '{0}'" -QueryParameters @{ '$expand' = 'roleDefinition($select=id,templateId,displayName)' } `
                 | Add-AadReferencesToCache -Type roleAssignments -ReferencedIdCache $ReferencedIdCache -PassThru `
diff --git a/src/internal/Confirm-ModuleAuthentication.ps1 b/src/internal/Confirm-ModuleAuthentication.ps1
@@ -93,7 +93,7 @@ function Confirm-ModuleAuthentication {
         Write-Warning 'Using a confidential client is non-interactive and requires that the necessary scopes/permissions be added to the application or have permissions on-behalf-of a user.'
         $Stopwatch = [System.Diagnostics.Stopwatch]::StartNew()
         try {
-            $MsGraphToken = Get-MsalToken -ConfidentialClientApplication $ClientApplication -Scopes 'https://graph.microsoft.com/.default' -CorrelationId $CorrelationId -Verbose:$false -ErrorAction Stop
+            $MsGraphToken = Get-MsalToken -ConfidentialClientApplication $ClientApplication -Scopes ([IO.Path]::Combine($script:mapMgEnvironmentToMgEndpoint[$CloudEnvironment], '.default')) -CorrelationId $CorrelationId -Verbose:$false -ErrorAction Stop
         }
         catch { throw }
         finally {

Original file line number	Diff line number	Diff line change
`@@ -93,7 +93,7 @@ function Confirm-ModuleAuthentication {`
`93`	`93`	`Write-Warning 'Using a confidential client is non-interactive and requires that the necessary scopes/permissions be added to the application or have permissions on-behalf-of a user.'`
`94`	`94`	`$Stopwatch = [System.Diagnostics.Stopwatch]::StartNew()`
`95`	`95`	`try {`
`96`		`- $MsGraphToken = Get-MsalToken -ConfidentialClientApplication $ClientApplication -Scopes 'https://graph.microsoft.com/.default' -CorrelationId $CorrelationId -Verbose:$false -ErrorAction Stop`
	`96`	`+ $MsGraphToken = Get-MsalToken -ConfidentialClientApplication $ClientApplication -Scopes ([IO.Path]::Combine($script:mapMgEnvironmentToMgEndpoint[$CloudEnvironment], '.default')) -CorrelationId $CorrelationId -Verbose:$false -ErrorAction Stop`
`97`	`97`	`}`
`98`	`98`	`catch { throw }`
`99`	`99`	`finally {`