prevent missing refresh_token in claims

JohnDuprey · JohnDuprey · commit 49741ff0fb57 · 2025-06-12T13:26:01.000-04:00
diff --git a/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/CIPP/Setup/Invoke-ExecAddTenant.ps1 b/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/CIPP/Setup/Invoke-ExecAddTenant.ps1
@@ -22,7 +22,11 @@ function Invoke-ExecAddTenant {
         # Check if tenant already exists
         $ExistingTenant = Get-CIPPAzDataTableEntity @TenantsTable -Filter "PartitionKey eq 'Tenants' and RowKey eq '$tenantId'"
 
-        if ($ExistingTenant) {
+        if ($tenantId -eq $env:TenantID) {
+            # If the tenant is the partner tenant, return an error because you cannot add the partner tenant as direct tenant
+            $Results = @{'message' = 'You cannot add the partner tenant as a direct tenant.'; 'severity' = 'error'; 'state' = 'error' }
+            Write-LogMessage -API 'Add-Tenant' -message "Attempted to add partner tenant $tenantId as direct tenant." -Sev 'Error'
+        } elseif ($ExistingTenant) {
             # Update existing tenant
             $ExistingTenant.delegatedPrivilegeStatus = 'directTenant'
             Add-CIPPAzDataTableEntity @TenantsTable -Entity $ExistingTenant -Force | Out-Null
diff --git a/Modules/CIPPCore/Public/GraphHelper/Get-GraphToken.ps1 b/Modules/CIPPCore/Public/GraphHelper/Get-GraphToken.ps1
@@ -21,7 +21,7 @@ function Get-GraphToken($tenantid, $scope, $AsApp, $AppID, $AppSecret, $refreshT
     $TenantsTable = Get-CippTable -tablename 'Tenants'
     $Filter = "PartitionKey eq 'Tenants' and delegatedPrivilegeStatus eq 'directTenant'"
     $ClientType = Get-CIPPAzDataTableEntity @TenantsTable -Filter $Filter | Where-Object { $_.customerId -eq $tenantid -or $_.defaultDomainName -eq $tenantid }
-    if ($clientType.delegatedPrivilegeStatus -eq 'directTenant') {
+    if ($tenantid -ne $env:TenantID -and $clientType.delegatedPrivilegeStatus -eq 'directTenant') {
         Write-Host "Using direct tenant refresh token for $($clientType.customerId)"
         $ClientRefreshToken = Get-Item -Path "env:\$($clientType.customerId)" -ErrorAction SilentlyContinue
         $refreshToken = $ClientRefreshToken.Value
