Added support for different Azure Environments

Author: erwinvanhunen

CHANGELOG.md

@@ -9,10 +9,12 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/).
 
 ### Added
 - Added -AzureEnvironment parameter to `Initialize-PnPPowerShellAuthentication` to create an Azure AD App in other Azure environments than the default one. 
+- Added -AzureEnvironment parameter to all Connect-PnPOnline options which result in an OAuth based authentication connection, supporting the various Azure Environments available. 
 
 ### Changed
 - Fixed issue with Submit-PnPTeamsChannelMessage not posting HTML message when setting the content type to Html.
 - The content type that Submit-PnPTeamsChannelMessage uses defaults now to HTML.
+- Fixed an issue with the PnP Provisioning Engine not being able to correctly acquire a token for the Microsoft Graph when provisioning a tenant template containing a Team.
 
 ### Contributors
 

Commands/Base/ConnectOnline.cs

@@ -522,6 +522,9 @@ public class ConnectOnline : BasePSCmdlet
         [Parameter(Mandatory = false, ParameterSetName = ParameterSet_APPONLYAADCER, HelpMessage = "The Azure environment to use for authentication, the defaults to 'Production' which is the main Azure environment.")]
         [Parameter(Mandatory = false, ParameterSetName = ParameterSet_TOKEN, HelpMessage = "The Azure environment to use for authentication, the defaults to 'Production' which is the main Azure environment.")]
         [Parameter(Mandatory = false, ParameterSetName = ParameterSet_APPONLYCLIENTIDCLIENTSECRETURL, HelpMessage = "The Azure environment to use for authentication, the defaults to 'Production' which is the main Azure environment.")]
+        [Parameter(Mandatory = false, ParameterSetName = ParameterSet_AADWITHSCOPE, HelpMessage = "The Azure environment to use for authentication, the defaults to 'Production' which is the main Azure environment.")]
+        [Parameter(Mandatory = false, ParameterSetName = ParameterSet_DEVICELOGIN, HelpMessage = "The Azure environment to use for authentication, the defaults to 'Production' which is the main Azure environment.")]
+        [Parameter(Mandatory = false, ParameterSetName = ParameterSet_GRAPHDEVICELOGIN, HelpMessage = "The Azure environment to use for authentication, the defaults to 'Production' which is the main Azure environment.")]
         public AzureEnvironment AzureEnvironment = AzureEnvironment.Production;
 
         [Parameter(Mandatory = true, ParameterSetName = ParameterSet_AADWITHSCOPE, HelpMessage = "The array of permission scopes to request from Azure Active Directory")]
@@ -710,7 +713,7 @@ protected void Connect()
                     break;
 
                 case ParameterSet_AADWITHSCOPE:
-                    connection = ConnectAadWithScope(credentials);
+                    connection = ConnectAadWithScope(credentials, AzureEnvironment);
                     break;
                 case ParameterSet_ACCESSTOKEN:
                     connection = ConnectAccessToken();
@@ -889,7 +892,7 @@ private PnPConnection ConnectDeviceLogin()
             {
                 Url += "/";
             }
-            var connection = PnPConnectionHelper.InstantiateDeviceLoginConnection(Url, LaunchBrowser, MinimalHealthScore, RetryCount, RetryWait, RequestTimeout, TenantAdminUrl, Host, NoTelemetry);
+            var connection = PnPConnectionHelper.InstantiateDeviceLoginConnection(Url, LaunchBrowser, MinimalHealthScore, RetryCount, RetryWait, RequestTimeout, TenantAdminUrl, Host, NoTelemetry, AzureEnvironment);
 
             if (Host.Name == "ConsoleHost")
             {
@@ -939,7 +942,7 @@ private PnPConnection ConnectGraphDeviceLogin(string accessToken)
                         }
                     }
                     return false;
-                }, Host, NoTelemetry);
+                }, Host, NoTelemetry, AzureEnvironment);
                 if (Host.Name == "ConsoleHost")
                 {
                     Console.TreatControlCAsInput = ctrlCAsInput;
@@ -1076,7 +1079,7 @@ private PnPConnection ConnectAppOnlyAadCer()
         /// </summary>
         /// <param name="credentials">Credentials to authenticate with for delegated access or NULL for application permissions</param>
         /// <returns>PnPConnection based on the parameters provided in the parameter set</returns>
-        private PnPConnection ConnectAadWithScope(PSCredential credentials)
+        private PnPConnection ConnectAadWithScope(PSCredential credentials, AzureEnvironment azureEnvironment)
         {
 #if !ONPREMISES
             // Filter out the scopes for the Microsoft Office 365 Management API
@@ -1100,7 +1103,7 @@ private PnPConnection ConnectAadWithScope(PSCredential credentials)
                 //    TokenManager.InitializeAsync(TokenManager.CLIENTID_PNPMANAGEMENTSHELL, officeManagementApiScopes.Select(s => $"https://manage.office.com/{s}").ToArray(), credentials.UserName, credentials.Password, cacheIdentifierName: "OfficeManagementApi").GetAwaiter().GetResult();
                 //}
 
-                var officeManagementApiToken = credentials == null ? OfficeManagementApiToken.AcquireApplicationTokenInteractive(PnPConnection.PnPManagementShellClientId, officeManagementApiScopes) : OfficeManagementApiToken.AcquireDelegatedTokenWithCredentials(PnPConnection.PnPManagementShellClientId, officeManagementApiScopes, credentials.UserName, credentials.Password);
+                var officeManagementApiToken = credentials == null ? OfficeManagementApiToken.AcquireApplicationTokenInteractive(PnPConnection.PnPManagementShellClientId, officeManagementApiScopes, azureEnvironment) : OfficeManagementApiToken.AcquireDelegatedTokenWithCredentials(PnPConnection.PnPManagementShellClientId, officeManagementApiScopes, credentials.UserName, credentials.Password, azureEnvironment);
 #else
                 var officeManagementApiToken = credentials == null ? OfficeManagementApiToken.AcquireApplicationTokenDeviceLogin(PnPConnection.PnPManagementShellClientId, officeManagementApiScopes, PnPConnection.DeviceLoginCallback(this.Host, true)) : OfficeManagementApiToken.AcquireDelegatedTokenWithCredentials(PnPConnection.PnPManagementShellClientId, officeManagementApiScopes, credentials.UserName, credentials.Password);
 #endif
@@ -1111,7 +1114,7 @@ private PnPConnection ConnectAadWithScope(PSCredential credentials)
             if (graphScopes.Length > 0)
             {
 #if !PNPPSCORE
-                var graphToken = credentials == null ? GraphToken.AcquireApplicationTokenInteractive(PnPConnection.PnPManagementShellClientId, graphScopes) : GraphToken.AcquireDelegatedTokenWithCredentials(PnPConnection.PnPManagementShellClientId, graphScopes, credentials.UserName, credentials.Password);
+                var graphToken = credentials == null ? GraphToken.AcquireApplicationTokenInteractive(PnPConnection.PnPManagementShellClientId, graphScopes, azureEnvironment) : GraphToken.AcquireDelegatedTokenWithCredentials(PnPConnection.PnPManagementShellClientId, graphScopes, credentials.UserName, credentials.Password, azureEnvironment);
 #else
                 var graphToken = credentials == null ? GraphToken.AcquireApplicationTokenDeviceLogin(PnPConnection.PnPManagementShellClientId, graphScopes, PnPConnection.DeviceLoginCallback(this.Host, true)) : GraphToken.AcquireDelegatedTokenWithCredentials(PnPConnection.PnPManagementShellClientId, graphScopes, credentials.UserName, credentials.Password);
 #endif
@@ -1341,6 +1344,7 @@ private PnPConnection ConnectCredentials(PSCredential credentials)
                                                                      RequestTimeout,
                                                                      TenantAdminUrl,
                                                                      NoTelemetry,
+                                                                     AzureEnvironment,
                                                                      SkipTenantAdminCheck,
                                                                      AuthenticationMode);
 #else

Commands/Base/PnPConnection.cs

@@ -18,6 +18,7 @@
 using System.Web;
 using TextCopy;
 using PnP.PowerShell.CmdletHelpAttributes;
+using OfficeDevPnP.Core;
 
 namespace PnP.PowerShell.Commands.Base
 {
@@ -116,6 +117,8 @@ public HttpClient HttpClient
         /// </summary>
         public string Tenant { get; set; }
 
+        public AzureEnvironment AzureEnvironment { get; set; } = AzureEnvironment.Production;
+
         #endregion
 
         #region Fields
@@ -137,7 +140,7 @@ public HttpClient HttpClient
         /// <returns>AccessToken for the audience or NULL if unable to retrieve an access token for the audience on the current connection</returns>
         internal string TryGetAccessToken(TokenAudience tokenAudience, string[] roles = null)
         {
-            return TryGetToken(tokenAudience, roles)?.AccessToken;
+            return TryGetToken(tokenAudience, AzureEnvironment, roles)?.AccessToken;
         }
 
         internal static Action<DeviceCodeResult> DeviceLoginCallback(PSHost host, bool launchBrowser)
@@ -163,7 +166,7 @@ internal static Action<DeviceCodeResult> DeviceLoginCallback(PSHost host, bool l
         /// <param name="tokenAudience">Audience to try to get a token for</param>
         /// <param name="orRoles">The specific roles to request access to (i.e. Group.ReadWrite.All). Optional, will use default groups assigned to clientId if not specified.</param>
         /// <returns><see cref="GenericToken"/> for the audience or NULL if unable to retrieve a token for the audience on the current connection</returns>
-        internal GenericToken TryGetToken(TokenAudience tokenAudience, string[] orRoles = null, string[] andRoles = null, TokenType tokenType = TokenType.All)
+        internal GenericToken TryGetToken(TokenAudience tokenAudience, AzureEnvironment azureEnvironment, string[] orRoles = null, string[] andRoles = null, TokenType tokenType = TokenType.All)
         {
             GenericToken token = null;
 
@@ -176,19 +179,19 @@ internal GenericToken TryGetToken(TokenAudience tokenAudience, string[] orRoles
                         var officeManagementApiScopes = Enum.GetNames(typeof(OfficeManagementApiPermission)).Select(s => s.Replace("_", ".")).Intersect(Scopes).ToArray();
                         // Take the remaining scopes and try requesting them from the Microsoft Graph API
                         var scopes = Scopes.Except(officeManagementApiScopes).ToArray();
-                        token = GraphToken.AcquireApplicationTokenDeviceLogin(PnPConnection.PnPManagementShellClientId, scopes, DeviceLoginCallback(null, false));
+                        token = GraphToken.AcquireApplicationTokenDeviceLogin(PnPConnection.PnPManagementShellClientId, scopes, DeviceLoginCallback(null, false), AzureEnvironment);
                     }
                     else
                     {
                         if (!string.IsNullOrEmpty(Tenant))
                         {
                             if (Certificate != null)
                             {
-                                token = GraphToken.AcquireApplicationToken(Tenant, ClientId, Certificate);
+                                token = GraphToken.AcquireApplicationToken(Tenant, ClientId, Certificate, AzureEnvironment);
                             }
                             else if (ClientSecret != null)
                             {
-                                token = GraphToken.AcquireApplicationToken(Tenant, ClientId, ClientSecret);
+                                token = GraphToken.AcquireApplicationToken(Tenant, ClientId, ClientSecret, AzureEnvironment);
                             }
                             else if (Scopes != null)
                             {
@@ -197,7 +200,7 @@ internal GenericToken TryGetToken(TokenAudience tokenAudience, string[] orRoles
                                 var scopes = Scopes.Except(officeManagementApiScopes).ToArray();
                                 if (scopes.Length > 0)
                                 {
-                                    token = PSCredential == null ? GraphToken.AcquireApplicationTokenInteractive(PnPManagementShellClientId, scopes) : GraphToken.AcquireDelegatedTokenWithCredentials(PnPManagementShellClientId, scopes, PSCredential.UserName, PSCredential.Password);
+                                    token = PSCredential == null ? GraphToken.AcquireApplicationTokenInteractive(PnPManagementShellClientId, scopes, azureEnvironment) : GraphToken.AcquireDelegatedTokenWithCredentials(PnPManagementShellClientId, scopes, PSCredential.UserName, PSCredential.Password, azureEnvironment);
                                 }
                                 else
                                 {
@@ -213,19 +216,19 @@ internal GenericToken TryGetToken(TokenAudience tokenAudience, string[] orRoles
                     {
                         if (Certificate != null)
                         {
-                            token = OfficeManagementApiToken.AcquireApplicationToken(Tenant, ClientId, Certificate);
+                            token = OfficeManagementApiToken.AcquireApplicationToken(Tenant, ClientId, Certificate, AzureEnvironment);
                         }
                         else if (ClientSecret != null)
                         {
-                            token = OfficeManagementApiToken.AcquireApplicationToken(Tenant, ClientId, ClientSecret);
+                            token = OfficeManagementApiToken.AcquireApplicationToken(Tenant, ClientId, ClientSecret, AzureEnvironment);
                         }
                         else if (Scopes != null)
                         {
                             var scopes = Enum.GetNames(typeof(OfficeManagementApiPermission)).Select(s => s.Replace("_", ".")).Intersect(Scopes).ToArray();
                             // Take the remaining scopes and try requesting them from the Microsoft Graph API
                             if (scopes.Length > 0)
                             {
-                                token = PSCredential == null ? OfficeManagementApiToken.AcquireApplicationTokenInteractive(PnPManagementShellClientId, scopes) : OfficeManagementApiToken.AcquireDelegatedTokenWithCredentials(PnPManagementShellClientId, scopes, PSCredential.UserName, PSCredential.Password);
+                                token = PSCredential == null ? OfficeManagementApiToken.AcquireApplicationTokenInteractive(PnPManagementShellClientId, scopes, azureEnvironment) : OfficeManagementApiToken.AcquireDelegatedTokenWithCredentials(PnPManagementShellClientId, scopes, PSCredential.UserName, PSCredential.Password, azureEnvironment);
                             }
                             else
                             {
@@ -514,13 +517,15 @@ public static PnPConnection GetConnectionWithToken(GenericToken token,
                                                            ClientContext clientContext = null,
                                                            int? minimalHealthScore = null,
                                                            string pnpVersionTag = null,
-                                                           bool disableTelemetry = false)
+                                                           bool disableTelemetry = false,
+                                                           AzureEnvironment azureEnvironment = AzureEnvironment.Production)
         {
             var connection = new PnPConnection(host, initializationType, url, clientContext, new Dictionary<TokenAudience, GenericToken>(1) { { tokenAudience, token } }, minimalHealthScore, pnpVersionTag, disableTelemetry)
             {
                 ConnectionMethod = ConnectionMethod.AccessToken,
                 Tenant = token.ParsedToken.Claims.FirstOrDefault(c => c.Type.Equals("tid", StringComparison.InvariantCultureIgnoreCase))?.Value,
-                ClientId = token.ParsedToken.Claims.FirstOrDefault(c => c.Type.Equals("appid", StringComparison.InvariantCultureIgnoreCase))?.Value
+                ClientId = token.ParsedToken.Claims.FirstOrDefault(c => c.Type.Equals("appid", StringComparison.InvariantCultureIgnoreCase))?.Value,
+                AzureEnvironment = azureEnvironment
             };
             connection.PSCredential = credentials;
             return connection;