WaelHamze / dyn365-ce-vsts-tasks

VSTS Extension for Dynamics 365 Customer Engagement
https://marketplace.visualstudio.com/items?itemName=WaelHamze.xrm-ci-framework-build-tasks
GNU General Public License v3.0
117 stars 56 forks

Backup online instance and Set instance to Admin mode (MFA) #167

Open petercroston opened 4 years ago

petercroston commented 4 years ago

Hi @WaelHamze

Firstly, thank you for the epic tool set!

My question is regarding the tasks Backup online instance and Set to Admin mode.

I get the following warning when I try to run them in our pipeline: [warning]ERROR REQUESTING Token FROM THE Authentication context - USER intervention required

I believe this is due to MFA... Is there any way around this so we can use these in our pipeline and remove the manual process?

Many thanks. :-)

WaelHamze commented 4 years ago

@petercroston

I normally use a service account that is not subject to MFA.

Hopefully there will be support for service principals at some point too.

petercroston commented 4 years ago

@WaelHamze, thanks, I will see if our client will allow for an account without MFA, and agree, hopefully they will bring in support for service principals.

gertjants commented 4 years ago

@WaelHamze In certain environments that's not possible.

The main problem here is in Microsoft.Xrm.OnlineManagementAPI.Auth.AuthManager. The "ExecuteAuthenticateServiceProcess" doesn't have any overloads other than for ClientCredentials.

I did some digging into what admin.powerplatform.com does[1], and this is how it disables/enables admin mode. This is provided you of course generate an OAuth token for your application credentials[2]:

GET https://admin.powerplatform.microsoft.com/api/environments?token={token}

This will give you all environments and subsequent IDs. Probably you can replace ?token= with a proper authentication header. In any case this will allow you to perform the next request.

POST https://admin.powerplatform.microsoft.com/api/environments/updatesettings?geo={region, EMEA for Europe}

{
  instanceId: "{instance guid}"
  environmentId: "{environment guid}"
  name: "{display name}"
  domain: "{url you want}"
  type: "Sandbox"
  purpose: "{Description you want}"
  securityGroupId: "00000000-0000-0000-0000-000000000000"
  adminModeEnabled: false
  backgroundOperationsEnabled: false
  updateCadence: "Moderate"
  isUnlinkedEnvironmentUpdate: "false"
}

[1] = In my experience it's a whole lot easier to intercept the HTTP requests MS makes in their admin portals than to rely on the SDKs.

[2] = Create OAuth request, type client_credentials, resource={url to environment}
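Added example, not part of the thread or of the project's code: the two requests described in the last comment, built in Python so the token travels in an Authorization header instead of the `?token=` query string, where it would end up in proxy and pipeline logs. Assumptions: the Azure AD v1 token endpoint is used for the client_credentials grant, the portal endpoint (undocumented, taken from the comment) accepts a Bearer header as the commenter guesses, and all function names and sample values are hypothetical.

```python
import json
import urllib.parse
import urllib.request

# Endpoint as quoted in the comment above; it is not a documented API.
ADMIN_API = "https://admin.powerplatform.microsoft.com/api/environments"


def build_token_request(tenant_id, client_id, client_secret, environment_url):
    """OAuth 2.0 client_credentials request (Azure AD v1 token endpoint)."""
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,   # read from a pipeline secret variable
        "resource": environment_url,      # footnote [2]: URL of the environment
    }).encode()
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/token"
    return urllib.request.Request(url, data=form, method="POST")


def build_admin_mode_request(token, geo, settings, admin_mode):
    """updatesettings POST; only adminModeEnabled is changed in the body."""
    missing = [k for k in ("instanceId", "environmentId") if not settings.get(k)]
    if missing:
        raise ValueError(f"settings lacks required ids: {missing}")
    body = dict(settings, adminModeEnabled=bool(admin_mode))
    url = f"{ADMIN_API}/updatesettings?" + urllib.parse.urlencode({"geo": geo})
    headers = {
        "Authorization": f"Bearer {token}",  # assumption: header is accepted
        "Content-Type": "application/json",
    }
    return urllib.request.Request(
        url, data=json.dumps(body).encode(), headers=headers, method="POST")


def describe(req):
    """Log-safe summary: method and URL only, never headers or body."""
    return f"{req.get_method()} {req.full_url}"


def send(req):
    """Send a prepared request and decode the JSON response."""
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Constructed sample values; nothing is sent in this dry run.
    sample = {"instanceId": "{instance guid}", "environmentId": "{environment guid}"}
    print(describe(build_admin_mode_request("dummy-token", "EMEA", sample, True)))
```

In a pipeline, `send(build_token_request(...))["access_token"]` would supply the token for the second request; log only `describe(...)` output.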