Add support for Federated Identity Credentials in connection methods and parameters

documentation/Connect-PnPOnline.md

@@ -112,6 +112,21 @@ Connect-PnPOnline -OSLogin [-ReturnConnection] [-Url] <String> [-PersistLogin] [
  [-ClientId <String>] [-AzureEnvironment <AzureEnvironment>] [-TenantAdminUrl <String>] [-ForceAuthentication] [-ValidateConnection] [-MicrosoftGraphEndPoint <string>] [-AzureADLoginEndPoint <string>] [-Connection <PnPConnection>]
 ```
 
+### Federated Identity Credentials with User Assigned Managed Identity by Client Id
+```powershell
+Connect-PnPOnline [-Url <String>] [-Tenant <String>] -FederatedIdentityCredentials -UserAssignedManagedIdentityClientId <String> [-AzureEnvironment <AzureEnvironment>] [-TenantAdminUrl <String>] [-ValidateConnection] [-MicrosoftGraphEndPoint <string>] [-AzureADLoginEndPoint <string>] [-Connection <PnPConnection>]
+```
+
+### Federated Identity Credentials with User Assigned Managed Identity by Principal Id
+```powershell
+Connect-PnPOnline [-Url <String>] -FederatedIdentityCredentials -UserAssignedManagedIdentityObjectId <String> [-AzureEnvironment <AzureEnvironment>] [-TenantAdminUrl <String>] [-ValidateConnection] [-MicrosoftGraphEndPoint <string>] [-AzureADLoginEndPoint <string>] [-Connection <PnPConnection>]
+```
+
+### Federated Identity Credentials with User Assigned Managed Identity by Azure Resource Id
+```powershell
+Connect-PnPOnline [-Url <String>] -FederatedIdentityCredentials -UserAssignedManagedIdentityAzureResourceId <String> [-AzureEnvironment <AzureEnvironment>] [-TenantAdminUrl <String>] [-ValidateConnection] [-MicrosoftGraphEndPoint <string>] [-AzureADLoginEndPoint <string>] [-Connection <PnPConnection>]
+```
+
 ## DESCRIPTION
 Connects to a SharePoint site or another API and creates a context that is required for the other PnP Cmdlets.
 See https://pnp.github.io/powershell/articles/connecting.html for more information on the options to connect.
@@ -289,6 +304,13 @@ Connect to SharePoint using Credentials (username and password) from Credential
 
 On Windows, this entry needs to be under "Generic Credentials".
 
+### EXAMPLE 20
+```powershell
+Connect-PnPOnline -Url "https://contoso.sharepoint.com" -ClientId 6c5c98c7-e05a-4a0f-bcfa-0cfc65aa1f28 -Tenant 'contoso.onmicrosoft.com' -FederatedIdentityCredentials -UserAssignedManagedIdentityObjectId 363c1b31-6872-47fd-a616-574d3aec2a51
+```
+
+Connect to SharePoint/Microsoft Graph using federated identity credentials.
+
 ## PARAMETERS
 
 ### -AccessToken
@@ -715,7 +737,7 @@ Can be used in combination with `-ManagedIdentity` to specify the object/princip
 
 ```yaml
 Type: String
-Parameter Sets: User Assigned Managed Identity by Principal Id
+Parameter Sets: User Assigned Managed Identity by Principal Id, Federated Identity Credentials, Federated Identity Credentials by Principal Id
 Aliases: UserAssignedManagedIdentityPrincipalId
 
 Required: False
@@ -730,7 +752,7 @@ Can be used in combination with `-ManagedIdentity` to specify the client id of t
 
 ```yaml
 Type: String
-Parameter Sets: User Assigned Managed Identity by Client Id
+Parameter Sets: User Assigned Managed Identity by Client Id, Federated Identity Credentials, Federated Identity Credentials by Client Id
 Aliases:
 
 Required: False
@@ -745,7 +767,7 @@ Can be used in combination with `-ManagedIdentity` to specify the Azure Resource
 
 ```yaml
 Type: String
-Parameter Sets: User Assigned Managed Identity by Azure Resource Id
+Parameter Sets: User Assigned Managed Identity by Azure Resource Id, Federated Identity Credentials, Federated Identity Credentials by Azure Resource Id
 Aliases:
 
 Required: False
@@ -876,6 +898,22 @@ Accept pipeline input: False
 Accept wildcard characters: False
 ```
 
+### -FederatedIdentityCredentials
+
+Connects using Federated Identity credentials. For more information on this, you can visit [this link](https://learn.microsoft.com/en-us/entra/workload-id/workload-identity-federation-create-trust?pivots=identity-wif-apps-methods-rest).
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: Federated Identity Credentials, Federated Identity Credentials by Client Id, Federated Identity Credentials by Principal Id, Federated Identity Credentials by Azure Resource Id
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
 ## RELATED LINKS
 
 [Microsoft 365 Patterns and Practices](https://aka.ms/m365pnp)

src/Commands/Base/ConnectOnline.cs

@@ -37,6 +37,10 @@ public class ConnectOnline : BasePSCmdlet
         private const string ParameterSet_ENVIRONMENTVARIABLE = "Environment Variable";
         private const string ParameterSet_AZUREAD_WORKLOAD_IDENTITY = "Azure AD Workload Identity";
         private const string ParameterSet_OSLOGIN = "OS login";
+        private const string ParameterSet_FEDERATEDIDENTITYCREDENTIALS = "Federated Identity Credentials";
+        private const string ParameterSet_FEDERATEDIDENTITYCREDENTIALSBYCLIENTID = "Federated Identity Credentials by Client Id";
+        private const string ParameterSet_FEDERATEDIDENTITYCREDENTIALSBYPRINCIPALID = "Federated Identity Credentials by Principal Id";
+        private const string ParameterSet_FEDERATEDIDENTITYCREDENTIALSBYAZURERESOURCEID = "Federated Identity Credentials by Azure Resource Id";
 
         [Parameter(Mandatory = false, ParameterSetName = ParameterSet_CREDENTIALS, ValueFromPipeline = true)]
         [Parameter(Mandatory = false, ParameterSetName = ParameterSet_ACSAPPONLY, ValueFromPipeline = true)]
@@ -52,6 +56,10 @@ public class ConnectOnline : BasePSCmdlet
         [Parameter(Mandatory = false, ParameterSetName = ParameterSet_USERASSIGNEDMANAGEDIDENTITYBYAZURERESOURCEID)]
         [Parameter(Mandatory = false, ParameterSetName = ParameterSet_AZUREAD_WORKLOAD_IDENTITY)]
         [Parameter(Mandatory = false, ParameterSetName = ParameterSet_OSLOGIN, ValueFromPipeline = true)]
+        [Parameter(Mandatory = false, ParameterSetName = ParameterSet_FEDERATEDIDENTITYCREDENTIALS)]
+        [Parameter(Mandatory = false, ParameterSetName = ParameterSet_FEDERATEDIDENTITYCREDENTIALSBYCLIENTID)]
+        [Parameter(Mandatory = false, ParameterSetName = ParameterSet_FEDERATEDIDENTITYCREDENTIALSBYPRINCIPALID)]
+        [Parameter(Mandatory = false, ParameterSetName = ParameterSet_FEDERATEDIDENTITYCREDENTIALSBYAZURERESOURCEID)]
         public SwitchParameter ReturnConnection;
 
         [Parameter(Mandatory = false, ParameterSetName = ParameterSet_CREDENTIALS, ValueFromPipeline = true)]
@@ -68,6 +76,10 @@ public class ConnectOnline : BasePSCmdlet
         [Parameter(Mandatory = false, ParameterSetName = ParameterSet_USERASSIGNEDMANAGEDIDENTITYBYAZURERESOURCEID, ValueFromPipeline = true)]
         [Parameter(Mandatory = false, ParameterSetName = ParameterSet_AZUREAD_WORKLOAD_IDENTITY, ValueFromPipeline = true)]
         [Parameter(Mandatory = false, ParameterSetName = ParameterSet_OSLOGIN, ValueFromPipeline = true)]
+        [Parameter(Mandatory = false, ParameterSetName = ParameterSet_FEDERATEDIDENTITYCREDENTIALS, ValueFromPipeline = true)]
+        [Parameter(Mandatory = false, ParameterSetName = ParameterSet_FEDERATEDIDENTITYCREDENTIALSBYCLIENTID, ValueFromPipeline = true)]
+        [Parameter(Mandatory = false, ParameterSetName = ParameterSet_FEDERATEDIDENTITYCREDENTIALSBYPRINCIPALID, ValueFromPipeline = true)]
+        [Parameter(Mandatory = false, ParameterSetName = ParameterSet_FEDERATEDIDENTITYCREDENTIALSBYAZURERESOURCEID, ValueFromPipeline = true)]
         public SwitchParameter ValidateConnection;
 
         [Parameter(Mandatory = true, Position = 0, ParameterSetName = ParameterSet_CREDENTIALS, ValueFromPipeline = true)]
@@ -84,6 +96,10 @@ public class ConnectOnline : BasePSCmdlet
         [Parameter(Mandatory = true, Position = 0, ParameterSetName = ParameterSet_ENVIRONMENTVARIABLE, ValueFromPipeline = true)]
         [Parameter(Mandatory = false, Position = 0, ParameterSetName = ParameterSet_AZUREAD_WORKLOAD_IDENTITY, ValueFromPipeline = true)]
         [Parameter(Mandatory = true, Position = 0, ParameterSetName = ParameterSet_OSLOGIN, ValueFromPipeline = true)]
+        [Parameter(Mandatory = false, Position = 0, ParameterSetName = ParameterSet_FEDERATEDIDENTITYCREDENTIALS, ValueFromPipeline = true)]
+        [Parameter(Mandatory = false, Position = 0, ParameterSetName = ParameterSet_FEDERATEDIDENTITYCREDENTIALSBYCLIENTID, ValueFromPipeline = true)]
+        [Parameter(Mandatory = false, Position = 0, ParameterSetName = ParameterSet_FEDERATEDIDENTITYCREDENTIALSBYPRINCIPALID, ValueFromPipeline = true)]
+        [Parameter(Mandatory = false, Position = 0, ParameterSetName = ParameterSet_FEDERATEDIDENTITYCREDENTIALSBYAZURERESOURCEID, ValueFromPipeline = true)]
         public string Url;
 
         [Parameter(Mandatory = false, ParameterSetName = ParameterSet_CREDENTIALS)]
@@ -140,6 +156,10 @@ public class ConnectOnline : BasePSCmdlet
         [Parameter(Mandatory = false, ParameterSetName = ParameterSet_INTERACTIVE)]
         [Parameter(Mandatory = false, ParameterSetName = ParameterSet_DEVICELOGIN)]
         [Parameter(Mandatory = false, ParameterSetName = ParameterSet_OSLOGIN)]
+        [Parameter(Mandatory = true, ParameterSetName = ParameterSet_FEDERATEDIDENTITYCREDENTIALS)]
+        [Parameter(Mandatory = true, ParameterSetName = ParameterSet_FEDERATEDIDENTITYCREDENTIALSBYCLIENTID)]
+        [Parameter(Mandatory = true, ParameterSetName = ParameterSet_FEDERATEDIDENTITYCREDENTIALSBYPRINCIPALID)]
+        [Parameter(Mandatory = true, ParameterSetName = ParameterSet_FEDERATEDIDENTITYCREDENTIALSBYAZURERESOURCEID)]
         [Alias("ApplicationId")]
         public string ClientId;
 
@@ -153,6 +173,10 @@ public class ConnectOnline : BasePSCmdlet
         [Parameter(Mandatory = false, ParameterSetName = ParameterSet_DEVICELOGIN)]
         [Parameter(Mandatory = false, ParameterSetName = ParameterSet_ENVIRONMENTVARIABLE)]
         [Parameter(Mandatory = false, ParameterSetName = ParameterSet_OSLOGIN)]
+        [Parameter(Mandatory = true, ParameterSetName = ParameterSet_FEDERATEDIDENTITYCREDENTIALS)]
+        [Parameter(Mandatory = true, ParameterSetName = ParameterSet_FEDERATEDIDENTITYCREDENTIALSBYCLIENTID)]
+        [Parameter(Mandatory = true, ParameterSetName = ParameterSet_FEDERATEDIDENTITYCREDENTIALSBYPRINCIPALID)]
+        [Parameter(Mandatory = true, ParameterSetName = ParameterSet_FEDERATEDIDENTITYCREDENTIALSBYAZURERESOURCEID)]
         public string Tenant;
 
         [Parameter(Mandatory = false, ParameterSetName = ParameterSet_APPONLYAADCERTIFICATE)]
@@ -184,6 +208,10 @@ public class ConnectOnline : BasePSCmdlet
         [Parameter(Mandatory = false, ParameterSetName = ParameterSet_USERASSIGNEDMANAGEDIDENTITYBYCLIENTID)]
         [Parameter(Mandatory = false, ParameterSetName = ParameterSet_USERASSIGNEDMANAGEDIDENTITYBYPRINCIPALID)]
         [Parameter(Mandatory = false, ParameterSetName = ParameterSet_USERASSIGNEDMANAGEDIDENTITYBYAZURERESOURCEID)]
+        [Parameter(Mandatory = false, ParameterSetName = ParameterSet_FEDERATEDIDENTITYCREDENTIALS)]
+        [Parameter(Mandatory = false, ParameterSetName = ParameterSet_FEDERATEDIDENTITYCREDENTIALSBYCLIENTID)]
+        [Parameter(Mandatory = false, ParameterSetName = ParameterSet_FEDERATEDIDENTITYCREDENTIALSBYPRINCIPALID)]
+        [Parameter(Mandatory = false, ParameterSetName = ParameterSet_FEDERATEDIDENTITYCREDENTIALSBYAZURERESOURCEID)]
         public Framework.AzureEnvironment AzureEnvironment = Framework.AzureEnvironment.Production;
 
         // [Parameter(Mandatory = true, ParameterSetName = ParameterSet_APPONLYCLIENTIDCLIENTSECRETAADDOMAIN)]
@@ -204,14 +232,23 @@ public class ConnectOnline : BasePSCmdlet
         [Parameter(Mandatory = true, ParameterSetName = ParameterSet_USERASSIGNEDMANAGEDIDENTITYBYAZURERESOURCEID)]
         public SwitchParameter ManagedIdentity;
 
+        [Parameter(Mandatory = true, ParameterSetName = ParameterSet_FEDERATEDIDENTITYCREDENTIALS)]
+        [Parameter(Mandatory = true, ParameterSetName = ParameterSet_FEDERATEDIDENTITYCREDENTIALSBYCLIENTID)]
+        [Parameter(Mandatory = true, ParameterSetName = ParameterSet_FEDERATEDIDENTITYCREDENTIALSBYPRINCIPALID)]
+        [Parameter(Mandatory = true, ParameterSetName = ParameterSet_FEDERATEDIDENTITYCREDENTIALSBYAZURERESOURCEID)]
+        public SwitchParameter FederatedIdentityCredentials;
+
         [Parameter(Mandatory = true, ParameterSetName = ParameterSet_USERASSIGNEDMANAGEDIDENTITYBYPRINCIPALID)]
+        [Parameter(Mandatory = true, ParameterSetName = ParameterSet_FEDERATEDIDENTITYCREDENTIALSBYPRINCIPALID)]
         [Alias("UserAssignedManagedIdentityPrincipalId")]
         public string UserAssignedManagedIdentityObjectId;
 
         [Parameter(Mandatory = true, ParameterSetName = ParameterSet_USERASSIGNEDMANAGEDIDENTITYBYCLIENTID)]
+        [Parameter(Mandatory = true, ParameterSetName = ParameterSet_FEDERATEDIDENTITYCREDENTIALSBYCLIENTID)]
         public string UserAssignedManagedIdentityClientId;
 
         [Parameter(Mandatory = true, ParameterSetName = ParameterSet_USERASSIGNEDMANAGEDIDENTITYBYAZURERESOURCEID)]
+        [Parameter(Mandatory = true, ParameterSetName = ParameterSet_FEDERATEDIDENTITYCREDENTIALSBYAZURERESOURCEID)]
         public string UserAssignedManagedIdentityAzureResourceId;
 
         [Parameter(Mandatory = false, ParameterSetName = ParameterSet_CREDENTIALS)]
@@ -244,6 +281,10 @@ public class ConnectOnline : BasePSCmdlet
         [Parameter(Mandatory = false, ParameterSetName = ParameterSet_USERASSIGNEDMANAGEDIDENTITYBYPRINCIPALID)]
         [Parameter(Mandatory = false, ParameterSetName = ParameterSet_USERASSIGNEDMANAGEDIDENTITYBYAZURERESOURCEID)]
         [Parameter(Mandatory = false, ParameterSetName = ParameterSet_OSLOGIN)]
+        [Parameter(Mandatory = false, ParameterSetName = ParameterSet_FEDERATEDIDENTITYCREDENTIALS)]
+        [Parameter(Mandatory = false, ParameterSetName = ParameterSet_FEDERATEDIDENTITYCREDENTIALSBYCLIENTID)]
+        [Parameter(Mandatory = false, ParameterSetName = ParameterSet_FEDERATEDIDENTITYCREDENTIALSBYPRINCIPALID)]
+        [Parameter(Mandatory = false, ParameterSetName = ParameterSet_FEDERATEDIDENTITYCREDENTIALSBYAZURERESOURCEID)]
         public string MicrosoftGraphEndPoint;
 
         [Parameter(Mandatory = false, ParameterSetName = ParameterSet_CREDENTIALS)]
@@ -259,6 +300,10 @@ public class ConnectOnline : BasePSCmdlet
         [Parameter(Mandatory = false, ParameterSetName = ParameterSet_USERASSIGNEDMANAGEDIDENTITYBYPRINCIPALID)]
         [Parameter(Mandatory = false, ParameterSetName = ParameterSet_USERASSIGNEDMANAGEDIDENTITYBYAZURERESOURCEID)]
         [Parameter(Mandatory = false, ParameterSetName = ParameterSet_OSLOGIN)]
+        [Parameter(Mandatory = false, ParameterSetName = ParameterSet_FEDERATEDIDENTITYCREDENTIALS)]
+        [Parameter(Mandatory = false, ParameterSetName = ParameterSet_FEDERATEDIDENTITYCREDENTIALSBYCLIENTID)]
+        [Parameter(Mandatory = false, ParameterSetName = ParameterSet_FEDERATEDIDENTITYCREDENTIALSBYPRINCIPALID)]
+        [Parameter(Mandatory = false, ParameterSetName = ParameterSet_FEDERATEDIDENTITYCREDENTIALSBYAZURERESOURCEID)]
         public string AzureADLoginEndPoint;
 
         [Parameter(Mandatory = true, ParameterSetName = ParameterSet_AZUREAD_WORKLOAD_IDENTITY)]
@@ -376,6 +421,12 @@ protected void Connect(ref CancellationToken cancellationToken)
                 case ParameterSet_OSLOGIN:
                     newConnection = ConnectWithOSLogin();
                     break;
+                case ParameterSet_FEDERATEDIDENTITYCREDENTIALS:
+                case ParameterSet_FEDERATEDIDENTITYCREDENTIALSBYAZURERESOURCEID:
+                case ParameterSet_FEDERATEDIDENTITYCREDENTIALSBYCLIENTID:
+                case ParameterSet_FEDERATEDIDENTITYCREDENTIALSBYPRINCIPALID:
+                    newConnection = ConnectFederatedIdentityCredentials();
+                    break;
             }
 
             // Ensure a connection instance has been created by now
@@ -916,6 +967,21 @@ private PnPConnection ConnectWithOSLogin()
             return PnPConnection.CreateWithInteractiveLogin(new Uri(Url.ToLower()), ClientId, TenantAdminUrl, AzureEnvironment, cancellationTokenSource, ForceAuthentication, Tenant, true, PersistLogin, Host);
         }
 
+        private PnPConnection ConnectFederatedIdentityCredentials()
+        {
+            // Add validation for FederatedIdentityCredentials to ensure at least one identity parameter is specified
+            if (!ParameterSpecified(nameof(UserAssignedManagedIdentityClientId)) &&
+                !ParameterSpecified(nameof(UserAssignedManagedIdentityObjectId)) &&
+                !ParameterSpecified(nameof(UserAssignedManagedIdentityAzureResourceId)))
+            {
+                throw new PSArgumentException("When using FederatedIdentityCredentials, you must specify at least one of the following parameters: UserAssignedManagedIdentityClientId, UserAssignedManagedIdentityObjectId, or UserAssignedManagedIdentityAzureResourceId.");
+            }
+            LogDebug("Connecting using Federated Identity Credentials");
+
+            var tenantId = TenantExtensions.GetTenantIdByUrl(Url, AzureEnvironment);
+
+            return PnPConnection.CreateWithFederatedIdentityCredentials(Url, TenantAdminUrl, ClientId, tenantId, UserAssignedManagedIdentityObjectId, UserAssignedManagedIdentityClientId, UserAssignedManagedIdentityAzureResourceId);
+        }
         #endregion
 
         #region Helper methods