Using a managed identity and tokens - Help needed

[gmenziesint]

Hey,

Has anyone managed to get managed identities and tokens working? I'm having difficulty getting the authentication piece to work.

I can see I'm authenticating with the managed identity but the backup piece with IntuneCD is saying I have an invalid audience, just wanted to check I'm not missing anything. I've supplied a Tenant name in pipeline variables.

Full pipeline

# Starter pipeline
# Start with a minimal pipeline that you can customize to build and deploy your code.
# Add steps that build, run tests, deploy, and more:
# https://aka.ms/yaml

pool:
  vmImage: ubuntu-latest

jobs:
  - job: backup_document
    displayName: Backup Intune configuration
    pool:
      vmImage: ubuntu-latest
    continueOnError: false
    steps:
    - checkout: self
      persistCredentials: true

# Get Managed Identity token
    - task: AzureCLI@2
      displayName: 'Get login Credentials'
      inputs:
        addSpnToEnvironment: true
        azureSubscription: IntuneCD-ServiceConnection
        scriptType: bash
        scriptLocation: inlineScript
        inlineScript: |
          echo "##vso[task.setvariable variable=UAMI_CLIENT_ID]$servicePrincipalId" 
          echo "##vso[task.setvariable variable=UAMI_ID_TOKEN]$idToken"
          echo "##vso[task.setvariable variable=TENANT_ID]$tenantId"

    - task: Bash@3
      inputs:
        targetType: 'inline'
        script: |
         echo '$(UAMI_ID_TOKEN)' \
         echo '$(TENANT_ID)' \
         echo '$(UAMI_CLIENT_ID)'
#Remove existing prod-backup directory
    - task: Bash@3
      displayName: Remove existing prod-backup directory
      inputs:
        targetType: 'inline'
        script: |
          rm -rfv "$(Build.SourcesDirectory)/prod-backup"
        workingDirectory: '$(Build.SourcesDirectory)'
        failOnStderr: false
        
# Install IntuneCD
# https://github.com/almenscorner/IntuneCD
    - task: Bash@3
      displayName: Install IntuneCD Package V2.3.4
      inputs:
        targetType: 'inline'
        script: |
          pip3 install IntuneCD==2.3.4
        workingDirectory: '$(Build.SourcesDirectory)'
        failOnStderr: true

# Backup the latest configuration, using the current directory
    - task: Bash@3
      displayName: IntuneCD backup Start
      inputs:
        targetType: 'inline'
        script: |
          mkdir -p "$(Build.SourcesDirectory)/prod-backup"
          IntuneCD-startbackup \
          --mode=1 \
          --token '$(UAMI_ID_TOKEN)' \
          --path "$(Build.SourcesDirectory)/prod-backup" \
          --exclude ConditionalAccess \
          --ignore-omasettings \
          --append-id \
          --autopilot \
          --audit
        workingDirectory: '$(Build.SourcesDirectory)'
        failOnStderr: true
      env:
        TENANT_NAME: $(TENANT_NAME)
       # CLIENT_ID: $(CLIENT_ID)
       # CLIENT_SECRET: $(CLIENT_SECRET)
        
# Set git settings
    - task: Bash@3
      displayName: Configure Git Global Settings
      inputs:
        targetType: 'inline'
        script: |
          git config user.name $(USER_NAME)
          git config user.email $(USER_EMAIL)
        workingDirectory: '$(Build.SourcesDirectory)'
        failOnStderr: true
# Commit changes and push to Azure DevOps repo
    - task: Bash@3
      displayName: Commit changes to Azure DevOps repo
      name: commitAndsetVariable
      inputs:
        targetType: 'inline'
        script: |
          DATEF=`date +%Y.%m.%d`
          git add --all
          # modified files in folder prod-backup
          var=$(git diff --name-only --staged -- prod-backup)
          echo "##vso[task.setVariable variable=CHANGE_DETECTED;isOutput=true;]$var"
          git commit -m "Intune config backup $DATEF"
          git push origin HEAD:main
        workingDirectory: '$(Build.SourcesDirectory)'
        failOnStderr: false
        
# Create markdown documentation
    - task: Bash@3
      displayName: Generate markdown document
      inputs:
        targetType: 'inline'
        script: |
          if [ ! -z "$(commitAndsetVariable.CHANGE_DETECTED)" ]
          then
            INTRO="Intune backup and documentation generated at $(Build.Repository.Uri) <img align=\"right\" width=\"96\" height=\"96\" src=\"./logo.png\">"
            IntuneCD-startdocumentation \
                --path="$(Build.SourcesDirectory)/prod-backup" \
                --outpath="$(Build.SourcesDirectory)/prod-as-built.md" \
                --tenantname=$TENANT_NAME \
                --intro="$INTRO" \
                #--split=Y
          else
            echo "no configuration backup change detected in the last commit, documentation will not be created"
          fi
        workingDirectory: '$(Build.SourcesDirectory)'
        failOnStderr: true
      env:
        TENANT_NAME: $(TENANT_NAME)

# Commit changes and push to repo
    - task: Bash@3
      displayName: Commit changes
      inputs:
        targetType: 'inline'
        script: |
          DATEF=`date +%Y.%m.%d`
          git add --all
          git commit -m "Intune config as-built $DATEF"
          git push origin HEAD:main
        workingDirectory: '$(Build.SourcesDirectory)'
        failOnStderr: false

  - job: tag
    displayName: Tag repo
    dependsOn: backup_document
    condition: and(succeeded(), ne(dependencies.backup_document.outputs['commitAndsetVariable.CHANGE_DETECTED'], ''))
    pool:
      vmImage: ubuntu-latest
    continueOnError: false
    steps:
    - checkout: self
      persistCredentials: true

# Set git global settings
    - task: Bash@3
      displayName: Configure Git
      inputs:
        targetType: 'inline'
        script: |
          git config user.name $(USER_NAME)
          git config user.email $(USER_EMAIL)
        workingDirectory: '$(Build.SourcesDirectory)'
        failOnStderr: true

    - task: Bash@3
      displayName: Pull origin
      inputs:
        targetType: 'inline'
        script: |
          git pull origin main
        workingDirectory: '$(Build.SourcesDirectory)'
        failOnStderr: false

    - task: PowerShell@2
      displayName: Git tag
      inputs:
        targetType: 'inline'
        script: |
          # change in configuration backup folder detected, create TAG
          $DATEF= Get-Date -format "yyyy-MM-dd_THH-mm"
          git tag -a "v$DATEF" -m "Microsoft Intune configuration snapshot $DATEF"
          git push origin "v$DATEF" *> $null # even status information goes to stderr :(
        failOnStderr: true
        pwsh: false
        workingDirectory: '$(Build.SourcesDirectory)'

  - job: publish
    displayName: Publish as-built artifacts
    dependsOn: tag
    condition: and(succeeded(), ne(dependencies.backup_document.outputs['commitAndsetVariable.CHANGE_DETECTED'], ''))
    pool:
      vmImage: ubuntu-latest
    continueOnError: false
    steps:
    - checkout: self
      persistCredentials: true

Starting: IntuneCD backup Start
==============================================================================
Task         : Bash
Description  : Run a Bash script on macOS, Linux, or Windows
Version      : 3.244.1
Author       : Microsoft Corporation
Help         : https://docs.microsoft.com/azure/devops/pipelines/tasks/utility/bash
==============================================================================
Generating script.
========================== Starting Command Output ===========================
/usr/bin/bash /home/vsts/work/_temp/be458a79-6eef-4215-b0d0-0ef0b2fecc02.sh
Traceback (most recent call last):
  File "/home/vsts/.local/bin/IntuneCD-startbackup", line 8, in <module>
    sys.exit(start())
  File "/home/vsts/.local/lib/python3.10/site-packages/IntuneCD/run_backup.py", line 319, in start
    run_backup(
  File "/home/vsts/.local/lib/python3.10/site-packages/IntuneCD/run_backup.py", line 272, in run_backup
    backup_intune(results, path, output, exclude, token, prefix, append_id, args)
  File "/home/vsts/.local/lib/python3.10/site-packages/IntuneCD/backup_intune.py", line 14, in backup_intune
    scope_tags = process_scope_tags.get_scope_tags()
  File "/home/vsts/.local/lib/python3.10/site-packages/IntuneCD/intunecdlib/process_scope_tags.py", line 22, in get_scope_tags
    data = self.make_graph_request(endpoint)
  File "/home/vsts/.local/lib/python3.10/site-packages/IntuneCD/intunecdlib/BaseGraphModule.py", line 156, in make_graph_request
    raise requests.exceptions.HTTPError(
requests.exceptions.HTTPError: Request failed with 401 - {"error":{"code":"InvalidAuthenticationToken","message":"Access token validation failure. Invalid audience.","innerError":{"date":"2024-09-02T13:54:36","request-id":"da34ef62-e9b9-4e12-92b2-54e43b85d027","client-request-id":"da34ef62-e9b9-4e12-92b2-54e43b85d027"}}}

##[error]Bash exited with code '1'.
##[error]Bash wrote one or more lines to the standard error stream.
##[error]Traceback (most recent call last):
  File "/home/vsts/.local/bin/IntuneCD-startbackup", line 8, in <module>

##[error]    sys.exit(start())
  File "/home/vsts/.local/lib/python3.10/site-packages/IntuneCD/run_backup.py", line 319, in start
    run_backup(
  File "/home/vsts/.local/lib/python3.10/site-packages/IntuneCD/run_backup.py", line 272, in run_backup
    backup_intune(results, path, output, exclude, token, prefix, append_id, args)
  File "/home/vsts/.local/lib/python3.10/site-packages/IntuneCD/backup_intune.py", line 14, in backup_intune
    scope_tags = process_scope_tags.get_scope_tags()
  File "/home/vsts/.local/lib/python3.10/site-packages/IntuneCD/intunecdlib/process_scope_tags.py", line 22, in get_scope_tags
    data = self.make_graph_request(endpoint)
  File "/home/vsts/.local/lib/python3.10/site-packages/IntuneCD/intunecdlib/BaseGraphModule.py", line 156, in make_graph_request
    raise requests.exceptions.HTTPError(
requests.exceptions.HTTPError: Request failed with 401 - {"error":{"code":"InvalidAuthenticationToken","message":"Access token validation failure. Invalid audience.","innerError":{"date":"2024-09-02T13:54:36","request-id":"da34ef62-e9b9-4e12-92b2-54e43b85d027","client-request-id":"da34ef62-e9b9-4e12-92b2-54e43b85d027"}}}

Finishing: IntuneCD backup Start

Below is the part where I get the token, this seems to working correctly.

Starting: Get login Credentials
==============================================================================
Task         : Azure CLI
Description  : Run Azure CLI commands against an Azure subscription in a PowerShell Core/Shell script when running on Linux agent or PowerShell/PowerShell Core/Batch script when running on Windows agent.
Version      : 2.244.1
Author       : Microsoft Corporation
Help         : https://docs.microsoft.com/azure/devops/pipelines/tasks/deploy/azure-cli
==============================================================================
/usr/bin/az --version
azure-cli                         2.63.0

core                              2.63.0
telemetry                          1.1.0

Extensions:
azure-devops                       1.0.1

Dependencies:
msal                              1.30.0
azure-mgmt-resource               23.1.1

Python location '/opt/az/bin/python3'
Extensions directory '/opt/az/azcliextensions'

Python (Linux) 3.11.8 (main, Jul 31 2024, 03:39:39) [GCC 11.4.0]

Legal docs and information: aka.ms/AzureCliLegal


Your CLI is up-to-date.
Setting AZURE_CONFIG_DIR env variable to: /home/vsts/work/_temp/.azclitask
Setting active cloud to: AzureCloud
/usr/bin/az cloud set -n AzureCloud
/usr/bin/az login --service-principal -u *** --tenant REDACTED --allow-no-subscriptions --federated-token ***
[
  {
    "cloudName": "AzureCloud",
    "homeTenantId": "REDACTED",
    "id": "0eed42ab-a999-4c48-816e-386926be949e",
    "isDefault": true,
    "managedByTenants": [],
    "name": "Visual Studio Enterprise Subscription",
    "state": "Enabled",
    "tenantId": "REDACTED",
    "user": {
/usr/bin/bash /home/vsts/work/_temp/azureclitaskscript1725285261175.sh

/usr/bin/az account clear
Finishing: Get login Credentials

Thanks for your help!

[almenscorner]

As far as I know the Managed Identity option is still not available in the Python MSAL module from MS, using tokens, this is what I have been able to use,

trigger:
- none
 
pool:
  vmImage: windows-latest
 
steps:
- task: AzureCLI@2
  displayName: 'Get Graph Token for Workload Federated Credential'
  inputs:
    azureSubscription: 'test'
    scriptType: 'pscore'
    scriptLocation: 'inlineScript'
    inlineScript: |
      $token = az account get-access-token --resource-type ms-graph
      $accessToken = ($token | ConvertFrom-Json).accessToken
      Write-Host "##vso[task.setvariable variable=secretToken;issecret=true]$accessToken"

- task: PowerShell@2
  displayName: 'Install IntuneCD'
  inputs:
    targetType: 'inline'
    script: |
      pip3 install IntuneCD==2.3.0b4
       
    pwsh: true

- task: PowerShell@2
  displayName: 'Run IntuneCD with token'
  inputs:
    targetType: 'inline'
    script: |
      IntuneCD-startbackup -t $(secretToken) -p $(Build.SourcesDirectory)
       
    pwsh: true

[almenscorner]

Unfortunately I haven't had the time yet

[gmenziesint]

Hey, I was wondering if you were planning to implement this for the 2.4.0 release or anytime soon? I've been testing it recently and it's been working well so thanks for that :)

[almenscorner]

2.4.0 is set to be released soon, I'm just finishing up with some final touches. Though I have not dug deeper in to Managed Identity support. Is this something you've tested and can provide more info on?

[gmenziesint]

Hey, I wasn't looked at integrating it into the code base, I'm not overly familiar with Python, I was just re-reading through the comment and I maybe missed the code you had sent so I'm going to retry using the auth token again for this and see how far I can get and get back to you as I can't remember if I tested this or not!

[almenscorner]

I'm just thinking how the Managed Identity would be used as I do not think they work with hosted agents in Azure DevOps