diff --git a/developer-assist-dashboard/infra/azure.bicep b/developer-assist-dashboard/infra/azure.bicep
index 20d1d263..4001c689 100644
--- a/developer-assist-dashboard/infra/azure.bicep
+++ b/developer-assist-dashboard/infra/azure.bicep
@@ -39,6 +39,7 @@ var officeWebAppClientId2 = '4765445b-32c6-49b0-83e6-1d93765276ca'
 var outlookDesktopAppClientId = 'd3590ed6-52b3-4102-aeff-aad2292ab01c'
 var outlookWebAppClientId = '00000002-0000-0ff1-ce00-000000000000'
 var authorizedClientApplicationIds = '${teamsMobileOrDesktopAppClientId};${teamsWebAppClientId};${officeWebAppClientId1};${officeWebAppClientId2};${outlookDesktopAppClientId};${outlookWebAppClientId}'
+var allowedClientApplications = '"${teamsMobileOrDesktopAppClientId}","${teamsWebAppClientId}","${officeWebAppClientId1}","${officeWebAppClientId2}","${outlookDesktopAppClientId}","${outlookWebAppClientId}"'
 // Azure Storage that hosts your static web site
 resource storage 'Microsoft.Storage/storageAccounts@2021-06-01' = {
@@ -173,6 +174,10 @@ resource functionApp 'Microsoft.Web/sites@2021-02-01' = {
 name: 'PLANNER_BUCKET_ID'
 value: plannerBucketId
 }
+ {
+ name: 'WEBSITE_AUTH_AAD_ACL'
+ value: '{"allowed_client_applications": [${allowedClientApplications}]}'
+ }
 ]
 ftpsState: 'FtpsOnly'
 }
diff --git a/graph-connector-app/infra/azure.bicep b/graph-connector-app/infra/azure.bicep
index b35fb525..816f0deb 100644
--- a/graph-connector-app/infra/azure.bicep
+++ b/graph-connector-app/infra/azure.bicep
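Review bot: The `WEBSITE_AUTH_AAD_ACL` entry added to the appSettings array in the second hunk only takes effect when App Service Authentication (Easy Auth) is enabled on this function app, and neither this hunk nor the rest of the diff shows an auth settings resource for the site; if it is not configured elsewhere in azure.bicep the setting is inert and the only caller restriction left is whatever the function code does with `authorizedClientApplicationIds`. A comment on the entry would stop a reader from assuming the ACL alone gates access, e.g. `// Platform-level caller allow-list, enforced only when App Service Authentication is on; complements the in-code client-id check`, and `allowedClientApplications` deserves a line saying it is the JSON array body for this setting, since it differs from `authorizedClientApplicationIds` only in delimiter. This list omits the function app's own client id, whereas the graph-connector-app, share-now and todo-list hunks in this commit prepend `aadAppClientId`/`m365ClientId`; if the difference is intentional, say why in a comment. The same points apply to the matching hunks in hello-world-tab-with-backend and team-central-dashboard. The functionApp resource starts and ends outside the hunk.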
@@ -23,6 +23,7 @@ var officeWebAppClientId2 = '4765445b-32c6-49b0-83e6-1d93765276ca'
 var outlookDesktopAppClientId = 'd3590ed6-52b3-4102-aeff-aad2292ab01c'
 var outlookWebAppClientId = '00000002-0000-0ff1-ce00-000000000000'
 var authorizedClientApplicationIds = '${teamsMobileOrDesktopAppClientId};${teamsWebAppClientId};${officeWebAppClientId1};${officeWebAppClientId2};${outlookDesktopAppClientId};${outlookWebAppClientId}'
+var allowedClientApplications = '["${aadAppClientId}","${teamsMobileOrDesktopAppClientId}","${teamsWebAppClientId}","${officeWebAppClientId1}","${officeWebAppClientId2}","${outlookDesktopAppClientId}","${outlookWebAppClientId}"]'
 // Azure Storage that hosts your static web site
 resource storage 'Microsoft.Storage/storageAccounts@2021-06-01' = {
@@ -97,6 +98,10 @@ resource functionApp 'Microsoft.Web/sites@2021-02-01' = {
 name: 'ALLOWED_APP_IDS'
 value: authorizedClientApplicationIds
 }
+ {
+ name: 'WEBSITE_AUTH_AAD_ACL'
+ value: '{"allowed_client_applications": ${allowedClientApplications}}}'
+ }
 {
 name: 'M365_CLIENT_ID'
 value: aadAppClientId
diff --git a/hello-world-tab-with-backend/infra/azure.bicep b/hello-world-tab-with-backend/infra/azure.bicep
index c17e9441..978da515 100644
--- a/hello-world-tab-with-backend/infra/azure.bicep
+++ b/hello-world-tab-with-backend/infra/azure.bicep
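Review bot: The `WEBSITE_AUTH_AAD_ACL` value in the second hunk closes one brace too many: `allowedClientApplications` already carries the `[...]` brackets, so `'{"allowed_client_applications": ${allowedClientApplications}}}'` renders as `{"allowed_client_applications": [...]}}`, which is not valid JSON; it should read `value: '{"allowed_client_applications": ${allowedClientApplications}}'`. The same malformed value is written in the share-now, todo-list-with-Azure-backend-M365 and todo-list-with-Azure-backend appSettings hunks of this commit. How App Service treats an unparseable ACL is not visible here, so I would not assume it fails closed; checking that the rendered string parses as JSON before deploying would have caught this. The commit also uses two shapes for `allowedClientApplications` (bracketed here, bare comma-separated in developer-assist-dashboard, hello-world-tab-with-backend and team-central-dashboard), which is how the extra brace slipped in; settling on one shape across samples makes the value line identical everywhere. The functionApp resource starts and ends outside the hunk.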
@@ -23,6 +23,7 @@ var officeWebAppClientId2 = '4765445b-32c6-49b0-83e6-1d93765276ca'
 var outlookDesktopAppClientId = 'd3590ed6-52b3-4102-aeff-aad2292ab01c'
 var outlookWebAppClientId = '00000002-0000-0ff1-ce00-000000000000'
 var authorizedClientApplicationIds = '${teamsMobileOrDesktopAppClientId};${teamsWebAppClientId};${officeWebAppClientId1};${officeWebAppClientId2};${outlookDesktopAppClientId};${outlookWebAppClientId}'
+var allowedClientApplications = '"${teamsMobileOrDesktopAppClientId}","${teamsWebAppClientId}","${officeWebAppClientId1}","${officeWebAppClientId2}","${outlookDesktopAppClientId}","${outlookWebAppClientId}"'
 // Azure Storage that hosts your static web site
 resource storage 'Microsoft.Storage/storageAccounts@2021-06-01' = {
@@ -118,6 +119,10 @@ resource functionApp 'Microsoft.Web/sites@2021-02-01' = {
 name: 'M365_APPLICATION_ID_URI'
 value: aadApplicationIdUri
 }
+ {
+ name: 'WEBSITE_AUTH_AAD_ACL'
+ value: '{"allowed_client_applications": [${allowedClientApplications}]}'
+ }
 ]
 ftpsState: 'FtpsOnly'
 }
diff --git a/share-now/infra/teamsFx/function.bicep b/share-now/infra/teamsFx/function.bicep
index 1acc9e57..5f911197 100644
--- a/share-now/infra/teamsFx/function.bicep
+++ b/share-now/infra/teamsFx/function.bicep
@@ -18,8 +18,7 @@ var administratorLogin = contains(provisionParameters, 'azureSqlAdmin') ? provis
 var administratorLoginPassword = contains(provisionParameters, 'azureSqlAdminPassword') ? provisionParameters['azureSqlAdminPassword'] : ''
 var oauthAuthority = uri(m365OauthAuthorityHost, m365TenantId)
 var tabAppDomain = provisionOutputs.frontendHostingOutput.value.domain
-var tabAppEndpoint = provisionOutputs.frontendHostingOutput.value.endpoint
-var botId = provisionParameters['botAadAppClientId']
+var tabAppEndpoint = provisionOutputs.frontendHostingOutput.value.endpoint
 var m365ApplicationIdUri = 'api://${tabAppDomain}/${m365ClientId}'
 var teamsMobileOrDesktopAppClientId = '1fec8e78-bce4-4aaf-ab1b-5451cc387264'
@@ -30,6 +29,7 @@ var outlookDesktopAppClientId = 'd3590ed6-52b3-4102-aeff-aad2292ab01c'
 var outlookWebAppClientId = '00000002-0000-0ff1-ce00-000000000000'
 var authorizedClientApplicationIds = '${teamsMobileOrDesktopAppClientId};${teamsWebAppClientId};${officeWebAppClientId1};${officeWebAppClientId2};${outlookDesktopAppClientId};${outlookWebAppClientId}'
+var allowedClientApplications = '["${m365ClientId}","${teamsMobileOrDesktopAppClientId}","${teamsWebAppClientId}","${officeWebAppClientId1}","${officeWebAppClientId2}","${outlookDesktopAppClientId}","${outlookWebAppClientId}"]'
 var currentAllowedOrigins = empty(currentConfigs.cors) ? [] : currentConfigs.cors.allowedOrigins
 resource appConfig 'Microsoft.Web/sites/config@2021-02-01' = {
@@ -38,8 +38,8 @@ resource appConfig 'Microsoft.Web/sites/config@2021-02-01' = {
 properties: {
 cors: {
 allowedOrigins: union(currentAllowedOrigins, [
- tabAppEndpoint
- ])
+ tabAppEndpoint
+ ])
 }
 }
 }
@@ -48,6 +48,7 @@ resource appSettings 'Microsoft.Web/sites/config@2021-02-01' = {
 properties: union({
 API_ENDPOINT: provisionOutputs.functionOutput.value.functionEndpoint
 ALLOWED_APP_IDS: authorizedClientApplicationIds
+ WEBSITE_AUTH_AAD_ACL: '{"allowed_client_applications": ${allowedClientApplications}}}'
 M365_CLIENT_ID: m365ClientId
 M365_CLIENT_SECRET: m365ClientSecret
 M365_TENANT_ID: m365TenantId
diff --git a/team-central-dashboard/infra/azure.bicep b/team-central-dashboard/infra/azure.bicep
index a9f9a1f7..2b56868c 100644
--- a/team-central-dashboard/infra/azure.bicep
+++ b/team-central-dashboard/infra/azure.bicep
@@ -26,6 +26,7 @@ var officeWebAppClientId2 = '4765445b-32c6-49b0-83e6-1d93765276ca'
 var outlookDesktopAppClientId = 'd3590ed6-52b3-4102-aeff-aad2292ab01c'
 var outlookWebAppClientId = '00000002-0000-0ff1-ce00-000000000000'
 var authorizedClientApplicationIds = '${teamsMobileOrDesktopAppClientId};${teamsWebAppClientId};${officeWebAppClientId1};${officeWebAppClientId2};${outlookDesktopAppClientId};${outlookWebAppClientId}'
+var allowedClientApplications = '"${teamsMobileOrDesktopAppClientId}","${teamsWebAppClientId}","${officeWebAppClientId1}","${officeWebAppClientId2}","${outlookDesktopAppClientId}","${outlookWebAppClientId}"'
 // Azure Storage that hosts your static web site
 resource storage 'Microsoft.Storage/storageAccounts@2021-06-01' = {
@@ -124,6 +125,10 @@ resource functionApp 'Microsoft.Web/sites@2021-02-01' = {
 name: 'TEAMS_APP_ID'
 value: teamsAppId
 }
+ {
+ name: 'WEBSITE_AUTH_AAD_ACL'
+ value: '{"allowed_client_applications": [${allowedClientApplications}]}'
+ }
 ]
 ftpsState: 'FtpsOnly'
 }
diff --git a/todo-list-with-Azure-backend-M365/infra/teamsFx/function.bicep b/todo-list-with-Azure-backend-M365/infra/teamsFx/function.bicep
index 49c095c9..2aed368d 100644
--- a/todo-list-with-Azure-backend-M365/infra/teamsFx/function.bicep
+++ b/todo-list-with-Azure-backend-M365/infra/teamsFx/function.bicep
@@ -33,6 +33,7 @@ var outlookDesktopAppClientId = 'd3590ed6-52b3-4102-aeff-aad2292ab01c'
 var outlookWebAppClientId1 = '00000002-0000-0ff1-ce00-000000000000'
 var outlookWebAppClientId2 = 'bc59ab01-8403-45c6-8796-ac3ef710b3e3'
 var authorizedClientApplicationIds = '${teamsMobileOrDesktopAppClientId};${teamsWebAppClientId};${officeWebAppClientId1};${officeWebAppClientId2};${officeDesktopAppClientId};${outlookDesktopAppClientId};${outlookWebAppClientId1};${outlookWebAppClientId2}'
+var allowedClientApplications = '["${m365ClientId}","${teamsMobileOrDesktopAppClientId}","${teamsWebAppClientId}","${officeWebAppClientId1}","${officeWebAppClientId2}","${officeDesktopAppClientId}","${outlookDesktopAppClientId}","${outlookWebAppClientId1}","${outlookWebAppClientId2}"]'
 var currentAllowedOrigins = empty(currentConfigs.cors) ? [] : currentConfigs.cors.allowedOrigins
@@ -58,6 +59,7 @@ resource appSettings 'Microsoft.Web/sites/config@2021-02-01' = {
 M365_AUTHORITY_HOST: m365OauthAuthorityHost // AAD authority host
 M365_APPLICATION_ID_URI: m365ApplicationIdUri // Application ID URI of AAD application
 IDENTITY_ID: provisionOutputs.identityOutput.value.identityClientId // User assigned identity id, the identity is used to access other Azure resources
+ WEBSITE_AUTH_AAD_ACL: '{"allowed_client_applications": ${allowedClientApplications}}}'
 }, currentAppSettings) // Merge new settings with existing settings
 }
diff --git a/todo-list-with-Azure-backend/infra/teamsFx/function.bicep b/todo-list-with-Azure-backend/infra/teamsFx/function.bicep
index fd51299e..ab593461 100644
--- a/todo-list-with-Azure-backend/infra/teamsFx/function.bicep
+++ b/todo-list-with-Azure-backend/infra/teamsFx/function.bicep
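Review bot: `allowedClientApplications` in the first hunk re-spells the client-id list that `authorizedClientApplicationIds` already declares on the line above, differing only in delimiter and in the extra leading `m365ClientId`, so the two allow-lists can drift silently when an id is added to one and not the other; the samples in this commit already disagree on which ids belong in the list, so a single source per file matters. If the Bicep version these templates build with supports `join()`, one `var authorizedClientIds = [ ... ]` array could feed both strings, e.g. `var authorizedClientApplicationIds = join(authorizedClientIds, ';')`; failing that, a `// keep in sync with authorizedClientApplicationIds` comment on the new line is the minimum. The diff does not explain why the app's own `m365ClientId` is accepted by the platform ACL but absent from `authorizedClientApplicationIds`, and that asymmetry deserves a one-line comment so a later maintainer does not "fix" it in either direction.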
@@ -28,6 +28,7 @@ var officeWebAppClientId2 = '4765445b-32c6-49b0-83e6-1d93765276ca'
 var outlookDesktopAppClientId = 'd3590ed6-52b3-4102-aeff-aad2292ab01c'
 var outlookWebAppClientId = '00000002-0000-0ff1-ce00-000000000000'
 var authorizedClientApplicationIds = '${teamsMobileOrDesktopAppClientId};${teamsWebAppClientId};${officeWebAppClientId1};${officeWebAppClientId2};${outlookDesktopAppClientId};${outlookWebAppClientId}'
+var allowedClientApplications = '["${m365ClientId}","${teamsMobileOrDesktopAppClientId}","${teamsWebAppClientId}","${officeWebAppClientId1}","${officeWebAppClientId2}","${outlookDesktopAppClientId}","${outlookWebAppClientId}"]'
 var currentAllowedOrigins = empty(currentConfigs.cors) ? [] : currentConfigs.cors.allowedOrigins
@@ -57,6 +58,7 @@ resource appSettings 'Microsoft.Web/sites/config@2021-02-01' = {
 SQL_ENDPOINT: provisionOutputs.azureSqlOutput.value.sqlEndpoint
 SQL_USER_NAME: administratorLogin
 SQL_PASSWORD: administratorLoginPassword
+ WEBSITE_AUTH_AAD_ACL: '{"allowed_client_applications": ${allowedClientApplications}}}'
 }, currentAppSettings)
 }