Feature Request - GCC High support #26

Closed
tehmichael opened this issue Sep 22, 2021 · 20 comments
Comments

@tehmichael

Hey!

Wanted to say that you make a pretty awesome tool here and I really appreciate you putting this together. This might be a big ask - are there any plans to support GCC High (or any non commercial cloud environments) by any chance? I'd love to be able to use this tool in GCC High tenants, but I'm only able to hack together enough for a few functions to work.

Thanks for such an awesome tool!

@Micke-K
Owner

Micke-K commented Sep 22, 2021

Hello!

Thank you for the support!

The tool is built on modules where the core foundation is doing nothing but managing settings, main window, loading modules etc. The idea from the beginning was to support multiple cloud environments that can be managed by public APIs. I don't work with any GCC High tenants so I am not sure what the APIs would look like, if there is a difference in authentication etc. Not even sure if there are any GCC High implementations here in Australia.

@tehmichael
Author

Hiya! Apologize for the delay with my response here.

I did find that some functions (such as configuration policy export) worked when I changed endpoint URLs (.com to .us) in one of your connection modules, but I haven't dug too deep into it quite yet. Other utilities that use AzureAD and Microsoft.Graph.Intune modules seem to connect just fine to GCC High tenants as well (since arguments can target different clouds).

@Micke-K
Owner

Micke-K commented Oct 17, 2021

Hello!

I uploaded a new version so download a copy of the master branch and try. You can change Cloud in Settings. Note that I have not tested this at all since I have no access to US Government or China Clouds. I am not sure how it is going to react when swapping between Azure AD Clouds, if it works, requires a restart of the script etc. Please test and let me know how it goes.

Thank you!

@tehmichael
Author

Hiya! Excited to give it a try, I'll report back here after giving the new build a spin.

Thanks!

@tehmichael
Author

Hey! So I had to change the following lines to get connected to my test GCC High tenant:
MSALAuthentication.psm1:
-Line 528
--FROM: return (?? $loginEnv.Environment "login.microsoftonline.com")
--TO: return (?? $loginEnv.Environment "login.microsoftonline.us")
-Line 647
--FROM: [string[]] $Scopes = "https://graph.microsoft.com/.default"
--TO: [string[]] $Scopes = "https://graph.microsoft.us/.default"

MSGraph.psm1:
-Line 25
--FROM: $global:graphURL = "https://graph.microsoft.com/beta"
--TO: $global:graphURL = "https://graph.microsoft.us/beta"
-Line 746
--FROM: "https://graph.microsoft.com/beta/`$metadata"
--TO: "https://graph.microsoft.us/beta/`$metadata"

After making those adjustments I was able to review GCC high supported configurations (some items like feature updates will error because it currently isn't supported). I haven't had a chance to test anything other than navigation today, so I'll update tomorrow.

@Micke-K
Owner

Micke-K commented Oct 18, 2021

Thank you for testing. Sorry that I missed changing the graph. I'll include that in the next release.

@tehmichael
Author

No problem! Thanks for looking at this! I'll continue testing tomorrow.

@tehmichael
Author

So far, exporting and importing seem to work just fine. Documentation tasks as well. Still running through each feature!

@Micke-K
Owner

Micke-K commented Oct 19, 2021

Thank you for the update!

I am adding an option in Settings where you can select which GCC you are connecting to. It's the same endpoint for login but different Graph. Do you use the same account in different GCC environments or is that impossible?

@tehmichael
Author

Just to clarify, 'GCC' itself uses public endpoints (Worldwide +GCC is how they label it), but 'GCC High' will use gov-related endpoints. In my experience, GCC High shares no endpoints with any public cloud endpoints (these typically end in *.us).

Right now you'll have to use a unique account for each different GCC High environment.

@Micke-K
Owner

Micke-K commented Oct 28, 2021

Hello!

I uploaded a new version where you can select GCC type in Settings. It would be interesting to see how the test goes. It would also be good to see if there is a property on the Organisation or the user that specifies the GCC level.

Can GCC account be a guest of another GCC tenant at any level?

Cheers

@Micke-K
Owner

Micke-K commented Mar 3, 2022

Hello!

How are you going with the testing? Can I close this or do you want me to look at anything else for the GCC support?

Cheers!

@tehmichael
Author

Hello! Apologize for the delay here. I'm going to try your latest build and get back to you during the day tomorrow.

Thanks!

@tehmichael
Author

I had a moment to test tonight, so I'm still unable to connect without making modifications to the MSALAuthentication module, changing some endpoints from .com to .us.

Here's the log result of Tenant Settings > Azure Login set to "Azure AD US Government" and Tenant Settings > GCC Environment set to "GCC High" only - no MSALAuthentication module changes:

Trigger function Invoke-SettingsUpdated
Trigger Invoke-SettingsUpdated in MSALAuthentication
Trigger Invoke-SettingsUpdated in MSGraph
Save settings
Trigger function Invoke-SettingsUpdated
Trigger Invoke-SettingsUpdated in MSALAuthentication
Trigger Invoke-SettingsUpdated in MSGraph
Use Graph environment: graph.microsoft.us
Initiate interactive logon
Scopes: https://graph.microsoft.us/.default
Authority: https://login.microsoftonline.com/organizations/
Failed to login. Error: invalid_request. Description: AADSTS900384: JWT token failed signature validation [Reason - The provided signature value did not match the expected signature value., Thumbprint of key used by client: '0EA52EF207FE9C081CCA33F7F92BA994D0170277', Found key 'Start=12/21/2020 00:00:00, End=12/21/2025 00:00:00'].
Trace ID: 52a4320a-6519-40cc-a97a-930145e3f600
Correlation ID: 1c0f9530-67ad-4855-9176-7356319c2d29
Timestamp: 2022-03-08 03:07:37Z
Use Graph environment: graph.microsoft.us
Initiate interactive logon
Scopes: https://graph.microsoft.us/.default
Authority: https://login.microsoftonline.com/organizations/
Failed to login Exception: User canceled authentication.

This is the result after I make the following changes to the MSALAuthentication module. After the changes below, it seems to work within GCC High environments.

MSALAuthentication.psm1 > Line 193 from $graphEnv = "graph.microsoft.com" to $graphEnv = "graph.microsoft.us"
MSALAuthentication.psm1 > Line 557 from $authority = "https://login.microsoftonline.com/$tenantId" to $authority = "https://login.microsoftonline.com/$tenantId"
MSALAuthentication.psm1 > Line 557 from return (?? $loginEnv.Environment "login.microsoftonline.com") to return (?? $loginEnv.Environment "login.microsoftonline.us")

Using MSAL file C:\w\IntuneManagement-master\Microsoft.Identity.Client.dll. Version: 4.29.0.0
Trigger Invoke-InitializeModule in MSGraph
Add settings and menu items
Change view to Intune Manager
Add MSAL App d1ddf0e4-d672-4dae-b554-9d5bdfd93547 https://login.microsoftonline.us/organizations/
Use Graph environment: graph.microsoft.us
Invalid token
Invalid token
Invalid token
Trigger function Invoke-GraphAuthenticationUpdated
Trigger Invoke-GraphAuthenticationUpdated in EndpointManager
Trigger Invoke-GraphAuthenticationUpdated in MSGraph
Activating View Intune Manager
Trigger function Invoke-ViewActivated
Trigger Invoke-ViewActivated in Compare
Trigger Invoke-ViewActivated in Copy
Trigger Invoke-ViewActivated in Documentation
Trigger function Invoke-ShowMainWindow
Trigger Invoke-ShowMainWindow in Compare
Trigger Invoke-ShowMainWindow in Documentation
Use Graph environment: graph.microsoft.us
Initiate interactive logon
Scopes: https://graph.microsoft.us/.default
Authority: https://login.microsoftonline.us/organizations/
c3@helloworld.onmicrosoft.us authenticated successfully (Interactively). CorrelationId: 111e196b-d43e-46b4-aead-14d0804362f1
Get current user
Get profile picture
Failed to invoke MS Graph with URL https://graph.microsoft.us/BETA/me/photos/48x48/$value (Request ID: df4a4df0-a7e6-4ede-a842-e9a8c117affc). Status code: NotFound
Get organization info
Loading Administrative Templates objects
Trigger function Invoke-GraphObjectsChanged
Trigger Invoke-GraphObjectsChanged in Documentation
Trigger function Invoke-GraphAuthenticationUpdated
Trigger Invoke-GraphAuthenticationUpdated in EndpointManager
Trigger Invoke-GraphAuthenticationUpdated in MSGraph
Loading Administrative Templates objects
Loading App Configuration (App) objects
Trigger function Invoke-GraphObjectsChanged
Trigger Invoke-GraphObjectsChanged in Documentation
Loading App Protection objects
Trigger function Invoke-GraphObjectsChanged
Trigger Invoke-GraphObjectsChanged in Documentation
Trigger function Invoke-EMSelectedItemsChanged
Trigger Invoke-EMSelectedItemsChanged in Compare
Trigger Invoke-EMSelectedItemsChanged in Documentation
Trigger Invoke-EMSelectedItemsChanged in EndpointManager

For some reason the tenant settings don't appear to work. One way to test if this works is if the login UI isn't pointing to commercial/public endpoints right away, but instead to GCC High/USGov (.us) endpoints.

Hopefully this is clear - let me know if you need anything at all! Thank you very much!
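As an added example (not IntuneManagement's own code), a small PowerShell helper that derives authority, scopes and Graph URL from the selected cloud and flags the mismatch visible in the first log above, where the .com authority was paired with .us scopes. The function names and the China endpoint values are my assumptions, not something from the thread.

```powershell
# Added example, not part of the IntuneManagement project.
# Each cloud has its own login authority and Graph host; "Worldwide + GCC"
# share the public endpoints, GCC High uses the .us ones (as reported above).
$CloudEndpoints = @{
    'Worldwide' = @{ Authority = 'login.microsoftonline.com'; Graph = 'graph.microsoft.com' }
    'GCCHigh'   = @{ Authority = 'login.microsoftonline.us';  Graph = 'graph.microsoft.us' }
    # China values are an assumption of this example.
    'China'     = @{ Authority = 'login.chinacloudapi.cn';    Graph = 'microsoftgraph.chinacloudapi.cn' }
}

function Get-CloudLoginParameters {
    # Build a mutually consistent authority / scope / Graph base URL for one cloud.
    param(
        [Parameter(Mandatory)][ValidateSet('Worldwide', 'GCCHigh', 'China')][string]$Cloud,
        [string]$TenantId = 'organizations'
    )
    $ep = $CloudEndpoints[$Cloud]
    [pscustomobject]@{
        Cloud     = $Cloud
        Authority = "https://$($ep.Authority)/$TenantId/"
        Scopes    = @("https://$($ep.Graph)/.default")
        GraphURL  = "https://$($ep.Graph)/beta"
    }
}

function Test-CloudParameterConsistency {
    # $true only when the authority host and every scope host belong to the same cloud.
    # A .com authority with a .us scope (the AADSTS900384 case above) is rejected here
    # before any interactive login is attempted.
    param(
        [Parameter(Mandatory)][string]$Authority,
        [Parameter(Mandatory)][string[]]$Scopes
    )
    $authHost = ([uri]$Authority).Host
    $cloud = $CloudEndpoints.GetEnumerator() |
        Where-Object { $_.Value.Authority -eq $authHost } | Select-Object -First 1
    if (-not $cloud) { Write-Warning "Unknown authority host: $authHost"; return $false }
    foreach ($s in $Scopes) {
        $scopeHost = ([uri]$s).Host
        if ($scopeHost -ne $cloud.Value.Graph) {
            Write-Warning "Scope host '$scopeHost' does not belong to cloud '$($cloud.Key)' (authority $authHost)"
            return $false
        }
    }
    return $true
}

# The combination from the failing log: public authority, GCC High scope.
Test-CloudParameterConsistency -Authority 'https://login.microsoftonline.com/organizations/' -Scopes 'https://graph.microsoft.us/.default'
# The combination from the working log, derived from the cloud selection.
$p = Get-CloudLoginParameters -Cloud GCCHigh
Test-CloudParameterConsistency -Authority $p.Authority -Scopes $p.Scopes
```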

@Micke-K
Owner

Micke-K commented Mar 8, 2022

Thank you for testing!

Well, that didn't go as planned, for a couple of reasons, so I went back to the drawing board and redesigned it completely.

I added a new option: Show Azure AD login menu. Go in to Settings and enable it (NOT Tenant settings!)
You will now get a pre-login prompt when you click Login or Sign in with a different account. This is so you can select Cloud and GCC environment.

Unpack the Zip file. Copy
Core.psm1 -> To the IntuneManagement folder (Replace existing)
MSALAuthentication.psm1 -> To the IntuneManagement\Extensions folder (Replace existing)
MSALLoginMenu.xaml -> To the IntuneManagement\Xaml folder (New file)

There might be one thing left to change in the code but I hope this will be enough and that this includes all the changes.

Let me know how it goes
Updates.zip

@tehmichael
Author

Wow you're fast! This is working wonderfully! Tested in both GCC High and GCC tenants and everything is working from what I can tell. I'll let you know if any problems come up in future use. Thanks!

@Micke-K
Owner

Micke-K commented Mar 9, 2022

Hello!

That is great news!

Do you cache your user tokens? If you do, does it work swapping between them?

Cheers!

@tehmichael
Author

Hiya! Yes and it appears to work so far! I've loaded up a few different tenants with the same build and things appear to cache correctly.

@Micke-K
Owner

Micke-K commented Apr 26, 2022

This is now included in 3.5.0 but I will send you a new version to test.

The new MSAL.DLL supports logging in to US/China cloud via public endpoints. I'll let you know when I have a version for you to test

@Micke-K
Owner

Micke-K commented Oct 22, 2023

Closing this issue since it has been confirmed working in both GCC and China.

Please reopen a case if there are any additional issues.

Cheers

@Micke-K Micke-K closed this as completed Oct 22, 2023