Update New-CIPPAPIConfig.ps1

Respect expiration policies

Author: James-Tarran

Modules/CIPPCore/Public/Authentication/New-CIPPAPIConfig.ps1

@@ -75,13 +75,34 @@ function New-CIPPAPIConfig {
 
                 Write-Information 'Creating password'
                 $Step = 'Creating Application Password'
-                $APIPassword = New-GraphPOSTRequest -uri "https://graph.microsoft.com/v1.0/applications/$($APIApp.id)/addPassword" -AsApp $true -NoAuthCheck $true -type POST -body "{`"passwordCredential`":{`"displayName`":`"Generated by API Setup`"}}" -maxRetries 3
+                $AppManagementPolicy = New-GraphGetRequest -uri "https://graph.microsoft.com/v1.0/policies/defaultAppManagementPolicy" -AsApp $true -NoAuthCheck $true
+                $PasswordExpirationPolicy =  $AppManagementPolicy.applicationRestrictions.passwordcredentials |
+                    Where-Object { $_.restrictionType -eq 'passwordLifetime' }
+                if (-not ($PasswordExpirationPolicy.state -eq 'disabled' -or $null -eq $PasswordExpirationPolicy.state)) {
+                    $TimeToExpiration = [System.Xml.XmlConvert]::ToTimeSpan($PasswordExpirationPolicy.maxLifetime)
+                    $ExpirationDate = (Get-Date).AddDays($TimeToExpiration.Days).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ss.fffZ')
+                    $APIPassword = New-GraphPOSTRequest -uri "https://graph.microsoft.com/v1.0/applications/$($APIApp.id)/addPassword" -AsApp $true -NoAuthCheck $true -type POST -body "{`"passwordCredential`":{`"displayName`":`"Generated by API Setup`",`"endDateTime`":`"$ExpirationDate`"}}" -maxRetries 3
+                } else {
+                    $APIPassword = New-GraphPOSTRequest -uri "https://graph.microsoft.com/v1.0/applications/$($APIApp.id)/addPassword" -AsApp $true -NoAuthCheck $true -type POST -body "{`"passwordCredential`":{`"displayName`":`"Generated by API Setup`"}}" -maxRetries 3
+                }
                 Write-Information 'Adding App URL'
                 $Step = 'Adding Application Identifier URI'
                 $APIIdUrl = New-GraphPOSTRequest -uri "https://graph.microsoft.com/v1.0/applications/$($APIApp.id)" -AsApp $true -NoAuthCheck $true -type PATCH -body "{`"identifierUris`":[`"api://$($APIApp.appId)`"]}" -maxRetries 3
                 Write-Information 'Adding serviceprincipal'
                 $Step = 'Creating Service Principal'
-                $ServicePrincipal = New-GraphPOSTRequest -uri 'https://graph.microsoft.com/v1.0/serviceprincipals' -AsApp $true -NoAuthCheck $true -type POST -body "{`"accountEnabled`":true,`"appId`":`"$($APIApp.appId)`",`"displayName`":`"$AppName`",`"tags`":[`"WindowsAzureActiveDirectoryIntegratedApp`",`"AppServiceIntegratedApp`"]}" -maxRetries 3
+                $ServicePrincipalBody = "{`"accountEnabled`":true,`"appId`":`"$($APIApp.appId)`",`"displayName`":`"$AppName`",`"tags`":[`"WindowsAzureActiveDirectoryIntegratedApp`",`"AppServiceIntegratedApp`"]}"
+                for ($Attempt = 1; $Attempt -le 4; $Attempt++) {
+                    try {
+                        $ServicePrincipal = New-GraphPOSTRequest -uri 'https://graph.microsoft.com/v1.0/serviceprincipals' -AsApp $true -NoAuthCheck $true -type POST -body $ServicePrincipalBody -maxRetries 3
+                        break
+                    } catch {
+                        if ($Attempt -lt 4) {
+                            Start-Sleep -Seconds 1
+                            continue
+                        }
+                        throw
+                    }
+                }
                 Write-LogMessage -headers $Headers -API $APINAME -tenant 'None '-message "Created CIPP-API App with name '$($APIApp.displayName)'." -Sev 'info'
             }
         }