Azure DevOps SPFx Deployment with Workload Identity Federation
Introduction
Thanks to Kinga Kazala for her timely article Deploy SPFx app using pipeline’s Workload Identity federation, which showcases how to use Workload Identity Federation to alleviate the need for using Entra app secrets or certificates. This method simplifies the setup process, especially when there’s reliance on a single person who might be unavailable.
We initially set up the SPFx pipeline for the Test environment using certificates with CLI for M365. However, to add the UAT and PROD stages we had to wait for the only person authorised to create the Entra app with certificates, which delayed the process. We tried the Workload Identity Federation option instead, and it worked well. Unfortunately, CLI for M365 does not support this option yet (as of November 2024), so we had to switch to PnP PowerShell.
This article details my experience following the steps from Deploy SPFx app using pipeline’s Workload Identity federation and my insights.
Steps to Configure Workload Identity Federation
1. Navigate to Project Settings in Azure DevOps: go to the project settings and click on Service Connections.
2. Choose Azure Resource Manager (ARM) as the connection type.
3. Select Workload Identity Federation (automatic).
4. Fill in the details. Note that Workload Identity Federation (automatic) depends on an existing Azure Resource Group; the wizard creates the app registration, the federated credential and a role assignment on that resource group for you. Refer to Help choosing connection type.
5. Click on Manage Service Principal to open the app registration that was created.
6. Add the Sites.Selected permission: click on API permissions and add the SharePoint Sites.Selected application permission (the pipeline requests a SharePoint token, not a Microsoft Graph token).
7. Grant admin consent for Sites.Selected.
8. Rename the service principal to a more meaningful name.
The federated identity created by the automatic option is granted the Contributor role on the selected Azure resource group. That is more than the SPFx deployment needs: the pipeline only uses the identity to obtain a SharePoint access token and never touches Azure resources. Revoking the role assignment on the resource group entirely is not an option, though, as the service connection then fails verification with an error. Consider downgrading the federated identity to the Reader role on the resource group if possible, and re-verify the service connection in Azure DevOps afterwards.
9. Grant the service principal Full Control on the app catalog site. Sites.Selected grants nothing by itself; the app can only reach sites that have been explicitly granted to it, which is what limits the blast radius of this identity:

```powershell
Connect-PnPOnline -Url https://reshmeeauckloo.sharepoint.com/sites/apps -Interactive
Grant-PnPAzureADAppSitePermission -AppId b879348c-359b-4272-9e47-6ac785fa991f -DisplayName m365-p-spfx-deployment -Permissions FullControl
```

Replace the AppId with the application (client) ID of the app registration opened via Manage Service Principal in step 5 (not the service principal's object ID), and the DisplayName with the name you gave the service principal. Recent PnP PowerShell releases also require -ClientId with your own app registration when connecting with -Interactive.
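After the steps above it is worth verifying both halves of the setup: that the federated identity holds no more Azure RBAC than it needs, and that its SharePoint access is limited to the app catalog grant. The script below is an added example, not code from the original article or from Kinga's post. The resource group name, the admin app client ID used for the interactive PnP sign-in and the app catalog URL are assumptions to replace with your own; it also assumes Reader is enough for the Azure DevOps service connection to keep verifying, which you should confirm in the service connection page afterwards.

```powershell
# Added example (not from the original article): least-privilege check after the setup steps.
# Assumed values, replace with your own:
$appId         = 'b879348c-359b-4272-9e47-6ac785fa991f'   # application (client) ID from Manage Service Principal
$resourceGroup = 'rg-m365-spfx'                           # assumed: resource group chosen for the service connection
$appCatalogUrl = 'https://reshmeeauckloo.sharepoint.com/sites/apps'
$adminClientId = '00000000-0000-0000-0000-000000000000'   # assumed: your own app registration for the interactive PnP sign-in

# --- Azure side ---
# The pipeline only uses this identity to obtain a SharePoint token, so Contributor on the
# resource group is excess privilege. Add Reader before removing Contributor so the service
# connection never ends up without any assignment (which makes its verification fail).
Connect-AzAccount | Out-Null
$sp          = Get-AzADServicePrincipal -ApplicationId $appId
$rgScope     = (Get-AzResourceGroup -Name $resourceGroup).ResourceId
$assignments = Get-AzRoleAssignment -ObjectId $sp.Id -Scope $rgScope
$contributor = $assignments | Where-Object { $_.RoleDefinitionName -eq 'Contributor' -and $_.Scope -eq $rgScope }
$reader      = $assignments | Where-Object { $_.RoleDefinitionName -eq 'Reader'      -and $_.Scope -eq $rgScope }

if ($contributor) {
    if (-not $reader) {
        New-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionName 'Reader' -Scope $rgScope | Out-Null
    }
    $contributor | Remove-AzRoleAssignment
}
Write-Host "Role assignments for $($sp.DisplayName) on $resourceGroup :"
Get-AzRoleAssignment -ObjectId $sp.Id -Scope $rgScope | Select-Object RoleDefinitionName, Scope

# --- SharePoint side ---
# Sites.Selected only admits the app to sites that were explicitly granted. List the grants
# the app holds on the app catalog so you can see exactly what the pipeline identity can reach.
Connect-PnPOnline -Url $appCatalogUrl -Interactive -ClientId $adminClientId
$grants = Get-PnPAzureADAppSitePermission -AppIdentity $appId
if (-not $grants) {
    Write-Warning "No Sites.Selected grant for $appId on $appCatalogUrl; the pipeline will be denied access"
} else {
    $grants | Select-Object Id, Roles, Apps
}
```

Run this once from an admin workstation after completing the steps, not from the pipeline: the pipeline identity itself should not be able to change its own role assignments or site grants.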
- Create the YAML file
I downloaded the package pnp-modern-search-parts-v4.sppkg and uploaded it to a repository to test the deployment using Workload Identity Federation. Create a pipeline from a YAML file using the sample below; azureSubscription must name the Workload Identity Federation service connection created earlier.
```yaml
variables:
  - name: tenantName
    value: "reshmeeauckloo" # update with your tenant name
  - name: siteName
    value: "apps"
  - name: spfxPackage
    value: "pnp-modern-search-parts-v4.sppkg" # update with a path to your package

steps:
  - task: AzurePowerShell@5
    name: DeploySPFx
    inputs:
      azureSubscription: p-m365 # the Workload Identity Federation service connection
      azurePowerShellVersion: latestVersion
      ScriptType: InlineScript
      Inline: |
        Write-Host "##[group]Install PS modules"
        Write-Host "##[command] Install PnP.PowerShell"
        # Listing the modules forces PowerShellGet to load; this works around the intermittent
        # "The term 'Install-Module' is not recognized" error on hosted agents
        Write-Host "##[command] Get Module PowerShellGet"
        Get-Module -Name PowerShellGet -ListAvailable
        Write-Host "##[command] Get Module Microsoft.PowerShell.PSResourceGet"
        Get-Module -Name Microsoft.PowerShell.PSResourceGet -ListAvailable
        Install-Module -Name PnP.PowerShell -Scope CurrentUser -SkipPublisherCheck -Force
        Write-Host "##[endgroup]"
        ############## You may use the following section to retrieve details of the account used to execute the pipeline
        # You probably won't use it productively :)
        ##############
        Write-Host "##[group]Who am I"
        $azContext = (Get-AzContext).Account.Id
        $sp = Get-AzADServicePrincipal -ApplicationId $azContext
        Write-Host "##[debug] ServicePrincipal: $($sp.Id)"
        Write-Host "##[endgroup]"
        $PSVersionTable
        $url  = "https://$(tenantName).sharepoint.com"
        $path = "$(Build.SourcesDirectory)/$(spfxPackage)"
        try {
          # The task signed in with the federated identity; exchange that session for a
          # SharePoint access token (audience = the tenant's SharePoint URL, not Graph or ARM)
          $azAccessToken = Get-AzAccessToken -ResourceUrl $url
          $token = $azAccessToken.Token
          # Newer Az.Accounts versions return the token as a SecureString; -AccessToken expects plain text
          if ($token -is [System.Security.SecureString]) {
            $token = [System.Net.NetworkCredential]::new('', $token).Password
          }
          $conn = Connect-PnPOnline -Url "$url/sites/$(siteName)" -AccessToken $token -ReturnConnection
          Write-Host "##[debug] Get-PnPConnection $($conn.Url)"
          $packageInSite = Add-PnPApp -Path $path -Overwrite -Publish -SkipFeatureDeployment -Connection $conn
          Write-Host "##[debug] Deployed $($packageInSite.Title) ($($packageInSite.Id))"
        }
        catch {
          Write-Host "##[error]$($_.Exception.Message)"
          # Rethrow so the task fails instead of reporting success after a failed deployment
          throw
        }
    displayName: Deploy spfx
```
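The pipeline trusts that admin consent for Sites.Selected was actually granted. If it was not, Get-AzAccessToken still returns a token, only without the role, and the failure surfaces later as an access-denied error from Add-PnPApp. As an added check that is not part of the original pipeline, the function below decodes the token payload and verifies its audience, application roles and expiry before the deployment step. It works on the token obtained by Get-AzAccessToken exactly as in the pipeline; aud, roles and exp are the standard Entra ID token claims, and the audience comparison assumes the token was requested for the tenant's SharePoint URL as above.

```powershell
# Added example (not part of the original pipeline): validate the SharePoint access token
# before using it. Returns $true when the token is usable for an app-only SPFx deployment,
# otherwise logs the problems found and returns $false.
function Test-SPFxDeployToken {
    param(
        [Parameter(Mandatory)][string]$Token,       # raw JWT from Get-AzAccessToken
        [Parameter(Mandatory)][string]$TenantName   # e.g. "reshmeeauckloo"
    )
    $parts = $Token.Split('.')
    if ($parts.Count -ne 3) {
        Write-Host "##[error]Token is not a JWT (expected header.payload.signature)"
        return $false
    }
    # The payload is base64url without padding; restore standard base64 and decode it
    $payload = $parts[1].Replace('-', '+').Replace('_', '/')
    switch ($payload.Length % 4) {
        2 { $payload += '==' }
        3 { $payload += '=' }
    }
    $claims = [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload)) | ConvertFrom-Json

    $problems = @()
    # aud must be the tenant's SharePoint resource; a Graph or ARM token is rejected by SharePoint
    if ($claims.aud -notlike "*$TenantName.sharepoint.com*") {
        $problems += "audience is '$($claims.aud)', expected the $TenantName.sharepoint.com resource"
    }
    # An app-only token carries application permissions in 'roles'; a delegated token has 'scp' instead
    if (-not $claims.roles) {
        $problems += "no application roles in the token (delegated token, or admin consent not granted)"
    } elseif ($claims.roles -notcontains 'Sites.Selected') {
        $problems += "Sites.Selected is missing; roles present: $($claims.roles -join ', ')"
    }
    # exp is seconds since the Unix epoch; leave headroom for the upload and publish to finish
    $expires = [DateTimeOffset]::FromUnixTimeSeconds([int64]$claims.exp)
    if ($expires -lt [DateTimeOffset]::UtcNow.AddMinutes(5)) {
        $problems += "token expires at $($expires.UtcDateTime) UTC, too soon to complete the deployment"
    }

    foreach ($p in $problems) { Write-Host "##[error]$p" }
    return ($problems.Count -eq 0)
}

# Usage inside the pipeline's try block, after Get-AzAccessToken and before Connect-PnPOnline:
#   $token = $azAccessToken.Token
#   if ($token -is [System.Security.SecureString]) { $token = [System.Net.NetworkCredential]::new('', $token).Password }
#   if (-not (Test-SPFxDeployToken -Token $token -TenantName "$(tenantName)")) {
#       throw "Access token is not suitable for SPFx deployment"
#   }
```

The function only decodes the payload; it does not verify the signature, because the pipeline is the token's intended consumer rather than a relying party, and SharePoint performs signature validation when the token is presented. Its purpose is to turn a misconfigured permission grant into a clear error at the top of the log.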
- Issue with Install-Module
Fortunately Kinga had already found the solution and included it as commented-out lines in her example: uncommenting them (the Get-Module -ListAvailable calls at the top of the script above, which force PowerShellGet to load) works around the issue. The failure is intermittent rather than deterministic.
Refer to her post Azure DevOps and "The term 'Install-Module' is not recognized" issue for more details.
- Attempt to Use the Authentication Type Workload Identity
I was looking forward to implementing the same with CLI for M365. However, CLI for M365 cannot yet authenticate with an externally obtained access token or with a workload identity, so the federated service connection cannot be used with it.
Refer to WIP: Implements accessToken as new authType for the outstanding work to make this possible within CLI for M365.
References
- WIP: Implements accessToken as new authType
- Azure DevOps and "The term 'Install-Module' is not recognized" issue
- Deploy SPFx app using pipeline's Workload Identity federation