BadSubscriptionIdInvalid and other fixes (#2362)

Fix #2361 and #2360

common.props

@@ -34,7 +34,7 @@
   </PropertyGroup>
   <ItemGroup Condition="$(NO_GIT) == ''">
     <PackageReference Include="Microsoft.SourceLink.GitHub" Version="8.0.0" PrivateAssets="All"/>
-    <PackageReference Include="Nerdbank.GitVersioning" Version="3.6.143" PrivateAssets="All"/>
+    <PackageReference Include="Nerdbank.GitVersioning" Version="3.6.146" PrivateAssets="All"/>
   </ItemGroup>
   <PropertyGroup>
     <IncludeOpenAPIAnalyzers>true</IncludeOpenAPIAnalyzers>
@@ -44,8 +44,8 @@
     <!--<TreatWarningsAsErrors>true</TreatWarningsAsErrors>-->
   </PropertyGroup>
   <ItemGroup Condition="$(NO_RCS) == ''">
-    <PackageReference Include="Roslynator.Analyzers" Version="4.12.8" PrivateAssets="All"/>
-    <PackageReference Include="Roslynator.Formatting.Analyzers" Version="4.12.8" PrivateAssets="All"/>
+    <PackageReference Include="Roslynator.Analyzers" Version="4.12.9" PrivateAssets="All"/>
+    <PackageReference Include="Roslynator.Formatting.Analyzers" Version="4.12.9" PrivateAssets="All"/>
   </ItemGroup>
   <!-- only create the SARIF files for the SDL build step in cloud builds -->
   <PropertyGroup Condition="'$(NBGV_NugetPackageVersion)' != ''">

deploy/iotedge/eflow-setup.ps1

@@ -40,6 +40,8 @@ param(
    [switch] $NoCleanup
 )
 
+#Requires -RunAsAdministrator
+
 $eflowMsiUri = "https://aka.ms/AzEFLOWMSI_1_4_LTS_X64"
 
 $ErrorActionPreference = "Stop"

deploy/scripts/deploy.ps1

@@ -37,29 +37,14 @@
 
  .PARAMETER tenantId
     The Azure Active Directory tenant tied to the subscription(s)
-     that should be listed as options.
-
- .PARAMETER authTenantId
-    Specifies an Azure Active Directory tenant for authentication
-    that is different from the one tied to the subscription.
-
- .PARAMETER accountName
-    The account name to use if not to use default.
+    that should be listed as options.
 
  .PARAMETER applicationName
     The name of the application, if not local deployment.
 
- .PARAMETER aadConfig
-    The aad configuration object (use aad-register.ps1 to create
-    object). If not provided, calls aad-register.ps1.
-
  .PARAMETER context
     A previously created az context to be used for authentication.
 
- .PARAMETER aadApplicationName
-    The application name to use when registering aad application.
-    If not set, uses applicationName.
-
  .PARAMETER containerRegistryServer
     The container registry server to use to pull images
 
@@ -111,10 +96,31 @@
     Suggestion: use VM with at least 1 core and 2 GB of memory.
     Must Support Generation 1.
 
+ .PARAMETER noAadAppRegistration
+    Do not deploy service with Azure Active Directory authentication
+    support. Do not use in production!.
+
+ .PARAMETER authTenantId
+    Specifies an Azure Active Directory tenant for authentication
+    that is different from the one tied to the subscription.
+
+ .PARAMETER aadConfig
+    The aad configuration object (use aad-register.ps1 to create
+    object). If not provided, calls aad-register.ps1.
+
+ .PARAMETER aadApplicationName
+    The application name to use when registering aad application.
+    If not set, uses applicationName.
+
  .PARAMETER credentials
     Use these credentials to log in. If not provided you are
     prompted to provide credentials
 
+ .PARAMETER disableRbacAuthorization
+    Disable using Azure RBAC authorization using role assignments
+    to the managed identity and use legacy style keys and shared
+    access tokens to access services.
+
  .PARAMETER isServicePrincipal
     The credentials provided are service principal credentials.
 
@@ -136,10 +142,7 @@ param(
     [string] $resourceGroupLocation,
     [string] $subscriptionName,
     [string] $subscriptionId,
-    [string] $accountName,
     [string] $tenantId,
-    [string] $authTenantId,
-    [string] $aadApplicationName,
     [string] $containerRegistryServer,
     [string] $containerRegistryUsername,
     [securestring] $containerRegistryPassword,
@@ -156,6 +159,10 @@ param(
     [pscredential] $credentials,
     [secureString] $accessToken,
     [switch] $isServicePrincipal,
+    [switch] $noAadAppRegistration,
+    [switch] $disableRbacAuthorization,
+    [string] $authTenantId,
+    [string] $aadApplicationName,
     [object] $aadConfig,
     [object] $context,
     [string] $environmentName = "AzureCloud",
@@ -785,6 +792,14 @@ Function New-Deployment() {
         $templateParameters.Add("templateUrl", $templateUrl)
     }
 
+    if ($script:disableRbacAuthorization.IsPresent) {
+        Write-Host "Deploying without Azure RBAC role based authorization."
+        $templateParameters.Add("enableRbacAuthorization", $false)
+    }
+    else {
+        $templateParameters.Add("enableRbacAuthorization", $true)
+    }
+
     # Select an application name
     if (($script:type -eq "local") -or ($script:type -eq "simulation")) {
         if ([string]::IsNullOrEmpty($script:applicationName) `
@@ -998,33 +1013,35 @@ Write-Warning "Standard_D4s_v4 VM with Nested virtualization for IoT Edge Eflow
 
     $aadAddReplyUrls = $false
     if (!$script:aadConfig) {
-        if ([string]::IsNullOrEmpty($script:aadApplicationName)) {
-            $script:aadApplicationName = $script:applicationName
-        }
+        if (!$script:noAadAppRegistration.IsPresent) {
+            if ([string]::IsNullOrEmpty($script:aadApplicationName)) {
+                $script:aadApplicationName = $script:applicationName
+            }
 
-        # register aad application
-        Write-Host
-        Write-Host "Registering client and services AAD applications in your tenant..."
-        $aadRegisterContext = $context
-
-        # Use context of auth tenant
-        if (![string]::IsNullOrEmpty($authTenantId)) {
-            Write-Host "Connecting to AAD tenant $($authTenantId)..."
-            Connect-AzAccount -Tenant $authTenantId -ContextName AuthTenantId -Force
-            $aadRegisterContext = Select-AzContext AuthTenantId
-        }
+            # register aad application
+            Write-Host
+            Write-Host "Registering client and services AAD applications in your tenant..."
+            $aadRegisterContext = $context
 
-        $script:aadConfig = & (Join-Path $script:ScriptDir "aad-register.ps1") `
-            -Context $aadRegisterContext -Name $script:aadApplicationName
+            # Use context of auth tenant
+            if (![string]::IsNullOrEmpty($authTenantId)) {
+                Write-Host "Connecting to AAD tenant $($authTenantId)..."
+                Connect-AzAccount -Tenant $authTenantId -ContextName AuthTenantId -Force
+                $aadRegisterContext = Select-AzContext AuthTenantId
+            }
 
-        Write-Host "Client and services AAD applications registered..."
-        Write-Host
-        $aadAddReplyUrls = $true
+            $script:aadConfig = & (Join-Path $script:ScriptDir "aad-register.ps1") `
+                -Context $aadRegisterContext -Name $script:aadApplicationName
 
-        # Restore AD context
-        if (![string]::IsNullOrEmpty($authTenantId)) {
-            Write-Host "Switching to AAD tenant $($context.Tenant)..."
-            Set-AzContext -Context $context
+            Write-Host "Client and services AAD applications registered..."
+            Write-Host
+            $aadAddReplyUrls = $true
+
+            # Restore AD context
+            if (![string]::IsNullOrEmpty($authTenantId)) {
+                Write-Host "Switching to AAD tenant $($context.Tenant)..."
+                Set-AzContext -Context $context
+            }
         }
     }
     elseif (($script:aadConfig -is [string]) -and (Test-Path $script:aadConfig)) {
@@ -1060,16 +1077,16 @@ Write-Warning "Standard_D4s_v4 VM with Nested virtualization for IoT Edge Eflow
 
     # Register current aad user to access keyvault
     if (![string]::IsNullOrEmpty($script:aadConfig.UserPrincipalId)) {
-        $templateParameters.Add("keyVaultPrincipalId", $script:aadConfig.UserPrincipalId)
+        $templateParameters.Add("userPrincipalId", $script:aadConfig.UserPrincipalId)
     }
     else {
         $userPrincipalId = (Get-AzADUser -UserPrincipalName (Get-AzContext).Account.Id).Id
 
         if (![string]::IsNullOrEmpty($userPrincipalId)) {
-            $templateParameters.Add("keyVaultPrincipalId", $userPrincipalId)
+            $templateParameters.Add("userPrincipalId", $userPrincipalId)
         }
         else {
-            $templateParameters.Add("keyVaultPrincipalId", $script:aadConfig.FallBackPrincipalId)
+            $templateParameters.Add("userPrincipalId", $script:aadConfig.FallBackPrincipalId)
         }
     }
 
@@ -1125,16 +1142,15 @@ Write-Warning "Standard_D4s_v4 VM with Nested virtualization for IoT Edge Eflow
             #
             # Add reply urls
             #
-            $replyUrls = New-Object System.Collections.Generic.List[System.String]
-            if ($aadAddReplyUrls) {
+            if ($aadAddReplyUrls -and ![string]::IsNullOrEmpty($script:aadConfig.WebAppId)) {
+                $replyUrls = New-Object System.Collections.Generic.List[System.String]
+
                 # retrieve existing urls
                 $app = Get-AzADApplication -ApplicationId $script:aadConfig.WebAppId
                 if ($app.ReplyUrls -and ($app.ReplyUrls.Count -ne 0)) {
                     $replyUrls = $app.ReplyUrls;
                 }
-            }
 
-            if ($aadAddReplyUrls -and ![string]::IsNullOrEmpty($script:aadConfig.WebAppId)) {
                 $serviceUri = $deployment.Outputs["serviceUrl"].Value
 
                 if (![string]::IsNullOrEmpty($serviceUri)) {
@@ -1145,9 +1161,7 @@ Write-Warning "Standard_D4s_v4 VM with Nested virtualization for IoT Edge Eflow
 
                 $replyUrls.Add("http://localhost:5000/signin-oidc")
                 $replyUrls.Add("https://localhost:5001/signin-oidc")
-            }
 
-            if ($aadAddReplyUrls) {
                 # register reply urls in web application registration
                 Write-Host
                 Write-Host "Registering reply urls for $($script:aadConfig.WebAppId)..."