Fixing update done through #3958

documentation/Set-PnPMicrosoft365Group.md

@@ -73,6 +73,23 @@ Sets the sensitivity label of the group
 
 ## PARAMETERS
 
+### -AllowExternalSenders
+Allows configuring if the Microsoft 365 Group should accept e-mail from senders outside of the organisation (true) or if both internal as well as external senders can send e-mail to the e-mail address of the Microsoft 365 group (false).
+
+In the Exchange Online PowerShell cmdlet this would be the RequireSenderAuthenticationEnabled property, but then inversed, so when that would be set to $true it would not accept e-mail from outside the organisation and when set to $false it would.
+
+This property can only be set using a Delegated logon, not with an Application logon.
+
+```yaml
+Type: Boolean
+Parameter Sets: (All)
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
 ### -AutoSubscribeNewMembers
 The AutoSubscribeNewMembers switch specifies whether to automatically subscribe new members that are added to the Microsoft 365 Group to conversations and calendar events. Only users that are added to the group after you enable this setting are automatically subscribed to the group.
 
@@ -81,6 +98,8 @@ If you don't want to subscribe new members to conversations and calendar events,
 
 Note: This property is evaluated only when you add internal members from your organization. Guest user accounts are always subscribed when added as a member.
 
+This property can only be set using a Delegated logon, not with an Application logon.
+
 ```yaml
 Type: SwitchParameter
 Parameter Sets: (All)
@@ -246,21 +265,6 @@ Accept pipeline input: False
 Accept wildcard characters: False
 ```
 
-### -RequireSenderAuthenticationEnabled
-Allows configuring if the Microsoft 365 Group should accept e-mail from senders outside of the organisation (false) or if both internal as well as external senders can send e-mail to the e-mail address of the Microsoft 365 group (true).
-
-Alias: AllowExternalSenders
-
-```yaml
-Type: Boolean
-Parameter Sets: (All)
-Required: False
-Position: Named
-Default value: None
-Accept pipeline input: False
-Accept wildcard characters: False
-```
-
 ### -SensitivityLabels
 The Sensitivity label to be set to the Microsoft 365 Group. To retrieve the sensitivity label Ids you can use [Get-PnPAvailableSensitivityLabel](Get-PnPAvailableSensitivityLabel.md).
 

src/Commands/Base/TokenHandling.cs

@@ -13,6 +13,36 @@
 {
     internal static class TokenHandler
     {
+        /// <summary>
+        /// Returns the type of oAuth JWT token being passed in (Delegate/AppOnly)
+        /// </summary>
+        /// <param name="token">The oAuth JWT token</param>
+        /// <returns>Enum indicating the type of oAuth JWT token</returns>
+        internal static Enums.IdType RetrieveTokenType(string token)
+        {
+            var decodedToken = new JwtSecurityToken(token);
+
+            // The idType is stored in the token as a claim
+            var idType = decodedToken.Claims.FirstOrDefault(c => c.Type == "idtyp");
+
+            // Check if the token contains an idType
+            if (idType == null) return Enums.IdType.Unknown;
+
+            // Parse the idType to the corresponding enum value
+            return idType.Value.ToLowerInvariant() switch
+            {
+                "user" => Enums.IdType.Delegate,
+                "app" => Enums.IdType.Application,
+                _ => Enums.IdType.Unknown
+            };
+        }
+
+        /// <summary>
+        /// Extracts the oAuth JWT token to compare the permissions in it (roles) with the required permissions for the cmdlet provided through an attribute
+        /// </summary>
+        /// <param name="cmdletType">The cmdlet that will be executed. Used to check for the permissions attribute.</param>
+        /// <param name="token">The oAuth JWT token that needs to be validated for its roles</param>
+        /// <exception cref="PSArgumentException">Thrown if the permissions set through the permissions attribute do not match the roles in the JWT token</exception>
         internal static void ValidateTokenForPermissions(Type cmdletType, string token)
         {
             string[] requiredScopes = null;
@@ -273,7 +303,7 @@
             var tokenPath = Environment.GetEnvironmentVariable("AZURE_FEDERATED_TOKEN_FILE");
             var tenantID = Environment.GetEnvironmentVariable("AZURE_TENANT_ID");
 
             var _confidentialClientApp = ConfidentialClientApplicationBuilder.Create(clientID)
                 .WithClientAssertion(ReadJWTFromFS(tokenPath))
                 .WithTenantId(tenantID).Build();
 

src/Commands/Enums/IdType.cs

@@ -0,0 +1,23 @@
+namespace PnP.PowerShell.Commands.Enums
+{
+    /// <summary>
+    /// Possible IdType values inside an oAuth JWT token
+    /// </summary>
+    public enum IdType : short
+    {
+        /// <summary>
+        /// Unable to identify the token type
+        /// </summary>
+        Unknown,
+
+        /// <summary>
+        /// IdType user, indicates a delegate token
+        /// </summary>
+        Delegate,
+
+        /// <summary>
+        /// IdType app, indicates an application token
+        /// </summary>
+        Application
+    }
+}

src/Commands/Microsoft365Groups/SetMicrosoft365Group.cs

@@ -54,9 +54,8 @@ public class SetMicrosoft365Group : PnPGraphCmdlet
         [Parameter(Mandatory = false)]
         public string MailNickname;
 
-        [Parameter(Mandatory = false)]
-        [Alias("AllowExternalSenders")] // This is the name used in Microsoft Graph while the name below is the one used within Exchange Online. They both are about the same feature.
-        public bool? RequireSenderAuthenticationEnabled;
+        [Parameter(Mandatory = false)] // This is the name used in Microsoft Graph while the name RequireSenderAuthenticationEnabled is the one used within Exchange Online, but there its inversed, so we cannot easily add it as an alias here. They both are about the same feature.
+        public bool? AllowExternalSenders;
 
         [Parameter(Mandatory = false)]
         public bool? AutoSubscribeNewMembers;
@@ -103,14 +102,24 @@ protected override void ExecuteCmdlet()
                     group = Microsoft365GroupsUtility.UpdateAsync(Connection, AccessToken, group).GetAwaiter().GetResult();
                 }
 
-                if (ParameterSpecified(nameof(RequireSenderAuthenticationEnabled)) && RequireSenderAuthenticationEnabled.HasValue)
+                if (ParameterSpecified(nameof(AllowExternalSenders)) && AllowExternalSenders.HasValue)
                 {
-                    group.AllowExternalSenders = RequireSenderAuthenticationEnabled.Value;
+                    if(TokenHandler.RetrieveTokenType(AccessToken) != Enums.IdType.Delegate)
+                    {
+                        WriteWarning($"{nameof(AllowExternalSenders)} can only be used with a delegate token. You're currently connected through an application token.");
+                    }
+
+                    group.AllowExternalSenders = AllowExternalSenders.Value;
                     exchangeOnlinePropertiesChanged = true;
                 }
 
                 if (ParameterSpecified(nameof(AutoSubscribeNewMembers)) && AutoSubscribeNewMembers.HasValue)
                 {
+                    if (TokenHandler.RetrieveTokenType(AccessToken) != Enums.IdType.Delegate)
+                    {
+                        WriteWarning($"{nameof(AllowExternalSenders)} can only be used with a delegate token. You're currently connected through an application token.");
+                    }
+
                     group.AutoSubscribeNewMembers = AutoSubscribeNewMembers.Value;
                     exchangeOnlinePropertiesChanged = true;
                 }