[BRE-831] migrate secrets AKV (#796 )

[PM-32177] - Fixing Backward Compatibility with Azure AD (#813 )
* Updating the fetching of the config and key to check entra and check azure afterwards. * Making this camelCase to match other values. (cherry picked from commit 284206b735)
2026-01-07 11:03:23 +00:00 · 2025-07-10 12:05:51 -05:00 · 2025-07-02 09:36:03 -05:00 · 2025-06-30 14:08:03 -05:00 · 2025-06-27 08:28:04 -05:00
18 changed files with 238 additions and 103 deletions
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -16,6 +16,8 @@ jobs:
  cloc:
    name: CLOC
    runs-on: ubuntu-24.04
+    permissions:
+      contents: read
    steps:
      - name: Checkout repo
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@@ -32,6 +34,8 @@ jobs:
  setup:
    name: Setup
    runs-on: ubuntu-24.04
+    permissions:
+      contents: read
    outputs:
      package_version: ${{ steps.retrieve-version.outputs.package_version }}
    steps:
@@ -53,6 +57,8 @@ jobs:
      _PACKAGE_VERSION: ${{ needs.setup.outputs.package_version }}
      _PKG_FETCH_NODE_VERSION: 18.5.0
      _PKG_FETCH_VERSION: 3.4
+    permissions:
+      contents: read
    steps:
      - name: Checkout repo
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@@ -132,6 +138,8 @@ jobs:
    name: Build Mac CLI
    runs-on: macos-13
    needs: setup
+    permissions:
+      contents: read
    env:
      _PACKAGE_VERSION: ${{ needs.setup.outputs.package_version }}
      _PKG_FETCH_NODE_VERSION: 18.5.0
@@ -208,6 +216,8 @@ jobs:
    name: Build Windows CLI
    runs-on: windows-2022
    needs: setup
+    permissions:
+      contents: read
    env:
      _PACKAGE_VERSION: ${{ needs.setup.outputs.package_version }}
      _WIN_PKG_FETCH_VERSION: 18.5.0
@@ -341,6 +351,9 @@ jobs:
    name: Build Windows GUI
    runs-on: windows-2022
    needs: setup
+    permissions:
+      contents: read
+      id-token: write
    env:
      NODE_OPTIONS: --max_old_space_size=4096
      _PACKAGE_VERSION: ${{ needs.setup.outputs.package_version }}
@@ -372,10 +385,12 @@ jobs:
      - name: Install Node dependencies
        run: npm install

-      - name: Login to Azure
-        uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0
+      - name: Log in to Azure
+        uses: bitwarden/gh-actions/azure-login@main
        with:
-          creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
+          subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+          tenant_id: ${{ secrets.AZURE_TENANT_ID }}
+          client_id: ${{ secrets.AZURE_CLIENT_ID }}

      - name: Retrieve secrets
        id: retrieve-secrets
@@ -388,6 +403,9 @@ jobs:
            code-signing-client-secret,
            code-signing-cert-name"

+      - name: Log out from Azure
+        uses: bitwarden/gh-actions/azure-logout@main
+
      - name: Build & Sign
        run: npm run dist:win
        env:
@@ -431,6 +449,8 @@ jobs:
    name: Build Linux GUI
    runs-on: ubuntu-24.04
    needs: setup
+    permissions:
+      contents: read
    env:
      NODE_OPTIONS: --max_old_space_size=4096
      _PACKAGE_VERSION: ${{ needs.setup.outputs.package_version }}
@@ -485,6 +505,9 @@ jobs:
    name: Build MacOS GUI
    runs-on: macos-13
    needs: setup
+    permissions:
+      contents: read
+      id-token: write
    env:
      NODE_OPTIONS: --max_old_space_size=4096
      _PACKAGE_VERSION: ${{ needs.setup.outputs.package_version }}
@@ -512,10 +535,19 @@ jobs:
          echo "GitHub ref: $GITHUB_REF"
          echo "GitHub event: $GITHUB_EVENT"

-      - name: Login to Azure
-        uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0
+      - name: Log in to Azure
+        uses: bitwarden/gh-actions/azure-login@main
        with:
-          creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
+          subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+          tenant_id: ${{ secrets.AZURE_TENANT_ID }}
+          client_id: ${{ secrets.AZURE_CLIENT_ID }}
+
+      - name: Get Azure Key Vault secrets
+        id: get-kv-secrets
+        uses: bitwarden/gh-actions/get-keyvault-secrets@main
+        with:
+          keyvault: gh-directory-connector
+          secrets: "KEYCHAIN-PASSWORD,APP-STORE-CONNECT-AUTH-KEY,APP-STORE-CONNECT-TEAM-ISSUER"

      - name: Get certificates
        run: |
@@ -530,9 +562,12 @@ jobs:
          az keyvault secret show --id https://bitwarden-ci.vault.azure.net/certificates/macdev-cert |
            jq -r .value | base64 -d > $HOME/certificates/macdev-cert.p12

+      - name: Log out from Azure
+        uses: bitwarden/gh-actions/azure-logout@main
+
      - name: Set up keychain
        env:
-          KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
+          KEYCHAIN_PASSWORD: ${{ steps.get-kv-secrets.outputs.KEYCHAIN-PASSWORD }}
        run: |
          security create-keychain -p $KEYCHAIN_PASSWORD build.keychain
          security default-keychain -s build.keychain
@@ -566,13 +601,13 @@ jobs:
        run: |
          mkdir ~/private_keys
          cat << EOF > ~/private_keys/AuthKey_UFD296548T.p8
-          ${{ secrets.APP_STORE_CONNECT_AUTH_KEY }}
+          ${{ steps.get-kv-secrets.outputs.APP-STORE-CONNECT-AUTH-KEY }}
          EOF

      - name: Build application
        run: npm run dist:mac
        env:
-          APP_STORE_CONNECT_TEAM_ISSUER: ${{ secrets.APP_STORE_CONNECT_TEAM_ISSUER }}
+          APP_STORE_CONNECT_TEAM_ISSUER: ${{ steps.get-kv-secrets.outputs.APP-STORE-CONNECT-TEAM-ISSUER }}
          APP_STORE_CONNECT_AUTH_KEY: UFD296548T
          APP_STORE_CONNECT_AUTH_KEY_PATH: ~/private_keys/AuthKey_UFD296548T.p8
          CSC_FOR_PULL_REQUEST: true
@@ -618,6 +653,8 @@ jobs:
      - windows-gui
      - linux-gui
      - macos-gui
+    permissions:
+      id-token: write
    steps:
      - name: Check if any job failed
        if: |
@@ -627,11 +664,13 @@ jobs:
          && contains(needs.*.result, 'failure')
        run: exit 1

-      - name: Login to Azure - CI subscription
-        uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0
+      - name: Log in to Azure
        if: failure()
+        uses: bitwarden/gh-actions/azure-login@main
        with:
-          creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
+          subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+          tenant_id: ${{ secrets.AZURE_TENANT_ID }}
+          client_id: ${{ secrets.AZURE_CLIENT_ID }}

      - name: Retrieve secrets
        id: retrieve-secrets
@@ -641,6 +680,9 @@ jobs:
          keyvault: "bitwarden-ci"
          secrets: "devops-alerts-slack-webhook-url"

+      - name: Log out from Azure
+        uses: bitwarden/gh-actions/azure-logout@main
+
      - name: Notify Slack on failure
        uses: act10ns/slack@44541246747a30eb3102d87f7a4cc5471b0ffb7d # v2.1.0
        if: failure()
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -20,6 +20,8 @@ jobs:
  setup:
    name: Setup
    runs-on: ubuntu-24.04
+    permissions:
+      contents: read
    outputs:
      release_version: ${{ steps.version.outputs.version }}
    steps:
@@ -48,6 +50,10 @@ jobs:
    name: Release
    runs-on: ubuntu-24.04
    needs: setup
+    permissions:
+      actions: read
+      packages: read
+      contents: write
    steps:
      - name: Download all artifacts
        if: ${{ inputs.release_type != 'Dry Run' }}
--- a/.github/workflows/scan.yml
+++ b/.github/workflows/scan.yml
@@ -12,7 +12,7 @@ on:
  pull_request_target:
    types: [opened, synchronize, reopened]
    branches:
-      - "main"
+      - main

 permissions: {}

@@ -31,6 +31,7 @@ jobs:
      contents: read
      pull-requests: write
      security-events: write
+      id-token: write

    steps:
      - name: Check out repo
@@ -38,16 +39,33 @@ jobs:
        with:
          ref: ${{ github.event.pull_request.head.sha }}

+      - name: Log in to Azure
+        uses: bitwarden/gh-actions/azure-login@main
+        with:
+          subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+          tenant_id: ${{ secrets.AZURE_TENANT_ID }}
+          client_id: ${{ secrets.AZURE_CLIENT_ID }}
+
+      - name: Get Azure Key Vault secrets
+        id: get-kv-secrets
+        uses: bitwarden/gh-actions/get-keyvault-secrets@main
+        with:
+          keyvault: gh-org-bitwarden
+          secrets: "CHECKMARX-TENANT,CHECKMARX-CLIENT-ID,CHECKMARX-SECRET"
+
+      - name: Log out from Azure
+        uses: bitwarden/gh-actions/azure-logout@main
+
      - name: Scan with Checkmarx
        uses: checkmarx/ast-github-action@184bf2f64f55d1c93fd6636d539edf274703e434 # 2.0.41
        env:
          INCREMENTAL: "${{ contains(github.event_name, 'pull_request') && '--sast-incremental' || '' }}"
        with:
          project_name: ${{ github.repository }}
-          cx_tenant: ${{ secrets.CHECKMARX_TENANT }}
+          cx_tenant: ${{ steps.get-kv-secrets.outputs.CHECKMARX-TENANT }}
          base_uri: https://ast.checkmarx.net/
-          cx_client_id: ${{ secrets.CHECKMARX_CLIENT_ID }}
-          cx_client_secret: ${{ secrets.CHECKMARX_SECRET }}
+          cx_client_id: ${{ steps.get-kv-secrets.outputs.CHECKMARX-CLIENT-ID }}
+          cx_client_secret: ${{ steps.get-kv-secrets.outputs.CHECKMARX-SECRET }}
          additional_params: |
            --report-format sarif \
            --filter "state=TO_VERIFY;PROPOSED_NOT_EXPLOITABLE;CONFIRMED;URGENT" \
@@ -67,6 +85,7 @@ jobs:
    permissions:
      contents: read
      pull-requests: write
+      id-token: write

    steps:
      - name: Check out repo
@@ -75,10 +94,27 @@ jobs:
          fetch-depth: 0
          ref: ${{ github.event.pull_request.head.sha }}

+      - name: Log in to Azure
+        uses: bitwarden/gh-actions/azure-login@main
+        with:
+          subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+          tenant_id: ${{ secrets.AZURE_TENANT_ID }}
+          client_id: ${{ secrets.AZURE_CLIENT_ID }}
+
+      - name: Get Azure Key Vault secrets
+        id: get-kv-secrets
+        uses: bitwarden/gh-actions/get-keyvault-secrets@main
+        with:
+          keyvault: gh-org-bitwarden
+          secrets: "SONAR-TOKEN"
+
+      - name: Log out from Azure
+        uses: bitwarden/gh-actions/azure-logout@main
+
      - name: Scan with SonarCloud
        uses: sonarsource/sonarqube-scan-action@2500896589ef8f7247069a56136f8dc177c27ccf # v5.2.0
        env:
-          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+          SONAR_TOKEN: ${{ steps.get-kv-secrets.outputs.SONAR-TOKEN }}
        with:
          args: >
            -Dsonar.organization=${{ github.repository_owner }}
--- a/.github/workflows/version-bump.yml
+++ b/.github/workflows/version-bump.yml
@@ -12,6 +12,9 @@ jobs:
  bump_version:
    name: Bump Version
    runs-on: ubuntu-24.04
+    permissions:
+      contents: write
+      id-token: write
    steps:
      - name: Validate version input
        if: ${{ inputs.version_number_override != '' }}
@@ -19,12 +22,29 @@ jobs:
        with:
          version: ${{ inputs.version_number_override }}

+      - name: Log in to Azure
+        uses: bitwarden/gh-actions/azure-login@main
+        with:
+          subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+          tenant_id: ${{ secrets.AZURE_TENANT_ID }}
+          client_id: ${{ secrets.AZURE_CLIENT_ID }}
+
+      - name: Get Azure Key Vault secrets
+        id: get-kv-secrets
+        uses: bitwarden/gh-actions/get-keyvault-secrets@main
+        with:
+          keyvault: gh-org-bitwarden
+          secrets: "BW-GHAPP-ID,BW-GHAPP-KEY"
+
+      - name: Log out from Azure
+        uses: bitwarden/gh-actions/azure-logout@main
+
      - name: Generate GH App token
        uses: actions/create-github-app-token@c1a285145b9d317df6ced56c09f525b5c2b6f755 # v1.11.1
        id: app-token
        with:
-          app-id: ${{ secrets.BW_GHAPP_ID }}
-          private-key: ${{ secrets.BW_GHAPP_KEY }}
+          app-id: ${{ steps.get-kv-secrets.outputs.BW-GHAPP-ID }}
+          private-key: ${{ steps.get-kv-secrets.outputs.BW-GHAPP-KEY }}

      - name: Checkout Branch
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
--- a/README.md
+++ b/README.md
@@ -9,7 +9,7 @@ Supported directories:

 - Active Directory
 - Any other LDAP-based directory
- Azure Active Directory
+- Microsoft Entra ID
 - G Suite (Google)
 - Okta

--- a/package.json
+++ b/package.json
@@ -2,7 +2,7 @@
  "name": "@bitwarden/directory-connector",
  "productName": "Bitwarden Directory Connector",
  "description": "Sync your user directory to your Bitwarden organization.",
-  "version": "2025.6.0",
+  "version": "2025.6.1",
  "keywords": [
    "bitwarden",
    "password",
--- a/src/abstractions/state.service.ts
+++ b/src/abstractions/state.service.ts
@@ -3,7 +3,7 @@ import { StorageOptions } from "@/jslib/common/src/models/domain/storageOptions"

 import { DirectoryType } from "@/src/enums/directoryType";
 import { Account } from "@/src/models/account";
-import { AzureConfiguration } from "@/src/models/azureConfiguration";
+import { EntraIdConfiguration } from "@/src/models/entraIdConfiguration";
 import { GSuiteConfiguration } from "@/src/models/gsuiteConfiguration";
 import { LdapConfiguration } from "@/src/models/ldapConfiguration";
 import { OktaConfiguration } from "@/src/models/oktaConfiguration";
@@ -17,7 +17,7 @@ export abstract class StateService extends BaseStateServiceAbstraction<Account>
    config:
      | LdapConfiguration
      | GSuiteConfiguration
-      | AzureConfiguration
+      | EntraIdConfiguration
      | OktaConfiguration
      | OneLoginConfiguration,
  ) => Promise<any>;
@@ -25,8 +25,8 @@ export abstract class StateService extends BaseStateServiceAbstraction<Account>
  setLdapConfiguration: (value: LdapConfiguration, options?: StorageOptions) => Promise<void>;
  getGsuiteConfiguration: (options?: StorageOptions) => Promise<GSuiteConfiguration>;
  setGsuiteConfiguration: (value: GSuiteConfiguration, options?: StorageOptions) => Promise<void>;
-  getAzureConfiguration: (options?: StorageOptions) => Promise<AzureConfiguration>;
-  setAzureConfiguration: (value: AzureConfiguration, options?: StorageOptions) => Promise<void>;
+  getEntraConfiguration: (options?: StorageOptions) => Promise<EntraIdConfiguration>;
+  setEntraConfiguration: (value: EntraIdConfiguration, options?: StorageOptions) => Promise<void>;
  getOktaConfiguration: (options?: StorageOptions) => Promise<OktaConfiguration>;
  setOktaConfiguration: (value: OktaConfiguration, options?: StorageOptions) => Promise<void>;
  getOneLoginConfiguration: (options?: StorageOptions) => Promise<OneLoginConfiguration>;
--- a/src/app/tabs/settings.component.html
+++ b/src/app/tabs/settings.component.html
@@ -242,7 +242,7 @@
            </div>
          </div>
        </div>
-        <div [hidden]="directory != directoryType.AzureActiveDirectory">
+        <div [hidden]="directory != directoryType.EntraID">
          <div class="mb-3">
            <label for="identityAuthority" class="form-label">{{
              "identityAuthority" | i18n
@@ -251,10 +251,10 @@
              class="form-select"
              id="identityAuthority"
              name="IdentityAuthority"
-              [(ngModel)]="azure.identityAuthority"
+              [(ngModel)]="entra.identityAuthority"
            >
-              <option value="login.microsoftonline.com">Azure AD Public</option>
-              <option value="login.microsoftonline.us">Azure AD Government</option>
+              <option value="login.microsoftonline.com">Entra Id Public</option>
+              <option value="login.microsoftonline.us">Entra Id Government</option>
            </select>
          </div>
          <div class="mb-3">
@@ -264,7 +264,7 @@
              class="form-control"
              id="tenant"
              name="Tenant"
-              [(ngModel)]="azure.tenant"
+              [(ngModel)]="entra.tenant"
            />
            <div class="form-text">{{ "ex" | i18n }} companyad.onmicrosoft.com</div>
          </div>
@@ -275,29 +275,29 @@
              class="form-control"
              id="applicationId"
              name="ApplicationId"
-              [(ngModel)]="azure.applicationId"
+              [(ngModel)]="entra.applicationId"
            />
          </div>
          <div class="mb-3">
            <label for="secretKey" class="form-label">{{ "secretKey" | i18n }}</label>
            <div class="input-group">
              <input
-                type="{{ showAzureKey ? 'text' : 'password' }}"
+                type="{{ showEntraKey ? 'text' : 'password' }}"
                class="form-control"
                id="secretKey"
                name="SecretKey"
-                [(ngModel)]="azure.key"
+                [(ngModel)]="entra.key"
              />
              <button
                type="button"
                class="btn btn-outline-secondary"
                appA11yTitle="{{ 'toggleVisibility' | i18n }}"
-                (click)="toggleAzureKey()"
+                (click)="toggleEntraKey()"
              >
                <i
                  class="bwi bwi-lg"
                  aria-hidden="true"
-                  [ngClass]="showAzureKey ? 'bwi-eye-slash' : 'bwi-eye'"
+                  [ngClass]="showEntraKey ? 'bwi-eye-slash' : 'bwi-eye'"
                ></i>
              </button>
            </div>
@@ -607,7 +607,7 @@
            <div class="form-text" *ngIf="directory === directoryType.Ldap">
              {{ "ex" | i18n }} (&amp;(givenName=John)(|(l=Dallas)(l=Austin)))
            </div>
-            <div class="form-text" *ngIf="directory === directoryType.AzureActiveDirectory">
+            <div class="form-text" *ngIf="directory === directoryType.EntraID">
              {{ "ex" | i18n }} exclude:joe&#64;company.com
            </div>
            <div class="form-text" *ngIf="directory === directoryType.Okta">
@@ -684,7 +684,7 @@
            <div class="form-text" *ngIf="directory === directoryType.Ldap">
              {{ "ex" | i18n }} (&amp;(objectClass=group)(!(cn=Sales*))(!(cn=IT*)))
            </div>
-            <div class="form-text" *ngIf="directory === directoryType.AzureActiveDirectory">
+            <div class="form-text" *ngIf="directory === directoryType.EntraID">
              {{ "ex" | i18n }} include:Sales,IT
            </div>
            <div class="form-text" *ngIf="directory === directoryType.Okta">
--- a/src/app/tabs/settings.component.ts
+++ b/src/app/tabs/settings.component.ts
@@ -5,7 +5,7 @@ import { LogService } from "@/jslib/common/src/abstractions/log.service";

 import { StateService } from "../../abstractions/state.service";
 import { DirectoryType } from "../../enums/directoryType";
-import { AzureConfiguration } from "../../models/azureConfiguration";
+import { EntraIdConfiguration } from "../../models/entraIdConfiguration";
 import { GSuiteConfiguration } from "../../models/gsuiteConfiguration";
 import { LdapConfiguration } from "../../models/ldapConfiguration";
 import { OktaConfiguration } from "../../models/oktaConfiguration";
@@ -22,13 +22,13 @@ export class SettingsComponent implements OnInit, OnDestroy {
  directoryType = DirectoryType;
  ldap = new LdapConfiguration();
  gsuite = new GSuiteConfiguration();
-  azure = new AzureConfiguration();
+  entra = new EntraIdConfiguration();
  okta = new OktaConfiguration();
  oneLogin = new OneLoginConfiguration();
  sync = new SyncConfiguration();
  directoryOptions: any[];
  showLdapPassword = false;
-  showAzureKey = false;
+  showEntraKey = false;
  showOktaKey = false;
  showOneLoginSecret = false;

@@ -42,7 +42,7 @@ export class SettingsComponent implements OnInit, OnDestroy {
    this.directoryOptions = [
      { name: this.i18nService.t("select"), value: null },
      { name: "Active Directory / LDAP", value: DirectoryType.Ldap },
-      { name: "Azure Active Directory", value: DirectoryType.AzureActiveDirectory },
+      { name: "Entra ID", value: DirectoryType.EntraID },
      { name: "G Suite (Google)", value: DirectoryType.GSuite },
      { name: "Okta", value: DirectoryType.Okta },
      { name: "OneLogin", value: DirectoryType.OneLogin },
@@ -56,10 +56,9 @@ export class SettingsComponent implements OnInit, OnDestroy {
    this.gsuite =
      (await this.stateService.getDirectory<GSuiteConfiguration>(DirectoryType.GSuite)) ||
      this.gsuite;
-    this.azure =
-      (await this.stateService.getDirectory<AzureConfiguration>(
-        DirectoryType.AzureActiveDirectory,
-      )) || this.azure;
+    this.entra =
+      (await this.stateService.getDirectory<EntraIdConfiguration>(DirectoryType.EntraID)) ||
+      this.entra;
    this.okta =
      (await this.stateService.getDirectory<OktaConfiguration>(DirectoryType.Okta)) || this.okta;
    this.oneLogin =
@@ -80,7 +79,7 @@ export class SettingsComponent implements OnInit, OnDestroy {
    await this.stateService.setDirectoryType(this.directory);
    await this.stateService.setDirectory(DirectoryType.Ldap, this.ldap);
    await this.stateService.setDirectory(DirectoryType.GSuite, this.gsuite);
-    await this.stateService.setDirectory(DirectoryType.AzureActiveDirectory, this.azure);
+    await this.stateService.setDirectory(DirectoryType.EntraID, this.entra);
    await this.stateService.setDirectory(DirectoryType.Okta, this.okta);
    await this.stateService.setDirectory(DirectoryType.OneLogin, this.oneLogin);
    await this.stateService.setSync(this.sync);
@@ -135,8 +134,8 @@ export class SettingsComponent implements OnInit, OnDestroy {
    document.getElementById("password").focus();
  }

-  toggleAzureKey() {
-    this.showAzureKey = !this.showAzureKey;
+  toggleEntraKey() {
+    this.showEntraKey = !this.showEntraKey;
    document.getElementById("secretKey").focus();
  }

--- a/src/commands/config.command.ts
+++ b/src/commands/config.command.ts
@@ -8,7 +8,7 @@ import { MessageResponse } from "@/jslib/node/src/cli/models/response/messageRes

 import { StateService } from "../abstractions/state.service";
 import { DirectoryType } from "../enums/directoryType";
-import { AzureConfiguration } from "../models/azureConfiguration";
+import { EntraIdConfiguration } from "../models/entraIdConfiguration";
 import { GSuiteConfiguration } from "../models/gsuiteConfiguration";
 import { LdapConfiguration } from "../models/ldapConfiguration";
 import { OktaConfiguration } from "../models/oktaConfiguration";
@@ -20,7 +20,7 @@ export class ConfigCommand {
  private directory: DirectoryType;
  private ldap = new LdapConfiguration();
  private gsuite = new GSuiteConfiguration();
-  private azure = new AzureConfiguration();
+  private entra = new EntraIdConfiguration();
  private okta = new OktaConfiguration();
  private oneLogin = new OneLoginConfiguration();
  private sync = new SyncConfiguration();
@@ -54,8 +54,11 @@ export class ConfigCommand {
        case "gsuite.key":
          await this.setGSuiteKey(value);
          break;
+        // Azure Active Directory was renamed to Entra ID, but we've kept the old key name
+        // to be backwards compatible with existing configurations.
        case "azure.key":
-          await this.setAzureKey(value);
+        case "entra.key":
+          await this.setEntraIdKey(value);
          break;
        case "okta.token":
          await this.setOktaToken(value);
@@ -102,9 +105,9 @@ export class ConfigCommand {
    await this.saveConfig();
  }

-  private async setAzureKey(key: string) {
+  private async setEntraIdKey(key: string) {
    await this.loadConfig();
-    this.azure.key = key;
+    this.entra.key = key;
    await this.saveConfig();
  }

@@ -127,10 +130,9 @@ export class ConfigCommand {
    this.gsuite =
      (await this.stateService.getDirectory<GSuiteConfiguration>(DirectoryType.GSuite)) ||
      this.gsuite;
-    this.azure =
-      (await this.stateService.getDirectory<AzureConfiguration>(
-        DirectoryType.AzureActiveDirectory,
-      )) || this.azure;
+    this.entra =
+      (await this.stateService.getDirectory<EntraIdConfiguration>(DirectoryType.EntraID)) ||
+      this.entra;
    this.okta =
      (await this.stateService.getDirectory<OktaConfiguration>(DirectoryType.Okta)) || this.okta;
    this.oneLogin =
@@ -144,7 +146,7 @@ export class ConfigCommand {
    await this.stateService.setDirectoryType(this.directory);
    await this.stateService.setDirectory(DirectoryType.Ldap, this.ldap);
    await this.stateService.setDirectory(DirectoryType.GSuite, this.gsuite);
-    await this.stateService.setDirectory(DirectoryType.AzureActiveDirectory, this.azure);
+    await this.stateService.setDirectory(DirectoryType.EntraID, this.entra);
    await this.stateService.setDirectory(DirectoryType.Okta, this.okta);
    await this.stateService.setDirectory(DirectoryType.OneLogin, this.oneLogin);
    await this.stateService.setSync(this.sync);
--- a/src/enums/directoryType.ts
+++ b/src/enums/directoryType.ts
@@ -1,6 +1,6 @@
 export enum DirectoryType {
  Ldap = 0,
-  AzureActiveDirectory = 1,
+  EntraID = 1,
  GSuite = 2,
  Okta = 3,
  OneLogin = 4,
--- a/src/models/account.ts
+++ b/src/models/account.ts
@@ -2,7 +2,7 @@ import { Account as BaseAccount } from "@/jslib/common/src/models/domain/account

 import { DirectoryType } from "@/src/enums/directoryType";

-import { AzureConfiguration } from "./azureConfiguration";
+import { EntraIdConfiguration } from "./entraIdConfiguration";
 import { GSuiteConfiguration } from "./gsuiteConfiguration";
 import { LdapConfiguration } from "./ldapConfiguration";
 import { OktaConfiguration } from "./oktaConfiguration";
@@ -29,7 +29,10 @@ export class ClientKeys {
 export class DirectoryConfigurations {
  ldap: LdapConfiguration;
  gsuite: GSuiteConfiguration;
-  azure: AzureConfiguration;
+  entra: EntraIdConfiguration;
+  // Azure Active Directory was renamed to Entra ID, but we've kept the old account property name
+  // to be backwards compatible with existing configurations.
+  azure: EntraIdConfiguration;
  okta: OktaConfiguration;
  oneLogin: OneLoginConfiguration;
 }
--- a/src/models/entraIdConfiguration.ts
+++ b/src/models/entraIdConfiguration.ts
@@ -1,6 +1,6 @@
 import { IConfiguration } from "./IConfiguration";

-export class AzureConfiguration implements IConfiguration {
+export class EntraIdConfiguration implements IConfiguration {
  identityAuthority: string;
  tenant: string;
  applicationId: string;
--- a/src/program.ts
+++ b/src/program.ts
@@ -190,7 +190,7 @@ export class Program extends BaseProgram {
        writeLn("    server - On-premise hosted installation URL.");
        writeLn("    directory - The type of directory to use.");
        writeLn("    ldap.password - The password for connection to this LDAP server.");
-        writeLn("    azure.key - The Azure AD secret key.");
+        writeLn("    entra.key - The Entra Id secret key.");
        writeLn("    gsuite.key - The G Suite private key.");
        writeLn("    okta.token - The Okta token.");
        writeLn("    onelogin.secret - The OneLogin client secret.");
@@ -202,7 +202,7 @@ export class Program extends BaseProgram {
        writeLn("    bwdc config directory 1");
        writeLn("    bwdc config ldap.password <password>");
        writeLn("    bwdc config ldap.password --secretenv LDAP_PWD");
-        writeLn("    bwdc config azure.key <key>");
+        writeLn("    bwdc config entra.key <key>");
        writeLn("    bwdc config gsuite.key <key>");
        writeLn("    bwdc config okta.token <token>");
        writeLn("    bwdc config onelogin.secret <secret>");
--- a/src/services/directory-factory.service.ts
+++ b/src/services/directory-factory.service.ts
@@ -5,7 +5,7 @@ import { DirectoryFactoryService } from "../abstractions/directory-factory.servi
 import { StateService } from "../abstractions/state.service";
 import { DirectoryType } from "../enums/directoryType";

-import { AzureDirectoryService } from "./azure-directory.service";
+import { EntraIdDirectoryService } from "./entra-id-directory.service";
 import { GSuiteDirectoryService } from "./gsuite-directory.service";
 import { LdapDirectoryService } from "./ldap-directory.service";
 import { OktaDirectoryService } from "./okta-directory.service";
@@ -22,8 +22,8 @@ export class DefaultDirectoryFactoryService implements DirectoryFactoryService {
    switch (directoryType) {
      case DirectoryType.GSuite:
        return new GSuiteDirectoryService(this.logService, this.i18nService, this.stateService);
-      case DirectoryType.AzureActiveDirectory:
-        return new AzureDirectoryService(this.logService, this.i18nService, this.stateService);
+      case DirectoryType.EntraID:
+        return new EntraIdDirectoryService(this.logService, this.i18nService, this.stateService);
      case DirectoryType.Ldap:
        return new LdapDirectoryService(this.logService, this.i18nService, this.stateService);
      case DirectoryType.Okta:
--- a/src/services/entra-id-directory.service.ts
+++ b/src/services/entra-id-directory.service.ts
@@ -9,7 +9,7 @@ import { LogService } from "@/jslib/common/src/abstractions/log.service";

 import { StateService } from "../abstractions/state.service";
 import { DirectoryType } from "../enums/directoryType";
-import { AzureConfiguration } from "../models/azureConfiguration";
+import { EntraIdConfiguration } from "../models/entraIdConfiguration";
 import { GroupEntry } from "../models/groupEntry";
 import { SyncConfiguration } from "../models/syncConfiguration";
 import { UserEntry } from "../models/userEntry";
@@ -17,10 +17,10 @@ import { UserEntry } from "../models/userEntry";
 import { BaseDirectoryService } from "./baseDirectory.service";
 import { IDirectoryService } from "./directory.service";

-const AzurePublicIdentityAuhtority = "login.microsoftonline.com";
-const AzurePublicGraphEndpoint = "https://graph.microsoft.com";
-const AzureGovermentIdentityAuhtority = "login.microsoftonline.us";
-const AzureGovernmentGraphEndpoint = "https://graph.microsoft.us";
+const EntraIdPublicIdentityAuthority = "login.microsoftonline.com";
+const EntraIdPublicGraphEndpoint = "https://graph.microsoft.com";
+const EntraIdGovernmentIdentityAuthority = "login.microsoftonline.us";
+const EntraIdGovernmentGraphEndpoint = "https://graph.microsoft.us";

 const NextLink = "@odata.nextLink";
 const DeltaLink = "@odata.deltaLink";
@@ -34,9 +34,9 @@ enum UserSetType {
  ExcludeGroup,
 }

-export class AzureDirectoryService extends BaseDirectoryService implements IDirectoryService {
+export class EntraIdDirectoryService extends BaseDirectoryService implements IDirectoryService {
  private client: graph.Client;
-  private dirConfig: AzureConfiguration;
+  private dirConfig: EntraIdConfiguration;
  private syncConfig: SyncConfiguration;
  private accessToken: string;
  private accessTokenExpiration: Date;
@@ -52,12 +52,12 @@ export class AzureDirectoryService extends BaseDirectoryService implements IDire

  async getEntries(force: boolean, test: boolean): Promise<[GroupEntry[], UserEntry[]]> {
    const type = await this.stateService.getDirectoryType();
-    if (type !== DirectoryType.AzureActiveDirectory) {
+    if (type !== DirectoryType.EntraID) {
      return;
    }

-    this.dirConfig = await this.stateService.getDirectory<AzureConfiguration>(
-      DirectoryType.AzureActiveDirectory,
+    this.dirConfig = await this.stateService.getDirectory<EntraIdConfiguration>(
+      DirectoryType.EntraID,
    );
    if (this.dirConfig == null) {
      return;
@@ -459,10 +459,10 @@ export class AzureDirectoryService extends BaseDirectoryService implements IDire
        const identityAuthority =
          this.dirConfig.identityAuthority != null
            ? this.dirConfig.identityAuthority
-            : AzurePublicIdentityAuhtority;
+            : EntraIdPublicIdentityAuthority;
        if (
-          identityAuthority !== AzurePublicIdentityAuhtority &&
-          identityAuthority !== AzureGovermentIdentityAuhtority
+          identityAuthority !== EntraIdPublicIdentityAuthority &&
+          identityAuthority !== EntraIdGovernmentIdentityAuthority
        ) {
          done(new Error(this.i18nService.t("dirConfigIncomplete")), null);
          return;
@@ -546,8 +546,8 @@ export class AzureDirectoryService extends BaseDirectoryService implements IDire
  }

  private getGraphApiEndpoint(): string {
-    return this.dirConfig.identityAuthority === AzureGovermentIdentityAuhtority
-      ? AzureGovernmentGraphEndpoint
-      : AzurePublicGraphEndpoint;
+    return this.dirConfig.identityAuthority === EntraIdGovernmentIdentityAuthority
+      ? EntraIdGovernmentGraphEndpoint
+      : EntraIdPublicGraphEndpoint;
  }
 }
--- a/src/services/state.service.ts
+++ b/src/services/state.service.ts
@@ -11,7 +11,7 @@ import { StateService as StateServiceAbstraction } from "@/src/abstractions/stat
 import { DirectoryType } from "@/src/enums/directoryType";
 import { IConfiguration } from "@/src/models/IConfiguration";
 import { Account } from "@/src/models/account";
-import { AzureConfiguration } from "@/src/models/azureConfiguration";
+import { EntraIdConfiguration } from "@/src/models/entraIdConfiguration";
 import { GSuiteConfiguration } from "@/src/models/gsuiteConfiguration";
 import { LdapConfiguration } from "@/src/models/ldapConfiguration";
 import { OktaConfiguration } from "@/src/models/oktaConfiguration";
@@ -21,7 +21,10 @@ import { SyncConfiguration } from "@/src/models/syncConfiguration";
 const SecureStorageKeys = {
  ldap: "ldapPassword",
  gsuite: "gsuitePrivateKey",
+  // Azure Active Directory was renamed to Entra ID, but we've kept the old property name
+  // to be backwards compatible with existing configurations.
  azure: "azureKey",
+  entra: "entraKey",
  okta: "oktaToken",
  oneLogin: "oneLoginClientSecret",
  userDelta: "userDeltaToken",
@@ -68,8 +71,8 @@ export class StateService
        case DirectoryType.Ldap:
          (configWithSecrets as any).password = await this.getLdapKey();
          break;
-        case DirectoryType.AzureActiveDirectory:
-          (configWithSecrets as any).key = await this.getAzureKey();
+        case DirectoryType.EntraID:
+          (configWithSecrets as any).key = await this.getEntraKey();
          break;
        case DirectoryType.Okta:
          (configWithSecrets as any).token = await this.getOktaKey();
@@ -93,7 +96,7 @@ export class StateService
    config:
      | LdapConfiguration
      | GSuiteConfiguration
-      | AzureConfiguration
+      | EntraIdConfiguration
      | OktaConfiguration
      | OneLoginConfiguration,
  ): Promise<any> {
@@ -106,11 +109,11 @@ export class StateService
          await this.setLdapConfiguration(ldapConfig);
          break;
        }
-        case DirectoryType.AzureActiveDirectory: {
-          const azureConfig = config as AzureConfiguration;
-          await this.setAzureKey(azureConfig.key);
-          azureConfig.key = StoredSecurely;
-          await this.setAzureConfiguration(azureConfig);
+        case DirectoryType.EntraID: {
+          const entraConfig = config as EntraIdConfiguration;
+          await this.setEntraKey(entraConfig.key);
+          entraConfig.key = StoredSecurely;
+          await this.setEntraConfiguration(entraConfig);
          break;
        }
        case DirectoryType.Okta: {
@@ -187,23 +190,32 @@ export class StateService
    );
  }

-  private async getAzureKey(options?: StorageOptions): Promise<string> {
+  private async getEntraKey(options?: StorageOptions): Promise<string> {
    options = this.reconcileOptions(options, await this.defaultSecureStorageOptions());
    if (options?.userId == null) {
      return null;
    }
+
+    const entraKey = await this.secureStorageService.get<string>(
+      `${options.userId}_${SecureStorageKeys.entra}`,
+    );
+
+    if (entraKey != null) {
+      return entraKey;
+    }
+
    return await this.secureStorageService.get<string>(
      `${options.userId}_${SecureStorageKeys.azure}`,
    );
  }

-  private async setAzureKey(value: string, options?: StorageOptions): Promise<void> {
+  private async setEntraKey(value: string, options?: StorageOptions): Promise<void> {
    options = this.reconcileOptions(options, await this.defaultSecureStorageOptions());
    if (options?.userId == null) {
      return;
    }
    await this.secureStorageService.save(
-      `${options.userId}_${SecureStorageKeys.azure}`,
+      `${options.userId}_${SecureStorageKeys.entra}`,
      value,
      options,
    );
@@ -259,8 +271,8 @@ export class StateService
        return await this.getLdapConfiguration();
      case DirectoryType.GSuite:
        return await this.getGsuiteConfiguration();
-      case DirectoryType.AzureActiveDirectory:
-        return await this.getAzureConfiguration();
+      case DirectoryType.EntraID:
+        return await this.getEntraConfiguration();
      case DirectoryType.Okta:
        return await this.getOktaConfiguration();
      case DirectoryType.OneLogin:
@@ -305,17 +317,28 @@ export class StateService
    );
  }

-  async getAzureConfiguration(options?: StorageOptions): Promise<AzureConfiguration> {
+  async getEntraConfiguration(options?: StorageOptions): Promise<EntraIdConfiguration> {
+    const entraConfig = (
+      await this.getAccount(this.reconcileOptions(options, await this.defaultOnDiskOptions()))
+    )?.directoryConfigurations?.entra;
+
+    if (entraConfig != null) {
+      return entraConfig;
+    }
+
    return (
      await this.getAccount(this.reconcileOptions(options, await this.defaultOnDiskOptions()))
    )?.directoryConfigurations?.azure;
  }

-  async setAzureConfiguration(value: AzureConfiguration, options?: StorageOptions): Promise<void> {
+  async setEntraConfiguration(
+    value: EntraIdConfiguration,
+    options?: StorageOptions,
+  ): Promise<void> {
    const account = await this.getAccount(
      this.reconcileOptions(options, await this.defaultOnDiskOptions()),
    );
-    account.directoryConfigurations.azure = value;
+    account.directoryConfigurations.entra = value;
    await this.saveAccount(
      account,
      this.reconcileOptions(options, await this.defaultOnDiskOptions()),
--- a/src/services/stateMigration.service.ts
+++ b/src/services/stateMigration.service.ts
@@ -3,7 +3,7 @@ import { StateMigrationService as BaseStateMigrationService } from "@/jslib/comm

 import { DirectoryType } from "@/src/enums/directoryType";
 import { Account, DirectoryConfigurations, DirectorySettings } from "@/src/models/account";
-import { AzureConfiguration } from "@/src/models/azureConfiguration";
+import { EntraIdConfiguration } from "@/src/models/entraIdConfiguration";
 import { GSuiteConfiguration } from "@/src/models/gsuiteConfiguration";
 import { LdapConfiguration } from "@/src/models/ldapConfiguration";
 import { OktaConfiguration } from "@/src/models/oktaConfiguration";
@@ -14,6 +14,7 @@ const SecureStorageKeys: { [key: string]: any } = {
  ldap: "ldapPassword",
  gsuite: "gsuitePrivateKey",
  azure: "azureKey",
+  entra: "entraIdKey",
  okta: "oktaToken",
  oneLogin: "oneLoginClientSecret",
  directoryConfigPrefix: "directoryConfig_",
@@ -104,13 +105,16 @@ export class StateMigrationService extends BaseStateMigrationService {
      }
    };

-    // Initilize typed objects from key/value pairs in storage to either be saved temporarily until an account is authed or applied to the active account
+    // Initialize typed objects from key/value pairs in storage to either be saved temporarily until an account is authed or applied to the active account
    const getDirectoryConfig = async <T>(type: DirectoryType) =>
      await this.get<T>(SecureStorageKeys.directoryConfigPrefix + type);
    const directoryConfigs: DirectoryConfigurations = {
      ldap: await getDirectoryConfig<LdapConfiguration>(DirectoryType.Ldap),
      gsuite: await getDirectoryConfig<GSuiteConfiguration>(DirectoryType.GSuite),
-      azure: await getDirectoryConfig<AzureConfiguration>(DirectoryType.AzureActiveDirectory),
+      // Azure Active Directory was renamed to Entra ID, but we've kept the old property name
+      // to be backwards compatible with existing configurations.
+      azure: await getDirectoryConfig<EntraIdConfiguration>(DirectoryType.EntraID),
+      entra: await getDirectoryConfig<EntraIdConfiguration>(DirectoryType.EntraID),
      okta: await getDirectoryConfig<OktaConfiguration>(DirectoryType.Okta),
      oneLogin: await getDirectoryConfig<OneLoginConfiguration>(DirectoryType.OneLogin),
    };
Author	SHA1	Message	Date
Andy Pixley	13b5574723	[BRE-831] migrate secrets AKV (#796 )	2025-07-10 12:05:51 -05:00
Jared McCannon	a35d921993	[PM-32177] - Fixing Backward Compatibility with Azure AD (#813 ) * Updating the fetching of the config and key to check entra and check azure afterwards. * Making this camelCase to match other values. (cherry picked from commit `284206b735`)	2025-07-02 09:36:03 -05:00
Vincent Salucci	3a46e1781e	chore: bump version to v2025.6.1 (#812 )	2025-06-30 14:08:03 -05:00
Jared McCannon	dc64f7191e	[PM-21187] Rename Azure AD to Entra ID (#797 ) * Changed label to entraID * Performed rename of Azure AD to Entra ID * Added check to maintain backward compatibility. * Swapping Azure for Entra * one last spot * Adding property for the data.json for backward compatibility. Co-authored-by: Thomas Rittson <31796059+eliykat@users.noreply.github.com> * Removing unneeded setting using the old azure property. * Accidentally removed. Adding entra back in. * Adding backward compatibility comment. Added here because it's required for SecureStorageKeys * Adding backward compatibility comments. * Fixing comment * Removing unused fields. --------- Co-authored-by: Thomas Rittson <31796059+eliykat@users.noreply.github.com>	2025-06-27 08:28:04 -05:00