private static void LogReporting(ProvisioningActionModel action, string provisioningEnvironment, DateTime startProvisioning, DomainModel.Package package, Int32 outcome, String details = null)
            // Prepare the reporting event
            var provisioningEvent = new
                EventId             = action.CorrelationId,
                EventStartDateTime  = startProvisioning,
                EventEndDateTime    = DateTime.Now,
                EventOutcome        = outcome,
                EventDetails        = details,
                EventFromProduction = provisioningEnvironment.ToUpper() == "PROD" ? 1 : 0,
                TemplateId          = action.PackageId,
                TemplateDisplayName = package?.DisplayName,

                // Make the Azure Function call for reporting
                                           provisioningEvent, "application/json", null);
                // Intentionally ignore any reporting issue
        private static async Task LoadThemesFromTenant(ProvisioningActionModel model, string tokenId, SharePointSite rootSite, string graphAccessToken)
            // Retrieve the SPO URL for the Admin Site
            var adminSiteUrl = rootSite.WebUrl.Replace("", "");

            // Retrieve the SPO Access Token
            var spoAccessToken = await ProvisioningAppManager.AccessTokenProvider.GetAccessTokenAsync(
                tokenId, adminSiteUrl,

            // Connect to SPO and retrieve the list of available Themes
            AuthenticationManager authManager = new AuthenticationManager();

            using (ClientContext spoContext = authManager.GetAzureADAccessTokenAuthenticatedContext(adminSiteUrl, spoAccessToken))
                TenantAdmin.Tenant tenant = new TenantAdmin.Tenant(spoContext);
                var themes = tenant.GetAllTenantThemes();

                model.Themes = themes.Select(t => t.Name).ToList();
        public async Task <ActionResult> Provision(ProvisioningActionModel model)

            if (model != null && ModelState.IsValid)
                // Enqueue the provisioning request
                await ProvisioningAppManager.EnqueueProvisioningRequest(
                    (Request.Files != null && Request.Files.Count > 0 && Request.Files[0].ContentLength > 0)?Request.Files[0].FileName : null,
                    (Request.Files != null && Request.Files.Count > 0 && Request.Files[0].ContentLength > 0)?Request.Files[0].InputStream : null

                // Get the service description content
                var context     = GetDataContext();
                var contentPage = context.ContentPages.FirstOrDefault(cp => cp.Id == "system/pages/");

                if (contentPage != null)
                    model.ProvisionDescription = contentPage.Content;

            return(View("ProvisionQueued", model));
        public async Task <ActionResult> Provision(String packageId = null)
            if (String.IsNullOrEmpty(packageId))
                throw new ArgumentNullException("packageId");

            ProvisioningActionModel model = new ProvisioningActionModel();

            if (IsValidUser())
                var issuer = (System.Threading.Thread.CurrentPrincipal as System.Security.Claims.ClaimsPrincipal)?.FindFirst("iss");
                if (issuer != null && !String.IsNullOrEmpty(issuer.Value))
                    var issuerValue = issuer.Value.Substring(0, issuer.Value.Length - 1);
                    var tenantId    = issuerValue.Substring(issuerValue.LastIndexOf("/") + 1);
                    var upn         = (System.Threading.Thread.CurrentPrincipal as System.Security.Claims.ClaimsPrincipal)?.FindFirst(ClaimTypes.Upn)?.Value;

                    if (this.IsAllowedUpnTenant(upn))
                        #region Prepare model generic context data

                        // Prepare the model data
                        model.TenantId          = tenantId;
                        model.UserPrincipalName = upn;
                        model.PackageId         = packageId;
                        model.ApplyTheme        = false;
                        model.ApplyCustomTheme  = false;

                        String provisioningScope       = ConfigurationManager.AppSettings["SPPA:ProvisioningScope"];
                        String provisioningEnvironment = ConfigurationManager.AppSettings["SPPA:ProvisioningEnvironment"];

                        var tokenId          = $"{model.TenantId}-{model.UserPrincipalName.GetHashCode()}-{provisioningScope}-{provisioningEnvironment}";
                        var graphAccessToken = await ProvisioningAppManager.AccessTokenProvider.GetAccessTokenAsync(
                            tokenId, "");

                        model.UserIsTenantAdmin = Utilities.UserIsTenantGlobalAdmin(graphAccessToken);
                        model.UserIsSPOAdmin    = Utilities.UserIsSPOAdmin(graphAccessToken);
                        model.NotificationEmail = upn;


                        // If the current user is an admin, we can get the available Themes
                        if (model.UserIsTenantAdmin || model.UserIsSPOAdmin)
                            await LoadThemesFromTenant(model, tokenId, graphAccessToken);

                        LoadPackageDataIntoModel(packageId, model);
                        throw new ApplicationException("Invalid request, the current tenant is not allowed to use this solution!");

            return(View("Provision", model));
        public async Task <ActionResult> Provision(ProvisioningActionModel model)
            if (model != null && ModelState.IsValid)
                if (!String.IsNullOrEmpty(model.MetadataPropertiesJson))
                    model.MetadataProperties = JsonConvert.DeserializeObject <Dictionary <String, MetadataProperty> >(model.MetadataPropertiesJson);

                // If there is an input file for the logo
                if (Request.Files != null && Request.Files.Count > 0 && Request.Files[0].ContentLength > 0)
                    // Generate a random file name
                    model.CustomLogo = $"{Guid.NewGuid()}-{Request.Files[0].FileName}";

                    // Get a reference to the blob storage account
                    var blobLogosConnectionString = ConfigurationManager.AppSettings["BlobLogosProvider:ConnectionString"];
                    var blobLogosContainerName    = ConfigurationManager.AppSettings["BlobLogosProvider:ContainerName"];

                    CloudStorageAccount csaLogos;
                    if (!CloudStorageAccount.TryParse(blobLogosConnectionString, out csaLogos))
                        throw new ArgumentException("Cannot create cloud storage account from given connection string.");

                    CloudBlobClient    blobLogosClient = csaLogos.CreateCloudBlobClient();
                    CloudBlobContainer containerLogos  = blobLogosClient.GetContainerReference(blobLogosContainerName);

                    // Store the file in the blob storage
                    CloudBlockBlob blobLogo = containerLogos.GetBlockBlobReference(model.CustomLogo);
                    await blobLogo.UploadFromStreamAsync(Request.Files[0].InputStream);

                // Get a reference to the blob storage queue
                CloudStorageAccount storageAccount = CloudStorageAccount.Parse(

                // Get queue... create if does not exist.
                CloudQueueClient queueClient = storageAccount.CreateCloudQueueClient();
                CloudQueue       queue       = queueClient.GetQueueReference(

                // add message to the queue
                queue.AddMessage(new CloudQueueMessage(JsonConvert.SerializeObject(model)));

            // Get the service description content
            var context     = GetDataContext();
            var contentPage = context.ContentPages.FirstOrDefault(cp => cp.Id == "system/pages/");

            if (contentPage != null)
                model.ProvisionDescription = contentPage.Content;

            return(View("ProvisionQueued", model));
        private static void CleanupCurrentActionItem(ProvisioningActionModel action, ProvisioningAppDBContext dbContext)
            // Check if there is the action item for the current action
            var existingItem = dbContext.ProvisioningActionItems.FirstOrDefault(i => i.Id == action.CorrelationId);

            // And in case it does exist and it is not failed
            if (existingItem != null && !existingItem.FailedOn.HasValue)
                // Delete it
        public static async Task EnqueueProvisioningRequest(ProvisioningActionModel model, String logoFileName = null, Stream logoFile = null)
            if (!String.IsNullOrEmpty(model.MetadataPropertiesJson))
                model.MetadataProperties = JsonConvert.DeserializeObject <Dictionary <String, MetadataProperty> >(model.MetadataPropertiesJson);

            // If there is an input file for the logo
            if (logoFile != null)
                // Generate a random file name
                model.CustomLogo = $"{Guid.NewGuid()}-{logoFileName}";

                // Get a reference to the blob storage account
                var blobLogosConnectionString = ConfigurationManager.AppSettings["BlobLogosProvider:ConnectionString"];
                var blobLogosContainerName    = ConfigurationManager.AppSettings["BlobLogosProvider:ContainerName"];

                CloudStorageAccount csaLogos;
                if (!CloudStorageAccount.TryParse(blobLogosConnectionString, out csaLogos))
                    throw new ArgumentException("Cannot create cloud storage account from given connection string.");

                CloudBlobClient    blobLogosClient = csaLogos.CreateCloudBlobClient();
                CloudBlobContainer containerLogos  = blobLogosClient.GetContainerReference(blobLogosContainerName);

                // Store the file in the blob storage
                CloudBlockBlob blobLogo = containerLogos.GetBlockBlobReference(model.CustomLogo);
                await blobLogo.UploadFromStreamAsync(logoFile);

            var queueTarget = CloudConfigurationManager.GetSetting("SPPA:QueueTarget")?.ToUpper() ?? "BLOB";

            switch (queueTarget)
            case "SERVICEBUS":
                var sbConnectionString = CloudConfigurationManager.GetSetting("SPPA:ServiceBusConnectionString");
                var sbQueueName        = CloudConfigurationManager.GetSetting("SPPA:ServiceBusQueueName");
                await ServiceBusQueueUtility.EnqueueMessageAsync(sbConnectionString, sbQueueName, model);


            case "BLOB":
                var blobConnectionString = CloudConfigurationManager.GetSetting("SPPA:StorageConnectionString");
                var blobQueueName        = CloudConfigurationManager.GetSetting("SPPA:StorageQueueName");
                await BlobStorageQueueUtility.EnqueueMessageAsync(blobConnectionString, blobQueueName, model);

        private static void MarkCurrentActionItemAsFailed(ProvisioningActionModel action, ProvisioningAppDBContext dbContext)
            // Check if there is the action item for the current action
            var existingItem = dbContext.ProvisioningActionItems.FirstOrDefault(i => i.Id == action.CorrelationId);

            // And in case it does exist
            if (existingItem != null)
                // Set the failure date and time
                existingItem.FailedOn = DateTime.Now;

                // Update the persistence storage
        private static Boolean CheckIfActionIsAlreadyRunning(ProvisioningActionModel action, ProvisioningAppDBContext dbContext)
            var result = false;

            var tenantId  = Guid.Parse(action.TenantId);
            var packageId = Guid.Parse(action.PackageId);

            // Check if there is already a pending action item with the same settings and not yet expired
            var alreadyExistingItems = from i in dbContext.ProvisioningActionItems
                                       where i.TenantId == tenantId && i.PackageId == packageId &&
                                       i.ExpiresOn > DateTime.Now &&
                                       i.FailedOn == null
                                       select i;

            // Prepare the action properties as JSON
            var currentActionProperties = action.PackageProperties != null?JsonConvert.SerializeObject(action.PackageProperties) : null;

            // Verify if the same package, with the same properties is already running in the same tenant
            foreach (var item in alreadyExistingItems)
                if (item.PackageProperties == currentActionProperties)
                    result = true;

            if (!result)
                // Add a ProvisioningActionItem record for tracking purposes
                dbContext.ProvisioningActionItems.Add(new ProvisioningActionItem
                    Id                = action.CorrelationId,
                    PackageId         = packageId,
                    TenantId          = tenantId,
                    PackageProperties = action.PackageProperties != null ? JsonConvert.SerializeObject(action.PackageProperties) : null,
                    CreatedOn         = DateTime.Now,
                    ExpiresOn         = DateTime.Now.AddHours(2),

        private static void LogSourceTrackingProvisionedSites(ProvisioningActionModel action, string spoAccessToken, AuthenticationManager authManager, List <Tuple <string, string> > provisionedSites)
            // Log source tracking (2 = Provisioned) for every provisioned site
            foreach (var provisionedSite in provisionedSites)
                // Get the provisioned site URL
                var provisionedSiteUrl = provisionedSite.Item2;

                // Connect to the provisioned site
                using (var provisionedSiteContext = authManager.GetAzureADAccessTokenAuthenticatedContext(provisionedSiteUrl, spoAccessToken))
                    // Retrieve the Site ID
                    var provisionedSiteId = provisionedSiteContext.Site.EnsureProperty(s => s.Id);

                    // Log the source tracking event
                    LogSourceTracking(action.Source, 2, null, action.PackageId, action.TenantId, provisionedSiteId.ToString());
        /// <summary>
        /// Notifies an exception through the configured webhooks
        /// </summary>
        /// <param name="action">The provisioning action</param>
        /// <param name="ex">The exception that occurred</param>
        private static void ProcessWebhooksExceptionNotification(ProvisioningActionModel action, Exception ex)
            if (action.Webhooks != null && action.Webhooks.Count > 0)
                foreach (var wh in action.Webhooks)
                    var provisioningWebhook = new OfficeDevPnP.Core.Framework.Provisioning.Model.ProvisioningWebhook
                        Kind       = ProvisioningTemplateWebhookKind.ExceptionOccurred,
                        Url        = wh.Url,
                        Method     = (ProvisioningTemplateWebhookMethod)Enum.Parse(typeof(ProvisioningTemplateWebhookMethod), wh.Method.ToString(), true),
                        BodyFormat = ProvisioningTemplateWebhookBodyFormat.Json, // force JSON format
                        Async      = false,                                      // force sync webhooks
                        Parameters = wh.Parameters,

                    var httpClient = new HttpClient();

                    WebhookSender.InvokeWebhook(provisioningWebhook, httpClient,
                                                exception: ex);
        private static async Task <Dictionary <string, string> > PrepareAccessTokensAsync(ProvisioningActionModel model)
            // Prepare the variable to hold the result
            var accessTokens = new Dictionary <string, string>();

            // Retrieve the Microsoft Graph Access Token
            var graphAccessToken = await ProvisioningAppManager.AccessTokenProvider.GetAccessTokenAsync(

            // Retrieve the SPO Access Token
            var spoAccessToken = await ProvisioningAppManager.AccessTokenProvider.GetAccessTokenAsync(

            // Retrieve the SPO URL for the Admin Site
            var adminSiteUrl = model.SPORootSiteUrl.Replace("", "");

            // Retrieve the SPO Access Token
            var spoAdminAccessToken = await ProvisioningAppManager.AccessTokenProvider.GetAccessTokenAsync(

            // Configure the resulting dictionary
            accessTokens.Add(new Uri(AuthenticationConfig.GraphBaseUrl).Authority, graphAccessToken);
            accessTokens.Add(new Uri(model.SPORootSiteUrl).Authority, spoAccessToken);
            accessTokens.Add(new Uri(adminSiteUrl).Authority, spoAdminAccessToken);

        private void LoadPackageDataIntoModel(string packageId, ProvisioningActionModel model)
            var context = GetDataContext();

            DomainModel.Package package = null;

            // Get the package
            if (Boolean.Parse(ConfigurationManager.AppSettings["TestEnvironment"]))
                // Process all packages in the test environment
                package = context.Packages.FirstOrDefault(p => p.Id == new Guid(packageId));
                // Process not-preview packages in the production environment
                package = context.Packages.FirstOrDefault(p => p.Id == new Guid(packageId) && p.Preview == false);

            if (package != null)
                if ((package.PackageType == PackageType.Tenant &&
                     !this.Request.Url.AbsolutePath.Contains("/tenant/")) ||
                    (package.PackageType == PackageType.SiteCollection &&
                    throw new ApplicationException("Invalid request, the requested package/template is not valid for the current request!");

                model.DisplayName = package.DisplayName;
                model.ActionType  = package.PackageType == PackageType.SiteCollection ? ActionType.Site : ActionType.Tenant;

                // Configure content for instructions
                model.Instructions = package.Instructions;

                // If we don't have specific instructions
                if (model.Instructions == null)
                    // Get the default instructions
                    var instructionsPage = context.ContentPages.FirstOrDefault(cp => cp.Id == "system/pages/");

                    if (instructionsPage != null)
                        model.Instructions = instructionsPage.Content;

                // Configure content for provisioning recap
                model.ProvisionRecap = package.ProvisionRecap;

                // If we don't have specific provisioning recap
                if (String.IsNullOrEmpty(model.ProvisionRecap))
                    // Get the default provisioning recap
                    var provisionRecapPage = context.ContentPages.FirstOrDefault(cp => cp.Id == "system/pages/");

                    if (provisionRecapPage != null)
                        model.ProvisionRecap = provisionRecapPage.Content;

                // Retrieve parameters from the package/template definition
                var packageFileUrl     = new Uri(package.PackageUrl);
                var packageLocalFolder = packageFileUrl.AbsolutePath.Substring(1,
                                                                               packageFileUrl.AbsolutePath.LastIndexOf('/') - 1);
                var packageFileName = packageFileUrl.AbsolutePath.Substring(packageLocalFolder.Length + 2);

                ProvisioningHierarchy hierarchy = GetHierarchyFromStorage(packageLocalFolder, packageFileName);

                // If we have the hierarchy and its parameters
                if (hierarchy != null && hierarchy.Parameters != null)
                    // Use them
                    model.PackageProperties = hierarchy.Parameters;
                    // Otherwise, use an empty list of parameters
                    model.PackageProperties = new Dictionary <string, string>();

                // Configure the metadata properties
                var metadata = new
                    properties = new[] {
                        new {
                            name           = "",
                            caption        = "",
                            description    = "",
                            editor         = "",
                            editorSettings = "",

                var metadataProperties = JsonConvert.DeserializeAnonymousType(package.PropertiesMetadata, metadata);
                model.MetadataProperties =
                    i =>,
                    i => new MetadataProperty
                    Name           =,
                    Caption        = i.caption,
                    Description    = i.description,
                    Editor         = i.editor,
                    EditorSettings = i.editorSettings

                model.MetadataPropertiesJson = JsonConvert.SerializeObject(model.MetadataProperties);

                // Get the service description content
                var contentPage = context.ContentPages.FirstOrDefault(cp => cp.Id == "system/pages/");

                if (contentPage != null)
                    model.ProvisionDescription = contentPage.Content;

                // Get the pre-reqs Header content
                var preReqsHeaderPage = context.ContentPages.FirstOrDefault(cp => cp.Id == "system/pages/");
                if (preReqsHeaderPage != null)
                    model.MissingPreReqsHeader = preReqsHeaderPage.Content;

                // Get the pre-reqs Footer content
                var preReqsFooterPage = context.ContentPages.FirstOrDefault(cp => cp.Id == "system/pages/");
                if (preReqsFooterPage != null)
                    model.MissingPreReqsFooter = preReqsFooterPage.Content;
                throw new ApplicationException("Invalid request, the requested package/template is not available!");
        public static async Task RunAsync([QueueTrigger("actions")] ProvisioningActionModel action, TextWriter log)
            var startProvisioning = DateTime.Now;

            String provisioningEnvironment = ConfigurationManager.AppSettings["SPPA:ProvisioningEnvironment"];

            log.WriteLine($"Processing queue trigger function for tenant {action.TenantId}");
            log.WriteLine($"PnP Correlation ID: {action.CorrelationId.ToString()}");

            // Instantiate and use the telemetry model
            TelemetryUtility telemetry = new TelemetryUtility((s) => {
            Dictionary <string, string> telemetryProperties = new Dictionary <string, string>();

            // Configure telemetry properties
            // telemetryProperties.Add("UserPrincipalName", action.UserPrincipalName);
            telemetryProperties.Add("TenantId", action.TenantId);
            telemetryProperties.Add("PnPCorrelationId", action.CorrelationId.ToString());
            telemetryProperties.Add("TargetSiteAlreadyExists", action.TargetSiteAlreadyExists.ToString());
            telemetryProperties.Add("TargetSiteBaseTemplateId", action.TargetSiteBaseTemplateId);

            // Get a reference to the data context
            ProvisioningAppDBContext dbContext = new ProvisioningAppDBContext();

                // Log telemetry event

                if (CheckIfActionIsAlreadyRunning(action, dbContext))
                    throw new ConcurrentProvisioningException("The requested package is currently provisioning in the selected target tenant and cannot be applied in parallel. Please wait for the previous provisioning action to complete.");

                var tokenId = $"{action.TenantId}-{action.UserPrincipalName.ToLower().GetHashCode()}-{action.ActionType.ToString().ToLower()}-{provisioningEnvironment}";

                // Retrieve the SPO target tenant via Microsoft Graph
                var graphAccessToken = await ProvisioningAppManager.AccessTokenProvider.GetAccessTokenAsync(
                    tokenId, "",

                log.WriteLine($"Retrieved target Microsoft Graph Access Token.");

                if (!String.IsNullOrEmpty(graphAccessToken))
                    #region Get current context data (User, SPO Tenant, SPO Access Token)

                    // Get the currently connected user name and email (UPN)
                    var jwtAccessToken = new System.IdentityModel.Tokens.Jwt.JwtSecurityToken(graphAccessToken);

                    String delegatedUPN = String.Empty;
                    var    upnClaim     = jwtAccessToken.Claims.FirstOrDefault(c => c.Type == "upn");
                    if (upnClaim != null && !String.IsNullOrEmpty(upnClaim.Value))
                        delegatedUPN = upnClaim.Value;

                    String delegatedUserName = String.Empty;
                    var    nameClaim         = jwtAccessToken.Claims.FirstOrDefault(c => c.Type == "name");
                    if (nameClaim != null && !String.IsNullOrEmpty(nameClaim.Value))
                        delegatedUserName = nameClaim.Value;

                    // Determine the URL of the root SPO site for the current tenant
                    var            rootSiteJson = HttpHelper.MakeGetRequestForString("", graphAccessToken);
                    SharePointSite rootSite     = JsonConvert.DeserializeObject <SharePointSite>(rootSiteJson);

                    String spoTenant = rootSite.WebUrl;

                    log.WriteLine($"Target SharePoint Online Tenant: {spoTenant}");

                    // Configure telemetry properties
                    telemetryProperties.Add("SPOTenant", spoTenant);

                    // Retrieve the SPO Access Token
                    var spoAccessToken = await ProvisioningAppManager.AccessTokenProvider.GetAccessTokenAsync(
                        tokenId, rootSite.WebUrl,

                    log.WriteLine($"Retrieved target SharePoint Online Access Token.");


                    // Connect to SPO, create and provision site
                    AuthenticationManager authManager = new AuthenticationManager();
                    using (ClientContext context = authManager.GetAzureADAccessTokenAuthenticatedContext(spoTenant, spoAccessToken))
                        // Telemetry and startup
                        var web = context.Web;
                        context.ClientTag = $"SPDev:ProvisioningPortal-{provisioningEnvironment}";
                        context.Load(web, w => w.Title, w => w.Id);
                        await context.ExecuteQueryAsync();

                        // Save the current SPO Correlation ID
                        telemetryProperties.Add("SPOCorrelationId", context.TraceCorrelationId);

                        log.WriteLine($"SharePoint Online Root Site Collection title: {web.Title}");

                        #region Store the main site URL in KeyVault

                        // Store the main site URL in the vault
                        var vault = ProvisioningAppManager.SecurityTokensServiceProvider;

                        // Read any existing properties for the current tenantId
                        var properties = await vault.GetAsync(tokenId);

                        if (properties == null)
                            // If there are no properties, create a new dictionary
                            properties = new Dictionary <String, String>();

                        // Set/Update the RefreshToken value
                        properties["SPORootSite"] = spoTenant;

                        // Add or Update the Key Vault accordingly
                        await vault.AddOrUpdateAsync(tokenId, properties);


                        #region Provision the package

                        var package = dbContext.Packages.FirstOrDefault(p => p.Id == new Guid(action.PackageId));

                        if (package != null)
                            // Update the Popularity of the package

                            #region Get the Provisioning Hierarchy file

                            // Determine reference path variables
                            var blobConnectionString = ConfigurationManager.AppSettings["BlobTemplatesProvider:ConnectionString"];
                            var blobContainerName    = ConfigurationManager.AppSettings["BlobTemplatesProvider:ContainerName"];

                            var packageFileName           = package.PackageUrl.Substring(package.PackageUrl.LastIndexOf('/') + 1);
                            var packageFileUri            = new Uri(package.PackageUrl);
                            var packageFileRelativePath   = packageFileUri.AbsolutePath.Substring(2 + blobContainerName.Length);
                            var packageFileRelativeFolder = packageFileRelativePath.Substring(0, packageFileRelativePath.LastIndexOf('/'));

                            // Configure telemetry properties
                            telemetryProperties.Add("PackageFileName", packageFileName);
                            telemetryProperties.Add("PackageFileUri", packageFileUri.ToString());

                            // Read the main provisioning file from the Blob Storage
                            CloudStorageAccount csa;
                            if (!CloudStorageAccount.TryParse(blobConnectionString, out csa))
                                throw new ArgumentException("Cannot create cloud storage account from given connection string.");

                            CloudBlobClient    blobClient    = csa.CreateCloudBlobClient();
                            CloudBlobContainer blobContainer = blobClient.GetContainerReference(blobContainerName);

                            var blockBlob = blobContainer.GetBlockBlobReference(packageFileRelativePath);

                            // Crate an in-memory copy of the source stream
                            MemoryStream mem = new MemoryStream();
                            await blockBlob.DownloadToStreamAsync(mem);

                            mem.Position = 0;

                            // Prepare the output hierarchy
                            ProvisioningHierarchy hierarchy = null;

                            if (packageFileName.EndsWith(".xml", StringComparison.InvariantCultureIgnoreCase))
                                // That's an XML Provisioning Template file

                                XDocument xml = XDocument.Load(mem);
                                mem.Position = 0;

                                // Deserialize the stream into a provisioning hierarchy reading any
                                // dependecy with the Azure Blob Storage connector
                                var formatter           = XMLPnPSchemaFormatter.GetSpecificFormatter(xml.Root.Name.NamespaceName);
                                var templateLocalFolder = $"{blobContainerName}/{packageFileRelativeFolder}";

                                var provider = new XMLAzureStorageTemplateProvider(

                                // Get the full hierarchy
                                hierarchy           = ((IProvisioningHierarchyFormatter)formatter).ToProvisioningHierarchy(mem);
                                hierarchy.Connector = provider.Connector;
                            else if (packageFileName.EndsWith(".pnp", StringComparison.InvariantCultureIgnoreCase))
                                // That's a PnP Package file

                                // Get a provider based on the in-memory .PNP Open XML file
                                OpenXMLConnector    openXmlConnector = new OpenXMLConnector(mem);
                                XMLTemplateProvider provider         = new XMLOpenXMLTemplateProvider(

                                // Get the .xml provisioning template file name
                                var xmlTemplateFileName = openXmlConnector.Info?.Properties?.TemplateFileName ??
                                                          packageFileName.Substring(packageFileName.LastIndexOf('/') + 1)
                                                          .ToLower().Replace(".pnp", ".xml");

                                // Get the full hierarchy
                                hierarchy           = provider.GetHierarchy(xmlTemplateFileName);
                                hierarchy.Connector = provider.Connector;


                            #region Apply the template

                            // Prepare variable to collect provisioned sites
                            var provisionedSites = new List <Tuple <String, String> >();

                            // If we have a hierarchy with at least one Sequence
                            if (hierarchy != null) // && hierarchy.Sequences != null && hierarchy.Sequences.Count > 0)
                                Console.WriteLine($"Provisioning hierarchy \"{hierarchy.DisplayName}\"");

                                var tenantUrl = UrlUtilities.GetTenantAdministrationUrl(context.Url);

                                // Retrieve the SPO Access Token
                                var spoAdminAccessToken = await ProvisioningAppManager.AccessTokenProvider.GetAccessTokenAsync(
                                    tokenId, tenantUrl,

                                log.WriteLine($"Retrieved target SharePoint Online Admin Center Access Token.");

                                using (var tenantContext = authManager.GetAzureADAccessTokenAuthenticatedContext(tenantUrl, spoAdminAccessToken))
                                    using (var pnpTenantContext = PnPClientContext.ConvertFrom(tenantContext))
                                        var tenant = new Microsoft.Online.SharePoint.TenantAdministration.Tenant(pnpTenantContext);

                                        // Prepare a dictionary to hold the access tokens
                                        var accessTokens = new Dictionary <String, String>();

                                        // Prepare logging for hierarchy application
                                        var ptai = new ProvisioningTemplateApplyingInformation();
                                        ptai.MessagesDelegate += delegate(string message, ProvisioningMessageType messageType)
                                            log.WriteLine($"{messageType} - {message}");
                                        ptai.ProgressDelegate += delegate(string message, int step, int total)
                                            log.WriteLine($"{step:00}/{total:00} - {message}");
                                        ptai.SiteProvisionedDelegate += delegate(string title, string url)
                                            log.WriteLine($"Fully provisioned site '{title}' with URL: {url}");
                                            var provisionedSite = new Tuple <string, string>(title, url);
                                            if (!provisionedSites.Contains(provisionedSite))

//#if !DEBUG
//                                        // Set the default delay for sites creations to 5 mins
//                                        ptai.DelayAfterModernSiteCreation = 60 * 5;

                                        // Configure the OAuth Access Tokens for the client context
                                        accessTokens.Add(new Uri(tenantUrl).Authority, spoAdminAccessToken);
                                        accessTokens.Add(new Uri(spoTenant).Authority, spoAccessToken);

                                        // Configure the OAuth Access Tokens for the PnPClientContext, too
                                        pnpTenantContext.PropertyBag["AccessTokens"] = accessTokens;
                                        ptai.AccessTokens = accessTokens;

                                        #region Theme handling

                                        // Process the graphical Theme
                                        if (action.ApplyTheme)
                                            // If we don't have any custom Theme
                                            if (!action.ApplyCustomTheme)
                                                // Associate the selected already existing Theme to all the sites of the hierarchy
                                                foreach (var sc in hierarchy.Sequences[0].SiteCollections)
                                                    sc.Theme = action.SelectedTheme;
                                                    foreach (var s in sc.Sites)
                                                        UpdateChildrenSitesTheme(s, action.SelectedTheme);


                                        // Configure provisioning parameters
                                        if (action.PackageProperties != null)
                                            foreach (var key in action.PackageProperties.Keys)
                                                if (hierarchy.Parameters.ContainsKey(key.ToString()))
                                                    hierarchy.Parameters[key.ToString()] = action.PackageProperties[key].ToString();
                                                    hierarchy.Parameters.Add(key.ToString(), action.PackageProperties[key].ToString());

                                                // Configure telemetry properties
                                                telemetryProperties.Add($"PackageProperty.{key}", action.PackageProperties[key].ToString());

                                        // Log telemetry event
                                        telemetry?.LogEvent("ProvisioningFunction.BeginProvisioning", telemetryProperties);

                                        // Define a PnPProvisioningContext scope to share the security context across calls
                                        using (var pnpProvisioningContext = new PnPProvisioningContext(async(r, s) =>
                                            if (accessTokens.ContainsKey(r))
                                                // In this scenario we just use the dictionary of access tokens
                                                // in fact the overall operation for sure will take less than 1 hour
                                                return(await Task.FromResult(accessTokens[r]));
                                                // Try to get a fresh new Access Token
                                                var token = await ProvisioningAppManager.AccessTokenProvider.GetAccessTokenAsync(
                                                    tokenId, $"https://{r}",

                                                accessTokens.Add(r, token);

                                            // Configure the webhooks, if any
                                            if (action.Webhooks != null && action.Webhooks.Count > 0)
                                                foreach (var t in hierarchy.Templates)
                                                    foreach (var wh in action.Webhooks)
                                                        AddProvisioningTemplateWebhook(t, wh, ProvisioningTemplateWebhookKind.ProvisioningTemplateStarted);
                                                        AddProvisioningTemplateWebhook(t, wh, ProvisioningTemplateWebhookKind.ObjectHandlerProvisioningStarted);
                                                        AddProvisioningTemplateWebhook(t, wh, ProvisioningTemplateWebhookKind.ObjectHandlerProvisioningCompleted);
                                                        AddProvisioningTemplateWebhook(t, wh, ProvisioningTemplateWebhookKind.ProvisioningTemplateCompleted);
                                                        AddProvisioningTemplateWebhook(t, wh, ProvisioningTemplateWebhookKind.ExceptionOccurred);

                                                foreach (var wh in action.Webhooks)
                                                    AddProvisioningWebhook(hierarchy, wh, ProvisioningTemplateWebhookKind.ProvisioningStarted);
                                                    AddProvisioningWebhook(hierarchy, wh, ProvisioningTemplateWebhookKind.ProvisioningCompleted);
                                                    AddProvisioningWebhook(hierarchy, wh, ProvisioningTemplateWebhookKind.ProvisioningExceptionOccurred);

                                            // Apply the hierarchy
                                            log.WriteLine($"Hierarchy Provisioning Started: {}");
                                                                           (hierarchy.Sequences != null && hierarchy.Sequences.Count > 0) ?
                                                                           hierarchy.Sequences[0].ID : null,
                                            log.WriteLine($"Hierarchy Provisioning Completed: {}");

                                        if (action.ApplyTheme && action.ApplyCustomTheme)
                                            if (!String.IsNullOrEmpty(action.ThemePrimaryColor) &&
                                                !String.IsNullOrEmpty(action.ThemeBodyTextColor) &&
                                                log.WriteLine($"Applying custom Theme to provisioned sites");

                                                #region Palette generation for Theme

                                                var jsonPalette = ThemeUtility.GetThemeAsJSON(


                                                // Apply the custom theme to all of the provisioned sites
                                                foreach (var ps in provisionedSites)
                                                    using (var provisionedSiteContext = authManager.GetAzureADAccessTokenAuthenticatedContext(ps.Item2, spoAccessToken))
                                                        if (provisionedSiteContext.Web.ApplyTheme(jsonPalette))
                                                            log.WriteLine($"Custom Theme applied on site '{ps.Item1}' with URL: {ps.Item2}");
                                                            log.WriteLine($"Failed to apply custom Theme on site '{ps.Item1}' with URL: {ps.Item2}");

                                        // Log telemetry event
                                        telemetry?.LogEvent("ProvisioningFunction.EndProvisioning", telemetryProperties);

                                        // Notify user about the provisioning outcome
                                        if (!String.IsNullOrEmpty(action.NotificationEmail))
                                            var appOnlyAccessToken = await ProvisioningAppManager.AccessTokenProvider.GetAppOnlyAccessTokenAsync(

                                                TemplateName     = action.DisplayName,
                                                ProvisionedSites = provisionedSites,

                                        // Log reporting event (1 = Success)
                                        LogReporting(action, provisioningEnvironment, startProvisioning, package, 1);
                                throw new ApplicationException($"The requested package does not contain a valid PnP Hierarchy!");

                            throw new ApplicationException($"Cannot find the package with ID: {action.PackageId}");


                        #region Process any children items

                        // If there are children items
                        if (action.ChildrenItems != null && action.ChildrenItems.Count > 0)
                            // Prepare any further child provisioning request
                            action.PackageId         = action.ChildrenItems[0].PackageId;
                            action.PackageProperties = action.ChildrenItems[0].Parameters;

                            // Enqueue any further child provisioning request
                            await ProvisioningAppManager.EnqueueProvisioningRequest(action);


                        log.WriteLine($"Function successfully executed!");
                        // Log telemetry event
                        telemetry?.LogEvent("ProvisioningFunction.End", telemetryProperties);
                    var noTokensErrorMessage = $"Cannot retrieve Refresh Token or Access Token for {action.CorrelationId} in tenant {action.TenantId}!";
                    throw new ApplicationException(noTokensErrorMessage);
            catch (Exception ex)
                // Skip logging exception for Recycled Site
                if (ex is RecycledSiteException)
                    // rather log an event
                    telemetry?.LogEvent("ProvisioningFunction.RecycledSite", telemetryProperties);

                    // Log reporting event (3 = RecycledSite)
                    LogReporting(action, provisioningEnvironment, startProvisioning, null, 3, ex.ToDetailedString());
                // Skip logging exception for Concurrent Provisioning
                else if (ex is ConcurrentProvisioningException)
                    // rather log an event
                    telemetry?.LogEvent("ProvisioningFunction.ConcurrentProvisioning", telemetryProperties);

                    // Log reporting event (4 = ConcurrentProvisioningException)
                    LogReporting(action, provisioningEnvironment, startProvisioning, null, 4, ex.ToDetailedString());
                    // Log telemetry event
                    telemetry?.LogException(ex, "ProvisioningFunction.RunAsync", telemetryProperties);

                    // Log reporting event (2 = Failed)
                    LogReporting(action, provisioningEnvironment, startProvisioning, null, 2, ex.ToDetailedString());

                if (!String.IsNullOrEmpty(action.NotificationEmail))
                    var appOnlyAccessToken = await ProvisioningAppManager.AccessTokenProvider.GetAppOnlyAccessTokenAsync(

                    // Notify user about the provisioning outcome
                        TemplateName     = action.DisplayName,
                        ExceptionDetails = SimplifyException(ex),
                        PnPCorrelationId = action.CorrelationId.ToString(),

                ProcessWebhooksExceptionNotification(action, ex);

                // Track the failure in the local action log
                MarkCurrentActionItemAsFailed(action, dbContext);

                throw ex;
                // Try to cleanup the pending action item, if any
                CleanupCurrentActionItem(action, dbContext);

        private static void GetProvisionTextMessages(SharePointPnP.ProvisioningApp.DomainModel.Package package, ProvisioningActionModel model)
            var settings = Newtonsoft.Json.JsonConvert.DeserializeObject <SharePointPnP.ProvisioningApp.DomainModel.TemplateSettingsMetadata>(package.PropertiesMetadata);

            if (settings?.displayInfo?.provisionMessages != null)
                model.ProvisionPageTitle    = settings.displayInfo.provisionMessages.provisionPageTitle;
                model.ProvisionPageSubTitle = settings.displayInfo.provisionMessages.provisionPageSubTitle;
                model.ProvisionPageText     = settings.displayInfo.provisionMessages.provisionPageText;
        public async Task <ProvisionContentPackResponse> ProvisionContentPack(ProvisionContentPackRequest provisionRequest)
            var provisionResponse = new ProvisionContentPackResponse();

            // If the input paramenters are missing, raise a BadRequest response
            if (provisionRequest == null)

            // If the TenantId input argument is missing, raise a BadRequest response
            if (String.IsNullOrEmpty(provisionRequest.TenantId))

            // If the UserPrincipalName input argument is missing, raise a BadRequest response
            if (String.IsNullOrEmpty(provisionRequest.UserPrincipalName))

            // If the PackageIds input argument is missing, raise a BadRequest response
            if (provisionRequest.Packages == null || provisionRequest.Packages.Count == 0)

            if (provisionRequest != null &&
                !String.IsNullOrEmpty(provisionRequest.TenantId) &&
                !String.IsNullOrEmpty(provisionRequest.UserPrincipalName) &&
                provisionRequest.Packages != null &&
                provisionRequest.Packages.Count > 0)
                    // Process the AuthorizationCode request
                    String provisioningScope       = ConfigurationManager.AppSettings["SPPA:ProvisioningScope"];
                    String provisioningEnvironment = ConfigurationManager.AppSettings["SPPA:ProvisioningEnvironment"];

                    var tokenId = $"{provisionRequest.TenantId}-{provisionRequest.UserPrincipalName.ToLower().GetHashCode()}-{provisioningScope}-{provisioningEnvironment}";

                        // Retrieve the refresh token and store it in the KeyVault
                        await ProvisioningAppManager.AccessTokenProvider.SetupSecurityFromAuthorizationCodeAsync(
                    catch (Exception ex)
                        // In case of any authorization exception, raise an Unauthorized exception

                    // Validate the Package IDs
                    var context = dbContext;
                    DomainModel.Package package = null;

                    // Get the first item to provision
                    var item = provisionRequest.Packages.First();

                    // And remove it from the whole list of items
                    var childrenItems = provisionRequest.Packages;

                    // Get the package
                    if (ProvisioningAppManager.IsTestingEnvironment)
                        // Process all packages in the test environment
                        package = context.Packages.FirstOrDefault(p => p.Id == new Guid(item.PackageId));
                        // Process not-preview packages in the production environment
                        package = context.Packages.FirstOrDefault(p => p.Id == new Guid(item.PackageId) && p.Preview == false);

                    // If the package is not valid
                    if (package == null)
                        // Throw an exception accordingly
                        throw new ArgumentException("Invalid Package Id!");

                    // First of all, validate the provisioning request for pre-requirements
                    provisionResponse.CanProvisionResult = await CanProvisionInternal(
                        new CanProvisionModel
                        PackageId         = item.PackageId,
                        TenantId          = provisionRequest.TenantId,
                        UserPrincipalName = provisionRequest.UserPrincipalName,
                        SPORootSiteUrl    = provisionRequest.SPORootSiteUrl,
                        UserIsSPOAdmin    = true,  // We assume that the request comes from an Admin
                        UserIsTenantAdmin = true,  // We assume that the request comes from an Admin

                    // If the package can be provisioned onto the target
                    if (provisionResponse.CanProvisionResult.CanProvision)
                        // Prepare the provisioning request
                        var request = new ProvisioningActionModel();
                        request.ActionType               = ActionType.Tenant; // Do we want to support site/tenant or just one?
                        request.ApplyCustomTheme         = false;
                        request.ApplyTheme               = false;             // Do we need to apply any special theme?
                        request.CorrelationId            = Guid.NewGuid();
                        request.CustomLogo               = null;
                        request.DisplayName              = $"Provision Content Pack {item.PackageId}";
                        request.PackageId                = item.PackageId;
                        request.TargetSiteAlreadyExists  = false; // Do we want to check this?
                        request.TargetSiteBaseTemplateId = null;
                        request.TenantId          = provisionRequest.TenantId;
                        request.UserIsSPOAdmin    = true; // We don't use this in the job
                        request.UserIsTenantAdmin = true; // We don't use this in the job
                        request.UserPrincipalName = provisionRequest.UserPrincipalName.ToLower();
                        request.NotificationEmail = provisionRequest.NotificationEmail;
                        request.PackageProperties = item.Parameters;
                        request.ChildrenItems     = childrenItems;
                        request.Webhooks          = provisionRequest.Webhooks;

                        // Enqueue the provisioning request
                        await ProvisioningAppManager.EnqueueProvisioningRequest(request);

                    // Set the status of the provisioning request
                    provisionResponse.ProvisioningStarted = true;
                catch (HttpResponseException)
                catch (Exception ex)
                    // In case of any other exception, raise an InternalServerError exception

            // Return to the requested URL
        public async Task <ActionResult> Provision(String packageId = null, String returnUrl = null, String source = null)
            if (String.IsNullOrEmpty(packageId))
                throw new ArgumentNullException("packageId");

            if (String.IsNullOrEmpty(source))
                source = "default";

            LogSourceTracking(source, 0, Request.Url.ToString(), packageId); // 0 = PageView

            ProvisioningActionModel model = new ProvisioningActionModel();

                if (IsValidUser())
                    var issuer = (System.Threading.Thread.CurrentPrincipal as System.Security.Claims.ClaimsPrincipal)?.FindFirst("iss");
                    if (issuer != null && !String.IsNullOrEmpty(issuer.Value))
                        var issuerValue = issuer.Value.Substring(0, issuer.Value.Length - 1);
                        var tenantId    = issuerValue.Substring(issuerValue.LastIndexOf("/") + 1);
                        var upn         = (System.Threading.Thread.CurrentPrincipal as System.Security.Claims.ClaimsPrincipal)?.FindFirst(ClaimTypes.Upn)?.Value;

                        if (this.IsAllowedUpnTenant(upn))
                            #region Prepare model generic context data

                            // Prepare the model data
                            model.TenantId          = tenantId;
                            model.UserPrincipalName = upn;
                            model.PackageId         = packageId;
                            model.ApplyTheme        = false;
                            model.ApplyCustomTheme  = false;

                            String provisioningScope       = ConfigurationManager.AppSettings["SPPA:ProvisioningScope"];
                            String provisioningEnvironment = ConfigurationManager.AppSettings["SPPA:ProvisioningEnvironment"];

                            var tokenId          = $"{model.TenantId}-{model.UserPrincipalName.ToLower().GetHashCode()}-{provisioningScope}-{provisioningEnvironment}";
                            var graphAccessToken = await ProvisioningAppManager.AccessTokenProvider.GetAccessTokenAsync(
                                tokenId, "");

                            if (string.IsNullOrEmpty(graphAccessToken))
                                throw new ApplicationException($"Cannot retrieve a valid Access Token for user {model.UserPrincipalName.ToLower()} in tenant {model.TenantId}");

                            model.UserIsTenantAdmin = Utilities.UserIsTenantGlobalAdmin(graphAccessToken);
                            model.UserIsSPOAdmin    = Utilities.UserIsSPOAdmin(graphAccessToken);
                            model.NotificationEmail = upn;

                            model.ReturnUrl = returnUrl;
                            model.Source    = source;


                            // Determine the URL of the root SPO site for the current tenant
                            var            rootSiteJson = HttpHelper.MakeGetRequestForString("", graphAccessToken);
                            SharePointSite rootSite     = JsonConvert.DeserializeObject <SharePointSite>(rootSiteJson);

                            // Store the SPO Root Site URL in the Model
                            model.SPORootSiteUrl = rootSite.WebUrl;

                            // If the current user is an admin, we can get the available Themes
                            if (model.UserIsTenantAdmin || model.UserIsSPOAdmin)
                                await LoadThemesFromTenant(model, tokenId, rootSite, graphAccessToken);

                            LoadPackageDataIntoModel(packageId, model);
                            throw new ApplicationException("Invalid request, the current tenant is not allowed to use this solution!");
            catch (Exception ex)
                throw new Exception(ex.Message);

            return(View("Provision", model));