upbound
diff --git a/‎example/README.md‎
Lines changed: 10 additions & 0 deletions b/‎example/README.md‎
Lines changed: 10 additions & 0 deletions
diff --git a/‎example/envconfig.yaml‎
Lines changed: 2 additions & 0 deletions b/‎example/envconfig.yaml‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎example/service-principal-example-context-ref.yaml‎
Lines changed: 37 additions & 0 deletions b/‎example/service-principal-example-context-ref.yaml‎
Lines changed: 37 additions & 0 deletions
diff --git a/‎example/service-principal-example-status-ref.yaml‎
Lines changed: 30 additions & 0 deletions b/‎example/service-principal-example-status-ref.yaml‎
Lines changed: 30 additions & 0 deletions
diff --git a/‎example/xr.yaml‎
Lines changed: 2 additions & 0 deletions b/‎example/xr.yaml‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎fn.go‎
Lines changed: 24 additions & 1 deletion b/‎fn.go‎
Lines changed: 24 additions & 1 deletion
@@ -95,3 +95,13 @@ Get details of specified service principals:
 ```shell
 crossplane render xr.yaml service-principal-example.yaml functions.yaml --function-credentials=./secrets/azure-creds.yaml -rc
 ```
+
+Dynamic `servicePrinicpalsRef` variations:
+
+```shell
+crossplane render xr.yaml service-principal-example-status-ref.yaml functions.yaml --function-credentials=./secrets/azure-creds.yaml -rc
+```
+
+```shell
+crossplane render xr.yaml service-principal-example-context-ref.yaml functions.yaml --function-credentials=./secrets/azure-creds.yaml -rc --extra-resources=envconfig.yaml
+```
@@ -9,3 +9,5 @@ data:
     - test-fn-msgraph
   users:
     - [email protected]
+  servicePrincipalNames:
+    - yury-upbound-oidc-provider
@@ -0,0 +1,37 @@
+apiVersion: apiextensions.crossplane.io/v1
+kind: Composition
+metadata:
+  name: service-principal-example-context-ref
+spec:
+  compositeTypeRef:
+    apiVersion: example.crossplane.io/v1
+    kind: XR
+  mode: Pipeline
+  pipeline:
+    - step: environmentConfigs
+      functionRef:
+        name: crossplane-contrib-function-environment-configs
+      input:
+        apiVersion: environmentconfigs.fn.crossplane.io/v1beta1
+        kind: Input
+        spec:
+          environmentConfigs:
+            - type: Reference
+              ref:
+                name: example-config
+    - step: get-service-principal-details
+      functionRef:
+        name: function-msgraph
+      input:
+        apiVersion: msgraph.fn.crossplane.io/v1alpha1
+        kind: Input
+        queryType: ServicePrincipalDetails
+        servicePrincipalsRef: context.[apiextensions.crossplane.io/environment].servicePrincipalNames
+        target: "status.servicePrincipals"
+        skipQueryWhenTargetHasData: true
+      credentials:
+        - name: azure-creds
+          source: Secret
+          secretRef:
+            namespace: upbound-system
+            name: azure-account-creds
@@ -0,0 +1,30 @@
+apiVersion: apiextensions.crossplane.io/v1
+kind: Composition
+metadata:
+  name: service-principal-example-status-ref
+  annotations:
+    # Important: This function requires an Azure AD app registration with Microsoft Graph API permissions:
+    # - Application.Read.All
+    # - Directory.Read.All
+spec:
+  compositeTypeRef:
+    apiVersion: example.crossplane.io/v1
+    kind: XR
+  mode: Pipeline
+  pipeline:
+    - step: get-service-principal-details
+      functionRef:
+        name: function-msgraph
+      input:
+        apiVersion: msgraph.fn.crossplane.io/v1alpha1
+        kind: Input
+        queryType: ServicePrincipalDetails
+        servicePrincipalsRef: status.servicePrincipalNames
+        target: "status.servicePrincipals"
+        skipQueryWhenTargetHasData: true
+      credentials:
+        - name: azure-creds
+          source: Secret
+          secretRef:
+            namespace: upbound-system
+            name: azure-account-creds
@@ -11,3 +11,5 @@ status:
     - test-fn-msgraph
   users:
     - [email protected]
+  servicePrincipalNames:
+    - yury-upbound-oidc-provider
@@ -887,7 +887,7 @@ func (f *Function) validateAndPrepareInput(_ context.Context, req *fnv1.RunFunct
 	return true
 }
 
-// processReferences handles resolving references like groupRef, groupsRef, and usersRef
+// processReferences handles resolving references like groupRef, groupsRef, usersRef, and servicePrincipalsRef
 func (f *Function) processReferences(req *fnv1.RunFunctionRequest, in *v1beta1.Input, rsp *fnv1.RunFunctionResponse) bool {
 	// Process references based on query type
 	switch in.QueryType {
@@ -897,6 +897,8 @@ func (f *Function) processReferences(req *fnv1.RunFunctionRequest, in *v1beta1.I
 		return f.processGroupsRef(req, in, rsp)
 	case "UserValidation":
 		return f.processUsersRef(req, in, rsp)
+	case "ServicePrincipalDetails":
+		return f.processServicePrincipalsRef(req, in, rsp)
 	}
 	return true
 }
@@ -949,6 +951,22 @@ func (f *Function) processUsersRef(req *fnv1.RunFunctionRequest, in *v1beta1.Inp
 	return true
 }
 
+// processServicePrincipalsRef handles resolving the servicePrincipalsRef reference for ServicePrincipalDetails query type
+func (f *Function) processServicePrincipalsRef(req *fnv1.RunFunctionRequest, in *v1beta1.Input, rsp *fnv1.RunFunctionResponse) bool {
+	if in.ServicePrincipalsRef == nil || *in.ServicePrincipalsRef == "" {
+		return true
+	}
+
+	spNames, err := f.resolveServicePrincipalsRef(req, in.ServicePrincipalsRef)
+	if err != nil {
+		response.Fatal(rsp, err)
+		return false
+	}
+	in.ServicePrincipals = spNames
+	f.log.Info("Resolved ServicePrincipalsRef to service principals", "spCount", len(spNames), "servicePrincipalsRef", *in.ServicePrincipalsRef)
+	return true
+}
+
 // executeAndProcessQuery executes the query and processes the results
 func (f *Function) executeAndProcessQuery(ctx context.Context, req *fnv1.RunFunctionRequest, in *v1beta1.Input, azureCreds map[string]string, rsp *fnv1.RunFunctionResponse) bool {
 	// Execute the query
@@ -1114,6 +1132,11 @@ func (f *Function) resolveUsersRef(req *fnv1.RunFunctionRequest, usersRef *strin
 	return f.resolveStringArrayRef(req, usersRef, "usersRef")
 }
 
+// resolveServicePrincipalsRef resolves a list of service principal names from a reference in status or context
+func (f *Function) resolveServicePrincipalsRef(req *fnv1.RunFunctionRequest, servicePrincipalsRef *string) ([]*string, error) {
+	return f.resolveStringArrayRef(req, servicePrincipalsRef, "servicePrincipalsRef")
+}
+
 // extractStringArrayFromMap extracts a string array from a map using nested key
 func (f *Function) extractStringArrayFromMap(dataMap map[string]interface{}, field, refKey string) ([]*string, error) {
 	parts, err := ParseNestedKey(field)