auth0
diff --git a/‎src/tools/auth0/handlers/tenant.ts
+67-46 b/‎src/tools/auth0/handlers/tenant.ts
+67-46
diff --git a/‎test/e2e/recordings/should-deploy-directory-(JSON)-config-with-keyword-replacements.json
+1-138 b/‎test/e2e/recordings/should-deploy-directory-(JSON)-config-with-keyword-replacements.json
+1-138
@@ -4,6 +4,7 @@ import DefaultHandler, { order } from './default';
 import { supportedPages, pageNameMap } from './pages';
 import { convertJsonToString } from '../../utils';
 import { Asset, Assets, Language } from '../../../types';
+import log from '../../../logger';
 
 export const schema = {
   type: 'object',
@@ -63,17 +64,15 @@ export default class TenantHandler extends DefaultHandler {
     // Do nothing if not set
     if (!tenant) return;
 
-    const existingTenant = this.existing || (await this.getType());
-
-    const updatedTenant = {
+    const updatedTenant: Partial<Tenant> = {
       ...tenant,
     };
 
     if ('flags' in updatedTenant) {
-      updatedTenant.flags = sanitizeMigrationFlags({
-        existingFlags: existingTenant.flags,
-        proposedFlags: tenant.flags,
-      });
+      updatedTenant.flags = removeUnallowedTenantFlags(tenant.flags);
+      if (Object.keys(updatedTenant.flags).length === 0) {
+        delete updatedTenant.flags;
+      }
     }
 
     if (updatedTenant && Object.keys(updatedTenant).length > 0) {
@@ -84,47 +83,69 @@ export default class TenantHandler extends DefaultHandler {
   }
 }
 
-export const sanitizeMigrationFlags = ({
-  existingFlags = {},
-  proposedFlags = {},
-}: {
-  existingFlags: Tenant['flags'];
-  proposedFlags: Tenant['flags'];
-}): Tenant['flags'] => {
-  /*
-  Tenants can only update migration flags that are already configured.
-  If moving configuration from one tenant to another, there may be instances
-  where different migration flags exist and cause an error on update. This
-  function removes any migration flags that aren't already present on the target
-  tenant. See: https://github.com/auth0/auth0-deploy-cli/issues/374
-  */
-
-  const tenantMigrationFlags = [
-    'disable_clickjack_protection_headers',
-    'enable_mgmt_api_v1',
-    'trust_azure_adfs_email_verified_connection_property',
-    'include_email_in_reset_pwd_redirect',
-    'include_email_in_verify_email_redirect',
-  ];
-
-  return Object.keys(proposedFlags).reduce(
+/*
+ Tenant flags are used to facilitate a number of functionalities, some
+ public, some internal. The subset of flags that are allowed to be updated 
+ in the context of the Deploy CLI is based on wether they're publicly exposed
+ in the Auth0 API docs:
+
+ https://auth0.com/docs/api/management/v2#!/Tenants/patch_settings
+*/
+export const allowedTenantFlags = [
+  'change_pwd_flow_v1',
+  'enable_client_connections',
+  'enable_apis_section',
+  'enable_pipeline2',
+  'enable_dynamic_client_registration',
+  'enable_custom_domain_in_emails',
+  'allow_legacy_tokeninfo_endpoint',
+  'enable_legacy_profile',
+  'enable_idtoken_api2',
+  'enable_public_signup_user_exists_error',
+  'allow_legacy_delegation_grant_types',
+  'allow_legacy_ro_grant_types',
+  'enable_sso',
+  'disable_clickjack_protection_headers',
+  'no_disclose_enterprise_connections',
+  'disable_management_api_sms_obfuscation',
+  'enforce_client_authentication_on_passwordless_start',
+  'trust_azure_adfs_email_verified_connection_property',
+  'enable_adfs_waad_email_verification',
+  'revoke_refresh_token_grant',
+  'dashboard_log_streams_next',
+  'dashboard_insights_view',
+  'disable_fields_map_fix',
+  'require_pushed_authorization_requests',
+  'mfa_show_factor_list_on_enrollment',
+];
+
+export const removeUnallowedTenantFlags = (proposedFlags: Tenant['flags']): Tenant['flags'] => {
+  const removedFlags: string[] = [];
+  const filteredFlags = Object.keys(proposedFlags).reduce(
     (acc: Tenant['flags'], proposedKey: string): Tenant['flags'] => {
-      const isMigrationFlag = tenantMigrationFlags.includes(proposedKey);
-      if (!isMigrationFlag)
-        return {
-          ...acc,
-          [proposedKey]: proposedFlags[proposedKey],
-        };
-
-      const keyCurrentlyExists = existingFlags[proposedKey] !== undefined;
-      if (keyCurrentlyExists)
-        return {
-          ...acc,
-          [proposedKey]: proposedFlags[proposedKey],
-        };
-
-      return acc;
+      const isAllowedFlag = allowedTenantFlags.includes(proposedKey);
+      if (!isAllowedFlag) {
+        removedFlags.push(proposedKey);
+        return acc;
+      }
+      return {
+        ...acc,
+        [proposedKey]: proposedFlags[proposedKey],
+      };
     },
     {}
   );
+
+  if (removedFlags.length > 0) {
+    log.warn(
+      `The following tenant flag${
+        removedFlags.length > 1 ? 's have not been' : ' has not been'
+      } updated because deemed incompatible with the target tenant: ${removedFlags.join(', ')}
+      ${
+        removedFlags.length > 1 ? 'These flags' : 'This flag'
+      } can likely be removed from the tenant definition file. If you believe this removal is an error, please report via a Github issue.`
+    );
+  }
+
+  return filteredFlags;
 };
@@ -1,69 +1,4 @@
 [
-    {
-        "scope": "https://deploy-cli-dev.eu.auth0.com:443",
-        "method": "GET",
-        "path": "/api/v2/tenants/settings",
-        "body": "",
-        "status": 200,
-        "response": {
-            "allowed_logout_urls": [
-                "https://mycompany.org/logoutCallback"
-            ],
-            "change_password": {
-                "enabled": true,
-                "html": "<html>Change Password</html>\n"
-            },
-            "enabled_locales": [
-                "en"
-            ],
-            "error_page": {
-                "html": "<html>Error Page</html>\n",
-                "show_log_link": false,
-                "url": "https://mycompany.org/error"
-            },
-            "flags": {
-                "allow_changing_enable_sso": false,
-                "allow_legacy_delegation_grant_types": true,
-                "allow_legacy_ro_grant_types": true,
-                "change_pwd_flow_v1": false,
-                "disable_impersonation": true,
-                "enable_apis_section": false,
-                "enable_client_connections": false,
-                "enable_custom_domain_in_emails": false,
-                "enable_dynamic_client_registration": false,
-                "enable_legacy_logs_search_v2": false,
-                "enable_public_signup_user_exists_error": true,
-                "enable_sso": true,
-                "new_universal_login_experience_enabled": true,
-                "universal_login": true,
-                "use_scope_descriptions_for_consent": false,
-                "revoke_refresh_token_grant": false,
-                "disable_clickjack_protection_headers": false,
-                "enable_pipeline2": false
-            },
-            "friendly_name": "This is the Travel0 Tenant",
-            "guardian_mfa_page": {
-                "enabled": true,
-                "html": "<html>MFA</html>\n"
-            },
-            "idle_session_lifetime": 1,
-            "picture_url": "https://upload.wikimedia.org/wikipedia/commons/0/0d/Grandmas_marathon_finishers.png",
-            "sandbox_version": "12",
-            "session_lifetime": 3.0166666666666666,
-            "support_email": "[email protected]",
-            "support_url": "https://mycompany.org/support",
-            "universal_login": {},
-            "session_cookie": {
-                "mode": "non-persistent"
-            },
-            "sandbox_versions_available": [
-                "16",
-                "12"
-            ]
-        },
-        "rawHeaders": [],
-        "responseIsBinary": false
-    },
     {
         "scope": "https://deploy-cli-dev.eu.auth0.com:443",
         "method": "PATCH",
@@ -73,9 +8,6 @@
                 "en"
             ],
             "friendly_name": "This is the ##COMPANY_NAME## Tenant",
-            "flags": {
-                "new_universal_login_experience_enabled": true
-            },
             "universal_login": {}
         },
         "status": 200,
@@ -110,7 +42,6 @@
                 "enable_public_signup_user_exists_error": true,
                 "enable_sso": true,
                 "enforce_client_authentication_on_passwordless_start": true,
-                "new_universal_login_experience_enabled": true,
                 "universal_login": true,
                 "use_scope_descriptions_for_consent": false,
                 "revoke_refresh_token_grant": false,
@@ -136,71 +67,6 @@
         "rawHeaders": [],
         "responseIsBinary": false
     },
-    {
-        "scope": "https://deploy-cli-dev.eu.auth0.com:443",
-        "method": "GET",
-        "path": "/api/v2/tenants/settings",
-        "body": "",
-        "status": 200,
-        "response": {
-            "allowed_logout_urls": [
-                "https://mycompany.org/logoutCallback"
-            ],
-            "change_password": {
-                "enabled": true,
-                "html": "<html>Change Password</html>\n"
-            },
-            "enabled_locales": [
-                "en"
-            ],
-            "error_page": {
-                "html": "<html>Error Page</html>\n",
-                "show_log_link": false,
-                "url": "https://mycompany.org/error"
-            },
-            "flags": {
-                "allow_changing_enable_sso": false,
-                "allow_legacy_delegation_grant_types": true,
-                "allow_legacy_ro_grant_types": true,
-                "change_pwd_flow_v1": false,
-                "disable_impersonation": true,
-                "enable_apis_section": false,
-                "enable_client_connections": false,
-                "enable_custom_domain_in_emails": false,
-                "enable_dynamic_client_registration": false,
-                "enable_legacy_logs_search_v2": false,
-                "enable_public_signup_user_exists_error": true,
-                "enable_sso": true,
-                "new_universal_login_experience_enabled": true,
-                "universal_login": true,
-                "use_scope_descriptions_for_consent": false,
-                "revoke_refresh_token_grant": false,
-                "disable_clickjack_protection_headers": false,
-                "enable_pipeline2": false
-            },
-            "friendly_name": "This is the ##COMPANY_NAME## Tenant",
-            "guardian_mfa_page": {
-                "enabled": true,
-                "html": "<html>MFA</html>\n"
-            },
-            "idle_session_lifetime": 1,
-            "picture_url": "https://upload.wikimedia.org/wikipedia/commons/0/0d/Grandmas_marathon_finishers.png",
-            "sandbox_version": "12",
-            "session_lifetime": 3.0166666666666666,
-            "support_email": "[email protected]",
-            "support_url": "https://mycompany.org/support",
-            "universal_login": {},
-            "session_cookie": {
-                "mode": "non-persistent"
-            },
-            "sandbox_versions_available": [
-                "16",
-                "12"
-            ]
-        },
-        "rawHeaders": [],
-        "responseIsBinary": false
-    },
     {
         "scope": "https://deploy-cli-dev.eu.auth0.com:443",
         "method": "PATCH",
@@ -210,9 +76,6 @@
                 "en"
             ],
             "friendly_name": "This is the Travel0 Tenant",
-            "flags": {
-                "new_universal_login_experience_enabled": true
-            },
             "universal_login": {}
         },
         "status": 200,
@@ -338,4 +201,4 @@
         "rawHeaders": [],
         "responseIsBinary": false
     }
-]
+]