az ad app permission grant not working or usable as expected #12137

Comments
Hi @jiasli, could you please help take a look at this?

Add to S166.

This was pushed to a future release. How many times is it going to get pushed before being addressed and resolved? Is anyone able to comment on a commitment that this will be resolved with a definitive timeline?
⚠ It can only be called by a user, not a service principal. For example, we can call it with the app's Application ID:

```shell
az ad app permission admin-consent --id 46eb4122-bd2b-4f54-af7b-6d79b46ee31a
```

Before: [screenshot]

After: [screenshot]

Grant Delegated Permissions

To grant Delegated Permissions, we recommend using

```shell
# Line breaks for legibility only, same for following commands
az ad app permission grant --id 46eb4122-bd2b-4f54-af7b-6d79b46ee31a \
    --api 00000003-0000-0000-c000-000000000000 \
    --scope "Directory.Read.All Directory.ReadWrite.All"
```

Grant Application Permissions

To grant Application Permissions, we can use any of these 2 APIs:

You may get it from Azure Portal: Or query

```shell
> az ad sp show --id 46eb4122-bd2b-4f54-af7b-6d79b46ee31a --query "objectId" --output tsv
8aaa6158-7450-4407-ba08-61377f23d05f

$ az ad sp show --id 00000003-0000-0000-c000-000000000000 --query "objectId" --output tsv
a3efc889-f1b7-4532-9e01-91e32d1039f4

> az ad sp show --id 00000003-0000-0000-c000-000000000000 --query "appRoles[?value=='Directory.ReadWrite.All']"
[
  {
    "allowedMemberTypes": [
      "Application"
    ],
    "description": "Allows the app to read and write data in your organization's directory, such as users, and groups, without a signed-in user. Does not allow user or group deletion.",
    "displayName": "Read and write directory data",
    "id": "19dbc75e-c2e2-444c-a770-ec69d8559fc7",
    "isEnabled": true,
    "value": "Directory.ReadWrite.All"
  }
]
```

You may also use the F12 Developer Tools of the browser to capture a network trace to check the related ID conversions. (Quite complicated, I admit.)
Thanks for all of the detailed information! I'll take some time and digest this, and come back if I have any further questions on this. I understand a bit more on the delays though.

Hi @dmprantz, thanks a lot for your understanding. We have been working tightly with the AAD team on this feature. Don't hesitate to let us know if there are any concerns.
For the granting app (or service principal, which you use to log in and grant permissions to another service principal),

⚠ Keep in mind that AppRoleAssignment.ReadWrite.All is extremely privileged, as it allows granting any app-only permission, including RoleManagement.ReadWrite.Directory, which can then be used to give anyone (or any app) even higher privileges up to and including Company Administrator (i.e. Global Admin).

If you use

Reference: https://winsmarts.com/how-to-grant-admin-consent-to-an-api-programmatically-e32f4a100e9d

Hi @jiasli, using the

I found a solution. This is really confusing and undocumented.

@fume, glad to know it is solved. You may use
The UpdateService Principal API of Microsoft Graph is now GA. I have updated my answer #12137 (comment) to reflect the most recent changes. The GA APIs have some changes from the blog I provided earlier for granting Application Permissions. In short:

TL;DR

We can consider the assignment as a relationship/binding between 2 service principals. There are 4 ways to create an assignment. In the blog, the APIs are

Now the official APIs are

We can draw a diagram like this:

Ideally the same URL can be used for 4 operations:

To use the above operations with URLs:

If we enumerate all combinations:

Examples

Using
@jiasli Thanks for the provided info. I am having issues when running the

I tried this command last year and it was working fine. I didn't have to use it these last few months, but now I am getting the following error:

Any idea on what this could be? My user is Owner, and I am trying to run this from the PowerShell console.

Hi @estemendoza, Owner is a concept of ARM RBAC. In order to call MS Graph, please make sure you have the permission shown in

Hi @jiasli Thanks for the links, but I am still having issues. I tried to execute it using PowerShell on the Portal and got the following error:

What am I doing wrong on the command? Thanks in advance.

@jiasli Never mind, I needed to run the script as an Administrator. Thanks for the help.

@estemendoza, passing JSON in PowerShell requires additional quoting rules. Please see https://github.com/Azure/azure-cli/blob/dev/doc/quoting-issues-with-powershell.md. Azure CLI doesn't need Administrator permission to run.
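One way to avoid the PowerShell quoting problem discussed above is to build the Graph request body with `ConvertTo-Json` and hand it to `az rest` from a file rather than as an inline string. This is an added example, not code from the thread or from the Azure CLI project; the `<client-sp-object-id>` and `<graph-sp-object-id>` values are placeholders for the object IDs resolved with `az ad sp show`, and the appRoleId is the Directory.ReadWrite.All role ID quoted earlier in the thread.

```powershell
# Added example: build the appRoleAssignment body in PowerShell and pass it to
# az rest via a file, so no JSON quoting reaches the command line.
# <client-sp-object-id> and <graph-sp-object-id> are placeholders (assumption).
$body = @{
    principalId = "<client-sp-object-id>"
    resourceId  = "<graph-sp-object-id>"
    appRoleId   = "19dbc75e-c2e2-444c-a770-ec69d8559fc7"   # Directory.ReadWrite.All
} | ConvertTo-Json -Compress

# Write the body to a temp file; Azure CLI reads "@file" arguments from disk.
$bodyFile = Join-Path $env:TEMP "approle-body.json"
Set-Content -Path $bodyFile -Value $body -Encoding utf8

az rest --method POST `
    --uri "https://graph.microsoft.com/v1.0/servicePrincipals/<client-sp-object-id>/appRoleAssignments" `
    --headers "Content-Type=application/json" `
    --body "@$bodyFile"

Remove-Item $bodyFile
```

No elevated (Administrator) session is needed for this, as noted above; the caller only needs the Graph permission to create app role assignments.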
@jiasli I'm logged into Azure CLI in a Windows Terminal (PowerShell) using a Service Principal. I'm trying to grant admin consent for an Application Scoped API permission. Executing the following, I get an error message:

@MartinHatchL365 seems related to the value of

If I don't use that then I get the following error message:

@Yvand could it be that the URL is incorrect? According to the official documentation on MS Graph, the correct endpoint is /appRoleAssignedTo and not /appRoleAssignments, which is in the example above.

@MartinHatchL365 it looks good to me. In my script I am using the endpoint /appRoleAssignments just fine...

Does it make a difference that I'm logged in using a Service Principal?

Another workaround is to use the Microsoft Graph PowerShell SDK, which is another client tool for AAD:

Just a quick note (I hope I'm not confusing anyone), but on my Azure Tenant, the MS Graph (00000003-0000-0000-c000-000000000000) does not have an

So in my case, the code to get the correct resourceId for MS Graph is `az ad sp show --id 00000003-0000-0000-c000-000000000000 --query "id" --output tsv`
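The ID resolution and request construction spread across the thread (resolving the two service principal object IDs, looking up the appRoleId for an Application permission, and building the Graph bodies for an app role assignment and a delegated oauth2PermissionGrant) fit into one small helper module. The following is an added example written for this page, not code from the thread or from Azure CLI. The service-principal JSON is a constructed, trimmed version of the `az ad sp show` output quoted above, using the IDs from the thread; it handles both the newer `id` property and the older `objectId` property mentioned in the last note, and refuses to treat a delegated scope as an appRole, which is the confusion the original issue describes. The `az rest` invocation is only assembled as an argv list, not executed.

```python
import json
import shlex

GRAPH_BASE = "https://graph.microsoft.com/v1.0"

# Constructed sample: trimmed form of the `az ad sp show` output quoted in the
# thread for the Microsoft Graph service principal (IDs taken from the thread).
GRAPH_SP = json.loads("""
{
  "id": "a3efc889-f1b7-4532-9e01-91e32d1039f4",
  "appId": "00000003-0000-0000-c000-000000000000",
  "appRoles": [
    {
      "allowedMemberTypes": ["Application"],
      "displayName": "Read and write directory data",
      "id": "19dbc75e-c2e2-444c-a770-ec69d8559fc7",
      "isEnabled": true,
      "value": "Directory.ReadWrite.All"
    }
  ]
}
""")

# Constructed sample: the client service principal that is being granted access.
CLIENT_SP = {"id": "8aaa6158-7450-4407-ba08-61377f23d05f",
             "appId": "46eb4122-bd2b-4f54-af7b-6d79b46ee31a"}


def sp_object_id(sp: dict) -> str:
    """Object ID of a service principal; newer CLI returns "id", older "objectId"."""
    for key in ("id", "objectId"):
        if sp.get(key):
            return sp[key]
    raise KeyError("service principal has neither 'id' nor 'objectId'")


def find_app_role_id(resource_sp: dict, value: str) -> str:
    """appRoleId of an *application* permission exposed by the resource API.

    Delegated scopes are not appRoles, so a wrong permission type fails here
    instead of producing a grant of the wrong kind.
    """
    for role in resource_sp.get("appRoles", []):
        if role.get("value") == value:
            if "Application" not in role.get("allowedMemberTypes", []):
                raise ValueError(f"{value} is not an application permission")
            if not role.get("isEnabled", False):
                raise ValueError(f"{value} is disabled on the resource")
            return role["id"]
    raise KeyError(f"{value} is not an appRole of {resource_sp.get('appId')}")


def app_role_assignment_body(client_sp: dict, resource_sp: dict, value: str) -> dict:
    """Body for POST /servicePrincipals/{clientObjectId}/appRoleAssignments."""
    return {
        "principalId": sp_object_id(client_sp),
        "resourceId": sp_object_id(resource_sp),
        "appRoleId": find_app_role_id(resource_sp, value),
    }


def merge_scopes(existing: str, wanted) -> str:
    """Combine delegated scopes into one space-separated string.

    A grant's "scope" is a single string, which is why repeated single-scope
    grants overwrite each other: merge first, then grant once.
    """
    merged = []
    for scope in existing.split() + list(wanted):
        if scope not in merged:
            merged.append(scope)
    return " ".join(merged)


def oauth2_grant_body(client_sp: dict, resource_sp: dict, scopes: str) -> dict:
    """Body for POST /oauth2PermissionGrants (tenant-wide delegated consent)."""
    return {
        "clientId": sp_object_id(client_sp),
        "consentType": "AllPrincipals",
        "principalId": None,
        "resourceId": sp_object_id(resource_sp),
        "scope": scopes,
    }


def az_rest_argv(method: str, path: str, body: dict) -> list:
    """argv for `az rest` suitable for subprocess.run; nothing is executed here."""
    return ["az", "rest", "--method", method, "--uri", GRAPH_BASE + path,
            "--headers", "Content-Type=application/json",
            "--body", json.dumps(body)]


if __name__ == "__main__":
    body = app_role_assignment_body(CLIENT_SP, GRAPH_SP, "Directory.ReadWrite.All")
    path = f"/servicePrincipals/{sp_object_id(CLIENT_SP)}/appRoleAssignments"
    print(shlex.join(az_rest_argv("POST", path, body)))
    print(oauth2_grant_body(CLIENT_SP, GRAPH_SP,
                            merge_scopes("Directory.Read.All", ["Directory.ReadWrite.All"])))
```

In practice the two `*_SP` dictionaries come from `json.loads` over `az ad sp show --id <appId>` output; everything else stays the same, and the delegated and application paths remain clearly separated.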
Describe the bug
"az ad app permission grant" only seems to grant a single scope. If I call it successive times, the existing scope is overwritten. This behaviour is not clearly documented, nor is the way to grant multiple scopes.

"az ad app permission admin-consent" appears to be non-functional. How can admin consent be granted without three key pieces of information: AppID, APIID, and Scope? What is this doing? How can a single scope be granted at the application level?

I would also consider it a bug that "az ad app permission grant" cannot be used to grant application-type scopes.
To Reproduce
Try to execute the above commands. "az ad app permission admin-consent" is not documented in any way that makes sense. "az ad app permission grant" seems to work, but successive calls overwrite your work.
Expected behavior
There should be a single command that allows you to grant individual scopes (or comma-separated lists of scopes) for an API to an app. That same command should have a flag for Delegated vs Application type. It should not overwrite itself. Worst case, if there have to be two commands, the one used to grant admin consent to the application type should allow appropriate parameters.
Documentation of these calls should be clear and concise.
Environment summary
Windows 10. Installed via downloaded MSI for x64. cmd.exe shell.

```
C:\Program Files\Microsoft SDKs\Azure\.NET SDK\v2.9\bin>az --version
azure-cli                         2.0.81

command-modules-nspkg              2.0.3
core                              2.0.81
nspkg                              3.0.4
telemetry                          1.0.4

Python location 'C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\python.exe'
Extensions directory 'C:\Users\dpomerantz\.azure\cliextensions'

Python (Windows) 3.6.6 (v3.6.6:4cf1f54eb7, Jun 27 2018, 02:47:15) [MSC v.1900 32 bit (Intel)]
```