Microsoft Graph API Support #12946

Closed
jiasli opened this issue Apr 10, 2020 · 61 comments · Fixed by #22432

@jiasli
Member

jiasli commented Apr 10, 2020

According to https://docs.microsoft.com/en-us/graph/migrate-azure-ad-graph-overview:

Azure Active Directory (Azure AD) Graph is deprecated. To avoid loss of functionality, migrate your applications to Microsoft Graph before June 30, 2022 when Azure AD Graph API endpoints will stop responding to requests.

We need to switch Azure CLI to use Microsoft Graph API instead.

@jiasli jiasli self-assigned this Apr 10, 2020
@jiasli jiasli added this to the Backlog milestone Apr 10, 2020
@yonzhan yonzhan added the Service Attention This issue is responsible by Azure service team. label Apr 10, 2020
@jiasli
Member Author

jiasli commented Apr 10, 2020

Call Microsoft Graph API with az rest

As Microsoft Graph REST API v1.0 is now GA, we can call it directly with az rest to achieve the same effect as az ad commands, including all latest features from Microsoft Graph. It can automatically authenticate to Microsoft Graph.

Examples

Update redirectUris for an Application

Originally posted at #9501 (comment). We call the Update application API. The GUID part in the following URLs is the object ID of the application.

# Get the application
az rest --method GET --uri 'https://graph.microsoft.com/v1.0/applications/b4e4d2ab-e2cb-45d5-a31a-98eb3f364001'

# Update `redirectUris` for `web` property
az rest --method PATCH --uri 'https://graph.microsoft.com/v1.0/applications/b4e4d2ab-e2cb-45d5-a31a-98eb3f364001' --body '{"web":{"redirectUris":["https://myapp.com"]}}'

Add owners to a service principal

Originally posted at #9250 (comment). We call the servicePrincipal: Add owner API.

appId=93dde3da-9fca-47dd-aee2-409b402ffed3
spObjectId=$(az ad sp show --id $appId --query objectId --output tsv)

# Get the object Id for the current user
ownerObjectId=$(az ad signed-in-user show --query objectId -o tsv)

# This applies to both user and service principal as owners
az rest -m POST -u https://graph.microsoft.com/beta/servicePrincipals/$spObjectId/owners/\$ref -b "{\"@odata.id\": \"https://graph.microsoft.com/beta/directoryObjects/$ownerObjectId\"}"

# To add a user as an owner
az rest -m POST -u https://graph.microsoft.com/beta/servicePrincipals/$spObjectId/owners/\$ref -b "{\"@odata.id\": \"https://graph.microsoft.com/beta/users/$ownerObjectId\"}"

# To add a service principal as an owner
az rest -m POST -u https://graph.microsoft.com/beta/servicePrincipals/$spObjectId/owners/\$ref -b "{\"@odata.id\": \"https://graph.microsoft.com/beta/servicePrincipals/$ownerObjectId\"}"

Remarks

  • The above commands are for Bash, which Azure Cloud Shell uses
  • In both PowerShell and CMD terminals, double quotes " in the JSON body (as contents) need to be escaped by \, even if the JSON body is surrounded by single quotes ': '{\"key\":\"value\"}'. For more info, please see Quoting Issues
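As an added example (not code from this issue or from Azure CLI itself), the POSIX shell script below wraps the owner-add and addPassword calls shown above: it validates each object ID before placing it in a URI or JSON body, and hands the body to az rest through --body @file, which sidesteps the per-shell escaping described in the Remarks. The Graph URLs are those from the examples; the function names are mine.

```shell
#!/bin/sh
# Added example, not code from the issue or from Azure CLI. Builds the Graph
# request pieces in functions and passes the JSON body to az rest via a file
# (--body @file), so no shell-specific escaping of the JSON is needed.
set -eu

GRAPH=https://graph.microsoft.com/v1.0

# Object IDs end up inside a URI and a JSON body; accept only a well-formed
# GUID so nothing else can be smuggled into either.
is_guid() {
  printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# Body for POST .../owners/$ref; directoryObjects covers users and service
# principals alike, as noted in the examples above.
owner_ref_body() {
  printf '{"@odata.id":"%s/directoryObjects/%s"}' "$GRAPH" "$1"
}

# URI for the servicePrincipal "Add owner" call ($ref stays literal).
sp_owners_uri() {
  printf '%s/servicePrincipals/%s/owners/$ref' "$GRAPH" "$1"
}

# Body for POST .../applications/{id}/addPassword; the display name is
# interpolated into JSON, so quotes and backslashes are rejected.
password_body() {
  case "$1" in *'"'*|*'\'*) echo "displayName: no quotes/backslashes" >&2; return 1 ;; esac
  printf '{"passwordCredential":{"displayName":"%s"}}' "$1"
}

# POST a JSON body with az rest, reading it from a temp file so the same
# command works unchanged in Bash, PowerShell and CMD.
graph_post() {
  uri="$1"; body="$2"
  f=$(mktemp) || return 1
  printf '%s' "$body" > "$f"
  az rest --method POST --uri "$uri" --body "@$f" && rc=0 || rc=$?
  rm -f "$f"
  return $rc
}

# Make a user or service principal (owner object ID) an owner of a service
# principal (SP object ID), refusing malformed IDs before any call is made.
add_sp_owner() {
  is_guid "$1" && is_guid "$2" || { echo "invalid object ID" >&2; return 1; }
  graph_post "$(sp_owners_uri "$1")" "$(owner_ref_body "$2")"
}
```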

@acefei

acefei commented Apr 14, 2022

@jiasli I tried to use the Microsoft Graph API with the required permission to add a password for an App registration
[screenshot]
It still shows Insufficient privileges to complete the operation.
Any thoughts?

Reproduce steps:

  1. Create a SPN and log in to Azure with az login --service-principal -u <Application (client) ID> -p xxx --tenant xxx
  2. Add password to an App registration that shows Insufficient privileges to complete the operation.
    az rest --method POST --uri https://graph.microsoft.com/v1.0/applications/AppObjectId/addPassword --body '{"passwordCredential":{"displayName": "xxxx"}}'
  3. Try to add the app to the owner list of itself, it shows Insufficient privileges to complete the operation. as well.
    az rest -m POST -u https://graph.microsoft.com/v1.0/applications/AppObjectId/owners/\$ref -b "{\"@odata.id\": \"https://graph.microsoft.com/v1.0/directoryObjects/AppObjectId\"}"

Updated: The same steps work well with a service principal's object ID.

@jiasli
Member Author

jiasli commented Apr 15, 2022

@acefei, Azure CLI is merely a REST client. For permission issues, you may reach out to AAD support: https://azure.microsoft.com/en-us/support/create-ticket/

@drdamour

@acefei what shell are you running that from?

@Tbohunek

Tbohunek commented Apr 15, 2022

For me it works. Just running from PowerShell with Az CLI installed.
@acefei did you grant/obtain admin consent on Application.ReadWrite.OwnedBy? That is required.
You can remove Directory.Read.All Delegated, that isn't used here.

There's however another problem, #9742, so you need to call --body '{\"passwordCredential\":{\"displayName\": \"xxxx\"}}' instead. 😞

@Tbohunek

@jiasli There's one more problem..
az rest --method POST --uri https://graph.microsoft.com/v1.0/applications/<app_objectid>/addPassword --body '{\"passwordCredential\":{\"displayName\": \"mytest6\"}}'

Bad Request({"error":{"code":"TooManyAppPasswords","message":"Not allowed to add 3 passwords. You can only add a maximum of 2 passwords.","details":[{"target":"passwordCredentials","code":"TooManyAppPasswords"}],"innerError":{"date":"2022-04-15T17:18:50","request-id":"f0c9aaac-9875-403e-bbd9-9048ec006efb","client-request-id":"f0c9aaac-9875-403e-bbd9-9048ec006efb"}}})

Same error also when adding Secret via Portal.

It seems this only happens for Apps created with az rest --method POST --uri https://graph.microsoft.com/v1.0/applications --body '{\"displayName\":\"myclicreated\"}'.
When I create App via Portal and I make the SP its owner with az ad app owner add, then I can use the above az rest or Portal to add as many passwords as I please.

Any clue what's behind that? Is this the right repo for this issue?

@jiasli
Member Author

jiasli commented Apr 18, 2022

@Tbohunek, I believe the 3 passwords limitation is a design of Graph API application: addPassword.

I can reproduce the same. Let me internally involve Graph team on this issue.

@Tbohunek

@jiasli I don't think so. The Graph API addPassword works on an App created via Azure Portal. It has to do with the App config, but comparing its json with a Graph-API created App doesn't reveal any clues.

@Tbohunek

I wonder what's your problem @joukevandermaas 👎

@joukevandermaas

@Tbohunek you are spamming an issue that many people are monitoring with something only tangentially related. Can you not imagine why I might find that annoying? Why not take the unrelated issues somewhere else so those of us who care about the original topic can get notified when there are actual updates on this issue?

I tried to indicate this in a way that does not update everyone who follows this issue but I guess that didn't work.

@acefei

acefei commented Apr 25, 2022

@acefei what shell you running that from?
I ran az rest in the mcr.microsoft.com/azure-cli container.

@acefei

acefei commented Apr 25, 2022

@acefei, Azure CLI is merely a REST client. For permission issue, you may reach out to AAD support: https://azure.microsoft.com/en-us/support/create-ticket/

Unfortunately, I did that, but I can't find AAD related in the problem type with Technical issue type.

BTW, I don't think it was a typical permission issue. As we know, there are two types of applications with the same Application (client) ID once the SPN is created: Enterprise applications (service principals) and App registrations (applications).
They use different Microsoft Graph APIs.

In my problem, with the same client ID and the same permissions following the requirement on the API page, the permission issue only occurs on POST /applications/{id}/owners/$ref, but passes on POST /servicePrincipals/{id}/owners/$ref

@acefei

acefei commented Apr 25, 2022

For me it works. Just running from PowerShell with Az CLI installed. @acefei did you grant/obtain admin consent on Application.ReadWrite.OwnedBy? That is required. You can remove Directory.Read.All Delegated, that isn't used here.

There's however another problem, #9742, so you need to call --body '{\"passwordCredential\":{\"displayName\": \"xxxx\"}}' instead. 😞

I think my original thread was clear.

  1. I've obtained admin consent on Application.ReadWrite.OwnedBy (see the screenshot)
  2. Do you mean the escape characters? Yes I did, but the problem persists.
    Literally, from the Application.ReadWrite.OwnedBy permission, the operator should be the owner of the application, so I tried to add the appId into its owner list by az rest -m POST -u https://graph.microsoft.com/v1.0/applications/$AppObjectId/owners/\$ref -b "{\"@odata.id\": \"https://graph.microsoft.com/v1.0/directoryObjects/$AppObjectId\"}", but that returns Insufficient privileges to complete the operation

@Tbohunek

Tbohunek commented Apr 30, 2022

@acefei your screenshot does not show whether the consent was actually granted, just that permission is configured. Add a wider screenshot.
Instead of modifying an existing App, try creating new App. Does that not work either?
Consider creating a separate issue to proceed with your debugging. Graph seems to work as it should.

@ABerTSC

ABerTSC commented May 4, 2022

Is there any update? I still get "Insufficient privileges to complete the operation" trying to use,

for example, "az ad app create" in an Azure DevOps Pipeline

@jiasli
Member Author

jiasli commented May 16, 2022

We have migrated to Microsoft Graph API in #22432.

@oalimerko

@jiasli I see that even after the migration the commands az ad & az role can still be used. According to the description of the issue, "Azure Active Directory (Azure AD) Graph is deprecated. To avoid loss of functionality, migrate your applications to Microsoft Graph before June 30, 2022 when Azure AD Graph API endpoints will stop responding to requests." We should migrate our applications. My application is still working using the old commands az ad & az role

@dsantunes

@jiasli There's one more problem.. az rest --method POST --uri https://graph.microsoft.com/v1.0/applications/<app_objectid>/addPassword --body '{\"passwordCredential\":{\"displayName\": \"mytest6\"}}'

Bad Request({"error":{"code":"TooManyAppPasswords","message":"Not allowed to add 3 passwords. You can only add a maximum of 2 passwords.","details":[{"target":"passwordCredentials","code":"TooManyAppPasswords"}],"innerError":{"date":"2022-04-15T17:18:50","request-id":"f0c9aaac-9875-403e-bbd9-9048ec006efb","client-request-id":"f0c9aaac-9875-403e-bbd9-9048ec006efb"}}})

Same error also when adding Secret via Portal.

It seems this only happens for Apps created with az rest --method POST --uri https://graph.microsoft.com/v1.0/applications --body '{\"displayName\":\"myclicreated\"}'. When I create App via Portal and I make the SP its owner with az ad app owner add, then I can use the above az rest or Portal to add as many passwords as I please.

Any clue what's behind that? Is this the right repo for this issue?

Did you ever find the cause for this?
