[RBAC] Updates to az ad app permission list/add/delete #13325
add to S169
102f2f2 to 91385c4
Hi @psignoret, thanks a lot for the contribution. We are on public holiday. I will review this PR tomorrow. By the way,
Yes,
I'm working on a separate PR to add support for application permissions (app role assignments). Once that's implemented, we can update
@jiasli Have you had a chance to review this PR?
Thanks @psignoret, I still haven't got a chance to review it as AD Graph API is not our priority. I don't think we will use the term We actually plan to do this in MS Graph migration, as the current work may be discarded during the process.
5f54f03 to b3e989e
* If at least one tenant-wide delegated permission exists, expiryTime is set to a date far in the future.
* New parameter --skip-grant-expiry-time to avoid retrieving the grants, which adds several unnecessary queries.
b3e989e to 91ca818
add to S171
Description
Various updates to az ad app permission commands for managing required API permissions on app registrations:
az ad app permission add
az ad app permission grant --id {id} --api {api} will grant the permissions added. (This was inaccurate and there's no command currently that can be used to grant both application and delegated permissions.)
az ad app permission delete
az ad app permission list
show_service_principal to avoid an unnecessary query in several scenarios.
Testing Guide
See examples added in _help.py.
History Notes
[RBAC] az ad app permission list: Now includes a date far in the future as "expiryTime" when listing required permissions and there exists at least one tenant-wide delegated permission grant for the API in question. (The real "expiryTime" values are not enforced by the server, so it is more accurate to state the permission grant expires far in the future.) Use az ad app permission list-grants to list all delegated permission grants.
[RBAC] az ad app permission add: Add support for identifying the API by identifier URI.
[RBAC] az ad app permission delete: Add support for identifying the API by identifier URI, and add support for removing individual required permissions.
This checklist is used to make sure that common guidelines for a pull request are followed.
The PR title and description has followed the guideline in Submitting Pull Requests.
I adhere to the Command Guidelines.