Azure / azure-cli

Azure Command-Line Interface
MIT License

az rest --uri not support some Graph Endpoints e.g. /deviceManagement/deviceShellScripts #20572

Open weinishen opened 2 years ago

weinishen commented 2 years ago

Per our testing, az rest --uri does not support some Graph endpoints, e.g. /deviceManagement/deviceShellScripts, since Azure CLI (1st party app) doesn't have the required delegated permissions.

However, our document doesn't mention that. May I know if there is any plan for letting az rest support that? Or can we update the document to let us know about that limitation?



yonzhan commented 2 years ago

@jiasli for awareness

jiasli commented 2 years ago

Explanation

APIs like List deviceShellScripts require DeviceManagementManagedDevices.Read.All, DeviceManagementManagedDevices.ReadWrite.All permissions.

However, even as a first-party app, Azure CLI is not granted such permissions.

Possible solutions

  1. We are considering exposing something like

    # hypothetical
    az config set auth.client_id=xxx

    so that Azure CLI can also behave like a third-party app when using user authentication. (https://github.com/Azure/azure-cli/issues/13284)

  2. Apply for these permissions from the Microsoft Graph team.

Workaround

For now, you may use az login with a service principal that has DeviceManagementManagedDevices.Read.All and DeviceManagementManagedDevices.ReadWrite.All application permissions.
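
An added example, not part of the original thread or of Azure CLI's code: a way to check which of the permissions named above a Graph access token actually carries, which shows why a user login fails here while a suitably granted service principal succeeds. The helper `make_sample_token` and both sample tokens are constructed for illustration.

```python
import base64
import json

# The two permissions this thread names for List deviceShellScripts.
LISTED = {
    "DeviceManagementManagedDevices.Read.All",
    "DeviceManagementManagedDevices.ReadWrite.All",
}


def jwt_claims(token: str) -> dict:
    """Decode a JWT payload for inspection only; the signature is NOT verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def listed_permissions(token: str) -> dict:
    """Return which of the LISTED permissions the token carries, split by kind.

    Microsoft identity platform access tokens put delegated permissions in the
    space-separated 'scp' claim and application permissions in the 'roles' array.
    """
    claims = jwt_claims(token)
    return {
        "delegated": LISTED & set(claims.get("scp", "").split()),
        "application": LISTED & set(claims.get("roles", [])),
    }


def make_sample_token(claims: dict) -> str:
    """Hypothetical helper: build an unsigned, constructed token for the demo."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc(claims), "constructed"])


# Constructed samples, not real tokens. A real one can be read from the
# accessToken field of `az account get-access-token --resource-type ms-graph`.
USER_TOKEN = make_sample_token({"scp": "User.Read"})
SP_TOKEN = make_sample_token({"roles": ["DeviceManagementManagedDevices.Read.All"]})

if __name__ == "__main__":
    for name, tok in (("user login", USER_TOKEN), ("service principal", SP_TOKEN)):
        print(name, listed_permissions(tok))
```

Access tokens are bearer credentials, so run a check like this locally and keep real tokens out of logs and issue comments.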