Show object ID
Status: Open. Opened by jiasli 2 years ago.
@jiasli, @yonzhan - this won't help our scenario... We use the `az ad sp show --id` command to get the object ID of the SPN, not of the logged-in user, which used to work until now.

We are looking for a solution: given an AppId, how to get the object ID in the tenant from the currently logged-in user context.

@jiasli, the workaround mentioned here fetches the object ID of the signed-in user. We need the object ID of the provided SP. Is there a similar workaround for this?

`az ad sp show --id ""` commands, that is.
To get the object ID of another service principal (not the signed-in one), the solutions provided in https://github.com/Azure/azure-cli/issues/22629#issuecomment-1138371908 are the only possible ways in the Microsoft tenant. This is MSDigital policy. Please see https://portal.microsofticm.com/imp/v3/incidents/details/309117289/home.

As for decoding the access token, as discussed with the MSAL team and an Azure architect, the OAuth2 protocol treats access tokens as opaque. There is no expectation that clients will understand them. So we shouldn't decode the access token and extract the object ID from it.
`oid`. However, MSAL currently can't expose the ID token for each tenant, so we can't get the `oid` for each tenant.

@jiasli, currently we have moved away from this model, so we no longer require this functionality. See on the merits whether the scenario is useful and triage accordingly.
Context

Currently, in order to get the object ID of the signed-in account, we have to query the Microsoft Graph API:

`az ad signed-in-user show`
`az ad sp show`

However, since some tenants (including the Microsoft tenant) have Conditional Access policies that block access to Microsoft Graph with device code (https://github.com/Azure/azure-cli/issues/22629), querying the Microsoft Graph API is no longer possible with device code.
Proposed solutions

The result of `az login`, `az account show` and `az account list` can show the object ID decoded from the access token.

We can also add a `--show-claims` parameter to `az account get-access-token` to decode the access token and show its claims, but this solution is less intuitive.
Manual solution
Object ID can be manually retrieved from the access token:
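As an added example, not code from this issue or from the Azure CLI project, the manual route above carried out in Python: split the JWT returned by `az account get-access-token --query accessToken -o tsv`, base64url-decode its payload segment (restoring the padding JWTs strip) and read the `oid` claim. The sample token, its claim values and the `OPAQUE_TOKEN` string are constructed for offline use and belong to no real tenant. The code deliberately verifies nothing, which is exactly the caveat raised earlier in the thread: access tokens are opaque to the client, so use the result only to read your own identity, never as validated input for an authorization decision, and expect a token that is not a JWT to fail to parse.

```python
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    """Decode one base64url segment, restoring the '=' padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_claims(token: str) -> dict:
    """Parse the payload of a compact-serialized JWT.

    This only decodes; it does NOT verify the signature, audience or expiry.
    The token is also a bearer credential, so never log it.
    """
    parts = token.split(".")
    if len(parts) != 3:
        # An opaque token (one not meant to be read by this client) won't split cleanly.
        raise ValueError("token is not a compact JWS (expected header.payload.signature)")
    header = json.loads(_b64url_decode(parts[0]))
    if str(header.get("alg", "none")).lower() == "none":
        raise ValueError("refusing a token that claims alg=none")
    return json.loads(_b64url_decode(parts[1]))


def object_id_from_token(token: str) -> str:
    """Return the 'oid' claim: the caller's directory object ID in the issuing tenant."""
    claims = decode_jwt_claims(token)
    if "oid" not in claims:
        raise ValueError("token carries no 'oid' claim")
    return claims["oid"]


def _make_constructed_token(claims: dict, alg: str = "RS256") -> str:
    """Build a constructed JWT with a fake signature, for offline demonstration only."""
    def enc(obj) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = {"typ": "JWT", "alg": alg, "kid": "constructed-kid"}
    fake_sig = base64.urlsafe_b64encode(b"\x00" * 32).rstrip(b"=").decode()
    return ".".join([enc(header), enc(claims), fake_sig])


# Constructed sample claims: every value here is invented, not from a real tenant.
SAMPLE_CLAIMS = {
    "aud": "https://management.azure.com/",
    "iss": "https://sts.windows.net/11111111-2222-3333-4444-555555555555/",
    "tid": "11111111-2222-3333-4444-555555555555",
    "oid": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
    "appid": "99999999-8888-7777-6666-555555555555",
    "exp": 1700000000,
}
SAMPLE_TOKEN = _make_constructed_token(SAMPLE_CLAIMS)
OPAQUE_TOKEN = "not.a-jwt"  # constructed: what a non-JWT token looks like to this parser


if __name__ == "__main__":
    # Offline demo on the constructed token.
    print(object_id_from_token(SAMPLE_TOKEN))
    # Against a real login (not run here), pass the output of
    #   az account get-access-token --query accessToken -o tsv
    # to object_id_from_token().
```

The `oid` is per tenant, as the thread notes, so request the token for the tenant whose object ID you want (for example with `az account get-access-token --tenant <tenant-id>`, an existing parameter) rather than assuming the value carries across tenants.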