Open michaelhambe opened 1 year ago
@jiasli for awareness
It looks like a behavior change between AD Graph and MS Graph's Create application API. AzureADandPersonalMicrosoftAccount is now the default value of signInAudience in MS Graph.

There are 2 workarounds:

1. az ad app create with --sign-in-audience to manually create the app, and az ad sp create to create its corresponding service principal
2. az ad sp create-for-rbac, then run az ad app update with --sign-in-audience to modify the app

Shouldn't the default signInAudience be the least permissive?
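To find registrations that ended up broader than single-tenant and produce the az ad app update workaround mentioned in the thread for each, here is an added audit script (example code, not part of this issue or of Azure CLI). It assumes the input is JSON in the shape of az ad app list output (appId, displayName, signInAudience); the sample below is constructed.

```python
import json
from typing import Dict, List

# signInAudience values of the Microsoft Graph application resource, ordered
# from least to most permissive sign-in scope.
SINGLE_TENANT = "AzureADMyOrg"
AUDIENCE_RANK = {
    "AzureADMyOrg": 0,                        # single tenant
    "AzureADMultipleOrgs": 1,                 # any Azure AD tenant
    "AzureADandPersonalMicrosoftAccount": 2,  # any tenant + personal accounts (new default)
    "PersonalMicrosoftAccount": 2,            # personal accounts only
}

# Constructed sample in the shape of `az ad app list -o json` (not real tenant data).
SAMPLE_APP_LIST = json.dumps([
    {"appId": "00000000-0000-0000-0000-000000000001", "displayName": "ci-deployer",
     "signInAudience": "AzureADandPersonalMicrosoftAccount"},
    {"appId": "00000000-0000-0000-0000-000000000002", "displayName": "internal-api",
     "signInAudience": "AzureADMyOrg"},
    {"appId": "00000000-0000-0000-0000-000000000003", "displayName": "partner-portal",
     "signInAudience": "AzureADMultipleOrgs"},
])


def find_overly_broad_apps(app_list_json: str, expected: str = SINGLE_TENANT) -> List[Dict[str, str]]:
    """Return the apps whose signInAudience is more permissive than `expected`."""
    findings = []
    for app in json.loads(app_list_json):
        audience = app.get("signInAudience", "")
        if audience not in AUDIENCE_RANK:
            # Fail loudly rather than silently skipping an unknown value.
            raise ValueError(f"unknown signInAudience {audience!r} on app {app.get('appId')}")
        if AUDIENCE_RANK[audience] > AUDIENCE_RANK[expected]:
            findings.append({"appId": app["appId"], "displayName": app.get("displayName", ""),
                             "signInAudience": audience})
    return findings


def remediation_commands(findings: List[Dict[str, str]], target: str = SINGLE_TENANT) -> List[str]:
    """One `az ad app update --sign-in-audience` command per finding (the thread's workaround)."""
    return [f"az ad app update --id {f['appId']} --sign-in-audience {target}" for f in findings]


if __name__ == "__main__":
    hits = find_overly_broad_apps(SAMPLE_APP_LIST)
    for f in hits:
        print(f"{f['displayName']} ({f['appId']}): {f['signInAudience']}")
    print("\n".join(remediation_commands(hits)))
```

Reviewing the list before running the generated commands matters, because an app that intentionally serves other tenants will also be flagged.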
Hi @jiasli
Having application registrations default to multi-tenant seems to contradict this documentation:
which states that "By default, web app/API registrations in Azure AD are single-tenant upon creation."
This is also happening with az ad app create - assuming this is the same problem.
Related command az ad sp create-for-rbac -n {name} --scope {scope} --role {role}
Describe the bug In the past, this command would create both the service principal and application registration, where the application registration would be a single-tenant app. However, the behaviour seems to have changed as new app registrations are multi-tenant by default, with no option to choose.
To Reproduce az ad sp create-for-rbac -n {name} --scope {scope} --role {role}
Expected behaviour The resultant application registration is single-tenant, or a new flag is added to allow the user to choose.
The documentation could also be updated to indicate that the az ad sp command created both a Service Principal and an Application Registration.
Environment summary Azure CLI 2.46.0 installed on OSX via Homebrew
Additional context