Azure / azure-cli

Azure Command-Line Interface
MIT License

Application Registration created with "az ad sp create-for-rbac" defaults to global sign-in-audience #25881

Open michaelhambe opened 1 year ago

michaelhambe commented 1 year ago

az feedback auto-generates most of the information requested below, as of CLI version 2.0.62

Related command az ad sp create-for-rbac -n {name} --scope {scope} --role {role}

Describe the bug In the past, this command would create both the service principal and application registration, where the application registration would be a single-tenant app. However, the behaviour seems to have changed as new app registrations are multi-tenant by default, with no option to choose.

To Reproduce az ad sp create-for-rbac -n {name} --scope {scope} --role {role}

Expected behaviour The resultant application registration is single-tenant, or a new flag is added to allow the user to choose.

The documentation could also be updated to indicate that the az ad sp command creates both a Service Principal and an Application Registration.

Environment summary Azure CLI 2.46.0 installed on OSX via Homebrew

Additional context

yonzhan commented 1 year ago

@jiasli for awareness

jiasli commented 1 year ago

It looks like a behavior change between AD Graph and MS Graph's Create application API.

AzureADandPersonalMicrosoftAccount is now the default value of signInAudience in MS Graph.

There are 2 workarounds:

  1. Run az ad app create with --sign-in-audience to manually create the app and az ad sp create to create its corresponding service principal
  2. After running az ad sp create-for-rbac, run az ad app update with --sign-in-audience to modify the app
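As an added example (not code from this thread or from the azure-cli project): an audit script that reads the JSON printed by `az ad app list -o json`, flags every registration whose signInAudience is anything other than AzureADMyOrg, and emits the `az ad app update --sign-in-audience` command from workaround 2 for each finding. The app list embedded in the block is constructed sample data, not output captured from a real tenant; the set of signInAudience values is the one MS Graph documents for the application object.

```python
"""Audit Azure AD app registrations for a broader-than-needed signInAudience.

Added example, not code from the azure-cli project or the issue thread.
Input is the JSON that `az ad app list -o json` prints (MS Graph application
objects); the sample below is constructed for illustration only.
"""
from __future__ import annotations

import json

# signInAudience values MS Graph accepts on an application object.
SINGLE_TENANT = "AzureADMyOrg"
MULTI_TENANT_VALUES = {
    "AzureADMultipleOrgs",                 # any Azure AD tenant
    "AzureADandPersonalMicrosoftAccount",  # any tenant plus personal accounts (the MS Graph default)
    "PersonalMicrosoftAccount",            # personal Microsoft accounts only
}

# Constructed sample of `az ad app list -o json` output, trimmed to the fields used here.
SAMPLE_APP_LIST = json.dumps([
    {"appId": "11111111-1111-1111-1111-111111111111",
     "displayName": "ci-deployer",
     "signInAudience": "AzureADandPersonalMicrosoftAccount"},
    {"appId": "22222222-2222-2222-2222-222222222222",
     "displayName": "legacy-api",
     "signInAudience": "AzureADMyOrg"},
    {"appId": "33333333-3333-3333-3333-333333333333",
     "displayName": "partner-portal",
     "signInAudience": "AzureADMultipleOrgs"},
])


def find_multitenant_apps(app_list_json: str) -> list[dict]:
    """Return the registrations whose signInAudience is not single-tenant.

    A missing or unrecognised value is reported too (known_value=False) so that
    a malformed or future value is never silently treated as single-tenant.
    """
    findings = []
    for app in json.loads(app_list_json):
        audience = app.get("signInAudience")
        if audience != SINGLE_TENANT:
            findings.append({
                "appId": app["appId"],
                "displayName": app.get("displayName", ""),
                "signInAudience": audience,
                "known_value": audience in MULTI_TENANT_VALUES,
            })
    return findings


def remediation_commands(findings: list[dict]) -> list[str]:
    """Build the `az ad app update` command (workaround 2 above) for each finding."""
    return [
        f"az ad app update --id {f['appId']} --sign-in-audience {SINGLE_TENANT}"
        for f in findings
    ]


if __name__ == "__main__":
    hits = find_multitenant_apps(SAMPLE_APP_LIST)
    for h in hits:
        print(f"{h['displayName']} ({h['appId']}): signInAudience={h['signInAudience']}")
    for cmd in remediation_commands(hits):
        print(cmd)
```

To run it against a real tenant, replace SAMPLE_APP_LIST with the output of `az ad app list -o json` (the same appId, displayName and signInAudience fields are present there) and review the emitted commands before executing them; an app that really is meant to be multi-tenant, such as a partner-facing portal, should be left alone. After updating an app, `az ad app show --id <appId> --query signInAudience -o tsv` confirms the change took effect.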
michaelhambe commented 1 year ago

Shouldn't the default signInAudience be the least permissive?

michaelhambe commented 1 year ago

Hi @jiasli

Having application registrations default to multi-tenant seems to contradict this documentation:

https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-convert-app-to-be-multi-tenant#update-registration-to-be-multi-tenant

which states that "By default, web app/API registrations in Azure AD are single-tenant upon creation."

davejhahn commented 7 months ago

This is also happening with az ad app create - assuming this is the same problem.