Azure / azure-cli

Azure Command-Line Interface
MIT License

Azure CLI app cannot be found in app registrations nor enterprise apps #28628

Open ppodgorsek opened 5 months ago

ppodgorsek commented 5 months ago

Related command

az account get-access-token --output json --resource "https://graph.microsoft.com"

Is your feature request related to a problem? Please describe.

I see a strange behaviour by following these steps:

  1. Sign into the tenant via Azure CLI
  2. Request an access token for the Microsoft Graph API via the Azure CLI: az account get-access-token --output json --resource "https://graph.microsoft.com"
  3. The token generation is successful and can be decoded in https://jwt.ms/
  4. The app ID (appid claim) for the Azure CLI that is present in the token cannot be found in Entra ID for that tenant (not in app registrations nor in enterprise apps)

Describe the solution you'd like

From my understanding, the Azure CLI is an Entra ID app that relies on a standard approach to interact with exposed APIs on behalf of users.

Additional permissions cannot be granted via the Portal and this leads to problems with other Microsoft solutions, such as the Graph SDK using Azure CLI credentials. Such SDKs might need additional permissions (for example, Mail.Send for the Graph API), however it doesn't seem the delegated permission can be granted to the Azure CLI.

Is this just an issue with the Azure Portal, or is this scenario not possible at all?

Describe alternatives you've considered

A separate app registration can be created with delegated permissions, but this defeats the purpose of the Azure CLI credential.

Additional context

For ease of understanding and following the trail of thought, here is the associated issue in the Microsoft Graph SDK repo.

yonzhan commented 5 months ago

Thank you for opening this issue, we will look into it.

jiasli commented 5 months ago

Azure CLI is a First Party Application and its app ID is 04b07795-8ddb-461a-bbee-02f9e1bf7b46.

I am able to get its service principal in Microsoft tenant 72f988bf-86f1-41af-91ab-2d7cd011db47:

> az ad sp show --id 04b07795-8ddb-461a-bbee-02f9e1bf7b46
{
  "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#servicePrincipals/$entity",
  "accountEnabled": true,
  "addIns": [],
  "alternativeNames": [],
  "appDescription": null,
  "appDisplayName": "Microsoft Azure CLI",
  "appId": "04b07795-8ddb-461a-bbee-02f9e1bf7b46",
  "appOwnerOrganizationId": "f8cdef31-a31e-4b4a-93e4-5f571e91255a",
  "appRoleAssignmentRequired": false,
  "appRoles": [],
  "applicationTemplateId": null,
  "createdDateTime": null,
  "deletedDateTime": null,
  "description": null,
  "disabledByMicrosoftStatus": null,
  "displayName": "Microsoft Azure CLI",
  "homepage": null,
  "id": "d164374b-2521-4e1a-b04d-dcb438233b9b",
  "info": {
    "logoUrl": null,
    "marketingUrl": null,
    "privacyStatementUrl": null,
    "supportUrl": null,
    "termsOfServiceUrl": null
  },
  "keyCredentials": [],
  "loginUrl": null,
  "logoutUrl": null,
  "notes": null,
  "notificationEmailAddresses": [],
  "oauth2PermissionScopes": [],
  "passwordCredentials": [],
  "preferredSingleSignOnMode": null,
  "preferredTokenSigningKeyThumbprint": null,
  "replyUrls": [
    "http://localhost",
    "urn:ietf:wg:oauth:2.0:oob",
    "https://login.microsoftonline.com/common/oauth2/nativeclient"
  ],
  "resourceSpecificApplicationPermissions": [],
  "samlSingleSignOnSettings": null,
  "servicePrincipalNames": [
    "04b07795-8ddb-461a-bbee-02f9e1bf7b46"
  ],
  "servicePrincipalType": "Application",
  "signInAudience": "AzureADandPersonalMicrosoftAccount",
  "tags": [
    "WindowsAzureActiveDirectoryIntegratedApp"
  ],
  "tokenEncryptionKeyId": null,
  "verifiedPublisher": {
    "addedDateTime": null,
    "displayName": null,
    "verifiedPublisherId": null
  }
}

But not in another tenant:

> az ad sp show --id 04b07795-8ddb-461a-bbee-02f9e1bf7b46
Resource '04b07795-8ddb-461a-bbee-02f9e1bf7b46' does not exist or one of its queried reference-property objects are not present.

I need to work with the Microsoft Entra team internally to understand why the API behaves like this and whether it is possible to add additional delegated permissions to first party applications.

Related: https://github.com/Azure/azure-cli/issues/22775

magnus-longva-bouvet commented 3 months ago

I have the same problem as OP, and I'm 99% sure I've been able to find the Microsoft Azure CLI application with appId 04b07795-8ddb-461a-bbee-02f9e1bf7b46 before, but not necessarily in my current tenant.

jamesw4 commented 3 months ago

Seeing same issue in one of our tenants - nowhere to be seen and I need to grant it additional graph permissions.

Thomas-Butterfield commented 6 days ago

> Seeing same issue in one of our tenants - nowhere to be seen and I need to grant it additional graph permissions.

The enterprise application was also missing in one of our tenants; by running the following command from a cloud shell I was able to force it to appear.

az ad sp create --id '04b07795-8ddb-461a-bbee-02f9e1bf7b46'
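The checks the thread walks through (decode the token, read its appid claim, then look for the matching service principal in the tenant) as an added Python example; this is not code from the azure-cli project. The sample token and the two `az ad sp show` outputs are constructed inline to mirror what the thread shows, so it runs offline; the app ID is the one quoted by jiasli above.

```python
import base64
import json

# Well-known app ID of the first-party "Microsoft Azure CLI" app (quoted in the thread).
AZURE_CLI_APP_ID = "04b07795-8ddb-461a-bbee-02f9e1bf7b46"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> dict:
    # Inspection only (what jwt.ms does): the signature is NOT verified, so never
    # use this to decide whether a token is trustworthy.
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def issued_to_azure_cli(token: str) -> bool:
    # True when the token's appid claim names the Azure CLI first-party app.
    return jwt_claims(token).get("appid") == AZURE_CLI_APP_ID


def sp_present(az_sp_show_output: str) -> bool:
    # Interpret `az ad sp show --id <appid>` output: a JSON object whose appId
    # matches means the service principal exists in the tenant; the "does not
    # exist" error means it is missing (the case `az ad sp create` fixes above).
    text = az_sp_show_output.strip()
    if text.startswith("{"):
        return json.loads(text).get("appId") == AZURE_CLI_APP_ID
    if "does not exist" in text:
        return False
    raise ValueError("unrecognised az output: " + text[:60])


def _unsigned_token(claims: dict) -> str:
    # Constructed sample data: an UNSIGNED JWT (alg=none), not a real Entra token.
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed sample token and az outputs mirroring what the thread shows.
SAMPLE_TOKEN = _unsigned_token({"appid": AZURE_CLI_APP_ID, "scp": "User.Read"})
SP_MISSING = ("Resource '04b07795-8ddb-461a-bbee-02f9e1bf7b46' does not exist or one "
              "of its queried reference-property objects are not present.")
SP_FOUND = json.dumps({"appId": AZURE_CLI_APP_ID, "displayName": "Microsoft Azure CLI"})
```

Feed `sp_present` the real output of `az ad sp show --id 04b07795-8ddb-461a-bbee-02f9e1bf7b46` to tell the two tenant states apart before deciding whether `az ad sp create` is needed.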