yonzhan
commented
8 months ago Thank you for opening this issue, we will look into it.
Open ppodgorsek opened 8 months ago
yonzhan
commented
8 months ago Thank you for opening this issue, we will look into it.
jiasli
commented
8 months ago Azure CLI is a First Party Application and its app ID is 04b07795-8ddb-461a-bbee-02f9e1bf7b46.
I am able to get its service principal in Microsoft tenant 72f988bf-86f1-41af-91ab-2d7cd011db47:
> az ad sp show --id 04b07795-8ddb-461a-bbee-02f9e1bf7b46
{
"@odata.context": "https://graph.microsoft.com/v1.0/$metadata#servicePrincipals/$entity",
"accountEnabled": true,
"addIns": [],
"alternativeNames": [],
"appDescription": null,
"appDisplayName": "Microsoft Azure CLI",
"appId": "04b07795-8ddb-461a-bbee-02f9e1bf7b46",
"appOwnerOrganizationId": "f8cdef31-a31e-4b4a-93e4-5f571e91255a",
"appRoleAssignmentRequired": false,
"appRoles": [],
"applicationTemplateId": null,
"createdDateTime": null,
"deletedDateTime": null,
"description": null,
"disabledByMicrosoftStatus": null,
"displayName": "Microsoft Azure CLI",
"homepage": null,
"id": "d164374b-2521-4e1a-b04d-dcb438233b9b",
"info": {
"logoUrl": null,
"marketingUrl": null,
"privacyStatementUrl": null,
"supportUrl": null,
"termsOfServiceUrl": null
},
"keyCredentials": [],
"loginUrl": null,
"logoutUrl": null,
"notes": null,
"notificationEmailAddresses": [],
"oauth2PermissionScopes": [],
"passwordCredentials": [],
"preferredSingleSignOnMode": null,
"preferredTokenSigningKeyThumbprint": null,
"replyUrls": [
"http://localhost",
"urn:ietf:wg:oauth:2.0:oob",
"https://login.microsoftonline.com/common/oauth2/nativeclient"
],
"resourceSpecificApplicationPermissions": [],
"samlSingleSignOnSettings": null,
"servicePrincipalNames": [
"04b07795-8ddb-461a-bbee-02f9e1bf7b46"
],
"servicePrincipalType": "Application",
"signInAudience": "AzureADandPersonalMicrosoftAccount",
"tags": [
"WindowsAzureActiveDirectoryIntegratedApp"
],
"tokenEncryptionKeyId": null,
"verifiedPublisher": {
"addedDateTime": null,
"displayName": null,
"verifiedPublisherId": null
}
}But not in another tenant:
> az ad sp show --id 04b07795-8ddb-461a-bbee-02f9e1bf7b46
Resource '04b07795-8ddb-461a-bbee-02f9e1bf7b46' does not exist or one of its queried reference-property objects are not present.I need to work with Microsoft Entra team internally to understand why the API behaves like this and whether it is possible to add additionally delegated permissions to first party applications.
magnus-longva-bouvet
commented
6 months ago I have the same problem as OP, and I'm 99% sure I've been able to find the Microsoft Azure CLI application with appId 04b07795-8ddb-461a-bbee-02f9e1bf7b46 before, but not necessarily in my current tenant.
jamesw4
commented
6 months ago Seeing same issue in one of our tenants - nowhere to be seen and I need to grant it additional graph permissions.
Thomas-Butterfield
commented
3 months ago Seeing same issue in one of our tenants - nowhere to be seen and I need to grant it additional graph permissions.
The enterprise application was also missing in one of our tenants; by running the following command from a cloud shell I was able to force it to appear.
az ad sp create --id '04b07795-8ddb-461a-bbee-02f9e1bf7b46'
ioxterminal
commented
2 months ago It seems that the enterprise application cannot be found, either through the portal, Microsoft Graph, or the deprecated AzureAD module.
Import-Module AzureAD
Connect-AzureAD
(Get-AzureADServicePrincipal -All $true) | Where-Object {$_.DisplayName -like "*CLI*"}
ObjectId AppId DisplayName
-------- ----- -----------
19fb6d6a-0953-4e59-826b-4ebac1c8133a 3bc2296e-aa22-4ed2-9e1e-946d05afa6a2 SharePoint Online Web Client Extensibility Isolated
2b027fbc-b813-47fc-b88b-c2fa164e45f8 981f26a1-7f43-403b-a875-f8b09b8cd720 Azure Multi-Factor Auth Client
63c2caae-86f8-43e6-9e4e-b3647d63a13a c2ada927-a9e2-4564-aae2-70775a2fa0af OCaaS Client Interaction Service
9c877073-a359-4396-b424-d1cf0408b096 0f698dd4-f011-4d23-a33e-b36416dcb1e6 OfficeClientService
bbde190f-2f8f-4399-9a33-cb8a6f1891cf 08e18876-6177-487e-b8b5-cf950c1e598c SharePoint Online Web Client Extensibility
Connect-MgGraph -Scopes "Directory.Read.All", "Application.Read.All"
Get-MgServicePrincipal -All -Property * | Where-Object {$_.Displayname -like "*CLI*"}
DisplayName Id AppId
----------- -- -----
SharePoint Online Web Client Extensibility Isolated 19fb6d6a-0953-4e59-826b-4ebac1c8133a 3bc2296e-aa22-4ed2-9e1e-946d0…
Azure Multi-Factor Auth Client 2b027fbc-b813-47fc-b88b-c2fa164e45f8 981f26a1-7f43-403b-a875-f8b09…
OCaaS Client Interaction Service 63c2caae-86f8-43e6-9e4e-b3647d63a13a c2ada927-a9e2-4564-aae2-70775…
OfficeClientService 9c877073-a359-4396-b424-d1cf0408b096 0f698dd4-f011-4d23-a33e-b3641…
SharePoint Online Web Client Extensibility bbde190f-2f8f-4399-9a33-cb8a6f1891cf 08e18876-6177-487e-b8b5-cf950…
Related command
Is your feature request related to a problem? Please describe.
I see a strange behaviour by following these steps:
az account get-access-token --output json --resource "https://graph.microsoft.com"appidclaim) for the Azure CLI that is present in the token cannot be found in Entra ID for that tenant (not in app registrations nor in entreprise apps)Describe the solution you'd like
From my understanding, the Azure CLI is an Entra ID app that relies on a standard approach to interact with exposed APIs on behalf of users.
Additional permissions cannot be granted via the Portal and this leads to problems with other Microsoft solutions, such as the Graph SDK using Azure CLI credentials. Such SDKs might need additional permissions (for example,
Mail.Sendfor the Graph API), however it doesn't seem the delegated permission can be granted to the Azure CLI.Is this just an issue with the Azure Portal, or is this scenario not possible at all?
Describe alternatives you've considered
A separate app registration can be created with delegated permissions, but this defeats the purpose of the Azure CLI credential.
Additional context
For ease of understanding and following the trail of thought, here is the associated issue in the Microsoft Graph SDK repo.