Azure / azure-cli

Azure Command-Line Interface
MIT License
4.03k stars 3.01k forks source link

Not able to create a valid ms-graph token from azure cli with right permissions #30149

Open irrelevant-123 opened 1 month ago

irrelevant-123 commented 1 month ago

I am already raised tickets to the ms-graph team but they pointed me to here.

I am trying to activate my eligible assignment for PIM for Groups:

https://learn.microsoft.com/en-us/graph/api/privilegedaccessgroup-post-assignmentschedulerequests?view=graph-rest-1.0&tabs=http#example-2-user-activates-their-eligible-assignment-for-pim-for-groups

If I log in into graph explorer ist no problem to activate my eligible assignment from there. Also it is working with HTTP from bash if i use the existing token at the graph explorer.

If I try to get a graph token from azure cli it seems to work with:

az account get-access-token --resource-type ms-graph

With this token i ve not the right permissions to do the activation:

Authorization failed due to missing permission scope PrivilegedAssignmentSchedule.ReadWrite.AzureADGroup,PrivilegedAccess.ReadWrite.AzureADGroup,PrivilegedAssignmentSchedule.Remove.AzureADGroup.

If i try to set the scope (ive tried a few formats) than i only get those errors:

az account get-access-token --resource-type ms-graph --scope https://graph.microsoft.com/.PrivilegedAssignmentSchedule.ReadWrite.AzureADGroup or az account get-access-token --resource-type ms-graph --scope .PrivilegedAssignmentSchedule.ReadWrite.AzureADGroup

Consent between first party application '04b07795-8ddb-461a-bbee-02f9e1bf7b46' and first party resource '00000003-0000-0000-c000-000000000000' must be configured via preauthorization - applications owned and operated by Microsoft must get approval from the API owner before requesting tokens for that API.

We are not able to find a way to edit permissions to app '04b07795-8ddb-461a-bbee-02f9e1bf7b46' which seems to be Azure-CLI.

yonzhan commented 1 month ago

Thank you for opening this issue, we will look into it.

jiasli commented 1 month ago

The API mentioned by https://learn.microsoft.com/en-us/graph/api/privilegedaccessgroup-post-assignmentschedulerequests?view=graph-rest-1.0&tabs=http#example-2-user-activates-their-eligible-assignment-for-pim-for-groups is Create assignmentScheduleRequest.

Calling this API requires PrivilegedAssignmentSchedule.ReadWrite.AzureADGroup or PrivilegedAssignmentSchedule.Remove.AzureADGroup delegated permission. However, as explained in https://github.com/Azure/azure-cli/issues/22775#issuecomment-1935450043, Azure CLI's first party application doesn't have these permissions.

I will discuss within the team.