MicrosoftDocs / azure-docs

Open source documentation of Microsoft Azure
https://docs.microsoft.com/azure
Creative Commons Attribution 4.0 International

Azure Spring Apps SSO pre-req az ad app update --reply-urls arg does not exist in CLI 2.42.0 #102889

Closed ezYakaEagle442 closed 11 months ago

ezYakaEagle442 commented 1 year ago

At https://learn.microsoft.com/en-us/azure/spring-apps/quickstart-configure-single-sign-on-enterprise#create-and-configure-an-application-registration-with-azure-active-directory, the doc states:

az ad app update \
    --id ${APPLICATION_ID} \
    --reply-urls "https://${GATEWAY_URL}/login/oauth2/code/sso" "https://${PORTAL_URL}/oauth2-redirect.html" "https://${PORTAL_URL}/login/oauth2/code/sso"

but this --reply-urls arg does not exist; I guess it should be --web-redirect-uris or --public-client-redirect-uris? I use CLI 2.42.0.

az ad app update --help
Command
    az ad app update : Update an application.

Arguments
    --id                [Required] : Identifier uri, application id, or object id.
    --display-name                 : The display name of the application.
    --identifier-uris              : Space-separated values. Also known as App ID URI, this value is
                                     set when an application is used as a resource app. The
                                     identifierUris acts as the prefix for the scopes you'll
                                     reference in your API's code, and it must be globally unique.
                                     You can use the default value provided, which is in the form
                                     api://<application-client-id>, or specify a more readable URI
                                     like https://contoso.com/api.
    --is-fallback-public-client    : Specifies the fallback application type as public client, such
                                     as an installed application running on a mobile device. The
                                     default value is false which means the fallback application
                                     type is confidential client such as a web app.  Allowed values:
                                     false, true.
    --sign-in-audience             : Specifies the Microsoft accounts that are supported for the
                                     current application.  Allowed values: AzureADMultipleOrgs,
                                     AzureADMyOrg, AzureADandPersonalMicrosoftAccount,
                                     PersonalMicrosoftAccount.

Generic Update Arguments
    --add                          : Add an object to a list of objects by specifying a path and key
                                     value pairs.  Example: --add property.listProperty <key=value,
                                     string or JSON string>.
    --force-string                 : When using 'set' or 'add', preserve string literals instead of
                                     attempting to convert to JSON.
    --remove                       : Remove a property or an element from a list.  Example: --remove
                                     property.list <indexToRemove> OR --remove propertyToRemove.
    --set                          : Update an object by specifying a property path and value to
                                     set.  Example: --set property1.property2=<value>.

JSON property Arguments
    --app-roles                    : The collection of roles assigned to the application. With app
                                     role assignments, these roles can be assigned to users, groups,
                                     or service principals associated with other applications.
                                     Should be JSON file path or in-line JSON string. See examples
                                     for details.
    --optional-claims              : Application developers can configure optional claims in their
                                     Azure AD applications to specify the claims that are sent to
                                     their application by the Microsoft security token service. For
                                     more information, see https://docs.microsoft.com/azure/active-
                                     directory/develop/active-directory-optional-claims. Should be
                                     JSON file path or in-line JSON string. See examples for
                                     details.
    --required-resource-accesses   : Specifies the resources that the application needs to access.
                                     This property also specifies the set of delegated permissions
                                     and application roles that it needs for each of those
                                     resources. This configuration of access to the required
                                     resources drives the consent experience. Should be JSON file
                                     path or in-line JSON string. See examples for details.

keyCredential Arguments
    --end-date                     : Date or datetime after which credentials expire (e.g.
                                     '2017-12-31T11:59:59+00:00' or '2017-12-31'). Default value is
                                     one year after current time.
    --key-display-name             : Friendly name for the key.
    --key-type                     : The type of the key credentials associated with the
                                     application.  Allowed values: AsymmetricX509Cert, Password,
                                     Symmetric.  Default: AsymmetricX509Cert.
    --key-usage                    : The usage of the key credentials associated with the
                                     application.  Allowed values: Sign, Verify.  Default: Verify.
    --key-value                    : The value for the key credentials associated with the
                                     application.
    --start-date                   : Date or datetime at which credentials become valid (e.g.
                                     '2017-01-01T01:00:00+00:00' or '2017-01-01'). Default value is
                                     current time.

publicClient Arguments
    --public-client-redirect-uris  : Space-separated values. Specifies the URLs where user tokens
                                     are sent for sign-in, or the redirect URIs where OAuth 2.0
                                     authorization codes and access tokens are sent.

web Arguments
    --enable-access-token-issuance : Specifies whether this web application can request an access
                                     token using the OAuth 2.0 implicit flow.  Allowed values:
                                     false, true.
    --enable-id-token-issuance     : Specifies whether this web application can request an ID token
                                     using the OAuth 2.0 implicit flow.  Allowed values: false,
                                     true.
    --web-home-page-url            : Home page or landing page of the application.
    --web-redirect-uris            : Space-separated values. Specifies the URLs where user tokens
                                     are sent for sign-in, or the redirect URIs where OAuth 2.0
                                     authorization codes and access tokens are sent.

Global Arguments
    --debug                        : Increase logging verbosity to show all debug logs.
    --help -h                      : Show this help message and exit.
    --only-show-errors             : Only show errors, suppressing warnings.
    --output -o                    : Output format.  Allowed values: json, jsonc, none, table, tsv,
                                     yaml, yamlc.  Default: json.
    --query                        : JMESPath query string. See http://jmespath.org/ for more
                                     information and examples.
    --verbose                      : Increase logging verbosity. Use --debug for full debug logs.

Examples
    update a native application with delegated permission of "access the AAD directory as the
    signed-in user"
        az ad app update --id e042ec79-34cd-498f-9d9f-123456781234 --required-resource-accesses
        @manifest.json
        ("manifest.json" contains the following content)
        [{
            "resourceAppId": "00000002-0000-0000-c000-000000000000",
            "resourceAccess": [
                {
                    "id": "a42657d6-7f20-40e3-b6f0-cee03008a62a",
                    "type": "Scope"
                }
           ]
        }]

    declare an application role
        az ad app update --id e042ec79-34cd-498f-9d9f-123456781234 --app-roles @manifest.json
        ("manifest.json" contains the following content)
        [{
            "allowedMemberTypes": [
              "User"
            ],
            "description": "Approvers can mark documents as approved",
            "displayName": "Approver",
            "isEnabled": "true",
            "value": "approver"
        }]

    update optional claims
        az ad app update --id e042ec79-34cd-498f-9d9f-123456781234 --optional-claims @manifest.json
        ("manifest.json" contains the following content)
        {
            "idToken": [
                {
                    "name": "auth_time",
                    "essential": false
                }
            ],
            "accessToken": [
                {
                    "name": "ipaddr",
                    "essential": false
                }
            ],
            "saml2Token": [
                {
                    "name": "upn",
                    "essential": false
                },
                {
                    "name": "extension_ab603c56068041afb2f6832e2a17e237_skypeId",
                    "source": "user",
                    "essential": false
                }
            ]
        }

    update an application's group membership claims to "All"
        az ad app update --id e042ec79-34cd-498f-9d9f-123456781234 --set groupMembershipClaims=All

To search AI knowledge base for examples, use: az find "az ad app update"


SaibabaBalapur-MSFT commented 1 year ago

@ezYakaEagle442 Thanks for bringing this to our attention. I'm going to assign this to the document author @KarlErickson so they can take a look at it accordingly.

ezYakaEagle442 commented 1 year ago

I need an update please @KarlErickson @seanli1988

seanli1988 commented 1 year ago

passing on to engineering owner in ASA team

yuwzho commented 1 year ago

@ezYakaEagle442 Please use --web-redirect-uris instead of --reply-urls when your CLI version is greater than 2.37.0. We will update the documentation accordingly.

ezYakaEagle442 commented 1 year ago

My GH Workflow fails with:

ERROR: Insufficient privileges to complete the operation.

Regarding this doc: https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference

What permissions are required to run az ad app update?

yuwzho commented 1 year ago

The documentation guides you to configure the AAD app from creation. If the AAD app was created by someone else, the creator should explicitly add the updater as an owner of the AAD app.

This command is used to check who owns this AAD app:

    az ad app owner list --id ${APPLICATION_ID} -o table

This command will help to add an owner to the AAD app:

    az ad app owner add --id ${APPLICATION_ID} --owner-object-id xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
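
Two points from this thread, the renamed redirect-URI flag (first comment) and the owner check just above, pulled together as a pre-flight script in POSIX sh. This is an added example; it is not from the azure-docs page or the Azure CLI project. It assumes 2.37.0 as the first release carrying --web-redirect-uris (the thread only says "greater than 2.37.0"), that `az version --query '"azure-cli"' -o tsv` prints the CLI version, and that `az ad app owner list --id APP --query '[].id' -o tsv` prints one owner object id per line. The function names (version_ge, redirect_flag, validate_redirect_uri, build_update_cmd, is_owner, cli_version) and the sample ids are mine. The URI validation refuses non-https and wildcard entries because every entry in that list is a location the identity provider will deliver authorization codes to.

```shell
#!/bin/sh
# Added example (not from azure-docs or the Azure CLI): pre-flight checks
# before running `az ad app update` for the Spring Apps SSO redirect URIs.

# version_ge A B: succeed when dotted version A >= B, compared numerically
# per component (so 2.9.0 sorts below 2.37.0, unlike a string compare).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            xi = (i <= n) ? x[i] + 0 : 0
            yi = (i <= m) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# redirect_flag VERSION: the thread says --reply-urls was replaced by
# --web-redirect-uris for CLI versions newer than 2.37.0; this assumes
# 2.37.0 itself already has the new flag.
redirect_flag() {
    if version_ge "$1" "2.37.0"; then
        printf '%s\n' "--web-redirect-uris"
    else
        printf '%s\n' "--reply-urls"
    fi
}

# validate_redirect_uri URI: accept only https URIs without wildcards or
# fragments. Each entry is a place the IdP will send an authorization code,
# so a loose entry weakens the whole SSO setup.
validate_redirect_uri() {
    case "$1" in
        https://*) ;;
        *) return 1 ;;
    esac
    case "$1" in
        *'*'* | *'#'*) return 1 ;;
    esac
    return 0
}

# build_update_cmd APP_ID VERSION URI...: print the az command line to run,
# refusing to build it if any redirect URI fails validation.
build_update_cmd() {
    app_id=$1
    ver=$2
    shift 2
    flag=$(redirect_flag "$ver")
    for u in "$@"; do
        if ! validate_redirect_uri "$u"; then
            printf 'rejected redirect URI: %s\n' "$u" >&2
            return 1
        fi
    done
    printf 'az ad app update --id %s %s' "$app_id" "$flag"
    for u in "$@"; do
        printf ' "%s"' "$u"
    done
    printf '\n'
}

# is_owner OBJECT_ID: read owner object ids from stdin, one per line (the
# shape assumed for `az ad app owner list --id APP --query '[].id' -o tsv`),
# and succeed when OBJECT_ID is among them. Updating an app you do not own,
# without a directory-level permission, is what yields the
# "Insufficient privileges" error discussed in this thread.
is_owner() {
    grep -qxF "$1"
}

# cli_version: the installed az version, or nothing when az is absent.
cli_version() {
    if command -v az >/dev/null 2>&1; then
        az version --query '"azure-cli"' -o tsv
    fi
}
```

Usage: after sourcing the file, `build_update_cmd "$APPLICATION_ID" "$(cli_version)" "https://${GATEWAY_URL}/login/oauth2/code/sso" ...` prints the command to review, and `az ad app owner list --id "$APPLICATION_ID" --query '[].id' -o tsv | is_owner "$MY_OBJECT_ID"` tells you before the run whether the update will be rejected for lack of ownership.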

ezYakaEagle442 commented 1 year ago

@yuwzho I tested and I still fail with the same error message. Looking at the AAD docs, even https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#directory-writers does not seem to be enough. I wonder if being Tenant Global Admin is the only way to run that az ad app update command?

ezYakaEagle442 commented 1 year ago

https://learn.microsoft.com/en-us/graph/permissions-reference#directory-permissions:

The Directory.ReadWrite.All permission grants the following privileges:

- Full read of all directory resources (both declared properties and navigation properties)
- Create and update users
- Disable and enable users (but not Company Administrator)
- Set user alternative security ID (but not administrators)
- Create and update groups
- Manage group memberships
- Update group owner
- Manage license assignments
- Define schema extensions on applications
- Manage directory settings
- Manage admin consent workflow configuration (but not whether admin consent is required or who is authorized to grant admin consent)

Note:

- No rights to reset user passwords.
- Updating another user's businessPhones, mobilePhone, or otherMails property is only allowed on users who are non-administrators or assigned one of the following roles: Directory Readers, Guest Inviter, Message Center Reader and Reports Reader. For more details, see Helpdesk (Password) Administrator in Azure AD available roles. This is the case for apps granted either the User.ReadWrite.All or Directory.ReadWrite.All delegated or application permissions.
- No rights to delete resources (including users or groups).
- Specifically excludes create or update for resources not listed above. This includes: application, oAuth2PermissionGrant, appRoleAssignment, device, servicePrincipal, organization, domains, and so on.

ezYakaEagle442 commented 1 year ago

It looks like the App running the GitHub Runner should have the Application.ReadWrite.All permission; this should be documented in the ASA docs.

https://learn.microsoft.com/en-us/graph/permissions-reference#directory-permissions Application.ReadWrite.All
Delegated bdfbf15f-ee85-4955-8675-146e8e5296b5 Application 1bfefb4e-e0b5-418b-a88f-73c46d2cc8e9
https://learn.microsoft.com/en-us/troubleshoot/azure/active-directory/verify-first-party-apps-sign-in#application-ids-of-commonly-used-microsoft-applications

az ad app permission add --api 00000003-0000-0000-c000-000000000000  --api-permissions bdfbf15f-ee85-4955-8675-146e8e5296b5=Scope --id $SPN_APP_ID
Invoking `az ad app permission grant --id <GUID of you $SPN_APP_ID 42424242424242424242442> --api 00000003-0000-0000-c000-000000000000 --scope`

az ad app permission grant --id ${SPN_APP_ID} --api 00000003-0000-0000-c000-000000000000 --scope --id ${SSO_APP_ID}
az ad app permission admin-consent --id ${SPN_APP_ID}

ezYakaEagle442 commented 1 year ago

I now hit

The remained resource quota(cpu: 0, memory: 0) is insufficient,please retry with smaller size of build resourceRequests, retry after the previous build process completed or increased your build agent pool size

yuwzho commented 1 year ago

It looks like the App running the GitHub Runner should have the Application.ReadWrite.All permission; this should be documented in the ASA docs.

https://learn.microsoft.com/en-us/graph/permissions-reference#directory-permissions Application.ReadWrite.All
Delegated bdfbf15f-ee85-4955-8675-146e8e5296b5 Application 1bfefb4e-e0b5-418b-a88f-73c46d2cc8e9
https://learn.microsoft.com/en-us/troubleshoot/azure/active-directory/verify-first-party-apps-sign-in#application-ids-of-commonly-used-microsoft-applications

az ad app permission add --api 00000003-0000-0000-c000-000000000000  --api-permissions bdfbf15f-ee85-4955-8675-146e8e5296b5=Scope --id $SPN_APP_ID
Invoking `az ad app permission grant --id <GUID of you $SPN_APP_ID 42424242424242424242442> --api 00000003-0000-0000-c000-000000000000 --scope`
az ad app permission grant --id ${SPN_APP_ID} --api 00000003-0000-0000-c000-000000000000 --scope --id ${SSO_APP_ID}
az ad app permission admin-consent --id ${SPN_APP_ID}

I am very happy to see you figured it out! We will note these in our documentation. For the resource quota issue in the build service, we are now working on an enhancement. It will support a larger build agent pool SKU. In addition, even when the agent pool is fully in use, you can still put some builds in a queue to wait for the former build to finish, unless there are too many builds waiting in the queue.

ezYakaEagle442 commented 1 year ago

Correction: I think the scope should be set to the SSO App ID.

az ad app permission grant --id ${GitHub_Runner_APP_ID} --api 00000003-0000-0000-c000-000000000000 --scope --id ${SSO_APPLICATION_CLIENT_ID}
az ad app permission admin-consent --id ${SPN_APP_ID}

To be tested and documented

ezYakaEagle442 commented 1 year ago

It still does not work.

yuwzho commented 1 year ago

@ezYakaEagle442 What is the current error message?

KarlErickson commented 11 months ago

The doc has been updated.

please-close