Azure-cli: How to grant extra permissions with az ad app update

Created on 29 Aug 2018 · 7 Comments · Source: Azure/azure-cli

First of all, is it possible to do this with this command? If yes, how to do that, e.g. if I want to grant Windows Active Directory -> Read Directory Data permission to a specific App? Thanks!



Graph-cli question

All 7 comments

Not a very smooth experience, but you can do it through az ad app update by providing the manifest artifacts.

Okay, I will expose az ad app permission add to make it simpler.
Please note, in the latest release, you will see "az ad app permission grant", which does the same thing as the grant permissions button in the portal. The new add command will default to grant unless you opt out with the flag of --no-grant.

that would be much better! Many thanks @yugangw-msft !

@yugangw-msft could you disclose which version of az cli will contain this feature? For now, it's not available yet in 2.0.49

The plan is to get it done for the upcoming release. When the change gets committed, this issue will be closed.

Hi @yugangw-msft, I have a couple of related questions: it looks like when running:

az ad app permission grant --id $appId --api 00000003-0000-0000-c000-000000000000

none of the permissions at scope and role level that I added to my app registration / service principal using the az ad app permission add command get granted. Looking at the documentation, it says that the scope defaults to user_impersonation. So I explicitly specified scopes:

az ad app permission grant \
--id $aksServerApplicationAppId \
--api 00000003-0000-0000-c000-000000000000 \
--scope User.Read,Directory.Read.All \
--expires never 1> /dev/null

and it worked. That said, this mechanism works for application permissions, but I have no idea how to grant delegated permissions. The documentation at https://docs.microsoft.com/en-us/cli/azure/ad/app/permission?view=azure-cli-latest#az-ad-app-permission-grant does not explain whether the command works for both delegated and application permissions or how to properly use the scope parameter.

In addition, above you said :

"The new add command will default to grant unless you opt out with the flag of --no-grant."

Is this feature already available? If yes, starting from which version? Thanks!

@paolosalvatori, PR was merged, please use az ad app permission admin-consent.
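
Added example, not part of the thread and not azure-cli code: a sketch of the manifest route mentioned in the first comment, building the requiredResourceAccess list and keeping delegated (Scope) entries apart from application (Role) entries. The function names are hypothetical, the starting manifest is constructed, and the two Microsoft Graph permission IDs should be confirmed against the Graph service principal in your tenant before use.

```python
import json

GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # Microsoft Graph, as in the thread

# Assumed well-known Microsoft Graph permission IDs; confirm them against the
# Graph service principal (oauth2PermissionScopes / appRoles) in your tenant.
USER_READ_DELEGATED = "e1fe6dd8-ba31-4d61-89e7-88639da4683d"
DIRECTORY_READ_ALL_APP = "7ab1d382-f21e-4acd-a863-ba3e13f7da61"


def add_permission(manifest, api_app_id, permission_id, kind):
    """Return a copy of requiredResourceAccess with one permission merged in.

    kind is "Scope" for a delegated permission or "Role" for an application
    permission. The merge is idempotent and leaves existing entries untouched.
    """
    if kind not in ("Scope", "Role"):
        raise ValueError("kind must be 'Scope' (delegated) or 'Role' (application)")
    merged = json.loads(json.dumps(manifest))  # deep copy, the input stays unchanged
    for resource in merged:
        if resource["resourceAppId"].lower() == api_app_id.lower():
            break
    else:  # no entry for this API yet
        resource = {"resourceAppId": api_app_id, "resourceAccess": []}
        merged.append(resource)
    entry = {"id": permission_id, "type": kind}
    if entry not in resource["resourceAccess"]:
        resource["resourceAccess"].append(entry)
    return merged


def application_permissions(manifest):
    """List (resourceAppId, id) pairs of type Role; these require admin consent."""
    return [(r["resourceAppId"], a["id"])
            for r in manifest for a in r["resourceAccess"] if a["type"] == "Role"]


if __name__ == "__main__":
    current = []  # constructed: an app registration with no API permissions yet
    wanted = add_permission(current, GRAPH_APP_ID, USER_READ_DELEGATED, "Scope")
    wanted = add_permission(wanted, GRAPH_APP_ID, DIRECTORY_READ_ALL_APP, "Role")
    # Save the output as manifest.json, then apply it with:
    #   az ad app update --id <appId> --required-resource-accesses @manifest.json
    print(json.dumps(wanted, indent=2))
```

Reviewing the output of application_permissions before applying the manifest shows exactly which entries will act without a signed-in user.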
