Azure-cli: az ad sp create-for-rbac fails

Created on 20 Sep 2018 · 15 Comments · Source: Azure/azure-cli

Describe the bug
Running the following:

az ad sp create-for-rbac

… results in the following error:

Url contains invalid URI Scheme paramName: WwwHomepage, paramValue: http://azure-cli-2018-09-19-23-01-58, objectType: Microsoft.Online.DirectoryServices.Application

To Reproduce
Using version 2.0.45 run az ad sp create-for-rbac.

Expected behavior
A service principal is created.

Environment summary
CLI version 2.0.45
Ubuntu 18.04 LTS Server (in an Azure VM)
Running in bash
Installed with apt.

All 15 comments

Seeing the same thing. Looks to me like an upstream change has made http:// an invalid home page URL scheme.

I have a local fix.

Same problem for me - both locally in WSL Ubuntu, and in the Azure Cloud Shell :/

Same thing here. Tested on WSL Azure (2.0.45) and Windows (2.0.32).

msrest.http_logger : b'{"odata.error":{"code":"Request_BadRequest","message":{"lang":"en","value":"Url contains invalid URI Scheme paramName: WwwHomepage, paramValue: http:\\/\\/azure-cli-2018-09-20-14-10-34, objectType: Microsoft.Online.DirectoryServices.Application"},"date":"2018-09-20T14:10:36","requestId":"98e81209-9b20-4c48-a57a-b702867b2ff1","values":[{"item":"PropertyName","value":"homepage"},{"item":"PropertyErrorCode","value":"UrlSchemeNotAllowed"}]}}'
msrest.exceptions : Url contains invalid URI Scheme paramName: WwwHomepage, paramValue: http://azure-cli-2018-09-20-14-10-34, objectType: Microsoft.Online.DirectoryServices.Application
Url contains invalid URI Scheme paramName: WwwHomepage, paramValue: http://azure-cli-2018-09-20-14-10-34, objectType: Microsoft.Online.DirectoryServices.Application

Same issue here on 2.0.44 and 2.0.45

Same issue here. It is blocking us from doing an important experiment.

Also the same issue.

Looks like only the MS tenant enforces it.
[EDIT] And the policy change was made yesterday. The CLI has a commit made to use https. The Docker image/dev build will be ready in about an hour.

The official release with the fix will be out in 2 weeks. For now, 2 options below. Please note, not all tenants enforce https, so the tenant of your personal subscription likely still works.

  1. use Docker: docker run -v ${HOME}:/root -it azuresdk/azure-cli-python:dev
  2. use the generic commands for now, e.g.
az ad app create --display-name "app123"  --end-date 2020-12-31 --identifier-uris "http://app123" --key-type password --password "verySecret"

(copy the appID from the result) 

az ad sp create --id <the appID>

(wait for a minute or so)

az role assignment create --assignee <the appID> --role contributor --scope /subscriptions/<your subscription id>

The workaround doesn't work

@pabowers, can you please share a bit more detail, like your scenario, error trace, etc.? create-for-rbac does support many other scenarios like certificates, Key Vault integration, etc. I can provide examples once I know your context.

We are using it to create the service principal, get the appId and passwords to then assign it to the Owner role with the command

az role assignment create --assignee {{ app_id }} --role Owner

Earlier today, the simple call to az ad sp create-for-rbac was failing. Now, we are able to get past that step, but now it is failing on the role assignment step.
It is saying that the principal does not exist on the tenant, but the guid that it shows does not exist is different from the appId that I am passing in.

Thanks for your help

There is a known service replication latency after you create the service principal, which is why I suggested you wait a couple of minutes before trying the role assignment creation, or just rerun the command. create-for-rbac does the retry, which mitigates the service defect.
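The app -> service principal -> role assignment workaround from the maintainer's comment above, scripted as an added example (not azure-cli project code and not any commenter's): it uses an https identifier URI instead of the rejected http:// one, polls for the service principal to become visible before assigning the role (the replication latency described here), and retries the assignment itself. It assumes a logged-in az and the APP_NAME, SUBSCRIPTION_ID and APP_SECRET variables supplied by the caller.

```shell
#!/usr/bin/env bash
# Added example, not azure-cli project code: the app -> sp -> role-assignment workaround
# from the thread, with an https identifier URI and a poll for directory replication.
# Assumes a logged-in `az`, and APP_NAME / SUBSCRIPTION_ID / APP_SECRET set by the caller.
set -eu

# retry_until MAX_TRIES SLEEP_SECS CMD...: run CMD until it succeeds or tries run out.
retry_until() {
  local max_tries=$1 sleep_secs=$2 attempt=0
  shift 2
  while [ "$attempt" -lt "$max_tries" ]; do
    attempt=$((attempt + 1))
    if "$@" >/dev/null 2>&1; then
      return 0
    fi
    [ "$attempt" -lt "$max_tries" ] && sleep "$sleep_secs"
  done
  return 1
}

# create_sp_workaround APP_NAME SUBSCRIPTION_ID SECRET: prints the new appId on success.
create_sp_workaround() {
  local app_name=$1 sub_id=$2 secret=$3 app_id
  # https scheme: the http:// homepage/identifier URI is what the tenant rejected
  # with UrlSchemeNotAllowed. The flags are those used in the maintainer's comment.
  app_id=$(az ad app create --display-name "$app_name" \
      --identifier-uris "https://$app_name" \
      --key-type password --password "$secret" \
      --query appId -o tsv)
  az ad sp create --id "$app_id" >/dev/null
  # Replication lag: poll until the SP is readable instead of sleeping blindly
  # (12 tries x 10 s = at most 2 minutes).
  retry_until 12 10 az ad sp show --id "$app_id" \
    || { echo "service principal $app_id not visible after 2 minutes" >&2; return 1; }
  # The assignment itself can still hit the lag, so it is retried as well.
  # Contributor scoped to one subscription, as in the maintainer's example, not Owner.
  retry_until 6 10 az role assignment create --assignee "$app_id" \
      --role Contributor --scope "/subscriptions/$sub_id" \
    || { echo "role assignment for $app_id failed" >&2; return 1; }
  echo "$app_id"
}

# Only run against a real tenant when explicitly asked; sourcing the file stays side-effect free.
if [ "${RUN_WORKAROUND:-0}" = "1" ]; then
  create_sp_workaround "${APP_NAME:?}" "${SUBSCRIPTION_ID:?}" "${APP_SECRET:?}"
fi
```

Run it with RUN_WORKAROUND=1 APP_NAME=... SUBSCRIPTION_ID=... APP_SECRET=... to execute against a tenant; the printed appId is what the later az role assignment / az login --service-principal steps need.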

Hi folks, I chatted with the AAD Graph team and confirmed that rejecting an http-based homepage URI is not correct service behavior, which means we likely experienced a transient server error. I tried several times just now and can't reproduce this error any more. So I would appreciate it if anyone here could also try again. If you see the same error, please share the verbose trace (using --debug) with me so I can open an internal support ticket right away. I can be reached at yugangw at microsoft dot com

I can't reproduce the error either.

Confirmed in WSL Azure (2.0.45) and Windows (2.0.32): cannot repro the issue!
az ad sp create-for-rbac --role="Contributor"

SP created.
