Describe the bug
az app permission list --id <app id> does not work when app registration was created with azure cli.
Adding API Permissions manually in the portal and granting access makes az app permission work again.
To Reproduce
az ad app create --display-name test --homepage https://test --reply-urls https://test/auth --identifier-uris https://test
az app permission list --id <app id>
Expected behavior
az app permission list --id <app id> returns permission list.
Environment summary
macOS Mojave 10.14.3
PowerShell 6.0.2
azure-cli (2.0.55)
Python location '/usr/local/opt/python/bin/python3.7'
Extensions directory '/Users/alex/.azure/cliextensions'
Python (Darwin) 3.7.2 (default, Jan 21 2019, 16:56:28)
[Clang 10.0.0 (clang-1000.11.45.5)]
Additional context
Returned Error:
Operation failed with status: 'Not Found'. Details: 404 Client Error: Not Found for url: https://graph.windows.net/tenant id/oauth2PermissionGrants?$filter=clientId%20eq%20%27app ID%27&api-version=1.6
Creating an app registration in the portal then getting permissions via azure cli does work. Maybe because azure portal automatically grants User.Read permission.
It was just the bad error on the wire that should be caught and polished.
404 means the app doesn't have any permissions configured.
Just checked some additional scenarios:
1.
az ad app create --display-name test --homepage https://test --reply-urls https://test/auth --identifier-uris https://test
az ad app permission list --id APP_ID
=> No permissions configured -> 404
az ad app permission list --id APP_ID
=> Still 404
az ad app permission list --id APP_ID
=> successfully returns list of permissions
az ad app permission list --id APP_ID
=> successfully returns list of permissions
After initially granting permissions, everything works as expected. Regardless of permissions being granted or not, all permissions are listed. But initially, before granting any permission, permission list returns "no permissions" even though permissions are configured.
Shouldn't this be consistent? So either always only listing granted permissions or always listing all permissions?
Is there a way to query whether permissions are granted already or admin consent still needs to be granted?
With SDK to be updated through https://github.com/Azure/azure-rest-api-specs/pull/5181, the only issue left is how to query whether permissions are granted already or admin consent still needs to be granted. This will have to be resolved by contacting the AAD Graph team.
There is no support for querying whether permissions are granted already or admin consent still needs to be granted, but my latest PR should provide the equivalent of Grant admin consent through the Azure portal. I am going to close this issue, since there is nothing else the CLI can assist with further. With the upcoming release, the end-to-end support for permission grants should be addressed well.
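Added example, not part of the thread and not Azure CLI code: a client-side comparison of an app's configured delegated permissions against its oauth2PermissionGrants objects, to see which scopes still lack tenant-wide consent. The JSON field names (requiredResourceAccess, oauth2Permissions, resourceId, consentType, scope) are the directory object shapes this sketch assumes, the function name is hypothetical, and every id is constructed sample data.

```python
"""Added example: which configured delegated permissions still lack admin consent.

Assumed JSON shapes: application.requiredResourceAccess, the resource service
principal's oauth2Permissions, and oauth2PermissionGrants objects.
All GUIDs and object ids below are constructed sample values.
"""

RESOURCE_APP_ID = "11111111-1111-1111-1111-111111111111"  # constructed

# Configured permissions as stored on the app registration (constructed).
REQUIRED_RESOURCE_ACCESS = [{
    "resourceAppId": RESOURCE_APP_ID,
    "resourceAccess": [
        {"id": "aaaaaaaa-0000-0000-0000-000000000001", "type": "Scope"},
        {"id": "aaaaaaaa-0000-0000-0000-000000000002", "type": "Scope"},
        {"id": "aaaaaaaa-0000-0000-0000-000000000003", "type": "Role"},
    ],
}]

# Resource service principals keyed by appId; maps scope ids to names (constructed).
RESOURCE_SPS = {RESOURCE_APP_ID: {
    "objectId": "sp-resource-object-id",
    "oauth2Permissions": [
        {"id": "aaaaaaaa-0000-0000-0000-000000000001", "value": "User.Read"},
        {"id": "aaaaaaaa-0000-0000-0000-000000000002", "value": "Directory.Read.All"},
    ],
}}


def pending_admin_consent(required, resource_sps, grants):
    """Return {resourceAppId: [scope names configured but not consented tenant-wide]}."""
    grants = grants or []  # the thread's 404 case: treat "no grants returned" as empty
    pending = {}
    for entry in required:
        sp = resource_sps[entry["resourceAppId"]]
        names = {p["id"]: p["value"] for p in sp["oauth2Permissions"]}
        # Only delegated permissions ("Scope") are tracked by oauth2PermissionGrants.
        wanted = {names[a["id"]] for a in entry["resourceAccess"] if a["type"] == "Scope"}
        granted = set()
        for g in grants:
            if g["resourceId"] == sp["objectId"] and g["consentType"] == "AllPrincipals":
                granted.update(g["scope"].split())  # scope is a space-separated string
        if wanted - granted:
            pending[entry["resourceAppId"]] = sorted(wanted - granted)
    return pending


if __name__ == "__main__":
    print(pending_admin_consent(REQUIRED_RESOURCE_ACCESS, RESOURCE_SPS, None))
```

Application permissions (type "Role") are skipped here because they are not recorded as oauth2PermissionGrants.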