Describe the bug
Issuing the command az ad app permission admin-consent --id
msrestazure.azure_active_directory : MSI: Failed to retrieve a token from 'http://localhost:50342/oauth2/token' with an error of '400 Client Error: Bad Request for url: http://localhost:50342/oauth2/token'. This could be caused by the MSI extension not yet fully provisioned.
To Reproduce
You need to be Global Admin in AAD
Run the following command in bash cloudshell
# Create the server application with a random client secret
serverApplicationSecret="$(openssl rand -base64 30)"
serverApplicationId="$(az ad app create --display-name "Server" --identifier-uris "https://SomeTestServer" --query appId -o tsv)"
# Emit group membership claims in tokens issued for this app
az ad app update --id "$serverApplicationId" --set groupMembershipClaims=All
az ad sp create --id "$serverApplicationId"
az ad sp credential reset --name "$serverApplicationId" --password "$serverApplicationSecret" --credential-description "Password"
# Microsoft Graph (00000003-0000-0000-c000-000000000000): delegated User.Read and
# Directory.Read.All scopes plus the Directory.Read.All application role
az ad app permission add --id "$serverApplicationId" --api 00000003-0000-0000-c000-000000000000 --api-permissions e1fe6dd8-ba31-4d61-89e7-88639da4683d=Scope 06da0dbc-49e2-44d2-8312-53f166ab848a=Scope 7ab1d382-f21e-4acd-a863-ba3e13f7da61=Role
az ad app permission grant --id "$serverApplicationId" --api 00000003-0000-0000-c000-000000000000
# This last step is the one that fails in Cloud Shell
az ad app permission admin-consent --id "$serverApplicationId"
Expected behavior
Command should succeed; the exact same command works outside of Cloud Shell when logged in as the same user.
Environment summary
CloudShell bash az version 2.0.61
This is by design, because portal doesn't have the token for related AAD resources of https://main.iam.ad.ext.azure.com. Let me contact cloud shell team for the possibility to have this one ready.
Thanks. IMO we should fix this; having things like this not work in Cloud Shell is not a great experience. If we cannot fix it, then at the least we should produce an error message so the user knows what the issue is.
//CC: @jluk for the feasibility of having this token available. If not, CLI will emit an error.
@maertendMSFT @yugangw-msft
Is this issue expected to be fixed anytime soon? Or is there a workaround for granting Directory.Read.All to the SP?
@josh-sonrai
Workaround is to grant the permission in portal UI.
We will discuss within cloudshell team for this request.
Given the high level of permissions required and the low frequency with which these operations are performed, the Cloud Shell team is not going to support this scenario. We recommend that users run this on a local CLI experience.
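The thread's conclusion is that admin-consent only works from a user login, because the CLI needs a token for the portal endpoint main.iam.ad.ext.azure.com that it never holds under Cloud Shell/MSI or a service principal, and that the CLI should at least say so instead of "Bad Request". The following is an added example (not code from the issue or from the Azure CLI project) of a pre-flight wrapper that classifies the login context from `az account show` and refuses early with a clear message; it assumes MSI logins report `user.type` as `servicePrincipal` with a name such as `systemAssignedIdentity`.

```shell
#!/bin/sh
# Added example, not from the issue thread or the Azure CLI project.
# Pre-flight for `az ad app permission admin-consent`: the command calls the
# portal-only endpoint main.iam.ad.ext.azure.com, for which the CLI only has a
# token when a user is signed in interactively. Under Cloud Shell (MSI) or a
# service principal it fails with an opaque error, so check the context first.

# Classify a login context from the user.type / user.name fields of
# `az account show`. Assumption: MSI logins show type "servicePrincipal" with
# name "systemAssignedIdentity" or "userAssignedIdentity".
# Prints one of: user | msi | servicePrincipal | unknown
login_kind() {
    user_type="$1"
    user_name="$2"
    case "$user_type" in
        user) echo "user" ;;
        servicePrincipal)
            case "$user_name" in
                systemAssignedIdentity|userAssignedIdentity) echo "msi" ;;
                *) echo "servicePrincipal" ;;
            esac ;;
        *) echo "unknown" ;;
    esac
}

# Return 0 when admin consent can be attempted from this context, else 1
# with an actionable reason on stderr (what the thread asked the CLI to do).
consent_allowed() {
    kind=$(login_kind "$1" "$2")
    case "$kind" in
        user) return 0 ;;
        msi)
            echo "admin-consent is not supported under a managed identity" \
                 "(Cloud Shell); run it from a local CLI signed in as a" \
                 "Global Administrator." >&2
            return 1 ;;
        servicePrincipal)
            echo "admin-consent is not supported when signed in as a service" \
                 "principal; grant consent in the portal or from a user login." >&2
            return 1 ;;
        *)
            echo "cannot determine login type '$1'; refusing to run admin-consent." >&2
            return 1 ;;
    esac
}

# Map the raw failure text seen in this thread to a cause.
# Prints: msi-token | portal-rejected | other
classify_failure() {
    case "$1" in
        *"localhost:50342/oauth2/token"*) echo "msi-token" ;;
        *"Bad Request"*) echo "portal-rejected" ;;
        *) echo "other" ;;
    esac
}

# Wrapper: pre-flight, then run the real command and explain any failure.
# Only runs when an app id is passed on the command line.
admin_consent() {
    app_id="$1"
    acct=$(az account show --query '[user.type, user.name]' -o tsv) || return 1
    set -- $acct
    consent_allowed "$1" "$2" || return 1
    if ! err=$(az ad app permission admin-consent --id "$app_id" 2>&1); then
        echo "admin-consent failed ($(classify_failure "$err")):" >&2
        echo "$err" >&2
        return 1
    fi
}

if [ $# -gt 0 ]; then
    admin_consent "$1"
fi
```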
I started to experience exactly the same issue from local Azure CLI in a WSL\bash session on my machine. I'm a global administrator of the Azure AD tenant, but I still get the following error when running:
az ad app permission admin-consent --id $aksServerApplicationAppId --debug --verbose
It was working fine before, so I think you introduced a regression bug in a recent version of Azure CLI.
Here is the log produced by the command:
Command arguments: ['ad', 'app', 'permission', 'admin-consent', '--id', '09987941-58a8-4bf0-8bad-3a4a4eef17a0', '--debug', '--verbose']
attempting to read file /root/.azure/accessTokens.json as utf-8-sig
adal-python : c6a4c3b6-c453-4df4-899c-9d6b4f2ff475 - Authority:Performing instance discovery: ...
adal-python : c6a4c3b6-c453-4df4-899c-9d6b4f2ff475 - Authority:Performing static instance discovery
adal-python : c6a4c3b6-c453-4df4-899c-9d6b4f2ff475 - Authority:Authority validated via static instance discovery
adal-python : c6a4c3b6-c453-4df4-899c-9d6b4f2ff475 - TokenRequest:Getting token from cache with refresh if necessary.
adal-python : c6a4c3b6-c453-4df4-899c-9d6b4f2ff475 - CacheDriver:finding with query keys: {'_clientId': '...', 'userId': '...'}
adal-python : c6a4c3b6-c453-4df4-899c-9d6b4f2ff475 - CacheDriver:Looking for potential cache entries: {'_clientId': '...', 'userId': '...'}
adal-python : c6a4c3b6-c453-4df4-899c-9d6b4f2ff475 - CacheDriver:Found 14 potential entries.
adal-python : c6a4c3b6-c453-4df4-899c-9d6b4f2ff475 - CacheDriver:Resource specific token found.
adal-python : c6a4c3b6-c453-4df4-899c-9d6b4f2ff475 - CacheDriver:Returning token from cache lookup, AccessTokenId: b'/1FQomTIal2eW70tH0qxARFI5Gd/wseeeiWtJaDzems=', RefreshTokenId: b'0n1XVOlTG0A48+MvrCqKGpVTux+qneM5T/FBdnIMAaA='
msrest.http_logger : Request URL: 'https://graph.windows.net/769ea97c-d6f6-48f3-a452-7d6ef2e3c8cb/applications?$filter=identifierUris%2Fany%28s%3As%20eq%20%2709987941-58a8-4bf0-8bad-3a4a4eef17a0%27%29&api-version=1.6'
msrest.http_logger : Request method: 'GET'
msrest.http_logger : Request headers:
msrest.http_logger : 'Accept': 'application/json'
msrest.http_logger : 'accept-language': 'en-US'
msrest.http_logger : 'User-Agent': 'python/3.6.5 (Linux-4.4.0-18362-Microsoft-x86_64-with-debian-stretch-sid) msrest/0.6.6 msrest_azure/0.6.0 azure-graphrbac/0.60.0 Azure-SDK-For-Python AZURECLI/2.0.62'
msrest.http_logger : Request body:
msrest.http_logger : None
msrest.universal_http : Configuring redirects: allow=True, max=30
msrest.universal_http : Configuring request: timeout=100, verify=True, cert=None
msrest.universal_http : Configuring proxies: ''
msrest.universal_http : Evaluate proxies against ENV settings: True
urllib3.connectionpool : Starting new HTTPS connection (1): graph.windows.net:443
urllib3.connectionpool : https://graph.windows.net:443 "GET /769ea97c-d6f6-48f3-a452-7d6ef2e3c8cb/applications?$filter=identifierUris%2Fany%28s%3As%20eq%20%2709987941-58a8-4bf0-8bad-3a4a4eef17a0%27%29&api-version=1.6 HTTP/1.1" 200 121
msrest.http_logger : Response status: 200
msrest.http_logger : Response headers:
msrest.http_logger : 'Cache-Control': 'no-cache'
msrest.http_logger : 'Pragma': 'no-cache'
msrest.http_logger : 'Content-Type': 'application/json; odata=minimalmetadata; streaming=true; charset=utf-8'
msrest.http_logger : 'Expires': '-1'
msrest.http_logger : 'ocp-aad-diagnostics-server-name': 'gufVld34TPvxFz0+D5Vne/M2hMFOtE9I0Z1tpyyYzJo='
msrest.http_logger : 'request-id': '0d8f49cb-5458-4ba1-854a-c2c5b52f9d73'
msrest.http_logger : 'client-request-id': '48150a7c-87d6-11e9-931e-44850064eb13'
msrest.http_logger : 'x-ms-dirapi-data-contract-version': '1.6'
msrest.http_logger : 'ocp-aad-session-key': 'nxLlqdMFEXCVs0ghruNzg2P6UJABzAaoDo1ClZR5xWIninrZlP9Gt021i8Pmw85TLTKdKERToaEIAfVwsxeBagCocwmMvXKgl-oqa14Ee1HHUeGe4kB2E3mKeYr-igaKyx_xE2oHb4e6wgzp9flhlA.BcAgARAscFd6j8CYBY9aDDq8U1orOcLsYaNThK1kjjs'
msrest.http_logger : 'DataServiceVersion': '3.0;'
msrest.http_logger : 'Strict-Transport-Security': 'max-age=31536000; includeSubDomains'
msrest.http_logger : 'Access-Control-Allow-Origin': ''
msrest.http_logger : 'X-AspNet-Version': '4.0.30319'
msrest.http_logger : 'X-Powered-By': 'ASP.NET'
msrest.http_logger : 'Duration': '380375'
msrest.http_logger : 'Date': 'Wed, 05 Jun 2019 21:10:02 GMT'
msrest.http_logger : 'Content-Length': '121'
msrest.http_logger : Response content:
msrest.http_logger : {"odata.metadata":"https://graph.windows.net/769ea97c-d6f6-48f3-a452-7d6ef2e3c8cb/$metadata#directoryObjects","value":[]}
msrest.async_paging : Paging async iterator protocol is not available for ApplicationPaged
adal-python : 0982e0e0-b827-46f0-93a2-d1cb5d7bce9d - Authority:Performing instance discovery: ...
adal-python : 0982e0e0-b827-46f0-93a2-d1cb5d7bce9d - Authority:Performing static instance discovery
adal-python : 0982e0e0-b827-46f0-93a2-d1cb5d7bce9d - Authority:Authority validated via static instance discovery
adal-python : 0982e0e0-b827-46f0-93a2-d1cb5d7bce9d - TokenRequest:Getting token from cache with refresh if necessary.
adal-python : 0982e0e0-b827-46f0-93a2-d1cb5d7bce9d - CacheDriver:finding with query keys: {'_clientId': '...', 'userId': '...'}
adal-python : 0982e0e0-b827-46f0-93a2-d1cb5d7bce9d - CacheDriver:Looking for potential cache entries: {'_clientId': '...', 'userId': '...'}
adal-python : 0982e0e0-b827-46f0-93a2-d1cb5d7bce9d - CacheDriver:Found 14 potential entries.
adal-python : 0982e0e0-b827-46f0-93a2-d1cb5d7bce9d - CacheDriver:Resource specific token found.
adal-python : 0982e0e0-b827-46f0-93a2-d1cb5d7bce9d - CacheDriver:Returning token from cache lookup, AccessTokenId: b'/1FQomTIal2eW70tH0qxARFI5Gd/wseeeiWtJaDzems=', RefreshTokenId: b'0n1XVOlTG0A48+MvrCqKGpVTux+qneM5T/FBdnIMAaA='
msrest.http_logger : Request URL: 'https://graph.windows.net/769ea97c-d6f6-48f3-a452-7d6ef2e3c8cb/applications?$filter=appId%20eq%20%2709987941-58a8-4bf0-8bad-3a4a4eef17a0%27&api-version=1.6'
msrest.http_logger : Request method: 'GET'
msrest.http_logger : Request headers:
msrest.http_logger : 'Accept': 'application/json'
msrest.http_logger : 'accept-language': 'en-US'
msrest.http_logger : 'User-Agent': 'python/3.6.5 (Linux-4.4.0-18362-Microsoft-x86_64-with-debian-stretch-sid) msrest/0.6.6 msrest_azure/0.6.0 azure-graphrbac/0.60.0 Azure-SDK-For-Python AZURECLI/2.0.62'
msrest.http_logger : Request body:
msrest.http_logger : None
msrest.universal_http : Configuring redirects: allow=True, max=30
msrest.universal_http : Configuring request: timeout=100, verify=True, cert=None
msrest.universal_http : Configuring proxies: ''
msrest.universal_http : Evaluate proxies against ENV settings: True
urllib3.connectionpool : Starting new HTTPS connection (1): graph.windows.net:443
urllib3.connectionpool : https://graph.windows.net:443 "GET /769ea97c-d6f6-48f3-a452-7d6ef2e3c8cb/applications?$filter=appId%20eq%20%2709987941-58a8-4bf0-8bad-3a4a4eef17a0%27&api-version=1.6 HTTP/1.1" 200 2596
msrest.http_logger : Response status: 200
msrest.http_logger : Response headers:
msrest.http_logger : 'Cache-Control': 'no-cache'
msrest.http_logger : 'Pragma': 'no-cache'
msrest.http_logger : 'Content-Type': 'application/json; odata=minimalmetadata; streaming=true; charset=utf-8'
msrest.http_logger : 'Expires': '-1'
msrest.http_logger : 'ocp-aad-diagnostics-server-name': 'NbQQVYWBv5Gk6t5Wd/et+OeyEdbn9/+/KkWVa677TPU='
msrest.http_logger : 'request-id': 'd1b1aaa6-0302-4f04-bfd0-18cebdb5c10e'
msrest.http_logger : 'client-request-id': '48150a7c-87d6-11e9-931e-44850064eb13'
msrest.http_logger : 'x-ms-dirapi-data-contract-version': '1.6'
msrest.http_logger : 'ocp-aad-session-key': 'BwHVg1ghe-CARbULMP-9z2_rfsRAwJsRSw2HcFtLRCTcsZ2Z0e5vZKmF-n3V7tsQD5v-XEBAt2FZ8X2dwCqW1J4_8F2SCBVkmG3uucrWnKfDkOmiIxVm9mr_RCx5EHUtyB_FQ5Qk0cqa47e79Wyz9A.b0Ce-gBG1mFfF8rmePvS8VOzh1vnoGEEni46JQKis1s'
msrest.http_logger : 'DataServiceVersion': '3.0;'
msrest.http_logger : 'Strict-Transport-Security': 'max-age=31536000; includeSubDomains'
msrest.http_logger : 'Access-Control-Allow-Origin': ''
msrest.http_logger : 'X-AspNet-Version': '4.0.30319'
msrest.http_logger : 'X-Powered-By': 'ASP.NET'
msrest.http_logger : 'Duration': '391841'
msrest.http_logger : 'Date': 'Wed, 05 Jun 2019 21:10:02 GMT'
msrest.http_logger : 'Content-Length': '2596'
msrest.http_logger : Response content:
msrest.http_logger : {"odata.metadata":"https://graph.windows.net/769ea97c-d6f6-48f3-a452-7d6ef2e3c8cb/$metadata#directoryObjects","value":[{"odata.type":"Microsoft.DirectoryServices.Application","objectType":"Application","objectId":"9ac26b5a-5657-4a3f-ba20-e94bac376c7f","deletionTimestamp":null,"acceptMappedClaims":null,"addIns":[],"appId":"09987941-58a8-4bf0-8bad-3a4a4eef17a0","applicationTemplateId":null,"appRoles":[],"availableToOtherTenants":false,"displayName":"LeonardAksServerApplication","errorUrl":null,"groupMembershipClaims":"All","homepage":null,"identifierUris":["https://LeonardAksServerApplication.babo.onmicrosoft.com"],"informationalUrls":{"termsOfService":null,"support":null,"privacy":null,"marketing":null},"isDeviceOnlyAuthSupported":null,"keyCredentials":[],"knownClientApplications":[],"logoutUrl":null,"[email protected]":"directoryObjects/9ac26b5a-5657-4a3f-ba20-e94bac376c7f/Microsoft.DirectoryServices.Application/logo","logoUrl":null,"[email protected]":"directoryObjects/9ac26b5a-5657-4a3f-ba20-e94bac376c7f/Microsoft.DirectoryServices.Application/mainLogo","oauth2AllowIdTokenImplicitFlow":true,"oauth2AllowImplicitFlow":false,"oauth2AllowUrlPathMatching":false,"oauth2Permissions":[{"adminConsentDescription":"Allow the application to access LeonardAksServerApplication on behalf of the signed-in user.","adminConsentDisplayName":"Access LeonardAksServerApplication","id":"652acdae-ba6c-4498-a256-62325f84bfeb","isEnabled":true,"type":"User","userConsentDescription":"Allow the application to access LeonardAksServerApplication on your behalf.","userConsentDisplayName":"Access 
LeonardAksServerApplication","value":"user_impersonation"}],"oauth2RequirePostResponse":false,"optionalClaims":null,"orgRestrictions":[],"parentalControlSettings":{"countriesBlockedForMinors":[],"legalAgeGroupRule":"Allow"},"passwordCredentials":[{"customKeyIdentifier":"//5BAEsAUwBQAGEAcwBzAHcAbwByAGQA","endDate":"2020-06-05T21:09:54.814205Z","keyId":"e80233d3-309a-47b0-adf7-12aef2efa6f5","startDate":"2019-06-05T21:09:54.814205Z","value":null}],"publicClient":null,"publisherDomain":"babo.onmicrosoft.com","recordConsentConditions":null,"replyUrls":["https://LeonardAksServerApplication.babo.onmicrosoft.com"],"requiredResourceAccess":[{"resourceAppId":"00000003-0000-0000-c000-000000000000","resourceAccess":[{"id":"e1fe6dd8-ba31-4d61-89e7-88639da4683d","type":"Scope"},{"id":"06da0dbc-49e2-44d2-8312-53f166ab848a","type":"Scope"},{"id":"7ab1d382-f21e-4acd-a863-ba3e13f7da61","type":"Role"}]}],"samlMetadataUrl":null,"signInAudience":"AzureADMyOrg","tokenEncryptionKeyId":null}]}
adal-python : 28f89c8a-55ba-414a-95c5-b1b1efedc1cc - Authority:Performing instance discovery: ...
adal-python : 28f89c8a-55ba-414a-95c5-b1b1efedc1cc - Authority:Performing static instance discovery
adal-python : 28f89c8a-55ba-414a-95c5-b1b1efedc1cc - Authority:Authority validated via static instance discovery
adal-python : 28f89c8a-55ba-414a-95c5-b1b1efedc1cc - TokenRequest:Getting token from cache with refresh if necessary.
adal-python : 28f89c8a-55ba-414a-95c5-b1b1efedc1cc - CacheDriver:finding with query keys: {'_clientId': '...', 'userId': '...'}
adal-python : 28f89c8a-55ba-414a-95c5-b1b1efedc1cc - CacheDriver:Looking for potential cache entries: {'_clientId': '...', 'userId': '...'}
adal-python : 28f89c8a-55ba-414a-95c5-b1b1efedc1cc - CacheDriver:Found 14 potential entries.
adal-python : 28f89c8a-55ba-414a-95c5-b1b1efedc1cc - CacheDriver:Resource specific token found.
adal-python : 28f89c8a-55ba-414a-95c5-b1b1efedc1cc - CacheDriver:Returning token from cache lookup, AccessTokenId: b'/1FQomTIal2eW70tH0qxARFI5Gd/wseeeiWtJaDzems=', RefreshTokenId: b'0n1XVOlTG0A48+MvrCqKGpVTux+qneM5T/FBdnIMAaA='
msrest.http_logger : Request URL: 'https://graph.windows.net/769ea97c-d6f6-48f3-a452-7d6ef2e3c8cb/applications/9ac26b5a-5657-4a3f-ba20-e94bac376c7f?api-version=1.6'
msrest.http_logger : Request method: 'GET'
msrest.http_logger : Request headers:
msrest.http_logger : 'Accept': 'application/json'
msrest.http_logger : 'accept-language': 'en-US'
msrest.http_logger : 'User-Agent': 'python/3.6.5 (Linux-4.4.0-18362-Microsoft-x86_64-with-debian-stretch-sid) msrest/0.6.6 msrest_azure/0.6.0 azure-graphrbac/0.60.0 Azure-SDK-For-Python AZURECLI/2.0.62'
msrest.http_logger : Request body:
msrest.http_logger : None
msrest.universal_http : Configuring redirects: allow=True, max=30
msrest.universal_http : Configuring request: timeout=100, verify=True, cert=None
msrest.universal_http : Configuring proxies: ''
msrest.universal_http : Evaluate proxies against ENV settings: True
urllib3.connectionpool : Starting new HTTPS connection (1): graph.windows.net:443
urllib3.connectionpool : https://graph.windows.net:443 "GET /769ea97c-d6f6-48f3-a452-7d6ef2e3c8cb/applications/9ac26b5a-5657-4a3f-ba20-e94bac376c7f?api-version=1.6 HTTP/1.1" 200 2593
msrest.http_logger : Response status: 200
msrest.http_logger : Response headers:
msrest.http_logger : 'Cache-Control': 'no-cache'
msrest.http_logger : 'Pragma': 'no-cache'
msrest.http_logger : 'Content-Type': 'application/json; odata=minimalmetadata; streaming=true; charset=utf-8'
msrest.http_logger : 'Expires': '-1'
msrest.http_logger : 'ocp-aad-diagnostics-server-name': 'wWkc+s8RiEzYhqgyU5nm0K0RUFWoXWB/UrDt0vQszas='
msrest.http_logger : 'request-id': '50c23475-b51a-4cd5-8069-e8f33cfbcba9'
msrest.http_logger : 'client-request-id': '48150a7c-87d6-11e9-931e-44850064eb13'
msrest.http_logger : 'x-ms-dirapi-data-contract-version': '1.6'
msrest.http_logger : 'ocp-aad-session-key': '_nZCrorcIC5kpnC2uiX1f06hhjOS0uMQxWg3rIK_YYnEK9nrJ1lX7OGGn_Yepm9tS-8IFaXs-eJ7zQS72sAh2DuuKyx6EToNPQMTC5fT31zz8ImfNC5SBieBq698tQBzm5xSV6qcjEwpltdvgSEUJA.aosZvrckLTMfvxp34eL3Y6ZEmKsNP2bvWCNzfSXaons'
msrest.http_logger : 'DataServiceVersion': '3.0;'
msrest.http_logger : 'Strict-Transport-Security': 'max-age=31536000; includeSubDomains'
msrest.http_logger : 'Access-Control-Allow-Origin': '*'
msrest.http_logger : 'X-AspNet-Version': '4.0.30319'
msrest.http_logger : 'X-Powered-By': 'ASP.NET'
msrest.http_logger : 'Duration': '418715'
msrest.http_logger : 'Date': 'Wed, 05 Jun 2019 21:10:03 GMT'
msrest.http_logger : 'Content-Length': '2593'
msrest.http_logger : Response content:
msrest.http_logger : {"odata.metadata":"https://graph.windows.net/769ea97c-d6f6-48f3-a452-7d6ef2e3c8cb/$metadata#directoryObjects/@Element","odata.type":"Microsoft.DirectoryServices.Application","objectType":"Application","objectId":"9ac26b5a-5657-4a3f-ba20-e94bac376c7f","deletionTimestamp":null,"acceptMappedClaims":null,"addIns":[],"appId":"09987941-58a8-4bf0-8bad-3a4a4eef17a0","applicationTemplateId":null,"appRoles":[],"availableToOtherTenants":false,"displayName":"LeonardAksServerApplication","errorUrl":null,"groupMembershipClaims":"All","homepage":null,"identifierUris":["https://LeonardAksServerApplication.babo.onmicrosoft.com"],"informationalUrls":{"termsOfService":null,"support":null,"privacy":null,"marketing":null},"isDeviceOnlyAuthSupported":null,"keyCredentials":[],"knownClientApplications":[],"logoutUrl":null,"[email protected]":"directoryObjects/9ac26b5a-5657-4a3f-ba20-e94bac376c7f/Microsoft.DirectoryServices.Application/logo","logoUrl":null,"[email protected]":"directoryObjects/9ac26b5a-5657-4a3f-ba20-e94bac376c7f/Microsoft.DirectoryServices.Application/mainLogo","oauth2AllowIdTokenImplicitFlow":true,"oauth2AllowImplicitFlow":false,"oauth2AllowUrlPathMatching":false,"oauth2Permissions":[{"adminConsentDescription":"Allow the application to access LeonardAksServerApplication on behalf of the signed-in user.","adminConsentDisplayName":"Access LeonardAksServerApplication","id":"652acdae-ba6c-4498-a256-62325f84bfeb","isEnabled":true,"type":"User","userConsentDescription":"Allow the application to access LeonardAksServerApplication on your behalf.","userConsentDisplayName":"Access 
LeonardAksServerApplication","value":"user_impersonation"}],"oauth2RequirePostResponse":false,"optionalClaims":null,"orgRestrictions":[],"parentalControlSettings":{"countriesBlockedForMinors":[],"legalAgeGroupRule":"Allow"},"passwordCredentials":[{"customKeyIdentifier":"//5BAEsAUwBQAGEAcwBzAHcAbwByAGQA","endDate":"2020-06-05T21:09:54.814205Z","keyId":"e80233d3-309a-47b0-adf7-12aef2efa6f5","startDate":"2019-06-05T21:09:54.814205Z","value":null}],"publicClient":null,"publisherDomain":"babo.onmicrosoft.com","recordConsentConditions":null,"replyUrls":["https://LeonardAksServerApplication.babo.onmicrosoft.com"],"requiredResourceAccess":[{"resourceAppId":"00000003-0000-0000-c000-000000000000","resourceAccess":[{"id":"e1fe6dd8-ba31-4d61-89e7-88639da4683d","type":"Scope"},{"id":"06da0dbc-49e2-44d2-8312-53f166ab848a","type":"Scope"},{"id":"7ab1d382-f21e-4acd-a863-ba3e13f7da61","type":"Role"}]}],"samlMetadataUrl":null,"signInAudience":"AzureADMyOrg","tokenEncryptionKeyId":null}
Current cloud config:
AzureCloud
adal-python : 1ef94e01-2769-4103-b882-d5f7fee54ba9 - Authority:Performing instance discovery: ...
adal-python : 1ef94e01-2769-4103-b882-d5f7fee54ba9 - Authority:Performing static instance discovery
adal-python : 1ef94e01-2769-4103-b882-d5f7fee54ba9 - Authority:Authority validated via static instance discovery
adal-python : 1ef94e01-2769-4103-b882-d5f7fee54ba9 - TokenRequest:Getting token from cache with refresh if necessary.
adal-python : 1ef94e01-2769-4103-b882-d5f7fee54ba9 - CacheDriver:finding with query keys: {'_clientId': '...', 'userId': '...'}
adal-python : 1ef94e01-2769-4103-b882-d5f7fee54ba9 - CacheDriver:Looking for potential cache entries: {'_clientId': '...', 'userId': '...'}
adal-python : 1ef94e01-2769-4103-b882-d5f7fee54ba9 - CacheDriver:Found 14 potential entries.
adal-python : 1ef94e01-2769-4103-b882-d5f7fee54ba9 - CacheDriver:Resource specific token found.
adal-python : 1ef94e01-2769-4103-b882-d5f7fee54ba9 - CacheDriver:Returning token from cache lookup, AccessTokenId: b'ERXXrDi5W9oU0LL4AVylB7x7T/+1ej4QjekkLIyHCmY=', RefreshTokenId: b'0n1XVOlTG0A48+MvrCqKGpVTux+qneM5T/FBdnIMAaA='
urllib3.connectionpool : Starting new HTTPS connection (1): main.iam.ad.ext.azure.com:443
urllib3.connectionpool : https://main.iam.ad.ext.azure.com:443 "POST /api/RegisteredApplications/09987941-58a8-4bf0-8bad-3a4a4eef17a0/Consent?onBehalfOfAll=true HTTP/1.1" 400 1423
cli.azure.cli.core.util : Bad Request
Bad Request
az_command_data_logger : exit code: 1
telemetry.save : Save telemetry record of length 2521 in cache
telemetry.check : Negative: The /root/.azure/telemetry.txt was modified at 2019-06-05 23:08:51.437353, which in less than 600.000000 s
command ran in 2.379 seconds.
I have the same issue when using a Service Principal to run az ad app permission admin-consent --id $serverApplicationId on an Azure VM. The Service Principal has all AAD and Graph Application and Delegated Permissions and it still returns an error:
az : ERROR: Bad Request
At line:1 char:1
What's missing?
Are you the admin in the tenant, which has the privilege to consent to the permission required by the service principal?
@yugangw-msft I am the Global Administrator of the tenant.
Can you please capture the trace and send it to me at yugangw at microsoft dot com?
Info sent, thanks!
Per our offline mail thread, this error is caused by invoking this command under a service principal, which is not supported by design.
Strange. I am deploying a number of applications per day using Azure DevOps; the Azure DevOps service principal has rights to perform the necessary registrations and can do almost everything, except this. Maybe we can automate this via ARM deployment? Do you have any plans to support app registration manifests in ARM deployment style? We could solve the app registration challenge then... Automation is not complete right now. For each QA test I need to go to the portal and click the button. It sounds stupid to ask my team to automate this via Selenium.
The online documentation for this command makes no mention of the MSI requirement. Automation is hindered by this MSI requirement.
https://docs.microsoft.com/en-us/cli/azure/ad/app/permission?view=azure-cli-latest (accessed 8/7/2019)
This hindrance is affecting my organization's use of AKS. We need to be able to automate cluster deployment from Azure DevOps.
@yugangw-msft can this issue please be re-opened or documented appropriately? We don't understand why we can't do this through a service principal which is assigned the global administrator role and whose access is appropriately restricted.
CC @jiasli the new owner of CLI/Graph support
move to S166.
@haroldrandom, can we remove the Cloud Shell tag, as this has been found outside of Cloud Shell per the comments above?
done. Added _Graph_ label. Correct me if wrong.
Please check https://github.com/Azure/azure-cli/issues/12137 and see if you can get unblocked.
Please refer to the detailed description in #12137. Closing this first; if you have other problems, please reopen it or submit a new one. Thanks.