Describe the bug
az ad app update --set does not work as intended for the replyUrlsWithType property.
The error is as follows:
Property 'replyUrlsWithType' not found on root. Send it as an additional property .
A value without a type name was found and no expected type is available. When the model is specified, each value in the payload must have a type which can be either specified in the payload, explicitly by the caller or implicitly inferred from the parent value.
To Reproduce
$replyUrls = '[{\"url\":\"http://localhost:8081\",\"type\":\"Web\"},{\"url\":\"http://localhost:8181\",\"type\":\"Web\"},{\"url\":\"urn://test-public-client/\",\"type\":\"InstalledClient\"}]'
az ad app update --id $applicationID --set replyUrlsWithType="$replyUrls"
az ad app update --id $applicationID --set replyUrlsWithType="[]"
Steps 4 and 5 will throw the error mentioned in the description.
Expected behavior
I expect to be able to set the replyUrlsWithType property because I need to define a public client redirect reply URL.
Environment summary
Windows, Powershell, az CLI 2.0.65
It looks like the current public REST API (api-version=1.6) only supports replyUrls: https://github.com/Azure/azure-rest-api-specs/blob/e9b03021559994e2988fd977d465685795c2f70d/specification/graphrbac/data-plane/Microsoft.GraphRbac/stable/1.6/graphrbac.json#L2974, while Azure Portal is using api-version=2.0. We will improve this in CLI soon. Currently please use --reply-urls instead:
az ad app update --id "xxx" --reply-urls "xxx" "xxx"
or
az ad app update --id "xxx" --set replyUrls=[]
This is a very common scenario for any company that has a mobile app and needs a native reply URL to be set for each of their environments via their pipeline. I am surprised it's not part of the REST API already.
Is there no progress on this issue? In our product I have a PowerShell script that uses az during the install process to create a suitable app registration, but I can't add a public reply URL because of this issue. We need to include instructions for customers to go to the Portal and manually add that, which is not a good look.
Any update on this?
As MS Graph is now GA, you may use the Update application API directly with az rest to achieve the same effect as updating replyUrlsWithType.
The GUID part in the URL is the object ID of the application. You can retrieve it with application ID using
az ad app show --id 93dde3da-9fca-47dd-aee2-409b402ffed3 --query objectId
Get the application:
az rest --method GET --uri 'https://graph.microsoft.com/v1.0/applications/b4e4d2ab-e2cb-45d5-a31a-98eb3f364001'
Update redirectUris for the publicClient property:
# pwsh
az rest --method PATCH --uri 'https://graph.microsoft.com/v1.0/applications/b4e4d2ab-e2cb-45d5-a31a-98eb3f364001' --headers 'Content-Type=application/json' --body '{\"publicClient\":{\"redirectUris\":[\"https://myapp.com\"]}}'
# bash
az rest --method PATCH --uri 'https://graph.microsoft.com/v1.0/applications/b4e4d2ab-e2cb-45d5-a31a-98eb3f364001' --headers 'Content-Type=application/json' --body '{"publicClient":{"redirectUris":["https://myapp.com"]}}'
Update redirectUris for the web property:
# pwsh
az rest --method PATCH --uri 'https://graph.microsoft.com/v1.0/applications/b4e4d2ab-e2cb-45d5-a31a-98eb3f364001' --headers 'Content-Type=application/json' --body '{\"web\":{\"redirectUris\":[\"https://myapp.com\"]}}'
# bash
az rest --method PATCH --uri 'https://graph.microsoft.com/v1.0/applications/b4e4d2ab-e2cb-45d5-a31a-98eb3f364001' --headers 'Content-Type=application/json' --body '{"web":{"redirectUris":["https://myapp.com"]}}'
Thanks @jiasli, honestly I didn't notice the publicClient property on the application object, I was pretty sure it was a boolean, so thanks for pointing me to that. I was doing exactly the same thing for the web.redirectUris array, so shame on me!
Do you know if updating the publicClient.redirectUris array will reflect in the Azure Portal? I mean, will the public clients be divided in categories such as Android, iOS/macOS?
EDIT: answering my own question
Yes, the portal will recognize the iOS/macOS "platform" on its own, but won't detect the Android one, categorizing it under the generic "Mobile and Desktop applications".
In Cloud Shell, I generated a hash with:
$ echo "something" | openssl sha1 -binary | openssl base64
UKTpiDgMCdKQrNq0vVPSTue0l98=
Then add an Android app to the AAD app in Azure Portal with
Package name: com.myandroidapp
Signature hash: UKTpiDgMCdKQrNq0vVPSTue0l98=
Then add an iOS app to the AAD app in Azure Portal with
Bundle ID: com.myiosapp
Then retrieve the app using
> az rest --method GET --uri 'https://graph.microsoft.com/v1.0/applications/b4e4d2ab-e2cb-45d5-a31a-98eb3f364001'
"publicClient": {
"redirectUris": [
"msauth://com.myandroidapp/UKTpiDgMCdKQrNq0vVPSTue0l98%3D",
"msauth://code/msauth.com.myiosapp%3A%2F%2Fauth",
"msauth.com.myiosapp://auth"
]
},
So you may follow this pattern to add Android and iOS apps accordingly.
To add an Android app:
az rest --method PATCH --uri 'https://graph.microsoft.com/v1.0/applications/b4e4d2ab-e2cb-45d5-a31a-98eb3f364001' --headers 'Content-Type=application/json' --body '{"publicClient":{"redirectUris":["msauth://com.myandroidapp/UKTpiDgMCdKQrNq0vVPSTue0l98%3D"]}}'
To add an iOS app:
az rest --method PATCH --uri 'https://graph.microsoft.com/v1.0/applications/b4e4d2ab-e2cb-45d5-a31a-98eb3f364001' --headers 'Content-Type=application/json' --body '{"publicClient":{"redirectUris":["msauth://code/msauth.com.myiosapp%3A%2F%2Fauth","msauth.com.myiosapp://auth"]}}'
FYI, we will track all MS Graph issues in https://github.com/Azure/azure-cli/issues/12946.
@jiasli, I'm already adding iOS and Android apps that way, but I don't understand why, when you navigate to the app registration in the Azure Portal, you don't see the Android platform (like you do when you add an Android app directly from the portal).
Adding the same Android app (using the same package name and the same signature hash) I get two different results in the Azure Portal.
Using the cli (basically using the MS Graph):
Using the portal:
I would like to be sure that this won't alter the functionality of my app registration and that this is just a graphic "glitch". BTW, iOS/macOS redirectUris are recognized successfully. The manifest looks the same... so I don't really know how the portal is "recognizing" the different platforms.
Thanks a lot.
Ha, I got your point! I added it twice with both Azure Portal and CLI:
az rest --method PATCH --uri 'https://graph.microsoft.com/v1.0/applications/b4e4d2ab-e2cb-45d5-a31a-98eb3f364001' --headers 'Content-Type=application/json' --body '{"publicClient":{"redirectUris":["msauth://com.microsoft.fumer.android/2pmj9i4rSx0yEb%2fviWBYkE%2fZQrk%3d"]}}'
$ az rest --method GET --uri 'https://graph.microsoft.com/v1.0/applications/b4e4d2ab-e2cb-45d5-a31a-98eb3f364001'
"msauth://com.microsoft.fumer.android/2pmj9i4rSx0yEb%2FviWBYkE%2FZQrk%3D",
"msauth://com.microsoft.fumer.android/2pmj9i4rSx0yEb%2fviWBYkE%2fZQrk%3d"
I think the issue is caused by the URL-encoded sequences %2F, %3D. They should be capitalized, otherwise it makes Azure Portal confused.
You may use VS Code to encode a base64 string:
UKTpiDgMCdKQrNq0vVPSTue0l98=
UKTpiDgMCdKQrNq0vVPSTue0l98%3D
Then run
az rest --method PATCH --uri 'https://graph.microsoft.com/v1.0/applications/b4e4d2ab-e2cb-45d5-a31a-98eb3f364001' --headers 'Content-Type=application/json' --body '{"publicClient":{"redirectUris":["msauth://com.microsoft.fumer.android/UKTpiDgMCdKQrNq0vVPSTue0l98%3D"]}}'
Bingo!
Uppercase to the rescue :) thanks a lot!
(but that's weird!)
I agree, we will sync with MS Graph team on this.
For future reference, if anyone lands here searching for a similar thing:
I'm using a PowerShell script that internally uses the Azure CLI. When preparing the JSON body for MS Graph I was using the [System.Web.HttpUtility]::UrlEncode() method on the SignatureHash. For some reason, this encodes using lowercase letters. You can use the [Uri]::EscapeDataString() method to achieve the objective: uppercase encoded chars!
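As an added example (not code from this thread, from Azure CLI or from MS Graph), the following POSIX shell helpers tie together the two points made above: they build the msauth:// redirect URIs in the pattern jiasli showed for Android and iOS, percent-encode the base64 signature hash with uppercase hex digits as the portal requires, flag (and repair) entries whose escapes are lowercase, and assemble the JSON body for the az rest PATCH. The package name, bundle ID and signature hash in the comments are constructed sample values, and the az commands appear in comments only so the script runs offline.

```shell
#!/bin/sh
# Helpers for building publicClient.redirectUris entries for the MS Graph
# "Update application" PATCH. Added example, not part of the thread.

# Percent-encode a base64 string with uppercase hex escapes.
# Assumption: the input only uses the base64 alphabet, so encoding '%', '+',
# '/' and '=' is enough (these are the only characters outside the unreserved set).
b64_urlencode() {
  printf '%s\n' "$1" | sed -e 's/%/%25/g' -e 's/+/%2B/g' -e 's,/,%2F,g' -e 's/=/%3D/g'
}

# Android entry: msauth://<package name>/<urlencoded signature hash>
android_redirect_uri() {
  printf 'msauth://%s/%s\n' "$1" "$(b64_urlencode "$2")"
}

# iOS entries (two lines): the portal registers both forms for one bundle ID.
ios_redirect_uris() {
  printf 'msauth://code/msauth.%s%%3A%%2F%%2Fauth\n' "$1"
  printf 'msauth.%s://auth\n' "$1"
}

# Succeeds (exit 0) when the URI contains a percent-escape with a lowercase
# hex digit, the pattern that produced the duplicate entry in the portal.
has_lowercase_escape() {
  printf '%s\n' "$1" | grep -Eq '%([0-9A-Fa-f][a-f]|[a-f][0-9A-Fa-f])'
}

# Rewrite every lowercase percent-escape to uppercase, leaving the rest intact.
uppercase_escapes() {
  printf '%s\n' "$1" | awk '{
    # each iteration fixes one lowercase escape, so the loop terminates
    while (match($0, /%([0-9A-Fa-f][a-f]|[a-f][0-9A-Fa-f])/)) {
      $0 = substr($0, 1, RSTART) toupper(substr($0, RSTART + 1, 2)) substr($0, RSTART + 3)
    }
    print
  }'
}

# Build the PATCH body from the full list of URIs; refuses lowercase escapes
# rather than writing an entry the portal will not match to a platform.
patch_body() {
  list=""
  for uri in "$@"; do
    if has_lowercase_escape "$uri"; then
      printf 'refusing lowercase percent-escape in %s\n' "$uri" >&2
      return 1
    fi
    list="${list:+$list,}\"$uri\""
  done
  printf '{"publicClient":{"redirectUris":[%s]}}\n' "$list"
}

# Typical flow (constructed sample values; az commands not executed here).
# A PATCH of publicClient.redirectUris replaces the whole collection, so fetch
# the existing entries first and send them back together with the new ones:
#   APP_URI='https://graph.microsoft.com/v1.0/applications/<object id>'
#   existing=$(az rest --method GET --uri "$APP_URI" --query 'publicClient.redirectUris' -o tsv)
#   new=$(android_redirect_uri com.myandroidapp 'UKTpiDgMCdKQrNq0vVPSTue0l98=')
#   az rest --method PATCH --uri "$APP_URI" --headers 'Content-Type=application/json' \
#       --body "$(patch_body $existing "$new")"
```

The check in patch_body is the defensive piece: an entry such as msauth://.../...%2f...%3d is accepted by Graph but shows up in the portal as a second, unrecognized Android registration, so it is better to reject or normalize it with uppercase_escapes before the PATCH than to discover the duplicate afterwards.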