Is your feature request related to a problem? Please describe.
Based on the discussion here I understand it is not possible to have a service principal run the az ad app permission admin-consent CLI command. This is a major blocker to being able to fully automate AKS deployments that use Azure AD integration, as the apps you create for this need consent.
Describe the solution you'd like
Service Principals able to run the az ad app permission admin-consent command
Describe alternatives you've considered
The only current workaround is to run a deployment as a user, which is no good for automated CI/CD
Additional context
Agreed, this single limitation is stopping our automation of the advanced networking features in AKS cluster deployments through automated pipelines... it always has to have a human in the loop for just this one step.
Thank you for raising this feature request. We will look into it.
This is also blocking CI/CD for rolling out new Azure Functions w/ RBAC
I got the same problem automating AKS creation using Terraform
I've been making a huge push to begin leveraging AKS as the container platform of choice for my organization. Unfortunately, this issue is going to delay or possibly prevent the adoption of AKS entirely. We need to be able to have end-to-end automation for provisioning and configuring AKS. Can this issue be worked around in any way, such as making calls against the REST API?
We are unable to automate the AAD integration with our AKS cluster due to this limitation.
Same here. Blocks CI/CD for us with automatic nightly builds/tests
Duplicate of #12137
Granting Delegated Permission and Application Permission called by a Service Principal is not supported using Microsoft Graph API with az rest.
Please check https://github.com/Azure/azure-cli/issues/12137#issuecomment-596567479 for more information.
Want this feature too to automate using pipelines.
FYI it is now possible to grant consent through the REST API - see here.
@sam-cogan I saw this blog post and this is only for Delegated permissions. It was the application permissions I wanted to automate the grants for.
However, through that blog post, and a bit of spare time at the weekend, I was able to understand how the App Registration / Service Principals work.
With the new permissions of AppRoleAssignment.ReadWrite.All available, it is now possible to do AppRoles as well as Oauth2Permissions.
I have put together a GitHub project https://github.com/pmatthews05/CFAppOnlyGrantPermissions with the instructions in the readme.md file. I will get round to writing a blog post within the next week to explain the code.
Hi @pmatthews05,
> It was the application permissions I wanted to automate the grants for.
We do support granting Application Permissions with az rest. Please check my comment at https://github.com/Azure/azure-cli/issues/12137#issuecomment-596567479.
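The two Microsoft Graph calls this thread refers to (an app role assignment for application permissions, an OAuth2 permission grant for delegated permissions), sent with az rest, as an added example that is not code from the thread or the linked repository. The function names are hypothetical, the GUIDs are constructed placeholders, and a real run (DRY_RUN=0) assumes the signed-in service principal already holds the Graph permissions each call needs, such as AppRoleAssignment.ReadWrite.All for the first.

```shell
#!/usr/bin/env bash
# Added example: the two Microsoft Graph consent calls, sent with `az rest`.
# DRY_RUN=1 (default) prints the request instead of sending it.
GRAPH="https://graph.microsoft.com/v1.0"

is_guid() {
  printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$'
}

graph_post() {  # $1 = URL, $2 = JSON body
  if [ "${DRY_RUN:-1}" = "1" ]; then
    printf 'POST %s %s\n' "$1" "$2"
  else
    az rest --method POST --url "$1" \
      --headers "Content-Type=application/json" --body "$2"
  fi
}

# Application permission (app role).
# $1 = object id of the service principal receiving the role
# $2 = object id of the resource API's service principal
# $3 = id of the app role defined on that resource
grant_app_role() {
  for g in "$1" "$2" "$3"; do
    is_guid "$g" || { echo "not a GUID: $g" >&2; return 1; }
  done
  graph_post "$GRAPH/servicePrincipals/$1/appRoleAssignments" \
    "{\"principalId\":\"$1\",\"resourceId\":\"$2\",\"appRoleId\":\"$3\"}"
}

# Delegated permission, consented for all users in the tenant.
# $1 = client service principal object id, $2 = resource service principal
# object id, $3 = space-separated scope names
grant_delegated() {
  is_guid "$1" && is_guid "$2" || { echo "bad object id" >&2; return 1; }
  # Reject anything that could break out of the JSON string.
  printf '%s' "$3" | grep -Eq '^[A-Za-z0-9._ -]+$' \
    || { echo "bad scope list" >&2; return 1; }
  graph_post "$GRAPH/oauth2PermissionGrants" \
    "{\"clientId\":\"$1\",\"consentType\":\"AllPrincipals\",\"resourceId\":\"$2\",\"scope\":\"$3\"}"
}

# Constructed placeholder ids, for a dry run only.
if [ "${DRY_RUN:-1}" = "1" ]; then
  grant_app_role 11111111-1111-1111-1111-111111111111 \
    22222222-2222-2222-2222-222222222222 33333333-3333-3333-3333-333333333333
fi
```

A principal holding AppRoleAssignment.ReadWrite.All can assign any app role, including to itself, so the pipeline identity that runs this should be scoped and monitored as a highly privileged account.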