Azure-cli: Can't az ad app update --id $serverappid --set accessTokenAcceptedVersion=2

Created on 9 Nov 2019 · 12 Comments · Source: Azure/azure-cli

Hello,
When I run the command az ad app update --id $serverappid --set accessTokenAcceptedVersion=2
it fails stating "One or more property values are invalid."

The output from running the command az ad app show --id $serverappid is:

{
  "acceptMappedClaims": null,
  "addIns": [],
  "allowGuestsSignIn": null,
  "allowPassthroughUsers": null,
  "appId": "98770c41-eb00-4ddb-b1c2-078b79cd727d",
  "appLogoUrl": null,
  "appPermissions": null,
  "appRoles": [],
  "applicationTemplateId": null,
  "availableToOtherTenants": false,
  "deletionTimestamp": null,
  "displayName": "B2B-AccountRelayService",
  "errorUrl": null,
  "groupMembershipClaims": null,
  "homepage": null,
  "identifierUris": [
    "api://93bce824-0296-11ea-bddb-20c9d0498385"
  ],
  "informationalUrls": {
    "marketing": null,
    "privacy": null,
    "support": null,
    "termsOfService": null
  },
  "isDeviceOnlyAuthSupported": null,
  "keyCredentials": [],
  "knownClientApplications": [],
  "logo@odata.mediaEditLink": "directoryObjects/81520eef-e36e-4e60-ad93-9bd409ed6a12/Microsoft.DirectoryServices.Application/logo",
  "logoUrl": null,
  "logoutUrl": null,
  "mainLogo@odata.mediaEditLink": "directoryObjects/81520eef-e36e-4e60-ad93-9bd409ed6a12/Microsoft.DirectoryServices.Application/mainLogo",
  "oauth2AllowIdTokenImplicitFlow": true,
  "oauth2AllowImplicitFlow": true,
  "oauth2AllowUrlPathMatching": false,
  "oauth2Permissions": [
    {
      "adminConsentDescription": "Allow the application to access B2B-AccountRelayService on behalf of the signed-in user.",
      "adminConsentDisplayName": "Access B2B-AccountRelayService",
      "id": "f5b0fa3e-1682-43c3-8db3-569d85807494",
      "isEnabled": true,
      "type": "User",
      "userConsentDescription": "Allow the application to access B2B-AccountRelayService on your behalf.",
      "userConsentDisplayName": "Access B2B-AccountRelayService",
      "value": "user_impersonation"
    }
  ],
  "oauth2RequirePostResponse": false,
  "objectId": "81520eef-e36e-4e60-ad93-9bd409ed6a12",
  "objectType": "Application",
  "odata.metadata": "https://graph.windows.net/0c500671-6a7f-4ea1-8f5e-ca250da9563a/$metadata#directoryObjects/@Element",
  "odata.type": "Microsoft.DirectoryServices.Application",
  "optionalClaims": null,
  "orgRestrictions": [],
  "parentalControlSettings": {
    "countriesBlockedForMinors": [],
    "legalAgeGroupRule": "Allow"
  },
  "passwordCredentials": [],
  "preAuthorizedApplications": null,
  "publicClient": null,
  "publisherDomain": "<>",
  "recordConsentConditions": null,
  "replyUrls": [
    "http://localhost:30662"
  ],
  "requiredResourceAccess": [],
  "samlMetadataUrl": null,
  "signInAudience": "AzureADMyOrg",
  "tokenEncryptionKeyId": null,
  "wwwHomepage": null
}

Is there an issue tracking the "accessTokenAcceptedVersion" property's inclusion in the az ad app update --set command?



Most helpful comment

I did more research and it seems api.requestedAccessTokenVersion in MS Graph maps to accessTokenAcceptedVersion in AD Graph.

To get unblocked, do you mind using az rest directly on the MS Graph API Update application? Note that the {id} part should be the object ID of the application:

az rest --method PATCH --uri https://graph.microsoft.com/v1.0/applications/502912d6-eda3-4eb0-a3e1-5918dba268c3 --body '{"api":{"requestedAccessTokenVersion": 2}}'

All 12 comments

@jiasli please take a look.

Property accessTokenAcceptedVersion is not exposed in the AD Graph spec: https://github.com/Azure/azure-rest-api-specs/blob/master/specification/graphrbac/data-plane/Microsoft.GraphRbac/stable/1.6/graphrbac.json. That's why Azure CLI can't handle it.

I only saw it in https://docs.microsoft.com/en-us/azure/active-directory/develop/reference-app-manifest

Nor is it defined in MS Graph: https://docs.microsoft.com/en-us/graph/api/application-post-applications?view=graph-rest-1.0&tabs=http

We are internally working with the AAD team to expose this field.


Hi!
Is there any ETA? Without the AccessTokenAcceptedVersion property we can't automate Azure AD app registration. The Azure API Management automation problem is that the Azure AD app registration doesn't accept tokens in the version two format, which differs from the version one format, because the default accepted token format is version one.

I did more research and it seems api.requestedAccessTokenVersion in MS Graph maps to accessTokenAcceptedVersion in AD Graph.

To get unblocked, do you mind using az rest directly on the MS Graph API Update application? Note that the {id} part should be the object ID of the application:

az rest --method PATCH --uri https://graph.microsoft.com/v1.0/applications/502912d6-eda3-4eb0-a3e1-5918dba268c3 --body '{"api":{"requestedAccessTokenVersion": 2}}'
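A scripted form of the az rest workaround above, added here as an example and not code from the thread or the Azure CLI project: it resolves the application's object ID from its appId (the PATCH must be addressed by object ID, as noted), rejects any version value other than 1 or 2 before sending anything, sends the PATCH with the Content-Type header, and reads the field back to confirm the change. The function names, the $select read-back and the assumption that `az ad app show` still returns `objectId` (as the JSON in this issue does) are mine.

```shell
#!/usr/bin/env bash
# Added example: set api.requestedAccessTokenVersion on an app registration
# through MS Graph, since AD Graph 1.6 (and az ad app update) has no such field.
# Assumes an authenticated `az` session with rights to update the application.
set -eu

GRAPH_APPS="https://graph.microsoft.com/v1.0/applications"

# Build the PATCH body. Only 1 and 2 are meaningful token versions, so anything
# else is refused here rather than pushed to the directory.
patch_body() {
  local version="$1"
  case "$version" in
    1|2) printf '{"api":{"requestedAccessTokenVersion":%s}}' "$version" ;;
    *) echo "requestedAccessTokenVersion must be 1 or 2, got: $version" >&2; return 1 ;;
  esac
}

# MS Graph addresses applications by object ID, not by appId (client ID).
app_uri() {
  printf '%s/%s' "$GRAPH_APPS" "$1"
}

# Resolve appId -> objectId with the same command the issue already uses.
# (Assumption: the CLI build in use returns the AD Graph field name objectId.)
resolve_object_id() {
  az ad app show --id "$1" --query objectId -o tsv
}

set_token_version() {
  local app_id="$1" version="$2" object_id body
  object_id="$(resolve_object_id "$app_id")"
  body="$(patch_body "$version")"
  # A successful PATCH returns 204 No Content, so read the value back as the check.
  az rest --method PATCH --headers "Content-Type=application/json" \
    --uri "$(app_uri "$object_id")" --body "$body"
  az rest --method GET --uri "$(app_uri "$object_id")?\$select=api" \
    --query api.requestedAccessTokenVersion -o tsv
}

# Usage: ./set-token-version.sh <appId> <1|2>
if [ "${1-}" ] && [ "${2-}" ]; then
  set_token_version "$1" "$2"
fi
```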


Hi!
I tested the command az rest --method PATCH --headers "Content-Type=application/json" --uri https://graph.microsoft.com/v1.0/applications/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/ --body '{"api":{"requestedAccessTokenVersion": 2}}'. It works. Thanks

Pending for customer feedback.

Hi @KatjaBF, glad to know it works for you.

Please reopen this. I am not an admin in my AD tenant so the "az rest" directly on graph solution will not work for me. I need to be able to update accessTokenAcceptedVersion using "az ad app update".

@matthew-kirtley, if you don't have permission in MS Graph, you won't have permission in AD Graph either. Also, we have no plan to backport new features to AD Graph 1.6. Thanks for understanding.


Hi @jiasli. Not sure I understand. I'm able to perform, for example, "az ad app update --identifier-uris" without being an administrator so in theory shouldn't I also be able to update "accessTokenAcceptedVersion" if this was supported as an optional parameter?

accessTokenAcceptedVersion is not implemented in the current az ad app update command due to the lack of this field in AD Graph 1.6, which Azure CLI uses. If you use az rest, what is the error you are receiving? Could you share the --debug log?

Microsoft Graph permissions
Application.ReadWrite.OwnedBy
Manage apps that this app creates or owns.
Allows the calling app to create other applications and service principals, and fully manage those applications and service principals (read, update, update application secrets and delete), without a signed-in user. It cannot update any applications that it is not an owner of. Does not allow management of consent grants or application assignments to users or groups.

https://docs.microsoft.com/en-us/graph/permissions-reference
