Azure-cli: optional claims through azure cli

Created on 10 Dec 2019 · 5 Comments · Source: Azure/azure-cli

I am trying to create an app registration through the CLI. I need AD to return the group information as roles. I am trying to get this done by setting the optional claims additionalProperties to 'emit_as_roles' in manifest.json, but this is not happening. It would have been nice if there were an option like 'az ad app create --display-name testapp --optional-claims manifest.json'.

I was wondering if these optionalClaims can be added to the app registration in any other way. Please help.

Graph

All 5 comments

@jiasli Please take a look

I'm trying to achieve almost the same thing using something like this:

az ad app update --id appId --add optionalClaims.idToken=[{"name":"email"},{"name":"family_name"},{"name":"given_name"}]

but I'm getting the following error back:

Couldn't find 'idToken' in 'optionalClaims'. 'optionalClaims' does not support further indexing.

Then I tried with --set instead of --add and the error changed to

The command failed with an unexpected error. Here is the traceback:

Unable to build a model: Cannot deserialize as [OptionalClaim] an object of type <class 'str'>, DeserializationError: Cannot deserialize as [OptionalClaim] an object of type <class 'str'>
Traceback (most recent call last):
  File "C:\Users\VSSADM~1\AppData\Local\Temp\pip-install-ygnynjtx\msrest\msrest\serialization.py", line 571, in body
  File "C:\Users\VSSADM~1\AppData\Local\Temp\pip-install-ygnynjtx\msrest\msrest\serialization.py", line 1258, in _deserialize
  File "C:\Users\VSSADM~1\AppData\Local\Temp\pip-install-ygnynjtx\msrest\msrest\serialization.py", line 1294, in _deserialize
  File "C:\Users\VSSADM~1\AppData\Local\Temp\pip-install-ygnynjtx\msrest\msrest\serialization.py", line 1447, in deserialize_data
  File "C:\Users\VSSADM~1\AppData\Local\Temp\pip-install-ygnynjtx\msrest\msrest\serialization.py", line 1476, in deserialize_iter
msrest.exceptions.DeserializationError: Cannot deserialize as [OptionalClaim] an object of type <class 'str'>

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "C:\Users\VSSADM~1\AppData\Local\Temp\pip-install-ygnynjtx\knack\knack\cli.py", line 206, in invoke
  File "C:\Users\VSSADM~1\AppData\Local\Temp\pip-install-ygnynjtx\azure-cli-core\azure\cli\core\commands\__init__.py", line 560, in execute
  File "C:\Users\VSSADM~1\AppData\Local\Temp\pip-install-ygnynjtx\azure-cli-core\azure\cli\core\commands\__init__.py", line 618, in _run_jobs_serially
  File "C:\Users\VSSADM~1\AppData\Local\Temp\pip-install-ygnynjtx\azure-cli-core\azure\cli\core\commands\__init__.py", line 609, in _run_job
  File "C:\Users\VSSADM~1\AppData\Local\Temp\pip-install-ygnynjtx\azure-cli-role\azure\cli\command_modules\role\commands.py", line 69, in graph_err_handler
  File "C:\Users\VSSADM~1\AppData\Local\Temp\pip-install-ygnynjtx\azure-cli-core\azure\cli\core\commands\__init__.py", line 588, in _run_job
  File "C:\Users\VSSADM~1\AppData\Local\Temp\pip-install-ygnynjtx\azure-cli-core\azure\cli\core\commands\__init__.py", line 297, in __call__
  File "C:\Users\VSSADM~1\AppData\Local\Temp\pip-install-ygnynjtx\azure-cli-core\azure\cli\core\commands\arm.py", line 553, in handler
  File "C:\Users\VSSADM~1\AppData\Local\Temp\pip-install-ygnynjtx\azure-cli-core\azure\cli\core\commands\__init__.py", line 403, in cached_put
  File "C:\Users\VSSADM~1\AppData\Local\Temp\pip-install-ygnynjtx\azure-cli-core\azure\cli\core\commands\__init__.py", line 398, in _put_operation
  File "C:\Users\VSSADM~1\AppData\Local\Temp\pip-install-ygnynjtx\azure-cli-role\azure\cli\command_modules\role\custom.py", line 962, in patch_application
  File "C:\Users\VSSADM~1\AppData\Local\Temp\pip-install-ygnynjtx\azure-graphrbac\azure\graphrbac\operations\applications_operations.py", line 321, in patch
  File "C:\Users\VSSADM~1\AppData\Local\Temp\pip-install-ygnynjtx\msrest\msrest\serialization.py", line 574, in body
  File "C:\Users\VSSADM~1\AppData\Local\Temp\pip-install-ygnynjtx\msrest\msrest\exceptions.py", line 51, in raise_with_traceback
  File "C:\Users\VSSADM~1\AppData\Local\Temp\pip-install-ygnynjtx\msrest\msrest\serialization.py", line 571, in body
  File "C:\Users\VSSADM~1\AppData\Local\Temp\pip-install-ygnynjtx\msrest\msrest\serialization.py", line 1258, in _deserialize
  File "C:\Users\VSSADM~1\AppData\Local\Temp\pip-install-ygnynjtx\msrest\msrest\serialization.py", line 1294, in _deserialize
  File "C:\Users\VSSADM~1\AppData\Local\Temp\pip-install-ygnynjtx\msrest\msrest\serialization.py", line 1447, in deserialize_data
  File "C:\Users\VSSADM~1\AppData\Local\Temp\pip-install-ygnynjtx\msrest\msrest\serialization.py", line 1476, in deserialize_iter
msrest.exceptions.SerializationError: Unable to build a model: Cannot deserialize as [OptionalClaim] an object of type <class 'str'>, DeserializationError: Cannot deserialize as [OptionalClaim] an object of type <class 'str'>

So I tried

az ad app update --id appId --set optionalClaims={"idToken":[{"name":"email"},{"name":"family_name"},{"name":"given_name"}]}

but got the same error as before.

Managing optionalClaims via Azure CLI would be great. We could then specify the additionalProperties for claims like groups to achieve what @mrajaian is asking.

I was able to achieve the same thing using the MS Graph explicitly, issuing a PATCH request on https://graph.microsoft.com/v1.0/applications/{appObjectId} with the following body:

{
   "optionalClaims":{
      "idToken":[{"name":"email"},{"name":"family_name"},{"name":"given_name"}],
      "accessToken":[{"name":"email"},{"name":"family_name"},{"name":"given_name"}]
   }
}

Please note that in the URI there is the Application Object Id, not the Client Id

Hi @mrajaian @fume, we support --optional-claims; you can upgrade to our latest version and run az ad app create -h or az ad app update -h to see how to use it. Please also note that, as a known issue of the Graph SDK, we currently only support idToken and accessToken for optional claims; samlToken is not supported at the moment.

BTW, you may also use az rest to call MS Graph API. See https://github.com/Azure/azure-cli/issues/12946.
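As an added example (not code from this issue or from the azure-cli project), the following script assembles the Graph PATCH body shown in the comment above, extends it with the groups claim marked emit_as_roles that the original poster wanted, and turns it into the az rest invocation the last comment suggests. It also covers the trap the comment warns about: the URL must carry the application object id, not the client id, so resolve_object_id maps whichever of the two the caller supplied to the object id using a list of applications as returned by Graph. The application list at the bottom is constructed sample data; the ids and display name in it are placeholders, and the az rest flags used (--method, --url, --headers, --body) are the documented ones.

```python
"""Build and (optionally) send the Graph PATCH that sets optionalClaims on an
app registration. Added example for the azure-cli issue thread; not project code."""
import copy
import json
import subprocess
import sys

GRAPH_APPLICATIONS = "https://graph.microsoft.com/v1.0/applications"

# Claim names used in the thread's PATCH body.
DEFAULT_CLAIMS = ["email", "family_name", "given_name"]


def optional_claim(name, additional_properties=None):
    """One optionalClaim object: {"name": ..., "additionalProperties": [...]}."""
    claim = {"name": name}
    if additional_properties:
        claim["additionalProperties"] = list(additional_properties)
    return claim


def build_optional_claims_body(claims=DEFAULT_CLAIMS, groups_as_roles=False):
    """PATCH body for /applications/{objectId}.

    Only idToken and accessToken are populated; samlToken is deliberately
    omitted because the thread notes the CLI's Graph SDK does not support it.
    With groups_as_roles=True the 'groups' claim is added with emit_as_roles,
    which is the setting the original poster was trying to apply from manifest.json.
    """
    entries = [optional_claim(name) for name in claims]
    if groups_as_roles:
        entries.append(optional_claim("groups", ["emit_as_roles"]))
    return {
        "optionalClaims": {
            "idToken": copy.deepcopy(entries),
            "accessToken": copy.deepcopy(entries),
        }
    }


def resolve_object_id(applications, supplied_id):
    """Return the object id to use in the PATCH URL.

    applications: items from GET /applications (each has 'id' = object id and
    'appId' = client id). Accepts either id from the caller; both are GUIDs, so
    the format alone cannot tell them apart. Returns None if nothing matches.
    """
    by_object_id = {app.get("id"): app for app in applications}
    if supplied_id in by_object_id:
        return supplied_id
    for app in applications:
        if app.get("appId") == supplied_id:
            return app["id"]  # caller passed the client id; map to object id
    return None


def az_rest_argv(object_id, body):
    """argv for `az rest` that issues the PATCH described in the thread."""
    return [
        "az", "rest",
        "--method", "patch",
        "--url", f"{GRAPH_APPLICATIONS}/{object_id}",
        "--headers", "Content-Type=application/json",
        "--body", json.dumps(body),
    ]


# Constructed sample of what GET /applications returns (placeholder ids).
SAMPLE_APPLICATIONS = [
    {"id": "00000000-0000-0000-0000-00000000000a",  # object id
     "appId": "00000000-0000-0000-0000-00000000000b",  # client id
     "displayName": "testapp"},
]


def main(argv):
    # Usage: python optional_claims.py <object-id-or-client-id> [--send]
    supplied = argv[1] if len(argv) > 1 else SAMPLE_APPLICATIONS[0]["appId"]
    object_id = resolve_object_id(SAMPLE_APPLICATIONS, supplied)
    if object_id is None:
        print(f"no application with id or appId {supplied}", file=sys.stderr)
        return 1
    body = build_optional_claims_body(groups_as_roles=True)
    cmd = az_rest_argv(object_id, body)
    print(" ".join(cmd))
    if "--send" in argv:  # only call az when explicitly asked
        return subprocess.run(cmd, check=False).returncode
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Without --send the script only prints the command, so it can be reviewed before anything is changed. After the PATCH, request a token for the application and confirm the expected claims are actually present: emit_as_roles makes group membership appear in the roles claim, so any authorization logic keyed on roles should be checked against the groups it will now receive.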
