Azure-docs: Azure AD Permissions

Created on 17 Jul 2019 · 9 Comments · Source: MicrosoftDocs/azure-docs

Under the Azure AD server component documentation, you are instructed to run this line:

az ad app permission add \
    --id $serverApplicationId \
    --api 00000003-0000-0000-c000-000000000000 \
    --api-permissions e1fe6dd8-ba31-4d61-89e7-88639da4683d=Scope 06da0dbc-49e2-44d2-8312-53f166ab848a=Scope 7ab1d382-f21e-4acd-a863-ba3e13f7da61=Role

There's no explanation for what the GUID following --api is (I later figured out that it's the Graph API via https://www.shawntabrizi.com/aad/common-microsoft-resources-azure-active-directory/), or what the GUIDs following --api-permissions are.

This introduces a lot of confusion around what permissions I'm requesting, and which API I'm requesting them for.
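The command quoted above mixes three kinds of opaque GUIDs: the resource API's appId after --api, and a permission id plus a =Scope (delegated) or =Role (application) suffix in each --api-permissions entry. As an added example (not part of this issue and not Azure CLI code), the Python below parses that command and resolves each permission id against the resource API's service principal manifest: =Scope ids must appear in the delegated-permission list, =Role ids in appRoles, and an id sitting in the other list is a suffix mismatch worth catching before anyone grants consent. The manifest embedded here is a constructed, trimmed stand-in for what `az ad sp show --id 00000003-0000-0000-c000-000000000000` returns for Microsoft Graph; the three id-to-name pairs are the ones I know Graph publishes (User.Read delegated, Directory.Read.All delegated, Directory.Read.All application), but confirm them against your own tenant's output rather than trusting the sample.

```python
"""Resolve the GUIDs in an `az ad app permission add` line to permission names.

Added example for the azure-docs issue; not Microsoft's code. Live data for a
tenant comes from `az ad sp show --id <resource appId>`; SP_MANIFEST below is a
constructed stand-in for that output, trimmed to the three ids in the docs.
"""
import shlex
from dataclasses import dataclass
from typing import List, Optional, Tuple

GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"

# The exact command quoted from the AKS documentation in this issue.
DOC_COMMAND = """az ad app permission add \\
    --id $serverApplicationId \\
    --api 00000003-0000-0000-c000-000000000000 \\
    --api-permissions e1fe6dd8-ba31-4d61-89e7-88639da4683d=Scope 06da0dbc-49e2-44d2-8312-53f166ab848a=Scope 7ab1d382-f21e-4acd-a863-ba3e13f7da61=Role"""

# Constructed sample shaped like `az ad sp show` output for Microsoft Graph.
# Older CLI builds (AAD Graph backend) list delegated permissions under
# `oauth2Permissions`; newer ones (Microsoft Graph backend) use
# `oauth2PermissionScopes`. resolve() accepts either key.
SP_MANIFEST = {
    "appId": GRAPH_APP_ID,
    "displayName": "Microsoft Graph",
    "oauth2Permissions": [
        {"id": "e1fe6dd8-ba31-4d61-89e7-88639da4683d", "value": "User.Read", "type": "User"},
        {"id": "06da0dbc-49e2-44d2-8312-53f166ab848a", "value": "Directory.Read.All", "type": "Admin"},
    ],
    "appRoles": [
        {"id": "7ab1d382-f21e-4acd-a863-ba3e13f7da61", "value": "Directory.Read.All",
         "allowedMemberTypes": ["Application"]},
    ],
}


@dataclass(frozen=True)
class ResolvedPermission:
    permission_id: str
    kind: str            # "Scope" = delegated permission, "Role" = application permission
    name: Optional[str]  # e.g. "User.Read"; None when the id is not found for that kind
    consent: str         # "User", "Admin", "Application" or "unknown"
    note: str = ""       # finding for the reviewer; empty when the entry is consistent


def parse_command(cmdline: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Return (api_app_id, [(permission_id, kind), ...]) from the az command line."""
    tokens = shlex.split(cmdline.replace("\\\n", " "))  # drop shell line continuations
    api: Optional[str] = None
    perms: List[Tuple[str, str]] = []
    i = 0
    while i < len(tokens):
        if tokens[i] == "--api" and i + 1 < len(tokens):
            api = tokens[i + 1].lower()
            i += 2
        elif tokens[i] == "--api-permissions":
            i += 1
            while i < len(tokens) and not tokens[i].startswith("--"):
                pid, sep, kind = tokens[i].partition("=")
                if not sep or kind not in ("Scope", "Role"):
                    raise ValueError(f"bad entry {tokens[i]!r}: expected <guid>=Scope|Role")
                perms.append((pid.lower(), kind))
                i += 1
        else:
            i += 1
    if api is None or not perms:
        raise ValueError("need --api and at least one --api-permissions entry")
    return api, perms


def resolve(api_app_id: str, perms, manifest=SP_MANIFEST) -> List[ResolvedPermission]:
    """Map each (id, kind) pair onto the resource API's published permissions."""
    if manifest["appId"].lower() != api_app_id:
        raise ValueError(f"manifest describes {manifest['appId']}, command targets {api_app_id}")
    delegated = manifest.get("oauth2PermissionScopes") or manifest.get("oauth2Permissions") or []
    scopes = {p["id"].lower(): p for p in delegated}
    roles = {r["id"].lower(): r for r in manifest.get("appRoles", [])}
    result: List[ResolvedPermission] = []
    for pid, kind in perms:
        if kind == "Scope" and pid in scopes:
            result.append(ResolvedPermission(pid, kind, scopes[pid]["value"],
                                             scopes[pid].get("type", "unknown")))
        elif kind == "Role" and pid in roles:
            result.append(ResolvedPermission(pid, kind, roles[pid]["value"], "Application"))
        else:
            # Either the id belongs to the other list (wrong suffix) or the API never published it.
            other = "appRoles" if pid in roles else ("delegated permissions" if pid in scopes else None)
            note = (f"id exists only in {other}; the =Scope/=Role suffix is wrong" if other
                    else "id not published by this API's service principal")
            result.append(ResolvedPermission(pid, kind, None, "unknown", note))
    return result


if __name__ == "__main__":
    api, perms = parse_command(DOC_COMMAND)
    for r in resolve(api, perms):
        print(f"{r.permission_id}  {r.kind:5}  {r.name or '?':20}  consent={r.consent}  {r.note}")
```

The consent column is the detail the docs leave out: a delegated permission of type Admin and any application role both need tenant-admin consent, which is why the page's later `admin-consent` step exists at all.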



All 9 comments

Thanks for the feedback! We are currently investigating and will update you shortly.

@bnookala That's fair feedback.

I will assign to the content author to review and see if we can make this section a bit more clear.

Any update on this? It has been two months?

When running from cloud shell it keeps failing, but works perfectly from azure cli
az ad app permission admin-consent --id $serverApplicationId
leonid@Azure:~$ az ad app permission admin-consent --id $serverApplicationId
The command failed with an unexpected error. Here is the traceback:

400 Client Error: Bad Request for url: http://localhost:50342/oauth2/token
Traceback (most recent call last):
  File "/opt/az/lib/python3.6/site-packages/knack/cli.py", line 206, in invoke
    cmd_result = self.invocation.execute(args)
  File "/opt/az/lib/python3.6/site-packages/azure/cli/core/commands/__init__.py", line 603, in execute
    raise ex
  File "/opt/az/lib/python3.6/site-packages/azure/cli/core/commands/__init__.py", line 661, in _run_jobs_serially
    results.append(self._run_job(expanded_arg, cmd_copy))
  File "/opt/az/lib/python3.6/site-packages/azure/cli/core/commands/__init__.py", line 652, in _run_job
    cmd_copy.exception_handler(ex)
  File "/opt/az/lib/python3.6/site-packages/azure/cli/command_modules/role/commands.py", line 69, in graph_err_handler
    raise ex
  File "/opt/az/lib/python3.6/site-packages/azure/cli/core/commands/__init__.py", line 631, in _run_job
    result = cmd_copy(params)
  File "/opt/az/lib/python3.6/site-packages/azure/cli/core/commands/__init__.py", line 305, in __call__
    return self.handler(*args, **kwargs)
  File "/opt/az/lib/python3.6/site-packages/azure/cli/core/__init__.py", line 485, in default_command_handler
    return op(**command_args)
  File "/opt/az/lib/python3.6/site-packages/azure/cli/command_modules/role/custom.py", line 893, in admin_consent
    send_raw_request(cmd.cli_ctx, 'post', url, resource='74658136-14ec-4630-ad9b-26e160ff0fc6')
  File "/opt/az/lib/python3.6/site-packages/azure/cli/core/util.py", line 563, in send_raw_request
    token_info, _, _ = profile.get_raw_token(resource)
  File "/opt/az/lib/python3.6/site-packages/azure/cli/core/_profile.py", line 600, in get_raw_token
    creds = self._get_token_from_cloud_shell(resource)
  File "/opt/az/lib/python3.6/site-packages/azure/cli/core/_profile.py", line 373, in _get_token_from_cloud_shell
    auth = MSIAuthentication(resource=resource)
  File "/opt/az/lib/python3.6/site-packages/msrestazure/azure_active_directory.py", line 592, in __init__
    self.set_token()
  File "/opt/az/lib/python3.6/site-packages/msrestazure/azure_active_directory.py", line 598, in set_token
    self.scheme, _, self.token = get_msi_token(self.resource, self.port, self.msi_conf)
  File "/opt/az/lib/python3.6/site-packages/msrestazure/azure_active_directory.py", line 486, in get_msi_token
    result.raise_for_status()
  File "/opt/az/lib/python3.6/site-packages/requests/models.py", line 940, in raise_for_status
    raise HTTPError(http_error_msg, response=self)
requests.exceptions.HTTPError: 400 Client Error: Bad Request for url: http://localhost:50342/oauth2/token

To open an issue, please run: 'az feedback'

@MicahMcKittrick-MSFT Is there an SLA on the content update? I ran this from the Azure CLI command window on my machine and it still failed:
az ad app permission grant --id $serverApplicationId --api 00000003-0000-0000-c000-000000000000

Operation failed with status: 'Not Found'. Details: 404 Client Error: Not Found for url: https://graph.windows.net/5d135798-0ae4-4f20-a663-a223e2cd1f4e/oauth2PermissionGrants?

@mlearned any update on this issue?

CC @MicrosoftDocs/aks-pm if anyone has any suggestions.

The error from lenvolk is expected; this command does not work in Cloud Shell. It's a Cloud Shell limitation.

The error from mgnashphani appears to be not finding the right client ID (the App is not created or replicated yet, or the ID in that variable is not correct). Could you please confirm by echoing the variable and/or trying again after a few minutes to check if the SP was not propagated on AAD yet?

Regarding the OP suggestion by bnookala, I agree that should be added to clarify what the IDs represent. @mlearned @zr-msft for additional clarification on the doc. Also feel free to add and propose PRs to the doc, we're happy to accept them :)

I just ran into this. Trying to run the command on an application ID I had created earlier, I got this error (NOT FROM THE CLOUD SHELL):
Invoking "az ad app permission grant --id 88a175a9-5171-4aca-902d-de075570b859 --api 00000003-0000-0000-c000-000000000000" is needed to make the change effective

Then when running the command I receive:
Operation failed with status: 'Forbidden'. Details: 403 Client Error: Forbidden for url: https://graph.windows.net/3aa12b4b-4e0f-4129-852f-e15120429ced/oauth2PermissionGrants?api-version=1.6

Thank you @bnookala for the feedback.

We've added a task to our backlog and will prioritize accordingly.

please-close
