[Feature Request] Support custom client ID #22775

Open
jiasli opened this issue Jun 8, 2022 · 11 comments

@jiasli
Member

jiasli commented Jun 8, 2022

Related command
az login

Is your feature request related to a problem? Please describe.
Currently, Azure CLI uses a fixed client ID to authenticate to AAD:

AZURE_CLI_CLIENT_ID = '04b07795-8ddb-461a-bbee-02f9e1bf7b46'

This client ID 04b07795-8ddb-461a-bbee-02f9e1bf7b46 is a First Party Application, registered in First Party Portal.

This application is only pre-authorized for a limited set of Microsoft Graph permissions. Using Azure CLI command az rest to call trustFrameworkKeySet API which requires TrustFrameworkKeySet.Read.All, TrustFrameworkKeySet.ReadWrite.All will fail (#22755).

Describe the solution you'd like
Support custom client ID, so that users can create their own app in their tenant, consent to that app and let Azure CLI use that app’s client ID:

az login --client-id

Describe alternatives you've considered
Apply for those permissions in First Party Portal to support these APIs.

@ghost ghost added Auto-Assign Auto assign by bot Account az login/account labels Jun 8, 2022
@ghost ghost assigned jiasli Jun 8, 2022
@ghost ghost added this to the Backlog milestone Jun 8, 2022
@ghost ghost added Graph az ad CXP Attention This issue is handled by CXP team. AAD labels Jun 8, 2022
@yonzhan
Collaborator

yonzhan commented Jun 8, 2022

Support custom client ID

@navba-MSFT navba-MSFT removed the CXP Attention This issue is handled by CXP team. label Jun 8, 2022
@navba-MSFT
Contributor

Removing CXP Attention label from this issue since this was created internally by SDK team

@jiasli
Member Author

jiasli commented Sep 16, 2022

We received a similar issue today that the user wants to use Azure CLI's client ID to call b2cIdentityUserFlows API which requires delegated permission IdentityUserFlow.Read.All, IdentityUserFlow.ReadWrite.All:

https://docs.microsoft.com/en-us/graph/api/identitycontainer-list-b2cuserflows?view=graph-rest-beta&tabs=csharp


but Azure CLI's Directory.AccessAsUser.All delegated permission is not sufficient. This causes failure:

AADSTS65002: Consent between first party application '04b07795-8ddb-461a-bbee-02f9e1bf7b46' and first party resource '00000003-0000-0000-c000-000000000000' must be configured via preauthorization - applications owned and operated by Microsoft must get approval from the API owner before requesting tokens for that API.

@jiasli
Member Author

jiasli commented Sep 16, 2022

Workaround: Use service principal instead of user login

  1. Create your own application and service principal
  2. Give the application Application Permission IdentityUserFlow.Read.All, IdentityUserFlow.ReadWrite.All
  3. Log in to Azure CLI with that service principal: https://docs.microsoft.com/en-us/cli/azure/authenticate-azure-cli#sign-in-with-a-service-principal

@kthejoker

What if a user doesn't have permission to create a service principal?

This exact same flow worked fine in October of 2022. A user could use a DeviceCodeCredential and then access the Databricks scope with their own tokens.

Now I have to create an SP?

@jiasli
Member Author

jiasli commented Feb 9, 2024

Azure CLI's first-party application 04b07795-8ddb-461a-bbee-02f9e1bf7b46 is currently registered with the following Microsoft Graph delegated permissions:

  • AuditLog.Read.All
  • Directory.AccessAsUser.All
  • Group.ReadWrite.All
  • User.ReadWrite.All
  • openid

This can be observed in the access token retrieved from

az account get-access-token --scope https://graph.microsoft.com/.default

The access token contains the following scp claim:

  "scp": "AuditLog.Read.All Directory.AccessAsUser.All email Group.ReadWrite.All openid profile User.ReadWrite.All",

@jiasli
Member Author

jiasli commented Feb 9, 2024

This exact same flow worked fine in October of 2022. A user could use a DeviceCodeCredential and then access the Databricks scope with their own tokens.

@kthejoker, there is no DeviceCodeCredential concept in Azure CLI. Are you referring to az login --use-device-code? If so, and you are seeing a failure, that indicates your tenant may now have a Conditional Access policy that blocks accessing the Databricks scope with Azure CLI's client ID and the device code flow.

Now I have to create an SP?

Yes.

What if a user doesn't have permission to create a service principal?

You need to work with your tenant admin to either

  • Unblock accessing Databricks scope with Azure CLI's client ID and device code flow
  • Create a service principal

@cveld

cveld commented Jun 11, 2024

Today I started a project to configure PIM using terraform with the azuread provider's resource azuread_group_role_management_policy. This requires RoleManagementPolicy.ReadWrite.AzureADGroup. I am not a great fan of your suggested workaround to introduce a service principal, as we work with secret-free service principals.
It seems either the required permission scopes are to be added to the first-party app registration, or the custom client ID should be introduced.

@cveld

cveld commented Jul 9, 2024

@jiasli is there any plan to extend the permission scopes on the first party app registration 04b07795-8ddb-461a-bbee-02f9e1bf7b46? Any reason why you are keeping this a limited range? In the meanwhile the msgraph cli app registration did get the additional scopes. Although that is what I am assuming as the msgraph cli is capable of user delegated access to PIM related operations.

@jiasli
Member Author

jiasli commented Oct 22, 2024

#30149 is another issue about Azure CLI's lack of PrivilegedAssignmentSchedule.ReadWrite.AzureADGroup or PrivilegedAssignmentSchedule.Remove.AzureADGroup delegated permission to call Create assignmentScheduleRequest API.

@jiasli
Member Author

jiasli commented Oct 22, 2024

I retrieved an access token from Graph Explorer and decoded it at https://jwt.ms/ by clicking the {} button:


The decoded claims contain:

  "app_displayname": "Graph Explorer",
  "appid": "de8bc8b5-d9f9-48b1-a8ad-b748da725064",

The scp claim is:

Calendars.ReadWrite
Contacts.ReadWrite
DeviceManagementApps.ReadWrite.All
DeviceManagementConfiguration.Read.All
DeviceManagementConfiguration.ReadWrite.All
DeviceManagementManagedDevices.PrivilegedOperations.All
DeviceManagementManagedDevices.Read.All
DeviceManagementManagedDevices.ReadWrite.All
DeviceManagementRBAC.Read.All
DeviceManagementRBAC.ReadWrite.All
DeviceManagementServiceConfig.Read.All
DeviceManagementServiceConfig.ReadWrite.All
Directory.AccessAsUser.All
Directory.ReadWrite.All
Files.ReadWrite.All
Group.ReadWrite.All
IdentityRiskEvent.Read.All
Mail.ReadWrite
MailboxSettings.ReadWrite
Notes.ReadWrite.All
openid
People.Read
Policy.Read.All
Presence.Read
Presence.Read.All
profile
Reports.Read.All
Sites.ReadWrite.All
Tasks.ReadWrite
User.Read
User.ReadBasic.All
User.ReadWrite
User.ReadWrite.All
email

Apparently, Graph Explorer's first party app has far more delegated permissions than Azure CLI.
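As an added example (not code from this issue, from Azure CLI or from Microsoft), the Python helper below does locally what the Feb 9, 2024 and Oct 22, 2024 comments do by hand: it decodes the payload of an access token, reads the space-separated scp claim (and the roles claim that application permissions land in when logging in as a service principal), and reports whether the token carries a permission a Graph API accepts. The sample token is constructed here with a dummy "alg: none" header and no signature, using the scp string and app ID quoted in the Feb 9, 2024 comment; the helper never verifies signatures and is meant only for diagnosing "which permissions did I actually get" before a call fails with AADSTS65002.

```python
import base64
import json

# App ID of the Azure CLI first-party application, as quoted in this issue.
AZURE_CLI_APP_ID = "04b07795-8ddb-461a-bbee-02f9e1bf7b46"

# Constructed sample claims (not a real token): the scp value mirrors the
# Feb 9, 2024 comment, the other claims are illustrative placeholders.
SAMPLE_CLAIMS = {
    "appid": AZURE_CLI_APP_ID,
    "app_displayname": "Microsoft Azure CLI",
    "aud": "https://graph.microsoft.com",
    "scp": "AuditLog.Read.All Directory.AccessAsUser.All email "
           "Group.ReadWrite.All openid profile User.ReadWrite.All",
}


def _b64url_decode(segment: str) -> bytes:
    """Decode one base64url JWT segment, restoring the padding JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_sample_token(claims: dict) -> str:
    """Build an unsigned JWT-shaped string for offline testing only."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def decode_claims(token: str) -> dict:
    """Return the payload claims of a JWT. No signature check is performed;
    this is a diagnostic view of what the token says, not proof it is valid."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def granted_permissions(claims: dict) -> set:
    """Delegated permissions (user login) are in the space-separated 'scp'
    claim; application permissions (service-principal login) are in 'roles'."""
    granted = set(claims.get("scp", "").split())
    granted.update(claims.get("roles", []))
    return granted


def missing_permissions(token: str, required) -> list:
    """Sorted list of the required permissions the token does not carry."""
    granted = granted_permissions(decode_claims(token))
    return sorted(p for p in required if p not in granted)


def can_call(token: str, acceptable) -> bool:
    """Graph docs list the permissions an API accepts from least to most
    privileged; any one of them is enough, so check for at least one."""
    granted = granted_permissions(decode_claims(token))
    return any(p in granted for p in acceptable)


def describe(token: str) -> dict:
    """Summary of who the token was issued to and what it can do."""
    claims = decode_claims(token)
    return {
        "appid": claims.get("appid"),
        "app_displayname": claims.get("app_displayname"),
        "permissions": sorted(granted_permissions(claims)),
    }


SAMPLE_TOKEN = make_sample_token(SAMPLE_CLAIMS)

if __name__ == "__main__":
    # Permissions the b2cIdentityUserFlows API needs, per the Sep 16, 2022 comment.
    needed = ["IdentityUserFlow.Read.All", "IdentityUserFlow.ReadWrite.All"]
    print(json.dumps(describe(SAMPLE_TOKEN), indent=2))
    print("can call b2cIdentityUserFlows:", can_call(SAMPLE_TOKEN, needed))
    print("missing:", missing_permissions(SAMPLE_TOKEN, needed))
```

To run this against a real token rather than the constructed sample, pass in the output of `az account get-access-token --scope https://graph.microsoft.com/.default --query accessToken -o tsv`; the result tells you, before the API call, whether the failure described in this issue will occur with the current client ID.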
