
Azure CLI app cannot be found in app registrations nor enterprise apps #28628

Open

ppodgorsek opened this issue Mar 25, 2024 · 6 comments

Labels: ARM (az resource/group/lock/tag/deployment/policy/managementapp/account management-group), Auto-Assign (Auto assign by bot), Azure CLI Team (The command of the issue is owned by Azure CLI team), customer-reported (Issues that are reported by GitHub users external to the Azure organization.), feature-request

Comments

@ppodgorsek

Related command

az account get-access-token --output json --resource "https://graph.microsoft.com"

Is your feature request related to a problem? Please describe.

I see a strange behaviour by following these steps:

  1. Sign into the tenant via Azure CLI
  2. Request an access token for the Microsoft Graph API via the Azure CLI: az account get-access-token --output json --resource "https://graph.microsoft.com"
  3. The token generation is successful and can be decoded in https://jwt.ms/
  4. The app ID (appid claim) for the Azure CLI that is present in the token cannot be found in Entra ID for that tenant (not in app registrations nor in enterprise apps)

Describe the solution you'd like

From my understanding, the Azure CLI is an Entra ID app that relies on a standard approach to interact with exposed APIs on behalf of users.

Additional permissions cannot be granted via the Portal and this leads to problems with other Microsoft solutions, such as the Graph SDK using Azure CLI credentials. Such SDKs might need additional permissions (for example, Mail.Send for the Graph API), however it doesn't seem the delegated permission can be granted to the Azure CLI.

Is this just an issue with the Azure Portal, or is this scenario not possible at all?

Describe alternatives you've considered

A separate app registration can be created with delegated permissions, but this defeats the purpose of the Azure CLI credential.

Additional context

For ease of understanding and following the trail of thought, here is the associated issue in the Microsoft Graph SDK repo.
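The following is an added example, not code from the issue author or the Azure CLI project. It reproduces step 4 above offline: it takes the JSON that `az account get-access-token --output json` prints, splits the compact JWT, base64url-decodes the payload (without verifying the signature, exactly as jwt.ms does) and checks whether the `appid` claim is the Azure CLI first-party app ID quoted later in this thread. The sample token, its tenant ID and its scopes are constructed for the demo.

```python
"""Inspect the appid claim of an Azure CLI access token offline (added example)."""
import base64
import json

# App ID of the "Microsoft Azure CLI" first-party application, as quoted in this thread.
AZURE_CLI_APP_ID = "04b07795-8ddb-461a-bbee-02f9e1bf7b46"


def _b64url_decode(segment: str) -> bytes:
    """JWT segments are base64url without padding; restore it before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_from_az_output(json_text: str) -> str:
    """Pull the bearer token out of `az account get-access-token --output json`."""
    return json.loads(json_text)["accessToken"]


def decode_claims(token: str) -> dict:
    """Return the payload claims of a JWT WITHOUT verifying its signature.

    This is inspection only (what jwt.ms does): it tells you what the token
    says about itself, not whether the token is genuine. Never use this to
    authorise anything; the resource API validates the signature for that.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def describe_client(claims: dict) -> dict:
    """Summarise which client obtained the token and what it can do with it."""
    appid = claims.get("appid")
    return {
        "appid": appid,
        "is_azure_cli": appid == AZURE_CLI_APP_ID,
        "tenant": claims.get("tid"),
        "audience": claims.get("aud"),
        # Delegated permissions are space-separated in the scp claim.
        "scopes": sorted(claims.get("scp", "").split()),
    }


def _make_demo_token(claims: dict) -> str:
    """Build a token-shaped string for the demo (constructed; the signature is a placeholder)."""
    def enc(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).decode().rstrip("=")
    return f"{enc({'typ': 'JWT', 'alg': 'RS256'})}.{enc(claims)}.placeholder-signature"


# Constructed sample: the shape of a Graph token requested through the Azure CLI.
SAMPLE_CLAIMS = {
    "aud": "https://graph.microsoft.com",
    "tid": "00000000-0000-0000-0000-000000000000",   # constructed tenant id
    "appid": AZURE_CLI_APP_ID,
    "scp": "User.Read Directory.Read.All",
}
SAMPLE_AZ_OUTPUT = json.dumps({"accessToken": _make_demo_token(SAMPLE_CLAIMS), "tokenType": "Bearer"})


def demo() -> dict:
    """Run the whole flow on the constructed az output."""
    return describe_client(decode_claims(token_from_az_output(SAMPLE_AZ_OUTPUT)))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The `appid` seen here is what you then look for in the tenant's enterprise applications; the claim identifies the client application, not the user, which is why granting extra delegated permissions has to happen on that application's service principal.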

@microsoft-github-policy-service microsoft-github-policy-service bot added customer-reported Issues that are reported by GitHub users external to the Azure organization. Auto-Assign Auto assign by bot ARM az resource/group/lock/tag/deployment/policy/managementapp/account management-group labels Mar 25, 2024
@microsoft-github-policy-service microsoft-github-policy-service bot added the Azure CLI Team The command of the issue is owned by Azure CLI team label Mar 25, 2024
@yonzhan
Collaborator

yonzhan commented Mar 25, 2024

Thank you for opening this issue, we will look into it.

@microsoft-github-policy-service microsoft-github-policy-service bot added the question The issue doesn't require a change to the product in order to be resolved. Most issues start as that label Mar 25, 2024
@yonzhan yonzhan added this to the Backlog milestone Mar 25, 2024
@yonzhan yonzhan added feature-request and removed question The issue doesn't require a change to the product in order to be resolved. Most issues start as that labels Mar 25, 2024
@jiasli
Member

jiasli commented Mar 26, 2024

Azure CLI is a First Party Application and its app ID is 04b07795-8ddb-461a-bbee-02f9e1bf7b46.

I am able to get its service principal in Microsoft tenant 72f988bf-86f1-41af-91ab-2d7cd011db47:

> az ad sp show --id 04b07795-8ddb-461a-bbee-02f9e1bf7b46
{
  "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#servicePrincipals/$entity",
  "accountEnabled": true,
  "addIns": [],
  "alternativeNames": [],
  "appDescription": null,
  "appDisplayName": "Microsoft Azure CLI",
  "appId": "04b07795-8ddb-461a-bbee-02f9e1bf7b46",
  "appOwnerOrganizationId": "f8cdef31-a31e-4b4a-93e4-5f571e91255a",
  "appRoleAssignmentRequired": false,
  "appRoles": [],
  "applicationTemplateId": null,
  "createdDateTime": null,
  "deletedDateTime": null,
  "description": null,
  "disabledByMicrosoftStatus": null,
  "displayName": "Microsoft Azure CLI",
  "homepage": null,
  "id": "d164374b-2521-4e1a-b04d-dcb438233b9b",
  "info": {
    "logoUrl": null,
    "marketingUrl": null,
    "privacyStatementUrl": null,
    "supportUrl": null,
    "termsOfServiceUrl": null
  },
  "keyCredentials": [],
  "loginUrl": null,
  "logoutUrl": null,
  "notes": null,
  "notificationEmailAddresses": [],
  "oauth2PermissionScopes": [],
  "passwordCredentials": [],
  "preferredSingleSignOnMode": null,
  "preferredTokenSigningKeyThumbprint": null,
  "replyUrls": [
    "http://localhost",
    "urn:ietf:wg:oauth:2.0:oob",
    "https://login.microsoftonline.com/common/oauth2/nativeclient"
  ],
  "resourceSpecificApplicationPermissions": [],
  "samlSingleSignOnSettings": null,
  "servicePrincipalNames": [
    "04b07795-8ddb-461a-bbee-02f9e1bf7b46"
  ],
  "servicePrincipalType": "Application",
  "signInAudience": "AzureADandPersonalMicrosoftAccount",
  "tags": [
    "WindowsAzureActiveDirectoryIntegratedApp"
  ],
  "tokenEncryptionKeyId": null,
  "verifiedPublisher": {
    "addedDateTime": null,
    "displayName": null,
    "verifiedPublisherId": null
  }
}

But not in another tenant:

> az ad sp show --id 04b07795-8ddb-461a-bbee-02f9e1bf7b46
Resource '04b07795-8ddb-461a-bbee-02f9e1bf7b46' does not exist or one of its queried reference-property objects are not present.

I need to work with the Microsoft Entra team internally to understand why the API behaves like this and whether it is possible to add additional delegated permissions to first party applications.

Related: #22775

@magnus-longva-bouvet

I have the same problem as OP, and I'm 99% sure I've been able to find the Microsoft Azure CLI application with appId 04b07795-8ddb-461a-bbee-02f9e1bf7b46 before, but not necessarily in my current tenant.

@jamesw4

jamesw4 commented May 14, 2024

Seeing same issue in one of our tenants - nowhere to be seen and I need to grant it additional graph permissions.

@Thomas-Butterfield

> Seeing same issue in one of our tenants - nowhere to be seen and I need to grant it additional graph permissions.

The enterprise application was also missing in one of our tenants; by running the following command from a cloud shell I was able to force it to appear.

az ad sp create --id '04b07795-8ddb-461a-bbee-02f9e1bf7b46'

@ioxterminal

ioxterminal commented Sep 22, 2024

It seems that the enterprise application cannot be found, either through the portal, Microsoft Graph, or the deprecated AzureAD module.

Import-Module AzureAD
Connect-AzureAD

(Get-AzureADServicePrincipal -All $true) | Where-Object {$_.DisplayName -like "*CLI*"}

ObjectId                             AppId                                DisplayName                                        
--------                             -----                                -----------                                        
19fb6d6a-0953-4e59-826b-4ebac1c8133a 3bc2296e-aa22-4ed2-9e1e-946d05afa6a2 SharePoint Online Web Client Extensibility Isolated
2b027fbc-b813-47fc-b88b-c2fa164e45f8 981f26a1-7f43-403b-a875-f8b09b8cd720 Azure Multi-Factor Auth Client                     
63c2caae-86f8-43e6-9e4e-b3647d63a13a c2ada927-a9e2-4564-aae2-70775a2fa0af OCaaS Client Interaction Service                   
9c877073-a359-4396-b424-d1cf0408b096 0f698dd4-f011-4d23-a33e-b36416dcb1e6 OfficeClientService                                
bbde190f-2f8f-4399-9a33-cb8a6f1891cf 08e18876-6177-487e-b8b5-cf950c1e598c SharePoint Online Web Client Extensibility  

Connect-MgGraph -Scopes "Directory.Read.All", "Application.Read.All"
Get-MgServicePrincipal -All -Property * | Where-Object {$_.Displayname -like "*CLI*"}

DisplayName Id AppId
----------- -- -----
SharePoint Online Web Client Extensibility Isolated 19fb6d6a-0953-4e59-826b-4ebac1c8133a 3bc2296e-aa22-4ed2-9e1e-946d0…
Azure Multi-Factor Auth Client                      2b027fbc-b813-47fc-b88b-c2fa164e45f8 981f26a1-7f43-403b-a875-f8b09…
OCaaS Client Interaction Service                    63c2caae-86f8-43e6-9e4e-b3647d63a13a c2ada927-a9e2-4564-aae2-70775…
OfficeClientService                                 9c877073-a359-4396-b424-d1cf0408b096 0f698dd4-f011-4d23-a33e-b3641…
SharePoint Online Web Client Extensibility          bbde190f-2f8f-4399-9a33-cb8a6f1891cf 08e18876-6177-487e-b8b5-cf950…
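Added example, not code from anyone in this thread or from the Azure CLI project. It ties together jiasli's `az ad sp show --id <appId>` lookup and Thomas-Butterfield's `az ad sp create --id <appId>` fix as one idempotent check-then-create step, looking the service principal up by `appId` rather than by display name (the `-like "*CLI*"` searches above depend on a display name the tenant may not have). The real `az` calls need a prior `az login`; the `FakeTenant` runner, its object ID and its error text are constructed so the script also runs offline.

```python
"""Ensure the Azure CLI first-party SP exists in the signed-in tenant (added example)."""
import json
import subprocess
from typing import Callable, Dict, List, Optional

# App ID of "Microsoft Azure CLI", as quoted in this thread.
AZURE_CLI_APP_ID = "04b07795-8ddb-461a-bbee-02f9e1bf7b46"

# A runner takes az arguments (without the leading "az") and returns a CompletedProcess.
Runner = Callable[[List[str]], subprocess.CompletedProcess]


def run_az(args: List[str]) -> subprocess.CompletedProcess:
    """Run the real Azure CLI. Requires `az login` against the target tenant first."""
    return subprocess.run(["az", *args], capture_output=True, text=True)


def find_service_principal(app_id: str, run: Runner = run_az) -> Optional[Dict]:
    """Look the SP up by appId. Returns the object, or None when az reports it missing.

    `az ad sp show` exits non-zero when the tenant has no SP for that app, which is
    exactly the "does not exist" response shown earlier in this thread.
    """
    result = run(["ad", "sp", "show", "--id", app_id, "--output", "json"])
    if result.returncode != 0:
        return None
    return json.loads(result.stdout)


def ensure_service_principal(app_id: str, run: Runner = run_az) -> Dict:
    """Idempotent: reuse an existing SP, otherwise instantiate the first-party app."""
    existing = find_service_principal(app_id, run)
    if existing is not None:
        return {"created": False, "object_id": existing["id"]}
    result = run(["ad", "sp", "create", "--id", app_id, "--output", "json"])
    if result.returncode != 0:
        raise RuntimeError(f"az ad sp create failed: {result.stderr.strip()}")
    return {"created": True, "object_id": json.loads(result.stdout)["id"]}


class FakeTenant:
    """Constructed stand-in for a tenant: starts without the SP and gains it on create."""

    def __init__(self) -> None:
        self.calls: List[List[str]] = []
        self.sps: Dict[str, Dict] = {}

    def __call__(self, args: List[str]) -> subprocess.CompletedProcess:
        self.calls.append(args)
        verb, app_id = args[2], args[4]          # ["ad", "sp", <verb>, "--id", <appId>, ...]
        if verb == "show":
            if app_id in self.sps:
                return subprocess.CompletedProcess(args, 0, json.dumps(self.sps[app_id]), "")
            # Constructed error text modelled on the real "does not exist" message.
            return subprocess.CompletedProcess(args, 3, "", f"Resource '{app_id}' does not exist.")
        if verb == "create":
            self.sps[app_id] = {
                "id": "11111111-2222-3333-4444-555555555555",   # constructed object id
                "appId": app_id,
                "displayName": "Microsoft Azure CLI",
            }
            return subprocess.CompletedProcess(args, 0, json.dumps(self.sps[app_id]), "")
        return subprocess.CompletedProcess(args, 2, "", f"unsupported verb {verb}")


def demo() -> List[Dict]:
    """Run ensure twice against the fake tenant: first creates, second is a no-op."""
    tenant = FakeTenant()
    return [ensure_service_principal(AZURE_CLI_APP_ID, tenant),
            ensure_service_principal(AZURE_CLI_APP_ID, tenant)]


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Creating the SP needs a directory role that can instantiate applications; once the object exists it shows up under enterprise applications, and it is that object (not an app registration, which lives in Microsoft's tenant) on which delegated permissions such as `Mail.Send` would be consented for this tenant.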

8 participants