Reputation: 87
I am trying to create an Azure AD app with an updated manifest that has access to Windows Azure AD. I have been able to successfully create / configure a new App Registration but run into issues when I try to configure the Manifest.
I have tried using the sample code provided by MS (https://learn.microsoft.com/en-us/cli/azure/ad/app?view=azure-cli-latest#az-ad-app-create) with an updated 'resourceAppId' from an already existing App Registration, however bash throws an error:
```sh
az ad app create --display-name myTest --homepage https://blah.test.com --reply-urls https://blah.test.com/.auth/login/add/callback --required-resource-accesses @manifest.json
```
"manifest.json" contains the following content:
```json
[{
  "resourceAppId": "00000002-0000-0000-c000-000000000000",
  "resourceAccess": [
    {
      "id": "a42657d6-7f20-40e3-b6f0-cee03008a62a-test",
      "type": "Scope"
    }
  ]
}]
```
As I've copied the sample code and just updated a few params, I would expect it to run. TIA for any suggestions.
This is the error I receive when running via the portal.
Upvotes: 4
Views: 3515
Reputation: 42163
Because you provide too little useful information, I am not sure what error you got.
I have tested your script, and I got the error below:
```powershell
az ad app create --display-name 'myTest' --homepage 'https://blah.test.com' --reply-urls 'https://blah.test.com/.auth/login/add/callback' --required-resource-accesses 'C:\Users\joyw\Desktop\manifest.json'
```
```text
az : ERROR: '--identifier-uris' is required for creating an application
At line:1 char:1
+ az ad app create --display-name 'myTest' --homepage 'https://blah.tes ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (ERROR: '--ident... an application:String) [], RemoteException
+ FullyQualifiedErrorId : NativeCommandError
```
If you also get this error, just add the parameter, like `--identifier-uris 'https://mytestapp.websites.net'`; the complete command will be like:
```powershell
az ad app create --display-name 'myTest' --homepage 'https://blah.test.com' --reply-urls 'https://blah.test.com/.auth/login/add/callback' --identifier-uris 'https://mytestapp.websites.net' --required-resource-accesses 'C:\Users\joyw\Desktop\manifest.json'
```
Then it will work fine.
As I understand it, you may think something is wrong with the `resourceAppId` in your `manifest.json`. If you do not get the error above, you could follow the information below to troubleshoot and make sure you use the correct properties in the `manifest.json`.
My `manifest.json` file:
```json
[{
  "resourceAppId": "69ae001f-xxxxxxxx-375585ac983e",
  "resourceAccess": [
    {
      "id": "6833b2c6-9954-43e1-ac46-f54a26a3b693",
      "type": "Scope"
    },
    {
      "id": "1b4f816e-5eaf-48b9-8613-7923830595ad",
      "type": "Role"
    }
  ]
}]
```
The `resourceAppId` is the application id of the service principal (i.e. the application id of the AD App), so you are correct.
In the `resourceAccess`, the `type` is `Scope` or `Role`. `Scope` represents a Delegated permission, `Role` represents an Application permission. For the Application permission, you can find it in the `appRoles` in the manifest of the AD App which you are using (for my sample it is the app `69ae001f-xxxxxxxx-375585ac983e`). For the Delegated permission, you can find it in the `oauth2Permissions` in the manifest. Then get the `id` in the corresponding position.
Check it along with my manifest of the sample AD App, note the `id` and the correspondence, and it will be clear.
`appRoles`:
```json
"appRoles": [
  {
    "allowedMemberTypes": [
      "Application"
    ],
    "displayName": "SurveyCreator",
    "id": "1b4f816e-5eaf-48b9-8613-7923830595ad",
    "isEnabled": true,
    "description": "Creators can create Surveys",
    "value": "SurveyCreator"
  }
]
```
`oauth2Permissions`:
```json
"oauth2Permissions": [
  {
    "adminConsentDescription": "Allow the application to access joywebtest on behalf of the signed-in user.",
    "adminConsentDisplayName": "Access joywebtest",
    "id": "6833b2c6-9954-43e1-ac46-f54a26a3b693",
    "isEnabled": true,
    "type": "User",
    "userConsentDescription": "Allow the application to access joywebtest on your behalf.",
    "userConsentDisplayName": "Access joywebtest",
    "value": "user_impersonation"
  }
]
```
Finally, we can check the AD App we just created in the portal. It will have the Required permissions we set.
For more details, you can also see Azure Active Directory app manifest.
Upvotes: 5
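The mapping the answer describes (a `Scope` id comes from the resource app's `oauth2Permissions`, a `Role` id from its `appRoles`) can be turned into a small generator that builds the `--required-resource-accesses` document from the resource app's manifest by permission name, so only the permissions you actually need are requested and every id is checked to be a GUID before `az ad app create` sees it. This is an added example, not code from the question or the answer; the resource app id and manifest entries are constructed for the example and the function name is my own.

```python
import json
import re

# Constructed sample: the relevant fragments of the *resource* app's manifest.
# The shape follows the appRoles / oauth2Permissions fragments shown in the answer;
# the app id below is a placeholder, not a real application.
RESOURCE_APP_ID = "69ae001f-0000-0000-0000-375585ac983e"
RESOURCE_MANIFEST = {
    "appRoles": [
        {"id": "1b4f816e-5eaf-48b9-8613-7923830595ad", "value": "SurveyCreator",
         "allowedMemberTypes": ["Application"], "isEnabled": True},
    ],
    "oauth2Permissions": [
        {"id": "6833b2c6-9954-43e1-ac46-f54a26a3b693", "value": "user_impersonation",
         "type": "User", "isEnabled": True},
    ],
}

# Azure AD ids are GUIDs; anything else (a stray suffix, a typo) is rejected early.
GUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)


def build_required_resource_access(resource_app_id, manifest, wanted):
    """Return the requiredResourceAccess document for one resource app.

    wanted: list of (permission value, "Scope" | "Role"). Scope ids are looked up
    in oauth2Permissions (delegated), Role ids in appRoles (application permission).
    Raises ValueError for an unknown type, an unknown or disabled permission,
    or an id that is not a GUID.
    """
    if not GUID_RE.match(resource_app_id):
        raise ValueError(f"resourceAppId is not a GUID: {resource_app_id}")
    tables = {"Scope": manifest.get("oauth2Permissions", []),
              "Role": manifest.get("appRoles", [])}
    access = []
    for value, kind in wanted:
        if kind not in tables:
            raise ValueError(f"type must be Scope or Role, got {kind!r}")
        match = next((p for p in tables[kind] if p.get("value") == value), None)
        if match is None or not match.get("isEnabled", False):
            raise ValueError(f"no enabled {kind} named {value!r} on {resource_app_id}")
        if not GUID_RE.match(match["id"]):
            raise ValueError(f"permission id is not a GUID: {match['id']}")
        access.append({"id": match["id"], "type": kind})
    return [{"resourceAppId": resource_app_id, "resourceAccess": access}]


if __name__ == "__main__":
    # Redirect this output to manifest.json and pass it with --required-resource-accesses.
    print(json.dumps(build_required_resource_access(
        RESOURCE_APP_ID, RESOURCE_MANIFEST,
        [("user_impersonation", "Scope"), ("SurveyCreator", "Role")]), indent=2))
```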