Reputation: 41
As I was attempting to remove the additional configuration on an app registration created by PowerShell, I came across a strange behaviour:
The command az ad app update --id $app.appid --set oauth2AllowIdTokenImplicitFlow='false' results in an exception, namely "az : Property 'oauth2AllowIdTokenImplicitFlow' not found on root. Send it as an additional property". It does, however, apply the value.
Is there no documented way to automate this setting? It can be sent via the portal and via the API (shoot and forget, as per How to setup oauth2AllowIdTokenImplicitFlow in azure AD application from console?).
And I was expecting it to be part of the Permission-grants?
Upvotes: 2
Views: 1893
Reputation: 41
Microsoft split oauth2AllowIdTokenImplicitFlow out of oauth2AllowImplicitFlow. To reliably set it from within the Az context, use the API instead:
az rest --method PATCH --uri 'https://graph.microsoft.com/v1.0/applications/<Object_Id>' --headers 'Content-Type=application/json' --body '{\"web\":{\"implicitGrantSettings\":{\"enableIdTokenIssuance\":false}}}'
(reference: https://github.com/Azure/azure-cli/issues/10579)
Upvotes: 2
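To find which app registrations still have implicit grant issuance switched on, and to build the matching PATCH body for each, here is an added PowerShell example (not part of the original answer or of the Azure CLI). The sample application objects and the function names Get-ImplicitGrantFinding and New-DisableImplicitGrantBody are constructed for illustration.

```powershell
# Constructed sample in the shape of GET /v1.0/applications?$select=id,displayName,web
# (ids and names are made up). The legacy oauth2AllowIdTokenImplicitFlow maps to
# enableIdTokenIssuance, and oauth2AllowImplicitFlow to enableAccessTokenIssuance.
$sampleJson = @'
{ "value": [
  { "id": "00000000-0000-0000-0000-000000000001", "displayName": "legacy-portal",
    "web": { "implicitGrantSettings": { "enableIdTokenIssuance": true, "enableAccessTokenIssuance": false } } },
  { "id": "00000000-0000-0000-0000-000000000002", "displayName": "api-backend",
    "web": { "implicitGrantSettings": { "enableIdTokenIssuance": false, "enableAccessTokenIssuance": false } } },
  { "id": "00000000-0000-0000-0000-000000000003", "displayName": "daemon-job", "web": null }
] }
'@

function Get-ImplicitGrantFinding {
    param([object[]]$Application)
    foreach ($app in $Application) {
        # web or implicitGrantSettings may be null or absent: treat as not enabled.
        $settings = $null
        if ($app.web) { $settings = $app.web.implicitGrantSettings }
        $idToken     = [bool]($settings -and $settings.enableIdTokenIssuance)
        $accessToken = [bool]($settings -and $settings.enableAccessTokenIssuance)
        if ($idToken -or $accessToken) {
            [pscustomobject]@{
                ObjectId            = $app.id
                DisplayName         = $app.displayName
                IdTokenIssuance     = $idToken
                AccessTokenIssuance = $accessToken
            }
        }
    }
}

function New-DisableImplicitGrantBody {
    param($Finding)
    # Only turn off the flags that are currently on.
    $s = [ordered]@{}
    if ($Finding.IdTokenIssuance)     { $s.enableIdTokenIssuance = $false }
    if ($Finding.AccessTokenIssuance) { $s.enableAccessTokenIssuance = $false }
    @{ web = @{ implicitGrantSettings = $s } } | ConvertTo-Json -Depth 4 -Compress
}

$apps = ($sampleJson | ConvertFrom-Json).value
# Live data instead of the sample (needs an az login session; returns the first page only,
# follow @odata.nextLink for larger tenants):
# $apps = (az rest --method GET --uri 'https://graph.microsoft.com/v1.0/applications?$select=id,displayName,web' | ConvertFrom-Json).value
foreach ($f in Get-ImplicitGrantFinding -Application $apps) {
    '{0} ({1}): {2}' -f $f.DisplayName, $f.ObjectId, (New-DisableImplicitGrantBody -Finding $f)
}
```

With the constructed sample only legacy-portal is reported, and running the function again after the PATCH confirms that the value was actually applied.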
Reputation: 2445
The command you have shared will not work, as oauth2AllowIdTokenImplicitFlow was not the correct syntax of az ad app update as per the Microsoft documentation.
The correct syntax will be:
az ad app update --id $app.appid --oauth2-allow-implicit-flow false
Upvotes: 1