Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Feature request] az ad app permission admin-consent: Migrate https://main.iam.ad.ext.azure.com/ to Microsoft Graph #29424

Open
jiasli opened this issue Jul 19, 2024 · 2 comments
Open

[Feature request] az ad app permission admin-consent: Migrate https://main.iam.ad.ext.azure.com/ to Microsoft Graph #29424

jiasli opened this issue Jul 19, 2024 · 2 comments
Assignees
@jiasli
Labels
Auto-Assign Auto assign by bot Azure CLI Team The command of the issue is owned by Azure CLI team feature-request Graph az ad
Milestone
Backlog

Comments

@jiasli
Copy link
Member

jiasli commented Jul 19, 2024

Related command
az ad app permission admin-consent

Is your feature request related to a problem? Please describe.
az ad app permission admin-consent internally calls https://main.iam.ad.ext.azure.com/ endpoint:

azure-cli/src/azure-cli/azure/cli/command_modules/role/custom.py

Line 959 in 38eaebb

url = 'https://main.iam.ad.ext.azure.com/api/RegisteredApplications/{}/Consent?onBehalfOfAll=true'.format(

This endpoint has several limitations:

  1. This endpoint is now deprecated
  2. It can only be called by a user, not a service principal.
  3. It fails in Cloud Shell, because https://main.iam.ad.ext.azure.com/ is not a resource supported by Cloud Shell (az ad app permission admin-consent --id <app-id> fails in CloudShell #8912, Admin Consent is not working in Cloud Shell #14230)
  4. It doesn't support sovereign clouds (az ad app permission admin-consent for sovereign cloud #9942)

Describe the solution you'd like
Migrate https://main.iam.ad.ext.azure.com/ to Microsoft Graph.

Describe alternatives you've considered
Remove az ad app permission admin-consent and replace it with fine-grained az ad app permission grant and #22768.

Additional context
@microsoft-github-policy-service microsoft-github-policy-service bot added Auto-Assign Auto assign by bot Graph az ad labels Jul 19, 2024
@yonzhan
Copy link
Collaborator

yonzhan commented Jul 19, 2024

Thank you for opening this issue, we will look into it.

@microsoft-github-policy-service microsoft-github-policy-service bot added Azure CLI Team The command of the issue is owned by Azure CLI team question The issue doesn't require a change to the product in order to be resolved. Most issues start as that labels Jul 19, 2024
@yonzhan yonzhan added this to the Backlog milestone Jul 19, 2024
@yonzhan yonzhan added feature-request and removed question The issue doesn't require a change to the product in order to be resolved. Most issues start as that labels Jul 19, 2024
@ogarber
Copy link

ogarber commented Nov 18, 2024

Can you please inform me if this ticket is going to be managed and what the fixed estimations are?

My problem is listed above under #2 item:

It can only be called by a user, not a service principal.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@jiasli jiasli

Labels
Auto-Assign Auto assign by bot Azure CLI Team The command of the issue is owned by Azure CLI team feature-request Graph az ad
Projects
None yet
Milestone
Backlog
Development

No branches or pull requests
3 participants
@jiasli @yonzhan @ogarber