Unable to figure out how to grant consent for Azure CLI to an AAD application

[veleek]

Describe the bug

Command Name
az account get-access-token

Errors:

Get Token request returned http error: 400 and server response: {"error":"invalid_grant","error_description":"AADSTS65001: The user or administrator has not consented to use the application with ID '04b07795-8ddb-461a-bbee-02f9e1bf7b46' named 'Microsoft Azure CLI'. Send an interactive authorization request for this user and resource.\r\nTrace ID: 179c55fc-955d-4381-902f-67018ecb2900\r\nCorrelation ID: e4685217-4651-4839-8037-407add8b6949\r\nTimestamp: 2020-09-04 23:30:49Z","error_codes":[65001],"timestamp":"2020-09-04 23:30:49Z","trace_id":"179c55fc-955d-4381-902f-67018ecb2900","correlation_id":"e4685217-4651-4839-8037-407add8b6949","suberror":"consent_required"}
Traceback (most recent call last):
pip-install-7cl6xofh\knack\knack\cli.py, ln 215, in invoke
...

To Reproduce:

Steps to reproduce the behavior. Note that argument values have been redacted, as they may contain sensitive information.

• Create an AAD application
• Enable User Consent
• Verify that user consent works using the web flow
• az account get-access-token --resource <myappidhere>

Expected Behavior

I can grant user-consent to my application as the azure cli.

Environment Summary

Windows-10-10.0.19041-SP0
Python 3.6.6
Installer: MSI

azure-cli 2.5.1 *

Extensions:
interactive 0.4.4

Additional Context

The error that I'm getting is expected, but I don't know what process i need to go through in order to actually grant consent to this application for the AZ cli.

My service uses AzureServiceTokenProvider to authenticate with AAD, and by default I depend on the Azure provided identity and everything works. However when running locally I'd like to just use the logged in user's credentials which I can manage access for independently.

[veleek]

Note: I'm not not an admin on the AAD directory so I can't grant Admin Consent, but I am a User and user consent is enabled. I just need some way to actually invoke the consent.

[yonzhan]

add to S176

[jiasli]

For AAD-related questions, you may reach out to AAD support by creating a support ticket. Thanks for understanding.

[veleek]

@jiasli - Appreciate the response, but is this something that has changed in the 10 months since the ticket was created? I'm not sure that this is a support request vs. a change to the CLI to allow it? Honestly, I've forgotten what the actual problem is since I created the ticket so I'm not positive. :)

[jiasli]

@veleek, az account get-access-token is only a generic command which retrieves an access token with silent authentication using Azure CLI's first-party client ID:

azure-cli/src/azure-cli-core/azure/cli/core/_profile.py

Line 67 in 37b16e9

_CLIENT_ID = '04b07795-8ddb-461a-bbee-02f9e1bf7b46'

So there is hardly anything CLI can change to make your scenario work. Also, Azure CLI is not designed for and tested with third-party applications.

On second thought, as the error indicates:

AADSTS65001: The user or administrator has not consented to use the application with ID '04b07795-8ddb-461a-bbee-02f9e1bf7b46' named 'Microsoft Azure CLI'. Send an interactive authorization request for this user and resource.

perhaps you may try interactively logging in to your application using az login --scope <resourceId>/.default? This will launch a browser and allow the user to grant consent to the app. However, this functionality is still under development and is not fully supported yet (#17778). It doesn't target third-part applications either.

[veleek]

Thanks, I'll give it a shot.

[rolanddb]

I was able to make this work by going to the app registration, then 'Expose an API', and adding the Azure CLI as a client application [ID: 04b07795-8ddb-461a-bbee-02f9e1bf7b46] and scope: api://<application id>