Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Not able to create a valid ms-graph token from azure cli with right permissions #30149

Open
irrelevant-123 opened this issue Oct 21, 2024 · 2 comments
Open

Not able to create a valid ms-graph token from azure cli with right permissions #30149

irrelevant-123 opened this issue Oct 21, 2024 · 2 comments
Assignees
@jiasli
Labels
ARM az resource/group/lock/tag/deployment/policy/managementapp/account management-group Auto-Assign Auto assign by bot Azure CLI Team The command of the issue is owned by Azure CLI team customer-reported Issues that are reported by GitHub users external to the Azure organization. question The issue doesn't require a change to the product in order to be resolved. Most issues start as that
Milestone
Backlog

Comments

@irrelevant-123
Copy link

I am already raised tickets to the ms-graph team but they pointed me to here.

I am trying to activate my eligible assignment for PIM for Groups:

https://learn.microsoft.com/en-us/graph/api/privilegedaccessgroup-post-assignmentschedulerequests?view=graph-rest-1.0&tabs=http#example-2-user-activates-their-eligible-assignment-for-pim-for-groups

If I log in into graph explorer ist no problem to activate my eligible assignment from there. Also it is working with HTTP from bash if i use the existing token at the graph explorer.

If I try to get a graph token from azure cli it seems to work with:

az account get-access-token --resource-type ms-graph

With this token i ve not the right permissions to do the activation:

Authorization failed due to missing permission scope PrivilegedAssignmentSchedule.ReadWrite.AzureADGroup,PrivilegedAccess.ReadWrite.AzureADGroup,PrivilegedAssignmentSchedule.Remove.AzureADGroup.

If i try to set the scope (ive tried a few formats) than i only get those errors:

az account get-access-token --resource-type ms-graph --scope https://graph.microsoft.com/.PrivilegedAssignmentSchedule.ReadWrite.AzureADGroup
or
az account get-access-token --resource-type ms-graph --scope .PrivilegedAssignmentSchedule.ReadWrite.AzureADGroup

Consent between first party application '04b07795-8ddb-461a-bbee-02f9e1bf7b46' and first party resource '00000003-0000-0000-c000-000000000000' must be configured via preauthorization - applications owned and operated by Microsoft must get approval from the API owner before requesting tokens for that API.

We are not able to find a way to edit permissions to app '04b07795-8ddb-461a-bbee-02f9e1bf7b46' which seems to be Azure-CLI.
@microsoft-github-policy-service microsoft-github-policy-service bot added customer-reported Issues that are reported by GitHub users external to the Azure organization. Auto-Assign Auto assign by bot ARM az resource/group/lock/tag/deployment/policy/managementapp/account management-group labels Oct 21, 2024
@microsoft-github-policy-service microsoft-github-policy-service bot added Azure CLI Team The command of the issue is owned by Azure CLI team question The issue doesn't require a change to the product in order to be resolved. Most issues start as that labels Oct 21, 2024
@yonzhan
Copy link
Collaborator

yonzhan commented Oct 21, 2024

Thank you for opening this issue, we will look into it.

@yonzhan yonzhan added this to the Backlog milestone Oct 21, 2024
@jiasli
Copy link
Member

jiasli commented Oct 22, 2024
edited
Loading

The API mentioned by https://learn.microsoft.com/en-us/graph/api/privilegedaccessgroup-post-assignmentschedulerequests?view=graph-rest-1.0&tabs=http#example-2-user-activates-their-eligible-assignment-for-pim-for-groups is Create assignmentScheduleRequest.

Calling this API requires PrivilegedAssignmentSchedule.ReadWrite.AzureADGroup or PrivilegedAssignmentSchedule.Remove.AzureADGroup delegated permission. However, as explained in #22775 (comment), Azure CLI's first party application doesn't have these permissions.

I will discuss within the team.

@jiasli jiasli mentioned this issue Oct 22, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@jiasli jiasli

Labels
ARM az resource/group/lock/tag/deployment/policy/managementapp/account management-group Auto-Assign Auto assign by bot Azure CLI Team The command of the issue is owned by Azure CLI team customer-reported Issues that are reported by GitHub users external to the Azure organization. question The issue doesn't require a change to the product in order to be resolved. Most issues start as that
Projects
None yet
Milestone
Backlog
Development

No branches or pull requests
3 participants
@jiasli @yonzhan @irrelevant-123