Not able to create a valid ms-graph token from azure cli with right permissions #30149
Labels
ARM
az resource/group/lock/tag/deployment/policy/managementapp/account management-group
Auto-Assign
Auto assign by bot
Azure CLI Team
The command of the issue is owned by Azure CLI team
customer-reported
Issues that are reported by GitHub users external to the Azure organization.
question
The issue doesn't require a change to the product in order to be resolved. Most issues start as that
Milestone
I am already raised tickets to the ms-graph team but they pointed me to here.
I am trying to activate my eligible assignment for PIM for Groups:
https://learn.microsoft.com/en-us/graph/api/privilegedaccessgroup-post-assignmentschedulerequests?view=graph-rest-1.0&tabs=http#example-2-user-activates-their-eligible-assignment-for-pim-for-groups
If I log in into graph explorer ist no problem to activate my eligible assignment from there. Also it is working with HTTP from bash if i use the existing token at the graph explorer.
If I try to get a graph token from azure cli it seems to work with:
az account get-access-token --resource-type ms-graph
With this token i ve not the right permissions to do the activation:
Authorization failed due to missing permission scope PrivilegedAssignmentSchedule.ReadWrite.AzureADGroup,PrivilegedAccess.ReadWrite.AzureADGroup,PrivilegedAssignmentSchedule.Remove.AzureADGroup.
If i try to set the scope (ive tried a few formats) than i only get those errors:
az account get-access-token --resource-type ms-graph --scope https://graph.microsoft.com/.PrivilegedAssignmentSchedule.ReadWrite.AzureADGroup
or
az account get-access-token --resource-type ms-graph --scope .PrivilegedAssignmentSchedule.ReadWrite.AzureADGroup
Consent between first party application '04b07795-8ddb-461a-bbee-02f9e1bf7b46' and first party resource '00000003-0000-0000-c000-000000000000' must be configured via preauthorization - applications owned and operated by Microsoft must get approval from the API owner before requesting tokens for that API.
We are not able to find a way to edit permissions to app '04b07795-8ddb-461a-bbee-02f9e1bf7b46' which seems to be Azure-CLI.
The text was updated successfully, but these errors were encountered: