Add Azure AD Group to Azure AD Enterprise Application #14016

Open
damienbod opened this issue Jun 18, 2020 · 3 comments

Labels: Core CLI, customer-reported, feature-request, Service Attention

damienbod commented Jun 18, 2020

I need to add a group to an Azure AD Enterprise application (Default Access). How do I do this using Azure CLI? This is possible using the portal UI. Is this possible with Azure CLI?

Greetings Damien

@ghost ghost added the needs-triage This is a new issue that needs to be triaged to the appropriate team. label Jun 18, 2020
@ghost ghost added question The issue doesn't require a change to the product in order to be resolved. Most issues start as that and removed needs-triage This is a new issue that needs to be triaged to the appropriate team. labels Jun 18, 2020
@yonzhan yonzhan added this to the S172 milestone Jun 18, 2020

yonzhan commented Jun 18, 2020

add to S172

@yonzhan yonzhan added the Core CLI core infrastructure label Jun 18, 2020
@yonzhan yonzhan added feature-request OKR3.2 Candidate and removed question The issue doesn't require a change to the product in order to be resolved. Most issues start as that labels Jul 5, 2020
@yonzhan yonzhan modified the milestones: S172, S173 Jul 5, 2020
@jiasli jiasli modified the milestones: S173, Backlog Jul 27, 2020

jiasli commented Jul 27, 2020

Azure CLI currently doesn't have a command for Adding Azure AD Group to Azure AD Enterprise Application.

The doc Assign a user or group to an enterprise app in Azure Active Directory mentions alternatives for how to do that in Azure Portal and PowerShell.

By capturing the network trace, I saw Azure Portal is calling an internal AppRoleAssignments API.

```
POST https://main.iam.ad.ext.azure.com/api/ManagedApplications/60f762f9-4b9d-4819-8447-b96770d393f7/AppRoleAssignments
{
    "objectId": "60f762f9-4b9d-4819-8447-b96770d393f7",
    "applicationRoleId": "",
    "userId": "5963f50c-7c43-405c-af7e-53294de76abd",
    "groupId": null,
    "passwordSSOCredentials": null,
    "automaticManagedEnabled": false,
    "rolloverFrequencyInDays": 0
}
```

However, it looks a little different from appRoleAssignment in MS Graph API.

I tried this API but got an error:

```
$ az rest -m POST -u https://graph.microsoft.com/v1.0/users/5963f50c-7c43-405c-af7e-53294de76abd/appRoleAssignments -b '{"principalId":"5963f50c-7c43-405c-af7e-53294de76abd","resourceId":"60f762f9-4b9d-4819-8447-b96770d393f7","appRoleId":""}'
Bad Request({
  "error": {
    "code": "Request_BadRequest",
    "message": "Cannot convert a primitive value to the expected type 'Edm.Guid'. See the inner exception for more details.",
    "innerError": {
      "date": "2020-07-27T08:11:27",
      "request-id": "49ea12b5-388a-409f-b04a-c8e5c08c0957"
    }
  }
})
```

Let me further confirm with AAD team about how to do it with REST API.

For examples about using MS Graph API, you may check #12946.

@yonzhan yonzhan added Service Attention This issue is responsible by Azure service team. and removed OKR3.2 Candidate labels Jul 27, 2020
@azure-sdk azure-sdk added the customer-reported Issues that are reported by GitHub users external to the Azure organization. label Sep 24, 2020

jiasli commented Sep 21, 2022

Azure CLI is now calling Microsoft Graph API (#22580). Currently there is no plan to support appRoleAssignments. This feature request is tracked by #22768. You may use az rest to directly call that API.
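
The `az rest` route mentioned in the last comment, as an added example that is not part of this thread or of the Azure CLI code base: it assigns a group to an enterprise application through the Microsoft Graph v1.0 `servicePrincipals/{id}/appRoleAssignedTo` endpoint, then lists the app's assignments so the change can be reviewed. It assumes the all-zero app role ID that Microsoft Graph documents for default access; the function names are hypothetical and any GUIDs passed in are the caller's own.

```shell
#!/bin/sh
# Added example (not from the thread): group -> enterprise app assignment via az rest.

# App role ID Microsoft Graph documents for "default access", used when the
# application defines no app roles of its own.
DEFAULT_APP_ROLE_ID="00000000-0000-0000-0000-000000000000"

# Succeed only for a canonical 8-4-4-4-12 hex GUID. An empty string is not a GUID,
# which is what the 'Edm.Guid' conversion error in the thread is about.
is_guid() {
  [ "${#1}" -eq 36 ] &&
    printf '%s\n' "$1" | grep -Eqx '[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}'
}

# Build the appRoleAssignment body. $1 = group object ID (principalId),
# $2 = service principal object ID of the enterprise app (resourceId),
# $3 = optional app role ID; empty or missing falls back to default access.
build_assignment_body() {
  group_id=$1 sp_id=$2 role_id=${3:-$DEFAULT_APP_ROLE_ID}
  for id in "$group_id" "$sp_id" "$role_id"; do
    is_guid "$id" || { echo "not a GUID: '$id'" >&2; return 1; }
  done
  printf '{"principalId":"%s","resourceId":"%s","appRoleId":"%s"}' \
    "$group_id" "$sp_id" "$role_id"
}

# Create the assignment. Validation happens locally before any request is sent.
assign_group_to_app() {
  body=$(build_assignment_body "$1" "$2" "${3:-}") || return 1
  az rest --method POST \
    --uri "https://graph.microsoft.com/v1.0/servicePrincipals/$2/appRoleAssignedTo" \
    --headers "Content-Type=application/json" \
    --body "$body"
}

# Review who is assigned to the app (users, groups, service principals).
list_app_assignments() {
  is_guid "$1" || return 1
  az rest --method GET \
    --uri "https://graph.microsoft.com/v1.0/servicePrincipals/$1/appRoleAssignedTo" \
    --query "value[].{principal:principalDisplayName,type:principalType,role:appRoleId}" \
    --output table
}

# Usage: ./assign.sh <group-object-id> <service-principal-object-id> [app-role-id]
if [ "$#" -ge 2 ]; then
  assign_group_to_app "$@" && list_app_assignments "$2"
fi
```

The signed-in identity needs permission in the tenant to manage app role assignments for the request to succeed.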
