Azure CLI is migrated to Microsoft Graph in 2.37.0 #22580

Closed
jiasli opened this issue May 24, 2022 · 3 comments
@jiasli
Member

jiasli commented May 24, 2022

Due to the deprecation of Azure Active Directory (Azure AD) Graph, Azure CLI is migrated to Microsoft Graph in 2.37.0, which was released on 2022-05-24.

Please carefully review all breaking changes introduced during this migration: https://docs.microsoft.com/cli/azure/microsoft-graph-migration

If you are not ready for the migration yet, such as lacking Microsoft Graph permissions, you may keep using Azure CLI versions <= 2.36.0. If you have already installed 2.37.0, you may roll back to a previous version following the "Install specific version" section under the installation documents (except for Homebrew which doesn't support installing previous versions): https://docs.microsoft.com/en-us/cli/azure/install-azure-cli

If you have any questions, please create an issue at https://github.com/Azure/azure-cli/issues

References

@ghost ghost added Auto-Assign Auto assign by bot Graph az ad labels May 24, 2022
@ghost ghost assigned jiasli May 24, 2022
@ghost ghost added this to the Backlog milestone May 24, 2022
@jiasli jiasli pinned this issue May 24, 2022
@yonzhan
Collaborator

yonzhan commented May 24, 2022

This is a really huge achievement for Azure CLI to migrate to Microsoft Graph in 2.37.0 due to the deprecation of Azure Active Directory (Azure AD) Graph!!

@jiasli
Member Author

jiasli commented Jun 9, 2022

Call Microsoft Graph API with az rest

Azure CLI's az ad command group is only designed to facilitate interacting with Azure resources. It is NOT designed to be a fully-fledged client for managing Microsoft Graph. Therefore, only a limited subset of Microsoft Graph API is supported natively by Azure CLI.

For non-supported Microsoft Graph APIs or object properties, you may call APIs directly with az rest to achieve the same effect as az ad commands, including all latest features from Microsoft Graph API. az ad automatically authenticates to Microsoft Graph API.

⚠️ WARNING: Calling API (not limited to Microsoft Graph API) directly with az rest is only a supplemental feature of Azure CLI. It is not guaranteed to work and is subject to change, for reasons including but not limited to Azure CLI permission change, Microsoft Graph service limitation, AAD Conditional Access policies, etc.

ℹ️ NOTE: The First Party App 04b07795-8ddb-461a-bbee-02f9e1bf7b46 of Azure CLI only has the following delegated permissions:

  • AuditLog.Read.All
  • Directory.AccessAsUser.All
  • Group.ReadWrite.All
  • User.ReadWrite.All
  • openid

We are in the process of deprecating Directory.AccessAsUser.All and replacing it with Directory.ReadWrite.All. Also see #22775.

Examples

Update redirectUris for an Application

Originally posted at #9501 (comment). We call the Update application API. The GUID part in the following URLs is the object ID of the application.

# Get the application
az rest --method GET --uri 'https://graph.microsoft.com/v1.0/applications/b4e4d2ab-e2cb-45d5-a31a-98eb3f364001'

# Update `redirectUris` for `web` property
az rest --method PATCH --uri 'https://graph.microsoft.com/v1.0/applications/b4e4d2ab-e2cb-45d5-a31a-98eb3f364001' --body '{"web":{"redirectUris":["https://myapp.com"]}}'

Add owners to a service principal

Originally posted at #9250 (comment). We call the servicePrincipal: Add owner API.

appId=93dde3da-9fca-47dd-aee2-409b402ffed3
spObjectId=$(az ad sp show --id $appId --query id --output tsv)

# Get the object Id for the current user
ownerObjectId=$(az ad signed-in-user show --query id -o tsv)

# This applies to both user and service principal as owners
az rest -m POST -u https://graph.microsoft.com/beta/servicePrincipals/$spObjectId/owners/\$ref -b "{\"@odata.id\": \"https://graph.microsoft.com/beta/directoryObjects/$ownerObjectId\"}"

# To add a user as an owner
az rest -m POST -u https://graph.microsoft.com/beta/servicePrincipals/$spObjectId/owners/\$ref -b "{\"@odata.id\": \"https://graph.microsoft.com/beta/users/$ownerObjectId\"}"

# To add a service principal as an owner
az rest -m POST -u https://graph.microsoft.com/beta/servicePrincipals/$spObjectId/owners/\$ref -b "{\"@odata.id\": \"https://graph.microsoft.com/beta/servicePrincipals/$ownerObjectId\"}"

Remarks

@YuanyuanNi YuanyuanNi unpinned this issue Jun 24, 2022
@jsntcy jsntcy pinned this issue Jun 27, 2022
@kairu-ms kairu-ms unpinned this issue Jul 18, 2022
@jiasli jiasli pinned this issue Jul 19, 2022
@yonzhan yonzhan closed this as completed Jul 29, 2022
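
Added example, not part of the original comments or of Azure CLI: a diagnostic that decodes the `appid` and `scp` claims of a Microsoft Graph access token and reports which of the delegated permissions listed in the note above are absent, which helps explain a 403 from `az rest`. The function names and the sample token are constructed for illustration, and it assumes the token is a JWT carrying v1-style `appid`/`scp` claims; the signature is not verified.

```bash
# App ID and delegated permissions as listed in the issue comment.
AZ_CLI_APP_ID="04b07795-8ddb-461a-bbee-02f9e1bf7b46"
EXPECTED_SCOPES="AuditLog.Read.All Directory.AccessAsUser.All Group.ReadWrite.All User.ReadWrite.All openid"

# Print the decoded payload (second segment) of a JWT. Diagnostic only:
# the signature is not verified.
jwt_payload() {
  seg=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
  case $(( ${#seg} % 4 )) in   # restore the padding that base64url strips
    2) seg="$seg==" ;;
    3) seg="$seg=" ;;
  esac
  printf '%s' "$seg" | base64 -d
}

# Print the value of a string claim ($2) from compact payload JSON ($1).
jwt_claim() {
  printf '%s\n' "$1" | sed -n 's/.*"'"$2"'"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Print each expected scope that is absent from the scp value ($1).
missing_scopes() {
  for s in $EXPECTED_SCOPES; do
    case " $1 " in
      *" $s "*) ;;
      *) printf '%s\n' "$s" ;;
    esac
  done
}

# Constructed, unsigned sample token so the script runs offline.
make_sample_token() {
  body='{"appid":"04b07795-8ddb-461a-bbee-02f9e1bf7b46","scp":"AuditLog.Read.All Group.ReadWrite.All User.ReadWrite.All openid"}'
  printf 'e30.%s.sig' "$(printf '%s' "$body" | base64 | tr -d '=\n' | tr '/+' '_-')"
}

# Real use (assumption: the Graph token is a JWT with appid/scp claims):
#   token=$(az account get-access-token --resource-type ms-graph --query accessToken -o tsv)
token=$(make_sample_token)
payload=$(jwt_payload "$token")
[ "$(jwt_claim "$payload" appid)" = "$AZ_CLI_APP_ID" ] || echo "token not issued to Azure CLI"
echo "missing scopes: $(missing_scopes "$(jwt_claim "$payload" scp)" | tr '\n' ' ')"
```
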
@jiasli
Member Author

jiasli commented Sep 28, 2023

Azure CLI's az ad command group is only designed to facilitate interacting with Azure resources. It is NOT designed to be a fully-fledged client for managing Microsoft Graph. Therefore, only a limited subset of Microsoft Graph API is supported natively by Azure CLI.

See Azure CLI's creator @yugangw-msft's comment #7579 (comment).
