
Azure CLI cannot set values on nested properties

Open KSchlobohm opened this issue 3 years ago • 4 comments

Related command
az ad app update --set

Describe the bug
Attempting to set a value on a nested property returns an error. It appears that the CLI is unaware of the changes made to the graph. Specifically cannot set these two properties:

  • "api.oauth2PermissionScopes"
  • "api.preAuthorizedApplications"

To Reproduce
az ad app update --id $clientid --set api.oauth2PermissionScopes="[ { value: '$scopeName', adminConsentDescription: 'My API access', adminConsentDisplayName: 'My API access', id: 'b3e5bc7f-8568-45ee-b913-3a30f72d830b', isEnabled: true, type: 'Admin' } ] } }"

Expected behavior
Expected the command to set oauth2PermissionScopes.

Environment summary
running on Ubuntu WSL 2
install command: curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash

az version

{
  "azure-cli": "2.38.0",
  "azure-cli-core": "2.38.0",
  "azure-cli-telemetry": "1.0.6",
  "extensions": {
    "containerapp": "0.3.5",
    "log-analytics": "0.2.2",
    "rdbms-connect": "1.0.2"
  }
}

Additional context
can work around the issues with az rest command

option1: update scopes


az rest \
          --method PATCH \
          --uri "https://graph.microsoft.com/v1.0/applications/$apiObjectId" \
          --headers 'Content-Type=application/json' \
          --body "{ identifierUris:[ 'api://$apiWebAppClientId' ], api: { oauth2PermissionScopes: [ { value: '$scopeName', adminConsentDescription: 'My API access', adminConsentDisplayName: 'My API access', id: 'b3e5bc7f-8568-45ee-b913-3a30f72d830b', isEnabled: true, type: 'Admin' } ] } }"

option1: update preAuthorizedClients

permId=$(az ad app show --id $apiWebAppClientId --query 'api.oauth2PermissionScopes[].id' -o tsv)

az rest  \
          --method PATCH \
          --uri "https://graph.microsoft.com/v1.0/applications/$apiObjectId" \
          --headers 'Content-Type=application/json' \
          --body "{api:{preAuthorizedApplications:[{appId:'$preAuthedAppApplicationId',delegatedPermissionIds:['$permId']}]}}" 

KSchlobohm, Aug 04 '22 22:08
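Added example, not part of the original post or of the Azure CLI project: a helper that builds the preAuthorizedApplications PATCH body as strict JSON from `az ad app show -o json` output. It goes beyond the workaround above by selecting scope ids by name (the `permId` query returns every scope id when more than one scope exists), refusing disabled scopes, and carrying existing pre-authorized clients forward, because the PATCH replaces the whole collection. The scope names, the GUIDs other than the one from the post, and the file name are constructed.

```python
import json
import sys
import uuid

# Constructed sample shaped like `az ad app show -o json` (only the fields used here).
SAMPLE_APP = {"api": {
    "oauth2PermissionScopes": [
        {"id": "b3e5bc7f-8568-45ee-b913-3a30f72d830b", "value": "Api.Access", "isEnabled": True},
        {"id": "22222222-2222-2222-2222-222222222222", "value": "Api.Old", "isEnabled": False}],
    "preAuthorizedApplications": [
        {"appId": "33333333-3333-3333-3333-333333333333",
         "delegatedPermissionIds": ["b3e5bc7f-8568-45ee-b913-3a30f72d830b"]}]}}
NEW_CLIENT = "44444444-4444-4444-4444-444444444444"  # constructed client appId


def build_preauth_patch(app, client_app_id, scope_values):
    """Return the JSON body for PATCH /applications/{id} that pre-authorizes
    client_app_id for the named scopes of the API registration `app`."""
    uuid.UUID(client_app_id)  # ValueError unless the appId is a GUID
    api = app.get("api") or {}
    # Only enabled scopes may be granted; map scope name -> scope id.
    enabled = {s["value"]: s["id"]
               for s in api.get("oauth2PermissionScopes", []) if s.get("isEnabled")}
    missing = [v for v in scope_values if v not in enabled]
    if missing:
        raise ValueError(f"scopes not defined or disabled: {missing}")
    # The PATCH replaces the collection, so keep clients that are already listed.
    entries = {e["appId"]: list(e.get("delegatedPermissionIds", []))
               for e in api.get("preAuthorizedApplications", [])}
    granted = entries.setdefault(client_app_id, [])
    granted.extend(enabled[v] for v in scope_values if enabled[v] not in granted)
    body = {"api": {"preAuthorizedApplications": [
        {"appId": a, "delegatedPermissionIds": ids} for a, ids in entries.items()]}}
    return json.dumps(body)  # quoted keys, escaped values: safe to pass to --body


if __name__ == "__main__":
    # Usage (hypothetical file name):
    #   az ad app show --id "$apiWebAppClientId" -o json \
    #     | python3 build_preauth.py "$preAuthedAppApplicationId" "$scopeName"
    if len(sys.argv) > 2:
        print(build_preauth_patch(json.load(sys.stdin), sys.argv[1], sys.argv[2:]))
    else:
        print(build_preauth_patch(SAMPLE_APP, NEW_CLIENT, ["Api.Access"]))
```

The printed string can be captured in a shell variable and passed unchanged as the `--body` argument of the `az rest` call shown in the post.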

@jiasli for awareness

yonzhan, Aug 04 '22 22:08

This is documented as a known issue during MS Graph migration: https://docs.microsoft.com/en-us/cli/azure/microsoft-graph-migration#known-issues

jiasli, Aug 05 '22 02:08

Thanks @jiasli, I wasn't aware this was a known issue.

My workflow was something like:

  1. az ad app update --help
  2. try out the command (it failed)
  3. read the doc
  4. try out the command with slightly different syntax (it failed)
  5. web search for guidance
  6. read Stack Overflow posts (learned az rest is an alternative)
  7. see that az rest works
  8. search for known issues on GH
  9. open an issue because I didn't see one already open

I think it would help others if the known issue could be linked in the doc.

KSchlobohm, Aug 05 '22 15:08

Thanks for the feedback @KSchlobohm. Indeed, the doc should exclude --set, --add and --remove if they are not supported. We will see how we can improve it.

jiasli, Aug 08 '22 05:08