Azure CLI 2.37.0 default application creation - oath2permission

[jillyueh020]

Related command

Issue:

How to modify the oath2permission by "az ad app" or this can only by the portal?

Background:

cx use the 2.36.0 Azure CLI to create the Application, by default it would update the oath2permission:
*Command: az ad app create --display-name xxxxxx
Back to portal, App registration > Expose an API tab, there's user_impersonation value without API value assigned

But for Azure CLI version later than 2.37.0, the underlying API is MS Graph API and the oath2permission won't be modified by default
*Same command: az ad app create --display-name xxx
We want to know how to modify the value by az ad app?

Detailed application creation

For v2.36.0

PS C:\windows\system32> az ad app create --display-name Demo2360
The underlying Active Directory Graph API will be replaced by Microsoft Graph API in Azure CLI 2.37.0. Please carefully review all breaking changes introduced during this migration: https://docs.microsoft.com/cli/azure/microsoft-graph-migration
{
"acceptMappedClaims": null,
"addIns": [],
"allowGuestsSignIn": null,
"allowPassthroughUsers": null,
"appId": "1b2237c0-0480-464d-bef8-6a922d5c1904",
"appLogoUrl": null,
"appPermissions": null,
"appRoles": [],
"applicationTemplateId": null,
"availableToOtherTenants": false,
"deletionTimestamp": null,
"displayName": "Demo2360",
"errorUrl": null,
"groupMembershipClaims": null,
"homepage": null,
"identifierUris": [],
"informationalUrls": {
"marketing": null,
"privacy": null,
"support": null,
"termsOfService": null
},
"isDeviceOnlyAuthSupported": null,
"keyCredentials": [],
"knownClientApplications": [],
"logo@odata.mediaContentType": "application/json;odata=minimalmetadata; charset=utf-8",
"logo@odata.mediaEditLink": "directoryObjects/f3ff2b88-83ee-4ce3-865d-eba2d7db397a/Microsoft.DirectoryServices.Application/logo",
"logoUrl": null,
"logoutUrl": null,
"mainLogo@odata.mediaEditLink": "directoryObjects/f3ff2b88-83ee-4ce3-865d-eba2d7db397a/Microsoft.DirectoryServices.Application/mainLogo",
"oauth2AllowIdTokenImplicitFlow": true,
"oauth2AllowImplicitFlow": false,
"oauth2AllowUrlPathMatching": false,
"oauth2Permissions": [
{
"adminConsentDescription": "Allow the application to access Demo2360 on behalf of the signed-in user.",
"adminConsentDisplayName": "Access Demo2360",
"id": "d97ed074-f751-4819-adc5-7d0a2a3eb207",
"isEnabled": true,
"type": "User",
"userConsentDescription": "Allow the application to access Demo2360 on your behalf.",
"userConsentDisplayName": "Access Demo2360",
"value": "user_impersonation"
}
],
"oauth2RequirePostResponse": false,
"objectId": "f3ff2b88-83ee-4ce3-865d-eba2d7db397a",
"objectType": "Application",
"odata.metadata": "https://graph.windows.net/08519609-343d-4644-a637-88791feb8e02/$metadata#directoryObjects/@Element",
"odata.type": "Microsoft.DirectoryServices.Application",
"optionalClaims": null,
"orgRestrictions": [],
"parentalControlSettings": {
"countriesBlockedForMinors": [],
"legalAgeGroupRule": "Allow"
},
"passwordCredentials": [],
"preAuthorizedApplications": null,
"publicClient": null,
"publisherDomain": "jilllab.onmicrosoft.com",
"recordConsentConditions": null,
"replyUrls": [],
"requiredResourceAccess": [],
"samlMetadataUrl": null,
"signInAudience": "AzureADMyOrg",
"tokenEncryptionKeyId": null,
"wwwHomepage": null
}
PS C:\windows\system32>

***For version 2.40.0

PS /home/jill> az ad app create --display-name Demo2400
{
"@odata.context": "https://graph.microsoft.com/v1.0/$metadata#applications/$entity",
"addIns": [],
"api": {
"acceptMappedClaims": null,
"knownClientApplications": [],
"oauth2PermissionScopes": [],
"preAuthorizedApplications": [],
"requestedAccessTokenVersion": 2
},
"appId": "eda112db-5327-4b2b-96a0-84a849723304",
"appRoles": [],
"applicationTemplateId": null,
"certification": null,
"createdDateTime": "2022-09-21T09:26:26.5661795Z",
"defaultRedirectUri": null,
"deletedDateTime": null,
"description": null,
"disabledByMicrosoftStatus": null,
"displayName": "Demo2400",
"groupMembershipClaims": null,
"id": "863f0f91-e9ab-4b4e-81d4-0e8881ac0caa",
"identifierUris": [],
"info": {
"logoUrl": null,
"marketingUrl": null,
"privacyStatementUrl": null,
"supportUrl": null,
"termsOfServiceUrl": null
},
"isDeviceOnlyAuthSupported": null,
"isFallbackPublicClient": null,
"keyCredentials": [],
"notes": null,
"optionalClaims": null,
"parentalControlSettings": {
"countriesBlockedForMinors": [],
"legalAgeGroupRule": "Allow"
},
"passwordCredentials": [],
"publicClient": {
"redirectUris": []
},
"publisherDomain": "microsoft.onmicrosoft.com",
"requiredResourceAccess": [],
"samlMetadataUrl": null,
"serviceManagementReference": null,
"signInAudience": "AzureADandPersonalMicrosoftAccount",
"spa": {
"redirectUris": []
},
"tags": [],
"tokenEncryptionKeyId": null,
"verifiedPublisher": {
"addedDateTime": null,
"displayName": null,
"verifiedPublisherId": null
},
"web": {
"homePageUrl": null,
"implicitGrantSettings": {
"enableAccessTokenIssuance": false,
"enableIdTokenIssuance": false
},
"logoutUrl": null,
"redirectUriSettings": [],
"redirectUris": []
}
}
PS /home/jill>

On manifest there's no nodification on oath2permission

I've searched online and there's only API permission can be modified not the Expose by API.

Resource Provider

Azure Active Directory/App registration

Description of Feature or Work Requested

oath2permission is able to be changed by cli

Minimum API Version Required

2.37.0

Swagger PR link / SDK link

N/A

Request Example

No response

Target Date

N/A

Additional context

No response

[jillyueh020]

For MS Grpha API is to do:
PATCH https://graph.microsoft.com/v1.0/applications/
{
"api": {
"oauth2PermissionScopes": [
{
"adminConsentDescription": "user_impersonation",
"adminConsentDisplayName": "user_impersonation",
"id": "9272bb24-b60a-458a-a6a0-3b1235adbd4d",
"isEnabled": true,
"type": "User",
"userConsentDescription": "user_impersonation",
"userConsentDisplayName": "user_impersonation",
"value": "user_impersonation"
}
]
}
}

It can successfully updated the manifest and Expose to API. < 204 OK>

But not sure if Azure CLI support this kind of PATCH call to update the oath2permission in api

Thank you team!

[yonzhan]

@jiasli for awareness

[jiasli]

Azure CLI 2.36.0 uses AD Graph which sets oauth2Permissions to user_impersonation by default.

Azure CLI 2.37.0 uses MS Graph and not setting oauth2Permissions to user_impersonation is the designed behavior of Microsoft Graph.

Currently there is no native command or argument for updating oauth2Permissions. As a workaround, use az rest command to directly call MS Graph API. Examples can be found at #22580 (comment).

Thank you for your feedback. This has been routed to the support team for assistance.

[BenjaminAbt]

Please bring back the support.

Thousands of developers now have to convert a CLI to REST because support was removed in what should have been a stable CLI. The impact and dissatisfaction is huge.

Thousands of developer hours are burned unnecessarily. That's millions of dollars.

[BenjaminAbt]

And one more addition: Azure CLI versioning is based on semver.
But the changes violate the semver principle.

Version 2.36 to 2.37 is a minor update, but the changes are huge breaking changes. Both the commands and the overall behavior of the CLI has changed without any compatibility.

https://semver.org/
According to Semver, this should have been a major change. That's why so many are so surprised by the changes.

MINOR version when you add functionality in a backwards compatible manner