3
votes

I am trying to create an Azure AD app with an updated manifest that has access to Windows Azure AD. I have been able to successfully create / configure a new App Registration but run into issues when I try to configure the Manifest.

I have tried using the sample code provided by MS (https://docs.microsoft.com/en-us/cli/azure/ad/app?view=azure-cli-latest#az-ad-app-create) with an updated 'resourceAppId' from an already existing App Registration; however, bash throws an error.

    az ad app create --display-name myTest --homepage https://blah.test.com --reply-urls https://blah.test.com/.auth/login/add/callback --required-resource-accesses @manifest.json

("manifest.json" contains the following content)

    [{
      "resourceAppId": "00000002-0000-0000-c000-000000000000",
      "resourceAccess": [
        {
          "id": "a42657d6-7f20-40e3-b6f0-cee03008a62a-test",
          "type": "Scope"
        }
      ]
    }]

As I've copied the sample code and just updated a few params, I would expect it to run. TIA for any suggestions.

This is the error I receive when running via the portal.

Rohit Saigal: I see for "id" you have -test at the end of a GUID a42657d6-7f20-40e3-b6f0-cee03008a62a-test. Try replacing that with a new valid GUID only.

tothecl0ud: I just stubbed that out for testing. I'm using a GUID that I have copied from an existing app registration's manifest (that is set up correctly).

Rohit Saigal: OK, got it. Any more details about the error message you get back?

Joy Wang-MSFT: Could you provide the error?

1 Answer

3
votes

Because you provide too little useful information, I am not sure what error you got.

I have tested your script, and I got the error below.

az ad app create --display-name 'myTest' --homepage 'https://blah.test.com --reply-urls https://blah.test.com/.auth/login/add/callback' --required-resource-accesses 'C:\Users\joyw\Desktop\manifest.json'
az : ERROR: '--identifier-uris' is required for creating an application
    At line:1 char:1
    + az ad app create --display-name 'myTest' --homepage 'https://blah.tes ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : NotSpecified: (ERROR: '--ident... an application:String) [], RemoteException
        + FullyQualifiedErrorId : NativeCommandError

If you also get this error, just add the parameter, e.g. --identifier-uris 'https://mytestapp.websites.net'; the complete command will be like:

az ad app create --display-name 'myTest' --homepage 'https://blah.test.com' --reply-urls 'https://blah.test.com/.auth/login/add/callback' --identifier-uris 'https://mytestapp.websites.net' --required-resource-accesses 'C:\Users\joyw\Desktop\manifest.json'

Then it will work fine.

Per my understanding, you may think something is wrong with the resourceAppId in your manifest.json. If you do not get the error above, you could follow the information below to troubleshoot and make sure you use the correct properties in the manifest.json.

My manifest.json file:

    [{
      "resourceAppId": "69ae001f-xxxxxxxx-375585ac983e",
      "resourceAccess": [
        {
          "id": "6833b2c6-9954-43e1-ac46-f54a26a3b693",
          "type": "Scope"
        },
        {
          "id": "1b4f816e-5eaf-48b9-8613-7923830595ad",
          "type": "Role"
        }
      ]
    }]

The resourceAppId is the application id of the service principal (i.e. the application id of the AD App), so you are correct.

In the resourceAccess, the type is Scope or Role. Scope represents a Delegated permission, Role represents an Application permission. For an Application permission, you can find it in the appRoles in the manifest of the AD App which you are using (for my sample it is the app 69ae001f-xxxxxxxx-375585ac983e). For a Delegated permission, you can find it in the oauth2Permissions in the manifest. Then take the id from the corresponding entry.

Check it against the manifest of my sample AD App; note the ids and how they correspond, and it will be clear.

appRoles:

    "appRoles": [
      {
        "allowedMemberTypes": [
          "Application"
        ],
        "displayName": "SurveyCreator",
        "id": "1b4f816e-5eaf-48b9-8613-7923830595ad",
        "isEnabled": true,
        "description": "Creators can create Surveys",
        "value": "SurveyCreator"
      }
    ]

oauth2Permissions:

    "oauth2Permissions": [
      {
        "adminConsentDescription": "Allow the application to access joywebtest on behalf of the signed-in user.",
        "adminConsentDisplayName": "Access joywebtest",
        "id": "6833b2c6-9954-43e1-ac46-f54a26a3b693",
        "isEnabled": true,
        "type": "User",
        "userConsentDescription": "Allow the application to access joywebtest on your behalf.",
        "userConsentDisplayName": "Access joywebtest",
        "value": "user_impersonation"
      }
    ]

Finally, we can check the AD App we just created in the portal. It will have the Required permissions we set.

For more details, you can also see Azure Active Directory app manifest.
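The Scope/Role mapping the answer walks through, and the malformed GUID the comments point out, as an added example that is not part of the original question or answer: it builds the --required-resource-accesses document from the resource app's appRoles / oauth2Permissions, and checks a hand-written manifest.json against them before anything is granted. The resource appId below is a constructed placeholder; the permission ids are the answer's sample values.

```python
import json
import uuid
# Constructed sample: the *resource* app's manifest, reduced to the two arrays the answer
# points at. The appId is a placeholder, not a real application id.
RESOURCE_APP_ID = "00000000-0000-0000-0000-000000000001"
RESOURCE_MANIFEST = {
    "appId": RESOURCE_APP_ID,
    "appRoles": [  # application permissions -> referenced with "type": "Role"
        {"id": "1b4f816e-5eaf-48b9-8613-7923830595ad", "value": "SurveyCreator", "isEnabled": True}],
    "oauth2Permissions": [  # delegated permissions -> referenced with "type": "Scope"
        {"id": "6833b2c6-9954-43e1-ac46-f54a26a3b693", "value": "user_impersonation", "isEnabled": True}],
}
SOURCE = {"Scope": "oauth2Permissions", "Role": "appRoles"}

def build_required_resource_access(manifest, scopes=(), roles=()):
    """Turn permission values into the [{resourceAppId, resourceAccess}] document az expects."""
    access = []
    for kind, wanted in (("Scope", scopes), ("Role", roles)):
        ids = {p["value"]: p["id"] for p in manifest.get(SOURCE[kind], [])}
        for value in wanted:
            if value not in ids:
                raise KeyError(f"{kind} '{value}' is not defined by app {manifest['appId']}")
            access.append({"id": ids[value], "type": kind})
    return [{"resourceAppId": manifest["appId"], "resourceAccess": access}]

def validate_required_resource_access(doc, manifest):
    """Check a hand-written manifest.json against the resource app; return a list of problems."""
    known = {k: {p["id"] for p in manifest.get(src, []) if p.get("isEnabled", True)}
             for k, src in SOURCE.items()}
    problems = []
    for entry in doc:
        if entry.get("resourceAppId") != manifest["appId"]:
            problems.append(f"resourceAppId {entry.get('resourceAppId')!r} is not the manifest's appId")
            continue
        for acc in entry.get("resourceAccess", []):
            pid, kind = acc.get("id", ""), acc.get("type")
            try:
                uuid.UUID(pid)  # rejects e.g. a GUID with a stray '-test' suffix
            except ValueError:
                problems.append(f"{pid!r} is not a valid GUID")
                continue
            if kind not in known:
                problems.append(f"type {kind!r} must be 'Scope' or 'Role'")
            elif pid not in known[kind]:
                problems.append(f"{kind} id {pid} not found in {SOURCE[kind]}")
    return problems

if __name__ == "__main__":
    doc = build_required_resource_access(RESOURCE_MANIFEST, ["user_impersonation"], ["SurveyCreator"])
    print(json.dumps(doc, indent=2))  # save as manifest.json for --required-resource-accesses
    print(validate_required_resource_access(doc, RESOURCE_MANIFEST))  # -> []
```

Running the validator over the question's manifest (with a Role id mistakenly typed as Scope added for illustration) reports the malformed GUID and the type mismatch before the app registration is created.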