Related command
az account get-access-token --output json --resource "https://graph.microsoft.com"
Is your feature request related to a problem? Please describe.
I see a strange behaviour by following these steps:
- Sign into the tenant via Azure CLI
- Request an access token for the Microsoft Graph API via the Azure CLI:
az account get-access-token --output json --resource "https://graph.microsoft.com"
- The token generation is successful and can be decoded in https://jwt.ms/
- The app ID (
appid claim) for the Azure CLI that is present in the token cannot be found in Entra ID for that tenant (not in app registrations nor in entreprise apps)
Describe the solution you'd like
From my understanding, the Azure CLI is an Entra ID app that relies on a standard approach to interact with exposed APIs on behalf of users.
Additional permissions cannot be granted via the Portal and this leads to problems with other Microsoft solutions, such as the Graph SDK using Azure CLI credentials. Such SDKs might need additional permissions (for example, Mail.Send for the Graph API), however it doesn't seem the delegated permission can be granted to the Azure CLI.
Is this just an issue with the Azure Portal, or is this scenario not possible at all?
Describe alternatives you've considered
A separate app registration can be created with delegated permissions, but this defeats the purpose of the Azure CLI credential.
Additional context
For ease of understanding and following the trail of thought, here is the associated issue in the Microsoft Graph SDK repo.
Related command
az account get-access-token --output json --resource "https://graph.microsoft.com"Is your feature request related to a problem? Please describe.
I see a strange behaviour by following these steps:
az account get-access-token --output json --resource "https://graph.microsoft.com"appidclaim) for the Azure CLI that is present in the token cannot be found in Entra ID for that tenant (not in app registrations nor in entreprise apps)Describe the solution you'd like
From my understanding, the Azure CLI is an Entra ID app that relies on a standard approach to interact with exposed APIs on behalf of users.
Additional permissions cannot be granted via the Portal and this leads to problems with other Microsoft solutions, such as the Graph SDK using Azure CLI credentials. Such SDKs might need additional permissions (for example,
Mail.Sendfor the Graph API), however it doesn't seem the delegated permission can be granted to the Azure CLI.Is this just an issue with the Azure Portal, or is this scenario not possible at all?
Describe alternatives you've considered
A separate app registration can be created with delegated permissions, but this defeats the purpose of the Azure CLI credential.
Additional context
For ease of understanding and following the trail of thought, here is the associated issue in the Microsoft Graph SDK repo.