
"az ad app show" results in "Insufficient privileges..." under Ubuntu #27831

Closed
PatrickZeier-SAG opened this issue Nov 13, 2023 · 4 comments

Labels: Account (az login/account), Auto-Assign (auto assign by bot), Azure CLI Team (the command of the issue is owned by Azure CLI team), customer-reported (issues that are reported by GitHub users external to the Azure organization), Graph (az ad), question (the issue doesn't require a change to the product in order to be resolved; most issues start as that)
Milestone

Comments

PatrickZeier-SAG commented Nov 13, 2023

Describe the bug

When logging into Azure with an SP and executing az ad app show --id <service principal id>, this works with the Azure CLI under Windows, but under Ubuntu (same version) I get "Insufficient privileges to complete the operation."

When I compare the request where it fails in the debug log, it seems that some OData parts are missing in the header:

'Content-Type': 'application/json;odata.metadata=minimal;odata.streaming=true;IEEE754Compatible=false;charset=utf-8'
'OData-Version': '4.0'

Related command

# az login --service-principal -u <client id> --password <client password> -t <tenant id> --allow-no-subscription
...
# az ad app show --id <client id>
Insufficient privileges to complete the operation.

Errors

Insufficient privileges to complete the operation.

Issue script & Debug output

Ubuntu:

# az ad app show --id CLIENT-ID-ANONYMIZED --debug
cli.knack.cli: Command arguments: ['ad', 'app', 'show', '--id', 'CLIENT-ID-ANONYMIZED', '--debug']
cli.knack.cli: __init__ debug log:
Enable color in terminal.
cli.knack.cli: Event: Cli.PreExecute []
cli.knack.cli: Event: CommandParser.OnGlobalArgumentsCreate [<function CLILogging.on_global_arguments at 0x7f7303cf1360>, <function OutputProducer.on_global_arguments at 0x7f7303c54280>, <function CLIQuery.on_global_arguments at 0x7f7303a71480>]
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableCreate []
cli.azure.cli.core: Modules found from index for 'ad': ['azure.cli.command_modules.role']
cli.azure.cli.core: Loading command modules:
cli.azure.cli.core: Name                  Load Time    Groups  Commands
cli.azure.cli.core: role                      0.004        17        61
cli.azure.cli.core: Total (1)                 0.004        17        61
cli.azure.cli.core: These extensions are not installed and will be skipped: ['azext_ai_examples', 'azext_next']
cli.azure.cli.core: Loading extensions:
cli.azure.cli.core: Name                  Load Time    Groups  Commands  Directory
cli.azure.cli.core: Total (0)                 0.000         0         0
cli.azure.cli.core: Loaded 17 groups, 61 commands.
cli.azure.cli.core: Found a match in the command table.
cli.azure.cli.core: Raw command  : ad app show
cli.azure.cli.core: Command table: ad app show
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableTruncate [<function AzCliLogging.init_command_file_logging at 0x7f7302cc2dd0>]
cli.azure.cli.core.azlogging: metadata file logging enabled - writing logs to '/home/user/.azure/commands/2023-11-13.15-46-43.ad_app_show.2146228.log'.
az_command_data_logger: command args: ad app show --id {} --debug
cli.knack.cli: Event: CommandInvoker.OnPreArgumentLoad [<function register_global_subscription_argument.<locals>.add_subscription_parameter at 0x7f7302d03a30>]
cli.knack.cli: Event: CommandInvoker.OnPostArgumentLoad []
cli.knack.cli: Event: CommandInvoker.OnPostCommandTableCreate [<function register_ids_argument.<locals>.add_ids_arguments at 0x7f7302d20a60>, <function register_cache_arguments.<locals>.add_cache_arguments at 0x7f7302d21870>]
cli.knack.cli: Event: CommandInvoker.OnCommandTableLoaded []
cli.knack.cli: Event: CommandInvoker.OnPreParseArgs []
cli.knack.cli: Event: CommandInvoker.OnPostParseArgs [<function OutputProducer.handle_output_argument at 0x7f7303c54310>, <function CLIQuery.handle_query_parameter at 0x7f7303a71510>, <function register_ids_argument.<locals>.parse_ids_arguments at 0x7f7302d217e0>]
cli.azure.cli.core.util: Retrieving token for resource https://graph.microsoft.com/
cli.azure.cli.core.auth.persistence: build_persistence: location='/home/user/.azure/service_principal_entries.json', encrypt=False
cli.azure.cli.core.auth.persistence: build_persistence: location='/home/user/.azure/msal_token_cache.json', encrypt=False
cli.azure.cli.core.auth.binary_cache: load: /home/user/.azure/msal_http_cache.bin
urllib3.util.retry: Converted retries value: 1 -> Retry(total=1, connect=None, read=None, redirect=None, status=None)
msal.authority: openid_config = {'token_endpoint': 'https://login.microsoftonline.com/TENANT-ID-ANONYMIZED/oauth2/v2.0/token', 'token_endpoint_auth_methods_supported': ['client_secret_post', 'private_key_jwt', 'client_secret_basic'], 'jwks_uri': 'https://login.microsoftonline.com/TENANT-ID-ANONYMIZED/discovery/v2.0/keys', 'response_modes_supported': ['query', 'fragment', 'form_post'], 'subject_types_supported': ['pairwise'], 'id_token_signing_alg_values_supported': ['RS256'], 'response_types_supported': ['code', 'id_token', 'code id_token', 'id_token token'], 'scopes_supported': ['openid', 'profile', 'email', 'offline_access'], 'issuer': 'https://login.microsoftonline.com/TENANT-ID-ANONYMIZED/v2.0', 'request_uri_parameter_supported': False, 'userinfo_endpoint': 'https://graph.microsoft.com/oidc/userinfo', 'authorization_endpoint': 'https://login.microsoftonline.com/TENANT-ID-ANONYMIZED/oauth2/v2.0/authorize', 'device_authorization_endpoint': 'https://login.microsoftonline.com/TENANT-ID-ANONYMIZED/oauth2/v2.0/devicecode', 'http_logout_supported': True, 'frontchannel_logout_supported': True, 'end_session_endpoint': 'https://login.microsoftonline.com/TENANT-ID-ANONYMIZED/oauth2/v2.0/logout', 'claims_supported': ['sub', 'iss', 'cloud_instance_name', 'cloud_instance_host_name', 'cloud_graph_host_name', 'msgraph_host', 'aud', 'exp', 'iat', 'auth_time', 'acr', 'nonce', 'preferred_username', 'name', 'tid', 'ver', 'at_hash', 'c_hash', 'email'], 'kerberos_endpoint': 'https://login.microsoftonline.com/TENANT-ID-ANONYMIZED/kerberos', 'tenant_region_scope': 'EU', 'cloud_instance_name': 'microsoftonline.com', 'cloud_graph_host_name': 'graph.windows.net', 'msgraph_host': 'graph.microsoft.com', 'rbac_url': 'https://pas.windows.net'}
msal.application: Broker enabled? False
msal.application: Region to be used: None
cli.azure.cli.core.auth.msal_authentication: ServicePrincipalCredential.get_token: scopes=('https://graph.microsoft.com//.default',), kwargs={}
msal.application: Cache hit an AT
msal.telemetry: Generate or reuse correlation_id: 933f05c2-f6af-4b12-8d84-39afc1ac265e
cli.azure.cli.core.util: Request URL: 'https://graph.microsoft.com/v1.0/applications?$filter=appId%20eq%20%27CLIENT-ID-ANONYMIZED%27'
cli.azure.cli.core.util: Request method: 'GET'
cli.azure.cli.core.util: Request headers:
cli.azure.cli.core.util:     'User-Agent': 'python/3.10.10 (Linux-5.15.90.1-microsoft-standard-WSL2-x86_64-with-glibc2.35) AZURECLI/2.53.1 (DEB)'
cli.azure.cli.core.util:     'Accept-Encoding': 'gzip, deflate'
cli.azure.cli.core.util:     'Accept': '*/*'
cli.azure.cli.core.util:     'Connection': 'keep-alive'
cli.azure.cli.core.util:     'x-ms-client-request-id': '8ff51367-8ea2-4ee0-86a4-6d9e55c26d53'
cli.azure.cli.core.util:     'CommandName': 'ad app show'
cli.azure.cli.core.util:     'ParameterSetName': '--id --debug'
cli.azure.cli.core.util:     'Authorization': 'Bearer eyJ0eXAiOiJKV...'
cli.azure.cli.core.util: Request body:
cli.azure.cli.core.util: None
urllib3.connectionpool: Starting new HTTPS connection (1): graph.microsoft.com:443
urllib3.connectionpool: https://graph.microsoft.com:443 "GET /v1.0/applications?$filter=appId%20eq%20%27CLIENT-ID-ANONYMIZED%27 HTTP/1.1" 403 None
cli.azure.cli.core.util: Response status: 403
cli.azure.cli.core.util: Response headers:
cli.azure.cli.core.util:     'Cache-Control': 'no-cache'
cli.azure.cli.core.util:     'Transfer-Encoding': 'chunked'
cli.azure.cli.core.util:     'Content-Type': 'application/json'
cli.azure.cli.core.util:     'Content-Encoding': 'gzip'
cli.azure.cli.core.util:     'Vary': 'Accept-Encoding'
cli.azure.cli.core.util:     'Strict-Transport-Security': 'max-age=31536000'
cli.azure.cli.core.util:     'request-id': '69398ae6-e784-404e-a06b-f049968e8bda'
cli.azure.cli.core.util:     'client-request-id': '69398ae6-e784-404e-a06b-f049968e8bda'
cli.azure.cli.core.util:     'x-ms-ags-diagnostic': '{"ServerInfo":{"DataCenter":"Germany West Central","Slice":"E","Ring":"5","ScaleUnit":"004","RoleInstance":"FR2PEPF000003FD"}}'
cli.azure.cli.core.util:     'x-ms-resource-unit': '2'
cli.azure.cli.core.util:     'Date': 'Mon, 13 Nov 2023 14:46:40 GMT'
cli.azure.cli.core.util: Response content:
cli.azure.cli.core.util: {"error":{"code":"Authorization_RequestDenied","message":"Insufficient privileges to complete the operation.","innerError":{"date":"2023-11-13T14:46:40","request-id":"69398ae6-e784-404e-a06b-f049968e8bda","client-request-id":"69398ae6-e784-404e-a06b-f049968e8bda"}}}
cli.azure.cli.core.azclierror: Traceback (most recent call last):
  File "/opt/az/lib/python3.10/site-packages/azure/cli/command_modules/role/_msgrpah/_graph_client.py", line 52, in _send
    r = send_raw_request(self._cli_ctx, method, url, resource=self._resource, uri_parameters=param,
  File "/opt/az/lib/python3.10/site-packages/azure/cli/core/util.py", line 1010, in send_raw_request
    raise HTTPError(reason, r)
azure.cli.core.azclierror.HTTPError: Forbidden({"error":{"code":"Authorization_RequestDenied","message":"Insufficient privileges to complete the operation.","innerError":{"date":"2023-11-13T14:46:40","request-id":"69398ae6-e784-404e-a06b-f049968e8bda","client-request-id":"69398ae6-e784-404e-a06b-f049968e8bda"}}})

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "/opt/az/lib/python3.10/site-packages/azure/cli/core/commands/__init__.py", line 697, in _run_job
    result = cmd_copy(params)
  File "/opt/az/lib/python3.10/site-packages/azure/cli/core/commands/__init__.py", line 333, in __call__
    return self.handler(*args, **kwargs)
  File "/opt/az/lib/python3.10/site-packages/azure/cli/core/commands/command_operation.py", line 363, in handler
    show_exception_handler(ex)
  File "/opt/az/lib/python3.10/site-packages/azure/cli/core/commands/arm.py", line 429, in show_exception_handler
    raise ex
  File "/opt/az/lib/python3.10/site-packages/azure/cli/core/commands/command_operation.py", line 361, in handler
    return op(**command_args)
  File "/opt/az/lib/python3.10/site-packages/azure/cli/command_modules/role/custom.py", line 753, in show_application
    object_id = _resolve_application(client, identifier)
  File "/opt/az/lib/python3.10/site-packages/azure/cli/command_modules/role/custom.py", line 797, in _resolve_application
    result = client.application_list(filter="appId eq '{}'".format(identifier))
  File "/opt/az/lib/python3.10/site-packages/azure/cli/command_modules/role/_msgrpah/_graph_client.py", line 86, in application_list
    result = self._send("GET", "/applications" + _filter_to_query(filter))
  File "/opt/az/lib/python3.10/site-packages/azure/cli/command_modules/role/_msgrpah/_graph_client.py", line 55, in _send
    raise GraphError(ex.response.json()['error']['message'], ex.response) from ex
azure.cli.command_modules.role._msgrpah._graph_client.GraphError: Insufficient privileges to complete the operation.

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/opt/az/lib/python3.10/site-packages/knack/cli.py", line 233, in invoke
    cmd_result = self.invocation.execute(args)
  File "/opt/az/lib/python3.10/site-packages/azure/cli/core/commands/__init__.py", line 663, in execute
    raise ex
  File "/opt/az/lib/python3.10/site-packages/azure/cli/core/commands/__init__.py", line 726, in _run_jobs_serially
    results.append(self._run_job(expanded_arg, cmd_copy))
  File "/opt/az/lib/python3.10/site-packages/azure/cli/core/commands/__init__.py", line 718, in _run_job
    return cmd_copy.exception_handler(ex)
  File "/opt/az/lib/python3.10/site-packages/azure/cli/command_modules/role/commands.py", line 50, in graph_err_handler
    raise CLIError(ex)
knack.util.CLIError: Insufficient privileges to complete the operation.

cli.azure.cli.core.azclierror: Insufficient privileges to complete the operation.
az_command_data_logger: Insufficient privileges to complete the operation.
cli.knack.cli: Event: Cli.PostExecute [<function AzCliLogging.deinit_cmd_metadata_logging at 0x7f7302cc3010>]
az_command_data_logger: exit code: 1
cli.__main__: Command ran in 0.573 seconds (init: 0.136, invoke: 0.437)
telemetry.main: Begin splitting cli events and extra events, total events: 1
telemetry.client: Accumulated 0 events. Flush the clients.
telemetry.main: Finish splitting cli events and extra events, cli events: 1
telemetry.save: Save telemetry record of length 3518 in cache
telemetry.main: Begin creating telemetry upload process.
telemetry.process: Creating upload process: "/usr/bin/../../opt/az/bin/python3 /opt/az/lib/python3.10/site-packages/azure/cli/telemetry/__init__.py /home/user/.azure"
telemetry.process: Return from creating process
telemetry.main: Finish creating telemetry upload process.

Windows:

# az ad app show --id CLIENT-ID-ANONYMIZED --debug
cli.knack.cli: Command arguments: ['ad', 'app', 'show', '--id', 'CLIENT-ID-ANONYMIZED', '--debug']
cli.knack.cli: __init__ debug log:
Enable color in terminal.
cli.knack.cli: Event: Cli.PreExecute []
cli.knack.cli: Event: CommandParser.OnGlobalArgumentsCreate [<function CLILogging.on_global_arguments at 0x0168A460>, <function OutputProducer.on_global_arguments at 0x0178C6A0>, <function CLIQuery.on_global_arguments at 0x018A82F8>]
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableCreate []
cli.azure.cli.core: Modules found from index for 'ad': ['azure.cli.command_modules.role']
cli.azure.cli.core: Loading command modules:
cli.azure.cli.core: Name                  Load Time    Groups  Commands
cli.azure.cli.core: role                      0.009        17        61
cli.azure.cli.core: Total (1)                 0.009        17        61
cli.azure.cli.core: Loaded 17 groups, 61 commands.
cli.azure.cli.core: Found a match in the command table.
cli.azure.cli.core: Raw command  : ad app show
cli.azure.cli.core: Command table: ad app show
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableTruncate [<function AzCliLogging.init_command_file_logging at 0x03ABC418>]
cli.azure.cli.core.azlogging: metadata file logging enabled - writing logs to 'C:\Users\user\.azure\commands\2023-11-13.15-56-31.ad_app_show.32584.log'.
az_command_data_logger: command args: ad app show --id {} --debug
cli.knack.cli: Event: CommandInvoker.OnPreArgumentLoad [<function register_global_subscription_argument.<locals>.add_subscription_parameter at 0x03AE4418>]
cli.knack.cli: Event: CommandInvoker.OnPostArgumentLoad []
cli.knack.cli: Event: CommandInvoker.OnPostCommandTableCreate [<function register_ids_argument.<locals>.add_ids_arguments at 0x03AF44F0>, <function register_cache_arguments.<locals>.add_cache_arguments at 0x03AF4580>]
cli.knack.cli: Event: CommandInvoker.OnCommandTableLoaded []
cli.knack.cli: Event: CommandInvoker.OnPreParseArgs []
cli.knack.cli: Event: CommandInvoker.OnPostParseArgs [<function OutputProducer.handle_output_argument at 0x0178C6E8>, <function CLIQuery.handle_query_parameter at 0x018A8340>, <function register_ids_argument.<locals>.parse_ids_arguments at 0x03AF4538>]
cli.azure.cli.core.util: Retrieving token for resource https://graph.microsoft.com/
cli.azure.cli.core.auth.persistence: build_persistence: location='C:\\Users\\user\\.azure\\service_principal_entries.bin', encrypt=True
cli.azure.cli.core.auth.persistence: build_persistence: location='C:\\Users\\user\\.azure\\msal_token_cache.bin', encrypt=True
cli.azure.cli.core.auth.binary_cache: load: C:\Users\user\.azure\msal_http_cache.bin
urllib3.util.retry: Converted retries value: 1 -> Retry(total=1, connect=None, read=None, redirect=None, status=None)
msal.authority: openid_config = {'token_endpoint': 'https://login.microsoftonline.com/TENANT-ID-ANONYMIZED/oauth2/v2.0/token', 'token_endpoint_auth_methods_supported': ['client_secret_post', 'private_key_jwt', 'client_secret_basic'], 'jwks_uri': 'https://login.microsoftonline.com/TENANT-ID-ANONYMIZED/discovery/v2.0/keys', 'response_modes_supported': ['query', 'fragment', 'form_post'], 'subject_types_supported': ['pairwise'], 'id_token_signing_alg_values_supported': ['RS256'], 'response_types_supported': ['code', 'id_token', 'code id_token', 'id_token token'], 'scopes_supported': ['openid', 'profile', 'email', 'offline_access'], 'issuer': 'https://login.microsoftonline.com/TENANT-ID-ANONYMIZED/v2.0', 'request_uri_parameter_supported': False, 'userinfo_endpoint': 'https://graph.microsoft.com/oidc/userinfo', 'authorization_endpoint': 'https://login.microsoftonline.com/TENANT-ID-ANONYMIZED/oauth2/v2.0/authorize', 'device_authorization_endpoint': 'https://login.microsoftonline.com/TENANT-ID-ANONYMIZED/oauth2/v2.0/devicecode', 'http_logout_supported': True, 'frontchannel_logout_supported': True, 'end_session_endpoint': 'https://login.microsoftonline.com/TENANT-ID-ANONYMIZED/oauth2/v2.0/logout', 'claims_supported': ['sub', 'iss', 'cloud_instance_name', 'cloud_instance_host_name', 'cloud_graph_host_name', 'msgraph_host', 'aud', 'exp', 'iat', 'auth_time', 'acr', 'nonce', 'preferred_username', 'name', 'tid', 'ver', 'at_hash', 'c_hash', 'email'], 'kerberos_endpoint': 'https://login.microsoftonline.com/TENANT-ID-ANONYMIZED/kerberos', 'tenant_region_scope': 'EU', 'cloud_instance_name': 'microsoftonline.com', 'cloud_graph_host_name': 'graph.windows.net', 'msgraph_host': 'graph.microsoft.com', 'rbac_url': 'https://pas.windows.net'}
msal.application: Broker enabled? False
msal.application: Region to be used: None
cli.azure.cli.core.auth.msal_authentication: ServicePrincipalCredential.get_token: scopes=('https://graph.microsoft.com//.default',), kwargs={}
msal.application: Cache hit an AT
msal.telemetry: Generate or reuse correlation_id: a25fac5c-3549-4b67-8a31-cf6f2c5e879e
cli.azure.cli.core.util: Request URL: 'https://graph.microsoft.com/v1.0/applications?$filter=appId%20eq%20%27CLIENT-ID-ANONYMIZED%27'
cli.azure.cli.core.util: Request method: 'GET'
cli.azure.cli.core.util: Request headers:
cli.azure.cli.core.util:     'User-Agent': 'python/3.10.10 (Windows-10-10.0.19045-SP0) AZURECLI/2.53.1 (MSI)'
cli.azure.cli.core.util:     'Accept-Encoding': 'gzip, deflate'
cli.azure.cli.core.util:     'Accept': '*/*'
cli.azure.cli.core.util:     'Connection': 'keep-alive'
cli.azure.cli.core.util:     'x-ms-client-request-id': 'fcf4e045-98f7-4adf-9ff9-fc8c6565b82a'
cli.azure.cli.core.util:     'CommandName': 'ad app show'
cli.azure.cli.core.util:     'ParameterSetName': '--id --debug'
cli.azure.cli.core.util:     'Authorization': 'Bearer eyJ0eXAiOiJKV...'
cli.azure.cli.core.util: Request body:
cli.azure.cli.core.util: None
urllib3.connectionpool: Starting new HTTPS connection (1): graph.microsoft.com:443
urllib3.connectionpool: https://graph.microsoft.com:443 "GET /v1.0/applications?$filter=appId%20eq%20%27CLIENT-ID-ANONYMIZED%27 HTTP/1.1" 200 None
cli.azure.cli.core.util: Response status: 200
cli.azure.cli.core.util: Response headers:
cli.azure.cli.core.util:     'Cache-Control': 'no-cache'
cli.azure.cli.core.util:     'Transfer-Encoding': 'chunked'
cli.azure.cli.core.util:     'Content-Type': 'application/json;odata.metadata=minimal;odata.streaming=true;IEEE754Compatible=false;charset=utf-8'
cli.azure.cli.core.util:     'Content-Encoding': 'gzip'
cli.azure.cli.core.util:     'Vary': 'Accept-Encoding'
cli.azure.cli.core.util:     'Strict-Transport-Security': 'max-age=31536000'
cli.azure.cli.core.util:     'request-id': '0444d98b-09e4-4138-ad82-eeaacfec0905'
cli.azure.cli.core.util:     'client-request-id': '0444d98b-09e4-4138-ad82-eeaacfec0905'
cli.azure.cli.core.util:     'x-ms-ags-diagnostic': '{"ServerInfo":{"DataCenter":"Germany West Central","Slice":"E","Ring":"5","ScaleUnit":"001","RoleInstance":"FR2PEPF00000422"}}'
cli.azure.cli.core.util:     'x-ms-resource-unit': '2'
cli.azure.cli.core.util:     'OData-Version': '4.0'
cli.azure.cli.core.util:     'Date': 'Mon, 13 Nov 2023 14:56:28 GMT'
cli.azure.cli.core.util: Response content:
cli.azure.cli.core.util: {"@odata.context":"https://graph.microsoft.com/v1.0/$metadata#applications","value":[{"id":"APPLICATION-ID-ANONYMIZED","deletedDateTime":null,"appId":"CLIENT-ID-ANONYMIZED","applicationTemplateId":null,"disabledByMicrosoftStatus":null,"createdDateTime":"2023-11-13T10:30:09Z","displayName":"testreg1","description":null,"groupMembershipClaims":null,"identifierUris":[],"isDeviceOnlyAuthSupported":null,"isFallbackPublicClient":null,"notes":null,"publisherDomain":"userieroutlook.onmicrosoft.com","serviceManagementReference":null,"signInAudience":"AzureADMyOrg","tags":[],"tokenEncryptionKeyId":null,"samlMetadataUrl":null,"defaultRedirectUri":null,"certification":null,"optionalClaims":null,"requestSignatureVerification":null,"addIns":[],"api":{"acceptMappedClaims":null,"knownClientApplications":[],"requestedAccessTokenVersion":null,"oauth2PermissionScopes":[],"preAuthorizedApplications":[]},"appRoles":[],"info":{"logoUrl":null,"marketingUrl":null,"privacyStatementUrl":null,"supportUrl":null,"termsOfServiceUrl":null},"keyCredentials":[],"parentalControlSettings":{"countriesBlockedForMinors":[],"legalAgeGroupRule":"Allow"},"passwordCredentials":[{"customKeyIdentifier":null,"displayName":"testsec2","endDateTime":"2024-05-11T09:37:17.781Z","hint":"2jO","keyId":"cdb0ab82-d167-44c2-8c79-75d2b9b0dcd9","secretText":null,"startDateTime":"2023-11-13T10:37:17.781Z"},{"customKeyIdentifier":null,"displayName":"testsec1","endDateTime":"2024-05-11T09:36:36.053Z","hint":"ZDf","keyId":"662bd182-1ef6-4665-ad43-18ff8a7aef22","secretText":null,"startDateTime":"2023-11-13T10:36:36.053Z"}],"publicClient":{"redirectUris":[]},"requiredResourceAccess":[{"resourceAppId":"00000003-0000-0000-c000-000000000000","resourceAccess":[{"id":"9a5d68dd-52b0-4cc2-bd40-abcf44ac3a30","type":"Role"}]}],"verifiedPublisher":{"displayName":null,"verifiedPublisherId":null,"addedDateTime":null},"web":{"homePageUrl":null,"logoutUrl":null,"redirectUris":[],"implicitGrantSettings":{"enableAccessTokenIssuance":false,"enableIdTokenIssuance":false},"redirectUriSettings":[]},"servicePrincipalLockConfiguration":{"isEnabled":true,"allProperties":true,"credentialsWithUsageVerify":true,"credentialsWithUsageSign":true,"identifierUris":false,"tokenEncryptionKeyId":true},"spa":{"redirectUris":[]}}]}
cli.azure.cli.core.util: Retrieving token for resource https://graph.microsoft.com/
urllib3.util.retry: Converted retries value: 1 -> Retry(total=1, connect=None, read=None, redirect=None, status=None)
msal.authority: openid_config = {'token_endpoint': 'https://login.microsoftonline.com/TENANT-ID-ANONYMIZED/oauth2/v2.0/token', 'token_endpoint_auth_methods_supported': ['client_secret_post', 'private_key_jwt', 'client_secret_basic'], 'jwks_uri': 'https://login.microsoftonline.com/TENANT-ID-ANONYMIZED/discovery/v2.0/keys', 'response_modes_supported': ['query', 'fragment', 'form_post'], 'subject_types_supported': ['pairwise'], 'id_token_signing_alg_values_supported': ['RS256'], 'response_types_supported': ['code', 'id_token', 'code id_token', 'id_token token'], 'scopes_supported': ['openid', 'profile', 'email', 'offline_access'], 'issuer': 'https://login.microsoftonline.com/TENANT-ID-ANONYMIZED/v2.0', 'request_uri_parameter_supported': False, 'userinfo_endpoint': 'https://graph.microsoft.com/oidc/userinfo', 'authorization_endpoint': 'https://login.microsoftonline.com/TENANT-ID-ANONYMIZED/oauth2/v2.0/authorize', 'device_authorization_endpoint': 'https://login.microsoftonline.com/TENANT-ID-ANONYMIZED/oauth2/v2.0/devicecode', 'http_logout_supported': True, 'frontchannel_logout_supported': True, 'end_session_endpoint': 'https://login.microsoftonline.com/TENANT-ID-ANONYMIZED/oauth2/v2.0/logout', 'claims_supported': ['sub', 'iss', 'cloud_instance_name', 'cloud_instance_host_name', 'cloud_graph_host_name', 'msgraph_host', 'aud', 'exp', 'iat', 'auth_time', 'acr', 'nonce', 'preferred_username', 'name', 'tid', 'ver', 'at_hash', 'c_hash', 'email'], 'kerberos_endpoint': 'https://login.microsoftonline.com/TENANT-ID-ANONYMIZED/kerberos', 'tenant_region_scope': 'EU', 'cloud_instance_name': 'microsoftonline.com', 'cloud_graph_host_name': 'graph.windows.net', 'msgraph_host': 'graph.microsoft.com', 'rbac_url': 'https://pas.windows.net'}
msal.application: Broker enabled? False
msal.application: Region to be used: None
cli.azure.cli.core.auth.msal_authentication: ServicePrincipalCredential.get_token: scopes=('https://graph.microsoft.com//.default',), kwargs={}
msal.application: Cache hit an AT
msal.telemetry: Generate or reuse correlation_id: 1ecd11d3-b2e7-4b35-8990-972a08c055d5
cli.azure.cli.core.util: Request URL: 'https://graph.microsoft.com/v1.0/applications/APPLICATION-ID-ANONYMIZED'
cli.azure.cli.core.util: Request method: 'GET'
cli.azure.cli.core.util: Request headers:
cli.azure.cli.core.util:     'User-Agent': 'python/3.10.10 (Windows-10-10.0.19045-SP0) AZURECLI/2.53.1 (MSI)'
cli.azure.cli.core.util:     'Accept-Encoding': 'gzip, deflate'
cli.azure.cli.core.util:     'Accept': '*/*'
cli.azure.cli.core.util:     'Connection': 'keep-alive'
cli.azure.cli.core.util:     'x-ms-client-request-id': 'efb862b8-79c2-4c07-adee-ba3ffdd7b338'
cli.azure.cli.core.util:     'CommandName': 'ad app show'
cli.azure.cli.core.util:     'ParameterSetName': '--id --debug'
cli.azure.cli.core.util:     'Authorization': 'Bearer eyJ0eXAiOiJKV...'
cli.azure.cli.core.util: Request body:
cli.azure.cli.core.util: None
urllib3.connectionpool: Starting new HTTPS connection (1): graph.microsoft.com:443
urllib3.connectionpool: https://graph.microsoft.com:443 "GET /v1.0/applications/APPLICATION-ID-ANONYMIZED HTTP/1.1" 200 None
cli.azure.cli.core.util: Response status: 200
cli.azure.cli.core.util: Response headers:
cli.azure.cli.core.util:     'Cache-Control': 'no-cache'
cli.azure.cli.core.util:     'Transfer-Encoding': 'chunked'
cli.azure.cli.core.util:     'Content-Type': 'application/json;odata.metadata=minimal;odata.streaming=true;IEEE754Compatible=false;charset=utf-8'
cli.azure.cli.core.util:     'Content-Encoding': 'gzip'
cli.azure.cli.core.util:     'Vary': 'Accept-Encoding'
cli.azure.cli.core.util:     'Strict-Transport-Security': 'max-age=31536000'
cli.azure.cli.core.util:     'request-id': 'ad9d76a6-c7ed-4d46-9931-226382709276'
cli.azure.cli.core.util:     'client-request-id': 'ad9d76a6-c7ed-4d46-9931-226382709276'
cli.azure.cli.core.util:     'x-ms-ags-diagnostic': '{"ServerInfo":{"DataCenter":"Germany West Central","Slice":"E","Ring":"5","ScaleUnit":"001","RoleInstance":"FR2PEPF00000421"}}'
cli.azure.cli.core.util:     'x-ms-resource-unit': '1'
cli.azure.cli.core.util:     'OData-Version': '4.0'
cli.azure.cli.core.util:     'Date': 'Mon, 13 Nov 2023 14:56:29 GMT'
cli.azure.cli.core.util: Response content:
cli.azure.cli.core.util: {"@odata.context":"https://graph.microsoft.com/v1.0/$metadata#applications/$entity","id":"APPLICATION-ID-ANONYMIZED","deletedDateTime":null,"appId":"CLIENT-ID-ANONYMIZED","applicationTemplateId":null,"disabledByMicrosoftStatus":null,"createdDateTime":"2023-11-13T10:30:09Z","displayName":"testreg1","description":null,"groupMembershipClaims":null,"identifierUris":[],"isDeviceOnlyAuthSupported":null,"isFallbackPublicClient":null,"notes":null,"publisherDomain":"userieroutlook.onmicrosoft.com","serviceManagementReference":null,"signInAudience":"AzureADMyOrg","tags":[],"tokenEncryptionKeyId":null,"samlMetadataUrl":null,"defaultRedirectUri":null,"certification":null,"optionalClaims":null,"requestSignatureVerification":null,"addIns":[],"api":{"acceptMappedClaims":null,"knownClientApplications":[],"requestedAccessTokenVersion":null,"oauth2PermissionScopes":[],"preAuthorizedApplications":[]},"appRoles":[],"info":{"logoUrl":null,"marketingUrl":null,"privacyStatementUrl":null,"supportUrl":null,"termsOfServiceUrl":null},"keyCredentials":[],"parentalControlSettings":{"countriesBlockedForMinors":[],"legalAgeGroupRule":"Allow"},"passwordCredentials":[{"customKeyIdentifier":null,"displayName":"testsec2","endDateTime":"2024-05-11T09:37:17.781Z","hint":"2jO","keyId":"cdb0ab82-d167-44c2-8c79-75d2b9b0dcd9","secretText":null,"startDateTime":"2023-11-13T10:37:17.781Z"},{"customKeyIdentifier":null,"displayName":"testsec1","endDateTime":"2024-05-11T09:36:36.053Z","hint":"ZDf","keyId":"662bd182-1ef6-4665-ad43-18ff8a7aef22","secretText":null,"startDateTime":"2023-11-13T10:36:36.053Z"}],"publicClient":{"redirectUris":[]},"requiredResourceAccess":[{"resourceAppId":"00000003-0000-0000-c000-000000000000","resourceAccess":[{"id":"9a5d68dd-52b0-4cc2-bd40-abcf44ac3a30","type":"Role"}]}],"verifiedPublisher":{"displayName":null,"verifiedPublisherId":null,"addedDateTime":null},"web":{"homePageUrl":null,"logoutUrl":null,"redirectUris":[],"implicitGrantSettings":{"enableAccessTokenIssuance":false,"enableIdTokenIssuance":false},"redirectUriSettings":[]},"servicePrincipalLockConfiguration":{"isEnabled":true,"allProperties":true,"credentialsWithUsageVerify":true,"credentialsWithUsageSign":true,"identifierUris":false,"tokenEncryptionKeyId":true},"spa":{"redirectUris":[]}}
cli.knack.cli: Event: CommandInvoker.OnTransformResult [<function _resource_group_transform at 0x03ADFBF8>, <function _x509_from_base64_to_hex_transform at 0x03ADFC40>]
cli.knack.cli: Event: CommandInvoker.OnFilterResult []
{
  "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#applications/$entity",
  "addIns": [],
  "api": {
    "acceptMappedClaims": null,
...
REST REMOVED
...
    "logoutUrl": null,
    "redirectUriSettings": [],
    "redirectUris": []
  }
}
cli.knack.cli: Event: Cli.SuccessfulExecute []
cli.knack.cli: Event: Cli.PostExecute [<function AzCliLogging.deinit_cmd_metadata_logging at 0x03ABC538>]
az_command_data_logger: exit code: 0
cli.__main__: Command ran in 1.434 seconds (init: 0.537, invoke: 0.897)
telemetry.main: Begin splitting cli events and extra events, total events: 1
telemetry.client: Accumulated 0 events. Flush the clients.
telemetry.main: Finish splitting cli events and extra events, cli events: 1
telemetry.save: Save telemetry record of length 3309 in cache
telemetry.main: Begin creating telemetry upload process.
telemetry.process: Creating upload process: "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\python.exe C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\Lib\site-packages\azure\cli\telemetry\__init__.pyc C:\Users\user\.azure"
telemetry.process: Return from creating process
telemetry.main: Finish creating telemetry upload process.

Expected behavior

It just works and the API responds with proper JSON.

Environment Summary

azure-cli 2.53.1

core 2.53.1
telemetry 1.1.0

Extensions:
aks-preview 0.5.56
azure-firewall 0.7.0

Dependencies:
msal 1.24.0b2
azure-mgmt-resource 23.1.0b2

Additional context

It works fine with the same CLI version under Windows.

@PatrickZeier-SAG PatrickZeier-SAG added the bug This issue requires a change to an existing behavior in the product in order to be resolved. label Nov 13, 2023
@microsoft-github-policy-service microsoft-github-policy-service bot added customer-reported Issues that are reported by GitHub users external to the Azure organization. Auto-Assign Auto assign by bot Account az login/account labels Nov 13, 2023
@microsoft-github-policy-service microsoft-github-policy-service bot added Azure CLI Team The command of the issue is owned by Azure CLI team question The issue doesn't require a change to the product in order to be resolved. Most issues start as that Graph az ad labels Nov 13, 2023
@yonzhan
Collaborator

yonzhan commented Nov 13, 2023

Thank you for opening this issue, we will look into it.

@yonzhan yonzhan added this to the Backlog milestone Nov 13, 2023
@yonzhan yonzhan removed the bug This issue requires a change to an existing behavior in the product in order to be resolved. label Nov 13, 2023
@jiasli
Member

jiasli commented Nov 17, 2023

When I compare the request where it fails in the debug log it seems that some odata parts are missing in the header:

In the provided log, Content-Type and OData-Version are not request headers, but response headers returned by Microsoft Graph API.

Linux (not working):

cli.azure.cli.core.util: Request URL: 'https://graph.microsoft.com/v1.0/applications?$filter=appId%20eq%20%27CLIENT-ID-ANONYMIZED%27'
cli.azure.cli.core.util: Request method: 'GET'
...
cli.azure.cli.core.util: Response status: 403
cli.azure.cli.core.util: Response headers:
...
cli.azure.cli.core.util:     'Content-Type': 'application/json'

Windows (working):

cli.azure.cli.core.util: Request URL: 'https://graph.microsoft.com/v1.0/applications?$filter=appId%20eq%20%27CLIENT-ID-ANONYMIZED%27'
cli.azure.cli.core.util: Request method: 'GET'
...
cli.azure.cli.core.util: Response status: 200
cli.azure.cli.core.util: Response headers:
...
cli.azure.cli.core.util:     'Content-Type': 'application/json;odata.metadata=minimal;odata.streaming=true;IEEE754Compatible=false;charset=utf-8'
...
cli.azure.cli.core.util:     'OData-Version': '4.0'

Besides, these are GET requests. Azure CLI doesn't send Content-Type or OData-Version headers in GET requests by HTTP definition.

I don't think the error is related to the operating system you are using. I doubt different identities are used to access Microsoft Graph. You may run az account show and verify the correct identity is used.

Furthermore, you may run az account get-access-token --scope https://graph.microsoft.com//.default and decode the access token at https://jwt.ms/ to verify if appid and oid claims are correct.
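The identity check suggested above can be done offline as well. The following is an added example, not code from this thread or from Azure CLI: it base64url-decodes the payload segment of a compact JWT and reports the appid, oid and tid claims so you can confirm which service principal and tenant the token was issued to. It does not verify the signature (jwt.ms does not either); it is for inspection only. The sample token, GUIDs and the `make_sample_token` helper are constructed for the demonstration.

```python
import base64
import json
import sys

# Constructed sample values (not real identities) used for the offline demo.
SAMPLE_APPID = "11111111-2222-3333-4444-555555555555"
SAMPLE_OID = "66666666-7777-8888-9999-000000000000"
SAMPLE_TID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def _b64url_encode(data: bytes) -> str:
    """Encode bytes as unpadded base64url, the JWT segment encoding."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT (header.payload.signature).

    Only parses; the signature is NOT verified. That is enough to see which
    identity the token was issued to, which is all this check needs.
    """
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def identity_summary(token: str) -> dict:
    """Pick out the claims that identify the caller: app, object, tenant, audience."""
    claims = decode_jwt_claims(token)
    return {key: claims.get(key) for key in ("appid", "oid", "tid", "aud")}


def uses_expected_identity(token: str, expected_appid: str, expected_tid: str) -> bool:
    """True when the token was issued to the expected app in the expected tenant."""
    summary = identity_summary(token)
    return summary["appid"] == expected_appid and summary["tid"] == expected_tid


def make_sample_token(appid: str, oid: str, tid: str,
                      aud: str = "https://graph.microsoft.com") -> str:
    """Build a constructed token for the offline demo (hypothetical helper, no real signature)."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(
        json.dumps({"appid": appid, "oid": oid, "tid": tid, "aud": aud}).encode())
    return f"{header}.{payload}.constructed-signature"


if __name__ == "__main__":
    # Pass a real token as the first argument, otherwise inspect the constructed sample.
    token = sys.argv[1] if len(sys.argv) > 1 else make_sample_token(
        SAMPLE_APPID, SAMPLE_OID, SAMPLE_TID)
    print(json.dumps(identity_summary(token), indent=2))
```

To inspect the token Azure CLI actually uses for Graph, pass it in from the command quoted above, e.g. `python3 check_token.py "$(az account get-access-token --scope https://graph.microsoft.com//.default --query accessToken -o tsv)"`; if the printed appid or tid is not the service principal and tenant you logged in with, the 403 is an identity mix-up rather than a missing permission.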

@jiasli
Member

jiasli commented Nov 17, 2023

As az ad app show internally first calls List applications API to resolve the provided --id argument:

# Imports as used by azure-cli's role command module (CLIError from knack,
# is_guid from azure.cli.core.util); ID is the Graph response key for the object id.
from knack.util import CLIError
from azure.cli.core.util import is_guid

ID = 'id'


def _resolve_application(client, identifier):
    """Resolve an application's id (previously known as objectId) from
    - appId
    - id (returned as-is)
    - identifierUris
    """
    if is_guid(identifier):
        # it is either app id or object id, let us verify
        result = client.application_list(filter="appId eq '{}'".format(identifier))
        # If not found, this looks like an object id
        return result[0][ID] if result else identifier
    result = client.application_list(filter="identifierUris/any(s:s eq '{}')".format(identifier))
    if not result:
        error = CLIError("Application with identifier URI '{}' doesn't exist".format(identifier))
        error.status_code = 404  # Make sure CLI returns 3
        raise error
    return result[0][ID]

Then it calls Get application with the resolved object ID of the app:

def show_application(client, identifier):
    # Resolve --id (appId, object id or identifier URI) to the object id first
    object_id = _resolve_application(client, identifier)
    # Then fetch the application by object id
    result = client.application_get(object_id)
    return result

According to the documentation of these APIs, the service principal should at least have Application.Read.All application permission.

@PatrickZeier-SAG
Author

Thanks @jiasli!

the provided log, Content-Type and OData-Version are not request headers, but response headers

Yes, of course you are right. I mixed it up in the text.

I doubt different identities are used to access Microsoft Graph.

And this was absolutely the right assumption! I had to log into different accounts for several tests and it seems I forgot to change back to the login via SP to the respective account under Linux.

Also thanks for the hint for getting the access token. Might be useful in the future.

Case closed, solution works fine.


3 participants