Comments (9)
Thank you for opening this issue, we will look into it.
from azure-cli.
https://learn.microsoft.com/en-us/entra/identity-platform/reference-error-codes#aadsts-error-codes doesn't document `AADSTS530003`, but I guess it is the same issue as https://learn.microsoft.com/en-us/cli/azure/microsoft-graph-migration#graph-command-fails-with-aadsts50005-or-aadsts53000, that is, Microsoft tenant (72f988bf-86f1-41af-91ab-2d7cd011db47) doesn't allow using device code flow to access Microsoft Graph.
There is a feature request #22776 to show the signed-in account's object ID, but that feature request was suspended due to several unsettled security discussions. You may follow #22776 (comment) to retrieve the object ID from the access token.
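As an added example (not code from the thread or from the azure-cli project), this reads the signed-in identity's object ID from the `oid` claim of the token that `az account get-access-token` returns, which is the workaround the linked #22776 comment points at. The sample token is constructed and carries no real identifiers; `az_access_token` is an added helper that shells out to the real CLI and is only needed when you want the live token instead of the sample.

```python
import base64
import json
import subprocess


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding that JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT.

    The signature is deliberately not verified: this only inspects a token the
    CLI already obtained for the current session, it never accepts tokens from
    another party, so no trust decision is made on these claims.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def object_id_from_token(token: str) -> str:
    """Extract the object ID of the signed-in identity (the 'oid' claim)."""
    claims = jwt_claims(token)
    if "oid" not in claims:
        raise KeyError("token carries no 'oid' claim")
    return claims["oid"]


def az_access_token() -> str:
    """Ask the Azure CLI for an access token for the signed-in account (requires a prior `az login`)."""
    out = subprocess.run(
        ["az", "account", "get-access-token", "--query", "accessToken", "-o", "tsv"],
        check=True, capture_output=True, text=True,
    )
    return out.stdout.strip()


def _sample_token() -> str:
    """Constructed sample token (not a real Entra token) with the same header.payload.signature shape."""
    def enc(d: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    header = {"alg": "RS256", "typ": "JWT"}
    payload = {"aud": "https://management.azure.com/",
               "tid": "00000000-0000-0000-0000-000000000000",
               "oid": "11111111-2222-3333-4444-555555555555"}
    return f"{enc(header)}.{enc(payload)}.c2lnbmF0dXJl"  # signature bytes are a placeholder


if __name__ == "__main__":
    print(object_id_from_token(_sample_token()))
```

To use it against your own session, replace `_sample_token()` with `az_access_token()`; the printed value is then the `oid` of whoever ran `az login`, not of any other principal.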
Thank you @jiasli for the workaround. Do you have a similar one for `az ad sp list`?
You may use the same approach to get the object ID for a service principal. If this is not what you want, what information do you want to extract from `az ad sp list`?
@jiasli The approach works for my own object ID because I can `az login` as myself. But I cannot `az login` as other objects, such as a service principal for a workspace named 'gcrllama2ws'. I cannot get an access token tied to gcrllama2ws and thus cannot apply the same approach to extract the object ID of gcrllama2ws from an access token. Am I correct?
> I cannot get an access token tied to gcrllama2ws

Why not? Is there any error when running `az account get-access-token`?
@jiasli `az account get-access-token` only returns the ID for the current user who logged in with `az login`. It does not return IDs for other entities. So there is no error when running `az account get-access-token`. But you can only get the ID for yourself, not for any service principal entity such as 'gcrllama2ws'.
> I cannot `az login` as other objects, such as a service principal for a workspace named 'gcrllama2ws'.

What is the relationship between the login service principal and `gcrllama2ws`?

If `gcrllama2ws` is different from the login service principal, you need to assign the Application.Read.All permission to the login service principal in order to run `az ad sp list`. This is the designed behavior of Microsoft Graph.
I am not sure if I understand the question "What is the relationship between the login service principal and gcrllama2ws?". What I am trying to do is:
- `az login` with my SC-Alt account, e.g. [email protected]
- `az ad sp list --display-name gcrllama2ws`, which is blocked by AADSTS70043
So I guess the "login service principal" is my extra ID, not really a service principal, and not an app either. I am not sure if I could assign my extra ID the role of "Application.Read.All". But that's an interesting idea.