Unable to run 'az ad user show --id [email protected]' on AzureML Ubuntu VM about azure-cli HOT 9 OPEN

Thank you for opening this issue, we will look into it.

from azure-cli.

https://learn.microsoft.com/en-us/entra/identity-platform/reference-error-codes#aadsts-error-codes doesn't document AADSTS530003, but I guess it is the same issue as https://learn.microsoft.com/en-us/cli/azure/microsoft-graph-migration#graph-command-fails-with-aadsts50005-or-aadsts53000, that is, Microsoft tenant (72f988bf-86f1-41af-91ab-2d7cd011db47) doesn't allow using device code flow to access Microsoft Graph.

There is a feature request #22776 to show the signed in account's object ID, but that feature request was suspended due to several unsettled security discussions. You may follow #22776 (comment) to retrieve the object ID from the access token.

from azure-cli.

https://learn.microsoft.com/en-us/entra/identity-platform/reference-error-codes#aadsts-error-codes doesn't document AADSTS530003, but I guess it is the same issue as https://learn.microsoft.com/en-us/cli/azure/microsoft-graph-migration#graph-command-fails-with-aadsts50005-or-aadsts53000, that is, Microsoft tenant (72f988bf-86f1-41af-91ab-2d7cd011db47) doesn't allow using device code flow to access Microsoft Graph.

There is a feature request #22776 to show the signed in account's object ID, but that feature request was suspended due to several unsettled security discussions. You may follow #22776 (comment) to retrieve the object ID from the access token.

Thank you @jiasli for the workaround. Do you have a similar to az ad sp list?

from azure-cli.

You may use the same approach to get the object ID for a service principal. If this is not what you want, what information do you want to extract from az ad sp list?

from azure-cli.

@jiasli The approach works for my own object ID because I can az login as myself. But I cannot az login as other objects, such as a service principal for a workspace named 'gcrllama2ws'. I cannot get access token tied to gcrllama2ws and thus cannot apply the same approach to extract object ID of gcrllama2ws from access token. Am I correct?

from azure-cli.

I cannot get access token tied to gcrllama2ws

Why can't? Is there any error when running az account get-access-token?

from azure-cli.

@jiasli az account get-access-token only return ID for the current user who logged in with az login. It does not return ID for other entities. So there is no error when running az account get-token-token. But you can only get ID for yourself, not any service principal entity such as 'gcrllama2ws'.

from azure-cli.

I cannot az login as other objects, such as a service principal for a workspace named 'gcrllama2ws'.

What is the relationship between the login service principal and gcrllama2ws?

If gcrllama2ws is different from the login service principal, you need to assign Application.Read.All permission to the login service principal in order to run az ad sp list. This is the designed behavior of Microsoft Graph.

from azure-cli.

I am not sure if I understand the question "What is the relationship between the login service principal and gcrllama2ws?". What I am trying to do is:

• az login with my SC-Alt account, e.g. [email protected]
• az ad sp list --display-name gcrllama2ws which is blocked by AADSTS70043

So I guess the "login service principal" is my extra ID, not really a service principal, and not an app either. I am not sure if I could assign my extra ID the role of "Application.Read.All". But that's an interesting idea.

from azure-cli.