
I am attempting to set up and install this reference app from Azure, created by the Microsoft patterns & practices team: https://github.com/mspnp/serverless-reference-implementation - the setup is via the Azure CLI, not the UI.

However it uses Azure AD Graph, which has just very recently been deprecated and replaced by Microsoft.Graph as documented here: https://learn.microsoft.com/en-gb/cli/azure/microsoft-graph-migration

This breaks the installation instructions in the app, specifically the az ad app create command:

export API_APP_ID=$(az ad app create --display-name $API_APP_NAME --oauth2-allow-implicit-flow true \
--native-app false --reply-urls http://localhost --identifier-uris "http://$API_APP_NAME" \
--app-roles '  [ {  "allowedMemberTypes": [ "User" ], "description":"Access to device status", "displayName":"Get Device Status", "isEnabled":true, "value":"GetStatus" }]' \
--required-resource-accesses '  [ {  "resourceAppId": "00000003-0000-0000-c000-000000000000", "resourceAccess": [ { "id": "e1fe6dd8-ba31-4d61-89e7-88639da4683d", "type": "Scope" } ] }]' \
--query appId --output tsv)

Fails with: ERROR: unrecognized arguments: --native-app false

If I try to update the command with the new parameters for Microsoft.Graph as per the migration guide above:

export API_APP_ID=$(az ad app create --display-name $API_APP_NAME --enable-access-token-issuance true \
--is-fallback-public-client false --web-redirect-uris http://localhost --identifier-uris "http://$TENANT_NAME.onmicrosoft.com/$API_APP_NAME" \
--app-roles '  [ {  "allowedMemberTypes": [ "User" ], "description":"Access to device status", "displayName":"Get Device Status", "isEnabled":true, "value":"GetStatus" }]' \
--required-resource-accesses '  [ {  "resourceAppId": "00000003-0000-0000-c000-000000000000", "resourceAccess": [ { "id": "e1fe6dd8-ba31-4d61-89e7-88639da4683d", "type": "Scope" } ] }]' \
--query appId --output tsv)

The create command works - but the app's manifest does not have the expected data:

export API_IMPERSONATION_PERMISSION=$(az ad app show --id $API_APP_ID --query "oauth2Permissions[?value == 'user_impersonation'].id" --output tsv)

This returns NULL - the new Microsoft.Graph API does not even create this field in the app's manifest. I manually confirmed this by looking at the manifest in the Azure UI. This means the following commands that rely on this field existing are unusable.

How can I fix this so I can install this reference app given that the install instructions refer to the no longer available Azure AD Graph API? What is the correct az ad app create command that lets Microsoft.Graph API create the API app with oauth?

JK.
  • Have a look at this answer https://stackoverflow.com/a/73171550/4167200, the oauth2Permissions are not created by default using ms graph api. – Thomas Aug 23 '22 at 23:22
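As an added example (it is not part of the question, the linked answer, or the mspnp repository): with the Microsoft Graph-backed az CLI the user_impersonation scope is no longer created for you, so the script below creates the API app with the question's Graph-era parameters, adds that scope explicitly by PATCHing the application object through az rest, and then reads its id from api.oauth2PermissionScopes, which is where the old oauth2Permissions list now lives in the manifest. It assumes API_APP_NAME and TENANT_NAME are exported as in the reference implementation's instructions and that az login has already been run; the scope's consent strings are made up here, and the app-name is assumed to be a plain identifier with no quotes or % characters.

```shell
#!/usr/bin/env bash
# Added example, not code from the mspnp reference implementation.
# Creates the API app registration with the Microsoft Graph-based az CLI and
# then adds the delegated "user_impersonation" scope that the Azure AD Graph
# backend used to create automatically.
set -eu

# Build the Graph PATCH body that exposes a delegated "user_impersonation"
# scope on the application's "api" object. Arguments: <scope-guid> <app-name>.
# CAVEAT: a PATCH replaces the whole oauth2PermissionScopes array, so if the
# app already exposes other scopes, merge them into this list first.
# (Consent strings below are made up for this example.)
scope_json() {
  local scope_id="$1" app_name="$2" fmt
  fmt='{"api":{"oauth2PermissionScopes":[{'
  fmt=$fmt'"adminConsentDescription":"Allow the application to access %s on behalf of the signed-in user.",'
  fmt=$fmt'"adminConsentDisplayName":"Access %s",'
  fmt=$fmt'"id":"%s","isEnabled":true,"type":"User",'
  fmt=$fmt'"userConsentDescription":"Allow the application to access %s on your behalf.",'
  fmt=$fmt'"userConsentDisplayName":"Access %s",'
  fmt=$fmt'"value":"user_impersonation"}]}}'
  printf "$fmt" "$app_name" "$app_name" "$scope_id" "$app_name" "$app_name"
}

# Every scope needs its own GUID; use whatever the host provides.
new_guid() {
  if command -v uuidgen >/dev/null 2>&1; then uuidgen | tr 'A-Z' 'a-z'
  elif [ -r /proc/sys/kernel/random/uuid ]; then cat /proc/sys/kernel/random/uuid
  else python3 -c 'import uuid; print(uuid.uuid4())'
  fi
}

# Mirrors the question's Graph-era create command and prints the appId.
# --enable-access-token-issuance turns on the implicit flow, as the reference
# instructions required; leave it off for apps that do not need it.
create_api_app() {
  az ad app create --display-name "$API_APP_NAME" \
    --enable-access-token-issuance true \
    --is-fallback-public-client false \
    --web-redirect-uris http://localhost \
    --identifier-uris "http://$TENANT_NAME.onmicrosoft.com/$API_APP_NAME" \
    --app-roles '[{"allowedMemberTypes":["User"],"description":"Access to device status","displayName":"Get Device Status","isEnabled":true,"value":"GetStatus"}]' \
    --required-resource-accesses '[{"resourceAppId":"00000003-0000-0000-c000-000000000000","resourceAccess":[{"id":"e1fe6dd8-ba31-4d61-89e7-88639da4683d","type":"Scope"}]}]' \
    --query appId --output tsv
}

# Argument: <appId>. Looks up the application's object id (the Graph "id"
# field, distinct from appId) and PATCHes the scope onto it.
add_user_impersonation_scope() {
  local app_id="$1" object_id
  object_id=$(az ad app show --id "$app_id" --query id --output tsv)
  az rest --method PATCH \
    --uri "https://graph.microsoft.com/v1.0/applications/$object_id" \
    --headers 'Content-Type=application/json' \
    --body "$(scope_json "$(new_guid)" "$API_APP_NAME")"
}

# Argument: <appId>. The old "oauth2Permissions[...]" JMESPath now has to be
# "api.oauth2PermissionScopes[...]"; prints the scope id, or nothing if absent.
impersonation_permission_id() {
  az ad app show --id "$1" \
    --query "api.oauth2PermissionScopes[?value=='user_impersonation'].id" \
    --output tsv
}

main() {
  API_APP_ID=$(create_api_app)
  add_user_impersonation_scope "$API_APP_ID"
  API_IMPERSONATION_PERMISSION=$(impersonation_permission_id "$API_APP_ID")
  if [ -z "$API_IMPERSONATION_PERMISSION" ]; then
    echo "user_impersonation scope still missing on $API_APP_ID" >&2
    return 1
  fi
  echo "API_APP_ID=$API_APP_ID"
  echo "API_IMPERSONATION_PERMISSION=$API_IMPERSONATION_PERMISSION"
}

# Only talk to Azure when the variables from the reference instructions are
# set; otherwise the functions are just defined so they can be sourced.
if [ -n "${API_APP_NAME:-}" ] && [ -n "${TENANT_NAME:-}" ]; then
  main
else
  echo "export API_APP_NAME and TENANT_NAME (and run 'az login') to execute" >&2
fi
```

The rest of the reference instructions can then keep using API_IMPERSONATION_PERMISSION, but any later command that queries or sets oauth2Permissions on this app has to be rewritten against api.oauth2PermissionScopes in the same way.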
