az ad sp show seems not to be working as expected #19179

Closed
binte opened this issue Aug 10, 2021 · 5 comments

binte commented Aug 10, 2021

When running the following command:

az ad sp show --id http://$SP_NAME

I will always get an error (below) if $SP_NAME is the service principal display name, and not its ID.

Service principal ... doesn't exist

The $SP_NAME variable contains the exact same display name as I see in the App Registrations in Azure AD.


When deploying a service principal via script, we do not have the service principal object ID prior to running the script, only the name we want to assign to the service principal (display name). Not only did this use to work a few months back, but as per the documentation it should still work!


ghost added the needs-triage, question and customer-reported labels Aug 10, 2021
yonzhan added the Graph az ad label Aug 10, 2021
ghost removed the needs-triage label Aug 10, 2021
yonzhan removed the question label Aug 10, 2021
yonzhan added this to the Aug 2021 (2021-09-07) milestone Aug 10, 2021

yonzhan commented Aug 10, 2021

@jiasli for awareness

jiasli commented Aug 18, 2021

Azure CLI command az ad sp create-for-rbac doesn't create apps with identifierUris anymore (#18312), so showing an SP created by az ad sp create-for-rbac with identifierUris (http://<display-name>) doesn't work now. Please use the appId of the app or objectId of the SP in az ad sp show --id.

binte commented Aug 18, 2021

So, that is why my scripts stopped working :) Thank you for the explanation! In the meantime, I was able to have my scripts work again by updating the az ad sp create-for-rbac command, to the following:

az ad sp create-for-rbac --name $SP_NAME --id http://$SP_NAME

So, I explicitly create the id I was using before #18312 when running the az ad sp create-for-rbac command. More information on this SO question

binte closed this as completed Aug 18, 2021

jiasli commented Aug 19, 2021

I don't think --id http://$SP_NAME will work, as az ad sp create-for-rbac doesn't take an --id argument:

> az ad sp create-for-rbac --name "myapp0819" --id "http://myapp0819"
unrecognized arguments: --id http://myapp0819

With Azure CLI, the only way to update identifierUris of an app is through az ad app create and az ad app update.

We don't recommend using identifierUris for simple apps (for example, those you use in Azure RBAC) because in the future AAD will require that all URIs be on verified domains. When the check is rolled out, your script will break again if the identifierUris don't meet the requirement, as described in #18312.

binte commented Aug 19, 2021

Indeed you are right, the solution I proposed does not work. Thanks for the information @jiasli

Sieboldianus added a commit to Sieboldianus/zero-to-jupyterhub-k8s that referenced this issue Aug 2, 2022
…eprecated and only appId should be used. Update the docs accordingly.

[1]: Azure/azure-cli#19179 (comment)
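
For a script that only knows the display name, one way to follow the advice above is to look up the appId first and then pass it to az ad sp show --id. This is an added example, not code from the thread or from Azure CLI: the function names resolve_sp_app_id and show_sp_by_name are hypothetical, and it assumes az ad sp list --display-name with a tab-separated --query projection. Display names are not unique in a tenant, so the lookup fails closed unless exactly one principal matches.

```shell
# Added example; resolve_sp_app_id and show_sp_by_name are hypothetical helpers.

# resolve_sp_app_id NAME: print the appId of the one service principal whose
# display name is exactly NAME. Exit codes: 1 = no match, 2 = several matches,
# 3 = the az call itself failed, 64 = missing argument.
resolve_sp_app_id() {
    local name rows ids count
    name="$1"
    [ -n "$name" ] || { echo "usage: resolve_sp_app_id <display-name>" >&2; return 64; }

    # One "displayName<TAB>appId" row per candidate returned by the directory.
    rows="$(az ad sp list --display-name "$name" \
            --query '[].[displayName, appId]' --output tsv)" || return 3

    # Compare names again locally (exact, case-sensitive string match) so the
    # result does not depend on how loosely the server-side filter matches.
    # The name travels through the environment, never through awk source text.
    ids="$(printf '%s\n' "$rows" | tr -d '\r' |
           SP_WANTED="$name" awk -F '\t' \
               '($1 "") == (ENVIRON["SP_WANTED"] "") { print $2 }')"
    count="$(printf '%s\n' "$ids" | awk 'NF { n++ } END { print n + 0 }')"

    case "$count" in
        1) printf '%s\n' "$ids" ;;
        0) echo "no service principal named '$name'" >&2; return 1 ;;
        *) echo "$count service principals named '$name'; refusing to guess" >&2
           return 2 ;;
    esac
}

# show_sp_by_name NAME: resolve NAME to an appId, then show that principal.
show_sp_by_name() {
    local app_id
    app_id="$(resolve_sp_app_id "$1")" || return $?
    az ad sp show --id "$app_id"
}
```

A deployment script would call show_sp_by_name "$SP_NAME" and stop on a non-zero exit status instead of acting on an ambiguous match.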