create-for-rbac no longer works: Values of identifierUris property must use a verified domain of the organization or its subdomain: 'http://azure-cli-2021-12-28-20-43-02' #20851
Comments
@jiasli for awareness
@tjprescott, good to see you again for Azure CLI issues! 😸 This is due to a breaking change made on AAD service side. Please see #19892.
If we have an example that shows invalid use of the command, then we should presumably fix the example? See the last couple of lines below.
$> az ad sp create-for-rbac --help
Command
az ad sp create-for-rbac : Create a service principal and configure its access to Azure
resources.
The output includes credentials that you must protect. Be sure that you do not include these
credentials in your code or check the credentials into your source control. As an
alternative, consider using [managed identities](https://aka.ms/azadsp-managed-identities)
if available to avoid the need to use credentials.
By default, this command assigns the 'Contributor' role to the service principal at the
subscription scope. To reduce your risk of a compromised service principal, use --skip-
assignment to avoid creating a role assignment, then assign a more specific role and narrow
the scope to a resource or resource group. See [steps to add a role
assignment](https://aka.ms/azadsp-more) for more information.
WARNING: In a future release, this command will NOT create a 'Contributor' role assignment
by default. If needed, use the --role argument to explicitly create a role assignment.
Arguments
--name -n : Display name of the service principal. If not present, default to
azure-cli-%Y-%m-%d-%H-%M-%S where the suffix is the time of creation.
--role : Role of the service principal.
--scopes : Space-separated list of scopes the service principal's role assignment
applies to. Defaults to the root of the current subscription. e.g.,
/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333,
/subscriptions/0b1f6471-1bf0-4dda-
aec3-111122223333/resourceGroups/myGroup, or
/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myG
roup/providers/Microsoft.Compute/virtualMachines/myVM.
--sdk-auth [Deprecated] : Output result in compatible with Azure SDK auth file.
Allowed values: false, true.
Option '--sdk-auth' has been deprecated and will be removed in a future release.
--skip-assignment : Skip creating the default assignment, which allows the service
principal to access resources under the current subscription. When
specified, --scopes will be ignored. You may use `az role assignment
create` to create role assignments for this service principal later.
Allowed values: false, true.
Credential Arguments
--cert : Certificate to use for credentials.
When used with `--keyvault,` indicates the name of the cert to use or create. Otherwise,
supply a PEM or DER formatted public certificate string. Use `@{path}` to load from a file.
Do not include private key info.
--create-cert : Create a self-signed certificate to use for the credential. Only the
current OS user has read/write permission to this certificate.
Use with `--keyvault` to create the certificate in Key Vault. Otherwise, a certificate will
be created locally.
--keyvault : Name or ID of a KeyVault to use for creating or retrieving
certificates.
--years : Number of years for which the credentials will be valid. Default: 1
year.
Global Arguments
--debug : Increase logging verbosity to show all debug logs.
--help -h : Show this help message and exit.
--only-show-errors : Only show errors, suppressing warnings.
--output -o : Output format. Allowed values: json, jsonc, none, table, tsv, yaml,
yamlc. Default: json.
--query : JMESPath query string. See http://jmespath.org/ for more information
and examples.
--verbose : Increase logging verbosity. Use --debug for full debug logs.
Examples
Create with a default role assignment.
az ad sp create-for-rbac
The example works on the latest CLI, though the description is wrong since it now won't create a default role assignment.
The example indeed works. You only need to update your Azure CLI installation.
This was changed in but this PR hasn't been released yet. @tjprescott, have you installed from source code?
Ah, looks good then. The PR updates the example text.
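The least-privilege flow the help text above recommends (skip the default subscription-wide Contributor assignment, then grant a narrow role at resource-group scope, keeping the credential as a certificate in Key Vault), written out as an added example that is not the Azure CLI project's own code. The subscription id, resource group, Key Vault and certificate names are placeholders, and DRY_RUN=1 prints each az command instead of executing it.

```shell
# Added example, not Azure CLI project code. Placeholders to replace:
# subscription id, resource group, Key Vault name, certificate name.
# DRY_RUN=1 prints each az command instead of running it.

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Step 1: create the service principal with --skip-assignment, so no
# Contributor role is granted at the subscription root. --create-cert with
# --keyvault keeps the credential as a certificate in Key Vault instead of a
# password printed to the terminal (and into shell history or CI logs).
create_sp_no_role() {
    sp_name="$1"; keyvault="$2"; cert_name="$3"
    run az ad sp create-for-rbac --name "$sp_name" --skip-assignment \
        --create-cert --keyvault "$keyvault" --cert "$cert_name"
}

# Step 2: assign one specific role scoped to a single resource group rather
# than the whole subscription (the help text's "narrow the scope" advice).
assign_scoped_role() {
    app_id="$1"; role="$2"; subscription_id="$3"; resource_group="$4"
    run az role assignment create --assignee "$app_id" --role "$role" \
        --scope "/subscriptions/$subscription_id/resourceGroups/$resource_group"
}

# Usage (replace the placeholders; drop DRY_RUN to execute for real):
# DRY_RUN=1 create_sp_no_role my-app-sp my-keyvault my-app-cert
# DRY_RUN=1 assign_scoped_role <appId from step 1> Reader <subscription id> myGroup
```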
Describe the bug
The first example for
az ad sp create-for-rbac
no longer works as written.
To Reproduce
Run:
az ad sp create-for-rbac
Expected behavior
Command works and outputs a created service principal.
Additional context
Output is:
Values of identifierUris property must use a verified domain of the organization or its subdomain: 'http://azure-cli-2021-12-28-20-43-02'