-
Notifications
You must be signed in to change notification settings - Fork 3.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Get-AzAccessToken should also allow specifying scopes #14085
Comments
We will evaluate this feature request. |
Any progress on this? |
@dingmeng-xue I can see that this moved to "Breaking Change Release" about 5 months ago, does this means that it will be included in the next release? |
@HMassi87 , that label means feature will introduce breaking change potentially. We haven't planned it because we are still understanding the benefit to users and potential impact. Back to original requirement, |
@dingmeng-xue I can't do anything on Intune using managed identities
But the only scopes that I get from this are I can even expose my API and create my own scopes and I am able to get a token for those scopes using something like |
Hi @petehauge and @HMassi87 , After verifying the scope in my environment, I realized your requirement cannot meet even we changed the code. Please look into #18080. Azure PowerShell is the first party app. For MSGraph API, All required permissions are granted by MSGraph in advance. Your requirement can be met when Azure PowerShell becomes 3rd party app. It is on our roadmap. I'm hesitating to merge the PR. What's your thought? |
Hi @dingmeng-xue - good question on this one, if it doesn't cover my original scenario that I'm not sure I can use it. I have a question though, based on your other comment (Azure Powershell becoming 3rd party app) - if that happens, does that mean that we will need your code in the PR 18080 anyway to enable the scenario? If so, seems like it's still worthwhile to merge? Thanks! |
Scope contains 2 parts, resourceId and permission. Azure PowerShell accepts any resource id and automatically appends permission MSAL accepts array of scopes during authentication. So you can see strict syntax should be
or
Support above requires lots of code change because existing code is not designed for multiple scopes/permissions. If user cannot get benefit immediately, I'd like put it on hold for a while. |
I see, thanks @dingmeng-xue - my original issue was accessing the Teams API (since I'm logged in against the same tenant) - but if that won't work with this change than I don't have a preference on merging since I can't use the work yet. In particular, I want to be able to get an access token with the following scope: Thanks! |
@HMassi87 I think I'm having the same issue you are. I've added two application scopes to my managed identity (Enterprise Application):
... yet when the App Service running as that managed identity calls Get-AzAccessToken, those two permissions do not appear as scopes. All the others I have added (e.g. Directory.Read.All, TeamMember.ReadWrite.All) appear, but not these two. I know I'm risking drifting off topic, but is there something about the Intune Graph endpoints that's making this happen? )Feel free to hit me up on Twitter (@mabster) if you'd prefer to take the conversation out of GitHub.) If adding a -Scope parameter to Get-AzAccessToken could solve this issue and somehow force those scopes into the token, that would be awesome. |
OK project owners, now I'm really confused. On Friday I disabled all the scheduled jobs in my Azure App Service that are calling Get-AzAccessToken and left the service idling over the weekend. This morning, Get-AzAccessToken does indeed return a token with the scopes I had added to my managed identity last week. Does Get-AzAccessToken cache somehow? Why was it not returning these new scopes as soon as I added them to the MSI? Is it using a refresh token to keep the current (now incomplete) token "current" somehow? |
@mabster , you are right that there is a kinds of cache. After login (access token login), client will get primary refresh token and protect it leveraging MSAL (the secret of SP is not the case). The expiration of primary refresh token is 90 days. Azure PowerShell use |
When When Please let me know if you have further question. |
@dingmeng-xue thank you for taking your valuable time for a detailed explanation, it is appreciated, and I hope others find it useful as well. |
This feature will be discussed again when Azure PowerShell can work using the 3rd party app id. Closing this request now. Your thought is welcome. |
Hi, we're sending this friendly reminder because we haven't heard back from you in a while. We need more information about this issue to help address it. Please be sure to give us your input within the next 7 days. If we don't hear back from you within 14 days of this comment the issue will be automatically closed. Thank you! |
My biggest problem at the moment is trying to use delegated permission,
this can be achieved using the MSAL.PS module cmdlet get-msaltoken but
would prefer to use the same module used to authenticate as the managed
identify.
This process would avoid the necessity to create an App Secret or use of
certificates.
…On Mon, 9 May 2022, 14:29 Dingmeng Xue, ***@***.***> wrote:
Hi @petehauge <https://github.com/petehauge> and @HMassi87
<https://github.com/HMassi87> , After verifying the scope in my
environment, I realized your requirement cannot meet even we changed the
code. Please look into #18080
<#18080>.
Azure PowerShell is the first party app. For MSGraph API, All required
permissions are granted by MSGraph in advance. AuditLog.Read.All
Directory.AccessAsUser.All email openid profile are all granted. You
cannot get Get-AzAccessToken -ResourceUrl "
https://graph.microsoft.com/Directory.readwrite.all" if client id is
Azure PowerShell.
Your requirement can be met when Azure PowerShell becomes 3rd party app.
It is on our roadmap. I'm hesitating to merge the PR. What's your thought?
—
Reply to this email directly, view it on GitHub
<#14085 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AYDKZG5E3YB22OLCJFEQ7WTVJEHJ5ANCNFSM4W5OJURA>
.
You are receiving this because you were mentioned.Message ID:
***@***.***>
|
I found this thread when trying to request a specific app role from a custom app registration using MSI. If you assign the MSI multiple app roles, the token will always include all roles. This seems like a similar problem to the delegated scopes. |
Hi @dingmeng-xue, I came to this thread through investigation of the same symptoms as the OP. I just had 2 questions, and I'm hoping you will be able to answer?
Many thanks |
Really appreciate your response.
And sorry: yes, MSI as in Managed Identity, which is now MSFT's preferred security principal for Azure Automation (the RunAs account alternative being deprecated imminently).
Look forward to hearing more.
|
About MSI, Azure doesn't recommend user to use its token in anywhere. So, it's not easy to get access token. You can just use normal service account. Create service principal, grant sufficient permission, login Azure PowerShell with that service principal, get access token, and use it. |
I've never encountered that recommendation; where is it documented please? |
Managed identity (MSI) links to an azure resource. If you use its token and execute script somewhere else, it is against the principle of MSI. But, definitely, you can use it for the time being. |
This is good to know, thanks for confirming, @dingmeng-xue
This is still a little bit confusing to be honest, in terms of what is meant by "somewhere else". But clarity would be good: for when the "for the time being" part of the above statement is no longer true, and particularly if that change is not well-publicised. The only use case I'm interested in is:
In the main, the confusion is what MSFT intend that we should use for AuthN and AuthZ to Microsoft 365 resources. Authentication in both cases relies on either a client secret or certificate, and authorisation is assigned the same way - as far as I can tell! - i.e. using either the App Registration's API permissions tab in the Identity portal, or associated PowerShell. So any weaknesses inherent in using one would seem to apply to the other. I do appreciate your time so far, thanks. |
@StevieLamb using a 3rd party app for Azure PowerShell has several consequences, one of them being that an admin would need to grant permission to the app. This would create a massive breaking change in the behavior of the client that would impact every organization using Azure PowerShell. |
Description of the new feature
The Get-AzAccessToken commandlet is awesome! Unfortunately I can't use it for my scenario because it's missing being able to set the "Scopes" in the authentication flow.
The feature request would be to enable passing scopes to the commandlet and could be done in two different ways:
Add -Scope as a parameter:
Get-AzAccessToken -ResourceUrl "https://graph.microsoft.com" -Scope "Directory.readwrite.all"
Enable Resource URL to include scopes:
Get-AzAccessToken -ResourceUrl "https://graph.microsoft.com//Directory.readwrite.all"
Scenario
I wanted to mention the scenario in which I want to use this feature: I am using the MicrosoftTeams PowerShell module (currently in preview). There is something supported by the API that's not yet supported by the module, so for 1 particular scenario, Adding tabs to an existing teams channel, I need to call the Rest API instead of a commandlet. The code looks like the following, but the Access Token part is the only bit of the code that doesn't work.
The text was updated successfully, but these errors were encountered: