`az ad app owner add` appears to rely on deprecated `graph.windows.net`

[TeresaBinks]

We've been struggling to get a Service Principal, which is an Owner on an App Registration, to add other Owners to that App Registration.

The Service Principal has an admin-consented AppRoleAssignment to Microsoft Graph's Application.ReadWrite.OwnedBy. However, when running az ad app owner add we were faced with an insufficient permissions error.

We have resolved that error by creating an admin-consented AppRoleAssignment to Windows AAD Graph's Application.ReadWrite.OwnedBy too. We can't do that through the portal anymore, as that control is grey'd out because the AAD Graph has been deprecated and goes out of support in June 2022.

This command seems to be quietly falling out of support. In the short term, could the documentation be updated to inform users that they will have to have Windows Graph permissions to make it work?

[yonzhan]

@jiasli for awareness

[jiasli]

We have resolved that error by creating an admin-consented AppRoleAssignment to Windows AAD Graph's Application.ReadWrite.OwnedBy too. We can't do that through the portal anymore, as that control is grey'd out because the AAD Graph has been deprecated and goes out of support in June 2022.

This is explained in #19818.

We are migrating to Microsoft Graph in the upcoming semester, which is tracked by #12946.

[justinmchase]

@TeresaBinks

@renskewierda I believe you were asking about this problem in another issue as well. Tagging you for reference.

I was able to work around this issue for now by directly calling the graph API via curl. I created my main application with the az ad app create... but then from there to use that app to create other apps by calling the Graph API directly via curl. You can use the below scripts to help work around the issue for now.

Relevant Documentation

(this assumes the main app has the Application.ReadWrite.OwnedBy permission in the Graph Api)

Acquire a token

TENANT_ID="<pasted Tenant ID>"
APP_ID="<pasted Application (client) ID>"
SECRET="<pasted secret value>"
TOKEN=$(curl -X POST \
  -F "client_id=$APP_ID" \
  -F "client_secret=$SECRET" \
  -F "scope=https://graph.microsoft.com/.default" \
  -F "grant_type=client_credentials" \
  https://login.microsoftonline.com/$TENANT_ID/oauth2/v2.0/token | \
  jq -r ".access_token")

Create a new Application

APP_NAME="<pasted app name>"
APP_ID=$(curl -X POST \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-type: application/json" \
  -d "{\"displayName\":\"$APP_NAME\"}" \
  https://graph.microsoft.com/v1.0/applications | \
  jq -r ".id")

Add Yourself as an Owner (optional)

This isn't strictly necessary but it allows you to go into the portal UI and update the apps manually as desired.

USER_ID="<pastes user Object ID>"
curl -X POST \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-type: application/json" \
  -d "{\"@odata.id\":\"https://graph.microsoft.com/v1.0/directoryObjects/$USER_ID\"}" \
  "https://graph.microsoft.com/v1.0/applications/$APP_ID/owners/\$ref"

[jiasli]

az rest is another choice which automatically does the authentication for you (as detailed in #12946).

[renskewierda]

Thanks to both of your suggestions! az cli commands can indeed be replaced by directly calling the Graph API via curl or with the az rest command. This would require us to replace all az ad commands throughout our entire codebase though, which would not be the preferable solution. We can for now just keep using the az ad commands if we provide the API permissions to new SPNs via the command line rather than via the Azure Portal. But it would still be great if migration to the new Graph API for the Azure CLI could be given somewhat more priority, since it is a bit strange that a Microsoft tool still makes use of an API that Microsoft has officially deprecated.