[Feature Request] Show object ID of the signed in account

[jiasli]

Context

Currently, in order to get the object ID of the signed in account, we have to query Microsoft Graph API:

• User account: az ad signed-in-user show
• Service principal account: az ad sp show

However, since some tenant (including Microsoft tenant) has Conditional Access policies that block accessing Microsoft Graph with device code (#22629), querying Microsoft Graph API is no longer possible with device code.

Proposed solutions

The result of

• az login
• az account show
• az account list

can show the object ID decoded from the access token.

We can also add a --show-claims parameter to az account get-access-token:

az account get-access-token --show-claims

to decode the access token and show its claims, but his solution is less intuitive.

Manual solution

Object ID can be manually retrieved from the access token:

pip3 install --upgrade pyjwt

az account get-access-token --query accessToken --output tsv |
  tr -d '\n' |
  python3 -c "import jwt, sys; print(jwt.decode(sys.stdin.read(), algorithms=['RS256'], options={'verify_signature': False})['oid'])" 

[yonzhan]

Show object ID

[subbartt]

@jiasli , @yonzhan - this won't help our scenario...we use az ad sp show --id command to get the object id of the SPN and not the logged in user which used to work till now.

We are looking for a solution given AppId how to get the object id in the tenant from the current logged in user context.

[uthsab]

@jiasli the mentioned workaround here fetches the object id of the signed in user. We need the object id of the provided sp. Is there a similar workaround for this?

az ad sp show --id "" commands that is

[jiasli]

To get the object ID of another service principal (not the signed in one), the solutions provided in #22629 (comment) are the only possible ways in Microsoft tenant. This is MSDigital policy. Please see https://portal.microsofticm.com/imp/v3/incidents/details/309117289/home.

[jiasli]

As for decoding the access token, as discussed with MSAL team and Azure architect, OAuth2 protocol treats access tokens as opaque. There is no expectation that clients will understand those. So, we shouldn't decode the access token and extract object ID from it.

• User account: ID token can be decoded to extract oid. However, MSAL currently can't expose ID token for each tenant, so we can't get the oid for each tenant.
• Service principal: Service principal doesn't have an ID token, so there is no way to get object ID without querying Graph.