Describe the bug
After having consented the service principal for the msgraph app permission "Group.Read.All", the token cache is still providing a token without this permission. This results in a 403.
Even after:
az logout
az login -u ... -p ...
The 403 still happens.
I need to execute az account clear to delete the token cache, or what works better, remove the file msal_token_cache.bin from disk. This does not require a new login, but enforces the cli to retrieve a fresh access token.
Command Name
az ad group show
Errors:
Insufficient privileges to complete the operation.
To Reproduce:
Steps to reproduce the behavior. Note that argument values have been redacted, as they may contain sensitive information.
- Login with a service principal without any permissions
- Add
Group.Read.All
- az logout
- az login
az ad group show --group mygroup
Yields a 403
Expected Behavior
The cli should flush the tokens whenever an az logout happens.
Environment Summary
Windows-10-10.0.22621-SP0
Python 3.10.5
Installer: MSI
azure-cli 2.40.0 *
Additional Context
Describe the bug
After having consented the service principal for the msgraph app permission "Group.Read.All", the token cache is still providing a token without this permission. This results in a 403.
Even after:
The 403 still happens.
I need to execute
az account clearto delete the token cache, or what works better, remove the filemsal_token_cache.binfrom disk. This does not require a new login, but enforces the cli to retrieve a fresh access token.Command Name
az ad group showErrors:
To Reproduce:
Steps to reproduce the behavior. Note that argument values have been redacted, as they may contain sensitive information.
Group.Read.Allaz ad group show --group mygroupYields a 403
Expected Behavior
The cli should flush the tokens whenever an
az logouthappens.Environment Summary
Additional Context
az cache listreturns an empty list interestingly--force-refreshinaz account get-access-token#17578az account get-account-token --resource=https://graph.microsoft.comyielded a correct JWT with the consented permissions inside. Interestingly this does not flush the token cache. I guess this could be integrated.