
Scope Policy.ReadWrite.ConditionalAccess not granted #33062

@kfkonrad

Description

Describe the bug

I tried managing conditional access policies via the azuread terraform provider using the az CLI login method. Even though my user is a Conditional Access Administrator, I kept seeing 403 errors in the debug output. After a bit of digging I found this issue hashicorp/terraform-provider-azuread#1281 that describes the same problem.

I tried the commands listed below, see the respective sections for the commands and their outputs.

Related command

az rest --method GET --url "https://graph.microsoft.com/v1.0/policies/authenticationStrengthPolicies/"

az login --scope Policy.ReadWrite.ConditionalAccess

Errors

Error message for the az rest command:

Forbidden({"error":{"code":"accessDenied","message":"Request Authorization failed","innerError":{"message":"Request Authorization failed","date":"2026-03-26T13:34:22","request-id":"<redacted>","client-request-id":"<redacted>"}}})

Error message for the az login command:

invalid_request: AADSTS65002: Consent between first party application '04b07795-8ddb-461a-bbee-02f9e1bf7b46' and first party resource '00000003-0000-0000-c000-000000000000' must be configured via preauthorization - applications owned and operated by Microsoft must get approval from the API owner before requesting tokens for that API. Trace ID: <redacted> Correlation ID: <redacted> Timestamp: 2026-03-26 13:37:32Z. (https://login.microsoftonline.com/error?code=65002)

Issue script & Debug output

az rest --method GET --url "https://graph.microsoft.com/v1.0/policies/authenticationStrengthPolicies/" --debug
cli.knack.cli: Command arguments: ['rest', '--method', 'GET', '--url', 'https://graph.microsoft.com/v1.0/policies/authenticationStrengthPolicies/', '--debug']
cli.knack.cli: __init__ debug log:
Enable color in terminal.
cli.knack.cli: Event: Cli.PreExecute []
cli.knack.cli: Event: CommandParser.OnGlobalArgumentsCreate [<function CLILogging.on_global_arguments at 0x7f19cdfeb560>, <function OutputProducer.on_global_arguments at 0x7f19cdd3c860>, <function CLIQuery.on_global_arguments at 0x7f19cdd62980>]
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableCreate []
cli.azure.cli.core: Modules found from index for 'rest': ['azure.cli.command_modules.util']
cli.azure.cli.core: Loading command modules...
cli.azure.cli.core: Loaded command modules in parallel:
cli.azure.cli.core: Name                  Load Time    Groups  Commands
cli.azure.cli.core: util                      0.002         3         7
cli.azure.cli.core: Total (1)                 0.003         3         7
cli.azure.cli.core: These extensions are not installed and will be skipped: ['azext_ai_examples', 'azext_next']
cli.azure.cli.core: Loading extensions:
cli.azure.cli.core: Name                  Load Time    Groups  Commands  Directory
cli.azure.cli.core: Total (0)                 0.000         0         0  
cli.azure.cli.core: Loaded 3 groups, 7 commands.
cli.azure.cli.core: Found a match in the command table.
cli.azure.cli.core: Raw command  : rest
cli.azure.cli.core: Command table: rest
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableTruncate [<function AzCliLogging.init_command_file_logging at 0x7f19cca972e0>]
cli.knack.cli: Event: CommandInvoker.OnPreArgumentLoad [<function register_global_subscription_argument.<locals>.add_subscription_parameter at 0x7f19ccad96c0>]
cli.knack.cli: Event: CommandInvoker.OnPostArgumentLoad []
cli.knack.cli: Event: CommandInvoker.OnPostCommandTableCreate [<function register_ids_argument.<locals>.add_ids_arguments at 0x7f19ccadbb00>, <function register_cache_arguments.<locals>.add_cache_arguments at 0x7f19ccadbce0>, <function register_upcoming_breaking_change_info.<locals>.update_breaking_change_info at 0x7f19ccadbd80>]
cli.knack.cli: Event: CommandInvoker.OnCommandTableLoaded []
cli.knack.cli: Event: CommandInvoker.OnPreParseArgs []
cli.knack.cli: Event: CommandInvoker.OnPostParseArgs [<function OutputProducer.handle_output_argument at 0x7f19cdd3c900>, <function CLIQuery.handle_query_parameter at 0x7f19cdd62a20>, <function register_ids_argument.<locals>.parse_ids_arguments at 0x7f19ccadbba0>]
cli.azure.cli.core.util: Retrieving token for resource https://graph.microsoft.com/
cli.azure.cli.core.auth.persistence: build_persistence: location='/home/foo/.azure/msal_token_cache.json', encrypt=False
cli.azure.cli.core.auth.binary_cache: load: /home/foo/.azure/msal_http_cache.bin
urllib3.util.retry: Converted retries value: 1 -> Retry(total=1, connect=None, read=None, redirect=None, status=None)
msal.authority: Initializing with Entra authority: https://login.microsoftonline.com/<redacted>
msal.authority: openid_config("https://login.microsoftonline.com/<redacted>/v2.0/.well-known/openid-configuration") = {'token_endpoint': 'https://login.microsoftonline.com/<redacted>/oauth2/v2.0/token', 'token_endpoint_auth_methods_supported': ['client_secret_post', 'private_key_jwt', 'client_secret_basic', 'self_signed_tls_client_auth'], 'jwks_uri': 'https://login.microsoftonline.com/<redacted>/discovery/v2.0/keys', 'response_modes_supported': ['query', 'fragment', 'form_post'], 'subject_types_supported': ['pairwise'], 'id_token_signing_alg_values_supported': ['RS256'], 'response_types_supported': ['code', 'id_token', 'code id_token', 'id_token token'], 'scopes_supported': ['openid', 'profile', 'email', 'offline_access'], 'request_uri_parameter_supported': False, 'userinfo_endpoint': 'https://graph.microsoft.com/oidc/userinfo', 'authorization_endpoint': 'https://login.microsoftonline.com/<redacted>/oauth2/v2.0/authorize', 'device_authorization_endpoint': 'https://login.microsoftonline.com/<redacted>/oauth2/v2.0/devicecode', 'http_logout_supported': True, 'frontchannel_logout_supported': True, 'end_session_endpoint': 'https://login.microsoftonline.com/<redacted>/oauth2/v2.0/logout', 'claims_supported': ['sub', 'iss', 'cloud_instance_name', 'cloud_instance_host_name', 'cloud_graph_host_name', 'msgraph_host', 'aud', 'exp', 'iat', 'auth_time', 'acr', 'nonce', 'preferred_username', 'name', 'tid', 'ver', 'at_hash', 'c_hash', 'email'], 'kerberos_endpoint': 'https://login.microsoftonline.com/<redacted>/kerberos', 'mtls_endpoint_aliases': {'token_endpoint': 'https://mtlsauth.microsoft.com/<redacted>/oauth2/v2.0/token'}, 'tls_client_certificate_bound_access_tokens': True, 'tenant_region_scope': 'EU', 'cloud_instance_name': 'microsoftonline.com', 'cloud_graph_host_name': 'graph.windows.net', 'msgraph_host': 'graph.microsoft.com', 'rbac_url': 'https://pas.windows.net'}
msal.application: Broker enabled? None
cli.azure.cli.core.auth.msal_credentials: UserCredential.acquire_token: scopes=['https://graph.microsoft.com//.default'], claims_challenge=None, kwargs={}
msal.application: Cache hit an AT
msal.telemetry: Generate or reuse correlation_id: <redacted>
cli.azure.cli.core.util: Request URL: 'https://graph.microsoft.com/v1.0/policies/authenticationStrengthPolicies/'
cli.azure.cli.core.util: Request method: 'GET'
cli.azure.cli.core.util: Request headers:
cli.azure.cli.core.util:     'User-Agent': 'python/3.13.12 (Linux-5.15.167.4-microsoft-standard-WSL2-x86_64-with-glibc2.39) AZURECLI/2.84.0 (HOMEBREW)'
cli.azure.cli.core.util:     'Accept-Encoding': 'gzip, deflate'
cli.azure.cli.core.util:     'Accept': '*/*'
cli.azure.cli.core.util:     'Connection': 'keep-alive'
cli.azure.cli.core.util:     'x-ms-client-request-id': '<redacted>'
cli.azure.cli.core.util:     'CommandName': 'rest'
cli.azure.cli.core.util:     'ParameterSetName': '--method --url --debug'
cli.azure.cli.core.util:     'Authorization': 'Bearer <redacted>'
cli.azure.cli.core.util: Request body:
cli.azure.cli.core.util: None
urllib3.connectionpool: Starting new HTTPS connection (1): graph.microsoft.com:443
urllib3.connectionpool: https://graph.microsoft.com:443 "GET /v1.0/policies/authenticationStrengthPolicies/ HTTP/1.1" 403 None
cli.azure.cli.core.util: Response status: 403
cli.azure.cli.core.util: Response headers:
cli.azure.cli.core.util:     'Transfer-Encoding': 'chunked'
cli.azure.cli.core.util:     'Content-Type': 'application/json'
cli.azure.cli.core.util:     'Content-Encoding': 'gzip'
cli.azure.cli.core.util:     'Vary': 'Accept-Encoding'
cli.azure.cli.core.util:     'Strict-Transport-Security': 'max-age=31536000'
cli.azure.cli.core.util:     'request-id': '<redacted>'
cli.azure.cli.core.util:     'client-request-id': '<redacted>'
cli.azure.cli.core.util:     'x-ms-ags-diagnostic': '{"ServerInfo":{"DataCenter":"Germany West Central","Slice":"E","Ring":"4","ScaleUnit":"008","RoleInstance":"<redacted>"}}'
cli.azure.cli.core.util:     'Date': 'Thu, 26 Mar 2026 13:49:41 GMT'
cli.azure.cli.core.util: Response content:
cli.azure.cli.core.util: {"error":{"code":"accessDenied","message":"Request Authorization failed","innerError":{"message":"Request Authorization failed","date":"2026-03-26T13:49:42","request-id":"<redacted>","client-request-id":"<redacted>"}}}
cli.azure.cli.core.azclierror: Traceback (most recent call last):
  File "/home/linuxbrew/.linuxbrew/Cellar/azure-cli/2.84.0/libexec/lib/python3.13/site-packages/knack/cli.py", line 233, in invoke
    cmd_result = self.invocation.execute(args)
  File "/home/linuxbrew/.linuxbrew/Cellar/azure-cli/2.84.0/libexec/lib/python3.13/site-packages/azure/cli/core/commands/__init__.py", line 682, in execute
    raise ex
  File "/home/linuxbrew/.linuxbrew/Cellar/azure-cli/2.84.0/libexec/lib/python3.13/site-packages/azure/cli/core/commands/__init__.py", line 812, in _run_jobs_serially
    results.append(self._run_job(expanded_arg, cmd_copy))
                   ~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/linuxbrew/.linuxbrew/Cellar/azure-cli/2.84.0/libexec/lib/python3.13/site-packages/azure/cli/core/commands/__init__.py", line 781, in _run_job
    result = cmd_copy(params)
  File "/home/linuxbrew/.linuxbrew/Cellar/azure-cli/2.84.0/libexec/lib/python3.13/site-packages/azure/cli/core/commands/__init__.py", line 336, in __call__
    return self.handler(*args, **kwargs)
           ~~~~~~~~~~~~^^^^^^^^^^^^^^^^^
  File "/home/linuxbrew/.linuxbrew/Cellar/azure-cli/2.84.0/libexec/lib/python3.13/site-packages/azure/cli/core/commands/command_operation.py", line 120, in handler
    return op(**command_args)
  File "/home/linuxbrew/.linuxbrew/Cellar/azure-cli/2.84.0/libexec/lib/python3.13/site-packages/azure/cli/command_modules/util/custom.py", line 24, in rest_call
    r = send_raw_request(cmd.cli_ctx, method, url, headers, uri_parameters, body,
                         skip_authorization_header, resource, output_file)
  File "/home/linuxbrew/.linuxbrew/Cellar/azure-cli/2.84.0/libexec/lib/python3.13/site-packages/azure/cli/core/util.py", line 1096, in send_raw_request
    raise HTTPError(reason, r)
azure.cli.core.azclierror.HTTPError: Forbidden({"error":{"code":"accessDenied","message":"Request Authorization failed","innerError":{"message":"Request Authorization failed","date":"2026-03-26T13:49:42","request-id":"<redacted>","client-request-id":"<redacted>"}}})

cli.azure.cli.core.azclierror: Forbidden({"error":{"code":"accessDenied","message":"Request Authorization failed","innerError":{"message":"Request Authorization failed","date":"2026-03-26T13:49:42","request-id":"<redacted>","client-request-id":"<redacted>"}}})
az_command_data_logger: Forbidden({"error":{"code":"accessDenied","message":"Request Authorization failed","innerError":{"message":"Request Authorization failed","date":"2026-03-26T13:49:42","request-id":"<redacted>","client-request-id":"<redacted>"}}})
cli.knack.cli: Event: Cli.PostExecute [<function AzCliLogging.deinit_cmd_metadata_logging at 0x7f19cca97560>]
cli.__main__: Command ran in 0.502 seconds (init: 0.121, invoke: 0.381)

Expected behavior

While the az CLI doesn't provide subcommands for managing conditional access policies, it should still be possible to use its auth flow for running arbitrary az rest commands or to authenticate the azuread terraform provider in a way that doesn't prevent users from managing certain resource types (azuread_authentication_strength_policy in my case).

I'd expect a user logged in with az login to be able to run az rest --method GET --url "https://graph.microsoft.com/v1.0/policies/authenticationStrengthPolicies/" or similar without error (assuming the user has a proper role).

Please consider preauthorizing the scope Policy.ReadWrite.ConditionalAccess.

Environment Summary

azure-cli 2.84.0

core 2.84.0
telemetry 1.1.0

Extensions:
resource-graph 2.1.1

Dependencies:
msal 1.35.0b1
azure-mgmt-resource 24.0.0

Python location '/home/linuxbrew/.linuxbrew/Cellar/azure-cli/2.84.0/libexec/bin/python'
Config directory '/home/de70632/.azure'
Extensions directory '/home/de70632/.azure/cliextensions'

Python (Linux) 3.13.12 (main, Feb 3 2026, 17:53:27) [GCC 12.3.0]

Legal docs and information: aka.ms/AzureCliLegal

Your CLI is up-to-date.

Additional context

No response
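The two errors above fit together: with a delegated token, Microsoft Graph grants the intersection of the signed-in user's directory role and the delegated permissions consented to the client application, so a Conditional Access Administrator still gets accessDenied when the client (here the Azure CLI first-party app) has not been preauthorized for Policy.ReadWrite.ConditionalAccess. A quick way to confirm that this is the cause, rather than a role or Conditional Access problem, is to look at the scp claim of the token the CLI actually cached. The script below is an added diagnostic example, not part of this issue or of the Azure CLI; it decodes the JWT payload without verifying the signature (acceptable only for inspecting a token you obtained yourself, never for making authorization decisions) and reports whether the required scope is present. The embedded SAMPLE_TOKEN is a constructed, unsigned stand-in, and the scopes in it are an assumption, not a capture of a real CLI token.

```python
"""Check which Microsoft Graph delegated scopes an Azure CLI token carries.

Added diagnostic example, not from the issue or the Azure CLI project. Decodes the
JWT payload only (no signature verification) and reports whether a required
delegated scope is present in the 'scp' claim.
"""
import base64
import json
import sys

REQUIRED_SCOPE = "Policy.ReadWrite.ConditionalAccess"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore padding before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWS without verifying its signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def granted_scopes(claims: dict) -> set:
    """Delegated scopes are a space-separated list in 'scp'; app-only tokens use 'roles' instead."""
    return set(claims.get("scp", "").split())


def check_scope(token: str, required: str = REQUIRED_SCOPE) -> dict:
    """Summarise audience, client and scopes, and whether `required` is granted."""
    claims = jwt_claims(token)
    scopes = granted_scopes(claims)
    return {
        "audience": claims.get("aud"),
        # v1.0 tokens carry the client id in 'appid', v2.0 tokens in 'azp'.
        "client_id": claims.get("appid") or claims.get("azp"),
        "scopes": sorted(scopes),
        "has_required": required in scopes,
    }


def _fake_token(payload: dict) -> str:
    """Constructed, unsigned sample token for offline testing only (alg=none, empty signature)."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(payload)}."


# Constructed sample: the Azure CLI client id from the AADSTS65002 message above,
# with an assumed set of scopes that does NOT include the Conditional Access scope.
SAMPLE_TOKEN = _fake_token({
    "aud": "https://graph.microsoft.com",
    "appid": "04b07795-8ddb-461a-bbee-02f9e1bf7b46",
    "scp": "Directory.AccessAsUser.All User.Read email openid profile",
})

if __name__ == "__main__":
    # Real usage, feeding the CLI's cached Graph token in on stdin:
    #   az account get-access-token --resource https://graph.microsoft.com \
    #       --query accessToken -o tsv | python3 check_scope.py
    token = sys.stdin.read().strip() if not sys.stdin.isatty() else SAMPLE_TOKEN
    result = check_scope(token)
    print(json.dumps(result, indent=2))
    if not result["has_required"]:
        print(f"\n{REQUIRED_SCOPE} is not in the token's scp claim: the 403 is a missing "
              "delegated permission on the client app, not a missing directory role.",
              file=sys.stderr)
        sys.exit(1)
```

If the scope is absent, neither adding roles to the user nor retrying az login with --scope will help until the client app is preauthorized for it; the workaround is to authenticate the Graph call through a client that does hold the delegated permission (for example your own app registration with Policy.ReadWrite.ConditionalAccess consented), or an app-only credential with the equivalent application permission in the roles claim.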

Labels

Account: az login/account
Auto-Assign: Auto assign by bot
Possible-Solution
Service Attention: This issue is responsible by Azure service team.
Similar-Issue
act-identity-squad
bug: This issue requires a change to an existing behavior in the product in order to be resolved.
customer-reported: Issues that are reported by GitHub users external to the Azure organization.