 

Can't get access token for custom AD Application

When attempting to get an access token for a custom AD Application, using az account get-access-token --resource '<APP ID Uri>', I receive the following error:

AADSTS65001: The user or administrator has not consented to use the application with ID '04b07795-8ddb-461a-bbee-02f9e1bf7b46' named 'Microsoft Azure CLI'. Send an interactive authorization request for this user and resource.

04b07795-8ddb-461a-bbee-02f9e1bf7b46 is not my application id, and my application has had administrator consent granted. I've tried putting this id in an interactive login request with no change in behavior.

get-access-token works fine when the resource is a defined MS endpoint like https://database.windows.net or https://vault.azure.net/

My goal is to have Azure App Services with Managed Service Identity authenticating to each other with short-lived AD bearer tokens. Each service has a configured audience that corresponds to the AD App.

Andy Hohorst asked Jan 27 '23 01:01

2 Answers

Running az account get-access-token --resource '<APP ID Uri>' from the local CLI, you are trying to get a token for '<APP ID Uri>' using Azure CLI, whose client ID is exactly 04b07795-8ddb-461a-bbee-02f9e1bf7b46.

To handle this you could go to: Azure Active Directory → App registrations → {your app} → Expose an API → Add client application with:

ID: 04b07795-8ddb-461a-bbee-02f9e1bf7b46

Authorized scopes: check '<APP ID Uri>'

To make sure you have the right ID, you could run az account get-access-token, paste the token into jwt.io and find the value of "appid".

Documentation reference: Application IDs for commonly used Microsoft applications

Bartosz Pelikan answered Jan 29 '23 14:01

I can reproduce your issue with --resource '<APP ID Uri>' if I log in to the CLI with a user account.


If I login with a service principal, it works fine.


You could try to log in to the Azure CLI with a service principal; refer to this link.

Joy Wang answered Jan 29 '23 14:01
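Both answers turn on which client shows up in the token. Under a user login the appid claim is the Azure CLI's own 04b07795-8ddb-461a-bbee-02f9e1bf7b46, which is why the first answer has you pre-authorize that client on your API; under a service-principal login (client-credentials flow) the appid is the principal's own application ID, so the CLI's consent state no longer matters. The script below is an added example, not code from either answer: it decodes the token payload locally and reports appid and aud against the App ID URI you passed to --resource. Decoding locally means a live bearer token never has to be pasted into a third-party site such as jwt.io. It deliberately does not verify the signature, so it is for inspection only and must never be used to accept a token. The App ID URI api://contoso-orders and the service-principal ID are made-up values used for the constructed sample tokens; live_token() assumes a locally signed-in az.

```python
"""Inspect an Azure AD access token's appid/aud claims locally.

Added example, not from the original post. Claims are decoded without
signature verification: this is a debugging aid, not an authorization check.
"""
import base64
import json
import subprocess

# Client ID of the first-party Azure CLI application, as quoted in the AADSTS65001 error.
AZURE_CLI_APP_ID = "04b07795-8ddb-461a-bbee-02f9e1bf7b46"


def _b64url_decode(segment: str) -> bytes:
    """JWS uses unpadded base64url; restore '=' padding before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWS (header.payload.signature).
    No signature verification is performed."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def inspect_token(token: str, expected_resource: str) -> dict:
    """Report which client obtained the token and whether its audience is the
    App ID URI that was requested with --resource."""
    claims = decode_claims(token)
    appid = claims.get("appid")
    aud = claims.get("aud")
    if appid == AZURE_CLI_APP_ID:
        client = "azure-cli-user-login"  # token requested on behalf of a signed-in user
    else:
        client = "other-client"  # e.g. a service-principal login: appid is the SP's own app ID
    return {
        "appid": appid,
        "aud": aud,
        "client": client,
        "audience_ok": aud == expected_resource,
    }


def make_unsigned_sample(appid: str, aud: str) -> str:
    """Build a constructed sample token for offline use. This is NOT a real
    Azure AD token; the signature segment is a placeholder."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps({"appid": appid, "aud": aud, "ver": "1.0"}).encode())
    return f"{header}.{payload}.placeholder"


# Hypothetical App ID URI and service-principal app ID (constructed values).
RESOURCE = "api://contoso-orders"
SP_APP_ID = "11111111-2222-3333-4444-555555555555"
SAMPLE_USER_TOKEN = make_unsigned_sample(AZURE_CLI_APP_ID, RESOURCE)  # what a user login yields
SAMPLE_SP_TOKEN = make_unsigned_sample(SP_APP_ID, RESOURCE)  # what a service-principal login yields


def live_token(resource: str) -> str:
    """Fetch a real token from the locally signed-in Azure CLI (requires `az`)."""
    result = subprocess.run(
        ["az", "account", "get-access-token", "--resource", resource,
         "--query", "accessToken", "-o", "tsv"],
        check=True, capture_output=True, text=True,
    )
    return result.stdout.strip()


if __name__ == "__main__":
    for label, tok in (("user login", SAMPLE_USER_TOKEN), ("service principal", SAMPLE_SP_TOKEN)):
        print(label, inspect_token(tok, RESOURCE))
```

To check a real token after `az login` (user) or `az login --service-principal`, call `inspect_token(live_token("<APP ID Uri>"), "<APP ID Uri>")`: a result of "azure-cli-user-login" tells you the first answer's pre-authorization step applies, while any other appid means the request was made as that principal.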