I am trying to create an Azure AD app with an updated manifest that has access to Windows Azure AD. I have been able to successfully create/configure a new App Registration but run into issues when I try to configure the manifest.
I have tried using the sample code provided by MS (https://learn.microsoft.com/en-us/cli/azure/ad/app?view=azure-cli-latest#az-ad-app-create) with an updated 'resourceAppId' from an already existing App Registration; however, bash throws an error:
az ad app create --display-name myTest --homepage https://blah.test.com --reply-urls https://blah.test.com/.auth/login/add/callback --required-resource-accesses @manifest.json
("manifest.json" contains the following content)
[
  {
    "resourceAppId": "00000002-0000-0000-c000-000000000000",
    "resourceAccess": [
      {
        "id": "a42657d6-7f20-40e3-b6f0-cee03008a62a-test",
        "type": "Scope"
      }
    ]
  }
]
As I've copied the sample code and just updated a few params, I would expect it to run. TIA for any suggestions.
This is the error I receive when running via the portal:

Because you provided too little useful information, I am not sure what error you got.
I have tested your script, and I got the error below.
az ad app create --display-name 'myTest' --homepage 'https://blah.test.com' --reply-urls 'https://blah.test.com/.auth/login/add/callback' --required-resource-accesses 'C:\Users\joyw\Desktop\manifest.json'
az : ERROR: '--identifier-uris' is required for creating an application
At line:1 char:1
+ az ad app create --display-name 'myTest' --homepage 'https://blah.tes ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (ERROR: '--ident... an application:String) [], RemoteException
+ FullyQualifiedErrorId : NativeCommandError
If you also get this error, just add the parameter, e.g. --identifier-uris 'https://mytestapp.websites.net'; the complete command will look like this:
az ad app create --display-name 'myTest' --homepage 'https://blah.test.com' --reply-urls 'https://blah.test.com/.auth/login/add/callback' --identifier-uris 'https://mytestapp.websites.net' --required-resource-accesses 'C:\Users\joyw\Desktop\manifest.json'
Then it will work fine.

Per my understanding, you may think something is wrong with the resourceAppId in your manifest.json. If you do not get the error above, you could follow the information below to troubleshoot and make sure you use the correct properties in manifest.json.
My manifest.json file:
[
  {
    "resourceAppId": "69ae001f-xxxxxxxx-375585ac983e",
    "resourceAccess": [
      {
        "id": "6833b2c6-9954-43e1-ac46-f54a26a3b693",
        "type": "Scope"
      },
      {
        "id": "1b4f816e-5eaf-48b9-8613-7923830595ad",
        "type": "Role"
      }
    ]
  }
]
The resourceAppId is the application id of the service principal (i.e. the application id of the AD App), so you are correct.
In resourceAccess, the type is Scope or Role. Scope represents a Delegated permission, Role represents an Application permission. For an Application permission, you can find it in the appRoles section of the manifest of the AD App you are using (for my sample, the app 69ae001f-xxxxxxxx-375585ac983e). For a Delegated permission, you can find it in the oauth2Permissions section of that manifest. Then take the id from the corresponding entry.
Check it against the manifest of my sample AD App below; note the ids and how they correspond, and it will be clear.
appRoles:
"appRoles": [
  {
    "allowedMemberTypes": [
      "Application"
    ],
    "displayName": "SurveyCreator",
    "id": "1b4f816e-5eaf-48b9-8613-7923830595ad",
    "isEnabled": true,
    "description": "Creators can create Surveys",
    "value": "SurveyCreator"
  }
]
oauth2Permissions:
"oauth2Permissions": [
  {
    "adminConsentDescription": "Allow the application to access joywebtest on behalf of the signed-in user.",
    "adminConsentDisplayName": "Access joywebtest",
    "id": "6833b2c6-9954-43e1-ac46-f54a26a3b693",
    "isEnabled": true,
    "type": "User",
    "userConsentDescription": "Allow the application to access joywebtest on your behalf.",
    "userConsentDisplayName": "Access joywebtest",
    "value": "user_impersonation"
  }
]
Finally, we can check the AD App we just created in the portal. It will have the Required permissions we set.

For more details, you can also see Azure Active Directory app manifest.
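To make the Scope/Role mapping in the answer concrete, and to produce the manifest.json the question's az ad app create command consumes, here is an added example that is not part of the question, the answer, or Microsoft's CLI code. It embeds, as constructed sample data, the appRoles and oauth2Permissions excerpt from the answer's sample app (with a placeholder resourceAppId GUID, since the real one is redacted on the page), resolves permission values such as user_impersonation and SurveyCreator to the {id, type} entries the CLI expects (oauth2Permissions entries become type Scope, appRoles entries become type Role), checks that every id is a well-formed GUID, and writes manifest.json. The function names build_required_resource_access, is_guid and write_manifest are this example's own.

```python
"""Build the --required-resource-accesses manifest for `az ad app create`
from the *resource* app's manifest.  Added example; not the page's own code.
"""
import json
import uuid

# Constructed sample: placeholder GUID standing in for the redacted
# "69ae001f-xxxxxxxx-375585ac983e" application id in the answer.
RESOURCE_APP_ID = "11111111-2222-3333-4444-555555555555"

# Constructed excerpt of the resource app's manifest, copied from the
# appRoles / oauth2Permissions sections shown in the answer above.
RESOURCE_MANIFEST = {
    "appId": RESOURCE_APP_ID,
    "appRoles": [
        {
            "allowedMemberTypes": ["Application"],
            "displayName": "SurveyCreator",
            "id": "1b4f816e-5eaf-48b9-8613-7923830595ad",
            "isEnabled": True,
            "description": "Creators can create Surveys",
            "value": "SurveyCreator",
        }
    ],
    "oauth2Permissions": [
        {
            "adminConsentDisplayName": "Access joywebtest",
            "id": "6833b2c6-9954-43e1-ac46-f54a26a3b693",
            "isEnabled": True,
            "type": "User",
            "value": "user_impersonation",
        }
    ],
}


def is_guid(value):
    """True only for a canonical lowercase-or-uppercase GUID string.
    Azure AD identifies permissions purely by GUID, so anything else
    (a typo, a suffix, braces) must be rejected before calling az."""
    try:
        return str(uuid.UUID(value)) == value.lower()
    except (ValueError, AttributeError, TypeError):
        return False


def build_required_resource_access(resource_manifest, delegated=(), application=()):
    """Map permission *values* to the requiredResourceAccess structure.

    delegated   -> looked up in oauth2Permissions, emitted with type "Scope"
    application -> looked up in appRoles,          emitted with type "Role"
    """
    scopes = {p["value"]: p for p in resource_manifest.get("oauth2Permissions", [])}
    roles = {r["value"]: r for r in resource_manifest.get("appRoles", [])}
    access = []
    for name in delegated:
        perm = scopes.get(name)
        if perm is None:
            raise KeyError("no delegated permission (oauth2Permissions) named %r" % name)
        if not perm.get("isEnabled", True):
            raise ValueError("delegated permission %r is disabled" % name)
        access.append({"id": perm["id"], "type": "Scope"})
    for name in application:
        role = roles.get(name)
        if role is None:
            raise KeyError("no application permission (appRoles) named %r" % name)
        if "Application" not in role.get("allowedMemberTypes", []):
            raise ValueError("appRole %r cannot be granted to an application" % name)
        access.append({"id": role["id"], "type": "Role"})
    # Validate every id, including the resource id, before anything reaches az.
    for entry in access:
        if not is_guid(entry["id"]):
            raise ValueError("permission id %r is not a GUID" % entry["id"])
    if not is_guid(resource_manifest["appId"]):
        raise ValueError("resourceAppId must be the resource app's application id GUID")
    return [{"resourceAppId": resource_manifest["appId"], "resourceAccess": access}]


def write_manifest(path, required):
    """Write the structure in the exact shape az expects for @manifest.json."""
    with open(path, "w") as fh:
        json.dump(required, fh, indent=2)


if __name__ == "__main__":
    required = build_required_resource_access(
        RESOURCE_MANIFEST,
        delegated=["user_impersonation"],
        application=["SurveyCreator"],
    )
    write_manifest("manifest.json", required)
    print(json.dumps(required, indent=2))
    print("az ad app create --display-name myTest "
          "--identifier-uris https://mytestapp.websites.net "
          "--required-resource-accesses @manifest.json")
```

Run the script, then pass the generated file to az as @manifest.json (the form used in the Microsoft docs the question links) or as a plain path as in the answer's working command. Both permission types must be taken from the resource app's own manifest; the GUID check is what would reject an id like the "…-test" value in the question's manifest before the CLI ever sees it.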