1

In Azure AD, under the expose an API section, I'm looking to automate the registration of an API and web app using CLI 2.x. I've looked through documents here but find nothing that addresses preAuthorizedApplications. Searching has yielded only information for legacy support. Where is the CLI 2.x support for setting preAuthorizedApplications data?


When populated via the portal UI, the manifest contains the relevant information

"preAuthorizedApplications": [
    {
        "appId": "d22xxxxxxx",
        "permissionIds": [
            "ef92yyyyyy"
        ]
    }
],...

Is this something that can be inserted into the manifest directly? Any reference to documents or samples would be greatly appreciated.

Edit: An attempt to write the property with a null value fails with error "A value without a type name was found and no expected type is available...."

az ad app update --id $appId --set preAuthorizedApplications='[]'

If I show the app properties, I see preAuthorizedApplications in the list with a null value

az ad app list --display-name $appName


So it doesn't appear that this property can be injected into the manifest for some reason.

user2503078

2 Answers

2

@joy-wang's excellent answer put me on track, but it still took hours to get it right.

  1. No longer using /beta/, using 1.0.
  2. permissionIds is now called delegatedPermissionIds.
  3. Specification of headers seemed to be a different style now. When specified as Joy did, I got [1].
  4. Echoing what Joy says, yes, you need to be really careful about quotes. I did lots of experiments on the wrong things before realizing that I needed double quotes around the body and single quotes internally on values; the other way round gave errors [2].

The following worked:

# List the delegated permissions (scopes) exposed by the API's service principal
$permsJson = az ad sp show --id $apiApplicationId --query 'oauth2Permissions[].{Value:value, Id:id, UserConsentDisplayName:userConsentDisplayName}' -o json
$permsHash = $permsJson | ConvertFrom-Json
$permId = $permsHash.Id  # in my case that app only had one permission, you may need to do differently

# -o tsv returns the bare GUID instead of a JSON string wrapped in double quotes
$apiObjectId = az ad app show --id $apiApplicationId --query objectId -o tsv

az rest `
  --method PATCH `
  --uri "https://graph.microsoft.com/v1.0/applications/$apiObjectId" `
  --headers 'Content-Type=application/json' `
  --body "{api:{preAuthorizedApplications:[{appId:'$preAuthedAppApplicationId',delegatedPermissionIds:['$permId']}]}}"

[1] The command failed with an unexpected error. Here is the traceback: not enough values to unpack (expected 2, got 1) Traceback (most recent call last): File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/util.py", line 510, in shell_safe_json_parse File "json_init_.py", line 367, in loads File "json\decoder.py", line 339, in decode File "json\decoder.py", line 355, in raw_decode json.decoder.JSONDecodeError: Expecting property name enclosed in double quotes: line 1 column 2 (char 1)

[2] Bad Request({"error":{"code":"BadRequest","message":"Unable to read JSON request payload. Please ensure Content-Type header is set and payload is of valid JSON format.","innerError":{"date":"2021-06-19T12:49:52","request-id":"13fe58d2-ef15-4a57-8f95-4f30dcece5cc","client-request-id":"13fe58d2-ef15-4a57-8f95-4f30dcece5cc"}}})

ubienewbie
1

Not sure what caused the issue. If you want to set preAuthorizedApplications with the Azure CLI, you could use az rest to call Microsoft Graph - Update application directly.

Sample:

az rest --method patch --uri "https://graph.microsoft.com/beta/applications/<object-id>" --headers '{"Content-Type":"application/json"}' --body '{"api":{"preAuthorizedApplications":[{"appId":"a37c1158-xxxxx94f2b","permissionIds":["5479xxxxx522869e718f0"]}]}}'

Note: You need to test the sample in Bash instead of PowerShell; there are quoting issues in different terminals. If you want to run it in PowerShell, you need to change the format of the headers and body, see https://github.com/Azure/azure-cli/blob/dev/doc/use_cli_effectively.md#quoting-issues

I tested it directly in the Bash of Azure Cloud Shell, and it works fine:


Check in the portal:


Joy Wang
  • Github issue: https://github.com/Azure/azure-cli/issues/9522#issuecomment-603628528 – emp Jan 25 '21 at 14:46
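
Both answers above depend on shell quoting surviving the trip to `az rest`. The sketch below is an added example, not code from either answer or from the Azure CLI project. It builds the v1.0 body from validated GUIDs, passes it with the CLI's `@file` form of `--body`, and reads the result back. It goes slightly beyond the answers by accepting several scope IDs. A pre-authorized client gets the listed scopes without a consent prompt, so the values are checked strictly. The helper names `is_guid`, `build_preauth_body` and `set_preauthorized` are hypothetical.

```shell
# Added example; is_guid, build_preauth_body and set_preauthorized are
# hypothetical helper names, not part of the Azure CLI.

# True only for a canonical 8-4-4-4-12 hex GUID.
is_guid() {
  local hex
  [ "${#1}" -eq 36 ] || return 1
  case $1 in *[!0123456789abcdefABCDEF-]*) return 1 ;; esac
  case $1 in ????????-????-????-????-????????????) ;; *) return 1 ;; esac
  hex=$(printf '%s' "$1" | tr -d '-')
  [ "${#hex}" -eq 32 ]   # exactly four dashes, all in the fixed positions
}

# build_preauth_body <client-app-id> <scope-id>...  -> prints the PATCH body.
# Every value must be a GUID, so nothing can break out of the JSON strings.
build_preauth_body() {
  local client_id ids id
  client_id=$1; ids=""
  is_guid "$client_id" || { echo "bad appId: $client_id" >&2; return 1; }
  shift
  [ "$#" -gt 0 ] || { echo "need at least one scope id" >&2; return 1; }
  for id in "$@"; do
    is_guid "$id" || { echo "bad scope id: $id" >&2; return 1; }
    ids="${ids:+$ids,}\"$id\""
  done
  printf '{"api":{"preAuthorizedApplications":[{"appId":"%s","delegatedPermissionIds":[%s]}]}}' \
    "$client_id" "$ids"
}

# set_preauthorized <api-object-id> <client-app-id> <scope-id>...
# Sends the body from a file, so it is never re-parsed by the calling shell.
set_preauthorized() {
  local object_id body_file rc uri
  object_id=$1
  is_guid "$object_id" || { echo "bad object id: $object_id" >&2; return 1; }
  shift
  uri="https://graph.microsoft.com/v1.0/applications/$object_id"
  body_file=$(mktemp) || return 1
  build_preauth_body "$@" > "$body_file" || { rm -f "$body_file"; return 1; }
  az rest --method PATCH --uri "$uri" \
    --headers "Content-Type=application/json" --body "@$body_file"
  rc=$?
  rm -f "$body_file"
  [ "$rc" -eq 0 ] || return "$rc"
  # Read back what Graph stored and review it before relying on it.
  az rest --method GET --uri "$uri" --query "api.preAuthorizedApplications" -o json
}
```

Because the PATCH sends the whole `preAuthorizedApplications` array, the read-back at the end shows exactly which clients and scopes are pre-authorized after the call.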