unrecognized arguments: --available-to-other-tenants --password Password#1212 - azure

I am trying to create an application using the Azure App service.
However, it shows the above error: unrecognized arguments:
The command that I use is --> az ad app create --available-to-other-tenants --display-name "rrwebappbot" --password "Password#1212"

For the command : az ad app create
The error says that the given argument "--available-to-other-tenants" shouldn't be used as an argument for the command. You should use valid arguments.
I followed the Microsoft documentation; please check the correct command given below.
Example:
az ad app create --display-name rithwikapp
You can use other arguments that are mentioned in the Microsoft Document I provided.

When creating an application, there are four different types
Accounts in this organizational directory only
Accounts in any organizational directory
Accounts in any organizational directory and personal Microsoft accounts
Personal Microsoft accounts
From there, I can see you want Accounts in any organizational directory.
According to the documentation, you can see that the command should include the parameter --sign-in-audience set to AzureADMultipleOrgs.
So, your command should be something like
az ad app create --display-name rrwebappbot --sign-in-audience AzureADMultipleOrgs
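As an added example (not from the question or either answer), the script below creates the registration with --sign-in-audience and then obtains a client secret generated by Azure, so no literal password has to be passed on the command line as in the original command. It assumes Azure CLI 2.37 or later (the Microsoft Graph based CLI), an existing az login session, and that the display name is a placeholder; the three audience values other than AzureADMultipleOrgs are taken from the CLI reference, not from this page.

```shell
# Added example, not code from the question or the answers.
# Assumes Azure CLI >= 2.37 and an `az login` session; names are placeholders.

# The four "supported account types" in the portal correspond to these
# --sign-in-audience values (AzureADMultipleOrgs is the one from the answer;
# the other three are assumed from the CLI reference).
audience_is_valid() {
    case "$1" in
        AzureADMyOrg|AzureADMultipleOrgs|AzureADandPersonalMicrosoftAccount|PersonalMicrosoftAccount)
            return 0 ;;
        *)
            return 1 ;;
    esac
}

# Creates the app registration and prints its appId. The secret is generated
# by Azure (az ad app credential reset) and only returned in the command
# output, so it does not end up in shell history or `ps` output the way a
# --password "..." argument would. It is left in $client_secret for the caller
# (for example to store in Key Vault) and is not echoed.
create_app_with_secret() {
    name="$1"
    audience="${2:-AzureADMultipleOrgs}"
    audience_is_valid "$audience" || { echo "invalid audience: $audience" >&2; return 2; }

    app_id=$(az ad app create --display-name "$name" \
                 --sign-in-audience "$audience" \
                 --query appId -o tsv) || return 1

    client_secret=$(az ad app credential reset --id "$app_id" \
                        --query password -o tsv --only-show-errors) || return 1

    echo "$app_id"
}

# Usage (uncomment where az is installed and you are logged in):
# create_app_with_secret "rrwebappbot-example" AzureADMultipleOrgs
```

The validation step catches the kind of mistake in the question early: an unsupported value such as the old --available-to-other-tenants flag is rejected before any call to Azure is made.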

Related

Not sure whether the container is listed as [] in azure storage

I am following (previous and) this tutorial: https://learn.microsoft.com/en-us/training/modules/connect-an-app-to-azure-storage/9-initialize-the-storage-account-model?pivots=javascript to connect an application to the Azure Storage account.
At step 8, when I verify the creation of the container by running the given Azure CLI command and replacing with my storage account:
az storage container list \
--account-name <name>
I get the following output:
There are no credentials provided in your command and environment, we will query for account key for your storage account.
It is recommended to provide --connection-string, --account-key or --sas-token in your command as credentials.
You also can add `--auth-mode login` in your command to use Azure Active Directory (Azure AD) for authorization if your login account is assigned required RBAC roles.
For more information about RBAC roles in storage, visit https://learn.microsoft.com/azure/storage/common/storage-auth-aad-rbac-cli.
In addition, setting the corresponding environment variables can avoid inputting credentials in your command. Please use --help to get more information about environment variable usage.
[]
and I am not sure whether the [] at the end of the above output means the container is listed.
Comments and suggestions are welcome. Thanks!
This error you are getting is because of an auth issue.
So, there are three solutions. One is that you run the following command before running az storage container list:
az login
The other way would be to use the --auth-mode option in az storage container list; this is written in the error prompt itself which you have given.
command:
az storage container list --account-name <name> --auth-mode login
This will prompt you for login credentials; once provided, the output should look like this.
Lastly, you can use the same option as above but with a key:
az storage container list --account-name <name> --auth-mode key --account-key <key>
You can get your key from the portal under Access keys.
The output of the command should look like this; here I have two containers named photos and test.
I tried to reproduce in my environment and I got the same error:
There are no credentials provided in your command and environment,
we will query for account key for your storage account. It is
recommended to provide --connection-string, --account-key or
--sas-token in your command as credentials.
You also can add --auth-mode login in your command to use Azure
Active Directory (Azure AD) for authorization if your login account is
assigned required RBAC roles. For more information about RBAC roles in
storage, visit
https://learn.microsoft.com/azure/storage/common/storage-auth-aad-rbac-cli.
In addition, setting the corresponding environment variables can avoid
inputting credentials in your command. Please use --help to get more
information about environment variable usage. []
The above error shows that in your storage account you didn't create any containers or files.
I have created one container and added files.
I tried the same command and now I got an output successfully.
If you need to remove the warnings you can use this option: --only-show-errors
Reference:
az storage container | Microsoft Learn
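As an added example (not from the question or the answers above), the following script lists containers over Azure AD with --auth-mode login, suppresses the credential warning with --only-show-errors, and distinguishes an empty result (the [] from the question) from a failed call. It assumes the Azure CLI is installed, the signed-in identity holds a data-plane role such as Storage Blob Data Reader on the account, and that the account name is a placeholder.

```shell
# Added example, not code from the question or the answers.
# Assumes an `az login` session holding a blob data role on the account.

# Reads container names, one per line, from stdin and prints a one-line
# summary. Empty input is exactly what the "[]" in the question means.
summarize_containers() {
    count=0
    names=""
    while IFS= read -r name; do
        [ -n "$name" ] || continue
        count=$((count + 1))
        names="$names $name"
    done
    if [ "$count" -eq 0 ]; then
        echo "no containers"
    else
        echo "$count container(s):$names"
    fi
}

# Runs the listing for one account. --only-show-errors drops the warning text,
# --query/-o tsv reduces the JSON to bare names, and stderr is captured
# separately so an authorisation failure is reported rather than being
# mistaken for an empty account.
list_containers() {
    account="$1"
    err_file=$(mktemp)
    if ! out=$(az storage container list --account-name "$account" \
                  --auth-mode login --only-show-errors \
                  --query "[].name" -o tsv 2>"$err_file"); then
        echo "listing failed (check login / RBAC role): $(cat "$err_file")" >&2
        rm -f "$err_file"
        return 1
    fi
    rm -f "$err_file"
    printf '%s\n' "$out" | summarize_containers
}

# Usage (uncomment where az is installed):
# list_containers mystorageaccount
```

Using --auth-mode login here means the CLI never has to fetch the account key (which the default path does silently via listKeys), so the listing works with a narrowly scoped data role instead of a credential that grants full access to the account.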

How to `az ad group create` for Microsoft365 group?

There are two types of groups in Azure Active Directory:
Security
Microsoft365
I can create a new Security group using Azure CLI and az ad group create --display-name TEST.
How do I create a new Microsoft365 group using Azure CLI?
Is it possible?
If not, which CLI can I use to script this?
Just found the answer. Apparently there is an Office365 CLI found here.
The command to create a new Azure Active Directory Microsoft 365 Group is:
m365 aad o365group add [options]

Owner level Service Principal permission not working for Azure Active Directory

I am attempting to automate the registration of a new application in Azure Active Directory. Upon running the command in Azure CLI, it returns with the following error:
Insufficient privileges to complete the operation.
The command was run using a Service Principal which has Owner permissions at the Subscription level. When attempting to run other Azure AD commands (e.g. az ad app list), the same error is thrown. However, it works fine if we run commands relating to Azure API Manager (e.g. az apim list).
We have tried creating the Service Principal using both the Azure console (https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal) and CLI by running the following command but neither works.
az ad sp create-for-rbac --role Owner --name some-service-principal
Is there anything else required to perform this operation?
The Owner role you mention is part of Azure RBAC, which does not apply to Azure AD.
The Azure AD tenant is above the Azure subscriptions and has its own permissions.
You need to give the SP application permissions to MS Graph API / AAD Graph API (not sure which one the CLI is trying to use), or a directory role.
The first you give through API permissions on the app registration for the SP.
A directory role can be added through the Roles and administrators tab.
That happens because Azure AD and Azure subscriptions are completely unrelated in terms of permissions. You need Application Read\Write Azure AD permissions for your principal (user\service principal\application) to be able to carry out that task.
https://learn.microsoft.com/en-us/graph/permissions-reference#application-resource-permissions
az ad app permission: https://learn.microsoft.com/en-us/cli/azure/ad/app/permission?view=azure-cli-latest#az-ad-app-permission-add
followed by az ad app grant: https://learn.microsoft.com/en-us/cli/azure/ad/app/permission?view=azure-cli-latest#az-ad-app-permission-grant
Or you could do it using the portal, like the other answer suggests.

Giving an Azure Managed Identity Directory.Read.All

I want to give an Azure Managed Identity access to the Graph with Directory.Read.All. I was able to get it to work by following this blog: https://blog.bredvid.no/accessing-apis-using-azure-managed-service-identity-ff7802b887d?gi=f2307752395a, however:
that throws an Authorization_RequestDenied error (though apparently expected: MSI Permissions for Graph API)
I would prefer to get this working under az-cli
I tried...
graphId=$(az ad sp list --filter "appId eq '00000003-0000-0000-c000-000000000000'" --query "[0].objectId")
roleId=$(az ad sp list --filter "appId eq '00000003-0000-0000-c000-000000000000'" --query "[0].appRoles[?value=='Directory.Read.All' && contains(allowedMemberTypes, 'Application')] | [0].id")
az role assignment create --role $roleId --assignee-object-id fa22d971-c442-41f2-add1-77e636f80d31 --scope $graphId --assignee-principal-type MSI
But this results in... "The request did not have a subscription or a valid tenant level resource provider."
I am thinking this means I don't have the scope right. Is it possible to do this assignment under az-cli?
It is not possible to assign a service principal (MSI) to an application role currently; all commands are here.
The az role assignment create command adds the user/service principal/group to the Azure resource as an RBAC role, which is not what you want; it equals the steps in this link.
Besides, if you want to use the Azure CLI instead of PowerShell because of the cross-platform issue, you could try PowerShell Core, which is cross-platform. Refer to this link to install the AzureAD.Standard.Preview module in it; then you will be able to use the AzureAD commands.
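As an added example (not code from either of the two questions above or their answers), the script below does with the CLI what both questions ask for: part 1 gives an app registration's service principal the Graph application permission Application.ReadWrite.All (the "Owner level Service Principal" question), and part 2 assigns Directory.Read.All to a managed identity by posting to the Microsoft Graph appRoleAssignments endpoint with az rest (this question). It assumes Azure CLI 2.37 or later, where az ad sp list exposes id rather than objectId, and a signed-in user allowed to consent to application permissions (for example Global Administrator or Privileged Role Administrator); the app id and principal id passed in are placeholders. The Graph appId 00000003-0000-0000-c000-000000000000 and the appRoles JMESPath are taken from the question.

```shell
# Added example, not code from the questions or answers. Assumes Azure CLI
# >= 2.37 and a signed-in user who may consent to application permissions.

GRAPH_APP_ID="00000003-0000-0000-c000-000000000000"   # Microsoft Graph (from the question)

# Sanity check so a typo is reported before any call to Azure.
is_guid() {
    printf '%s' "$1" | grep -Eiq '^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$'
}

# Object id of the Graph service principal in this tenant.
graph_sp_id() {
    az ad sp list --filter "appId eq '$GRAPH_APP_ID'" --query "[0].id" -o tsv
}

# Id of a Graph *application* role (allowedMemberTypes contains Application),
# e.g. Directory.Read.All; same JMESPath as in the question, with id for objectId.
graph_app_role_id() {
    az ad sp list --filter "appId eq '$GRAPH_APP_ID'" \
        --query "[0].appRoles[?value=='$1' && contains(allowedMemberTypes, 'Application')] | [0].id" -o tsv
}

# Request body for POST /servicePrincipals/{principalId}/appRoleAssignments.
app_role_assignment_body() {
    printf '{"principalId":"%s","resourceId":"%s","appRoleId":"%s"}' "$1" "$2" "$3"
}

# Part 1: application permission on an app registration, then admin consent.
# `az ad app permission grant` (from the other answer) covers delegated
# scopes; application roles are consented with admin-consent.
grant_app_permission() {
    app_id="$1"; role_value="${2:-Application.ReadWrite.All}"
    is_guid "$app_id" || { echo "bad app id: $app_id" >&2; return 2; }
    role_id=$(graph_app_role_id "$role_value") || return 1
    az ad app permission add --id "$app_id" --api "$GRAPH_APP_ID" \
        --api-permissions "$role_id=Role" || return 1
    az ad app permission admin-consent --id "$app_id"
}

# Part 2: app role on a managed identity, which has no app registration to
# attach permissions to, so the assignment is written directly to Graph.
assign_role_to_msi() {
    msi_object_id="$1"; role_value="${2:-Directory.Read.All}"
    is_guid "$msi_object_id" || { echo "bad principal id: $msi_object_id" >&2; return 2; }
    resource_id=$(graph_sp_id) || return 1
    role_id=$(graph_app_role_id "$role_value") || return 1
    az rest --method POST \
        --uri "https://graph.microsoft.com/v1.0/servicePrincipals/$msi_object_id/appRoleAssignments" \
        --headers "Content-Type=application/json" \
        --body "$(app_role_assignment_body "$msi_object_id" "$resource_id" "$role_id")"
}

# Usage (uncomment with real ids):
# grant_app_permission 00000000-0000-0000-0000-000000000000
# assign_role_to_msi   11111111-1111-1111-1111-111111111111 Directory.Read.All
```

Both parts grant exactly one application role, which is the least-privilege shape of what the questions ask for; the Azure RBAC Owner role on the subscription plays no part in it, as the first answer explains.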

How to do basic Azure CLI login in Resource Manager mode

As an Azure beginner, I am attempting to configure a basic Ubuntu VM. I started with creating an account by drilling in from the http://azure.microsoft.com page's "Try it for free" link. I successfully created an account and can see the admin console at https://portal.azure.com. I then installed the latest node.js based CLI (0.10.1 on Mac OS X).
I downloaded a .publishsettings file using azure account download and successfully loaded it with azure account import. I can now see my account when I azure account list (the name is "Free Trial" and Current is "true").
I then put the CLI into resource manager mode via azure config mode arm. This is because my goal is to create my basic VM using this 101-vm-simple-linux resource manager template. To do so, I am following along with the instructions at Resource Manager template walkthrough.
My attempts to use the azure command line tool yield this error:
Your current subscription was likely created from a publishsettings file and will not work under arm mode. You can fix it by running either 'azure login' or 'azure accout set'
When I do as requested, I get essentially the same error message from the login command itself:
% azure login -u 'the account id I just signed up with'
info: Executing command login
Password: ***************
Authenticating...
error: Interactive login is required. Use 'azure login' to interactively login.
info: Error information has been recorded to /Users/kent/.azure/azure.err
error: login command failed
Can somebody tell me how I can successfully login with the Azure CLI so that I can continue?
You will get this error if you are trying to authenticate using the Microsoft Account (such as johndoe@hotmail.com) you used to create your Azure Subscription.
You need to add an organizational user (or service principal) to the Azure Active Directory for your Azure tenant. Instructions on how to do this are available here.
Then, make this user a co-administrator on your subscription. To do this, in the old portal (manage.windowsazure.com), click Settings in the left navigation (located at the very bottom). In the Settings page click on the Administrators tab. Then, click Add at the bottom of the page to add the user you created previously as an administrator on the subscription.
Now, you can use the user identity of this organizational user to sign-in from CLI. For example:
azure login -u johndoe@xyz.onmicrosoft.com
More information about this scenario and other ways to authenticate from CLI are available here.
Type 'azure login'; this will then prompt you with a URL and device code. Enter that into the website, then you should be able to log in with 'azure login -u email-address'.
I'd like to add to this since --username or -u has multiple uses.
The -u also works with a service principal. Service principals are useful when you have a task running with no user interaction.
With the Azure CLI 2.0 this would work with the following command:
az login --service-principal -u "${clientId}" -p "${clientSecret}" -t "${tenantId}"
You can get these variables by creating an Active Directory application.
Here's the --help output from the Azure CLI 2.0 for the login command:
Command
az login: Log in to access Azure subscriptions.
Arguments
--password -p : User password or client secret. Will prompt if not given.
--service-principal: The credential representing a service principal.
--tenant -t : The tenant associated with the service principal.
--username -u : Organization id or service principal.
Global Arguments
--debug : Increase logging verbosity to show all debug logs.
--help -h : Show this help message and exit.
--output -o : Output format. Allowed values: json, jsonc, table, tsv. Default: json.
--query : JMESPath query string. See http://jmespath.org/ for more information and examples.
--verbose : Increase logging verbosity. Use --debug for full debug logs.
Examples
Log in interactively.
az login
Log in with user name and password. This doesn't work with Microsoft accounts or accounts that
have two-factor authentication enabled.
az login -u johndoe@contoso.com -p VerySecret
Log in with a service principal.
az login --service-principal -u http://azure-cli-2016-08-05-14-31-15 -p VerySecret --tenant contoso.onmicrosoft.com
