Closed
Description
Describe the bug
Command Name
az account get-access-token
Errors:
Get Token request returned http error: 400 and server response: {"error":"invalid_grant","error_description":"AADSTS65001: The user or administrator has not consented to use the application with ID '04b07795-8ddb-461a-bbee-02f9e1bf7b46' named 'Microsoft Azure CLI'. Send an interactive authorization request for this user and resource.\r\nTrace ID: 179c55fc-955d-4381-902f-67018ecb2900\r\nCorrelation ID: e4685217-4651-4839-8037-407add8b6949\r\nTimestamp: 2020-09-04 23:30:49Z","error_codes":[65001],"timestamp":"2020-09-04 23:30:49Z","trace_id":"179c55fc-955d-4381-902f-67018ecb2900","correlation_id":"e4685217-4651-4839-8037-407add8b6949","suberror":"consent_required"}
Traceback (most recent call last):
pip-install-7cl6xofh\knack\knack\cli.py, ln 215, in invoke
...
To Reproduce:
Steps to reproduce the behavior. Note that argument values have been redacted, as they may contain sensitive information.
- Create an AAD application
- Enable User Consent
- Verify that user consent works using the web flow
az account get-access-token --resource <myappidhere>
Expected Behavior
I can grant user-consent to my application as the azure cli.
Environment Summary
Windows-10-10.0.19041-SP0
Python 3.6.6
Installer: MSI
azure-cli 2.5.1 *
Extensions:
interactive 0.4.4
Additional Context
The error that I'm getting is expected, but I don't know what process I need to go through in order to actually grant consent to this application for the AZ CLI.
My service uses AzureServiceTokenProvider to authenticate with AAD, and by default I depend on the Azure-provided identity and everything works. However, when running locally I'd like to just use the logged-in user's credentials, which I can manage access for independently.