diff --git a/src/command_modules/azure-cli-role/azure/cli/command_modules/role/_help.py b/src/command_modules/azure-cli-role/azure/cli/command_modules/role/_help.py index 36aca84c6e1..3d8e21a6a22 100644 --- a/src/command_modules/azure-cli-role/azure/cli/command_modules/role/_help.py +++ b/src/command_modules/azure-cli-role/azure/cli/command_modules/role/_help.py @@ -200,11 +200,17 @@ """ helps['ad app permission grant'] = """ type: command - short-summary: Grant the app an API permission + short-summary: Grant the app an API Delegated permissions + long-summary: for Application permissions, please use "ad app permission admin-consent" examples: - name: Grant a native application with permissions to access an existing API with TTL of 2 years text: az ad app permission grant --id e042ec79-34cd-498f-9d9f-1234234 --api a0322f79-57df-498f-9d9f-12678 --expires 2 """ +helps['ad app permission admin-consent'] = """ + type: command + short-summary: grant Application & Delegated permissions through admin-consent. + long-summary: you must login as a directory administrator +""" helps['ad app permission list'] = """ type: command short-summary: List API permissions the application has requested diff --git a/src/command_modules/azure-cli-role/azure/cli/command_modules/role/commands.py b/src/command_modules/azure-cli-role/azure/cli/command_modules/role/commands.py index a9e0bbe1270..77862ad190b 100644 --- a/src/command_modules/azure-cli-role/azure/cli/command_modules/role/commands.py +++ b/src/command_modules/azure-cli-role/azure/cli/command_modules/role/commands.py @@ -146,6 +146,7 @@ def load_command_table(self, _): g.custom_command('permission add', 'add_permission') g.custom_command('permission delete', 'delete_permission') g.custom_command('permission list-grants', 'list_permission_grants') + g.custom_command('permission admin-consent', 'admin_consent') g.generic_update_command('update', setter_name='patch_application', setter_type=role_custom, getter_name='show_application', getter_type=role_custom, custom_func_name='update_application', custom_func_type=role_custom) diff --git a/src/command_modules/azure-cli-role/azure/cli/command_modules/role/custom.py b/src/command_modules/azure-cli-role/azure/cli/command_modules/role/custom.py index 8f60d243f66..b82f0a55b76 100644 --- a/src/command_modules/azure-cli-role/azure/cli/command_modules/role/custom.py +++ b/src/command_modules/azure-cli-role/azure/cli/command_modules/role/custom.py @@ -807,6 +807,34 @@ def delete_permission(cmd, identifier, api): return graph_client.applications.patch(application.object_id, update_parameter) +def admin_consent(cmd, identifier): + import requests + from azure.cli.core.cloud import AZURE_PUBLIC_CLOUD + from azure.cli.core._profile import Profile + from azure.cli.core.commands.client_factory import UA_AGENT + from azure.cli.core.util import should_disable_connection_verify + if cmd.cli_ctx.cloud.name != AZURE_PUBLIC_CLOUD.name: + raise CLIError('This command is not yet supported on sovereign clouds') + # we will leverage portal endpoints to get admin consent done + graph_client = _graph_client_factory(cmd.cli_ctx) + application = show_application(graph_client.applications, identifier) + url = 'https://main.iam.ad.ext.azure.com/api/RegisteredApplications/{}/Consent?onBehalfOfAll=true'.format( + application.app_id) + profile = Profile() + + # the key is to get the access token to the portal resource: + access_token = profile.get_raw_token('74658136-14ec-4630-ad9b-26e160ff0fc6') + headers = { + 'Authorization': "Bearer " + access_token[0][1], + 'Accept-Encoding': 'gzip, deflate, br', + 'x-ms-client-request-id': str(uuid.uuid4()), + 'User-Agent': UA_AGENT + } + response = requests.post(url, headers=headers, verify=not should_disable_connection_verify()) + if not response.ok: + raise CLIError(response.reason) + + def grant_application(cmd, identifier, api, consent_type=None, principal_id=None, expires='1', scope='user_impersonation'): graph_client = _graph_client_factory(cmd.cli_ctx)