az ad app permission grant fails with ResourceNotFoundError

Describe the bug

Command Name: az ad app permission grant

Errors:

ResourceNotFoundError: Operation failed with status: 'Not Found'. Details: 404 Client Error: Not Found for url: https://graph.windows.net/4c78ae6a-788b-4b73-a2a4-3b7ba6269360/oauth2PermissionGrants?$filter=clientId%20eq%20%270d126170-fadc-4c1d-b96a-b7c756242d6a%27&api-version=1.6

To Reproduce:

Steps to reproduce the behavior. Note that argument values have been redacted, as they may contain sensitive information.

➜  cluster-api-provider-azure git:(aad-support) oAuthPermissionId=$(az ad app show --id ${AZURE_SERVER_APP_ID} --query "oauth2Permissions[0].id" -o tsv)
az ad app permission add --id ${AZURE_CLIENT_APP_ID} --api ${AZURE_SERVER_APP_ID} --api-permissions ${oAuthPermissionId}=Scope
az ad app permission grant --id ${AZURE_CLIENT_APP_ID} --api ${AZURE_SERVER_APP_ID}

Invoking "az ad app permission grant --id 0d126170-fadc-4c1d-b96a-b7c756242d6a --api 9d11a142-e5c9-43df-8b02-5f988f2cd196" is needed to make the change effective
ResourceNotFoundError: Operation failed with status: 'Not Found'. Details: 404 Client Error: Not Found for url: https://graph.windows.net/4c78ae6a-788b-4b73-a2a4-3b7ba6269360/oauth2PermissionGrants?$filter=clientId%20eq%20%270d126170-fadc-4c1d-b96a-b7c756242d6a%27&api-version=1.6
➜  cluster-api-provider-azure git:(aad-support) az ad app permission list --id ${AZURE_CLIENT_APP_ID}
[
  {
    "additionalProperties": null,
    "expiryTime": "N/A",
    "resourceAccess": [
      {
        "additionalProperties": null,
        "id": "6ca5578f-5180-4d96-81da-6e0ad40811da",
        "type": "Scope"
      }
    ],
    "resourceAppId": "9d11a142-e5c9-43df-8b02-5f988f2cd196"
  }
]
➜  cluster-api-provider-azure git:(aad-support) az ad app permission grant --id 0d126170-fadc-4c1d-b96a-b7c756242d6a --api 9d11a142-e5c9-43df-8b02-5f988f2cd196
ResourceNotFoundError: Operation failed with status: 'Not Found'. Details: 404 Client Error: Not Found for url: https://graph.windows.net/4c78ae6a-788b-4b73-a2a4-3b7ba6269360/oauth2PermissionGrants?$filter=clientId%20eq%20%270d126170-fadc-4c1d-b96a-b7c756242d6a%27&api-version=1.6

Expected Behavior

az ad permission grant to succeed.

I’ve tried waiting a few minutes and trying again, same error. As you can see above, az permission list does list the permission I am trying to grant.

I am logged in as admin in the tenant. I am able to grant the permission via the Azure Portal when logging in with the same user account.

Environment Summary

macOS-11.1-x86_64-i386-64bit
Python 3.8.7
Installer: HOMEBREW

azure-cli 2.18.0

Extensions:
k8sconfiguration 0.1.8
show-deployment 0.0.7
aks-preview 0.4.73
noelbundick 0.0.11

Additional Context

Similar issue I found on the topic: https://github.com/MicrosoftDocs/azure-docs/issues/35335#issuecomment-534229380

Issue Analytics

  • State: closed
  • Created 3 years ago
  • Comments: 6 (4 by maintainers)

Top GitHub Comments

CecileRobertMichon commented, Feb 23, 2021 (1 reaction)

Thanks @jiasli, and thank you for opening a PR to improve the error message!

jiasli commented, Feb 23, 2021 (1 reaction)

Hi @CecileRobertMichon, the error is triggered by this line:

https://github.com/Azure/azure-cli/blob/74ea23bc805d57e3cf68cc9a4396141975acb580/src/azure-cli/azure/cli/command_modules/role/custom.py#L997-L998

This is because the App doesn’t have an associated Service Principal and CLI falls back to use the provided appId 0d126170-fadc-4c1d-b96a-b7c756242d6a as Service Principal objectId:

https://github.com/Azure/azure-cli/blob/74ea23bc805d57e3cf68cc9a4396141975acb580/src/azure-cli/azure/cli/command_modules/role/custom.py#L1314-L1315

This causes the 404 error. To fix it, please create an associated Service Principal for the App:

az ad sp create --id 0d126170-fadc-4c1d-b96a-b7c756242d6a

Then az ad app permission grant should succeed.
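
The fix from the comment above, written as a preflight wrapper (an added example, not code from the issue or from azure-cli): it checks whether the client app has a service principal in the tenant, creates one only if it is missing, and then runs the grant. The function names are hypothetical, and `az ad sp show` is used here for the existence check.

```bash
#!/usr/bin/env bash
# Added example: preflight for `az ad app permission grant`.
# Function names are hypothetical; the az subcommands are the ones shown
# on the page plus `az ad sp show`.

# Return 0 if a service principal exists for this appId in the current tenant.
sp_exists() {
  az ad sp show --id "$1" --query appId -o tsv >/dev/null 2>&1
}

# Create the service principal only when it is missing (safe to re-run).
# Prints "exists" or "created" so the caller can log what happened.
ensure_sp() {
  if sp_exists "$1"; then
    echo "exists"
  else
    az ad sp create --id "$1" >/dev/null || return 1
    echo "created"
  fi
}

# Usage: grant_with_sp_check CLIENT_APP_ID API_APP_ID [extra grant args...]
# Rejects empty IDs, which is what an unset ${AZURE_CLIENT_APP_ID} expands to.
grant_with_sp_check() {
  if [ "$#" -lt 2 ] || [ -z "$1" ] || [ -z "$2" ]; then
    echo "usage: grant_with_sp_check CLIENT_APP_ID API_APP_ID [args...]" >&2
    return 2
  fi
  local client_app_id="$1" api_app_id="$2" state
  shift 2
  state=$(ensure_sp "$client_app_id") || {
    echo "could not create service principal for $client_app_id" >&2
    return 1
  }
  echo "service principal for $client_app_id: $state" >&2
  # Extra arguments are passed through to the grant unchanged.
  az ad app permission grant --id "$client_app_id" --api "$api_app_id" "$@"
}
```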
