
[Feature Request] Show object ID of the signed in account

Open jiasli opened this issue 3 years ago • 6 comments

Context

Currently, in order to get the object ID of the signed in account, we have to query Microsoft Graph API:

  • User account: az ad signed-in-user show
  • Service principal account: az ad sp show

However, since some tenants (including the Microsoft tenant) have Conditional Access policies that block accessing Microsoft Graph with device code (https://github.com/Azure/azure-cli/issues/22629), querying the Microsoft Graph API is no longer possible with device code.

Proposed solutions

The result of

  • az login
  • az account show
  • az account list

can show the object ID decoded from the access token.

We can also add a --show-claims parameter to az account get-access-token:

az account get-access-token --show-claims

to decode the access token and show its claims, but this solution is less intuitive.

Manual solution

Object ID can be manually retrieved from the access token:

pip3 install --upgrade pyjwt

az account get-access-token --query accessToken --output tsv |
  tr -d '\n' |
  python3 -c "import jwt, sys; print(jwt.decode(sys.stdin.read(), algorithms=['RS256'], options={'verify_signature': False})['oid'])" 

jiasli avatar Jun 08 '22 05:06 jiasli

Show object ID

yonzhan avatar Jun 08 '22 05:06 yonzhan

@jiasli, @yonzhan - this won't help our scenario... we use the az ad sp show --id command to get the object ID of the SPN and not the logged-in user, which used to work until now.

We are looking for a solution given AppId how to get the object id in the tenant from the current logged in user context.

subbartt avatar Jun 08 '22 11:06 subbartt

@jiasli the workaround mentioned here fetches the object ID of the signed-in user. We need the object ID of the provided SP. Is there a similar workaround for this?

The az ad sp show --id "" command, that is.

uthsab avatar Jun 08 '22 11:06 uthsab

To get the object ID of another service principal (not the signed in one), the solutions provided in https://github.com/Azure/azure-cli/issues/22629#issuecomment-1138371908 are the only possible ways in Microsoft tenant. This is MSDigital policy. Please see https://portal.microsofticm.com/imp/v3/incidents/details/309117289/home.

jiasli avatar Jun 08 '22 12:06 jiasli

As for decoding the access token, as discussed with MSAL team and Azure architect, OAuth2 protocol treats access tokens as opaque. There is no expectation that clients will understand those. So, we shouldn't decode the access token and extract object ID from it.

  • User account: ID token can be decoded to extract oid. However, MSAL currently can't expose ID token for each tenant, so we can't get the oid for each tenant.
  • Service principal: Service principal doesn't have an ID token, so there is no way to get object ID without querying Graph.

jiasli avatar Feb 07 '23 05:02 jiasli
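The manual decoding from the opening post, and the caveat above that access tokens are opaque to OAuth2 clients, as an added example that is not part of the issue or of azure-cli. It reads the `oid` claim the same way the pyjwt one-liner does (signature deliberately not verified, since the CLI has no key to check it against), but it also refuses tokens that are not JWT-shaped instead of crashing on them, and it lists every claim the way a hypothetical `--show-claims` flag might. The sample token and the opaque token string are constructed inline; the GUIDs in them are placeholders, not real tenant or object IDs.

```python
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    """Decode one base64url segment, restoring the '=' padding JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a JWT WITHOUT verifying its signature.

    This is what the pyjwt one-liner with verify_signature=False does: it
    reads what the token says about itself and trusts nothing.  Use it only
    to introspect a token you obtained for yourself, never to authorize.
    Raises ValueError when the token is not a JWT at all, which is allowed
    for OAuth2 access tokens because the protocol treats them as opaque.
    """
    parts = token.strip().split(".")  # strip() replaces the tr -d '\n' step
    if len(parts) != 3:
        raise ValueError("token is not a three-part JWS compact serialization")
    try:
        header = json.loads(_b64url_decode(parts[0]))
        claims = json.loads(_b64url_decode(parts[1]))
    except (ValueError, json.JSONDecodeError) as exc:
        raise ValueError("token segments are not base64url-encoded JSON") from exc
    if not isinstance(header, dict) or "alg" not in header:
        raise ValueError("token header does not describe a JWT")
    if str(header.get("typ", "JWT")).upper() != "JWT":
        raise ValueError("token header typ is not JWT")
    return claims


def object_id_from_token(token: str) -> str:
    """The oid claim, i.e. the object ID of the signed-in principal."""
    claims = decode_jwt_claims(token)
    if "oid" not in claims:
        raise ValueError("token carries no 'oid' claim")
    return claims["oid"]


def show_claims(token: str) -> str:
    """All claims as pretty JSON, what a --show-claims flag might print."""
    return json.dumps(decode_jwt_claims(token), indent=2, sort_keys=True)


def make_sample_token(claims: dict) -> str:
    """Build a JWT-shaped token with a dummy signature, for offline use only."""
    def enc(raw: bytes) -> str:
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

    header = {"typ": "JWT", "alg": "RS256", "kid": "constructed-kid"}
    return ".".join([
        enc(json.dumps(header, separators=(",", ":")).encode()),
        enc(json.dumps(claims, separators=(",", ":")).encode()),
        enc(b"\x00" * 32),  # placeholder: no real RS256 signature exists here
    ])


# Constructed sample claims in the shape of an Entra ID access token.
# All GUIDs are placeholders, not real tenant or object identifiers.
SAMPLE_CLAIMS = {
    "aud": "https://management.azure.com/",
    "iss": "https://sts.windows.net/00000000-0000-0000-0000-000000000000/",
    "tid": "00000000-0000-0000-0000-000000000000",
    "oid": "11111111-2222-3333-4444-555555555555",
    "upn": "user@example.com",
    "iat": 1654664400,
    "exp": 1654668000,
}
SAMPLE_TOKEN = make_sample_token(SAMPLE_CLAIMS) + "\n"  # CLI output ends in a newline

# Constructed stand-in for a non-JWT (opaque) access token.
OPAQUE_TOKEN = "opaque-token-value-that-is-not-a-jwt"


if __name__ == "__main__":
    print("object ID:", object_id_from_token(SAMPLE_TOKEN))
    print(show_claims(SAMPLE_TOKEN))
    try:
        decode_jwt_claims(OPAQUE_TOKEN)
    except ValueError as err:
        print("opaque token rejected:", err)
```

Note that this reads a claim out of a token that was issued for a resource (the `aud` above), not for the CLI itself; the thread's later objection is that a client has no contract with the issuer about that token's format, so `oid` may legitimately be absent or the token may not be a JWT at all, which is why the decoder raises rather than assuming.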

@jiasli, currently we have moved away from this model, so we no longer require this functionality. See on the merit if the scenario is useful and triage accordingly.

subbartt avatar Feb 07 '23 07:02 subbartt