[Microsoft Entra ID] az ad app create/update: Add --requested-access-token-version argument (#30230)

Author: jiasli

src/azure-cli/azure/cli/command_modules/role/_msgrpah/_graph_objects.py

@@ -15,6 +15,8 @@
     'sign_in_audience': 'signInAudience',
     'service_management_reference': 'serviceManagementReference',
     'key_credentials': 'keyCredentials',
+    # api
+    'requested_access_token_version': ['api', 'requestedAccessTokenVersion'],
     # web
     'web_home_page_url': ['web', 'homePageUrl'],
     'web_redirect_uris': ['web', 'redirectUris'],

src/azure-cli/azure/cli/command_modules/role/_params.py

@@ -30,6 +30,7 @@ def load_arguments(self, _):
                    help='list all entities, expect long delay if under a big organization')
 
     with self.argument_context('ad app') as c:
+        # https://learn.microsoft.com/en-us/graph/api/resources/application?view=graph-rest-1.0
         c.argument('app_id', help='application id')
         c.argument('application_object_id', options_list=('--object-id',))
         c.argument('display_name', help='the display name of the application')
@@ -55,7 +56,15 @@ def load_arguments(self, _):
                                            'PersonalMicrosoftAccount']),
                    help='Specifies the Microsoft accounts that are supported for the current application.')
 
+        # api
+        # https://learn.microsoft.com/en-us/graph/api/resources/apiapplication?view=graph-rest-1.0
+        c.argument('requested_access_token_version', arg_group='api', type=int,
+                   help='Specifies the access token version expected by this resource. This changes the version and '
+                        'format of the JWT produced independent of the endpoint or client used to request the access '
+                        'token.')
+
         # web
+        # https://learn.microsoft.com/en-us/graph/api/resources/webapplication?view=graph-rest-1.0
         c.argument('web_home_page_url', arg_group='web', help='Home page or landing page of the application.')
         c.argument('web_redirect_uris', arg_group='web', nargs='+',
                    help='Space-separated values. '
@@ -71,12 +80,14 @@ def load_arguments(self, _):
                         'implicit flow.')
 
         # publicClient
+        # https://learn.microsoft.com/en-us/graph/api/resources/publicclientapplication?view=graph-rest-1.0
         c.argument('public_client_redirect_uris', arg_group='publicClient', nargs='+',
                    help='Space-separated values. '
                         'Specifies the URLs where user tokens are sent for sign-in, or the redirect URIs '
                         'where OAuth 2.0 authorization codes and access tokens are sent.')
 
         # keyCredential
+        # https://learn.microsoft.com/en-us/graph/api/resources/keycredential?view=graph-rest-1.0
         c.argument('start_date', arg_group='keyCredential',
                    help="Date or datetime at which credentials become valid (e.g. '2017-01-01T01:00:00+00:00' or "
                         "'2017-01-01'). Default value is current time")

src/azure-cli/azure/cli/command_modules/role/custom.py

@@ -631,6 +631,8 @@ def create_application(cmd, client, display_name, identifier_uris=None,
                        is_fallback_public_client=None,
                        service_management_reference=None,
                        sign_in_audience=None,
+                       # api
+                       requested_access_token_version=None,
                        # keyCredentials
                        key_value=None, key_type=None, key_usage=None, start_date=None, end_date=None,
                        key_display_name=None,
@@ -660,6 +662,8 @@ def create_application(cmd, client, display_name, identifier_uris=None,
                 is_fallback_public_client=is_fallback_public_client,
                 service_management_reference=service_management_reference,
                 sign_in_audience=sign_in_audience,
+                # api
+                requested_access_token_version=requested_access_token_version,
                 # keyCredentials
                 key_value=key_value, key_type=key_type, key_usage=key_usage,
                 start_date=start_date, end_date=end_date,
@@ -691,6 +695,8 @@ def create_application(cmd, client, display_name, identifier_uris=None,
         is_fallback_public_client=is_fallback_public_client,
         service_management_reference=service_management_reference,
         sign_in_audience=sign_in_audience,
+        # api
+        requested_access_token_version=requested_access_token_version,
         # keyCredentials
         key_credentials=key_credentials,
         # web
@@ -718,6 +724,8 @@ def update_application(instance, display_name=None, identifier_uris=None,  # pyl
                        is_fallback_public_client=None,
                        service_management_reference=None,
                        sign_in_audience=None,
+                       # api
+                       requested_access_token_version=None,
                        # keyCredentials
                        key_value=None, key_type=None, key_usage=None, start_date=None, end_date=None,
                        key_display_name=None,
@@ -741,6 +749,8 @@ def update_application(instance, display_name=None, identifier_uris=None,  # pyl
         is_fallback_public_client=is_fallback_public_client,
         service_management_reference=service_management_reference,
         sign_in_audience=sign_in_audience,
+        # api
+        requested_access_token_version=requested_access_token_version,
         # keyCredentials
         key_credentials=key_credentials,
         # web

src/azure-cli/azure/cli/command_modules/role/linter_exclusions.yml

@@ -18,6 +18,9 @@ ad app create:
         service_management_reference:
             rule_exclusions:
             - option_length_too_long
+        requested_access_token_version:
+            rule_exclusions:
+            - option_length_too_long
 ad app update:
     parameters:
         enable_access_token_issuance:
@@ -35,6 +38,9 @@ ad app update:
         service_management_reference:
             rule_exclusions:
             - option_length_too_long
+        requested_access_token_version:
+            rule_exclusions:
+            - option_length_too_long
 ad user create:
     parameters:
         force_change_password_next_sign_in: