Description
I have already raised tickets with the ms-graph team, but they pointed me here.
I am trying to activate my eligible assignment for PIM for Groups:
If I log in to Graph Explorer, it is no problem to activate my eligible assignment from there. It also works with HTTP from bash if I use the existing token from Graph Explorer.
If I try to get a Graph token from Azure CLI, it seems to work with:
az account get-access-token --resource-type ms-graph
With this token I do not have the right permissions to do the activation:
Authorization failed due to missing permission scope PrivilegedAssignmentSchedule.ReadWrite.AzureADGroup,PrivilegedAccess.ReadWrite.AzureADGroup,PrivilegedAssignmentSchedule.Remove.AzureADGroup.
If I try to set the scope (I've tried a few formats), then I only get these errors:
az account get-access-token --resource-type ms-graph --scope https://graph.microsoft.com/.PrivilegedAssignmentSchedule.ReadWrite.AzureADGroup
or
az account get-access-token --resource-type ms-graph --scope .PrivilegedAssignmentSchedule.ReadWrite.AzureADGroup
Consent between first party application '04b07795-8ddb-461a-bbee-02f9e1bf7b46' and first party resource '00000003-0000-0000-c000-000000000000' must be configured via preauthorization - applications owned and operated by Microsoft must get approval from the API owner before requesting tokens for that API.
We are not able to find a way to edit permissions for app '04b07795-8ddb-461a-bbee-02f9e1bf7b46', which seems to be Azure-CLI.
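A diagnostic for the scope mismatch reported above, added here as an example and not part of the original issue or of Azure CLI: it decodes the `scp` claim of an access token locally and compares it with the scopes named in the Graph error. The function names and the sample token (including its `scp` value) are constructed for illustration; only the error text and the client ID come from the issue.

```python
import base64
import json

def jwt_claims(token):
    """Decode a JWT payload WITHOUT verifying the signature (diagnostics only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def scopes_named_in_error(message):
    """Extract the comma-separated scope list from the Graph error text."""
    marker = "missing permission scope"
    idx = message.find(marker)
    if idx < 0:
        return []
    tail = message[idx + len(marker):].strip().rstrip(".")
    return [s.strip() for s in tail.split(",") if s.strip()]

def compare_scopes(token, error_message):
    """Report which scopes named in the error are present in the token's scp claim."""
    claims = jwt_claims(token)
    granted = set(claims.get("scp", "").split())  # scp is space-separated
    wanted = scopes_named_in_error(error_message)
    return {
        "client": claims.get("appid") or claims.get("azp"),
        "present": [s for s in wanted if s in granted],
        "absent": [s for s in wanted if s not in granted],
    }

def constructed_token(claims):
    """Build an unsigned sample token so the example runs offline (constructed data)."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none", "typ": "JWT"}), enc(claims), "sig"])

# Error text copied from the issue; the scp value is a constructed sample.
ERROR = ("Authorization failed due to missing permission scope "
         "PrivilegedAssignmentSchedule.ReadWrite.AzureADGroup,"
         "PrivilegedAccess.ReadWrite.AzureADGroup,"
         "PrivilegedAssignmentSchedule.Remove.AzureADGroup.")
SAMPLE = constructed_token({
    "appid": "04b07795-8ddb-461a-bbee-02f9e1bf7b46",
    "scp": "User.Read Directory.AccessAsUser.All",
})

if __name__ == "__main__":
    print(json.dumps(compare_scopes(SAMPLE, ERROR), indent=2))
```

To check a real token, pass the output of `az account get-access-token --resource-type ms-graph --query accessToken -o tsv` to `compare_scopes` in place of `SAMPLE`. Decoding locally keeps the bearer token off third-party decoder sites.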