'az webapp config access-restriction show' returns properties in snake case #32474
Description
Describe the bug
the command sometimes returns properties in snake case and sometimes in camel case
I didn't figure out the pattern
Related command
az webapp config access-restriction show
Errors
the error occurs in a client code which doesn't find the expected property in camel case
Issue script & Debug output
az webapp config access-restriction show --resource-group 'sensitive' --name 'sensitive' --debug
cli.knack.cli: Command arguments: ['webapp', 'config', 'access-restriction', 'show', '--resource-group', 'sensitive', '--name', 'sensitive', '--debug']
cli.knack.cli: init debug log:
Enable color in terminal.
cli.knack.cli: Event: Cli.PreExecute []
cli.knack.cli: Event: CommandParser.OnGlobalArgumentsCreate [<function CLILogging.on_global_arguments at 0x000001C21EFDB2E0>, <function OutputProducer.on_global_arguments at 0x000001C21F37C180>, <function CLIQuery.on_global_arguments at 0x000001C21F3A1580>]
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableCreate []
cli.azure.cli.core: Modules found from index for 'webapp': ['azure.cli.command_modules.appservice', 'azure.cli.command_modules.serviceconnector']
cli.azure.cli.core: Loading command modules:
cli.azure.cli.core: Name Load Time Groups Commands
cli.azure.cli.core: appservice 0.358 80 278
cli.azure.cli.core: serviceconnector 0.022 20 331
cli.azure.cli.core: Total (2) 0.380 100 609
cli.azure.cli.core: These extensions are not installed and will be skipped: ['azext_ai_examples', 'azext_next']
cli.azure.cli.core: Loading extensions:
cli.azure.cli.core: Name Load Time Groups Commands Directory
cli.azure.cli.core: Total (0) 0.000 0 0
cli.azure.cli.core: Loaded 98 groups, 609 commands.
cli.azure.cli.core: Found a match in the command table.
cli.azure.cli.core: Raw command : webapp config access-restriction show
cli.azure.cli.core: Command table: webapp config access-restriction show
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableTruncate [<function AzCliLogging.init_command_file_logging at 0x000001C2216971A0>]
cli.azure.cli.core.azlogging: metadata file logging enabled - writing logs to 'C:\Users\sensitive.azure\commands\2025-11-28.16-12-16.webapp_config_access-restriction_show.25768.log'.
az_command_data_logger: command args: webapp config access-restriction show --resource-group {} --name {} --debug
cli.knack.cli: Event: CommandInvoker.OnPreArgumentLoad [<function register_global_subscription_argument..add_subscription_parameter at 0x000001C2216BBA60>]
cli.knack.cli: Event: CommandInvoker.OnPostArgumentLoad []
cli.knack.cli: Event: CommandInvoker.OnPostCommandTableCreate [<function register_ids_argument..add_ids_arguments at 0x000001C22170E2A0>, <function register_cache_arguments..add_cache_arguments at 0x000001C22170E3E0>, <function register_upcoming_breaking_change_info..update_breaking_change_info at 0x000001C22170E480>]
cli.knack.cli: Event: CommandInvoker.OnCommandTableLoaded []
cli.knack.cli: Event: CommandInvoker.OnPreParseArgs []
cli.knack.cli: Event: CommandInvoker.OnPostParseArgs [<function OutputProducer.handle_output_argument at 0x000001C21F37C220>, <function CLIQuery.handle_query_parameter at 0x000001C21F3A1620>, <function register_ids_argument..parse_ids_arguments at 0x000001C22170E340>]
cli.azure.cli.core.commands.client_factory: Getting management service client client_type=WebSiteManagementClient
cli.azure.cli.core.auth.persistence: build_persistence: location='C:\Users\sensitive\.azure\msal_token_cache.bin', encrypt=True
cli.azure.cli.core.auth.binary_cache: load: C:\Users\sensitive.azure\msal_http_cache.bin
urllib3.util.retry: Converted retries value: 1 -> Retry(total=1, connect=None, read=None, redirect=None, status=None)
msal.authority: Initializing with Entra authority: https://login.microsoftonline.com/sensitive
msal.authority: openid_config("https://login.microsoftonline.com/sensitive/v2.0/.well-known/openid-configuration") = {'token_endpoint': 'https://login.microsoftonline.com/sensitive/oauth2/v2.0/token', 'token_endpoint_auth_methods_supported': ['client_secret_post', 'private_key_jwt', 'client_secret_basic', 'self_signed_tls_client_auth'], 'jwks_uri': 'https://login.microsoftonline.com/sensitive/discovery/v2.0/keys', 'response_modes_supported': ['query', 'fragment', 'form_post'], 'subject_types_supported': ['pairwise'], 'id_token_signing_alg_values_supported': ['RS256'], 'response_types_supported': ['code', 'id_token', 'code id_token', 'id_token token'], 'scopes_supported': ['openid', 'profile', 'email', 'offline_access'], 'issuer': 'https://login.microsoftonline.com/sensitive/v2.0', 'request_uri_parameter_supported': False, 'userinfo_endpoint': 'https://graph.microsoft.com/oidc/userinfo', 'authorization_endpoint': 'https://login.microsoftonline.com/sensitive/oauth2/v2.0/authorize', 'device_authorization_endpoint': 'https://login.microsoftonline.com/sensitive/oauth2/v2.0/devicecode', 'http_logout_supported': True, 'frontchannel_logout_supported': True, 'end_session_endpoint': 'https://login.microsoftonline.com/sensitive/oauth2/v2.0/logout', 'claims_supported': ['sub', 'iss', 'cloud_instance_name', 'cloud_instance_host_name', 'cloud_graph_host_name', 'msgraph_host', 'aud', 'exp', 'iat', 'auth_time', 'acr', 'nonce', 'preferred_username', 'name', 'tid', 'ver', 'at_hash', 'c_hash', 'email'], 'kerberos_endpoint': 'https://login.microsoftonline.com/sensitive/kerberos', 'mtls_endpoint_aliases': {'token_endpoint': 'https://mtlsauth.microsoft.com/sensitive/oauth2/v2.0/token'}, 'tls_client_certificate_bound_access_tokens': True, 'tenant_region_scope': 'EU', 'cloud_instance_name': 'microsoftonline.com', 'cloud_graph_host_name': 'graph.windows.net', 'msgraph_host': 'graph.microsoft.com', 'rbac_url': 'https://pas.windows.net'}
msal.application: Broker enabled? True
cli.azure.cli.core.auth.credential_adaptor: CredentialAdaptor.get_token_info: scopes=('https://management.core.windows.net//.default',), options={}
cli.azure.cli.core.auth.msal_credentials: UserCredential.acquire_token: scopes=['https://management.core.windows.net//.default'], claims_challenge=None, kwargs={}
msal.application: Cache hit an AT
msal.telemetry: Generate or reuse correlation_id: sensitive
cli.azure.cli.core.sdk.policies: Request URL: 'https://management.azure.com/subscriptions/sensitive/resourceGroups/sensitive/providers/Microsoft.Web/sites/sensitive/config/web?api-version=2024-11-01'
cli.azure.cli.core.sdk.policies: Request method: 'GET'
cli.azure.cli.core.sdk.policies: Request headers:
cli.azure.cli.core.sdk.policies: 'Accept': 'application/json'
cli.azure.cli.core.sdk.policies: 'x-ms-client-request-id': '9fba31b8-cc6c-11f0-b0cc-b3ce651aee6f'
cli.azure.cli.core.sdk.policies: 'CommandName': 'webapp config access-restriction show'
cli.azure.cli.core.sdk.policies: 'ParameterSetName': '--resource-group --name --debug'
cli.azure.cli.core.sdk.policies: 'User-Agent': 'AZURECLI/2.76.0 (MSI) azsdk-python-core/1.35.0 Python/3.12.10 (Windows-11-10.0.22631-SP0)'
cli.azure.cli.core.sdk.policies: 'Authorization': '*****'
cli.azure.cli.core.sdk.policies: Request body:
cli.azure.cli.core.sdk.policies: This request has no body
urllib3.connectionpool: Starting new HTTPS connection (1): management.azure.com:443
urllib3.connectionpool: https://management.azure.com:443 "GET /subscriptions/sensitive/resourceGroups/sensitive/providers/Microsoft.Web/sites/sensitive/config/web?api-version=2024-11-01 HTTP/1.1" 200 4440
cli.azure.cli.core.sdk.policies: Response status: 200
cli.azure.cli.core.sdk.policies: Response headers:
cli.azure.cli.core.sdk.policies: 'Cache-Control': 'no-cache'
cli.azure.cli.core.sdk.policies: 'Pragma': 'no-cache'
cli.azure.cli.core.sdk.policies: 'Content-Length': '4440'
cli.azure.cli.core.sdk.policies: 'Content-Type': 'application/json'
cli.azure.cli.core.sdk.policies: 'Expires': '-1'
cli.azure.cli.core.sdk.policies: 'Strict-Transport-Security': 'max-age=31536000; includeSubDomains'
cli.azure.cli.core.sdk.policies: 'x-ms-request-id': 'guid'
cli.azure.cli.core.sdk.policies: 'X-AspNet-Version': '4.0.30319'
cli.azure.cli.core.sdk.policies: 'X-Powered-By': 'ASP.NET'
cli.azure.cli.core.sdk.policies: 'x-ms-operation-identifier': 'tenantId=sensitive,objectId=guid/germanywestcentral/guid'
cli.azure.cli.core.sdk.policies: 'x-ms-ratelimit-remaining-subscription-reads': '249'
cli.azure.cli.core.sdk.policies: 'x-ms-ratelimit-remaining-subscription-global-reads': '3749'
cli.azure.cli.core.sdk.policies: 'x-ms-correlation-request-id': 'guid'
cli.azure.cli.core.sdk.policies: 'x-ms-routing-request-id': 'GERMANYWESTCENTRAL:20251128T151216Z:guid'
cli.azure.cli.core.sdk.policies: 'X-Content-Type-Options': 'nosniff'
cli.azure.cli.core.sdk.policies: 'X-Cache': 'CONFIG_NOCACHE'
cli.azure.cli.core.sdk.policies: 'X-MSEdge-Ref': 'Ref A: 76232903A59A42219B569D93193CA3A0 Ref B: FRA261071510060 Ref C: 2025-11-28T15:12:15Z'
cli.azure.cli.core.sdk.policies: 'Date': 'Fri, 28 Nov 2025 15:12:15 GMT'
cli.azure.cli.core.sdk.policies: Response content:
cli.azure.cli.core.sdk.policies: {"id":"/subscriptions/sensitive/resourceGroups/sensitive/providers/Microsoft.Web/sites/sensitive/config/web","name":"sensitive","type":"Microsoft.Web/sites/config","location":"West Europe","properties":{"numberOfWorkers":1,"defaultDocuments":["Default.htm","Default.html","Default.asp","index.htm","index.html","iisstart.htm","default.aspx","index.php","hostingstart.html"],"netFrameworkVersion":"v4.0","phpVersion":"","pythonVersion":"","nodeVersion":"","powerShellVersion":"","linuxFxVersion":"DOTNETCORE|9.0","windowsFxVersion":null,"sandboxType":null,"windowsConfiguredStacks":[],"requestTracingEnabled":false,"remoteDebuggingEnabled":false,"remoteDebuggingVersion":null,"httpLoggingEnabled":false,"azureMonitorLogCategories":[""],"acrUseManagedIdentityCreds":false,"acrUserManagedIdentityID":null,"logsDirectorySizeLimit":35,"detailedErrorLoggingEnabled":false,"publishingUsername":"REDACTED","publishingPassword":null,"appSettings":null,"metadata":null,"connectionStrings":null,"machineKey":null,"handlerMappings":null,"documentRoot":null,"scmType":"None","use32BitWorkerProcess":true,"webSocketsEnabled":false,"alwaysOn":true,"javaVersion":null,"javaContainer":null,"javaContainerVersion":null,"appCommandLine":"","managedPipelineMode":"Integrated","virtualApplications":[{"virtualPath":"/","physicalPath":"site\wwwroot","preloadEnabled":true,"virtualDirectories":null}],"winAuthAdminState":null,"winAuthTenantState":null,"customAppPoolIdentityAdminState":false,"customAppPoolIdentityTenantState":false,"runtimeADUser":null,"runtimeADUserPassword":null,"loadBalancing":"LeastRequests","routingRules":[],"experiments":{"rampUpRules":[]},"limits":null,"autoHealEnabled":false,"autoHealRules":null,"tracingOptions":null,"vnetName":"sensitive_CustomSubnet","vnetRouteAllEnabled":false,"vnetPrivatePortsCount":0,"publicNetworkAccess":null,"siteAuthEnabled":false,"siteAuthSettings":{"enabled":null,"unauthenticatedClientAction":null,"tokenStoreEnabled":null,"allowedExternalRedirectUrls":null,"defaultProvider":null,"clientId":null,"clientSecret":null,"clientSecretSettingName":null,"clientSecretCertificateThumbprint":null,"issuer":null,"allowedAudiences":null,"additionalLoginParams":null,"isAadAutoProvisioned":false,"aadClaimsAuthorization":null,"googleClientId":null,"googleClientSecret":null,"googleClientSecretSettingName":null,"googleOAuthScopes":null,"facebookAppId":null,"facebookAppSecret":null,"facebookAppSecretSettingName":null,"facebookOAuthScopes":null,"gitHubClientId":null,"gitHubClientSecret":null,"gitHubClientSecretSettingName":null,"gitHubOAuthScopes":null,"twitterConsumerKey":null,"twitterConsumerSecret":null,"twitterConsumerSecretSettingName":null,"microsoftAccountClientId":null,"microsoftAccountClientSecret":null,"microsoftAccountClientSecretSettingName":null,"microsoftAccountOAuthScopes":null,"configVersion":null},"cors":null,"push":null,"apiDefinition":null,"apiManagementConfig":null,"autoSwapSlotName":null,"localMySqlEnabled":false,"managedServiceIdentityId":null,"xManagedServiceIdentityId":28440,"keyVaultReferenceIdentity":null,"ipSecurityRestrictions":[{"ipAddress":"sensitive","action":"Allow","tag":"Default","priority":100,"name":"sensitive","description":"sensitive"},{"ipAddress":"Any","action":"Deny","priority":2147483647,"name":"Deny all","description":"Deny all access"}],"ipSecurityRestrictionsDefaultAction":null,"scmIpSecurityRestrictions":[{"ipAddress":"Any","action":"Allow","priority":2147483647,"name":"Allow all","description":"Allow all access"}],"scmIpSecurityRestrictionsDefaultAction":null,"scmIpSecurityRestrictionsUseMain":false,"http20Enabled":false,"minTlsVersion":"1.2","minTlsCipherSuite":null,"scmMinTlsCipherSuite":null,"supportedTlsCipherSuites":null,"scmSupportedTlsCipherSuites":null,"scmMinTlsVersion":"1.2","ftpsState":"FtpsOnly","preWarmedInstanceCount":0,"functionAppScaleLimit":null,"elasticWebAppScaleLimit":0,"healthCheckPath":null,"fileChangeAuditEnabled":false,"functionsRuntimeScaleMonitoringEnabled":false,"websiteTimeZone":null,"minimumElasticInstanceCount":0,"azureStorageAccounts":{},"http20ProxyFlag":0,"sitePort":null,"antivirusScanEnabled":false,"storageType":"StorageVolume","sitePrivateLinkHostEnabled":false,"clusteringEnabled":false,"webJobsEnabled":false}}
cli.knack.cli: Event: CommandInvoker.OnTransformResult [<function _resource_group_transform at 0x000001C2216BB7E0>, <function _x509_from_base64_to_hex_transform at 0x000001C2216BB880>]
cli.knack.cli: Event: CommandInvoker.OnFilterResult []
{
"ipSecurityRestrictions": [
{
"action": "Allow",
"additional_properties": {},
"description": "sensitive",
"headers": null,
"ip_address": "sensitive",
"name": "sensitive",
"priority": 100,
"subnet_mask": null,
"subnet_traffic_tag": null,
"tag": "Default",
"vnet_subnet_resource_id": null,
"vnet_traffic_tag": null
},
{
"action": "Deny",
"additional_properties": {},
"description": "Deny all access",
"headers": null,
"ip_address": "Any",
"name": "Deny all",
"priority": 2147483647,
"subnet_mask": null,
"subnet_traffic_tag": null,
"tag": null,
"vnet_subnet_resource_id": null,
"vnet_traffic_tag": null
}
],
"ipSecurityRestrictionsDefaultAction": null,
"scmIpSecurityRestrictions": [
{
"action": "Allow",
"additional_properties": {},
"description": "Allow all access",
"headers": null,
"ip_address": "Any",
"name": "Allow all",
"priority": 2147483647,
"subnet_mask": null,
"subnet_traffic_tag": null,
"tag": null,
"vnet_subnet_resource_id": null,
"vnet_traffic_tag": null
}
],
"scmIpSecurityRestrictionsDefaultAction": null,
"scmIpSecurityRestrictionsUseMain": false
}
cli.knack.cli: Event: Cli.SuccessfulExecute []
cli.knack.cli: Event: Cli.PostExecute [<function AzCliLogging.deinit_cmd_metadata_logging at 0x000001C221697420>]
Expected behavior
the output must have properties consistently named in camel case
{
"ipSecurityRestrictions": [
{
"action": "Allow",
"additionalProperties": {},
"description": "sensitive",
"headers": null,
"ipAddress": "sensitive",
"name": "sensitive",
"priority": 100,
"subnetMask": null,
"subnetTrafficTag": null,
"tag": "Default",
"vnetSubnetResource_id": null,
"
Environment Summary
Local
azure-cli 2.76.0 *
core 2.76.0 *
telemetry 1.1.0
Extensions:
azure-devops 1.0.2
Dependencies:
msal 1.33.0b1
azure-mgmt-resource 23.3.0
Python location 'C:\Program Files\Microsoft SDKs\Azure\CLI2\python.exe'
Config directory 'C:\Users\sensitive.azure'
Extensions directory 'C:\Users\sensitive.azure\cliextensions'
Python (Windows) 3.12.10 (tags/v3.12.10:0cc8128, Apr 8 2025, 12:21:36) [MSC v.1943 64 bit (AMD64)]
Cloud
{
"azure-cli": "2.79.0",
"azure-cli-core": "2.79.0",
"azure-cli-telemetry": "1.1.0",
"extensions": {
"azure-devops": "1.0.2"
}
}
Image: ubuntu-latest
Current image version: '20251112.124.1'
Current agent version: '4.261.0'
Additional context
There are multiple Azure DevOps pipeline runs executed on the same day with the same version of build agent image and az cli.
Some of them fail because 'ipAddreess' property is not on the target rule
Some of them succeed when the 'ipAddress' property is found on the target rule
I didn't figure out the pattern.
The issue is reproduced locally as I consistently get snake cased properties in ipSecurityRestrictions and scmIpSecurityRestrictions objects