azure-cli: Can't create SAML-based AAD apps using az ad app create
Is your feature request related to a problem? Please describe.
I can’t create a SAML-based SSO AAD app registration using the az CLI.
It’s possible to create it manually in the Azure portal by going to “Enterprise Applications” > “New Application”, then choosing “Non-gallery application”. Apps created this way show a “Manage > Single sign-on” configuration blade which is not available in apps created using the az CLI.
From my research this seems to be caused by the CLI not having an option to set the proper Portal UI tag. Showing it as an enterprise application in the portal requires the Portal UI tag WindowsAzureActiveDirectoryIntegratedApp.
Describe the solution you’d like
I’d like a way to create SAML-based SSO applications with the az CLI, perhaps using a flag to differentiate between standard apps and integrated SSO apps:
az ad app create -n "My SSO App" --integrated-sso
Describe alternatives you’ve considered
The only alternative is to create this manually, which breaks automated deployments and management. This also does not appear to be possible in the PowerShell CLI.
Additional context
Once the app has been created manually, it can be managed using the current az CLI to perform az ad app update and change its properties; however, configuring it to be a SAML app does not appear to be possible.
About this issue
- State: open
- Created 6 years ago
- Reactions: 15
- Comments: 33 (11 by maintainers)
It’s really disappointing that Azure does not believe in automation and expects engineers to provision resources manually. Especially, when you already have the functionality to do it using UI why wouldn’t you put a little bit of extra effort and provide CLI support…
Hi folks, we understand this great need from community, but at this moment we are not able to offer any ETAs you should align/plan your work with. One thing for sure is once the Service API goes public, CLI team will prioritize the work to expose the support as early as possible.
Folks, I ended up updating the Rest spec to open up the support for this. With that, the command to address this issue would be like below. Please let me know if I missed anything. It is different from what was proposed by @mattdot, but let us focus on the API readiness before polishing further. BTW, I have a private installer (windows msi, and docker image) for initial test. If you like to try out, I can be reached at yugangw at microsoft dot com
I’m currently waiting on this as well. Is there an updated status?
Folks, I will take a look and get back to you.
Any update on this? We currently automate the provisioning of QA environments to azure, however as part of that automation we want the QA engineer to be able to log into the app with their azure ad account via saml. This means we have to automate the creation of a SAML app in azure AD for that QA environment (our qa environments have different URLs). Very disappointing to see this is apparently not yet possible even after all this time?
Hi @jiasli, will do. In addition, I’ve raised an issue in the azure-rest-api-specs repo.
As a workaround you can use the graph api beta endpoint to create a SAML application based on the standard SAML application template ID. This will create a base SAML application in Azure AD that you can then update the SAML metadata from.
https://docs.microsoft.com/en-us/graph/api/applicationtemplate-instantiate?view=graph-rest-beta&tabs=http
The ID of the basic SAML application template from Microsoft is: 8adf8e6e-67b2-4cf2-a259-e3dc5476c621
The endpoint URI for creating the application would then be the one below, with a request body JSON object containing displayName, like below
You could also specify the AWS template ID, which is 8b1025e4-1dd2-430b-a150-2ef79cd700f5
You can search for other template IDs from the graph API endpoint such as below, using displayName as a filter
https://graph.microsoft.com/beta/applicationTemplates?$filter=contains(displayName, 'AWS')
or list all of them
https://graph.microsoft.com/beta/applicationTemplates
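The following is an added example of the workaround described in the comment above, written for this page; it is not code from the azure-cli project or from the commenter. It builds the template search URL and the POST .../applicationTemplates/{id}/instantiate call with a displayName body exactly as the comment describes, parses the response (which returns both the application and the servicePrincipal objects), and then PATCHes the new service principal's preferredSingleSignOnMode to "saml". That last step, the helper names, and the sample response are assumptions added here: preferredSingleSignOnMode is a documented servicePrincipal property in Graph, but the thread itself only says the SAML settings are updated afterwards. The opener argument is injectable so the flow can be exercised offline against the constructed sample; a real run passes a Graph bearer token obtained elsewhere (for example from az account get-access-token --resource https://graph.microsoft.com).

```python
"""Create an Azure AD SAML application from a Graph beta applicationTemplate.

Added example for the workaround above; not azure-cli project code.
Helper names and the sample response below are constructed for illustration.
"""
import io
import json
import urllib.parse
import urllib.request

GRAPH_BETA = "https://graph.microsoft.com/beta"

# Template IDs quoted in the thread above.
SAML_TOOLKIT_TEMPLATE = "8adf8e6e-67b2-4cf2-a259-e3dc5476c621"
AWS_TEMPLATE = "8b1025e4-1dd2-430b-a150-2ef79cd700f5"


def template_search_url(name_fragment: str) -> str:
    """URL listing templates whose displayName contains name_fragment.

    Single quotes inside an OData string literal are escaped by doubling
    them, so a caller-supplied fragment cannot break out of the filter.
    """
    literal = name_fragment.replace("'", "''")
    query = urllib.parse.urlencode(
        {"$filter": f"contains(displayName, '{literal}')"},
        safe="(),'$",
        quote_via=urllib.parse.quote,
    )
    return f"{GRAPH_BETA}/applicationTemplates?{query}"


def _json_request(url: str, method: str, body: dict, token: str) -> urllib.request.Request:
    """Build an authenticated Graph request carrying a JSON body."""
    return urllib.request.Request(
        url,
        data=json.dumps(body).encode("utf-8"),
        method=method,
        headers={
            "Authorization": f"Bearer {token}",
            "Content-Type": "application/json",
            "Accept": "application/json",
        },
    )


def build_instantiate_request(template_id: str, display_name: str, token: str) -> urllib.request.Request:
    """POST .../applicationTemplates/{id}/instantiate with the displayName body from the thread."""
    url = f"{GRAPH_BETA}/applicationTemplates/{template_id}/instantiate"
    return _json_request(url, "POST", {"displayName": display_name}, token)


def build_saml_mode_request(service_principal_id: str, token: str) -> urllib.request.Request:
    """PATCH the new service principal so its preferred SSO mode is SAML (assumed follow-up step)."""
    url = f"{GRAPH_BETA}/servicePrincipals/{service_principal_id}"
    return _json_request(url, "PATCH", {"preferredSingleSignOnMode": "saml"}, token)


def parse_instantiate_response(payload: dict) -> dict:
    """Extract the ids later calls need; servicePrincipals is keyed on the SP object id, not appId."""
    app = payload["application"]
    sp = payload["servicePrincipal"]
    if app["appId"] != sp["appId"]:
        raise ValueError("application and servicePrincipal in the response do not match")
    return {
        "appId": app["appId"],
        "applicationObjectId": app["id"],
        "servicePrincipalObjectId": sp["id"],
    }


def instantiate_saml_app(display_name, token, template_id=SAML_TOOLKIT_TEMPLATE, opener=urllib.request.urlopen):
    """Instantiate the template, then switch the service principal to SAML; returns the ids."""
    with opener(build_instantiate_request(template_id, display_name, token)) as resp:
        ids = parse_instantiate_response(json.load(resp))
    with opener(build_saml_mode_request(ids["servicePrincipalObjectId"], token)):
        pass  # Graph answers 204 No Content on success; urlopen raises on 4xx/5xx
    return ids


# Constructed sample of an instantiate response (shape only; ids are placeholders).
SAMPLE_INSTANTIATE_RESPONSE = {
    "application": {
        "id": "11111111-1111-1111-1111-111111111111",
        "appId": "22222222-2222-2222-2222-222222222222",
        "displayName": "QA SSO",
    },
    "servicePrincipal": {
        "id": "33333333-3333-3333-3333-333333333333",
        "appId": "22222222-2222-2222-2222-222222222222",
        "preferredSingleSignOnMode": None,
    },
}


def _canned_opener(req):
    """Offline stand-in for urlopen: sample body for the POST, empty body for the PATCH."""
    body = SAMPLE_INSTANTIATE_RESPONSE if req.get_method() == "POST" else {}
    return io.BytesIO(json.dumps(body).encode("utf-8"))


if __name__ == "__main__":
    print(template_search_url("AWS"))
    print(instantiate_saml_app("QA SSO", "PLACEHOLDER_TOKEN", opener=_canned_opener))
```

Because the request builders are separated from the transport, the same functions can be pointed at a real token and urllib.request.urlopen for a deployment script, while the canned opener keeps the flow testable in CI without touching the tenant.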
@annbrady I am still in contact with @yugangw-msft via e-mail, offline to this issue. He told me that it will take until approximately the end of April until the backend REST interfaces will be opened and the SDKs will be able to access it. We have to wait a little bit at this point, but I am happy that @yugangw-msft is working on it together with the other Azure teams. 😄
Until this is fully supported, I came up with a simple automation process of pushing IAM roles back to Azure from across all AWS accounts in an organization. In case anyone is interested https://github.com/b-b3rn4rd/aws-saml-azuread
@b-b3rn4rd, Azure CLI’s graph commands have never been meant to be used for general graph object management; rather they are just enough for RBAC, where SAML-based SSO applications don’t play any specific role. Hence we usually don’t prioritize such asks until we have enough user votes.