Azure Active Directory breaking change impacting Azure CLI and Azure PowerShell

Published Oct 14 2021 05:20 PM
Microsoft

Context

Starting 10/15/2021, Azure Active Directory will require the AppId URI in single-tenant applications to use the default scheme or a verified domain. If you have not upgraded Azure CLI or Azure PowerShell to the most recent versions, you will receive the following error message when creating a service principal:

 

Values of identifierUris property must use a verified domain of the organization or its subdomain

 

Solution

You must upgrade to the following versions for each impacted tool:

  • Azure CLI version 2.25.0 or later
  • Azure PowerShell version 6.0.0 or later

 

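You can read more about the impact of this breaking change in each tool:

  • Azure CLI: https://github.com/Azure/azure-cli/issues/19892
  • Azure PowerShell: https://github.com/Azure/azure-powershell/issues/16097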

 

Workaround

We understand that upgrading to a new version of an automation tool is not always straightforward. If you cannot upgrade, the workaround consists of the following steps:

  1. If needed, add your custom domain name using the Azure Active Directory portal
  2. Create the application with an authorized IdentifierUri
  3. Create the service principal referring to this application
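
Steps 2 and 3 with the Azure CLI, preceded by a local check that the identifier URI sits on a verified domain, as an added example that is not part of the original post. The domain contoso.com, the application name and both function names are constructed placeholders, and the check assumes the verified-domain form uses https.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. All names and domains below
# are constructed placeholders.

# Succeeds when URI is https:// and its host is one of the verified domains
# or a subdomain of one. Matching is on a label boundary, so
# "evilcontoso.com" does not pass for "contoso.com".
uri_uses_verified_domain() {
  local uri="$1"; shift
  local host domain
  case $uri in
    https://*) host=${uri#https://} ;;
    *) return 1 ;;                      # assumption: only https is accepted
  esac
  host=${host%%[/?#]*}                  # drop path, query and fragment
  case $host in *@*) return 1 ;; esac   # reject userinfo tricks outright
  host=${host%%:*}                      # drop port
  host=$(printf '%s' "$host" | tr '[:upper:]' '[:lower:]')
  [ -n "$host" ] || return 1
  for domain in "$@"; do
    domain=$(printf '%s' "$domain" | tr '[:upper:]' '[:lower:]')
    case $host in
      "$domain" | *."$domain") return 0 ;;
    esac
  done
  return 1
}

# Workaround steps 2 and 3. Not called here; run it from a session that is
# already signed in with `az login`.
# Usage: create_app_and_sp NAME IDENTIFIER_URI VERIFIED_DOMAIN...
create_app_and_sp() {
  local name="$1" uri="$2"; shift 2
  uri_uses_verified_domain "$uri" "$@" || {
    echo "refusing: $uri is not on a verified domain ($*)" >&2
    return 1
  }
  local app_id
  # Step 2: create the application with an authorized identifier URI.
  app_id=$(az ad app create --display-name "$name" \
             --identifier-uris "$uri" --query appId -o tsv) || return 1
  # Step 3: create the service principal referring to that application.
  az ad sp create --id "$app_id"
}

# Example call (constructed values):
# create_app_and_sp my-automation-app https://contoso.com/my-automation-app contoso.com
```

Running the check before the `az` calls keeps a rejected URI from failing partway through an automation run.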

 

 
