issue with ms-graph token #26742

Closed
tikicoder opened this issue Jun 23, 2023 · 4 comments
Comments

@tikicoder (Contributor)

Describe the bug

Please let me know if this is in the wrong place.
I used the Azure CLI to generate ms-graph tokens. It works really well. Today was the first time I used the token to try to find a file in my drive, so I was trying
https://graph.microsoft.com/v1.0/me/drive/items/root/children
https://graph.microsoft.com/v1.0/me/drive/items/children
As both appear to work in the graph explorer (https://developer.microsoft.com/en-us/graph/graph-explorer)

However, when I try using the token generated from the CLI I get a 404.
The me call works, though:
https://graph.microsoft.com/v1.0/me

I used https://jwt.ms/ to compare the tokens. The only difference I could see is the app_displayname and app_id. One of course is the info for Graph Explorer, the other for Microsoft Azure CLI.

I tried to find the Microsoft Azure CLI in our enterprise apps but found nothing. I tried to look to add it, and nothing came back. I have looked and cannot find anything on the web about it (I could easily have missed something). It looks and feels like a slight glitch in the Azure CLI token generator.

Related command

az account get-access-token --resource "https://graph.microsoft.com" --tenant xxxxxx

Errors

When querying for certain data I get a 404:
https://graph.microsoft.com/v1.0/me/drive/items/children

    {
      "error": {
        "code": "itemNotFound",
        "message": "Item not found",
        "innerError": {
          "date": "2023-06-23T18:12:03",
          "request-id": "3760078b-d36c-4455-9eef-262bf883d1ac",
          "client-request-id": "3760078b-d36c-4455-9eef-262bf883d1ac"
        }
      }
    }

Expected behavior

I would expect a correct response, similar to Graph Explorer.

Environment Summary

azure-cli 2.49.0

core 2.49.0
telemetry 1.0.8

Extensions:
account 0.2.5
azure-devops 0.26.0

Dependencies:
msal 1.20.0
azure-mgmt-resource 22.0.0

Python (Linux) 3.10.6 (main, May 29 2023, 11:10:38) [GCC 11.3.0]

Legal docs and information: aka.ms/AzureCliLegal

Your CLI is up-to-date.

@tikicoder tikicoder added the bug This issue requires a change to an existing behavior in the product in order to be resolved. label Jun 23, 2023
@ghost ghost added customer-reported Issues that are reported by GitHub users external to the Azure organization. Auto-Assign Auto assign by bot ARM az resource/group/lock/tag/deployment/policy/managementapp/account management-group labels Jun 23, 2023

yonzhan commented Jun 23, 2023

Thank you for opening this issue, we will look into it.

@ghost ghost assigned zhoxing-ms Jun 23, 2023
@ghost ghost added this to the Backlog milestone Jun 23, 2023
@ghost ghost added Azure CLI Team The command of the issue is owned by Azure CLI team question The issue doesn't require a change to the product in order to be resolved. Most issues start as that labels Jun 23, 2023
@yonzhan yonzhan removed the question The issue doesn't require a change to the product in order to be resolved. Most issues start as that label Jun 23, 2023
@yonzhan yonzhan removed the ARM az resource/group/lock/tag/deployment/policy/managementapp/account management-group label Jun 23, 2023

jiasli commented Jun 26, 2023

It seems you are trying to call Microsoft Graph API List children of a driveItem.

According to the documentation, it requires Files.Read, Files.ReadWrite, Files.Read.All, Files.ReadWrite.All, Sites.Read.All, Sites.ReadWrite.All permissions. However, Azure CLI as a first-party app doesn't have those permissions, so Azure CLI's app ID/client ID can't be used to call that API.

Also see #22775

@tikicoder (Contributor, Author)

List of drive items works. It only fails for the me graph calls. I can call it and upload/download files on groups. Plus, the CLI runs as the user and is showcased as the user. It defeats the purpose of generating a token based on a user.

@yonzhan yonzhan added feature-request and removed bug This issue requires a change to an existing behavior in the product in order to be resolved. labels Aug 7, 2023

jiasli commented Aug 14, 2023

> It defeats the purpose of generating a token based on a user.

user_impersonation is the special permission indicating that the token represents the user, but the API List children of a driveItem doesn't accept user_impersonation. Therefore, it requires oauth2PermissionGrants to be granted on Azure CLI's app ID so that Azure CLI's app ID can acquire a token with Files.Read, Files.ReadWrite, Files.Read.All, Files.ReadWrite.All, Sites.Read.All, Sites.ReadWrite.All permissions, but Azure CLI's app ID currently doesn't have those oauth2PermissionGrants.
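The scope check jiasli describes, as an added example that is not part of this thread or of Azure CLI: it decodes a token's payload the way jwt.ms does (no signature verification) and reports whether the scp claim carries any of the delegated permissions the driveItem children API accepts, so the cause of the 404 is visible before calling Graph. The claim names scp, appid and app_displayname, and both sample tokens, are constructed assumptions for the demo.

```python
import base64
import json

# Delegated permissions the "List children of a driveItem" API accepts
# (the set quoted from the Graph docs earlier in this thread).
DRIVE_CHILDREN_SCOPES = {
    "Files.Read", "Files.ReadWrite", "Files.Read.All", "Files.ReadWrite.All",
    "Sites.Read.All", "Sites.ReadWrite.All",
}

def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def jwt_claims(token: str) -> dict:
    """Payload claims of a compact JWT, NOT verified: inspection only (as jwt.ms)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))

def check_drive_scopes(token: str) -> dict:
    """Report whether a delegated Graph token can list drive children."""
    claims = jwt_claims(token)
    granted = set(claims.get("scp", "").split())  # scp is space-separated
    matched = granted & DRIVE_CHILDREN_SCOPES
    return {
        "app_id": claims.get("appid"),
        "app_displayname": claims.get("app_displayname"),
        "granted_scopes": sorted(granted),
        "can_list_drive_children": bool(matched),
        "needs_one_of": [] if matched else sorted(DRIVE_CHILDREN_SCOPES),
    }

def _constructed_token(claims: dict) -> str:
    """Build an unsigned JWT-shaped string for the demo (constructed, not real)."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.sig-placeholder"

# Constructed samples mirroring the jwt.ms comparison: same audience, different app.
CLI_LIKE_TOKEN = _constructed_token({"aud": "https://graph.microsoft.com",
    "appid": "cli-app-id-placeholder", "app_displayname": "Microsoft Azure CLI",
    "scp": "User.Read user_impersonation"})
EXPLORER_LIKE_TOKEN = _constructed_token({"aud": "https://graph.microsoft.com",
    "appid": "explorer-app-id-placeholder", "app_displayname": "Graph Explorer",
    "scp": "User.Read Files.Read openid profile"})

if __name__ == "__main__":
    for name, tok in (("cli", CLI_LIKE_TOKEN), ("explorer", EXPLORER_LIKE_TOKEN)):
        print(name, json.dumps(check_drive_scopes(tok), indent=2))
```

To inspect a real token, pass the output of the az account get-access-token command from the issue to check_drive_scopes instead of the constructed sample.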

@jiasli jiasli closed this as completed Aug 14, 2023