I am trying to set the signInAudience using the Azure Graph API (with the Azure CLI / az rest command) from inside PowerShell using the following code:
$body='{"signInAudience":"AzureADAndMicrosoftAccounts"}'
echo $body
Test-Json -Json $body
az rest --method PATCH --uri https://graph.microsoft.com/v1.0/applications/$application_object_id --body $body --headers "Content-Type=application/json"
This should (according to the REST documentation here) update the signInAudience of the Azure AD application.
This is the result:
{"signInAudience":"AzureADAndMicrosoftAccounts"}
True
ValidationError: Bad Request({
  "error": {
    "code": "BadRequest",
    "message": "Unable to read JSON request payload. Please ensure Content-Type header is set and payload is of valid JSON format.",
    "innerError": {
      "date": "2020-10-13T10:48:48",
      "request-id": "f29fd020-33aa-4cda-b98e-130d1434cd85",
      "client-request-id": "f29fd020-33aa-4cda-b98e-130d1434cd85"
    }
  }
})
Why does this not work? Other changes can be set using this API; for example, the following call does work:
az rest --method PATCH --uri https://graph.microsoft.com/v1.0/applications/${azuread_application.main_application.object_id} --body '{"api":{"requestedAccessTokenVersion": 2}}' --headers "Content-Type=application/json"
According to my test, if we enclose the entire string in single quotation marks, the Azure CLI command az rest will not identify the double quotation marks. It just identifies the body as {signInAudience:AzureADAndMicrosoftAccounts}. So I suggest you use double quotation marks to enclose the entire string.

Besides, when you want to allow users with a personal Microsoft account, or a work or school account in any organization's Azure AD tenant, to access the application, the signInAudience should be set as AzureADandPersonalMicrosoftAccount. For more details, please refer to here. For example:
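A way to make the PATCH from the question robust against the quoting problem the answer describes, as an added example that is not part of the question or the answer: the body is serialised by ConvertTo-Json rather than typed by hand, validated, and handed to az rest through a file with the CLI's documented `@file` form of `--body`, so no quotes have to survive PowerShell's native-command argument handling on their way to az.cmd. The result is read back with a GET because a successful PATCH returns 204 No Content. It assumes the `$application_object_id` variable from the question, an existing `az login` session, and PowerShell 6 or later (the question already uses Test-Json); the function name `Set-AppSignInAudience` is the example's own.

```powershell
# Added example, not code from the question or the answer above. It assumes
# the same $application_object_id variable as the question, a prior `az login`,
# and PowerShell 6+ (for Test-Json, which the question already uses).

$ErrorActionPreference = 'Stop'

# The values Microsoft Graph accepts for signInAudience on an application.
$validAudiences = @(
    'AzureADMyOrg',
    'AzureADMultipleOrgs',
    'AzureADandPersonalMicrosoftAccount',
    'PersonalMicrosoftAccount'
)

function Set-AppSignInAudience {
    param(
        [Parameter(Mandatory)] [string] $ObjectId,
        [Parameter(Mandatory)] [string] $Audience
    )

    # Reject misspellings such as "AzureADAndMicrosoftAccounts" before calling Graph.
    if ($Audience -notin $validAudiences) {
        throw "Unknown signInAudience '$Audience'. Valid values: $($validAudiences -join ', ')"
    }

    # Let the serializer produce the quotes instead of typing them by hand.
    $body = @{ signInAudience = $Audience } | ConvertTo-Json -Compress
    if (-not (Test-Json -Json $body)) { throw "Body is not valid JSON: $body" }

    # Hand the payload to az rest via a file ("@path"). The file contents reach
    # the CLI byte-for-byte, so PowerShell's native-command quote stripping
    # cannot turn {"a":"b"} into {a:b} on the way to az.cmd.
    $tmp = New-TemporaryFile
    try {
        [System.IO.File]::WriteAllText($tmp.FullName, $body)   # UTF-8 without BOM

        $uri = "https://graph.microsoft.com/v1.0/applications/$ObjectId"
        az rest --method PATCH --uri $uri --headers "Content-Type=application/json" --body "@$($tmp.FullName)" | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "PATCH failed (exit code $LASTEXITCODE)" }

        # A PATCH returns 204 No Content, so read the property back to confirm it.
        $app = az rest --method GET --uri "${uri}?`$select=signInAudience" --output json | ConvertFrom-Json
        if ($LASTEXITCODE -ne 0) { throw "GET failed (exit code $LASTEXITCODE)" }
        return $app.signInAudience
    }
    finally {
        Remove-Item -Path $tmp.FullName -ErrorAction SilentlyContinue
    }
}

Set-AppSignInAudience -ObjectId $application_object_id -Audience 'AzureADandPersonalMicrosoftAccount'
```

The `@file` form is the one the Azure CLI documents for loading a request body from a file, and it sidesteps the shell-specific quoting rules that produced the `{signInAudience:AzureADAndMicrosoftAccounts}` payload Graph rejected. The value check matters independently of the quoting fix: a correctly quoted body with the misspelled value would still be rejected, just with a different error.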