Skip to content

[Core] az rest: clarify Microsoft Graph 403 accessDenied for privileged scopes#33363

Draft
Copilot wants to merge 7 commits into
devfrom
copilot/fix-scope-policy-readwrite-access
Draft

[Core] az rest: clarify Microsoft Graph 403 accessDenied for privileged scopes#33363
Copilot wants to merge 7 commits into
devfrom
copilot/fix-scope-policy-readwrite-access

Conversation

Copy link
Copy Markdown
Contributor

Copilot AI commented May 12, 2026
edited
Loading

Related command
az rest --method GET --url "https://graph.microsoft.com/v1.0/policies/authenticationStrengthPolicies/"

Description
az rest can return opaque 403 failures for Microsoft Graph endpoints that require privileged scopes not pre-authorized for the Azure CLI first-party app (for example Policy.ReadWrite.ConditionalAccess). This change adds targeted guidance so users can quickly identify the auth model mismatch and use a service principal flow with required Graph permissions.

  • What changed
    • Graph-specific 403 classification
      • Added focused detection in azure.cli.core.util.handle_exception for:
        • HTTP 403
        • https://graph.microsoft.com/ requests
        • Graph payload error.code == accessDenied (case-insensitive)
    • Actionable recommendation
      • Added a user-facing recommendation explaining the pre-authorization limitation (AADSTS65002) and directing users to az login --service-principal with required Microsoft Graph permissions.
    • Scoped implementation
      • Behavior is limited to the Graph 403/accessDenied pattern; other HTTP error paths are unchanged.
    • Unit coverage
      • Added/updated tests for:
        • recommendation shown on Graph 403/accessDenied (including casing variants)
        • recommendation not shown for non-Graph URLs or non-403 responses
if response.status_code == 403 \
   and response.url.lower().startswith("https://graph.microsoft.com/") \
   and error_code.lower() == "accessdenied":
    az_error.set_recommendation(GRAPH_ACCESS_DENIED_RECOMMENDATION)

Testing Guide

History Notes

[Core] az rest: Add guidance for Microsoft Graph 403 accessDenied caused by privileged scope pre-authorization limits

This checklist is used to make sure that common guidelines for a pull request are followed.

@azure-client-tools-bot-prd
Copy link
Copy Markdown

azure-client-tools-bot-prd Bot commented May 12, 2026
edited
Loading

️✔️AzureCLI-FullTest
️✔️acr
️✔️latest
️✔️3.12
️✔️3.13
️✔️acs
️✔️latest
️✔️3.12
️✔️3.13
️✔️advisor
️✔️latest
️✔️3.12
️✔️3.13
️✔️ams
️✔️latest
️✔️3.12
️✔️3.13
️✔️apim
️✔️latest
️✔️3.12
️✔️3.13
️✔️appconfig
️✔️latest
️✔️3.12
️✔️3.13
️✔️appservice
️✔️latest
️✔️3.12
️✔️3.13
️✔️aro
️✔️latest
️✔️3.12
️✔️3.13
️✔️backup
️✔️latest
️✔️3.12
️✔️3.13
️✔️batch
️✔️latest
️✔️3.12
️✔️3.13
️✔️batchai
️✔️latest
️✔️3.12
️✔️3.13
️✔️billing
️✔️latest
️✔️3.12
️✔️3.13
️✔️botservice
️✔️latest
️✔️3.12
️✔️3.13
️✔️cdn
️✔️latest
️✔️3.12
️✔️3.13
️✔️cloud
️✔️latest
️✔️3.12
️✔️3.13
️✔️cognitiveservices
️✔️latest
️✔️3.12
️✔️3.13
️✔️compute_recommender
️✔️latest
️✔️3.12
️✔️3.13
️✔️computefleet
️✔️latest
️✔️3.12
️✔️3.13
️✔️config
️✔️latest
️✔️3.12
️✔️3.13
️✔️configure
️✔️latest
️✔️3.12
️✔️3.13
️✔️consumption
️✔️latest
️✔️3.12
️✔️3.13
️✔️container
️✔️latest
️✔️3.12
️✔️3.13
️✔️containerapp
️✔️latest
️✔️3.12
️✔️3.13
️✔️core
️✔️latest
️✔️3.12
️✔️3.13
️✔️cosmosdb
️✔️latest
️✔️3.12
️✔️3.13
️✔️databoxedge
️✔️latest
️✔️3.12
️✔️3.13
️✔️dls
️✔️latest
️✔️3.12
️✔️3.13
️✔️dms
️✔️latest
️✔️3.12
️✔️3.13
️✔️eventgrid
️✔️latest
️✔️3.12
️✔️3.13
️✔️eventhubs
️✔️latest
️✔️3.12
️✔️3.13
️✔️feedback
️✔️latest
️✔️3.12
️✔️3.13
️✔️find
️✔️latest
️✔️3.12
️✔️3.13
️✔️hdinsight
️✔️latest
️✔️3.12
️✔️3.13
️✔️identity
️✔️latest
️✔️3.12
️✔️3.13
️✔️iot
️✔️latest
️✔️3.12
️✔️3.13
️✔️keyvault
️✔️latest
️✔️3.12
️✔️3.13
️✔️lab
️✔️latest
️✔️3.12
️✔️3.13
️✔️managedservices
️✔️latest
️✔️3.12
️✔️3.13
️✔️maps
️✔️latest
️✔️3.12
️✔️3.13
️✔️marketplaceordering
️✔️latest
️✔️3.12
️✔️3.13
️✔️monitor
️✔️latest
️✔️3.12
️✔️3.13
️✔️mysql
️✔️latest
️✔️3.12
️✔️3.13
️✔️netappfiles
️✔️latest
️✔️3.12
️✔️3.13
️✔️network
️✔️latest
️✔️3.12
️✔️3.13
️✔️policyinsights
️✔️latest
️✔️3.12
️✔️3.13
️✔️postgresql
️✔️latest
️✔️3.12
️✔️3.13
️✔️privatedns
️✔️latest
️✔️3.12
️✔️3.13
️✔️profile
️✔️latest
️✔️3.12
️✔️3.13
️✔️rdbms
️✔️latest
️✔️3.12
️✔️3.13
️✔️redis
️✔️latest
️✔️3.12
️✔️3.13
️✔️relay
️✔️latest
️✔️3.12
️✔️3.13
️✔️resource
️✔️latest
️✔️3.12
️✔️3.13
️✔️role
️✔️latest
️✔️3.12
️✔️3.13
️✔️search
️✔️latest
️✔️3.12
️✔️3.13
️✔️security
️✔️latest
️✔️3.12
️✔️3.13
️✔️servicebus
️✔️latest
️✔️3.12
️✔️3.13
️✔️serviceconnector
️✔️latest
️✔️3.12
️✔️3.13
️✔️servicefabric
️✔️latest
️✔️3.12
️✔️3.13
️✔️signalr
️✔️latest
️✔️3.12
️✔️3.13
️✔️sql
️✔️latest
️✔️3.12
️✔️3.13
️✔️sqlvm
️✔️latest
️✔️3.12
️✔️3.13
️✔️storage
️✔️latest
️✔️3.12
️✔️3.13
️✔️synapse
️✔️latest
️✔️3.12
️✔️3.13
️✔️telemetry
️✔️latest
️✔️3.12
️✔️3.13
️✔️util
️✔️latest
️✔️3.12
️✔️3.13
️✔️vm
️✔️latest
️✔️3.12
️✔️3.13

@azure-client-tools-bot-prd
Copy link
Copy Markdown

azure-client-tools-bot-prd Bot commented May 12, 2026
edited
Loading

️✔️AzureCLI-BreakingChangeTest
️✔️Non Breaking Changes

Copilot AI linked an issue May 12, 2026 that may be closed by this pull request
Scope Policy.ReadWrite.ConditionalAccess not granted #33062
Open
@microsoft-github-policy-service microsoft-github-policy-service Bot added the Auto-Assign Auto assign by bot label May 12, 2026
Copilot AI and others added 6 commits May 12, 2026 06:08
@a0x1ab
Improve Graph accessDenied guidance for az rest HTTP errors
528dca2 
Agent-Logs-Url: https://github.com/Azure/azure-cli/sessions/434b4544-999c-4413-9df1-8ef7b472e216

Co-authored-by: a0x1ab <59631311+a0x1ab@users.noreply.github.com>
@a0x1ab
Add negative tests for Graph accessDenied recommendation guardrails
1094a7e 
Agent-Logs-Url: https://github.com/Azure/azure-cli/sessions/434b4544-999c-4413-9df1-8ef7b472e216

Co-authored-by: a0x1ab <59631311+a0x1ab@users.noreply.github.com>
@a0x1ab
Expand Graph accessDenied test coverage for case-insensitive codes
c72868b 
Agent-Logs-Url: https://github.com/Azure/azure-cli/sessions/434b4544-999c-4413-9df1-8ef7b472e216

Co-authored-by: a0x1ab <59631311+a0x1ab@users.noreply.github.com>
@a0x1ab
Refactor Graph accessDenied code check to named constant
9e216c6 
Agent-Logs-Url: https://github.com/Azure/azure-cli/sessions/434b4544-999c-4413-9df1-8ef7b472e216

Co-authored-by: a0x1ab <59631311+a0x1ab@users.noreply.github.com>
@a0x1ab
Polish Graph accessDenied constants and test message consistency
34f8b5b 
Agent-Logs-Url: https://github.com/Azure/azure-cli/sessions/434b4544-999c-4413-9df1-8ef7b472e216

Co-authored-by: a0x1ab <59631311+a0x1ab@users.noreply.github.com>
@a0x1ab
Rename Graph endpoint constant to explicit lowercase form
37f9b3b 
Agent-Logs-Url: https://github.com/Azure/azure-cli/sessions/434b4544-999c-4413-9df1-8ef7b472e216

Co-authored-by: a0x1ab <59631311+a0x1ab@users.noreply.github.com>
Copilot AI changed the title [WIP] Fix Scope Policy.ReadWrite.ConditionalAccess not granted [Core] az rest: clarify Microsoft Graph 403 accessDenied for privileged scopes May 12, 2026
Copilot finished work on behalf of a0x1ab May 12, 2026 06:12
Copilot AI requested a review from a0x1ab May 12, 2026 06:12
@yonzhan
Copy link
Copy Markdown
Collaborator

yonzhan commented May 12, 2026

Core

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jiasli jiasli Awaiting requested review from jiasli jiasli is a code owner

@yonzhan yonzhan Awaiting requested review from yonzhan yonzhan is a code owner

@a0x1ab a0x1ab Awaiting requested review from a0x1ab

@necusjz necusjz Awaiting requested review from necusjz necusjz will be requested when the pull request is marked ready for review necusjz is a code owner

@DanielMicrosoft DanielMicrosoft Awaiting requested review from DanielMicrosoft DanielMicrosoft will be requested when the pull request is marked ready for review DanielMicrosoft is a code owner

@ReaNAiveD ReaNAiveD Awaiting requested review from ReaNAiveD ReaNAiveD will be requested when the pull request is marked ready for review ReaNAiveD is a code owner

@bebound bebound Awaiting requested review from bebound bebound will be requested when the pull request is marked ready for review bebound is a code owner

@isra-fel isra-fel Awaiting requested review from isra-fel isra-fel will be requested when the pull request is marked ready for review isra-fel is a code owner

@notyashhh notyashhh Awaiting requested review from notyashhh notyashhh will be requested when the pull request is marked ready for review notyashhh is a code owner

@xuming-ms xuming-ms Awaiting requested review from xuming-ms xuming-ms will be requested when the pull request is marked ready for review xuming-ms is a code owner

@teresaritorto teresaritorto Awaiting requested review from teresaritorto teresaritorto will be requested when the pull request is marked ready for review teresaritorto is a code owner

Copilot code review Copilot Awaiting requested review from Copilot Copilot will automatically review once the pull request is marked ready for review

At least 1 approving review is required to merge this pull request.

Assignees

@jiasli jiasli

@a0x1ab a0x1ab

Copilot code review Copilot

Labels

Account az login/account act-identity-squad Auto-Assign Auto assign by bot

Projects

None yet

Milestone

June 2026 (2026-06-02)

Development

Successfully merging this pull request may close these issues.

Scope Policy.ReadWrite.ConditionalAccess not granted

4 participants

@yonzhan @jiasli @a0x1ab