aad-allowed-token-audiences not implemented #26603

Open
mvillafranca-tc opened this issue Jun 5, 2023 · 3 comments
Labels
app-service-authentication Auto-Assign Auto assign by bot bug This issue requires a change to an existing behavior in the product in order to be resolved. customer-reported Issues that are reported by GitHub users external to the Azure organization. Service Attention This issue is responsible by Azure service team. Web Apps az webapp

Comments

@mvillafranca-tc

Describe the bug

The documentation for az webapp auth update mentions the parameter --aad-allowed-token-audiences, but this option apparently does not exist.

Whenever I invoke this command with that parameter, I get the following


Related command

az webapp update

Errors

unrecognized arguments: --aad-allowed-token-audiences api://some-app-id-here

Issue script & Debug output

cli.knack.cli: Command arguments: ['webapp', 'auth', 'update', '--aad-allowed-token-audiences', 'api://60306139-8117-49cc-8a00-c9079d40bdb5', '--name', 'fn-fmg-tisitna', '--resource-group', 'rg-fmg-tisitna', '--subscription', 'd6840717-caa1-4c9c-b2dc-453644afe4f6', '--debug']
cli.knack.cli: init debug log:
Enable color in terminal.
Enable VT mode.
cli.knack.cli: Event: Cli.PreExecute []
cli.knack.cli: Event: CommandParser.OnGlobalArgumentsCreate [<function CLILogging.on_global_arguments at 0x01C6A4F0>, <function OutputProducer.on_global_arguments at 0x01D38C88>, <function CLIQuery.on_global_arguments at 0x01D578E0>]
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableCreate []
cli.azure.cli.core: Modules found from index for 'webapp': ['azure.cli.command_modules.appservice', 'azext_authV2', 'azure.cli.command_modules.serviceconnector']
cli.azure.cli.core: Loading command modules:
cli.azure.cli.core: Name Load Time Groups Commands
cli.azure.cli.core: appservice 0.631 73 260
cli.azure.cli.core: serviceconnector 0.048 8 129
cli.azure.cli.core: Total (2) 0.679 81 389
cli.azure.cli.core: These extensions are not installed and will be skipped: ['azext_ai_examples', 'azext_next']
cli.azure.cli.core: Loading extensions:
cli.azure.cli.core: Name Load Time Groups Commands Directory
cli.azure.cli.core: authV2 0.008 11 24 C:\Users\mvillafranca.azure\cliextensions\authV2
cli.azure.cli.core: Total (1) 0.008 11 24
cli.azure.cli.core: Loaded 89 groups, 411 commands.
cli.azure.cli.core: Found a match in the command table.
cli.azure.cli.core: Raw command : webapp auth update
cli.azure.cli.core: Command table: webapp auth update
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableTruncate [<function AzCliLogging.init_command_file_logging at 0x0406B538>]
cli.azure.cli.core.azlogging: metadata file logging enabled - writing logs to 'C:\Users\mvillafranca.azure\commands\2023-06-05.09-27-00.webapp_auth_update.27468.log'.
az_command_data_logger: command args: webapp auth update --aad-allowed-token-audiences {} --name {} --resource-group {} --subscription {} --debug
cli.knack.cli: Event: CommandInvoker.OnPreArgumentLoad [<function register_global_subscription_argument..add_subscription_parameter at 0x040926A0>]
cli.knack.commands: Configured default 'learn-571f83db-4503-4536-9287-5e4aec77fac3' for arg resource_group_name
cli.knack.cli: Event: CommandInvoker.OnPostArgumentLoad []
cli.knack.cli: Event: CommandInvoker.OnPostCommandTableCreate [<function register_ids_argument..add_ids_arguments at 0x040A2610>, <function register_cache_arguments..add_cache_arguments at 0x040A2808>]
cli.knack.cli: Event: CommandInvoker.OnCommandTableLoaded []
cli.knack.cli: Event: CommandInvoker.OnPreParseArgs []
cli.azure.cli.core.command_recommender: "--aad-allowed-token-audiences" is an invalid parameter for command "webapp auth update".
urllib3.connectionpool: Starting new HTTPS connection (1): app.aladdin.microsoft.com:443
urllib3.connectionpool: https://app.aladdin.microsoft.com:443 "GET /api/v1.0/suggestions?query=%7B%22command%22%3A+%22webapp+auth+update%22%2C+%22parameters%22%3A+%22%22%7D&clientType=AzureCli&context=%7B%22versionNumber%22%3A+%222.49.0%22%2C+%22errorType%22%3A+%22UnrecognizedArguments%22%2C+%22correlationId%22%3A+%227e6f95b2-b386-4a66-84b5-0d80d8fe8827%22%2C+%22subscriptionId%22%3A+%2295ca9f50-5b06-43a6-9a25-ff32eb1874d6%22%2C+%22eventId%22%3A+%22e37f30ab-37a2-4998-bdce-7656088f7fda%22%7D HTTP/1.1" 200 None
cli.azure.cli.core.command_recommender: "--aad-allowed-token-audiences" is an invalid parameter for command "webapp auth update".
cli.azure.cli.core.command_recommender: "--facebook-app-id" is an invalid parameter for command "webapp auth update".
cli.azure.cli.core.command_recommender: "--facebook-app-secret" is an invalid parameter for command "webapp auth update".
cli.azure.cli.core.command_recommender: "--facebook-oauth-scopes" is an invalid parameter for command "webapp auth update".
cli.azure.cli.core.azclierror: NoneType: None

cli.azure.cli.core.azclierror: unrecognized arguments: --aad-allowed-token-audiences api://60306139-8117-49cc-8a00-c9079d40bdb5
az_command_data_logger: unrecognized arguments: --aad-allowed-token-audiences api://60306139-8117-49cc-8a00-c9079d40bdb5

Examples from AI knowledge base:
az webapp auth update --name myUniqueApp --resource-group myResourceGroup
Update the authentication settings for the webapp. (autogenerated)

az webapp auth update --resource-group myResourceGroup --name myUniqueApp --action AllowAnonymous --facebook-app-id my_fb_id --facebook-app-secret my_fb_secret --facebook-oauth-scopes public_profile email
Allow Facebook authentication by setting FB-associated parameters and turning on public-profile and email scopes; allow anonymous users

https://docs.microsoft.com/en-US/cli/azure/webapp/auth#az_webapp_auth_update
Read more about the command in reference docs
cli.knack.cli: Event: Cli.PostExecute [<function AzCliLogging.deinit_cmd_metadata_logging at 0x0406B658>]
az_command_data_logger: exit code: 2
cli.main: Command ran in 3.032 seconds (init: 0.704, invoke: 2.328)
telemetry.main: Begin splitting cli events and extra events, total events: 1
telemetry.client: Accumulated 0 events. Flush the clients.
telemetry.main: Finish splitting cli events and extra events, cli events: 1
telemetry.save: Save telemetry record of length 3812 in cache
telemetry.check: Negative: The C:\Users\mvillafranca.azure\telemetry.txt was modified at 2023-06-05 09:20:36.838589, which in less than 600.000000 s

Expected behavior

Either the option is accepted, or the documentation does not show it

Environment Summary

azure-cli 2.49.0

core 2.49.0
telemetry 1.0.8

Extensions:
authV2 0.1.2

Dependencies:
msal 1.20.0
azure-mgmt-resource 22.0.0

Python location 'C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\python.exe'
Extensions directory 'C:\Users\mvillafranca.azure\cliextensions'

Python (Windows) 3.10.10 (tags/v3.10.10:aad5f6a, Feb 7 2023, 17:05:00) [MSC v.1929 32 bit (Intel)]

Legal docs and information: aka.ms/AzureCliLegal

Your CLI is up-to-date.

Additional context

No response

@mvillafranca-tc mvillafranca-tc added the bug This issue requires a change to an existing behavior in the product in order to be resolved. label Jun 5, 2023
@ghost ghost added customer-reported Issues that are reported by GitHub users external to the Azure organization. Web Apps az webapp CXP Attention This issue is handled by CXP team. labels Jun 5, 2023
@yonzhan
Collaborator

yonzhan commented Jun 5, 2023

Thank you for opening this issue, we will look into it.

@ghost ghost added Auto-Assign Auto assign by bot app-service-authentication labels Jun 5, 2023
@ghost ghost assigned Hamster-Huey Jun 5, 2023
@ghost ghost added the app-service-general label Jun 5, 2023
@ghost ghost assigned seligj95 Jun 5, 2023
@seligj95 seligj95 removed their assignment Jun 5, 2023
@DrReedo

DrReedo commented Jun 20, 2023

I am also experiencing this issue:
cli.azure.cli.core.azclierror: unrecognized arguments: --aad-allowed-token-audiences
Is there another way that I can set the allowed audience tokens with Azure CLI and/or can this be fixed?
Thanks

@C-h-r-i-s-L

@mvillafranca-tc

If your App Service uses authV2 (and your info suggests this is the case) then az webapp auth update uses new commands.
Try:

az webapp auth update -g $(resourceGroup) --name $(clientName) --set identityProviders.$(identityProvider).validation.allowedAudiences=[$(apiUrl)] --debug

Here's an example of what mine looks like using AAD as the identity provider.
az webapp auth update -g "environment0-resrouce-group0" --name "app-service0" --set identityProviders.azureActiveDirectory.validation.allowedAudiences=["https://myApp.azure.com"] --debug

The current documentation doesn't really provide this information. You can assign values using the set command and the data structures found for your app service in https://resources.azure.com

https://resources.azure.com/subscriptions/$mySubscriptionId/resourceGroups/$myRgName/providers/Microsoft.Web/sites/$myAppServiceName/config/authsettingsV2/list
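
An added example, not part of the thread or of the Azure CLI code base: a Python helper that builds the `--set` argument from the comment above as a JSON list and then compares the audiences found in an authsettingsV2 document against the list you intended, since every listed audience is one the app will accept tokens for. The function names, the optional `properties` wrapper and the sample document are assumptions made for this illustration.

```python
import json

# Dotted path used with --set in the comment above.
AUDIENCE_PATH = "identityProviders.{provider}.validation.allowedAudiences"

def build_set_arg(provider, audiences):
    """Return '<dotted path>=<JSON list>' for the --set option."""
    if not audiences:
        raise ValueError("refusing to write an empty audience list")
    for aud in audiences:
        if not isinstance(aud, str) or not aud.strip() or " " in aud:
            raise ValueError(f"invalid audience value: {aud!r}")
    return AUDIENCE_PATH.format(provider=provider) + "=" + json.dumps(audiences)

def build_command(resource_group, app_name, provider, audiences):
    """argv list for subprocess.run(argv, check=True): passing a list means
    no POSIX shell re-interprets the brackets and quotes of the JSON value."""
    return ["az", "webapp", "auth", "update", "-g", resource_group,
            "--name", app_name, "--set", build_set_arg(provider, audiences)]

def configured_audiences(settings, provider):
    """Read the audience list out of an authsettingsV2 document (a dict)."""
    node = settings.get("properties", settings)  # assumption: optional wrapper
    for key in AUDIENCE_PATH.format(provider=provider).split("."):
        node = node.get(key) if isinstance(node, dict) else None
    return node or []

def audience_drift(settings, provider, expected):
    """Return (missing, unexpected) audiences, each as a sorted list."""
    actual = set(configured_audiences(settings, provider))
    return sorted(set(expected) - actual), sorted(actual - set(expected))

# Constructed sample document; "api://constructed-extra" is a made-up value.
SAMPLE_SETTINGS = {"properties": {"identityProviders": {"azureActiveDirectory": {
    "validation": {"allowedAudiences": ["https://myApp.azure.com",
                                        "api://constructed-extra"]}}}}}

if __name__ == "__main__":
    wanted = ["https://myApp.azure.com"]
    print(build_command("my-rg", "my-app", "azureActiveDirectory", wanted))
    print(audience_drift(SAMPLE_SETTINGS, "azureActiveDirectory", wanted))
```
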

@PramodValavala-MSFT PramodValavala-MSFT added Service Attention This issue is responsible by Azure service team. and removed CXP Attention This issue is handled by CXP team. labels Sep 28, 2023