`az ad sp create-for-rbac` before 2.25.0 will stop working after 2021-10-15

[jiasli]

Context

According to the announcement of

• https://docs.microsoft.com/en-us/azure/active-directory/develop/reference-breaking-changes#appid-uri-in-single-tenant-applications-will-require-use-of-default-scheme-or-verified-domains
• https://docs.microsoft.com/en-us/azure/active-directory/develop/security-best-practices-for-app-registration#appid-uri-configuration

AAD service will block creating single tenant applications with invalid idefntifierUris after 2021-10-15.

Impact

Azure CLI command az ad sp create-for-rbac before 2.25.0 which sets invalid idefntifierUris will fails with 400 badrequest, such as

Values of identifierUris property must use a verified domain of the organization or its subdomain: 'http://azure-cli-2021-10-20-03-53-05'

Solution

az ad sp create-for-rbac has been updated so that now it doesn't create identifierUris at all (#18312). Please update to Azure CLI 2.25.0 or newer. We recommend always using the latest version.

[yonzhan]

az ad sp create-for-rbac before 2.25.0 will stop working after 2021-10-15.