can anyone tell what "Roles and administrators" under App Registration (as well as Enterprise Application) is there for?
Seems that it always has "Cloud Application Administrator", but this role is NOT assigned to the service principal. I didn't find any documentation about it, maybe I'm missing something here.
Thank you!
Well, after searching/debugging for hours it seems that I just solved it a few minutes later when searching for a slightly different thing:
Role assignments at the organization-wide scope are added to and can
be seen in the list of single application role assignments.
Role assignments at the single application scope aren't added to and
can't be seen in the list of organization-wide scoped assignments.
So the Cloud Application Administrator is scoped to this app registration only. This also explains why I wasn't able to create SP's with this service principal (since it would need the organisation-wide assignment)
https://learn.microsoft.com/en-us/azure/active-directory/roles/view-assignments
Related
We just started recently using App Configuration Service in Azure for some of our applications.
As part of the setup, we removed Access Keys as a possible authentication method. This works pretty well, we have assigned dataowner rights to our team so that they can manage the service and everyone is happy.
We came up with the brilliant idea of using the app config service in our build and release yaml pipelines. We found a suitable task, but the user that is attached to the service connection that we use in Azure Devops to deploy to Azure does not have the rights to access the configuration store.
We want to be able to assign this right in the arm template we created for the app config service. The issue though is that we cannot find the principle id assigned to that user.
Honestly, I am not that experienced with AAD, so I am probably missing something here. The ServicePrincipleId does not work, whenever I try to use it, azure tells me that that user does not exist. I get redirected to an app-registration page whenever I try to manage the service connection, which I don't understand either.
Next steps for me will be to get our admin to manually assign this right to the Service Connection User and see if I can extract the principle Id from that role assignment.
My question(s) would be, why doesn't the service principle work? How do I extract the principle id from the service connection?
Could you please try below steps?
In Azure DevOps, go to the project that contains your target pipeline. In the lower-left corner, select Project settings.
Select Service connections.
Select Manage Service Principal.
From there, you should be able to find the objectId of your Service Principal, which uniquely identifies your SP.
Also these posts are great resources to learn about AAD Apps and Service Principals:
https://learn.microsoft.com/en-us/azure/active-directory/develop/app-objects-and-service-principals
https://stackoverflow.com/questions/54066287/azure-service-principal-id-vs-application-id#:~:text=objectId%20will%20be%20a%20unique,will%20be%20same%20as%20appId%20.
User needs to have read only access to two subscriptions, so added user to the Access
Control for both subscriptions and gave them the built in role [Readers]. Basically I want the user to be able to view Application Insights but not to create, delete, update anything else.
The user reported that they could not AI and instead saw this.
Digging into this error I got this documentation from MS.
The pertinent information is:
These items require write access to the whole Resource group that contains your website:
TLS/SSL Certificates and bindings (TLS/SSL certificates can be shared between sites in the same resource group and geo-location)
Alert rules
Autoscale settings
Application insights components
Web tests
I think the best way to proceed is to create a role that is the same as the built in Reader, and then assign write rights to Application Insights, add this role to the user, and remove the built-in reader. I am knew to Azure and would appreciate any advice or recommendation.
Try to grant the user with both Reader and Application Insights Component Contributor roles. For full list of built-in roles, see Azure built-in roles.
How about this role https://learn.microsoft.com/en-us/azure/azure-monitor/roles-permissions-security#monitoring-reader
It allows for:
- Access Application Insights data and view data in Application Insights Analytics.
Let me know if you've found some other solution.
I have somewhat similar task: provide user with readonly access to Application Insights, but without using Contributor role or custom roles.
Simple case: I have two Azure Applications
TaskTrackerWebApp application has multiple Roles defined. I would like to add AG360DataApiClient application to one of the roles.
But no matter if i use Name or Application ID of the AG360DataApiClient i still cant find it.
In TaskTrackerWebApp i also defined a role with "Application" allowedmemberTypes
So, how would i add an application to another application role? Powershell voodoo?
Thank you.
Update: There was somethign wrong with my Application registration. I deleted and recreated it and now i can assign an application to a Role.
Well, your problem is that you are trying to add an application to a role on a blade that says Users and groups :)
Roles are given to apps as app permissions. Internally they are called appRoleAssignments actually, literally assigning a role to a service principal.
So go to the AG360DataApiClient app registration, go to Required permissions, and add & grant the App permissions. If you can't find the permissions there, make sure the roles have Application as an allowed member type.
I'd like to create a service principle to allow deployments to one or more of my resources under my subscription.
I have an MSDN subscription allowing me £40 a month on Azure.
The Azure Active Directory is maintained by my company.
I am set as a general user
I've already created a service principle with a key via the portal.
When I try to connect via the SP from Octopus Deploy I get the below message:
Unable to verify Azure Account: The client 'xxxx' with object id
'xxxx' does not have authorization to perform action
'Microsoft.Resources/subscriptions/resourcegroups/read' over scope
'/subscriptions/xxxx'.
As I now understand it, an SP sits at tenant level. So does this mean that I likely don't have any permissions to create an SP with the proper access to do what I need and I'll have to get an Admin to do it?
I'm struggling to understand this authentication method tbh. So any information to help clarify how this all fits together would be very much appreciated.
e.g.
Can I limit an SP to just my MSDN subscription?
Can I even limit it to resource groups / resources?
...
In terms of permissions Service Principal doesnt differ from a regular user. Your service principal doesnt have access to that particular subscription. You need to grant those rights to the service principal. You can use portal\powershell\cli\SDK to do that. Sample link.
I have a Java application running on premise in order to manage Azure app registrations and groups. For that purpose I registered an app and its service principle in Azure. I am using one of the samples under (https://github.com/Azure-Samples/aad-java-manage-users-groups-and-roles/). I am having trouble about giving right permissions to my app so that it can register other apps, create groups, assign them to groups and do client secret operations. I am receiving 403 unauthorized response. What are least possible Azure AD permissions for these operations? Which steps and options should I take/follow to implement that requirements in portal?
Thanks
UPDATE 1
Giving owner right is a big move. So that's not the answer I was looking for. That's why I am not marking it as a solution for my question but that would definitely work if you are willing to do that. Code also works.
Part of my question was least possible permissions. After experimenting I found that in app permissions:
Windows Azure Active Directory->Read Write Directory Data
Windows Azure Active Directory->Read Write All Applications
Microsoft Graph->Read Write Directory Data
Microsoft Graph->Read Write All Domains
Microsoft Graph->Read Write All Groups
solved the problem. Active Directory ones allowed me to create app and create group, graph ones allowed me to add app to group. Instead of Graph, adding app as User Access Admin also let me the app to group.
UPDATE 2
I am trying to repeat same process with another app. This time although I gave same permissions as I did in Update 1 this time adding new app to group fails with 403. Any idea how this really works? I am really confused...
You need create a service principal and give it Owner role to your subscription. You could check the code, the new created user is gived CONTRIBUTOR to your subscription. So, your sp need Owner role.
// Assign role to AD user, it needs `Owner` role.
RoleAssignment roleAssignment1 = authenticated.roleAssignments()
.define(raName1)
.forUser(user)
.withBuiltInRole(BuiltInRole.READER)
.withSubscriptionScope("3b4d41fa-e91d-4bc7-bc11-13d221b3b77d")
.create();
System.out.println("Created Role Assignment:");
You could do it on Azure Portal.
<your subscription>--><Access Control>--><Add>.
More information about this please refer to this official document.
Update:
I test in my lab, you don't need give your sp Graph permission, you only need give your sp your subscription Owner role. This is my test result.