Is there any chance to extract specific permissions from few roles and create a new role with them - azure-rbac

I want to create a custom Azure role by extracting a few properties from a couple of roles like User Administrator and Application Administrator.
I saw a few blogs and articles on creating custom RBAC roles, but my need is for directory roles.
Permissions needed:
microsoft.directory/users/*
microsoft.directory/groups/*
microsoft.directory/applications/*
microsoft.directory/serviceprincipals/*
How do I create a custom directory role in my case?
Any input is appreciated.
Thanks

To create a custom role in Azure AD, you need to have either an Azure AD Premium P1 or P2 license along with the Global Admin or Privileged Admin role.
I tried to reproduce the same in my environment and got the results below:
I have an Azure AD Premium P2 license for my Azure AD tenant, like below:
To create a custom role in Azure AD, follow the steps below:
Go to Azure Portal -> Azure Active Directory -> Roles and administrators -> All roles -> New custom role
In the Basics tab, enter a custom role name and select the Start from scratch option -> Next:
In the Permissions tab, select the permissions you need from the list, like below:
After selecting all required permissions, click Create in the Review + Create tab, like below:
After that, the custom role is created successfully in Azure AD, like below:
You can assign that custom role to Azure AD users like below:
Go to Azure Active Directory -> Roles and administrators -> All roles -> Click on your custom role -> Add assignments
I assigned that custom role to one Azure AD user, like below:
You can select the type based on your need and assign the role accordingly, like below:
After a few minutes, it was assigned to the user successfully, like below:
Note that you cannot find the New custom role option if your tenant doesn't have the required license.
I have another tenant with an Azure AD Free license, like below:
When I tried to create a custom role, the New custom role option was greyed out, like below:
So, make sure you have the required licenses and roles before creating Azure AD custom roles.
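The portal walk-through above picks permissions by hand. Doing the same "extract from existing roles" step in PowerShell, as an added example that is not part of the original answer: it reads the permission sets of the two built-in roles named in the question, keeps only the users/groups/applications/servicePrincipals actions, creates the custom role from that explicit list and assigns it. It uses the AzureADPreview module (the same module as the script further down this page) and assumes a Connect-AzureAD session held by a Global Administrator or Privileged Role Administrator in a P1/P2-licensed tenant; the custom role name and the UPN are placeholders.

```powershell
#Requires -Modules AzureADPreview
# Added example (not from the original post). Assumes Connect-AzureAD has
# already been run by a Global Administrator / Privileged Role Administrator.
# Connect-AzureAD

# Built-in roles to mine, and the resource families from the question to keep.
$sourceRoles = @('User Administrator', 'Application Administrator')
$keepPrefixes = @(
    'microsoft.directory/users/',
    'microsoft.directory/groups/',
    'microsoft.directory/applications/',
    'microsoft.directory/servicePrincipals/'
)

# Collect allowedResourceActions from each built-in role. Custom directory
# roles take one explicit action string per entry, so the wildcard patterns
# from the question become a filtered, de-duplicated list of real actions.
$collected = foreach ($name in $sourceRoles) {
    $role = Get-AzureADMSRoleDefinition -Filter "displayName eq '$name'"
    if (-not $role) { throw "Built-in role '$name' not found" }
    $role.RolePermissions | ForEach-Object { $_.AllowedResourceActions }
}
$selected = $collected |
    Where-Object {
        $action = $_
        $keepPrefixes | Where-Object { $action.StartsWith($_, 'OrdinalIgnoreCase') }
    } |
    Sort-Object -Unique

# Review the list before creating the role: this is the point to drop actions
# that are wider than the task needs (password or credential management, for
# example). Only permissions Microsoft lists as supported for custom roles are
# accepted; the create call fails if an unsupported one is left in.
$selected | Format-Table -AutoSize

$customRole = New-AzureADMSRoleDefinition `
    -DisplayName 'Directory Objects Operator (custom)' `
    -Description 'Subset of User Administrator and Application Administrator permissions' `
    -TemplateId (New-Guid).Guid `
    -IsEnabled $true `
    -RolePermissions @{ allowedResourceActions = @($selected) }

# Assign at directory scope ('/'). PrincipalId may equally be the object id of
# a service principal. The UPN below is a placeholder.
$user = Get-AzureADUser -ObjectId 'operator@contoso.example'
New-AzureADMSRoleAssignment -RoleDefinitionId $customRole.Id `
    -PrincipalId $user.ObjectId -DirectoryScopeId '/'
```

The Format-Table step is deliberate: the built-in roles carry far more than the four resource families, and reviewing the filtered list before New-AzureADMSRoleDefinition runs is where least privilege is actually decided.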

Related

Azure Sentinel Contributor Role is not available in Administrative Roles on Azure

According to this link, there should be 3 built-in roles for Azure Sentinel. However, a global admin account is unable to see any of them in Administrative Roles on Azure.
When I go to the underlying workspace, in the Access Control (IAM) blade, I can set the roles:
They do not appear in the Azure AD roles list indeed.
If you go to the resource group that your instance of Sentinel is in, it will have an 'Access Control' link.
From there you can click 'Add role assignment'.
Choose which role you wish to assign and press Next.
Then assign access to a user or group.

How to create an Azure custom role that allows registering applications and service principals

I would like to create a least permission custom role in Azure to assign to a service principal that only allows the service principal to register Azure AD applications and service principals.
The "Contributor" standard role has all the needed rights but also a great many that are not needed, and I can't find anything in the list of available operations that seems to correspond to application registrations which could be used to produce a custom role.
It turns out the question is misguided - I had thought the assignment of Microsoft.Azure.ActiveDirectory permissions to the service principal was insufficient to create and edit app registrations. But it turns out I was just running up against a 5-10 minute lag between permissions being set in the Azure portal and the permissions taking effect. Granting the contributor role to the service principal just happened to take enough time for the original permissions to take effect.
AFAIK, you would not need to create a custom role in Azure to allow registering Azure AD Applications and Service Principals.
Who can register an application through Azure AD is controlled by the user's membership in Azure Active Directory itself and their "Directory Role" in that Azure AD for some operations, but not by the usual RBAC built-in or custom roles which you are looking at (as you mention the list of ARM Resource Provider operations in your question).
Please refer to this Microsoft Documentation: Who has permission to add applications to my Azure AD instance?
UPDATE: Answering query from comments after Simon's edit to original question.
How to provide application registration privileges to a service principal?
Again, you will not use RBAC roles or create custom roles as you mention in your question but instead provide specific "application permissions" to the relevant Service Principal in Azure AD. I'll give steps below.
Go to your Azure AD, "Registered applications"
Find your service principal (you may need to look at all applications instead of just mine).
Add the required permissions as shown below:
Once you've selected the right permissions and are done, please click on "Grant Permissions", because these permissions need admin consent.
Use a custom AAD role as described here.
This is preferable to granting the built-in "Application Developer" role because it's too permissive and has the 250 app limit.
#Requires -Modules AzureADPreview
# 3 October 2020
# Connect-AzureAD
# Parameters for the new custom directory role (hashtable, splatted below)
$ParameterList = @{
    DisplayName     = 'Application Registration Creator'
    Description     = 'Can create an unlimited number of application registrations.'
    TemplateId      = (New-Guid).Guid
    IsEnabled       = $true
    RolePermissions = @{
        # Only the two actions needed to register applications
        allowedResourceActions = @(
            'microsoft.directory/applications/create'
            'microsoft.directory/applications/createAsOwner'
        )
    }
}
# Splat the hashtable into the cmdlet's parameters
$customRole = New-AzureADMSRoleDefinition @ParameterList

AZURE Active Directory - What is the difference between a Service Principal and an Enterprise Application?

Three topics in Azure AD I'm constantly confused on:
Service Principal
Enterprise Application
App Registration
What is the difference?
I can easily go into "App Registrations" and register an "app" while that "app" doesn't even need to exist. All it requires is a URL, which can also be totally random. This app registration then becomes a service principal which you can use to connect to Azure from PowerShell, for instance? Why? I don't understand this.
Please advise, and as you can probably tell, I'm new to Azure :)
When you write an application as a developer, you will register it in a given tenant and specify its properties. This happens in the App Registration blade in Azure AD.
I'll dare an analogy by saying that the app is like a "class" in object-oriented languages (with some static properties, which will be common to all instances).
By registering the application in that given tenant (if you use the portal), this also automatically creates a service principal for this application, which you can find in the "Enterprise Applications" blade of the Azure portal.
To continue with my analogy, the portal creates a kind of instance of that class. This service principal contains information that is related to both the application and the tenant and its users. For instance, it contains the activity of the users, in particular what they have consented to.
Now if, during app registration / app management, you decide that your application is "multi-tenant", then, when the application is accessed in other tenants, another service principal (remember, this instance) will be created in that tenant.
BTW, if you go to the new App Registration (Preview) blade in the Azure portal when you create an application, you can now see all the properties of the app nicely grouped by categories (all the properties which are common to all the service principals). Now if, in the "Overview" tab of the app, you click on the link "Managed application in local directory", you'll get to the corresponding service principal in the same tenant (where you'll see which users have accessed the app and when, where you can grant admin consent - if you are a tenant admin - and see the activity and the audit logs).
This is indeed confusing, and you are not the only one who feels that way. I guess this whole application/service principal thing is designed from the perspective of web applications, which can be scaled across multiple Azure AD tenants. For someone who just wants to create some small scripts which connect to Azure services, understanding this whole thing is too much. Unfortunately there is no way around it. The Azure Portal is also a little bit confusing for this part; it only started to make some sense when I used the Azure CLI for it.
To access Azure resources programmatically, we need to use Service Principal credentials. A Service Principal is actually an instance of an application, so we need to create an Application (App Registration) first too. If the App Registration is added from the portal, the Service Principal is created automatically. With the Azure CLI, creating the Application and the Service Principal are two distinct steps.
The tricky part is that credentials have to be obtained from the Application (App Registrations -> select app -> Certificates & Secrets), while the role assignment for the Service Principal has to be done from Subscriptions (select subscription -> Access control (IAM) -> Role Assignments) or any other resource which supports IAM. The same process using the CLI makes more sense.
Using Azure CLI
Register/create app
$ az ad app create --display-name "displayName"
Create service principal for the app just created
$ az ad sp create --id "applicationId"
Set application credentials
$ az ad app credential reset --credential-description "some_description" --id "applicationId"
OR
$ az ad sp credential reset --credential-description "some_description" --name "applicationDisplayName" --append
Assign roles to Service Principal to access resources in Azure.
$ az role assignment create --assignee "service principal object id/ApplicationId" --role role_name
And if you don't care about all this application/service principal stuff and just want to use Service Principal for accessing Azure resources, there is a shortcut.
$ az ad sp create-for-rbac --name "service_principal_name"
This will create the application and the service principal, set credentials on the app, assign the Contributor role at subscription scope to the service principal and print the credentials!!
Since the name of the Application (in App Registrations) and the Service Principal (Enterprise/All Applications) is the same, we need to look carefully at the Object ID and Application ID to find out which is which. On top of that, Service Principals are listed as Enterprise Applications/All Applications in the Azure Portal.
'Enterprise Applications' is just a category of Service Principals which satisfy two conditions:
The Service Principal and the Application registration should be in the same tenant.
The Service Principal should have the tag 'WindowsAzureActiveDirectoryIntegratedApp'. If this tag is removed from the Service Principal, it won't show under Enterprise Applications, but it will still be listed under 'All Applications'. (Do not try in production!!)
Note that service principals created from the CLI did not appear in 'Enterprise Applications' and I had to add the tag manually.
$ az ad sp update --id "service_principal_object_id" --add tags WindowsAzureActiveDirectoryIntegratedApp
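The same four CLI steps in Az PowerShell, as an added example that is not part of the original answer. It makes the application/service principal split visible by printing the two objects' ids side by side, and it replaces the subscription-wide Contributor that the create-for-rbac shortcut above hands out with a Reader assignment on one resource group. It assumes a Connect-AzAccount session with rights to create applications and assign roles, a recent Az.Resources (one that generates the client secret for you), and the application and resource group names are placeholders.

```powershell
#Requires -Modules Az.Resources
# Added example (not from the original answer). Assumes Connect-AzAccount has
# been run and Az.Resources is recent enough to generate secrets itself.
$appName       = 'reporting-job'          # constructed application name
$resourceGroup = 'rg-reporting-prod'      # placeholder resource group name

# 1. The application registration (the "class"): identified by AppId.
$app = New-AzADApplication -DisplayName $appName

# 2. The service principal (the "instance" in this tenant): its own object
#    with its own Id, linked to the registration through ApplicationId.
$sp = New-AzADServicePrincipal -ApplicationId $app.AppId

# 3. Credentials are set on the application, not on the principal. The
#    generated secret is returned once; keep it in a vault, never in source.
$cred = New-AzADAppCredential -ApplicationId $app.AppId -EndDate (Get-Date).AddMonths(6)

# 4. Role assignment targets the principal's object id. Scope it to what the
#    job needs (Reader on one resource group) rather than Contributor on the
#    whole subscription.
$rg = Get-AzResourceGroup -Name $resourceGroup
New-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionName 'Reader' -Scope $rg.ResourceId

# Same display name on both objects, different ids: this is the pair to read
# carefully in the portal when something references "the app".
[pscustomobject]@{
    AppRegistrationObjectId  = $app.Id
    ApplicationId            = $app.AppId
    ServicePrincipalObjectId = $sp.Id
    ServicePrincipalAppId    = $sp.AppId
}
```

The final object is the point of the exercise: AppId is shared by the registration and the principal, while the two object ids differ, and role assignments and credential resets go to different ones of them.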

Azure RBAC and Azure IAM

A user should be able to read a resource group, but not be allowed to create/delete a resource group.
i. I have created a custom role using a JSON script with the following permissions:
Actions: Microsoft.Resources/subscriptions/resourceGroups/read
NotActions: Microsoft.Resources/subscriptions/resourceGroups/write,
Microsoft.Resources/subscriptions/resourceGroups/delete
ii. Added it using the PowerShell cmdlet New-AzureRMRoleDefinition.
But when I assigned this custom role to a user in IAM, the user is still able to create/delete a resource group.
Note: I have used the RBAC and IAM services of Azure.
Go to the resource group blade >> IAM >> Add (at the top of the blade).
Select Contributor. Select the user. You are done.
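An added example, not from the original thread, that builds the role from the question with the current Az module and then runs the check a practitioner wants when a "read-only" user can still create or delete resource groups: list every assignment the user holds, including ones inherited through group membership, because Azure RBAC is additive and NotActions only narrows this one role rather than denying anything. It assumes a Connect-AzAccount session with Owner or User Access Administrator on the subscription; the UPN is a placeholder.

```powershell
#Requires -Modules Az.Resources
# Added example (not from the original thread). Assumes Connect-AzAccount has
# been run with Owner / User Access Administrator on the current subscription.
$subscriptionId = (Get-AzContext).Subscription.Id
$userUpn        = 'reader@contoso.example'     # placeholder UPN

# Start from a built-in definition to get a correctly shaped object, then
# replace its contents with the Actions/NotActions from the question.
# NotActions subtracts from this role's own Actions only; since Actions here
# already lists just "read", the NotActions are harmless but redundant.
$role = Get-AzRoleDefinition -Name 'Reader'
$role.Id          = $null
$role.IsCustom    = $true
$role.Name        = 'Resource Group Reader (custom)'
$role.Description = 'Read resource groups only'
$role.Actions.Clear()
$role.Actions.Add('Microsoft.Resources/subscriptions/resourceGroups/read')
$role.NotActions.Clear()
$role.NotActions.Add('Microsoft.Resources/subscriptions/resourceGroups/write')
$role.NotActions.Add('Microsoft.Resources/subscriptions/resourceGroups/delete')
$role.AssignableScopes.Clear()
$role.AssignableScopes.Add("/subscriptions/$subscriptionId")
$custom = New-AzRoleDefinition -Role $role

# New definitions take a short while to replicate before they can be assigned.
Start-Sleep -Seconds 30
New-AzRoleAssignment -SignInName $userUpn -RoleDefinitionName $custom.Name `
    -Scope "/subscriptions/$subscriptionId"

# Why the user may still create/delete: any other assignment (direct or via a
# group) carrying Owner or Contributor at subscription or management group
# scope wins, because permissions across assignments are unioned.
Get-AzRoleAssignment -SignInName $userUpn -ExpandPrincipalGroups |
    Select-Object RoleDefinitionName, Scope, ObjectType |
    Sort-Object Scope
```

If the listing shows a Contributor or Owner row at a wider scope, that row, not the custom role, is what grants create/delete; remove or narrow it. A custom role can only add permissions, so it cannot take away what another assignment already grants.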

User with global admin, cannot view Application or Resource grp in Azure

I'm a global administrator of my Azure tenant and gave Global admin rights to others so they can manage the Azure tenant.
However, they can't view any of the services already provisioned on Azure.
For example, they cannot view:
a) Resource groups
b) Enterprise Applications
Please suggest what more I should do to resolve the issue.
This issue may be caused by your not having been assigned a subscription.
Try to find out whether there are subscriptions in your Azure account. (Type "subscription" in the search box in Azure.)
If you don't have any subscription, try to contact the owner and have them add your account as owner or another role. (Go to Subscriptions > choose one subscription > Access control > Add.) The steps look like this: