I am trying to find a way to check the AD roles attached to a user. After a lot of reading, it seems like there is no cli call that can provide this information. The workaround I am thinking is to list out all the users who have "Global Administrator" permission in the AD role. Is there an azure CLI call that can help with getting this information? I tried the calls in az ad user but none of them have the information I am looking for.
I agree with #Panagiotis Kanavos, you can make use of HTTP requests by calling them from Azure CLI.
You can use below MS Graph query to get the list the users with Global Administrator role:
GET https://graph.microsoft.com/v1.0/roleManagement/directory/roleAssignments?$filter=roleDefinitionId eq '62e90394-69f5-4237-9190-012177145e10'
To call the above query from Azure CLI, you can use az rest command like below:
az rest --method get --url "https://graph.microsoft.com/v1.0/roleManagement/directory/roleAssignments?$filter=roleDefinitionId eq '62e90394-69f5-4237-9190-012177145e10'"
I tried to reproduce the same in my environment and got below results:
I have below users in my tenant, assigned with Global Administrator role:
To get these results from Azure CLI, I ran below command:
az rest --method get --url "https://graph.microsoft.com/v1.0/roleManagement/directory/roleAssignments?$filter=roleDefinitionId eq '62e90394-69f5-4237-9190-012177145e10'"
Response:
Here is Powershell and Graph API example how you can do that.
Related
I understand the process of assigning Microsoft Graph permissions to a service principal. I can take the object id of the Microsoft Graph app, then use the https://graph.microsoft.com/v1.0/servicePrincipals/<id>/appRoleAssignedTo MSGraph endpoint, like described here.
My question is: can I do the same with a regular user? That is, when calling appRoleAssignedTo, specify the object id of a user in the principalId field. Can a regular user have application permissions (like MSGraph permissions), and how do I use them afterwards?
I tried to do the above and assign the RoleManagement.ReadWrite.Directory to a user. Then I logged in with az login and ran az account get-access-token --resource-type ms-graph.
With this token I tried to do an operation that requires the RoleManagement.ReadWrite.Directory permission, like assigning a role to another user, but it fails with Insufficient privileges to complete the operation..
Users can request the scope they need when using Connect-MgGraph, for example:
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory"
Which is the recommended approach, as it means that for that session they will only have access to the scopes that are necessary rather than any they've previously requested
I tried to reproduce the same in my environment and got the same error as below:
Note that: Microsoft Graph API permissions can be assigned only to Service principals not users directly.
When I tried to Connect-MgGraph as a normal user, I got the error like below:
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory"
I created an Azure AD Application and granted API permission as below:
I generated access token by using below parameters:
GET https://login.microsoftonline.com/1810a95e-99f3-46e0-84e8-8a2aee05d830/oauth2/v2.0/token
client_id:ClientID
client_secret:*****
scope:RoleManagement.ReadWrite.Directory
grant_type:authorization_code
redirect_uri:RedirectUri
code:code
By using the above access token, I am able to assign directory role to the user successfully as below:
POST https://graph.microsoft.com/v1.0/directoryRoles/roleTemplateId=88d8e3e3-8f55-4a1e-953a-9b9898b8876b/members/$ref
Content-type: application/json
{
"#odata.id": "https://graph.microsoft.com/v1.0/directoryObjects/UserID"
}
Reference:
Add graph api permission to user account by Harpreet Singh Matharoo
Today I have tried to perform action on Azur ADF using CLI (Portal for that subscription can be only used as "read") AZ CLI is installed on AZ VM that via Managed identity has received Contributor role on the whole subscription. Running command ended with AuthorizationFailed.
After logging into AZ CLI with AZ login -i
and running command az datafactory configure-factory-repo
(AuthorizationFailed) The client 'CLIENT_ID' with object id
'CLIENT_ID' does not have authorization to perform action
'Microsoft.DataFactory/locations/configureFactoryRepo/action' over scope
'/subscriptions/SUBSCRIPTION_ID' or the scope is invalid.
If access was recently granted, please refresh your credentials.
Code: AuthorizationFailed Message: The client 'CLIENT_ID'
with object id 'CLIENT_ID' does not have authorization to
perform action 'Microsoft.DataFactory/locations/configureFactoryRepo/action' over scope
'/subscriptions/SUBSCRIPTION_ID' or the scope is invalid. If access
was recently granted, please refresh your credentials.
I have checked and VM Contributor role has Microsoft.DataFactory/locations/configureFactoryRepo/action
What else I should check?(I have no access to AZ AD)
Edit:
CLIENT_ID is equal to principalId of VM from which I'm running commands.
I assume that the CLIENT_ID and SUBSCRIPTION_ID actually are real values and you have replaced them to not disclose the here, correct?
To be sure that you are in the correct context you could first issue 'az account show' after you logged in using 'az login -i'. Is the response to that what you expected?
-- Edit --
The client ID should be the client id of the managed identity, also sometimes referred to as App ID (same thing). So when you log in with -i I believe it should be the same output as when you do the az account show. So that's a good thing.
Then I kind of get the feeling that it is a scope error. It looks a lot like you run in to this and it's by design as of now. But have a look at lmicverm's comment. You might use the the other call (Create or update Factory) as a workaround?
If I perform az login as myself, I'm able to see the following output:
(.venv) supertonic09 % az role assignment list --subscription aa11bb33-cc77-dd88-ee99-0918273645aa --role "Owner" --query '[*].principalName'
[
"zeus#test.onmicrosoft.com",
"pluto#test.onmicrosoft.com",
"poseidon#test.onmicrosoft.com"
]
…but if leverage the --service-principal option, as I'm attempting to develop a check via Python, while I get other values like id, name, and roleDefinitionName for example… I'm still oddly missing principalName from my query.
Please note, that based on Why don't I see Principal Name when I run az role assignment list from Azure Devops?, I've added Directory.Read.All but the result is still the same.
You you need Azure AD Graph Directory.Read.All —not to be confused with just Microsoft Graph Directory.Read.All
I'm trying to get my ansible script to get logged into azure via azure cli. For some reasons, I'm not allowed to use the ansible azure package. I have to use the shell and call directly the commands from there.
I'm fairly new with azure in general, so all this tenants, service principals and such are still concepts that I don't fully grasp.
I've been checking official the documentation. I've created an app registration for it (Named ansible_test). I get all I need, including the secret. and then I call the the commands as this:
az login --service-principal -u $AZURE_SERVICE_PRINCIPAL_NAME -p $AZURE_SECRET --tenant $AZURE_TENANT
where:
$AZURE_SERVICE_PRINCIPAL_NAME = ansible_test
$AZURE_SECRET = ${The one that I've defined via Certificates & secrets section in the app registration}
$AZURE_TENANT = ${The azure tenant that I find in the app registration}
I'm getting the error:
Get Token request returned http error: 400 and server response: {"error":"unauthorized_client","error_description":"AADSTS700016: Application with identifier 'ansible_test' was not found in the directory '${AZURE_TENANT}(Blurred because I'm not sure this is something secret or not)'. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You may have sent your authentication request to the wrong tenant.
As I understand, I got the wrong tenant. But I'm getting the exact one that I'm getting from the app registration. I've been hitting my head against this wall for some time. I've tried many other things, but it doesn't seem to work.
In this image, I'm trying to show that I've indeed created the app registration (What I'm understanding that it's a service principal). I've blurred the ids just out of ignorance whether they are private or not.
What is that I'm doing wrong? I can't really understand the origin of the error...
The username for a service principal is its Application (client) ID, so you need to use that instead of the app name.
It uses client credentials flow under the covers to get tokens which requires the client id, tenant id + client secret/client certificate to authenticate.
Use the following command, before running this command, make sure to define variables.
az login --service-principal -u ${app_id} -p ${password} --tenant ${tenant_id}
I'm trying to add a key in my Azure AD application using Azure CLI.
But looking throught the Azure CLI API it seems that there is no such command.
For exmaple:
I'm trying to automate the task from the link below via Azure CLI:
http://blog.davidebbo.com/2014/12/azure-service-principal.html
I can create AD application, service principal, but I can't find a way to add key for newly create AD application.
I'll appreciate any ideas and directions :)
Thanks in advance !
For a new AD application, you can specify a key with -p while creating. For example,
azure ad app create -n <your application name> --home-page <the homepage of you application> -i <the identifier URI of you application> -p <your key>
For an existing AD application, surely the Graph API is able to update the AD Application Credential. Read this API reference, and you can see that the password credential is able to use "POST, GET, PATCH". However, it's too complicated to use the Graph API. I have check the Azure CLI. That functionality is not yet implemented, and the source is unreadable for me. Then, I took a look at Azure SDK for Python, because I am familiar with python, and I found out that they have already implemented it in 2.0.0rc2. See the GitHub Repo
I have written a python script. But, in order to use my script you need to install not only azure2.0.0rc2, but also msrest and msrestazure.
from azure.common.credentials import UserPassCredentials
from azure.graphrbac import GraphRbacManagementClient, GraphRbacManagementClientConfiguration
from azure.graphrbac.models import ApplicationCreateParameters, PasswordCredential
credentials = UserPassCredentials("<your Azure Account>", "<your password>")
subscription_id = "<your subscription id>"
tenant_id = "<your tenant id>"
graphrbac_client = GraphRbacManagementClient(
GraphRbacManagementClientConfiguration(
credentials,
subscription_id,
tenant_id
)
)
application = graphrbac_client.application.get('<your application object id>')
passwordCredential = PasswordCredential(start_date="2016-04-13T06:08:04.0863895Z",
end_date="2018-04-13T06:08:04.0863895Z",
value="<your new key>")
parameters = ApplicationCreateParameters(application.available_to_other_tenants,
application.display_name,
"<the homepage of your AD application>",
application.identifier_uris,
reply_urls=application.reply_urls,
password_credentials = [passwordCredential])
application = graphrbac_client.application.update('<your application object id>', parameters)
The only problem with this script is that you are only able to override all the existing keys of you AD application. You are not able to append a new key. This is a problem of the Graph API. The Graph API does not allow users to read an existing key. One possible solution would be storing your existing keys somewhere else. But, this will bring extra security risk.
I don't have any experience of automating adding the key, I'm not sure it's even possible to be honest. However have a look at the ApplicationEntity documentation in the Graph API, it might be possible using a POST request to the web service.