Service Principal does have Application.ReadWrite.OwnedBy API permission but it can't PATCH using the AZ REST commands.
It can LIST/GET using the AZ REST command.
az rest --method PATCH --uri "https://graph.microsoft.com/v1.0/applications/{OBJECT_ID}" --headers 'Content-Type=application/json' --body '{"web":{"redirectUris":["https://URL"]}}'
Error:
Forbidden(
{
"error": {
"code":"Authorization_RequestDenied",
"message":"Insufficient privileges to complete the operation.",
"innerError": {
"date":"2022-10-13T06:10:41",
"request-id":"...",
"client-request-id":"...."
}
}
})
Any idea why it says forbidden?
As per the error you mentioned, it seems to be a delegated permission issue: the admin has to grant permission to do that operation. Please check the same on the Azure portal in API permissions under App Registration.
I tried to reproduce in my environment and got the results below:
I have an Application with the name testvenkat, added the "Application.ReadWrite.OwnedBy" API permission and also granted admin consent, which is shown below:
Now I tried the same commands:
az rest --method PATCH --uri 'https://graph.microsoft.com/v1.0/applications/<Object-ID>' --body '{"web":{"redirectUris":["https://<url>"]}}' --headers Content-Type=application/json
Console:
I used the GET method to see my web redirectUris, to make sure whether it was updated or not.
az rest --method GET --uri 'https://graph.microsoft.com/v1.0/applications/<Object-ID>'
Console:
Portal:
Forbidden({
"error": {
"code":"Authorization_RequestDenied",
"message":"Insufficient privileges to complete the operation.",
"innerError": {
"date":"2022-10-13T06:10:41",
"request-id":"...",
"client-request-id":"...."
}
}
})
Please check the following points:
Make sure you are logged in correctly, with az login <username> and <password>, or az login --service-principal with <application id> and secret.
Check whether it has the proper role assignments and the "Owner" permission role.
Also check that the API permission "Application.ReadWrite.OwnedBy" is of Application type in the Microsoft Graph API.
Reference:
Microsoft Graph permissions reference - Microsoft Graph | Microsoft Learn
Related
I am trying to find a way to check the AD roles attached to a user. After a lot of reading, it seems like there is no cli call that can provide this information. The workaround I am thinking is to list out all the users who have "Global Administrator" permission in the AD role. Is there an azure CLI call that can help with getting this information? I tried the calls in az ad user but none of them have the information I am looking for.
I agree with @Panagiotis Kanavos: you can make use of HTTP requests by calling them from Azure CLI.
You can use below MS Graph query to get the list the users with Global Administrator role:
GET https://graph.microsoft.com/v1.0/roleManagement/directory/roleAssignments?$filter=roleDefinitionId eq '62e90394-69f5-4237-9190-012177145e10'
To call the above query from Azure CLI, you can use az rest command like below:
az rest --method get --url "https://graph.microsoft.com/v1.0/roleManagement/directory/roleAssignments?\$filter=roleDefinitionId eq '62e90394-69f5-4237-9190-012177145e10'"
I tried to reproduce the same in my environment and got the results below:
I have the users below in my tenant, assigned the Global Administrator role:
To get these results from Azure CLI, I ran the command below:
az rest --method get --url "https://graph.microsoft.com/v1.0/roleManagement/directory/roleAssignments?\$filter=roleDefinitionId eq '62e90394-69f5-4237-9190-012177145e10'"
Response:
Here is a PowerShell and Graph API example of how you can do that.
As far as I understand the azcli doesn't have an app registration in AAD, and now that it's possible to make rest calls from the azcli, how does one grant permissions that are required for certain calls?
$ az rest --method get --url "https://graph.microsoft.com/beta/privilegedAccess/azureResources/roleAssignments?\$filter=subjectId+eq+'xxxxxxx-xxxx-xxxx-xxx-xxxxxxxx'"
Unauthorized({
"error": {
"code": "UnknownError",
"message": "{\"errorCode\":\"PermissionScopeNotGranted\",\"message\":\"Authorization failed due to missing permission scope PrivilegedAccess.Read.AzureResources,PrivilegedAccess.ReadWrite.AzureResources.\",\"target\":null,\"details\":null,\"innerError\":null,\"instanceAnnotations\":[],\"typeAnnotation\":null}",
"innerError": {
"date": "2021-02-18T09:31:46",
"request-id": "989c1555-aa84-45a7-8fd9-e168531fcf88",
"client-request-id": "989c1555-aa84-45a7-8fd9-e168531fcf88"
}
}
})
As Microsoft Graph REST API v1.0 is now GA, we can call it directly with az rest to achieve the same effect as az ad commands, including all latest features from Microsoft Graph. It can automatically authenticate to Microsoft Graph.
And for this you will have to use the v1.0 version of the API: https://graph.microsoft.com/v1.0. Using this, it should work.
Check out this GitHub Issue #12946 about the same for more details.
I am trying to create an Azure AD Group via the Graph API using a service principal. The intent is that the service principal will create the group in a Pipelines run.
The call I am using to attempt to create the group is
az rest --method post \
--uri 'https://graph.microsoft.com/v1.0/groups' \
--body '{"description": "A description", "displayName": "MyAppGroup", "mailEnabled": false, "mailNickname": "test", "securityEnabled": true, "owners#odata.bind": ["https://graph.microsoft.com/v1.0/users/oooooooo-oooo-oooo-oooo-oooooooooooo"]}' \
--headers "Content-Type=application/json"
For Graph permissions, I have bound the API permission Group.Create to my service principal. To understand the permissions I am required to grant, I am following this page:
https://learn.microsoft.com/en-us/graph/api/group-post-groups?view=graph-rest-1.0&tabs=http#permissions
With the Group.Create permissions, when I run the rest call to the Graph API above, I get the following permission error
Forbidden({
"error": {
"code": "Authorization_RequestDenied",
"message": "Insufficient privileges to complete the operation.",
"innerError": {
"date": "2020-11-02T13:31:35",
"request-id": "...",
"client-request-id": "..."
}
}
})
I completely understand that if I were to add Directory.ReadWrite.All, I could make the group and would have all required permissions. However, this permission is overscoped and would allow my service principal to disable users in the Active Directory tenant, something my organisation will not allow. Therefore I cannot grant my service principal this permission.
The documentation I have linked above implies to me that Group.Create is a sufficient permission to enable a service principal to create a group.
My question is what I am doing wrong, or what permissions am I missing to be able to create a group? Directory.ReadWrite.All is clearly overscoped to simply create an AD security group and so using it is not an option for me.
Hopefully this helps someone else - I realised the answer immediately after posting this.
I had added the property
"owners#odata.bind": ["https://graph.microsoft.com/v1.0/users/oooooooo-oooo-oooo-oooo-oooooooooooo"]
to the json post data.
Removing this property allowed me to create the group with just the Group.Create permission.
Adding the permission User.Read.All allows the service principal to read the user data for the owner, and so is sufficient to create the group with any necessary owners.
After adding this API permission, my service principal was able to create the group (with owners) as expected.
I want to assign the role Things.Read.All, created in my app registration, to a managed identity.
The app registration SP object id is 8055e1eb-0000-0000-9b77-00000000000
The Role definition looks like this
"appRoles": [
{
"allowedMemberTypes": [
"Application"
],
"description": "Allow the application to read all things as itself.",
"displayName": "Read all things",
"id": "86a914fa-a862-4962-9975-000000000000",
"isEnabled": true,
"lang": null,
"origin": "Application",
"value": "Things.Read.All"
}
]
The only thing known about a system assigned managed identity is its object id, say
aad300-0872-0000-811d-00000000000
and I want to allow it to call the application 8055e1eb-0000-0000-9b77-00000000000 that expects to see the Role in access token.
I know I have to use the following api to do this.
https://graph.microsoft.com/v1.0/servicePrincipals/8055e1eb-0000-0000-9b77-00000000000/appRoleAssignedTo
{
"principalId": "aad300-0872-0000-811d-00000000000",
"resourceId": "8055e1eb-0000-0000-9b77-00000000000",
"appRoleId": "86a914fa-a862-4962-9975-000000000000"
}
I have wide but controlled access in my tenant. When I acquire a token from
az account get-access-token --resource https://graph.microsoft.com
and call the above, I get
"code": "Authorization_RequestDenied",
"message": "Insufficient privileges to complete the operation.",
What I need to figure out is the exact privilege that is needed to make this call.
As you did not answer my comment, I can just give you my own solution, which uses the service principal to log in to the Azure CLI; it works for me.
Please follow the steps below.
1. Create a new App Registration in Azure AD, then get the values for signing in and create a new application secret.
2. Navigate to the API permissions of the App, add the Application permission (not Delegated permission) Directory.ReadWrite.All of Microsoft Graph, and don't forget to click the Grant admin consent for xxx button at the end.
Note: From the doc, the AppRoleAssignment.ReadWrite.All permission is enough, but per my test it will not work; not sure if it is a bug. I have decoded the token, and the token has the AppRoleAssignment.ReadWrite.All permission.
3. In Azure CLI, run the commands below to get the token.
az account clear
az login --service-principal --allow-no-subscriptions --username '<application-id>' --password '<application secret>' --tenant '<tenant-id>'
az account get-access-token --resource https://graph.microsoft.com
4. I tested the token to call the API - Grant an appRoleAssignment for a service principal - to grant the app role for the system-assigned identity of my function app; it works fine.
Check it in the portal:
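Added example, not code from any of the posts above: a bash helper that decodes the roles (application permissions) and scp (delegated permissions) claims of the token Azure CLI sends to Microsoft Graph, so a 403 Authorization_RequestDenied like the ones in these threads can be compared with what the token actually carries, as the answer above did by decoding the token. The sample tokens are constructed with a dummy signature; only check_live calls az.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): decode the roles/scp claims of the token
# az rest sends to Graph, so a 403 Authorization_RequestDenied can be traced to a
# missing application permission (roles) or delegated scope (scp).
set -euo pipefail

# Base64url-encode a string; used only to build the constructed sample tokens.
b64url() { printf '%s' "$1" | base64 | tr -d '=\n' | tr '/+' '_-'; }

# Decode the JWT payload (second segment): base64url -> base64, re-pad, decode.
jwt_payload() {
  local seg
  seg=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
  case $(( ${#seg} % 4 )) in 2) seg="${seg}==" ;; 3) seg="${seg}=" ;; esac
  printf '%s' "$seg" | base64 -d
}

# Application permissions of an app-only token: the "roles" array, one per line.
jwt_roles() {
  jwt_payload "$1" | grep -o '"roles":\[[^]]*\]' | sed 's/^"roles":\[//; s/\]$//' \
    | tr ',' '\n' | tr -d '"' || true
}

# Delegated permissions of a user token: the space-separated "scp" string, one per line.
jwt_scopes() {
  jwt_payload "$1" | grep -o '"scp":"[^"]*"' | sed 's/^"scp":"//; s/"$//' \
    | tr ' ' '\n' || true
}

# Returns 0 when the token carries the named application permission, 1 otherwise.
token_has_role() { jwt_roles "$1" | grep -qx -- "$2"; }

# Live use (needs az login): confirm the permission a Graph call requires is in
# the token before calling, instead of interpreting the 403 afterwards.
check_live() {
  local tok
  tok=$(az account get-access-token --resource https://graph.microsoft.com \
          --query accessToken -o tsv)
  token_has_role "$tok" "$1" || {
    echo "token lacks application permission $1; roles: $(jwt_roles "$tok" | tr '\n' ' ')" >&2
    return 1
  }
}

# Constructed sample tokens (header.payload.signature; signatures are dummies).
SAMPLE_APP_TOKEN="$(b64url '{"alg":"RS256","typ":"JWT"}').$(b64url '{"aud":"https://graph.microsoft.com","roles":["Application.ReadWrite.OwnedBy","User.Read.All"]}').dummysig"
SAMPLE_USER_TOKEN="$(b64url '{"alg":"RS256","typ":"JWT"}').$(b64url '{"aud":"https://graph.microsoft.com","scp":"User.Read Group.Read.All"}').dummysig"

if [ "${1:-}" = "--demo" ]; then
  jwt_roles "$SAMPLE_APP_TOKEN"
  token_has_role "$SAMPLE_APP_TOKEN" Group.Create || echo "Group.Create missing"
fi
```

Run with --demo to see the constructed token's roles, or source the file and call check_live Application.ReadWrite.OwnedBy after az login to check a real token.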
My objective is to get an access token for a user for a resource (an AD app present in the tenant).
I have been able to get access token for a service principal by using
az login --service-principal -u -p --tenant --allow-no-subscriptions
az account get-access-token --resource
Now when I try to achieve the same for a user, by replacing the service-principal login with a user login (az login):
az login
az account get-access-token --resource
This however gives an error
Get Token request returned http error: 400 and server response: {"error":"invalid_grant","error_description":"AADSTS65001: The user or administrator has not consented to use the application with ID 'abc'. Send an interactive authorization request for this user and resource.\r\nTrace ID: 19fdf309-f9ef-423b-8c18-7cd9269b0700\r\nr\nTimestamp: 2019-11-21 09:03:25Z","error_codes":[65001],"timestamp":"2019-11-21 09:03:25Z","trace_id":"19fdf309-f9ef-423b-8c18-7cd9269b0700","correlation_id":"2aafc4e4-0c1b-42b3-ba59-afe09bbe9fb5","suberror":"consent_required"}
Can someone help me understand why this is the case?
Thanks in advance!
You are trying to get a token for <APP ID Uri> using Azure CLI, whose client ID is exactly 04b07795-8ddb-461a-bbee-02f9e1bf7b46.
Go to the resource (App in AD) -> Expose an API -> Add a client application with 04b07795-8ddb-461a-bbee-02f9e1bf7b46 and check the scope.
Then get the access token again.