I found a link here which says:
There is no way to directly create a service principal using the Azure portal. When you register an application through the Azure portal, an application object and service principal are automatically created in your home directory or tenant.
My question is, Can a 'service principal' create another 'service principals' in Azure? If yes, how? and what all permissions required for this?
Please suggest. Thanks.
A service principal can create another service principal after being assigned either the corresponding MS Graph permission, or Azure AD role
MS Graph Permissions
Either of the permissions
Application.ReadWrite.All
Application.ReadWrite.OwnedBy
References
Microsoft Graph permissions reference
Create application API endpoint
Create servicePrincipal API endpoint
Azure AD Role
Any role with one of these permissions
microsoft.directory/applications/create
microsoft.directory/applications/createAsOwner
microsoft.directory/applications/allProperties/allTasks
Built-in roles
Application Administrator
Application Developer
Cloud Application Administrator
Global Administrator
Hybrid Identity Administrator
References
Azure AD built-in roles
Application registration permissions for custom roles in Azure Active Directory
Related
I am looking for examples to fetch access token for azure storage account access via azure active directory with service principal in python
It seems like https://github.com/AzureAD/azure-activedirectory-library-for-python/blob/dev/sample/client_credentials_sample.py doesn't support service principal access
are there other ways in fetching token via service principal?
• Yes, you can surely fetch an access token for an Azure storage account via Azure Active Directory using a service principal, i.e., an app registration by following the steps below as given in the below documentation link: -
https://learn.microsoft.com/en-us/azure/developer/python/sdk/authentication-azure-hosted-apps?tabs=azure-portal%2Cazure-app-service
As per the above documentation, you will have to host your python application code in a web app service and create a system assigned managed identity for it. Once created, then an application will be created in Azure AD with the same ‘Object ID’ as shown in the managed identity section of the web app service. Before moving onto this application created in Azure AD, assign the required roles to this system assigned managed identity through the ‘IAM’ tab. So, in your case, you should assign the role of ‘Storage Account Contributor’ to the ‘System-assigned managed identity’ created for the web app service.
• Once, the role has been assigned, then go to the ‘Enterprise application’ and search for the ‘Object ID’ of the managed identity, you will encounter an application with the name of the web app service, in that, go to ‘Permissions’ under ‘Security’ tab and assign the required permissions and admin consent required to the application. The permissions shown are those that are allowed under the scope of ‘Storage Account Contributor’ and similarly, you must assign permissions from it to the app/service principal. Then ensure that you are correctly calling the environment variables of this application created in Azure AD regarding the managed identity and implement the ‘DefaultAzureCredential’ from the ‘azure.identity’ module. For this purpose, kindly refer to the below subsection of the above documentation: -
https://learn.microsoft.com/en-us/azure/developer/python/sdk/authentication-azure-hosted-apps?tabs=azure-portal%2Cazure-app-service#3---implement-defaultazurecredential-in-your-application
In this way, you can fetch an access token for the Azure storage account via Azure Active Directory using a service principal.
According this when you create an Azure Resource Manager service connection to a certain Resource Group, Azure DevOps connects with Azure Active Directory (Azure AD) and creates an app registration with a secret that's valid for two years.
Well, what exactly are the permissions given to this app registration over the Resource Group? Same than the account which is creating the service connection?
When you create a automated Azure Resource Manager Service connection in Azure Devops, it will automaticlly create a service principal in Azure Active Directory(Named: Orgname-projectname-SubscriptionID).
You could navigate to Azure Portal -> Azure Active Directory -> App registrations.
When using this automatic service connection in azure devops, azure sources are operated through this service principal instead of the account which is creating the service connection.
This service principal has the Contributor role in Azure Resource Group.
Grants full access to manage all resources, but does not allow you to assign roles in Azure RBAC, manage assignments in Azure Blueprints, or share image galleries.
You can search for the service principal name in Resource Group -> Access control to check its permissions
what exactly are the permissions given to this app registration over the Resource Group?
It is a Contributor role, also did a quick test for you.
Same than the account which is creating the service connection?
No, the account needs to be the Owner of the subscription, otherwise it will not have the permission to assign the role to the AD App i.e. service principal.
Background
I want to give an application ownership of several of my Azure Service Bus queues ... specifically, by granting it the Azure Service Bus Data Owner role.
The Azure Service Bus documentation says this is possible:
Azure Service Bus supports using Azure Active Directory (Azure AD) to authorize requests to Service Bus entities (queues, topics, subscriptions, or filters). With Azure AD, you can use role-based access control (RBAC) to grant permissions to a security principal, which may be a user, group, or application service principal [my emphasis].
(Source)
However, I can't find a way to do it.
What I've Tried
Registered the application in Azure AD.
Granted the application the user_impersonation permission on Microsoft.ServiceBus. (Application permissions is disabled [1], so I selected Delegated permissions and checked user_impersonation [2]. No idea if that's right. I posted another question a while ago about Application permissions being disabled, but the accepted answer of editing the manifest doesn't work in this case.)
In my Service Bus queue, selected Role assignments.
Clicked Add.
Searched for my application.
Issue
My application doesn't appear in the search results in Role assignments.
A service principal is the instance of an application in a given tenant. (Multi-tenant applications can have service principals in many tenants, all referring back to a single app registration.)
To grant an Azure role to an application, a service principal must first exist in the tenant. To check if the service principal for an app registration already exists in the same tenant where the app is registered (and create it if it doesn't):
Using the Azure portal:
Navigate to Azure AD > App registrations > (app) > Overview
Under the Managed application in local directory heading:
If you see a link with the name of the app, the service principal already exists.
If you see a "Create service principal" link, clicking it will attempt to create the service principal.
Using Azure CLI:
az ad sp show --id {app-id}
az ad sp create --id {app-id}
Using Azure AD PowerShell:
Get-AzureADServicePrincipal -Filter "appId eq '{app-id}'"
New-AzureADServicePrincipal -AppId "{app-id}"
Service principle can be created without role via az ad sp create-for-rbac --skip-assignment
Q1. What's the use of a service principal without a role?
Q2. Can a service principle exit without attaching to any scope/resource? If so what's the use of such independent service principle?
Q1. What's the use of a service principal without a role?
The parameter --skip-assignment skip assigning the service principal to the subscription. So to be precise, your question should be without an RBAC role, because there is another role named Administrator role, it will be mentioned below.
Some usages here for you to refer to, there are many usages mixed with the AD App, will not go into details here. If you want to learn about them, you can look into the Azure AD official doc.
1.The service principal can be assigned as an Administrator role in Azure AD, then it can do the things depend on the role permissions, e.g. create a user, delete a group. Via Azure AD powershell, Microsoft Graph API, Azure AD Graph API, or the AAD part of the Az powershell module.
2.The service principal can also calls the APIs and use the powershell above without Administrator role, but you need to give the application permission to it. The az ad sp create-for-rbac will create an AD App along with a service principal, in the AD App in the portal -> API permissions, you can add the permission and consent. Note, when we add permissions and consent in AD App, actually the permissions will be given to the service principal in your tenant, the service principal is an instance of the AD Application in a specific tenant.
Q2. Can a service principle exit without attaching to any scope/resource? If so what's the use of such independent service principle?
Yes, as mentioned above, it can do many things related to Azure AD, Graph API. Here is a doc about Application and service principal objects in Azure Active Directory, it will be really helpful for you to understand the service principal.
A1- you can use it to remove the need of secret keys in your apps. For example, rather than storing the Azure Storage access key, you can grant an identity (your app) to store / access data on Azure Storage.
A2-I think so, it will be a system-assigned managed identity which is a special kind of managed identity (service principal)
I am deploying a standard ASP.NET MVC application to an Azure App Service using a VSTS build and release definition. The VSTS instance and the target Azure subscription are on separate Azure accounts/subscriptions so we have create a Azure AD application and Service Principal account to authorize the deployment.
When adding the Service Principal account to the subscription, it wants us to assign a role.
What is the best and least privileged role that can be used to deploy the site?
When add Azure Resource Manager Service Endpoint, it mentions:
A new Azure Service Principal will be created and assigned with
"Contributor" role, having access to all the resources in the selected
subscription.
So, the Contributor role is better.
On the other hand, to configure Azure RM service endpoint, you must be a member of the Global Admin role in the directory. More information: Insufficient privileges to complete the operation.