My App Registration - let's call it CHILD - has two owners. A human owner and another App Registration (here PARENT) as a second owner.
My goal is that both entities (human owner and PARENT App Registration) can reset the CHILD App Registration client secret. Whereas this works for the human owner, it does not work for the PARENT App Registration via CLI:
$ az ad app credential reset --id xxxxxxxx-062c-4251-86e7-xxxxxxxxxxxx --append
Insufficient privileges to complete the operation.
I've double-checked that I'm really logged in as the PARENT App Registration into the az cli.
Is there another condition I'm overlooking? Is the App Registration ownership alone a sufficient requirement for client secret rotation?
There is a blade in the Azure Portal under Azure Active Directory > App Registrations > [Your app] > Roles and administrators that shows a list of the roles that can manage the app. This includes also managing the secrets I think.
By default the Cloud application administrator role is listed.
Membership of the Cloud application administrator-role can be managed through Azure Active Directory > Roles and administrators.
Related
I currently create a service principal using the Azure CLI:
az ad sp create-for-rbac --name foo --role Contributor
I need the service principal to have enough permissions to create/modify/delete various Azure AD resources including Applications, other Service Principals and Service Principal Passwords. When I use the above service principal to create other service principals, I currently get 403 Forbidden errors.
I have also tried using the 'Owner' and 'User Access Administrator' roles but these still give me a 403 error. What do I need to add to the above Azure CLI command or what additional role assignments do I need to add?
I'd like to use the service principal in a Pulumi program with their Azure AD provider (based on Terraform's Azure AD provider). See:
https://github.com/pulumi/pulumi-azuread/issues/246
In order for a service principal to be able to manage applications it requires API permissions. There is no such thing as a scope, because the API permissions are against the Azure AD API. Scopes are only applicable when it is related to the Resource Manager API. These are not the same thing.
When you go to application registrations in Azure AD, you can find the application, this is also where you will be able to assign the API permissions and grant consent.
You will do this either on the Azure Active Directory Graph, or on the Microsoft Graph. In my experience only the permissions assigned with the Azure Active Directory Graph worked.
Application.ReadWrite.All
Application
Read and write all applications
Application.ReadWrite.OwnedBy
Application
Manage apps that this app creates or owns
You will find these two application permissions that you could use. The first you can use manage all applications.
The az cli command you are using is to create a role assignment. This is RBAC on the subscription, it has nothing to do with Azure AD aside from the service principal being an AAD resource.
You need to add the scope of this service principal and also change the Azure role of this Service Principal to 'User Access Administrator' to enable you to modify resources in Azure AD. Also, 'User Access Administrator' role will give the service principal the required permissions for that Azure role to assign RBAC permissions. Please refer the below command for more details: -
az ad sp create-for-rbac --name foo --role User Access Administrator --scopes /subscriptions/{subscriptionId}/resourceGroups/{resourceGroup1}
Also, ensure that the user ID through which you are creating this service principal and assigning the role to it has permissions to register and create applications in Azure AD. If not, then please assign that ID 'Application Administrator' Azure AD role or you should be allowed to create and register applications by an administrator even though being a 'User'.
You need to give your service principal "App admin" permissions. This allows you to create application registrations and also set their credentials. And it does not give it rights to do anything else such as manage users and groups. If your intent is to include those, you need to add additional roles to the service principal.
https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#application-administrator
Im working on an Azure function that tries to get and update a client secret for an Azure app registration. Function runs as a managed identity, and tries to execute Azure powershell cmdlet New-AzADAppCredential, Remove-AzADAppCredential, and Get-AzADAppCredential.
But, upon the execution Im getting an error Insufficient privileges to complete the operation.
I tried assigning my function a Contributor role, under Azure role assignments, and I also tried giving a delegated permissions Directory.ReadWrite.All for an app registration that the function is trying to access. However, Im still seeing the same error.
I would like to know what permissions are necessary for a managed identity azure function to be able to manage an app registration client secrets.
Thanks!
The RBAC roles are used to manage resources in azure subscriptions, in this case, what you need is the permission in Azure AD, not in the subscription.
To fix the issue, the easiest way is to give the Application Administrator to your managed identity.
Navigate to the azure portal -> Azure Active Directory -> Roles and administrators -> Application Administrator -> add the managed identity to the role like below.
The Contributor role allows the assignee to manage and access the resource, but as you have discovered that does not include managing access. Similarly, Directory.ReadWrite.All is for user data not RBAC. There are two roles for RBAC- Owner and User Access Administrator. Owner is Contributor and UA Admin only allows access control.
I am attempting to automate the registration of a new application in Azure Active Directory. Upon running the command in Azure CLI, it returns with the following error:
Insufficient privileges to complete the operation.
The command was run using a Service Principal which has Owner permissions at the Subscription level. When attempting to run other Azure AD commands (e.g. az ad app list), the same error is thrown. However, it works fine if we run commands relating to Azure API Manager (e.g. az apim list).
We have tried creating the Service Principal using both the Azure console (https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal) and CLI by running the following command but neither works.
az ad sp create-for-rbac --role Owner --name some-service-principal
Is there anything else required to perform this operation?
The Owner role you mention is part of Azure RBAC, which does not apply to Azure AD.
The Azure AD tenant is above the Azure subscriptions and has its own permissions.
You need to give the SP application permissions to MS Graph API / AAD Graph API (not sure which one the CLI is trying to use), or a directory role.
The first you give through API permissions on the app registration for the SP.
A directory role can be added through the Roles and administrators tab.
that happens because Azure AD and Azure subscription are completely unrelated in terms of permissions. You need Application Read\Write Azure AD permissions for your principal (user\service principal\application) to be able to carry out that task
https://learn.microsoft.com/en-us/graph/permissions-reference#application-resource-permissions
az ad app permission: https://learn.microsoft.com/en-us/cli/azure/ad/app/permission?view=azure-cli-latest#az-ad-app-permission-add
followed by az ad app grant: https://learn.microsoft.com/en-us/cli/azure/ad/app/permission?view=azure-cli-latest#az-ad-app-permission-grant
or you could do it using the portal, like the other answer suggests
I'm using service principal as login item for azure cli. The role of this service principal is "owner".
I'm trying to run:
az ad app list
and
az ad app create --display-name "Test application 2"
and getting error:
Directory permission is needed for the current user to register the
application. For how to configure, please refer
'https://learn.microsoft.com/en-us/azure/azure-resource-manager/resource-group-create-service-principal-portal'.
Original error: Insufficient privileges to complete the operation.
What role should I assign to this service principal?
Your service principal is missing permissions related to reading and writing applications in Azure AD.
Go to your Azure AD, "Registered applications"
Find your service principal (may need to look at all applications instead of just my)
Add required permissions as shown below:
Once you've selected the right permissions and done. Please click on "Grant Permissions" because these permissions need Admin consent.
Three topics in Azure AD I'm constantly confused on:
Service Principal
Enterprise Application
App Registration
What is the difference?
I can easily go into "App Registrations" and register an "app" while that "app" doesn't even need to exist. All it requires is a URL which can also be totally random. This app registration then becomes a service principal which you can use to connect to Azure to from PowerShell for instance? Why? I don't understand this.
Please advise, and as you can probably tell, I'm new to Azure :)
When you write an application as a developer, you will register it in a given tenant, and will specify it's properties. This happens in the App Registration blade in Azure AD.
I'll dare an analogy by saying that the app is like a "class" in object oriented languages (with some static properties, which will be common to all instances)
By registering the application, in that given tenant if you use the portal this also automatically created a service principal for this application, which you can find in the "Enterprise Applications" blade of the Azure portal.
To continue with my analogy the portal creates a kind of instance of that class. This service principal contains information which are related to both the application and the tenants and its users. For instance it contain the activity of the users, what they have consented to in particular.
Now if during the app registration / app management, you decide that your application is "multi-tenant", then, when the application is accessed in other tenants, another service principal (remember this instance) will be created in that tenant.
BTW, you go to the new App Registration (Preview) blade in the azure portal, when you create an application, you can now see nicely grouped by categories all the properties of the app (all the properties which are common to all the service principal). Now if, in the "Overview" tab of the app, you click on the link "Managed application in local directory", you'll get to the corresponding service principal in the same tenant (where you'll see which users have accessed the app, when, where you can grant admin consent - if you are tenant admin -, and see the activity and the audit logs)
This is indeed confusing, and you are not the only one who feel that way. I guess this whole application/service principal is designed from the perspective of web applications, which can be scaled across multiple Azure AD tenants. For someone, who just wants to create some small scripts which connects to Azure services, understanding this whole thing is too much. Unfortunately there is no way around it. Azure Portal is also little bit confusing for this part, it only started to make some sense when I used Azure CLI for it.
To access Azure resources programmatically, we need to use Service Principal credentials. Service Principal is actually an instance of application, so we need to create an Application(App Registration) first too. If App Registration is added from portal, Service Principal is created automatically. With Azure CLI creating Application and Service Principal are two distinct steps.
Tricky part is, credentials has to be obtained from Application(App Registrations -> select app -> Certificates & Secrets). While the role assignment for the Service Principal has to be done from Subscriptions(select subscription -> Access control(IAM) -> Role Assignments) or any other resource which supports IAM. Same process using CLI makes more sense.
Using Azure CLI
Register/create app
$ az ad app create --display-name "displayName"
Create service principal for the app just created
$ az ad sp create --id "applicationId"
Set application credentials
$ az ad app credential reset --credential-description "some_description" --id "applicationId"
OR
$ az ad sp credential reset --credential-description "some_description" --name "applicationDisplayName" --append
Assign roles to Service Principal to access resources in Azure.
$ az role assignment create --assignee "service principal object id/ApplicationId" --role role_name
And if you don't care about all this application/service principal stuff and just want to use Service Principal for accessing Azure resources, there is a shortcut.
$ az ad sp create-for-rbac --name "service_principal_name"
This will create application, service principal, set credentials on app, assign Contributor role at subscription scope to service principal and print the credentials !!
Since the name of the Application(in App Registrations) and Service Principal(Enterprise/All Applications) is same, we need to look carefully at Object ID and Application ID to find out which is which. On the top of that, Service Principals are listed as Enterprise Applications/All Applications in Azure Portal.
'Enterprise Applications' is just a category of Service Principal which satisfies two conditions.
Service Principal and Application registration should be in same tenant.
Service Principal should have tag 'WindowsAzureActiveDirectoryIntegratedApp'. If this tag is removed from Service Principal, it won't show under Enterprise Applications, but still be listed under 'All Applications'. ( Do not try in production!! )
Note that service principals created from cli did not appear in 'Enterprise Applications' and I had to add the tag manually.
$ az ad sp update --id "service_principal_object_id" --add tags WindowsAzureActiveDirectoryIntegratedApp