I am configuring Harness Cost Management report for my Azure Dev subscription and getting the below error while creating the service principle.
When using this permission, the backing application of the service principal being created must in the local tenant
Used below command to create Service Principle.
az ad sp create --id 0211763d-24fb-4d63-865d-xxxxxxxxx
Here is the Harness link I am following for this setup
https://docs.harness.io/article/7idbmchsim-set-up-cost-visibility-for-azure
How can I resolve this issue?
To resolve the above issue ,You may refer the below workaround
Make sure that CCM has been enabled properly as shown in the given DOC.
After enabling CCM, it takes about 24 hours for the data to be
available for viewing and analysis.
Also make sure that you have the Application Administrator role assigned for your Azure AD and select the correct subscription where you need to create .
As you are using az ad sp create --id 0211763d-24fb-4d63-865d-xxxxxxxxx instead of that use below cmdlts to create Service principle .
az ad sp create --id 00000000-0000-0000-0000-000000000000
For more information please refer this Blogpost, & refer this SO THREAD for similar error.
Related
I am attempting to automate the registration of a new application in Azure Active Directory. Upon running the command in Azure CLI, it returns with the following error:
Insufficient privileges to complete the operation.
The command was run using a Service Principal which has Owner permissions at the Subscription level. When attempting to run other Azure AD commands (e.g. az ad app list), the same error is thrown. However, it works fine if we run commands relating to Azure API Manager (e.g. az apim list).
We have tried creating the Service Principal using both the Azure console (https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal) and CLI by running the following command but neither works.
az ad sp create-for-rbac --role Owner --name some-service-principal
Is there anything else required to perform this operation?
The Owner role you mention is part of Azure RBAC, which does not apply to Azure AD.
The Azure AD tenant is above the Azure subscriptions and has its own permissions.
You need to give the SP application permissions to MS Graph API / AAD Graph API (not sure which one the CLI is trying to use), or a directory role.
The first you give through API permissions on the app registration for the SP.
A directory role can be added through the Roles and administrators tab.
that happens because Azure AD and Azure subscription are completely unrelated in terms of permissions. You need Application Read\Write Azure AD permissions for your principal (user\service principal\application) to be able to carry out that task
https://learn.microsoft.com/en-us/graph/permissions-reference#application-resource-permissions
az ad app permission: https://learn.microsoft.com/en-us/cli/azure/ad/app/permission?view=azure-cli-latest#az-ad-app-permission-add
followed by az ad app grant: https://learn.microsoft.com/en-us/cli/azure/ad/app/permission?view=azure-cli-latest#az-ad-app-permission-grant
or you could do it using the portal, like the other answer suggests
I am using Azure app service api to view server details like worker process and region etc. for management purpose. After generating token from AuthenticationContext.AcquireTokenAsync method, I am requesting following URL for server details https://management.azure.com/subscriptions/<sub ID>/resourceGroups/<resource group name>/providers/Microsoft.Web/serverfarms/?api-version=2018-02-01
In the response I am getting AuthorizationFailed error code with the detail given bellow:
The client does not have authorization to perform action 'Microsoft.Web/serverfarms/read' over scope '/subscriptions/xxxxxxxx-xxxxxxx-xxxx/resourceGroups/xxxxxxxxxxx/providers/Microsoft.Web/serverfarms/xxxx' or the scope is invalid. If access was recently granted, please refresh your credentials.
But when I try the same verification using https://learn.microsoft.com/en-us/rest/api/appservice/appserviceenvironments/get portal where I can try the APIs for testing, the request is returning expected results.
So, is there any other way to authenticate or should I have to define some permissions to achieve the functionality?
The service principal you are using doesn't have rights within that tenant.
Tenants have subscriptions and service principals belong to tenants. Azure resource manager also exposes role based authorization for a given principal, which would give it rights on Azure resources. It appears the service principal doesn't have rights to read from that subscription.
Go to portal and find your subscription, click on Access Control (IAM) and then click on Add role assignment with correspond service principal which you use to acquire token.
After you have given successful permission, refresh and try again.
I had the same error while running,
az aks get-credentials --resource-group myResourceGroup --name myAKSCluster
I did this shortly after az login.
Problem was I haven't set my subscription properly so what I had to do was run,
az account set --subscription your-subscription-id
After that az aks get-credentials worked fine, the error was gone and you will get an output like,
Merged "myAKSCluster" as current context in C:\Users\UserName\.kube\config
I had the same problem. Initially, I went ahead and added to my user the "Web Plan Contributor" role, as it is the one that should handle those things. Nothing changed - I still had this error.
What turned actual problem turned out to be is a wrong resource group... Turns out I copied some old script where WebAppPlans were in separate RG, and I was searching the app plan there. Completely missleading error. I guess it will bring up the same error message even if the App Plan simply doesn't exist.
I have a service principal that I use for automation. It has the Directory.Read.All permission in Microsoft Graph for our Azure Active Directory.
It cannot run the Set-AzSqlServerActiveDirectoryAdministrator command. The error I get is:
Cannot find the Azure Active Directory object 'My-AD-Group'.
Please make sure that the user or group you are authorizing is
registered in the current subscription's Azure Active directory.
If I run this same command as myself, it runs just fine.
Clearly my Service Principal needs more than the Directory.Read.All permission. Yet I cannot find any documentation that lists exactly what API Permissions my Service Principal would need to successfully run this command.
Does anyone know how I can discover exactly what API permissions would be required to run a particular Azure PowerShell command that involves accessing Azure Active Directory?
As an aside, I'm not tied to PowerShell. I cannot get this command to work with the az cli either. I'm open to methods using az that would get me this answer.
You need to give the Directory.Read.All(Application permission) of Azure AD Graph API not the Microsoft Graph API. Also make sure the service principal has the permission of the sql server(e.g. the service principal is the Owner of the subscription or the sql server), then it will work fine.
If you want to add the service principal as a role of the subscription or sql server, navigate to the subscription or the sql server in the portal -> Access control (IAM) -> Add -> Add role assignment -> search your service principal with name and add it as a role(e.g. Owner) -> Save, more details here.
Set-AzSqlServerActiveDirectoryAdministrator -ResourceGroupName "<ResourceGroupName>" -ServerName "<ServerName>" -DisplayName "group1" -ObjectId "64d1b8xxxxx4ffbd"
Does anyone know how I can discover exactly what API permissions would be required to run a particular Azure PowerShell command that involves accessing Azure Active Directory?
The Azure PowerShell essentially calls the different APIs, to get the permissions of the APIs, you could catch the request via Fiddler, then look into the official API doc for the permissions.
Three topics in Azure AD I'm constantly confused on:
Service Principal
Enterprise Application
App Registration
What is the difference?
I can easily go into "App Registrations" and register an "app" while that "app" doesn't even need to exist. All it requires is a URL which can also be totally random. This app registration then becomes a service principal which you can use to connect to Azure to from PowerShell for instance? Why? I don't understand this.
Please advise, and as you can probably tell, I'm new to Azure :)
When you write an application as a developer, you will register it in a given tenant, and will specify it's properties. This happens in the App Registration blade in Azure AD.
I'll dare an analogy by saying that the app is like a "class" in object oriented languages (with some static properties, which will be common to all instances)
By registering the application, in that given tenant if you use the portal this also automatically created a service principal for this application, which you can find in the "Enterprise Applications" blade of the Azure portal.
To continue with my analogy the portal creates a kind of instance of that class. This service principal contains information which are related to both the application and the tenants and its users. For instance it contain the activity of the users, what they have consented to in particular.
Now if during the app registration / app management, you decide that your application is "multi-tenant", then, when the application is accessed in other tenants, another service principal (remember this instance) will be created in that tenant.
BTW, you go to the new App Registration (Preview) blade in the azure portal, when you create an application, you can now see nicely grouped by categories all the properties of the app (all the properties which are common to all the service principal). Now if, in the "Overview" tab of the app, you click on the link "Managed application in local directory", you'll get to the corresponding service principal in the same tenant (where you'll see which users have accessed the app, when, where you can grant admin consent - if you are tenant admin -, and see the activity and the audit logs)
This is indeed confusing, and you are not the only one who feel that way. I guess this whole application/service principal is designed from the perspective of web applications, which can be scaled across multiple Azure AD tenants. For someone, who just wants to create some small scripts which connects to Azure services, understanding this whole thing is too much. Unfortunately there is no way around it. Azure Portal is also little bit confusing for this part, it only started to make some sense when I used Azure CLI for it.
To access Azure resources programmatically, we need to use Service Principal credentials. Service Principal is actually an instance of application, so we need to create an Application(App Registration) first too. If App Registration is added from portal, Service Principal is created automatically. With Azure CLI creating Application and Service Principal are two distinct steps.
Tricky part is, credentials has to be obtained from Application(App Registrations -> select app -> Certificates & Secrets). While the role assignment for the Service Principal has to be done from Subscriptions(select subscription -> Access control(IAM) -> Role Assignments) or any other resource which supports IAM. Same process using CLI makes more sense.
Using Azure CLI
Register/create app
$ az ad app create --display-name "displayName"
Create service principal for the app just created
$ az ad sp create --id "applicationId"
Set application credentials
$ az ad app credential reset --credential-description "some_description" --id "applicationId"
OR
$ az ad sp credential reset --credential-description "some_description" --name "applicationDisplayName" --append
Assign roles to Service Principal to access resources in Azure.
$ az role assignment create --assignee "service principal object id/ApplicationId" --role role_name
And if you don't care about all this application/service principal stuff and just want to use Service Principal for accessing Azure resources, there is a shortcut.
$ az ad sp create-for-rbac --name "service_principal_name"
This will create application, service principal, set credentials on app, assign Contributor role at subscription scope to service principal and print the credentials !!
Since the name of the Application(in App Registrations) and Service Principal(Enterprise/All Applications) is same, we need to look carefully at Object ID and Application ID to find out which is which. On the top of that, Service Principals are listed as Enterprise Applications/All Applications in Azure Portal.
'Enterprise Applications' is just a category of Service Principal which satisfies two conditions.
Service Principal and Application registration should be in same tenant.
Service Principal should have tag 'WindowsAzureActiveDirectoryIntegratedApp'. If this tag is removed from Service Principal, it won't show under Enterprise Applications, but still be listed under 'All Applications'. ( Do not try in production!! )
Note that service principals created from cli did not appear in 'Enterprise Applications' and I had to add the tag manually.
$ az ad sp update --id "service_principal_object_id" --add tags WindowsAzureActiveDirectoryIntegratedApp
I looked for multiple solutions but could not find a proper solution for the creation of Azure AD application using PowerShell. I'm not looking to create an Azure AD itself but an application inside it.
Yes, you can do it through PowerShell. Please look at New-AzureADApplication Cmdlet: https://msdn.microsoft.com/en-us/library/dn986794.aspx.
Yes, you can use the Azure ARM commandlets:
https://msdn.microsoft.com/en-us/library/dn757692.aspx
You should look specifically at:
New-AzureADApplication - https://msdn.microsoft.com/en-us/library/mt603747.aspx
New-AzureADServicePrincipal - https://msdn.microsoft.com/en-us/library/mt603780.aspx
Here's an example of how you'd run them:
Login-AzureRmAccount
$app = New-AzureRmADApplication –DisplayName "My App" – HomePage "http://myapp" –IdentifierUris "http://myapp"
New-AzureRmADServicePrincipal –ApplicationId $app.ApplicationId
Note that the "classic" Azure Portal (manage.windowsazure.com) only shows "Service Principals" in the Applications tab. So if you only create the AD Application without creating the Service Principal, you won't see an entry in the portal.
You can find more info about Application Principals and Service Principals here: https://azure.microsoft.com/en-us/documentation/articles/active-directory-application-objects/
Key points from that article: Application object: This object represents a definition for your app. You can find a detailed description of its properties in the Application Object section below.
ServicePrincipal object: This object represents an instance of your app in your directory tenant. You can apply policies to ServicePrincipal objects, including assigning permissions to the ServicePrincipal that allow the app to read your tenant’s directory data. Whenever you change your Application object, the changes are also applied to the associated ServicePrincipal object in your tenant.