My Azure account is under company's AD, and once i tried to create an App using Azure Devops, when trying to create New Service connection, this error pops up,
What permission do my account needs to perform this action ?
Thanks in advance.
You need the "Creator" permission:
Members of this role can create the service connection in the project. Contributors are added as members by default
Please find more information in the Microsoft documentation User permissions
Microsoft documentation for Manage service connections
The problem lies in not having privileges to create app registrations in the Azure Active Directory tenant. There are several roles that have permission for this operation. According to the docs it also depends on whether non-admin users can create app registrations.
Some Built-in roles that can be used are Application Administrator
Users in this role can create and manage all aspects of enterprise applications, application registrations, and application proxy settings. Note that users assigned to this role are not added as owners when creating new application registrations or enterprise applications.
or Application Developer
Users in this role can create application registrations when the "Users can register applications" setting is set to No. This role also grants permission to consent on one's own behalf when the "Users can consent to apps accessing company data on their behalf" setting is set to No. Users assigned to this role are added as owners when creating new application registrations.
Related
From what I read, AppRoleAssignment.ReadWrite.All should allow application to use Microsoft Graph SDK to do app role management programmatically. But how do I grant permission such that the application principal can only allow to manage it's own role but not other enterprise application?
The goal is to build a role management page in the web application to allow designated users to add/remove user to an app role for the same application without granting them access to the Azure portal.
Unfortunately, it's impossible currently.
Although we can add the user as the admin of the application principal on Azure portal and then we can do anything to the application principal on Azure portal, calling Microsoft Graph is different. It has to rely on the permission of Azure AD app.
But the Microsoft Graph permission AppRoleAssignment.ReadWrite.All is for all the application principals.
If you click on "F12" to open the developer tool of Chrome, you will find that the Azure Portal is using another API to finish the operation.
I tried to add my user as the admin of only one application principal through Powershell, but it still doesn't work for Microsoft Graph.
You can go to Microsoft Graph user voice to make a request to get the attention of the product group.
I found out that you need to have owner rights of your subscription to add a Run as account in an Automation account. But as I search in my services I can see that my role inside the subscription is as an owner. Still i can't create a run as account because i don't have enough permissions ?
Is it enough to only have the owner rights of the subscriptions or do I need any more permissions ?
The issue was caused by you do not have the permission to create the AAD App.
If you want to configure Run As accounts, you also need to have the permission to create the AAD App.
For more details about the permissions, refer to this link.
Except for the permissions equivalent to the Owner role for Microsoft. Automation resources, you need to check these:
In the Azure portal, under Azure Active Directory > MANAGE > App registrations, if App registrations is set to Yes, non-admin users in your Azure AD tenant can register Active Directory applications. If App registrations is set to No, the user who performs this action must be a global administrator in Azure AD.
Ref: https://learn.microsoft.com/en-us/azure/automation/automation-create-standalone-account#permissions-required-to-create-an-automation-account
We are using VSTS/Azure DevOps to build and deploy our web services to Azure.
In the release step we use the Azure CLI build task to set up the environment for the web service. The build task uses a Service Connection to be authorized to do these actions.
The build task can create web services and deployment slots without issue, but when I try to instruct it to add a new reply url to the Azure AD application the web app uses to authenticate users, i see the following:
az ad app update --id 3e5a96e9-7311-4f92-869b-fbb5bbe8e41f --reply-urls http://mytestapp.azurewebsites.net
ERROR: Insufficient privileges to complete the operation.
The service connection used is an Azure RM service connection using a Service Principal. Is this correct? I'm guessing there is there a permission I need to set on the service principal, but which one?
Jayendran is correct. The user must be a member of Global Admin role in the directory because the Reply URL is added in the app registration.
You may also need to grant permissions to the app itself.
https://learn.microsoft.com/en-us/azure/active-directory/develop/quickstart-v1-integrate-apps-with-azure-ad
If you're looking to follow the least privileges principle and not assign the highest possible privilege available (as per your comment), I see 3 possible options that could work for you -
Owner for only a specific application (and NOT the Owner/Global Administrator for entire Azure AD)
You can add the user as Owner for only the specific application, which they need to manage (in your case, change reply URL's for).
Pro: Obviously the good thing about this approach is that this user gets to manage the app registration for only this particular application and none of the others in your Azure AD.
How: Go to "App Registrations" in Azure AD and navigate to the specific application. Now click on "Settings" and select "Owners"
Application Administrator Role
This one is a little more generic and a higher privilege in comparison to single application owner, as it gives the user access to manage application registrations for all applications.
Pro: Role is specific to only managing application registrations. It helps in a scenario where all applications need to be managed by this user.
How: Go to "Users" in your Azure AD and then select the specific user. Now go to "Directory Role" and add "Application Administrator Role"
Application Developer Role
This one is very similar to option 2 i.e. "Application administrator". Difference being that "Application developer" gets permissions for only those applications which they are developing, so the registration was done by them.
Pro: Good for user that is about to create and manage registrations for multiple applications.
How: Very similar to option 2 above.
More information about all the available roles and granular permissions that are used by these roles in Microsoft Docs:
Available Roles
I've deployed an asp.net web forms application to an app service resource. I've turned on the app service authentication and set it to Log in With Azure Active Directory.
I've created a guest user account and verified that the user can log in to my application. That user is also able to log into the azure portal, and although the user doesn't appear to be able to do anything in the portal, they can still get to the portal and see things. How can I create users that can access my app service but not the azure itself. And if I have multiple app services, how can I create users that are silo'd to specific app services?
There is no way to prevent a user which has been your directory to sign in Azure portal. Onece you invited the user to your directory, the user could also login azure portal. But I also want to make clear that the user can not do anything in your directory and Azure resources if you don't give him/her permissions.
And if I have multiple app services, how can I create users that are
silo'd to specific app services?
Well, this can be resolved. Since each Web App liknes to one service principal, you need to set User assignment required to be Yes in the Properties for that service principal and only assigned users (Add users in Users and groups) can access to login access to this app.
I created a Azure Active Directory via the Azure portal. Then, I registered an app in it. I can configure it, add permissions and the like via the azure portal. But the same app I created, I don't see on https://apps.dev.microsoft.com/
Shouldn't I be able to see and configure the app I made in AD at that portal, too?
The apps that appear in the Application Registration Portal are the ones where you are explicitly marked as an owner of the application. This is in contrast to the apps that appear in the Azure Portal which are all the applications registered in your tenant, independent of whether or not your are an owner.
If you are a normal user, and you create an application in the Azure Portal, you should see your application appear in a section called "Azure AD only applications"
Here is the owner information for "Email Scraper" from the Azure Portal.
However, if you are a Tenant Administrator and you create an application, you will not be marked as an owner of the application. Implicitly, Tenant Administrators are owners of all objects in the directory, and to reduce the object quota generated by admins, these explicit links are not created.
Here is an example of an app I created where I am the Tenant Administrator:
Therefore, you probably do not see your application in the App Registration Portal because you are not marked as an Owner of the application, probably because you are an Administrator who created the app, or you did not create the app to begin with. You can remedy this by simply adding yourself to the owner list in the Azure Portal.
Let me know if this helps!