Been looking for a while but couldn't find the answer. I've been using service principle on my azure devops to modify my azure infrastructure via piplines (proper permissions). I need to run some of the commands locally using powershell, for example delete some of my azure roles.
Is there a way to use my service principle's permissions via cli / powershell to achieve what I'm looking for? Cannot do it via Connect-Azure as my user account's role has insufficient permissions. I need to do it with service principle.
Yes, you can login to the Azure CLI with a Service Principal.
To sign in with a service principal, you need:
The URL or name associated with the service principal
The service principal password, or the X509 certificate used to create the service principal in PEM format
The tenant associated with the service principal, as either an .onmicrosoft.com domain or Azure object ID
az login --service-principal -u <app-id> -p <password-or-cert> --tenant <tenant>
https://learn.microsoft.com/en-us/cli/azure/authenticate-azure-cli#sign-in-with-a-service-principal
Related
I am testing an environment where I have the credentials of a service principal of an application. My next step is to identify the objects owned by the application or the resources that the app can access.
I could get similar details for an AD user through the cli command
ad signed-in-user list-owned-objects
Running the same command when signed-in with the credentials of the sp results in the following error
Resource not found for the segment 'me'.
My use-case is to enumerate the SP account to understand its access rights in the subscription. Can someone help me out with the right set of azure cli commands.
I tried to reproduce the same in my environment and got below results:
I created one service principal with Storage Blob Data Contributor role at storage account scope like below:
az ad sp create-for-rbac --role "Storage Blob Data Contributor" --name <spname> --scopes /subscriptions/<subID>/resourceGroups/<rgname>/providers/Microsoft.Storage/storageAccounts/<storaccname>
Now I logged in to Azure account successfully using above service principal credentials:
az login --service-principal -u appID -p password --tenant tenantID
When I ran the same command to get the resources that the app can access, I got same error as below:
az ad signed-in-user list-owned-objects
To list RBAC roles assigned to a service principal, you can make use of below command:
az role assignment list --assignee <service_principal_ID> --all
If your use case is to list all the resources/objects a service principal can access/own, currently there is no command available particularly for that.
To know more in detail, you can check below reference:
For a given Azure AD Service Principal, Get a list of the Azure Objects and Rights by AlfredoRevilla-MSFT
I am using Terraform cloud and I don't want to use permanent keys in it. So, is there any to create a temporary keys in Azure Cloud(like we can create in AWS).
When you are authenticating to Azure Cloud via Azure service principal, by default, the Az CLI command will get a password for this service principal with a one-year expiration date.
az ad sp create-for-rbac --role="Contributor" --scopes="/subscriptions/<subscription_id>"
from your comments, in fact you want to get this password to expire in a short time. You can use az ad app credential reset to append or overwrite an application's password or certificate credentials.
For example, reset the application password with the following Az CLI commands.
az ad app credential reset --id <appId> --password <sp_password> --end-date 2020-08-13T11:59:59+00:00
For more information, you could read the Relationship between application objects and service principals
By creating a ServicePrincipal in AzureAD you're also able to assign a LifetimePolicy (tokenLifetimePolicies). This way you're able to have an "end of life" for the token.
Here's also a short how to on creating a new ServicePrincipal.
Alternatevily you could use this new preview feature: Configurable token lifetimes in Microsoft identity platform (Preview).
As it is a preview feature you're not supposed to use it in production environments.
I am attempting to automate the registration of a new application in Azure Active Directory. Upon running the command in Azure CLI, it returns with the following error:
Insufficient privileges to complete the operation.
The command was run using a Service Principal which has Owner permissions at the Subscription level. When attempting to run other Azure AD commands (e.g. az ad app list), the same error is thrown. However, it works fine if we run commands relating to Azure API Manager (e.g. az apim list).
We have tried creating the Service Principal using both the Azure console (https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal) and CLI by running the following command but neither works.
az ad sp create-for-rbac --role Owner --name some-service-principal
Is there anything else required to perform this operation?
The Owner role you mention is part of Azure RBAC, which does not apply to Azure AD.
The Azure AD tenant is above the Azure subscriptions and has its own permissions.
You need to give the SP application permissions to MS Graph API / AAD Graph API (not sure which one the CLI is trying to use), or a directory role.
The first you give through API permissions on the app registration for the SP.
A directory role can be added through the Roles and administrators tab.
that happens because Azure AD and Azure subscription are completely unrelated in terms of permissions. You need Application Read\Write Azure AD permissions for your principal (user\service principal\application) to be able to carry out that task
https://learn.microsoft.com/en-us/graph/permissions-reference#application-resource-permissions
az ad app permission: https://learn.microsoft.com/en-us/cli/azure/ad/app/permission?view=azure-cli-latest#az-ad-app-permission-add
followed by az ad app grant: https://learn.microsoft.com/en-us/cli/azure/ad/app/permission?view=azure-cli-latest#az-ad-app-permission-grant
or you could do it using the portal, like the other answer suggests
I am trying to create a service principal from azure cli.
az login --service-principal -u servicePrincipalGuid -p spPassword --tenant tenantGuid
az ad sp create-for-rbac --skip-assignment
It works if i assign to the service principal Global administrator but it does not work with the Application Administration which according to the documentations should be sufficient.
I am wondering what roles/permissions are needed to be able to create a service principal without global administrator?
I can reproduce your issue, it is really weird, based on my knowledge, the Application administrator role should work.
The command az ad sp create-for-rbac --skip-assignment creates the app registration successfully, but it can't create the corresponding service principal. Even if I test with the command below to create service principal for the app.
az ad sp create --id '<object-id of the app registration>'
or powershell
New-AzureADServicePrincipal -AppId <object-id of the app registration>
I am wondering what roles/permissions are needed to be able to create a service principal without global administrator?
If you just want to let the command work without the global admin, you could add Application.ReadWrite.All permission of Azure Active Directory Graph like below, then it will work.
I have a multi-tenant application in azure and was looking to find a way to login using Azure CLI. So far I have been unsuccessful.
The following command works well with service principal but fails with application
azure login --service-principal -u <app-id> -p <password> --tenant <tenant-id>
Is it possible to use Azure AD application with Azure CLI?
No , service principal is the identity for the app and could be used to authenticate the app with its own credentials. So if you have an app that needs to access resources , you need to create a service principal for an Active Directory application, and the service principal has permissions on your subscription, then you can use the azure login command to authenticate the service principal.