I am using the following Az Cli command to create an Azure AD B2C application:
az ad app create --display-name 'mytestapplication'
What I'd then also like to do in the process is grant some permissions, as per the Azure AD Microsoft Graph API permissions list. Below are two such examples of the permissions I'd like to grant. I'm however struggling to find any Az Cli examples or references that can enable me achieve this. Any suggestions?
User.ReadWrite.All
Application.ReadWrite.All
In order to grant a specific permission for an app registration , you need to pass those permissions in manifest.json file with a particular scope.
You can use the below cmdlet to create a app registration & to assign the specific azure-ad-microsoft-graph-api-permissions for that app registration.
az login -tenant [myb2ctenant.onmicrosoft.com](http://myb2ctenant.onmicrosoft.com/) --allow-no-subscriptions (this cmd helped me to login to B2C without subscription)
az ad app create --display-name 'mytestapplication' --required-resource-accesses #manifest.json
manifest.json file:
{
"requiredResourceAccess": [
{
"resourceAppId": "00000003-0000-0000-c000-000000000000",
"resourceAccess": [
{
"id": "204e0828-b5ca-4ad8-b9f3-f32a958e7cc4"(# for Application.ReadWrite.All),
"type": "Scope"
},
{
"id": "1bfefb4e-e0b5-418b-a88f-73c46d2cc8e9(# for User.ReadWrite.All)",
"type": "Role"
}
]
}
]
}
Here is the output screenshot for reference:
For more information about app registration creation & Assigning permissions for a native app registration cmdlets you can refer this documentation.
Related
Can anyone help me how to write a CLI script to Enable Function Application Authentication to use Microsoft Azure AD ID Provider?
Thanks,
We have tested in our local environment , using the below cmdlets we are able to create Microsoft identity provider authentication for the function app & these cmdlets are working fine.
Below are the steps to be followed:
You Need to create a app registration in AAD & add the required permissions to that app registration using the below cmdlet.
az ad app create --display-name <NameofappRegistration> --password <clientsecret> --reply-urls https://<functionappName>.net/.auth/login/aad/callback --required-resource-accesses #manifest.json
The below resource access will create user.read permission to that app registration
how to declare permission in manifest.json file :
"requiredResourceAccess": [
{
"resourceAppId": "00000003-0000-0000-c000-000000000000",
"resourceAccess": [
{
"id": "e1fe6dd8-ba31-4d61-89e7-88639da4683d",
"type": "Scope"
}
]
}
]
You need to add identifier-uris/application uri for that app registration.
az ad app update --id <appId/clientId> --identifier-uris api://<clientId>
Creating the webapp authentication and authorization of the Microsoft identity provider for the function app to that app registration using the below cmdlet
az webapp auth microsoft update -n <functionAppName> -g <ResourceGroupName> --client-id <appRegistrationClientId> --client-secret <appresgistrationPassword> --tenant-id <TenantID>
Sample Output for reference post running the above cmdlets:
Here are the reference CLI cmdlet documentation for creation of Microsoft auth for a webapp & for app registration
I want to assign role Things.Reead.All, created in my app registration to a managed identity.
The app registration SP object id is 8055e1eb-0000-0000-9b77-00000000000
The Role definition looks like this
"appRoles": [
{
"allowedMemberTypes": [
"Application"
],
"description": "Allow the application to read all things as itself.",
"displayName": "Read all things",
"id": "86a914fa-a862-4962-9975-000000000000",
"isEnabled": true,
"lang": null,
"origin": "Application",
"value": "Things.Read.All"
}
The only thing known about a system assigned managed identity is its object id, say
aad300-0872-0000-811d-00000000000
and I want to allow it to call the application 8055e1eb-0000-0000-9b77-00000000000 that expects to see the Role in access token.
I know I have to use the following api to do this.
https://graph.microsoft.com/v1.0/servicePrincipals/8055e1eb-0000-0000-9b77-00000000000/appRoleAssignedTo
{
"principalId": "aad300-0872-0000-811d-00000000000",
"resourceId": "8055e1eb-0000-0000-9b77-00000000000",
"appRoleId": "86a914fa-a862-4962-9975-000000000000"
}
I have wide but controlled access in my tenant. When I acquire a token from
az account get-access-token --resource https://graph.microsoft.com
and call the above, I get
"code": "Authorization_RequestDenied",
"message": "Insufficient privileges to complete the operation.",
What I need to figure out is the exact privilege that is needed to make this call.
As you did not answer my comment, I can just give you my own solution which used the service principal to login the azure cli, it works for me.
Please follow the steps below.
1.Create a new App Registration in azure ad, then get values for signing in and create a new application secret.
2.Navigate to the API permissions of the App, add the Application permission(not Delegated permission) Directory.ReadWrite.All of Microsoft Graph, don't forget to click the Grant admin consent for xxx button at last.
Note: From the doc, the AppRoleAssignment.ReadWrite.All permission is enough, but per my test, it will not work, not sure if it is a bug, I have decoded the token, the token has the AppRoleAssignment.ReadWrite.All permission.
3.In azure cli, run the commands below to get the token.
az account clear
az login --service-principal --allow-no-subscriptions --username '<application-id>' --password '<application secret>' --tenant '<tenant-id>'
az account get-access-token --resource https://graph.microsoft.com
4.I test the token to call the api - Grant an appRoleAssignment for a service principal to grant the app role for the system-assigned identity of my funtion app,it works fine.
Check it in the portal:
I'm automating an app setup and having registered an applicatioin with az ad app create --app-roles with the manifest:
[{
"allowedMemberTypes": [
"User",
"Application"
],
"description": "Read items",
"displayName": "Reader",
"isEnabled": "true",
"value": "items/r"
}]
I'm trying to figure a way to assign above mentioned Reader to a principal without PowerShell's New-AzureADUserAppRoleAssignment and coming up empty. I'd take ARM template, .NET SDK or az CLI way of doing it, but none seem to support it.
Not interested in the portal/ui as I'm trying to script this, any ideas?
Just use az cli rest to assign a custom app role to a principal via Azure AD Graph Rest API :
az rest --method post --uri "https://graph.windows.net/<your tenant ID>/servicePrincipals/<your principle object Id>/appRoleAssignments?api-version=1.6" --body "{\"id\":\"<your custom role app ID>\",\"principalId\":\"<your principle object Id>\",\"resourceId\":\"<your app object id>\"}" --headers "Authorization=Bearer <access token>"
You can get access token via az account get access token :
az account get-access-token --resource "https://graph.windows.net"
Test request on Azure cli :
Result, as you can see the role has been assigned to principle successfully :
I am trying to troubleshoot why certain automation tasks don't work with a Service Principal I've created, most especially any tasks involving Azure Active Directory. The Azure Portal seems to clearly show that the Service Principal has been granted the Microsoft.Graph Directory.Read.All API Permission. The portal also shows that this Service Principal has the User.Read permission as well.
However, when I run az ad app permission list-grants for the Service Principal, it only lists User.Read. This makes me wonder whether the Directory.Read.All permission is actually present. And yes, the portal clearly shows that Directory.Read.All permission has been granted.
How can I confirm that my Service Principal actually does have the Directory.Read.All API Permission?
az ad app permission list-grants --id db7a66b4-06ad-4412-9bbc-73cb34f96ce2 --show-resource-name
[
{
"clientId": "01b359a2-f452-43c6-b290-e5ea1b359f38",
"consentType": "AllPrincipals",
"expiryTime": "2019-12-08T17:07:04.550141",
"objectId": "olmzAVL0xkOykOXqGzWfOAvNygY8CKVIummKcmVpwq8",
"odatatype": null,
"principalId": null,
"resourceDisplayName": "Microsoft Graph",
"resourceId": "06cacd0b-083c-48a5-ba69-8a726569c2af",
"scope": "User.Read",
"startTime": "0001-01-01T00:00:00"
}
]
And a crude recreation of what I see in the portal for this Service Principal under Azure Active Directory > App Registrations > (Service Principal Name) > API Permissions:
API/Permissions name Type Admin Consent Required
-------------------- ----------- -----------------------------------
Microsoft Graph (2)
Directory.Read.All Application Yes <green check> Granted for MyOrg
User.Read Delegated <green check> Granted for MyOrg
As you have found, the reason is the Azure CLI command az ad app permissions list-grants just list the delegated permissions.
If you also want to get the application permissions granted to the service principal,
currently it is not supported by the Azure CLI and Az powershell module, you need to use AzureAD powershell module.
Try the script as below, it writes output the API name and corresponding permission.
Note the ObjectId in the first line is the ObjectId of your service principal, not the AD App(App registration), you can find it in the Enterprise applications in the portal(filter with All applications).
$apppermissions = Get-AzureADServiceAppRoleAssignedTo -ObjectId <ObjectId of your service principal>
foreach($item in $apppermissions){
$item.ResourceDisplayName
(Get-AzureADServicePrincipal -ObjectId $item.ResourceId).AppRoles | Where-Object {$_.Id -eq $item.Id}
}
The permissions in the App registration in the portal:
Here is a similar issue, you can also take a look.
I finally figured this out, and it was less than obvious.
az ad app permissions list-grants lists oauth2 permissions. In other words, delegated permissions.
My Service Principal's Directory.Read.All permission is an application permission. That means it's a permission my Service Principal has in its own right without needing another user's authentication token.
I'm still trying to figure out how to list the Application permissions using the new az commands and/or the new Get-Az PowerShell modules. If I find out how I'll update this answer.
I found out you can get that output with az cli but by using the rest command like this:
az rest --method get --url https://graph.microsoft.com/v1.0/servicePrincipals/{YOUR_SERVICE_PRINCIPAL_ID}/appRoleAssignments
When I register an application of type Web App/API in Azure Active Directory (Azure AD), I can add Users and Groups and assign pre-defined application roles to the application in the tenant's Enterprise Applications. However, there is no provision to add Users and Groups for an application of type Native.
Is it possible to add Users and Groups to a native application, and set them with application specific roles via PowerShell or Azure CLI?
As you noticed Users and Groups is hidden in the Enterprise Applications blade in the case of native applications and I believe that the reason is that you don't usually configure role assignments in the native application but instead you do it in the WebApp/WebAPI (that the native application is consuming).
Anyway yes you can configure application roles for a native application. You can do it but editing the manifest and adding the appRole there (the value property will appear in the role claim). Example:
"appRoles": [
{
"allowedMemberTypes": [
"Application",
"User"
],
"displayName": "ReadOnly",
"id": "9cc5ee76-3d7d-4060-8b7f-e734f3917e71",
"isEnabled": true,
"description": "ReadOnly roles have limited query access",
"value": "ReadOnlyUser"
}
]
Then you can add an user to that role by using Powershell:
New-AzureADUserAppRoleAssignment -ObjectId <user's object ID> -PrincipalId <user's object ID> -ResourceId <native app service principal ID> -Id <role ID as it is in the manifest>
Then if you get a token for this application and for that user, you should see the role claim:
"roles": [
"ReadOnlyUser"
]