Assign contributor role to application using az cli - azure

I am trying to assign contributor to app using following command:
az ad sp create-for-rbac -n "Terraform Cloud" --role Contributor --scopes /subscriptions/<id> --sdk-auth
I get following issue:
Changing "Terraform-Cloud" to a valid URI of
"http://Terraform-Cloud", which is the required format used for
service principal names Values of identifierUris property must use a
verified domain of the organization or its subdomain:
'http://Terraform-Cloud'
Any idea how to solve this?

Referring to this link:
Context
According to the announcement at
https://learn.microsoft.com/en-us/azure/active-directory/develop/reference-breaking-changes#appid-uri-in-single-tenant-applications-will-require-use-of-default-scheme-or-verified-domains,
the AAD service will block creating single-tenant applications with
invalid identifierUris after 2021-10-15.
Impact
The Azure CLI command az ad sp create-for-rbac before 2.25.0, which
sets invalid identifierUris, will fail with 400 BadRequest, such as
Values of identifierUris property must use a verified domain of the
organization or its subdomain: 'http://azure-cli-2021-10-20-03-53-05'
Solution
az ad sp create-for-rbac has been updated so that it no longer
creates identifierUris at all (#18312). Please update to Azure
CLI 2.25.0 or newer. We recommend always using the latest version.
So what I did was upgrade my az CLI to the latest version using az upgrade.
When the upgrade was done, I ran the same command mentioned in the question and everything works as expected.
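The fix above is "run a new enough CLI". The following Python helper, added here and not part of the original answer, is the pre-flight check I would put in front of a scripted `az ad sp create-for-rbac`: it reads `az version -o json` (the `azure-cli` key is what that command prints), parses the version with a tolerant parser, and refuses to continue below 2.25.0, the first release that stopped setting identifierUris. The `az` call only happens when the file is run as a script; the parsing functions work on any string.

```python
"""Pre-flight check: refuse to run `az ad sp create-for-rbac` on an Azure CLI
older than 2.25.0.  Added example, not from the original post."""
import json
import subprocess

# First release in which az ad sp create-for-rbac stopped setting
# identifierUris (azure-cli #18312), so the "verified domain" 400 goes away.
MIN_AZ_CLI = (2, 25, 0)


def parse_version(text: str) -> tuple:
    """Turn '2.24.2' (or pre-release strings like '2.60.0b1') into a tuple of
    three ints.  Trailing non-digits in a segment are dropped; a pre-release
    tag is irrelevant to the 2.25.0 threshold."""
    parts = []
    for piece in text.strip().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def cli_is_new_enough(az_version_json: str, minimum=MIN_AZ_CLI) -> bool:
    """`az version -o json` prints an object whose "azure-cli" key holds the
    CLI version, e.g. {"azure-cli": "2.53.0", "azure-cli-core": "2.53.0", ...}."""
    data = json.loads(az_version_json)
    return parse_version(data["azure-cli"]) >= minimum


def installed_az_version_json() -> str:
    """Ask the installed CLI for its version; only used when run as a script."""
    return subprocess.check_output(["az", "version", "-o", "json"], text=True)


if __name__ == "__main__":
    import sys
    if not cli_is_new_enough(installed_az_version_json()):
        sys.exit("Azure CLI is older than 2.25.0: run `az upgrade` first, "
                 "otherwise create-for-rbac fails with the identifierUris error.")
    print("Azure CLI is new enough; safe to run az ad sp create-for-rbac.")
```

Once the check passes, the unchanged command from the question can follow it in the same script.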

Related

Azure login cli for github actions without subscription

I was reading this documentation https://github.com/azure/login#configure-a-service-principal-with-a-federated-credential-to-use-oidc-based-authentication
and found that we can use the azure login CLI with the allow-no-subscriptions parameter.
So my question is: what is the purpose of this parameter, given that we have already defined the subscription id in the repository's secrets, since we can run this command
az ad sp create-for-rbac --name "myApp" --role contributor \
--scopes /subscriptions/{subscription-id}/resourceGroups/{resource-group} \
--sdk-auth
Because it outputs the subscription id, tenant id, secret id and client id.
Surprisingly, if I create the app registration through the Azure portal, I get an error:
Error: : No subscriptions found for ***.
Error: Az CLI Login failed. Please check the credentials and make sure az is installed on the runner. For more information refer https://aka.ms/create-secrets-for-GitHub-workflows
Although the subscription id is well defined in the secrets.
And if I just use that parameter
allow-no-subscriptions=false
then I have no issue and it works like a charm.
For creating RBAC from your local machine you need to upgrade the az module and log in to the Azure CLI using az login:
az upgrade, az login
az ad sp create-for-rbac --name "myApp" --role contributor \
--scopes /subscriptions/{subscription-id}/resourceGroups/{resource-group} \
--sdk-auth
*The service principal is mapped to the contributor role and subscription scope.*
Please find the screenshot below.
For reference, please check this: Az CLI Login failed. Please check the credentials and make sure az is installed on the runner

Enumerating Azure service principal using cli

I am testing an environment where I have the credentials of a service principal of an application. My next step is to identify the objects owned by the application or the resources that the app can access.
I could get similar details for an AD user through the CLI command
az ad signed-in-user list-owned-objects
Running the same command when signed in with the credentials of the SP results in the following error:
Resource not found for the segment 'me'.
My use case is to enumerate the SP account to understand its access rights in the subscription. Can someone help me out with the right set of Azure CLI commands?
I tried to reproduce the same in my environment and got below results:
I created one service principal with the Storage Blob Data Contributor role at storage account scope, like below:
az ad sp create-for-rbac --role "Storage Blob Data Contributor" --name <spname> --scopes /subscriptions/<subID>/resourceGroups/<rgname>/providers/Microsoft.Storage/storageAccounts/<storaccname>
Then I logged in to my Azure account successfully using the above service principal credentials:
az login --service-principal -u appID -p password --tenant tenantID
When I ran the same command to get the resources that the app can access, I got the same error as below:
az ad signed-in-user list-owned-objects
To list RBAC roles assigned to a service principal, you can make use of below command:
az role assignment list --assignee <service_principal_ID> --all
If your use case is to list all the resources/objects a service principal can access/own, currently there is no command available particularly for that.
To know more in detail, you can check below reference:
For a given Azure AD Service Principal, Get a list of the Azure Objects and Rights by AlfredoRevilla-MSFT

How to find SPNAME in Azure portal

Trying to access files from Azure NetApp Files via REST API by following the documentation
https://learn.microsoft.com/en-us/azure/azure-netapp-files/azure-netapp-files-develop-with-rest-api
with the Postman REST client.
To get appId, password and tenant, execute the following command in Azure CLI:
az ad sp create-for-rbac --name $YOURSPNAMEGOESHERE --role Contributor --scopes /subscriptions/{subscription-id}
Here, what is $YOURSPNAMEGOESHERE? How do I find this value? I am currently using a trial account on Azure.
Please note that the command you are currently using creates a service principal and assigns a role to it.
For $YOURSPNAMEGOESHERE, you have to pass the name of the service principal you want to create.
Instead of that, you can also give the name directly as a string, like below.
I tried to reproduce the same in my environment and got the below results:
az ad sp create-for-rbac --name "TestSP" --role Contributor --scopes /subscriptions/subscriptionId
Output:
Reference:
az ad sp | Microsoft Docs

Not able to Access Billing info using Azure CLI

I created a service principal using RBAC and the subscription id, and I was able to log in and make all CLI calls to Azure using this SP and this login
(creating the SP:
az ad sp create-for-rbac -n "AppName1" --role contributor --scopes /subscriptions//resourceGroups/)
But when I call for billing info as:
az consumption usage list --subscription
Unauthorized. Request ID:
I am not sure what authentication permission scope to add to enable this. Tried too many things and somehow I feel I am not in the right direction. Any help will be greatly appreciated.
Did you log in with the service principal using the following command before hitting the billing/usage endpoint?
az login --service-principal -u <app-url> -p <password-or-cert> --tenant <tenant>
I believe the issue is that you assigned the "contributor" role at the resource group level and are then trying to access a subscription-level resource. Since you don't have permission for that, you get this "Unauthorized" error.
To fix this, please try assigning the "contributor" role at the subscription level for this service principal.
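Both the enumeration answer above ("list the SP's role assignments with `az role assignment list --assignee <id> --all`, there is no single command for 'everything it can touch'") and this billing answer ("Contributor on a resource group does not reach the subscription") come down to one rule: Azure RBAC assignments inherit downward only, and an assignment covers a target scope when the target is that scope or sits beneath it. The Python below, added here and not taken from either answer, takes the JSON that `az role assignment list --assignee <id> --all -o json` prints, summarises which scopes the principal holds which roles on, flags the privileged ones, and answers "does any assignment cover scope X", which is exactly the billing 403 when X is `/subscriptions/<id>`. The sample assignment list is constructed; the subscription and object ids in it are placeholders. The `az` call runs only when the file is executed as a script with a principal id argument, and needs an `az login` session allowed to read role assignments (Microsoft.Authorization/*/read, which Reader and Contributor include).

```python
"""Summarise what a service principal's Azure RBAC assignments cover.
Added example, not part of the original answers.  Input is the JSON from
`az role assignment list --assignee <principal-id> --all -o json`."""
import json
import subprocess

# Constructed sample (fields trimmed to the ones used) mirroring the two
# situations on this page: Contributor at a resource group, and a data-plane
# role on a single storage account.  Ids are placeholders.
SAMPLE_ASSIGNMENTS = json.dumps([
    {
        "principalId": "11111111-1111-1111-1111-111111111111",
        "principalType": "ServicePrincipal",
        "roleDefinitionName": "Contributor",
        "scope": "/subscriptions/0000-sub/resourceGroups/rg-app",
    },
    {
        "principalId": "11111111-1111-1111-1111-111111111111",
        "principalType": "ServicePrincipal",
        "roleDefinitionName": "Storage Blob Data Contributor",
        "scope": "/subscriptions/0000-sub/resourceGroups/rg-data/providers/"
                 "Microsoft.Storage/storageAccounts/stdata01",
    },
])

# Roles that let a principal change anything, or change who has access.
HIGH_PRIVILEGE_ROLES = {"Owner", "Contributor", "User Access Administrator",
                        "Role Based Access Control Administrator"}


def normalize(scope: str) -> str:
    """Scopes compare case-insensitively; '/' is the tenant root."""
    return scope.rstrip("/").lower() or "/"


def scope_covers(assignment_scope: str, target: str) -> bool:
    """RBAC inherits downward only: the assignment covers target when target
    is the assignment scope itself or lies underneath it.  Matching is per
    path segment, so '.../rg-app' does not cover '.../rg-app2'."""
    a, t = normalize(assignment_scope), normalize(target)
    if a == "/":
        return True
    return t == a or t.startswith(a + "/")


def roles_covering(assignments_json: str, target_scope: str) -> list:
    """Role names whose scope covers target_scope.  An empty list means a
    control-plane call at that scope is refused, which is the billing case:
    Contributor on a resource group never reaches /subscriptions/<id>.
    Limitation: management-group scopes are not string prefixes of the
    subscriptions under them, so those assignments are not resolved here."""
    found = {a["roleDefinitionName"] for a in json.loads(assignments_json)
             if scope_covers(a["scope"], target_scope)}
    return sorted(found)


def summarize(assignments_json: str) -> dict:
    """Group roles by scope and flag privileged ones: the closest the control
    plane gets to 'what can this SP touch'."""
    by_scope, flagged = {}, []
    for a in json.loads(assignments_json):
        by_scope.setdefault(a["scope"], []).append(a["roleDefinitionName"])
        if a["roleDefinitionName"] in HIGH_PRIVILEGE_ROLES:
            flagged.append((a["roleDefinitionName"], a["scope"]))
    return {"by_scope": by_scope, "high_privilege": flagged}


def fetch_assignments(principal_id: str) -> str:
    """The command from the answer; only called when run as a script."""
    return subprocess.check_output(
        ["az", "role", "assignment", "list", "--assignee", principal_id,
         "--all", "-o", "json"], text=True)


if __name__ == "__main__":
    import sys
    data = fetch_assignments(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_ASSIGNMENTS
    print(json.dumps(summarize(data), indent=2))
    print("covers subscription:", roles_covering(data, "/subscriptions/0000-sub"))
```

Run it with the SP's object id after `az login --service-principal ...` to see the real assignments; with no argument it works on the constructed sample, where `roles_covering` returns nothing for the subscription scope and `Contributor` for anything under `rg-app`.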

Giving an Azure Managed Identity Directory.Read.All

I want to give an Azure Managed Identity access to Graph with Directory.Read.All. I was able to get it to work by following this blog: https://blog.bredvid.no/accessing-apis-using-azure-managed-service-identity-ff7802b887d?gi=f2307752395a, however:
that throws an Authorization_RequestDenied error (though apparently expected: MSI Permissions for Graph API), and
I would prefer to get this working under az cli.
I tried...
graphId=$(az ad sp list --filter "appId eq '00000003-0000-0000-c000-000000000000'" --query "[0].objectId")
roleId=$(az ad sp list --filter "appId eq '00000003-0000-0000-c000-000000000000'" --query "[0].appRoles[?value=='Directory.Read.All' && contains(allowedMemberTypes, 'Application')] | [0].id")
az role assignment create --role $roleId --assignee-object-id fa22d971-c442-41f2-add1-77e636f80d31 --scope $graphId --assignee-principal-type MSI
But this results in... "The request did not have a subscription or a valid tenant level resource provider."
I am thinking this means I don't have the scope right. Is it possible to do this assignment under az-cli?
It is not possible to assign a service principal (MSI) to an application role currently; all commands are here.
The az role assignment create command adds a user/service principal/group to an Azure resource with an RBAC role, which is not what you want; it equals the steps in this link.
Besides, if you want to use the Azure CLI instead of PowerShell because of cross-platform issues, you could try PowerShell Core, which is cross-platform; refer to this link to install the AzureAD.Standard.Preview module in it, and then you will be able to use the AzureAD commands.
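What the question's JMESPath queries are trying to do is a lookup on the Microsoft Graph service principal: find the app role whose `value` is `Directory.Read.All` and whose `allowedMemberTypes` includes `Application` (the delegated permission of the same name lives in `oauth2PermissionScopes` and is useless to a managed identity). The Python below, added here and not the answer's own method (the answer points at the AzureAD PowerShell module), does that lookup on the JSON printed by `az ad sp list --filter "appId eq '00000003-0000-0000-c000-000000000000'" -o json` and builds the Microsoft Graph `appRoleAssignments` request that grants the role, which can be sent with `az rest` (Azure CLI 2.37 and later return the object id as `id`; older builds called it `objectId`, so both are accepted). The service-principal document and every id in it are constructed placeholders; the claim that the caller needs `AppRoleAssignment.ReadWrite.All` or an administrator role such as Privileged Role Administrator is an assumption about the live tenant, not something the page states.

```python
"""Find an application-type app role on the Microsoft Graph service principal
and build the Graph appRoleAssignments request that grants it to a managed
identity.  Added example; not the page's own method."""
import json
import subprocess

GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # Microsoft Graph, from the question

# Constructed, trimmed shape of the list that
#   az ad sp list --filter "appId eq '<GRAPH_APP_ID>'" -o json
# returns.  All ids are placeholders.
SAMPLE_GRAPH_SP = json.dumps([{
    "id": "aaaaaaaa-0000-0000-0000-000000000001",
    "appId": GRAPH_APP_ID,
    "appRoles": [
        {"id": "bbbbbbbb-0000-0000-0000-000000000001", "value": "Directory.Read.All",
         "allowedMemberTypes": ["Application"], "isEnabled": True},
        {"id": "bbbbbbbb-0000-0000-0000-000000000002", "value": "User.Read.All",
         "allowedMemberTypes": ["Application"], "isEnabled": True},
    ],
    # Delegated permissions live here, not in appRoles; a managed identity has
    # no signed-in user, so this list is deliberately ignored below.
    "oauth2PermissionScopes": [
        {"id": "cccccccc-0000-0000-0000-000000000001", "value": "Directory.Read.All"},
    ],
}])


def find_app_role(sp_list_json: str, role_value: str) -> tuple:
    """Return (graph_sp_object_id, app_role_id) for an enabled app role that
    applications may hold.  Raises instead of returning '' so a typo in the
    role name cannot turn into an empty --body."""
    sps = json.loads(sp_list_json)
    if not sps:
        raise LookupError("Microsoft Graph service principal not found in tenant")
    sp = sps[0]
    sp_id = sp.get("id") or sp.get("objectId")  # newer CLI vs. older CLI field name
    for role in sp.get("appRoles", []):
        if (role.get("value") == role_value
                and "Application" in role.get("allowedMemberTypes", [])
                and role.get("isEnabled", True)):
            return sp_id, role["id"]
    raise LookupError(f"no application-type app role named {role_value}")


def app_role_assignment_body(msi_object_id: str, sp_list_json: str, role_value: str) -> dict:
    """Body for POST /servicePrincipals/{msi_object_id}/appRoleAssignments:
    principalId receives the role, resourceId is the SP defining it (Graph),
    appRoleId is the role."""
    resource_id, role_id = find_app_role(sp_list_json, role_value)
    return {"principalId": msi_object_id, "resourceId": resource_id, "appRoleId": role_id}


def az_rest_command(msi_object_id: str, body: dict) -> list:
    """argv for `az rest`, which obtains a Graph token from the current login.
    Assumption: the login holds AppRoleAssignment.ReadWrite.All or an admin
    role such as Privileged Role Administrator."""
    url = f"https://graph.microsoft.com/v1.0/servicePrincipals/{msi_object_id}/appRoleAssignments"
    return ["az", "rest", "--method", "post", "--url", url,
            "--headers", "Content-Type=application/json",
            "--body", json.dumps(body)]


if __name__ == "__main__":
    import sys
    msi_id = sys.argv[1]  # object (principal) id of the managed identity
    sp_json = subprocess.check_output(
        ["az", "ad", "sp", "list", "--filter", f"appId eq '{GRAPH_APP_ID}'", "-o", "json"],
        text=True)
    body = app_role_assignment_body(msi_id, sp_json, "Directory.Read.All")
    subprocess.run(az_rest_command(msi_id, body), check=True)
```

Pass the managed identity's object id (the `fa22d971-...` value in the question) as the only argument; the script reads the Graph service principal, refuses to continue if the role is not an application-type role, and posts the assignment.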
