We quite simply want to run a command to create an app registration within our Azure AD. It is a SPA and obviously we need to set a redirect URL to send users back to our app after they authenticate.
I tried
az ad app create --display-name appName --reply-urls '[{\"url\":\"http://localhost:3000\",\"type\":\"Spa\"}]',
but this fails with
Invalid value specified for property 'replyUrls' of resource 'Application'.
Seems like this would be a very common operation to perform, but I can not locate docs on achieving this. These are the az ad app create docs.
For anyone else who comes across this, this is the solution I came up with after trying to accomplish this in several different ways (Thanks for the mentioning az rest Gaurav Mantri).
I created the following bash script
create-app-registration.sh
#Create App Registration
response=$(az ad app create --display-name $appName)
#Get the ObjectId of the newly created app registration
objectId=$(echo $response| cut -d'/' -f 3)
# Update app for SPA redirect
az rest --method PATCH --uri 'https://graph.microsoft.com/v1.0/applications/'$objectId \
--headers 'Content-Type=application/json' \
--body '{"spa":{"redirectUris":["'$redirectUri'"]}}'
Thanks, #BryceBy. I did a quick test of your script and it worked well.
In my case, I need to get both app id and object id and create the scripts below.
clientid=$(az ad app create --display-name $appregname --query appId --output tsv)
objectid=$(az ad app show --id $clientid --query objectId --output tsv)
Related
I was reading this documentation https://github.com/azure/login#configure-a-service-principal-with-a-federated-credential-to-use-oidc-based-authentication
And I have found that we can use azure login cli with allow-no-subscriptions parameter.
So my question is that what is the purpose of this parameter? although we have already defined the subscription id in the repository's secret when we can run this command
az ad sp create-for-rbac --name "myApp" --role contributor \
--scopes /subscriptions/{subscription-id}/resourceGroups/{resource-group} \
--sdk-auth
Because it outputs, subscription id, tenant id, secret id, client id.
Surprisingly, if I create app registration through azure portal I get an error
Error: : No subscriptions found for ***.
Error: Az CLI Login failed. Please check the credentials and make sure az is installed on the runner. For more information refer https://aka.ms/create-secrets-for-GitHub-workflows
Although the subscription id well defined in the secrets.
And if I just use that parameter
allow-no-subscriptions=false
Then I have no issue and it works like charm.
For creating rbac from your local machine you need to upgrade az module and need to login Azure CLi using az login
az upgrade , az login
az ad sp create-for-rbac --name "myApp" --role contributor \
--scopes /subscriptions/{subscription-id}/resourceGroups/{resource-group} \
--sdk-auth
*The service principle is mapped to contributor role and subscription scope. *
Please find the below screenshot
For reference, please check this Az CLI Login failed. Please check the credentials and make sure az is installed on the runner
I have enabled the identity in azure web app, it has created one object id. I want to pull the object id using PowerShell, like that I want to pull all the app service using powershell command
You could use this command:
(Get-AzWebApp -Name <Your_WebApp_Name> -ResourceGroupName <Your_ResourceGroup>).Identity.PrincipalId
As per this MSDoc, we have alternate command to get the Azure WebApp Service Principal ID.
Display name must be your WebApp Name
Get-AzADServicePrincipal -DisplayName "Core52022"
To check whether you got the correct ID, you can verify it in Azure Active Directory
Navigate to the Portal => Azure AD => Enterprise applications,remove all the filters and in search box type your Web App name
Finally I got the answer for this. I try to get my identity id in my webapp, so to get this using below command in PowerShell
Command:
az webapp identity show --name yourwebappname --resource-group resrourcegroupname --query principalId
Example:
az webapp identity show --name ph-prod-blue-portal --resource-group test_resource --query principalId
you will get the below result
"abc-def-ghi-ijk-lnmkop"
Trying to access files from Azure Netapps via REST API by following documentation
https://learn.microsoft.com/en-us/azure/azure-netapp-files/azure-netapp-files-develop-with-rest-api
with POSTMAN rest client.
To get appId, password, tenant by executing following command in Azure CLI
az ad sp create-for-rbac --name $YOURSPNAMEGOESHERE --role Contributor --scopes /subscriptions/{subscription-id}
Here what is $YOURSPNAMEGOESHERE? How to fins this value? I am currently using trail account on Azure.
Please note that, the command you are currently using is related to creating service principal and assigning role to it.
In this $YOURSPNAMEGOESHERE , you have to pass the name of the service principal you want to create.
Instead of that, you can also give the name directly in string format like below:
I tried to reproduce the same in my environment like below and got the below results:
az ad sp create-for-rbac --name "TestSP" --role Contributor --scopes /subscriptions/subscriptionId
Output:
Reference:
az ad sp | Microsoft Docs
I get an ERROR: The request did not have a subscription or a valid tenant level resource provider. when trying to create a service principal via the azure cli under the scope of an Azure Iot Hub. I'm using the CLI (bash) but python would be sufficient, too.
As shown at end, i have correct credentials & rights to create sp's in this subscription, and i have owner rights to the iot hub in question.
In case i'm missing a better way to accomplish this, here is the context: We need to authenticate a job that automates the registration of new devices immediately after they are flashed, before they are shipped off to be plugged in. This does many things to customize the flashed filesystem (add unique device hostname & local passwords, for instance); and finally it needs to register the device with IotHub.
az iot hub device-identity create --device-id [device id] --hub-name [hub name] --edge-enabled
With my user permissions, i can az login and accomplish all of this - but it needs to run in an automated job with no interactive login. I believe service principal is the way to accomplish this (?).
Thus, attempting to create the principal I run:
# the following pulls a valid(looking) `"/subscriptions/NAME/resourceGroups/THEGROUP/providers/Microsoft.Devices/IotHubs/THEHUB"`
IOTHUB_ID="$(az iot hub show --name TheHubName --query id)
az ad sp create-for-rbac --name http://my-iothub-serviceprincipal --scopes $IOTHUB_ID --role contributor --query password --output tsv
which fails with the following as above (Note: contributor is too broad, will be a custom-role later):
WARNING: Role assignment creation failed.
ERROR: The request did not have a subscription or a valid tenant level resource provider.
as a test to ensure i have the right az login and other local state, the following analogous command for an Azure ACR scope does succeed, with a new service principal visible in the portal.
ACR_ID="$(az iot hub show --name TheAcrName --query id)
az ad sp create-for-rbac --name http://acr-service-principal-foobar --scopes $ACR_ID --role acrpull --query password --output tsv
This was caused by a bug in the azure CLI. az iot hub show is returning an improperly quoted string; az acr show for example does not.
az iot hub show --name your-iothub-name --query id returns a string like the following. both quotes " are in the original
'"/subscriptions/guid/.../IotHubs/your-iothub-name"'
az acr show --name your-acr-name --query id returns the same format string, but without the extra ' quoting.
"/subscriptions/.../registries/your-acr-name"
az iot hub device-identity create cannot deal with the '"..."' (understandable) but unfortunately doesn't fail cleanly, making this a bit difficult to track down as quoting blends in a bit for script output.
I am trying to create an Azure Key Vault but I am getting below error:
az keyvault create --location ${regionName} --name ${MyKeyVault} --resource-group ${resourceGroupName}
Error: (VaultAlreadyExists) The name 'check' is already in use.
Please help me write a code to check if the Key Vault name is avaialable.
There is no built-in CLI command to do this, your option is to use az rest call the REST API directly.
Sample:
az rest --method post --uri 'https://management.azure.com/subscriptions/<subscription-id>/providers/Microsoft.KeyVault/checkNameAvailability?api-version=2019-09-01' --headers 'Content-Type=application/json' --body '{"name": "joykeyvault","type": "Microsoft.KeyVault/vaults"}'
You can use Azure API to check that Keyvault name is valid and is not already in use.
https://learn.microsoft.com/en-us/rest/api/keyvault/vaults/checknameavailability