When I run the below on my local pc via powershell it completes successfully.
Set-AzSqlServerActiveDirectoryAdministrator -ResourceGroupName $resourceGroupName -ServerName $serverName -DisplayName 'AAD_GAOUAT_SQLADMIN' -ObjectId 'd9c6b5a7-079e-44b4-8911-bd0451bfb59a'
Now when I run the same command (via Azure Powershell) in DevOps, I get the below error
Any ideas why this fails from Azure DevOps?
When you run the command in devops azure powershell task, it will let you use a service connection to auth, I suppose you didn't use a correct service principal located in the correct tenant(i.e. the subscription of the sql server located).
Please follow the steps below to fix the issue.
1.In devops, navigate to the Project Settings -> Service connections -> New service connection -> Azure Resource Manager -> Service principal (manual).
If you don't have an AD App, you can also select Service principal (automatic) above, then fix the values with correct information .e.g subscription. If you select Service principal (manual), please make sure the service principal has an RBAC role in the subscription to set the sql server AAD admin e.g. Owner, Contributor.
2.After creating the service connection, click it and select Manage Service Principal.
It will open a page for the related AD App -> API permissions -> Add a permission -> add Directory.Read.All Application permission of Azure Active Directory Graph like below(Not Microsoft Graph), At last, don't forget to click Grant admin consent for xxx button.
This step is because Set-AzSqlServerActiveDirectoryAdministrator will call the AAD Graph to check the object you input, so you need to give the permission.
3.Then in the azure powershell task, select the service connection we created.
Run it, it works fine.
Related
I have a Pipeline in my DevOps that builds and deploys an application. This is working successfully.
As part of the deployment I need to update a configuration.json file with the Client ID of my application. To achieve this I am executing:
$clientID = az ad app list --display-name "MyApplication" --query [0].appId
I have created an "Azure CLI" step and am executing this within the role of a Service Principal, but when it runs I get an error "Insufficient privileges to complete the operation". Where or what permissions to I need to change?
Pipeline Step Description:
Azure CLI
Type: Powershell Core
Script Path: A Valid Path
The other answer is only half correct and not good, the Delegated permission Directory.Read.All in Microsoft Graph will not work in this case, giving the Global Administrator role to the service principal will work, but this permission is too large, if you don’t want to cause some security issues, try not to use it.
To solve the issue, you just need to give the Application permission Directory.Read.All of Azure Active Directory Graph, you could follow the steps below.
1.Navigate to the Project Settings in devops -> Service connections -> find the service connection you used -> click Manage Service Principal.
2.Then it will open the Azure AD App page of the service principal, navigate to the API permissions -> add the Application permission Directory.Read.All of Azure Active Directory Graph like below(Note: It should be Azure Active Directory Graph, not Microsoft Graph).
Don' forget to click the Grant admin consent for xxx button at last.
After a while, try the command again, it will work fine.
I was able to run it with success after adding Directory.ReadAll permission
and adding this principal to Global Administrator group.
I am trying to create a release in AzureDevops that checks the expiration of SP secrets and then updates them if necessary. I have the part that does the check:
param (
[string]$SpId
)
$SpSecret
$SpEndDate = az ad sp credential list --id $SpId --query "[].{Key:endDate}" -o tsv
((Get-Date $SpEndDate).AddDays(-30) -lt (Get-Date)) {
#Set a new secret value if it is about to expire
$SpSecret = az ad sp credential reset --name $SpId --query password -o tsv
}
Write-Host "##vso[task.setvariable variable=var01;Secret=true]$SpSecret"
Write-Host $env:Secret
The issue now is that the service connection does not have the permissions to run "z ad sp credential reset". I have looked at the connection and don't see a permission that will work. Any suggestions?
When you create the Azure Resource Manager service connection to use the AzureCLI, the system will create an AD App for you automatically, check this link.
If you use this service connection with AzureCLI, it will use the credential of the service principal of the AD App in your tenant. For the concept of service principal and AD App, see this link.
To fix the issue, navigate to the Azure Active Directory in the portal -> App registrations -> All applications -> find the application corresponding to the service connection, its name should be like organizationname-projectname-513f22f1-befd-xxxxxxcfe90f1. Then click it -> add the permission like the screenshots(Note: your user account need the admin role to click the Grant admin consent button, e.g. Global admin ).
After granting the permission, wait for a while, the service principal of the service connection will be able to create the AD App, the Azure CLI task should work fine.
The Application.ReadWrite.All permission will allow the service principal to create, read, update and delete all applications and service principals. If you want to avoid the security problem, you can also use the powershell to add the service principal of the service connection as an Owner to the service principal which you want to reset credential. Then just need to add Application.ReadWrite.OwnedBy permission in the screenshot above.
Navigate to the organizationname-projectname-513f22f1-befd-xxxxxxcfe90f1 app in the portal -> click the Managed application in local directory as below.
Then copy the Object ID in the screenshot.
Then use the powershell below(At least you need to be the Owner of the target App to run the command).
Add-AzureADApplicationOwner -ObjectId <ObjectId of the app which corresponding to the service principal> -RefObjectId <ObjectId of the service connection corresponding service principal>
Besides: At first, I suppose Add-AzureADServicePrincipalOwner is enough, but per my test, it does not work, looks may be Application.ReadWrite.OwnedBy does not allow to operate on the service principal corresponding to the AD App.
I am attempting to automate the registration of a new application in Azure Active Directory. Upon running the command in Azure CLI, it returns with the following error:
Insufficient privileges to complete the operation.
The command was run using a Service Principal which has Owner permissions at the Subscription level. When attempting to run other Azure AD commands (e.g. az ad app list), the same error is thrown. However, it works fine if we run commands relating to Azure API Manager (e.g. az apim list).
We have tried creating the Service Principal using both the Azure console (https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal) and CLI by running the following command but neither works.
az ad sp create-for-rbac --role Owner --name some-service-principal
Is there anything else required to perform this operation?
The Owner role you mention is part of Azure RBAC, which does not apply to Azure AD.
The Azure AD tenant is above the Azure subscriptions and has its own permissions.
You need to give the SP application permissions to MS Graph API / AAD Graph API (not sure which one the CLI is trying to use), or a directory role.
The first you give through API permissions on the app registration for the SP.
A directory role can be added through the Roles and administrators tab.
that happens because Azure AD and Azure subscription are completely unrelated in terms of permissions. You need Application Read\Write Azure AD permissions for your principal (user\service principal\application) to be able to carry out that task
https://learn.microsoft.com/en-us/graph/permissions-reference#application-resource-permissions
az ad app permission: https://learn.microsoft.com/en-us/cli/azure/ad/app/permission?view=azure-cli-latest#az-ad-app-permission-add
followed by az ad app grant: https://learn.microsoft.com/en-us/cli/azure/ad/app/permission?view=azure-cli-latest#az-ad-app-permission-grant
or you could do it using the portal, like the other answer suggests
I have a service principal that I use for automation. It has the Directory.Read.All permission in Microsoft Graph for our Azure Active Directory.
It cannot run the Set-AzSqlServerActiveDirectoryAdministrator command. The error I get is:
Cannot find the Azure Active Directory object 'My-AD-Group'.
Please make sure that the user or group you are authorizing is
registered in the current subscription's Azure Active directory.
If I run this same command as myself, it runs just fine.
Clearly my Service Principal needs more than the Directory.Read.All permission. Yet I cannot find any documentation that lists exactly what API Permissions my Service Principal would need to successfully run this command.
Does anyone know how I can discover exactly what API permissions would be required to run a particular Azure PowerShell command that involves accessing Azure Active Directory?
As an aside, I'm not tied to PowerShell. I cannot get this command to work with the az cli either. I'm open to methods using az that would get me this answer.
You need to give the Directory.Read.All(Application permission) of Azure AD Graph API not the Microsoft Graph API. Also make sure the service principal has the permission of the sql server(e.g. the service principal is the Owner of the subscription or the sql server), then it will work fine.
If you want to add the service principal as a role of the subscription or sql server, navigate to the subscription or the sql server in the portal -> Access control (IAM) -> Add -> Add role assignment -> search your service principal with name and add it as a role(e.g. Owner) -> Save, more details here.
Set-AzSqlServerActiveDirectoryAdministrator -ResourceGroupName "<ResourceGroupName>" -ServerName "<ServerName>" -DisplayName "group1" -ObjectId "64d1b8xxxxx4ffbd"
Does anyone know how I can discover exactly what API permissions would be required to run a particular Azure PowerShell command that involves accessing Azure Active Directory?
The Azure PowerShell essentially calls the different APIs, to get the permissions of the APIs, you could catch the request via Fiddler, then look into the official API doc for the permissions.
I am trying to use Microsoft.Azure.Management.Logic.LogicManagementClient to programmatically create a Logic App workflow in Azure. Authentication has already worked, but when I call logicManagementClient.Workflows.CreateOrUpdateAsync(), I am getting a CloudException saying that the client does not have authorization to perform action 'Microsoft.Logic/workflows/write'.
How can I give the app the required permissions?
I have already given it (in the Azure Portal) all permissions for Azure AD and Microsoft Graph. But when I try to add permissions for Windows Azure Service Management API (which I assume is the relevant API here), it says "No application permissions available":
You need to give your app at least Contributor access to the resource group via the Access Control (IAM) tab.
To manage Azure resources through the ARM API, you always need a role via RBAC.
I did this via PowerShell. I assigned the Contributor role to my App Registration. Here are the commands.
az login
az account set --subscription "YOURSUBSCRIPTIONNAME"
NOTE: Had to create Resource Group in Portal, Use the Application (client) ID of the App Registration Client
New-AzRoleAssignment -RoleDefinitionName Contributor -ServicePrincipalName Application(client)ID -ResourceGroupName YOURRESOURCEGROUPNAME