I'm working on an Azure function that tries to get and update a client secret for an Azure app registration. The function runs as a managed identity, and tries to execute the Azure PowerShell cmdlets New-AzADAppCredential, Remove-AzADAppCredential, and Get-AzADAppCredential.
But upon execution I'm getting the error Insufficient privileges to complete the operation.
I tried assigning my function a Contributor role, under Azure role assignments, and I also tried giving the delegated permission Directory.ReadWrite.All for the app registration that the function is trying to access. However, I'm still seeing the same error.
I would like to know what permissions are necessary for a managed identity Azure function to be able to manage an app registration's client secrets.
Thanks!
The RBAC roles are used to manage resources in Azure subscriptions; in this case, what you need is the permission in Azure AD, not in the subscription.
To fix the issue, the easiest way is to give the Application Administrator role to your managed identity.
Navigate to the Azure portal -> Azure Active Directory -> Roles and administrators -> Application Administrator -> add the managed identity to the role like below.
The Contributor role allows the assignee to manage and access the resource, but as you have discovered, that does not include managing access. Similarly, Directory.ReadWrite.All is for user data, not RBAC. There are two roles for RBAC: Owner and User Access Administrator. Owner is Contributor plus UA Admin; UA Admin only allows access control.
I currently create a service principal using the Azure CLI:
az ad sp create-for-rbac --name foo --role Contributor
I need the service principal to have enough permissions to create/modify/delete various Azure AD resources including Applications, other Service Principals and Service Principal Passwords. When I use the above service principal to create other service principals, I currently get 403 Forbidden errors.
I have also tried using the 'Owner' and 'User Access Administrator' roles but these still give me a 403 error. What do I need to add to the above Azure CLI command or what additional role assignments do I need to add?
I'd like to use the service principal in a Pulumi program with their Azure AD provider (based on Terraform's Azure AD provider). See:
https://github.com/pulumi/pulumi-azuread/issues/246
In order for a service principal to be able to manage applications it requires API permissions. There is no such thing as a scope, because the API permissions are against the Azure AD API. Scopes are only applicable when it is related to the Resource Manager API. These are not the same thing.
When you go to application registrations in Azure AD, you can find the application, this is also where you will be able to assign the API permissions and grant consent.
You will do this either on the Azure Active Directory Graph, or on the Microsoft Graph. In my experience only the permissions assigned with the Azure Active Directory Graph worked.
Application.ReadWrite.All (Application): Read and write all applications
Application.ReadWrite.OwnedBy (Application): Manage apps that this app creates or owns
You will find these two application permissions that you could use. The first you can use to manage all applications.
The az cli command you are using is to create a role assignment. This is RBAC on the subscription, it has nothing to do with Azure AD aside from the service principal being an AAD resource.
You need to add the scope of this service principal and also change the Azure role of this service principal to 'User Access Administrator' to enable you to modify resources in Azure AD. Also, the 'User Access Administrator' role will give the service principal the required permissions for that Azure role to assign RBAC permissions. Please refer to the command below for more details:
az ad sp create-for-rbac --name foo --role "User Access Administrator" --scopes /subscriptions/{subscriptionId}/resourceGroups/{resourceGroup1}
Also, ensure that the user ID through which you are creating this service principal and assigning the role to it has permissions to register and create applications in Azure AD. If not, then please assign that ID the 'Application Administrator' Azure AD role, or an administrator should allow you to create and register applications even though you are a 'User'.
You need to give your service principal "App admin" permissions. This allows you to create application registrations and also set their credentials. And it does not give it rights to do anything else such as manage users and groups. If your intent is to include those, you need to add additional roles to the service principal.
https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#application-administrator
I have the following:
Azure App Services in Tenant A
Azure SQL Server in Tenant A
Azure App/Enterprise Registration in Tenant B
The point of this separation was to restrict specific users to the Azure App Services website. How can I get to the point that I can execute this code on my SQL server to grant access to the app registration which sits in Tenant B?
CREATE USER [tenant_b_app_reg] FROM EXTERNAL PROVIDER;
EXEC sp_addrolemember [db_datareader], [tenant_b_app_reg];
This post seems similar to my issue (Grant service principal access to application in other tenant), but I cannot follow just the code posting with little context. It is also unclear why we post the same value multiple times object-id-of-sp-in-one-tenant in one command and it is also unclear what role-id is.
• As per your query, ‘object-id-of-sp-in-one-tenant’ is occurring multiple times in the related script because the ‘object-id’ and the ‘principal-id’ of the app in one tenant are different: object-id refers to the unique id of the app registered in that tenant, and the principal-id refers to the entity that requires access to that application in that tenant or across other tenants. The principal-id refers to the service principal object that defines the access policy and the permissions for that application in the Azure AD tenant.
• Whereas ‘role-id’ is the Azure built-in role, based on Azure role-based access control functionality, that is to be assigned to that application, or any custom Azure role that is created for assigning the scoped access controls and permissions within that concerned role, i.e., be that ‘contributor’ or ‘user access administrator’.
New-AzureADServiceAppRoleAssignment `
-ObjectId <object-id-of-sp-in-one-tenant> `
-Id <role-id> `
-PrincipalId <object-id-of-sp-in-one-tenant> `
-ResourceId <app-id-in-other-tenant>
• Thus, you can refer to the script in the other thread and replace the object-id and the principal-id with the ones in your environment appropriately. Also, you can try granting database access to a managed identity user in Azure AD for this purpose. You can do this by connecting to a SQL database with a system-assigned managed identity.
• Once managed identity on the app is enabled, grant permissions to that managed identity in SQL Database with the required SQL security role at the SQL prompt. Once done, modify the SQL connection string and publish the changes. Also, ensure that you enter the appropriate app-id and user-id in the PowerShell commands to assign the managed identity access to the SQL database with the enterprise app registration. Please find the documentation links below for more details on creating a managed identity for the SQL DB for an application across tenants:
https://learn.microsoft.com/en-us/azure/app-service/app-service-web-tutorial-connect-msi?tabs=windowsclient%2Cdotnet
https://learn.microsoft.com/en-us/azure/app-service/tutorial-dotnetcore-sqldb-app?pivots=platform-windows
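The first question on this page (a Function's managed identity that must manage app registration credentials), the API-permissions answer listing Application.ReadWrite.OwnedBy, and the New-AzureADServiceAppRoleAssignment snippet in the answer above all come down to one operation: assigning a Microsoft Graph application role to a service principal. The following is an added example, not code from any of the answers; it assumes the AzureAD module, a signed-in administrator allowed to grant application permissions, and the placeholder display name 'func-secret-rotator'.

```powershell
# Added example: grant a managed identity / service principal the Microsoft Graph
# application permission Application.ReadWrite.OwnedBy through an app role assignment.
# OwnedBy is narrower than Application.ReadWrite.All: the identity can only manage
# app registrations it owns, which is enough for rotating its own app's secrets.
Connect-AzureAD | Out-Null

$identityDisplayName = 'func-secret-rotator'            # placeholder: the Function's identity
$permission          = 'Application.ReadWrite.OwnedBy'  # Graph app role to grant

# -ObjectId and -PrincipalId both take the object id of the identity receiving the role.
$principal = @(Get-AzureADServicePrincipal -Filter "DisplayName eq '$identityDisplayName'")
if ($principal.Count -ne 1) { throw "Expected exactly one principal named '$identityDisplayName', found $($principal.Count)" }
$principal = $principal[0]

# -ResourceId is the object id of the API that defines the role. Microsoft Graph's
# application id is the same in every tenant; its service principal object id is not.
$graph = Get-AzureADServicePrincipal -Filter "AppId eq '00000003-0000-0000-c000-000000000000'"

# -Id is the AppRole id taken from the resource's AppRoles, not an Azure RBAC role id.
$role = $graph.AppRoles |
    Where-Object { $_.Value -eq $permission -and $_.AllowedMemberTypes -contains 'Application' }
if (-not $role) { throw "App role $permission not found on Microsoft Graph" }

# Existing assignments are listed from the resource side (Graph) and filtered to our principal,
# so re-running the script does not create duplicates.
$existing = Get-AzureADServiceAppRoleAssignment -ObjectId $graph.ObjectId |
    Where-Object { $_.PrincipalId -eq $principal.ObjectId -and $_.Id -eq $role.Id }
if (-not $existing) {
    New-AzureADServiceAppRoleAssignment -ObjectId $principal.ObjectId `
        -PrincipalId $principal.ObjectId `
        -ResourceId  $graph.ObjectId `
        -Id          $role.Id | Out-Null
}

# Verify: every Graph app role this identity now holds.
Get-AzureADServiceAppRoleAssignment -ObjectId $graph.ObjectId |
    Where-Object PrincipalId -eq $principal.ObjectId |
    Select-Object PrincipalDisplayName, Id, ResourceDisplayName
```

A newly granted app role can take a few minutes to appear in tokens issued to the identity, so a Function that still gets "Insufficient privileges" immediately afterwards should be retried before the grant is assumed to be wrong.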
I have a service principal that I use for automation. It has the Directory.Read.All permission in Microsoft Graph for our Azure Active Directory.
It cannot run the Set-AzSqlServerActiveDirectoryAdministrator command. The error I get is:
Cannot find the Azure Active Directory object 'My-AD-Group'.
Please make sure that the user or group you are authorizing is
registered in the current subscription's Azure Active directory.
If I run this same command as myself, it runs just fine.
Clearly my Service Principal needs more than the Directory.Read.All permission. Yet I cannot find any documentation that lists exactly what API Permissions my Service Principal would need to successfully run this command.
Does anyone know how I can discover exactly what API permissions would be required to run a particular Azure PowerShell command that involves accessing Azure Active Directory?
As an aside, I'm not tied to PowerShell. I cannot get this command to work with the az cli either. I'm open to methods using az that would get me this answer.
You need to give the Directory.Read.All (Application permission) of the Azure AD Graph API, not the Microsoft Graph API. Also make sure the service principal has permission on the SQL server (e.g. the service principal is the Owner of the subscription or the SQL server); then it will work fine.
If you want to add the service principal as a role of the subscription or SQL server, navigate to the subscription or the SQL server in the portal -> Access control (IAM) -> Add -> Add role assignment -> search for your service principal by name and add it as a role (e.g. Owner) -> Save; more details here.
Set-AzSqlServerActiveDirectoryAdministrator -ResourceGroupName "<ResourceGroupName>" -ServerName "<ServerName>" -DisplayName "group1" -ObjectId "64d1b8xxxxx4ffbd"
Does anyone know how I can discover exactly what API permissions would be required to run a particular Azure PowerShell command that involves accessing Azure Active Directory?
Azure PowerShell essentially calls the different APIs; to get the permissions of the APIs, you could capture the request via Fiddler, then look into the official API doc for the permissions.
I am trying to use Microsoft.Azure.Management.Logic.LogicManagementClient to programmatically create a Logic App workflow in Azure. Authentication has already worked, but when I call logicManagementClient.Workflows.CreateOrUpdateAsync(), I am getting a CloudException saying that the client does not have authorization to perform action 'Microsoft.Logic/workflows/write'.
How can I give the app the required permissions?
I have already given it (in the Azure Portal) all permissions for Azure AD and Microsoft Graph. But when I try to add permissions for Windows Azure Service Management API (which I assume is the relevant API here), it says "No application permissions available":
You need to give your app at least Contributor access to the resource group via the Access Control (IAM) tab.
To manage Azure resources through the ARM API, you always need a role via RBAC.
I did this via PowerShell. I assigned the Contributor role to my App Registration. Here are the commands.
Connect-AzAccount
Set-AzContext -Subscription "YOURSUBSCRIPTIONNAME"
NOTE: Had to create the Resource Group in the Portal. Use the Application (client) ID of the App Registration.
New-AzRoleAssignment -RoleDefinitionName Contributor -ServicePrincipalName <Application(client)ID> -ResourceGroupName YOURRESOURCEGROUPNAME
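Contributor is broader than the failing action 'Microsoft.Logic/workflows/write' needs. The following added example (not from the answer above) checks that the built-in 'Logic App Contributor' role actually covers that action, then assigns it to the app registration's service principal at resource-group scope only; the subscription id, resource group name and client id are placeholders.

```powershell
# Added example: least-privilege alternative to the Contributor assignment above.
$SubscriptionId = '00000000-0000-0000-0000-000000000000'   # placeholder
$ResourceGroup  = 'YOURRESOURCEGROUPNAME'                   # placeholder
$AppClientId    = '11111111-1111-1111-1111-111111111111'   # placeholder: Application (client) ID
$RoleName       = 'Logic App Contributor'                   # built-in Azure RBAC role
$NeededAction   = 'Microsoft.Logic/workflows/write'         # action named in the CloudException

Connect-AzAccount | Out-Null
Set-AzContext -Subscription $SubscriptionId | Out-Null

# 1. Confirm the role grants the action. Role actions are wildcard patterns
#    (e.g. Microsoft.Logic/*), so match with -like rather than -eq.
$role   = Get-AzRoleDefinition -Name $RoleName
$covers = $role.Actions    | Where-Object { $NeededAction -like $_ }
$denied = $role.NotActions | Where-Object { $NeededAction -like $_ }
if (-not $covers -or $denied) { throw "$RoleName does not grant $NeededAction" }

# 2. Resolve the service principal behind the app registration; fail early if it is missing.
$sp = Get-AzADServicePrincipal -ApplicationId $AppClientId
if (-not $sp) { throw "No service principal exists for application $AppClientId" }

# 3. Assign at resource-group scope, and only if the assignment is not already there.
$scope    = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroup"
$existing = Get-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionName $RoleName -Scope $scope
if (-not $existing) {
    New-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionName $RoleName -Scope $scope | Out-Null
}

# 4. Show what the identity holds at that scope. A new assignment can take a few minutes
#    to propagate before the ARM call stops returning the authorization error.
Get-AzRoleAssignment -ObjectId $sp.Id -Scope $scope | Select-Object RoleDefinitionName, Scope
```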
I am trying to add the Azure credentials (Microsoft Azure Service Principal) on jenkins server under
Credentials -> System -> Global Credentials.
Copied the subscription ID from my App service and added all the necessary information. When I click Verify Service Principal, I am getting The subscription id is not valid error.
I am pretty sure the subscription Id is correct. Am I missing something else?
I have faced a similar issue, and the solution is adding the required permissions to the service principal which we are using to authenticate.
Without any permissions on the subscription, it cannot validate.
Even though I get that error, I was able to save the settings and connect to Azure. It is definitely weird.
You will need to give the service principal access to your subscription by assigning a role to it. To assign a role to the service principal, go to the subscription level > Access control (IAM) > Add role assignment.
For Jenkins, I actually assign an Owner or a Contributor role to it. But you can choose whatever role is appropriate for your use case. You can find more details about service principals here.
I have faced a similar error and I resolved it by using the subscription ID of the resource group where I created a Service Principal