I have a Service Principal created which has contributor access. I have a user which also has contributor access.
When i login to powershel using ServicePrincipal credentials and run this command i am getting insufficient privileges error.
Get-AzADApplication|Select-Object DisplayName, ObjectId
When i login to powershel using User Credentials and run the same command i am getting the results.
DisplayName ObjectId
----------- --------
App1 XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX
App2 XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX
in azure there are two kind of roles :
Cloud resources roles ( contributor, owner, reader, etc...)
Azure AD roles ( https://learn.microsoft.com/en-us/azure/active-directory/users-groups-roles/ )
I guess that to run your command you need the second category and your principal is currently, as you said , only a contributor.
So you should assign an AD role to your principal based on what you need to do and retry .
Related
I am trying to add new permissions to the newly created application. I am the owner of the app.
Try it with az ad app permission add Add-AzADAppPermission.No success, receive that error Az.MSGraph.internal\Get-AzADApplication : Insufficient privileges to complete the operation..
Tried it to add permissions from previously asked questions here and Git Hub, but with no success.
azure-cli version:2.44.1
What I'm missing?
Thank you!
I tried to reproduce the same in my environment and got the same error as below:
Even if the user is the owner of the Application, Insufficient privileges error will still occur:
Note that: To assign permissions the user account must have Application Administrator or Global Administrator role.
To resolve the error, I assigned Application Administrator role to the user account like below:
Go to Azure AD roles and administrators -> Select Application Administrator -> Add assignments -> Select members -> Select
After assigning the role, I am able to assign API permission to the Azure AD Application like below:
Connect-AzAccount
Add-AzADAppPermission -ObjectId ObjectID -ApiId 00000003-0000-0000-c000-000000000000 -PermissionId 5f8c59db-677d-491f-a6b8-5f174b11ec1d
The Group.Read.All API permission added successfully in the Azure Portal like below:
By using the below command, trying to assign a role to the managed identity using PowerShell runbook(5.1 Runtime version).
$roleAssignment = New-AzRoleAssignment -ObjectId 'xxxx-xxxx-xxxx-xxxx' -Scope '/subscriptions/xxxx-xxxx-xxxx/resourceGroups/xxxxxxxxx' -RoleDefinitionName 'Contributor'
When we execute the runbook we ran into the below error.
Exception of type 'Microsoft.Rest.Azure.CloudException' was thrown.
But, When executed the same command from local PowerShell ISE we are able to assign the role with out any fail.
How to make runbook to assign the role to the user assigned identity.
Can any one help me solve this.
Unable to assign a role to user assigned identity through Azure Run books (1).html
Unable to assign a role to user assigned identity through Azure Run books
Exception of type ‘Microsoft.Rest.Azure.CloudException’ was thrown.
To resolve the above error, I would suggest you try to follow the below workaround that worked for me: -
Go to Azure AD --> App registrations --> Select your app --> API Permissions --> Add permission --> Microsoft Graph (You can select any Azure resource for which you want to grant permissions for) --> Application Permissions --> Directory --> Directory.Read.All
Then grant admin consent for the selected permissions for that particular resource.
Here, you can select other services which you are using, also in ‘Request API Permissions’ other than Microsoft Graph, you can use other APIs that you are working since the process is same as shown in the below snapshot: -
I try to get all users from azure ad on behalf of user, I have my custom role, my question is what is the needed permission to add it to custom role to get all users from azure ad ?!
In custom directory role, there is no permission specifically to list users. There are permissions for Groups, Applications and ServicePrincipals but not Users. You can either assign built in Directory Role like User Admin role or Directory Reader role.
You may use below PS commands to assign directory reader role if there are many users who need this permission.
$role1 = Get-AzureADDirectoryRole -ObjectId ID
Add-AzureADDirectoryRoleMember -ObjectId $role1.ObjectId -RefObjectId object_id_of_user
Get-AzureADDirectoryRoleMember -ObjectId $role1.ObjectId | Get-AzureADUser
I'm trying to create a Azure function to provisioning different kind of sites.
I've created a App in Azure AD and granted the app sharepoint and graph.
When connecting to the site I use a certificate but I'm unable to create new sites.
New-PnPTenantSite -Url $url -Title $LinkTitle -Description $description -Template "STS#0" -Owner $username -TimeZone 4 -Lcid 1044 -Force
error:
New-PnPTenantSite : The remote server returned an error: (401) Unauthorized
it returns site and lists if I use get-pnplist and get-pnpsite ..
Connect using this command:
Connect-PnPOnline -CertificatePath .\certkeyname.pfx -Tenant 'xxx.onmicrosoft.com' -ClientId 'xxxx-xxx-xx-xx-xxxxxxx' -Url 'https://xxx.sharepoint.com'
answer is in this post
Azure AD application with Global Administrator rights
You can elevate the level of access an Application has in your tenant by adding the service principal of that application to the Company Administrator Directory Role. This will give the Application the same level of permissions as the Company Administrator, who can do anything. You can follow these same instructions for any type of Directory Role depending on the level of access you want to give to this application.
Note that this will only affect the access your app has in your tenant.
Also you must already be a Company Administrator of the tenant to follow these instructions.
In order to make the change, you will need to install the Azure Active Directory PowerShell Module.
Once you have the module installed, authenticate to your tenant with your Administrator Account:
Connect-MSOLService
Then we need to get the Object ID of both the Service Principal we want to elevate, and the Company Administrator Role for your tenant.
Search for Service Principal by App ID GUID:
$sp = Get-MsolServicePrincipal -AppPrincipalId
Search for Directory Role by Name
$role = Get-MsolRole -RoleName "Company Administrator"
Now we can use the Add-MsolRoleMember command to add this role to the service principal.
Add-MsolRoleMember -RoleObjectId $role.ObjectId -RoleMemberType ServicePrincipal ->RoleMemberObjectId $sp.ObjectId
To check everything is working, lets get back all the members of the Company >Administrator role:
Get-MsolRoleMember -RoleObjectId $role.ObjectId
You should see your application in that list, where RoleMemberType is ServicePrincipal >and DisplayName is the name of your application.
Now your application should be able to perform any Graph API calls that the Company >Administrator could do, all without a user signed-in, using the Client Credential Flow.
As part of an Azure SQL database automation solution, I'm trying to create Azure SQL database users mapped to Azure AD Identities, using a service principal.
The result is an error message saying: Principal 'AAD_User_UPN_or_Group_Name' could not be found at this time. Please try again later.
The database users can be created using my own user account, following exactly the same procedure.
Please find more details below:
The service principal is a member of an Azure AD security group
The group is set as the Active Directory Admin of an Azure SQL server
My own user account is also a member of this group
The service principal has Directory Reader and Directory Writer role in the Azure Active Directory
My own user account is a regular member without any admin role in the Azure Active Directory
The service principal executes following T-SQL statement inside the Azure SQL database:
CREATE USER [AAD_User_UPN_or_Group_Name] FROM EXTERNAL PROVIDER;
The returned error message is:
Principal 'AAD_User_UPN_or_Group_Name' could not be found at this time. Please try again later.
When the same T-SQL statement is triggered by my own user account, it runs successfully and the user is created.
Your help or suggestions are highly appreciated.
I opened a ticket with Azure support and they gave me this solution.
The sql statement needs to be:
-- type X for AAD Group
create user [myAADGroupName] with sid = <sid>, type = X;
-- type E for AAD User or Service Principal/MSI
create user [myAADUserName] with sid = <sid>, type = E;
The sid needs to be generated from the AAD Principal ObjectID in most cases. However, for Service Principals/MSIs, it needs to come from the AppId. Here's a powershell script to generate the sid value:
param (
[string]$objectIdOrAppId
)
[guid]$guid = [System.Guid]::Parse($objectIdOrAppId)
foreach ($byte in $guid.ToByteArray())
{
$byteGuid += [System.String]::Format("{0:X2}", $byte)
}
return "0x" + $byteGuid