I want to assign role Things.Reead.All, created in my app registration to a managed identity.
The app registration SP object id is 8055e1eb-0000-0000-9b77-00000000000
The Role definition looks like this
"appRoles": [
{
"allowedMemberTypes": [
"Application"
],
"description": "Allow the application to read all things as itself.",
"displayName": "Read all things",
"id": "86a914fa-a862-4962-9975-000000000000",
"isEnabled": true,
"lang": null,
"origin": "Application",
"value": "Things.Read.All"
}
The only thing known about a system assigned managed identity is its object id, say
aad300-0872-0000-811d-00000000000
and I want to allow it to call the application 8055e1eb-0000-0000-9b77-00000000000 that expects to see the Role in access token.
I know I have to use the following api to do this.
https://graph.microsoft.com/v1.0/servicePrincipals/8055e1eb-0000-0000-9b77-00000000000/appRoleAssignedTo
{
"principalId": "aad300-0872-0000-811d-00000000000",
"resourceId": "8055e1eb-0000-0000-9b77-00000000000",
"appRoleId": "86a914fa-a862-4962-9975-000000000000"
}
I have wide but controlled access in my tenant. When I acquire a token from
az account get-access-token --resource https://graph.microsoft.com
and call the above, I get
"code": "Authorization_RequestDenied",
"message": "Insufficient privileges to complete the operation.",
What I need to figure out is the exact privilege that is needed to make this call.
As you did not answer my comment, I can just give you my own solution which used the service principal to login the azure cli, it works for me.
Please follow the steps below.
1.Create a new App Registration in azure ad, then get values for signing in and create a new application secret.
2.Navigate to the API permissions of the App, add the Application permission(not Delegated permission) Directory.ReadWrite.All of Microsoft Graph, don't forget to click the Grant admin consent for xxx button at last.
Note: From the doc, the AppRoleAssignment.ReadWrite.All permission is enough, but per my test, it will not work, not sure if it is a bug, I have decoded the token, the token has the AppRoleAssignment.ReadWrite.All permission.
3.In azure cli, run the commands below to get the token.
az account clear
az login --service-principal --allow-no-subscriptions --username '<application-id>' --password '<application secret>' --tenant '<tenant-id>'
az account get-access-token --resource https://graph.microsoft.com
4.I test the token to call the api - Grant an appRoleAssignment for a service principal to grant the app role for the system-assigned identity of my funtion app,it works fine.
Check it in the portal:
Related
I have already created my service principal.
Using GitHub I need to complete all parameters below. My question is where and how can we find each one?
AZURE_CREDENTIALS :
{
"clientId": "XXX",
"clientSecret": "XXX",
"subscriptionId": "XXX",
"tenantId": "XXX",
"activeDirectoryEndpointUrl": "XXX",
"resourceManagerEndpointUrl": "XXX",
"activeDirectoryGraphResourceId": "XXX",
"sqlManagementEndpointUrl": "XXX",
"galleryEndpointUrl": "XXX",
"managementEndpointUrl": "XXX"
}
I've already seen in the documentation that we can generate a JSON file for a new principal service using CLI Azure:
az ad sp create-for-rbac `
--name "myApp" --role contributor `
--scopes /subscriptions/8baa642d-5109-4f1c-b935-401e5b215078/resourceGroups/rg-ai-recommender `
--sdk-auth
But I want to use the existing Service Principal.
You can run the command multiple times.
If you run it again, a message will appear stating something like:
az ad sp create-for-rbac --name TestPrincipal --role Contributor --sdk-auth
Found an existing application instance of "[existingId]". We will patch it
Creating 'Contributor' role assignment under scope '/subscriptions/[guid]'
Role assignment already exists.
The output includes credentials that you must protect. Be sure that you do not include these credentials in your code or check the credentials into your source control. For more information, see https://aka.ms/azadsp-cli
'name' property in the output is deprecated and will be removed in the future. Use 'appId' instead.
{
"clientId": "[existingId]",
"clientSecret": "[aNewSecret]",
"subscriptionId": "[subscriptionid]",
// all the other properties
}
Of course, this will invalidate the credentials you're using in the other repositories, so you should update those also.
Recovering the secret isn't possible because it's a secret.
This way you can use the same service principal in multiple repositories.
Do keep in mind, it might be a more secure strategy to create new service principals for different services/deployments, so you can make the assignments of roles as granular as possible. But that's not what your question is about.
There are three types of service principal:
Application
Managed Identity
Legacy
You can use the Enterprise applications blade in the Azure portal to list and manage the service principals in a tenant. You can see the service principal's permissions, user consented permissions, which users have done that consent, sign in information, and more.
Go to the Azure Portal, open Azure Active Directory and click the Enterprise Applications menu item under Manage.
There, find the registration for the service principal, and find the corresponding information.
To create a new clientSecret for a service principal, find the corresponding registration in App Registrations and open up the Certificates & secrets menu under Manage. From there, you can create a new secret. You cannot see values for existing secrets.
I am using the following Az Cli command to create an Azure AD B2C application:
az ad app create --display-name 'mytestapplication'
What I'd then also like to do in the process is grant some permissions, as per the Azure AD Microsoft Graph API permissions list. Below are two such examples of the permissions I'd like to grant. I'm however struggling to find any Az Cli examples or references that can enable me achieve this. Any suggestions?
User.ReadWrite.All
Application.ReadWrite.All
In order to grant a specific permission for an app registration , you need to pass those permissions in manifest.json file with a particular scope.
You can use the below cmdlet to create a app registration & to assign the specific azure-ad-microsoft-graph-api-permissions for that app registration.
az login -tenant [myb2ctenant.onmicrosoft.com](http://myb2ctenant.onmicrosoft.com/) --allow-no-subscriptions (this cmd helped me to login to B2C without subscription)
az ad app create --display-name 'mytestapplication' --required-resource-accesses #manifest.json
manifest.json file:
{
"requiredResourceAccess": [
{
"resourceAppId": "00000003-0000-0000-c000-000000000000",
"resourceAccess": [
{
"id": "204e0828-b5ca-4ad8-b9f3-f32a958e7cc4"(# for Application.ReadWrite.All),
"type": "Scope"
},
{
"id": "1bfefb4e-e0b5-418b-a88f-73c46d2cc8e9(# for User.ReadWrite.All)",
"type": "Role"
}
]
}
]
}
Here is the output screenshot for reference:
For more information about app registration creation & Assigning permissions for a native app registration cmdlets you can refer this documentation.
I am trying to create an Azure AD Group via the Graph API using a service principal. The intent is that the service principal will create the group in a Pipelines run.
The call I am using to attempt to create the group is
az rest --method post \
--uri 'https://graph.microsoft.com/v1.0/groups' \
--body '{"description": "A description", "displayName": "MyAppGroup", "mailEnabled": false, "mailNickname": "test", "securityEnabled": true, "owners#odata.bind": ["https://graph.microsoft.com/v1.0/users/oooooooo-oooo-oooo-oooo-oooooooooooo"]}' \
--headers "Content-Type=application/json"
To graph permissions, I have bound the API permission Group.Create to my service principal. To understand the permissions I am required to grant, I am following this page:
https://learn.microsoft.com/en-us/graph/api/group-post-groups?view=graph-rest-1.0&tabs=http#permissions
With the Group.Create permissions, when I run the rest call to the Graph API above, I get the following permission error
Forbidden({
"error": {
"code": "Authorization_RequestDenied",
"message": "Insufficient privileges to complete the operation.",
"innerError": {
"date": "2020-11-02T13:31:35",
"request-id": "...",
"client-request-id": "..."
}
}
})
I completely understand that if I were to add the Directory.ReadWrite.All, I could make the group and would have all required permissions. However this permission is overscoped and would allow my service principal to disable users in the Active Directory tenant - something my organisation will now allow. Therefore I cannot grant my service principal this permission.
The documentation I have linked above implies to me that Group.Create is a sufficient permission to enable a service principal to create a group.
My question is what I am doing wrong, or what permissions am I missing to be able to create a group? Directory.ReadWrite.All is clearly overscoped to simply create an AD security group and so using it is not an option for me.
Hopefully this helps someone else - I realised the answer immediately after posting this.
I had added the property
"owners#odata.bind": ["https://graph.microsoft.com/v1.0/users/oooooooo-oooo-oooo-oooo-oooooooooooo"]
to the json post data.
Removing this property allowed me to create the group with just the Group.Create permission.
Adding the permission User.Read.All allows the service principal to read the user data for the owner, and so is sufficient to create the group with any necessary owners.
After adding this API permission, my service principal was able to create the group (with owners) as expected.
I have an Azure Function with Azure Active Directory authentication enabled (including "Action to take when request is not authenticated" = "Log in with Azure Active Directory"). Additionally the option "User assignment required?" of the Azure Function related service principal (sp_func) is set to "Yes" to avoid everybody in the tenant being able to in the end run the function.
The goal is to have a single security group (that can include users as well as service principals) that is added to "Users and groups" of sp_func so that the assignment to the group decides if the function can be accessed or not. With users this works fine but not with service principals (sp_nonfunc). For them (sp_nonfunc) to work I have to set the permissions for them (sp_nonfunc) what in the end allows them to interact with the Azure Function no matter if they (sp_nonfunc) are assigned to the group or not.
Is it possible that I can just add a service principal (sp_nonfunc) to a group with the group being added to sp_func and then be able to execute the Function by using sp_nonfunc (without giving explicit permissions to sp_nonfunc)?
EDIT: it also does not seem to be possible to add sp_nonfunc to sp_func directly even if I defined an own appRole in the Manifest. The only way currently seems to be to add permissions on sp_nonfunc for sp_func - but that is what I want to avoid.
EDIT2: here how I have defined the role in the sp_func manifest
"appRoles": [
{
"allowedMemberTypes": [
"Application"
],
"displayName": "AzureFunctionAccess",
"id": "xxx-xxx-xxx-xxx-xxx",
"isEnabled": true,
"description": "Access Azure Function.",
"value": "AzureFunctionAccess"
}
]
EDIT3: when I don't assign a role directly to sp_nonfunc but just add sp_nonfunc to the security group I get, when making a request to https://login.microsoftonline.com/<tenant id>/oauth2/token with resource = Application ID URI of the registered app of sp_func:
{
"error": "invalid_grant",
"error_description": "AADSTS501051: Application 'xxx-xxx-xx-xx-xx'(xxx) is not assigned to a role for the application 'https://xxx'(xxx).\r\nTrace ID: xxx-xxx-xx-xx-xx\r\nCorrelation ID: xxx-xxx-xx-xx-xx\r\nTimestamp: xx-xx-xx xx:xx:xxZ",
"error_codes": [
501051
],
"timestamp": "xx-xx-xx xx:xx:xxZ",
"trace_id": "5xxx-xxx-xx-xx-xx",
"correlation_id": "xxx-xxx-xx-xx-xx",
"error_uri": "https://login.microsoftonline.com/error?code=501051"
}
This way will not work, to use a service principal(in your case, the sp_nonfunc) get the token for the function app(sp_func), you need to give the API permission for the sp_nonfunc.
Navigate to the App Registration related to the sp_nonfunc in the portal -> API permissions -> add the AzureFunctionAccess you defined, at last click the Grant admin consent for xxx button.
Then get the token with the client credential flow, it will work fine. (I use the v2.0 endpoint, if you use the v1.0, it will also work.)
For more details about the steps, I wrote in this post before, you could refer to it.
I am trying to troubleshoot why certain automation tasks don't work with a Service Principal I've created, most especially any tasks involving Azure Active Directory. The Azure Portal seems to clearly show that the Service Principal has been granted the Microsoft.Graph Directory.Read.All API Permission. The portal also shows that this Service Principal has the User.Read permission as well.
However, when I run az ad app permission list-grants for the Service Principal, it only lists User.Read. This makes me wonder whether the Directory.Read.All permission is actually present. And yes, the portal clearly shows that Directory.Read.All permission has been granted.
How can I confirm that my Service Principal actually does have the Directory.Read.All API Permission?
az ad app permission list-grants --id db7a66b4-06ad-4412-9bbc-73cb34f96ce2 --show-resource-name
[
{
"clientId": "01b359a2-f452-43c6-b290-e5ea1b359f38",
"consentType": "AllPrincipals",
"expiryTime": "2019-12-08T17:07:04.550141",
"objectId": "olmzAVL0xkOykOXqGzWfOAvNygY8CKVIummKcmVpwq8",
"odatatype": null,
"principalId": null,
"resourceDisplayName": "Microsoft Graph",
"resourceId": "06cacd0b-083c-48a5-ba69-8a726569c2af",
"scope": "User.Read",
"startTime": "0001-01-01T00:00:00"
}
]
And a crude recreation of what I see in the portal for this Service Principal under Azure Active Directory > App Registrations > (Service Principal Name) > API Permissions:
API/Permissions name Type Admin Consent Required
-------------------- ----------- -----------------------------------
Microsoft Graph (2)
Directory.Read.All Application Yes <green check> Granted for MyOrg
User.Read Delegated <green check> Granted for MyOrg
As you have found, the reason is the Azure CLI command az ad app permissions list-grants just list the delegated permissions.
If you also want to get the application permissions granted to the service principal,
currently it is not supported by the Azure CLI and Az powershell module, you need to use AzureAD powershell module.
Try the script as below, it writes output the API name and corresponding permission.
Note the ObjectId in the first line is the ObjectId of your service principal, not the AD App(App registration), you can find it in the Enterprise applications in the portal(filter with All applications).
$apppermissions = Get-AzureADServiceAppRoleAssignedTo -ObjectId <ObjectId of your service principal>
foreach($item in $apppermissions){
$item.ResourceDisplayName
(Get-AzureADServicePrincipal -ObjectId $item.ResourceId).AppRoles | Where-Object {$_.Id -eq $item.Id}
}
The permissions in the App registration in the portal:
Here is a similar issue, you can also take a look.
I finally figured this out, and it was less than obvious.
az ad app permissions list-grants lists oauth2 permissions. In other words, delegated permissions.
My Service Principal's Directory.Read.All permission is an application permission. That means it's a permission my Service Principal has in its own right without needing another user's authentication token.
I'm still trying to figure out how to list the Application permissions using the new az commands and/or the new Get-Az PowerShell modules. If I find out how I'll update this answer.
I found out you can get that output with az cli but by using the rest command like this:
az rest --method get --url https://graph.microsoft.com/v1.0/servicePrincipals/{YOUR_SERVICE_PRINCIPAL_ID}/appRoleAssignments