I need service principal to run Get-AzADServicePrincipal -SearchString "sa-*" in order to find ApplicationIDs during deployment process
Which permissions to I have to assign to this service principal?
In the perfect scenario those should allow read only
Assuming the powershell command actually uses graph in the background, you would have to give it directory.read.all api permissions.
But if that doesn't work, then you'll have to assign the service principal to a role in the tenant that has access to read the sp info like. Directory Readers Role should be able to. Please note it could take a while to take effect, up to 24 hrs.
Related
I currently create a service principal using the Azure CLI:
az ad sp create-for-rbac --name foo --role Contributor
I need the service principal to have enough permissions to create/modify/delete various Azure AD resources including Applications, other Service Principals and Service Principal Passwords. When I use the above service principal to create other service principals, I currently get 403 Forbidden errors.
I have also tried using the 'Owner' and 'User Access Administrator' roles but these still give me a 403 error. What do I need to add to the above Azure CLI command or what additional role assignments do I need to add?
I'd like to use the service principal in a Pulumi program with their Azure AD provider (based on Terraform's Azure AD provider). See:
https://github.com/pulumi/pulumi-azuread/issues/246
In order for a service principal to be able to manage applications it requires API permissions. There is no such thing as a scope, because the API permissions are against the Azure AD API. Scopes are only applicable when it is related to the Resource Manager API. These are not the same thing.
When you go to application registrations in Azure AD, you can find the application, this is also where you will be able to assign the API permissions and grant consent.
You will do this either on the Azure Active Directory Graph, or on the Microsoft Graph. In my experience only the permissions assigned with the Azure Active Directory Graph worked.
Application.ReadWrite.All
Application
Read and write all applications
Application.ReadWrite.OwnedBy
Application
Manage apps that this app creates or owns
You will find these two application permissions that you could use. The first you can use manage all applications.
The az cli command you are using is to create a role assignment. This is RBAC on the subscription, it has nothing to do with Azure AD aside from the service principal being an AAD resource.
You need to add the scope of this service principal and also change the Azure role of this Service Principal to 'User Access Administrator' to enable you to modify resources in Azure AD. Also, 'User Access Administrator' role will give the service principal the required permissions for that Azure role to assign RBAC permissions. Please refer the below command for more details: -
az ad sp create-for-rbac --name foo --role User Access Administrator --scopes /subscriptions/{subscriptionId}/resourceGroups/{resourceGroup1}
Also, ensure that the user ID through which you are creating this service principal and assigning the role to it has permissions to register and create applications in Azure AD. If not, then please assign that ID 'Application Administrator' Azure AD role or you should be allowed to create and register applications by an administrator even though being a 'User'.
You need to give your service principal "App admin" permissions. This allows you to create application registrations and also set their credentials. And it does not give it rights to do anything else such as manage users and groups. If your intent is to include those, you need to add additional roles to the service principal.
https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#application-administrator
Hi I'm trying to use the Azure CLI command logged in a service principal
az ad sp list
and I get the error message Insufficient privileges to complete the operation.
The service principal is owner of the subscription and has been assigned Delegated API Permission Directory.Read.All for both Microsoft Graph and Azure Active Directory Graph.
I have a similar setup on another Azure tenant where the same command will give me a list of SP's with the same API permissions. What's missing.
Apparently giving an SP the 'Owner' role is not enough. You have the give it the 'Directory Readers' role. This is not possible using the Azure CLI or Portal though. You have to use the Azure AD Graph API, easiest way to do this is using https://graphexplorer.azurewebsites.net/.
Now, the steps to add give the SP the Directory Readers role are a bit long to explain here, I found them here: https://lnx.azurewebsites.net/directory-roles-for-azure-ad-service-principal/
We have a Azure setup with multiple subscriptions, right now we would like to review the access rights of certain service principals. We were wondering whether there is a way to visualize all the access rights of a service principal? (E\either through the Azure Portal, az cli or PowerShell)?
I can't seem to find a streamlined way - It may be the case I am overlooking something :-)
Use Get-AzRoleAssignment to list the roles of a service principal.
For example: Get-AzRoleAssignment -ServicePrincipalName "http://testapp1.com".
See reference here.
For Azure CLI reference, see Manage service principal roles.
I have a service principal that I use for automation. It has the Directory.Read.All permission in Microsoft Graph for our Azure Active Directory.
It cannot run the Set-AzSqlServerActiveDirectoryAdministrator command. The error I get is:
Cannot find the Azure Active Directory object 'My-AD-Group'.
Please make sure that the user or group you are authorizing is
registered in the current subscription's Azure Active directory.
If I run this same command as myself, it runs just fine.
Clearly my Service Principal needs more than the Directory.Read.All permission. Yet I cannot find any documentation that lists exactly what API Permissions my Service Principal would need to successfully run this command.
Does anyone know how I can discover exactly what API permissions would be required to run a particular Azure PowerShell command that involves accessing Azure Active Directory?
As an aside, I'm not tied to PowerShell. I cannot get this command to work with the az cli either. I'm open to methods using az that would get me this answer.
You need to give the Directory.Read.All(Application permission) of Azure AD Graph API not the Microsoft Graph API. Also make sure the service principal has the permission of the sql server(e.g. the service principal is the Owner of the subscription or the sql server), then it will work fine.
If you want to add the service principal as a role of the subscription or sql server, navigate to the subscription or the sql server in the portal -> Access control (IAM) -> Add -> Add role assignment -> search your service principal with name and add it as a role(e.g. Owner) -> Save, more details here.
Set-AzSqlServerActiveDirectoryAdministrator -ResourceGroupName "<ResourceGroupName>" -ServerName "<ServerName>" -DisplayName "group1" -ObjectId "64d1b8xxxxx4ffbd"
Does anyone know how I can discover exactly what API permissions would be required to run a particular Azure PowerShell command that involves accessing Azure Active Directory?
The Azure PowerShell essentially calls the different APIs, to get the permissions of the APIs, you could catch the request via Fiddler, then look into the official API doc for the permissions.
I would like to create a least permission custom role in Azure to assign to a service principal that only allows the service principal to register Azure AD applications and service principals.
The "Contributor" standard role has all the needed rights but also a great many that are not needed, and I can't find anything in the list of available operations that seems to correspond to application registrations which could be used to produce a custom role.
It turns out the question is misguided - I had thought the assignment of Microsoft.Azure.ActiveDirectory permissions to the service principal was insufficient to create and edit app registrations. But it turns out I was just running up against a 5-10 minute lag between permissions being set in the Azure portal and the permissions taking effect. Granting the contributor role to the service principal just happened to take enough time for the original permissions to take effect.
AFAIK, you would not need to create a custom role in Azure to allow registering Azure AD Applications and Service Principals.
Who can register an application through Azure AD is controlled by user's membership in Azure Active Directory itself and their "Directory Role" in that Azure AD for some operations but not the usual RBAC built-in or custom roles which you are looking at (as you mention the list of ARM Resource Provider operations in your question)
Please refer to this Microsoft Documentation: Who has permission to add applications to my Azure AD instance?
UPDATE: Answering query from comments after Simon's edit to original question.
How to provide application registration privileges to a service principal?
Again, you will not use RBAC roles or create custom roles as you mention in your question but instead provide specific "application permissions" to the relevant Service Principal in Azure AD. I'll give steps below.
Go to your Azure AD, "Registered applications"
Find your service principal (may need to look at all applications instead of just my)
Add required permissions as shown below:
Once you've selected the right permissions and done. Please click on "Grant Permissions" because these permissions need Admin consent.
Use a custom AAD role as described here.
This is preferable to granting the built-in "Application Developer" role because it's too permissive and has the 250 App limit..
#Requires -Modules AzureADPreview
# 3 October 2020
# Connect-AzureAD
$ParameterList = #{
DisplayName = 'Application Registration Creator'
Description = 'Can create an unlimited number of application registrations.'
TemplateId = (New-Guid).Guid
IsEnabled = $true
RolePermissions = #{
allowedResourceActions = #(
'microsoft.directory/applications/create'
'microsoft.directory/applications/createAsOwner'
)
}
}
$customRole = New-AzureAdMSRoleDefinition #ParameterList