I am using .Net Core App with hosting it on Azure Portal. Now at some place I need to use Get the detail of logged in User (Active Directory user) in the application. So for that I am using Microsoft Graph API. So to setup this permission I am using Get-AzureADServiceAppRoleAssignment command. It is working fine when I run this command with Global Administrator account access. But it throws error when I used it without Global Administrator account access.
Error: Service_InternalServerError. as shown in below image.
Anyone have an idea or suggestions how to get rid of this error, and Is there any way to run this script without Global Admin access?
Any help or suggestions will be highly appreciated !
Thanks
Assign the Cloud Application Administrator directory role to the affected user and try again.
the problem here is you don't necessarily need global admin, but the application/user would need a role that has at least roleassignment permissions. so you could create a custom role at the subscription level that has role assignment permissions.
you need
"Microsoft.Authorization/roleAssignments/"
and maybe
"Microsoft.Management/managementGroups/read"
"Microsoft.Authorization/roleDefinitions/"
However, I would like to point out that if an application has role assignment permissions, it can technically assign itself a global admin role.. so it doesn't add any extra real security.
Related
Iam trying to determine the minimum user rights , roles I can assign a user just so they can pull information from Azure AD, etc.
Currently the commands I am looking into are : Get-AzureADDevice , Get-AzureADUser, Get-MsolDevice.
All documentation I find just lists uses, examples etc. but not rights and I am currently unable to test out a case by case from normal user up to admin to find which rights are required.
Assigned the Global Reader role to the user and tested one of the given commands (Get-AzureADUser) in the Question.
Tried to update the user but not possible due to the role permission restrictions.
Note: Global Reader - Can read everything that a Global Administrator can, but not update anything.
Updated Answer:
Assigned the Directory Reader Role to the user and checked the workflow, able to get the information but not successful to update or do management work like updating/modifying the information using Azure Active Directory PowerShell Commands:
Workaround Result:
Note: Directory Reader Role - Can read basic directory information. Commonly used to grant directory read access to applications and guests.
Depending on your requirement, you can choose any of the above RBAC for the user.
I found sample code from Microsoft docs but it doesn't seem to work.
If anyone has any insight that would be helpful.
Also the broad question is if that is even possible.
As the NodeJS uses Tedious library, it's not clear if Tedious is able to support AAD connection.
Sample code was taken from: https://learn.microsoft.com/en-us/azure/azure-sql/database/connect-query-nodejs?tabs=windows
It has the code sample with type: azure-active-directory-msi-app-service which I think should work.
The error I am getting is 'Security token could not be authenticated or authorized.'
The managed-identity user is added to the resources, with permissions
The code was working after adding a 'reader' role for principle user in sql server.
The steps that are required to connect SQL Server through AAD - Managed identity for NodeJS project are as below:
Create sql-server with sql-server database in an azure resource.
Create an azure-web app within the same azure resource.
Create a principle user in the web app.
This can be done by going to the azure web app > Settings > Identity menu > System-assigned tab and turning on the toggle.
In the sql-db create the user with the same name as principle user that was created in step 3. The name is same as web-app.
Also assign db_reader, db_writer, and ddladmin roles to the user.
You may use the below script to create and assign role to the user. (One thing to consider if it fails to create the user, you might need to rename the app-service name as in my case it was not allowing me to create the User saying it already exists).
**CREATE USER [<identity-name>] FROM EXTERNAL PROVIDER;
ALTER ROLE db_datareader ADD MEMBER [<identity-name>];
ALTER ROLE db_datawriter ADD MEMBER [<identity-name>];
ALTER ROLE db_ddladmin ADD MEMBER [<identity-name>];**
Add the reader role to the principle user in the sql server. (The one that I was missing).
This can be done by going to the Sql server resource(in Azure)> Access control (IAM)
Select Reader and select member/user (principle user with the app name), and assign the role reader to that user/member.
After all these configuration part is done, use the code from microsoft docs. For me lower node version was not working so needed to upgrade the node version.(14 in my case).
https://learn.microsoft.com/en-us/azure/azure-sql/database/connect-query-nodejs?tabs=windows
Also the connection was successful only in the deployed version.
Hope this is helpful !! :)
I need to schedule two cloud functions to run at a predefined time using Cloud Scheduler. However, when I click on the Cloud Scheduler tab it shows the below error message.
You don't have permission to enable Cloud Scheduler (appengine.applications.create, serviceusage.services.enable)
So I asked the project owner to grant me access to the below roles:
Cloud Scheduler admin
AppEngine Admin
Service Usage Admin
However, even after this I'm still getting the same message as before.
Below are the current roles that I have access to:
App Engine Admin
BigQuery Data Viewer
BigQuery User
Cloud Scheduler Admin
Cloud SQL Admin
Editor
Service Usage Admin
Storage Admin
Kindly let me know if I'm missing something here.
You don't need to be the project Owner.
You need these permission:
appengine.applications.create
serviceusage.services.enable
Predefined roles for first permission:
roles/owner
roles/appengine.appCreator
Predefined roles for second permission:
roles/owner
roles/editor
roles/serviceusage.serviceUsageAdmin
Since you already are an Editor, you only need to request App Engine Creator role for the first permission.
For you to be able to perform the configuration of Cloud Scheduler, you need to be the Project Owner.
Could you please give it a try asking your administrator to make you the Project Owner?
Understanding roles
This should fix your issue and solve your case. In case it doesn't, let me know if you are facing the same error.
Please, let me know if it worked!
If you are using target HTTP Method in your Cloud Scheduler, you can add Auth Header (Add OAuth token) with a particular or spesific service account.
I've created and registered a web application via Azure Active Directory -> App Registrations.
Within my application manifest I've created a role (why there's no UI to do this is beyond me), and for now am planning on adding quite a few more.
However, I'm unable to assign users to the role I created via Azure Active Directory -> Enterprise Applications, as the Add, Edit, and Remove options are greyed out.
According to these docs, I need to be Global Admin to be able to set these. The only way I can do so is to keep pestering my network admin every time I want to assign users/groups to roles. This is obviously not a suitable solution, and as the registered application owner, it should be trivial for me to control the authorization levels of my application.
How is it possible for me to assign users & groups to the roles I create? If it's simply not possible without having to raise the issue with my global admin, what are my options?
Unfortunatelly, as per docs, you already went through, today only administrator can assign roles to an application.
There is a feature request to simplify that and Microsoft is working on a solution. If you give your vote, it will certainly make the request more important.
For time being it is only the Global Admin who can grant permissions to an Application.
I am trying to get some content from site collections in O365 via CSOM API.
I am using the Global Administrator account and getting the following error: Access denied. You do not have permission to perform this action or access this resource.
If I give the Global Administrator user that I use the Site Collection Administrator permission, then I am not getting the exception.
Is it possible to give the Global Admin another less powerful then Site Collection Administrator to achieve the same result?
If no, is there any other API that doesn't require adding the Site Collection Administrator permissions to the Global Administrator?
The global administrator should have full access through the whole tenant and shouldn't require you to modify its permissions to access the api. Do you definately mean the global admin account that was used to setup the tenant? Or have you created another account and assigned it global admin access?
Since the Global administrator and site collection administrator have 2 different roles it is essential to add Site Collection permission to the Global administrator account.
You can find more details at the following link : https://sharepoint.stackexchange.com/questions/164763/sharepoint-online-administrator-is-site-collection-administrator