I am trying to grant user_impersonation = scope rights to Azure AD App programatically .But unfortunately i am not getting the correct GUID of user_impersonation. I took it from another application manifest file but it seems it changes every time. Can someone assist me here.
I tried the below command to grant access
az ad app permission add --id --api --api-permissions user_impersonation=Scope
I have the way around by using below approach, Please suggest if it is right
$sp = Get-AzureADServicePrincipal -ObjectId "ObjectId"
$sp.Oauth2Permissions | select Id,AdminConsentDisplayName,Value
For this you get the below :
Id AdminConsent DisplayName Value
fb5a-c16f-4e30-49cd-ad2b3 Access ddudisplay user_impersonation
As soon as you have highlighted ID then you can put in the below command
az ad app permission add --id "appid" --api"resourceid" --api-permissions fb5a5asncdb-c16f-4e30-49cd-ada072b3=Scope
and viola it works.
Related
so the background as follows:
for installation and deployment process we need to modify a customer created App Registration.
but we get not the right Application.ReadWriteAll but we could get Application.ReadWrite.OwnedBy.
I know that if creating an Graph Api Call (excecuted with Postman) as shown below it worked, because Creator is automatically the Owner.
.
HTTP-Post Request:
https://graph.microsoft.com/v1.0/applications
with body:
{
"displayName": "AppRegName"
}
But I need to solution with standard tool like azure portal or powershell and I found no way to assign or remove a service principal as owner to an App Registration.
Is there a way to to do this with powershell?
The authentifiaction with an service principal i dont't know how I can do it?
I think after I can create an App Registration with
$appRegistration = New-AzADApplication -DisplayName "AppRegCreatebyPS"
but I very unexperinced in using powershell.
So how I can tell powershell to use the service principal authentitification for creating App Registrations?
A short extra question:
Can I remove later the owner role for the service principal and how can I do it?
Thanks for all Readers And I hope someone can give me a hint.
You can create App registration, Service Principal for App registration, Add application owner and remove application owner all from PowerShell AzureAD module.
Command to install Azure AD module in PowerShell:
Install-Module AzureAD
You can use the below commands :
#Connect to Azure AD
Connect-AzureAD
#Create Azure AD app Registration
$appRegistration = New-AzureADApplication -DisplayName "AppRegCreatebyPS"
# Create A service Principal for the above app Registration
New-AzureADServicePrincipal -AccountEnabled $true -AppId $appRegistration.AppId -AppRoleAssignmentRequired $true -DisplayName $appRegistration.DisplayName
# get objectid for the service principal
$serviceprincipal= Get-AzureADServicePrincipal -Filter "DisplayName eq 'AppRegCreatebyPS'"
#Get the old app registration for whom you want set owner
$oldappregistration = Get-AzureADApplication -Filter "DisplayName eq 'Postman'"
#add service principal to the application owner of old app registration
Add-AzureADApplicationOwner -ObjectId $oldappregistration.ObjectId -RefObjectId $serviceprincipal.ObjectId
# verify the owner for the old app registration
Get-AzureADApplicationOwner -ObjectId $oldappregistration.ObjectId
#remove the owner for the old app registration
Remove-AzureADApplicationOwner -ObjectId $oldappregistration.ObjectId -OwnerId $serviceprincipal.ObjectId
Reference:
Cmdlts for Azure AD module reference
This can be done like below from bash or windows subsystem linux.
Login to your Azure account
az login
Execute below command
az ad app owner add --id AAAA --owner-object-id AAAA
--id(Application id) , --owner-object-id (Owners object id)
Ref : https://learn.microsoft.com/en-us/cli/azure/ad/app/owner?view=azure-cli-latest
I cannot add Microsoft.Azure.Cdn service principal to Key Vault access policies.
I have run the following command in PowerShell.
New-AzureRmADServicePrincipal -ApplicationId "xxxxxx-xxxx-xxxx-xxxx-xxxxxxx"
I got the following result.
Secret: System.Security.SecureString
ServicePrincipalNames : {xxxxxx-xxxx-xxxx-xxxx-xxxxxxx,
https://microsoft.onmicrosoft.com/yyyyyyy-yyyy-yyyy-yyyy-yyyyyyyy}
ApplicationId: xxxxxx-xxxx-xxxx-xxxx-xxxxxxx
DisplayName: Microsoft.Azure.Cdn
Id: zzzzzzzz-zzzz-zzzz-zzzz-zzzzzzzzz
AdfsId:
Type: ServicePrincipal
Then I went to the Access Policies of the Key Vault to add the principal there but I can't find it in the list.
Update
When I try to add it I get this result.
But when I do the following that was suggested in a comment:
"First, navigate to the Azure Active Directory in the portal -> Enterprise applications -> filter with All applications -> search for the ApplicationId in your result, make sure the service principal is existing."
Then I get no result.
First, navigate to the Azure Active Directory in the portal -> Enterprise applications -> filter with All applications -> search for the ApplicationId in your result, make sure the service principal is existing.
In the Add access policy page, search for the Id in your result(i.e. the Object ID of the SP), it should work.
Or you could use Set-AzureRmKeyVaultAccessPolicy to add a service principal to the access policy, the -ObjectId is the Id in your result.
Sample:
Set-AzureRmKeyVaultAccessPolicy -VaultName 'Contoso03Vault' -ObjectId 34595082-9346-41b6-8d6b-295a2808b8db -PermissionsToSecrets Get,Set
Update:
Follow the steps as below.
Navigate to your keyvault in the portal -> copy the Directory ID and Subscription ID.
Login with Connect-AzureRmAccount -TenantId "<Directory ID>" -Subscription "<Subscription ID>", use the two properties above.
If you already logged in, just use Set-AzureRmContext -Tenant "<Directory ID>" -SubscriptionId "<Subscription ID>".
Then use the New-AzureRmADServicePrincipal -ApplicationId "xxxxxx-xxxx-xxxx-xxxx-xxxxxxx" to create the service principal, when you create it successfully, navigate to the access polices in your keyvault to try to add it again.
Another way to solve this problem is by using the Azure CLI.
First check you are working with the right subscription by following below steps:
Login to Azure
az login
Get a list of your subscriptions
az account list --output table
Set a subscription from the list to be the current active one
az account set --subscription "<SUBSCRIPTION_NAME>"
Now copy the Service Principal ID shown in the blue box when you enable the "Custom Domain HTTPS" option
Create the Service Principal using that id
az ad sp create --id "d4631ece-daab-479b-be77-ccb713491fc0"
Go to your "KeyVault/Access Policies" and Add a new Access Policy
Grant "Get" and "List" permissions for the "Secret" and Select the Principal recently created
Do not forget to save your changes
You are done! You can now enable your "Custom Domain HTTPS" option and use your KeyVault.
I'm trying to grant API Permissions on an App registration programatically using terraform.
I dont know how to get the id of the permission that i want to grant. I've tried copy and paste of a permission used elsewhere from the manifest file, but it doesnt look to be that simple.
This description of the setting is from the Terraform documentation.
id - (Required) The unique identifier for one of the OAuth2Permission or AppRole instances that the resource application exposes.
Does anyone know how to get the permission guids that are used here? are they specific to an app registration? I'm guessing so.
The id in the terraform is not that in your screenshot, in your screenshot, it is the consent displayname of the permission, not the id, it just happens to be a guid.
To get the id, you could use the AzureAD powershell as below.
For example, get the id of the xxx-nex-kv-access API delegated permission like your screenshot.
1.Find the service principal.
Get-AzureADServicePrincipal -SearchString "xxx-nex-kv-access"
The command will list all the service principals related to xxx-nex-kv-access, make sure which one you need, then copy the ObjectId and AppId of it. (If there is no result, you can use Get-AzureADServicePrincipal with no parameter to list all the service principal and find the one you need.)
2.Use the ObjectId to get the delegated permission.
$sp = Get-AzureADServicePrincipal -ObjectId "<ObjectId>"
$sp.Oauth2Permissions | select Id,AdminConsentDisplayName,Value
The Id is that you want, in the terraform, specify that like below.
required_resource_access {
resource_app_id = "<AppId>"
resource_access {
id = "<Id>"
type = "Scope"
}
}
Besides, you should notice the type property has two vaules, Scope and Role, you should know the Scope is Delegated permission and Role is Application permission.
So if you want to add the Application permission permission, you need to use the command as below, then in the terraform, use type = "Role".
$sp = Get-AzureADServicePrincipal -ObjectId "<ObjectId>"
$sp.AppRoles | select Id,DisplayName,Value
I am trying to troubleshoot why certain automation tasks don't work with a Service Principal I've created, most especially any tasks involving Azure Active Directory. The Azure Portal seems to clearly show that the Service Principal has been granted the Microsoft.Graph Directory.Read.All API Permission. The portal also shows that this Service Principal has the User.Read permission as well.
However, when I run az ad app permission list-grants for the Service Principal, it only lists User.Read. This makes me wonder whether the Directory.Read.All permission is actually present. And yes, the portal clearly shows that Directory.Read.All permission has been granted.
How can I confirm that my Service Principal actually does have the Directory.Read.All API Permission?
az ad app permission list-grants --id db7a66b4-06ad-4412-9bbc-73cb34f96ce2 --show-resource-name
[
{
"clientId": "01b359a2-f452-43c6-b290-e5ea1b359f38",
"consentType": "AllPrincipals",
"expiryTime": "2019-12-08T17:07:04.550141",
"objectId": "olmzAVL0xkOykOXqGzWfOAvNygY8CKVIummKcmVpwq8",
"odatatype": null,
"principalId": null,
"resourceDisplayName": "Microsoft Graph",
"resourceId": "06cacd0b-083c-48a5-ba69-8a726569c2af",
"scope": "User.Read",
"startTime": "0001-01-01T00:00:00"
}
]
And a crude recreation of what I see in the portal for this Service Principal under Azure Active Directory > App Registrations > (Service Principal Name) > API Permissions:
API/Permissions name Type Admin Consent Required
-------------------- ----------- -----------------------------------
Microsoft Graph (2)
Directory.Read.All Application Yes <green check> Granted for MyOrg
User.Read Delegated <green check> Granted for MyOrg
As you have found, the reason is the Azure CLI command az ad app permissions list-grants just list the delegated permissions.
If you also want to get the application permissions granted to the service principal,
currently it is not supported by the Azure CLI and Az powershell module, you need to use AzureAD powershell module.
Try the script as below, it writes output the API name and corresponding permission.
Note the ObjectId in the first line is the ObjectId of your service principal, not the AD App(App registration), you can find it in the Enterprise applications in the portal(filter with All applications).
$apppermissions = Get-AzureADServiceAppRoleAssignedTo -ObjectId <ObjectId of your service principal>
foreach($item in $apppermissions){
$item.ResourceDisplayName
(Get-AzureADServicePrincipal -ObjectId $item.ResourceId).AppRoles | Where-Object {$_.Id -eq $item.Id}
}
The permissions in the App registration in the portal:
Here is a similar issue, you can also take a look.
I finally figured this out, and it was less than obvious.
az ad app permissions list-grants lists oauth2 permissions. In other words, delegated permissions.
My Service Principal's Directory.Read.All permission is an application permission. That means it's a permission my Service Principal has in its own right without needing another user's authentication token.
I'm still trying to figure out how to list the Application permissions using the new az commands and/or the new Get-Az PowerShell modules. If I find out how I'll update this answer.
I found out you can get that output with az cli but by using the rest command like this:
az rest --method get --url https://graph.microsoft.com/v1.0/servicePrincipals/{YOUR_SERVICE_PRINCIPAL_ID}/appRoleAssignments
I need to use an Azure service principal to programmatically:
1. add/delete passwords for other services principal , and
2. add/delete passwords for itself
1 is easy to do.
But I can't seem to do 2 due to the following error. Is #2 possible? How?
graphrbac.PasswordCredentialsUpdateParameters failed:
graphrbac.ApplicationsClient#UpdatePasswordCredentials: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="Unknown" Message="Unknown service error"
Details=[{"odata.error":{"code":"Authorization_RequestDenied","date":"2019-06-06T22:19:35","message":{"lang":"en","value":"Insufficient privileges to complete the operation."},"requestId":"<ID>"}}]
Is #2 possible? How?
Yes, it is possible.
Just add your service principal to the Application Administrator directory role in your tenant, no need to add other permissions, it will work(there may be some delay).
Navigate to the Azure Active Directory in the portal -> Roles and administrators -> click Application administrator -> Add assignment -> search by your AD App name(service principal name) -> select it -> Select.
My test sample:
I test it with powershell, in other languages, it should also work.
Add password:
Connect-AzureAD -TenantId "<TenantId>" -ApplicationId "<ApplicationId>" -CertificateThumbprint "D0F0B179xxxxx6E41833FDE5947"
New-AzureADApplicationPasswordCredential -ObjectId <ObjectId>
Remove password(it returns no content when successful):
$password = Get-AzureADApplicationPasswordCredential -ObjectId <ObjectId>
Remove-AzureADApplicationPasswordCredential -ObjectId <ObjectId> -KeyId $password.KeyId
Besides, you could check the screenshot in my test sample and that in the portal, make sure the service principal add/delete passwords for itself.
Seems you are trying to update your service principle meanwhile caught an error.
As the error said you don't have permission for this operation.
Reason of Error: You may not have sufficient permission on your application for this operation.
Action To Do:
To do that you have to assign following permission on your application. Please follow the below steps:
Login to azure portal
Click on azure active directory
App registrations
Select you application
API Permission
Add Permission
Microsoft Graph
Application permission
In Directory select Directory.Read.All
In Application select Application.ReadWrite.All
Add Permission
Grant admin consent for YourTennant
See the screen shot below:
Note: You also need to have at least Contributor directory role on that application. As the Contributor can create and manage all types of
Azure resources but can’t grant access to others.