We have a Azure setup with multiple subscriptions, right now we would like to review the access rights of certain service principals. We were wondering whether there is a way to visualize all the access rights of a service principal? (E\either through the Azure Portal, az cli or PowerShell)?
I can't seem to find a streamlined way - It may be the case I am overlooking something :-)
Use Get-AzRoleAssignment to list the roles of a service principal.
For example: Get-AzRoleAssignment -ServicePrincipalName "http://testapp1.com".
See reference here.
For Azure CLI reference, see Manage service principal roles.
Related
I currently create a service principal using the Azure CLI:
az ad sp create-for-rbac --name foo --role Contributor
I need the service principal to have enough permissions to create/modify/delete various Azure AD resources including Applications, other Service Principals and Service Principal Passwords. When I use the above service principal to create other service principals, I currently get 403 Forbidden errors.
I have also tried using the 'Owner' and 'User Access Administrator' roles but these still give me a 403 error. What do I need to add to the above Azure CLI command or what additional role assignments do I need to add?
I'd like to use the service principal in a Pulumi program with their Azure AD provider (based on Terraform's Azure AD provider). See:
https://github.com/pulumi/pulumi-azuread/issues/246
In order for a service principal to be able to manage applications it requires API permissions. There is no such thing as a scope, because the API permissions are against the Azure AD API. Scopes are only applicable when it is related to the Resource Manager API. These are not the same thing.
When you go to application registrations in Azure AD, you can find the application, this is also where you will be able to assign the API permissions and grant consent.
You will do this either on the Azure Active Directory Graph, or on the Microsoft Graph. In my experience only the permissions assigned with the Azure Active Directory Graph worked.
Application.ReadWrite.All
Application
Read and write all applications
Application.ReadWrite.OwnedBy
Application
Manage apps that this app creates or owns
You will find these two application permissions that you could use. The first you can use manage all applications.
The az cli command you are using is to create a role assignment. This is RBAC on the subscription, it has nothing to do with Azure AD aside from the service principal being an AAD resource.
You need to add the scope of this service principal and also change the Azure role of this Service Principal to 'User Access Administrator' to enable you to modify resources in Azure AD. Also, 'User Access Administrator' role will give the service principal the required permissions for that Azure role to assign RBAC permissions. Please refer the below command for more details: -
az ad sp create-for-rbac --name foo --role User Access Administrator --scopes /subscriptions/{subscriptionId}/resourceGroups/{resourceGroup1}
Also, ensure that the user ID through which you are creating this service principal and assigning the role to it has permissions to register and create applications in Azure AD. If not, then please assign that ID 'Application Administrator' Azure AD role or you should be allowed to create and register applications by an administrator even though being a 'User'.
You need to give your service principal "App admin" permissions. This allows you to create application registrations and also set their credentials. And it does not give it rights to do anything else such as manage users and groups. If your intent is to include those, you need to add additional roles to the service principal.
https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#application-administrator
Hi I'm trying to use the Azure CLI command logged in a service principal
az ad sp list
and I get the error message Insufficient privileges to complete the operation.
The service principal is owner of the subscription and has been assigned Delegated API Permission Directory.Read.All for both Microsoft Graph and Azure Active Directory Graph.
I have a similar setup on another Azure tenant where the same command will give me a list of SP's with the same API permissions. What's missing.
Apparently giving an SP the 'Owner' role is not enough. You have the give it the 'Directory Readers' role. This is not possible using the Azure CLI or Portal though. You have to use the Azure AD Graph API, easiest way to do this is using https://graphexplorer.azurewebsites.net/.
Now, the steps to add give the SP the Directory Readers role are a bit long to explain here, I found them here: https://lnx.azurewebsites.net/directory-roles-for-azure-ad-service-principal/
I need service principal to run Get-AzADServicePrincipal -SearchString "sa-*" in order to find ApplicationIDs during deployment process
Which permissions to I have to assign to this service principal?
In the perfect scenario those should allow read only
Assuming the powershell command actually uses graph in the background, you would have to give it directory.read.all api permissions.
But if that doesn't work, then you'll have to assign the service principal to a role in the tenant that has access to read the sp info like. Directory Readers Role should be able to. Please note it could take a while to take effect, up to 24 hrs.
I would like to create a least permission custom role in Azure to assign to a service principal that only allows the service principal to register Azure AD applications and service principals.
The "Contributor" standard role has all the needed rights but also a great many that are not needed, and I can't find anything in the list of available operations that seems to correspond to application registrations which could be used to produce a custom role.
It turns out the question is misguided - I had thought the assignment of Microsoft.Azure.ActiveDirectory permissions to the service principal was insufficient to create and edit app registrations. But it turns out I was just running up against a 5-10 minute lag between permissions being set in the Azure portal and the permissions taking effect. Granting the contributor role to the service principal just happened to take enough time for the original permissions to take effect.
AFAIK, you would not need to create a custom role in Azure to allow registering Azure AD Applications and Service Principals.
Who can register an application through Azure AD is controlled by user's membership in Azure Active Directory itself and their "Directory Role" in that Azure AD for some operations but not the usual RBAC built-in or custom roles which you are looking at (as you mention the list of ARM Resource Provider operations in your question)
Please refer to this Microsoft Documentation: Who has permission to add applications to my Azure AD instance?
UPDATE: Answering query from comments after Simon's edit to original question.
How to provide application registration privileges to a service principal?
Again, you will not use RBAC roles or create custom roles as you mention in your question but instead provide specific "application permissions" to the relevant Service Principal in Azure AD. I'll give steps below.
Go to your Azure AD, "Registered applications"
Find your service principal (may need to look at all applications instead of just my)
Add required permissions as shown below:
Once you've selected the right permissions and done. Please click on "Grant Permissions" because these permissions need Admin consent.
Use a custom AAD role as described here.
This is preferable to granting the built-in "Application Developer" role because it's too permissive and has the 250 App limit..
#Requires -Modules AzureADPreview
# 3 October 2020
# Connect-AzureAD
$ParameterList = #{
DisplayName = 'Application Registration Creator'
Description = 'Can create an unlimited number of application registrations.'
TemplateId = (New-Guid).Guid
IsEnabled = $true
RolePermissions = #{
allowedResourceActions = #(
'microsoft.directory/applications/create'
'microsoft.directory/applications/createAsOwner'
)
}
}
$customRole = New-AzureAdMSRoleDefinition #ParameterList
I am trying to use Microsoft.Azure.Management.Logic.LogicManagementClient to programmatically create a Logic App workflow in Azure. Authentication has already worked, but when I call logicManagementClient.Workflows.CreateOrUpdateAsync(), I am getting a CloudException saying that the client does not have authorization to perform action 'Microsoft.Logic/workflows/write'.
How can I give the app the required permissions?
I have already given it (in the Azure Portal) all permissions for Azure AD and Microsoft Graph. But when I try to add permissions for Windows Azure Service Management API (which I assume is the relevant API here), it says "No application permissions available":
You need to give your app at least Contributor access to the resource group via the Access Control (IAM) tab.
To manage Azure resources through the ARM API, you always need a role via RBAC.
I did this via PowerShell. I assigned the Contributor role to my App Registration. Here are the commands.
az login
az account set --subscription "YOURSUBSCRIPTIONNAME"
NOTE: Had to create Resource Group in Portal, Use the Application (client) ID of the App Registration Client
New-AzRoleAssignment -RoleDefinitionName Contributor -ServicePrincipalName Application(client)ID -ResourceGroupName YOURRESOURCEGROUPNAME