Automate a user assignment to a specific app role within an application - azure

I'm automating an app setup and, having registered an application with az ad app create --app-roles with the manifest:
[
  {
    "allowedMemberTypes": [
      "User",
      "Application"
    ],
    "description": "Read items",
    "displayName": "Reader",
    "isEnabled": true,
    "value": "items/r"
  }
]
I'm trying to figure out a way to assign the above-mentioned Reader role to a principal without PowerShell's New-AzureADUserAppRoleAssignment and coming up empty. I'd take an ARM template, .NET SDK or az CLI way of doing it, but none seem to support it.
Not interested in the portal/UI as I'm trying to script this; any ideas?

Just use az rest to assign a custom app role to a principal via the Azure AD Graph REST API:
az rest --method post --uri "https://graph.windows.net/<your tenant ID>/servicePrincipals/<your principal object Id>/appRoleAssignments?api-version=1.6" --body "{\"id\":\"<your custom role app ID>\",\"principalId\":\"<your principal object Id>\",\"resourceId\":\"<your app object id>\"}" --headers "Authorization=Bearer <access token>"
You can get an access token via az account get-access-token:
az account get-access-token --resource "https://graph.windows.net"
Test request on the Azure CLI:
Result; as you can see, the role has been assigned to the principal successfully:

Related

Get the AZURE_CREDENTIALS of a Service Principal

I have already created my service principal.
Using GitHub I need to complete all parameters below. My question is where and how can we find each one?
AZURE_CREDENTIALS:
{
  "clientId": "XXX",
  "clientSecret": "XXX",
  "subscriptionId": "XXX",
  "tenantId": "XXX",
  "activeDirectoryEndpointUrl": "XXX",
  "resourceManagerEndpointUrl": "XXX",
  "activeDirectoryGraphResourceId": "XXX",
  "sqlManagementEndpointUrl": "XXX",
  "galleryEndpointUrl": "XXX",
  "managementEndpointUrl": "XXX"
}
I've already seen in the documentation that we can generate a JSON file for a new service principal using the Azure CLI:
az ad sp create-for-rbac `
--name "myApp" --role contributor `
--scopes /subscriptions/8baa642d-5109-4f1c-b935-401e5b215078/resourceGroups/rg-ai-recommender `
--sdk-auth
But I want to use the existing Service Principal.
You can run the command multiple times.
If you run it again, a message will appear stating something like:
az ad sp create-for-rbac --name TestPrincipal --role Contributor --sdk-auth
Found an existing application instance of "[existingId]". We will patch it
Creating 'Contributor' role assignment under scope '/subscriptions/[guid]'
Role assignment already exists.
The output includes credentials that you must protect. Be sure that you do not include these credentials in your code or check the credentials into your source control. For more information, see https://aka.ms/azadsp-cli
'name' property in the output is deprecated and will be removed in the future. Use 'appId' instead.
{
"clientId": "[existingId]",
"clientSecret": "[aNewSecret]",
"subscriptionId": "[subscriptionid]",
// all the other properties
}
Of course, this will invalidate the credentials you're using in the other repositories, so you should update those also.
Recovering the secret isn't possible because it's a secret.
This way you can use the same service principal in multiple repositories.
Do keep in mind, it might be a more secure strategy to create new service principals for different services/deployments, so you can make the assignments of roles as granular as possible. But that's not what your question is about.
There are three types of service principal:
Application
Managed Identity
Legacy
You can use the Enterprise applications blade in the Azure portal to list and manage the service principals in a tenant. You can see the service principal's permissions, user-consented permissions, which users have given that consent, sign-in information, and more.
Go to the Azure Portal, open Azure Active Directory and click the Enterprise Applications menu item under Manage.
There, find the registration for the service principal, and find the corresponding information.
To create a new clientSecret for a service principal, find the corresponding registration in App Registrations and open up the Certificates & secrets menu under Manage. From there, you can create a new secret. You cannot see values for existing secrets.

how to write a CLI script to Enable Function Application Authentication to use Microsoft Azure AD ID Provider

Can anyone help me with how to write a CLI script to enable Function App authentication to use the Microsoft Azure AD identity provider?
Thanks,
We have tested this in our local environment; using the below cmdlets we are able to create Microsoft identity provider authentication for the function app, and these cmdlets are working fine.
Below are the steps to be followed:
You need to create an app registration in AAD and add the required permissions to that app registration using the below cmdlet.
az ad app create --display-name <NameofappRegistration> --password <clientsecret> --reply-urls https://<functionappName>.net/.auth/login/aad/callback --required-resource-accesses @manifest.json
The below resource access will add the User.Read permission to that app registration.
How to declare the permission in the manifest.json file:
{
  "requiredResourceAccess": [
    {
      "resourceAppId": "00000003-0000-0000-c000-000000000000",
      "resourceAccess": [
        {
          "id": "e1fe6dd8-ba31-4d61-89e7-88639da4683d",
          "type": "Scope"
        }
      ]
    }
  ]
}
You need to add identifier-uris/application uri for that app registration.
az ad app update --id <appId/clientId> --identifier-uris api://<clientId>
Create the web app authentication and authorization with the Microsoft identity provider for the function app against that app registration using the below cmdlet:
az webapp auth microsoft update -n <functionAppName> -g <ResourceGroupName> --client-id <appRegistrationClientId> --client-secret <appRegistrationPassword> --tenant-id <TenantID>
Sample output for reference after running the above cmdlets:
Here is the reference CLI cmdlet documentation for creating Microsoft auth for a web app and for app registration.

Adding Azure AD Microsoft Graph API Permissions to B2C Application

I am using the following Az Cli command to create an Azure AD B2C application:
az ad app create --display-name 'mytestapplication'
What I'd then also like to do in the process is grant some permissions, as per the Azure AD Microsoft Graph API permissions list. Below are two such examples of the permissions I'd like to grant. I'm however struggling to find any Az CLI examples or references that can enable me to achieve this. Any suggestions?
User.ReadWrite.All
Application.ReadWrite.All
In order to grant a specific permission for an app registration, you need to pass those permissions in a manifest.json file with a particular scope.
You can use the below cmdlets to create an app registration and to assign the specific azure-ad-microsoft-graph-api-permissions for that app registration.
az login --tenant myb2ctenant.onmicrosoft.com --allow-no-subscriptions (this cmd helped me to log in to B2C without a subscription)
az ad app create --display-name 'mytestapplication' --required-resource-accesses @manifest.json
manifest.json file:
{
  "requiredResourceAccess": [
    {
      "resourceAppId": "00000003-0000-0000-c000-000000000000",
      "resourceAccess": [
        {
          "id": "204e0828-b5ca-4ad8-b9f3-f32a958e7cc4",
          "type": "Scope"
        },
        {
          "id": "1bfefb4e-e0b5-418b-a88f-73c46d2cc8e9",
          "type": "Role"
        }
      ]
    }
  ]
}
Here is the output screenshot for reference:
For more information about app registration creation and assigning permissions for a native app registration via cmdlets, you can refer to this documentation.
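The two answers above (the function app registration and the B2C registration) both hand az ad app create a requiredResourceAccess manifest. An added example, not code from either answer or from the Azure CLI: a Python helper that merges a new Graph permission into an existing requiredResourceAccess list (updating with --required-resource-accesses replaces the whole list, so adding to a live registration means merging first) and lists which entries are application permissions that need admin consent. The permission ids are the ones shown in the answers; the EXISTING registration is a constructed sample.

```python
import json

GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # Microsoft Graph as a resource

# Permission ids as they appear in the answers above.
USER_READ_SCOPE = "e1fe6dd8-ba31-4d61-89e7-88639da4683d"  # User.Read, delegated (Scope)
APP_RW_ALL_ROLE = "1bfefb4e-e0b5-418b-a88f-73c46d2cc8e9"  # Application.ReadWrite.All (Role)

def merge_required_access(existing, resource_app_id, access_id, access_type):
    """Return a copy of a requiredResourceAccess list with one permission added.
    'az ad app update --required-resource-accesses' replaces the whole list, so
    a script that adds a permission must merge with what is already there.
    Re-adding an (id, type) pair that is already present is a no-op."""
    if access_type not in ("Scope", "Role"):
        raise ValueError("type must be 'Scope' (delegated) or 'Role' (application)")
    merged = json.loads(json.dumps(existing))  # deep copy; never mutate the input
    for entry in merged:
        if entry["resourceAppId"] == resource_app_id:
            break
    else:  # no entry for this resource yet: create one
        entry = {"resourceAppId": resource_app_id, "resourceAccess": []}
        merged.append(entry)
    wanted = {"id": access_id, "type": access_type}
    if wanted not in entry["resourceAccess"]:
        entry["resourceAccess"].append(wanted)
    return merged

def application_permission_ids(required):
    """Ids of 'Role' entries: application permissions, which only take effect
    after an administrator grants consent (the portal button mentioned in the
    answer below, or 'az ad app permission admin-consent --id <appId>')."""
    return sorted(a["id"] for e in required
                  for a in e["resourceAccess"] if a["type"] == "Role")

# Constructed sample: a registration that already has the delegated User.Read.
EXISTING = [{"resourceAppId": GRAPH_APP_ID,
             "resourceAccess": [{"id": USER_READ_SCOPE, "type": "Scope"}]}]

if __name__ == "__main__":
    required = merge_required_access(EXISTING, GRAPH_APP_ID, APP_RW_ALL_ROLE, "Role")
    print(json.dumps(required, indent=2))  # write this list to manifest.json
    print("needs admin consent:", application_permission_ids(required))
```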

What permissions are needed in Azure to grant access to a managed identity for calling a custom api

I want to assign the role Things.Read.All, created in my app registration, to a managed identity.
The app registration SP object id is 8055e1eb-0000-0000-9b77-00000000000
The role definition looks like this:
"appRoles": [
  {
    "allowedMemberTypes": [
      "Application"
    ],
    "description": "Allow the application to read all things as itself.",
    "displayName": "Read all things",
    "id": "86a914fa-a862-4962-9975-000000000000",
    "isEnabled": true,
    "lang": null,
    "origin": "Application",
    "value": "Things.Read.All"
  }
]
The only thing known about a system assigned managed identity is its object id, say
aad300-0872-0000-811d-00000000000
and I want to allow it to call the application 8055e1eb-0000-0000-9b77-00000000000 that expects to see the role in the access token.
I know I have to use the following API to do this.
https://graph.microsoft.com/v1.0/servicePrincipals/8055e1eb-0000-0000-9b77-00000000000/appRoleAssignedTo
{
  "principalId": "aad300-0872-0000-811d-00000000000",
  "resourceId": "8055e1eb-0000-0000-9b77-00000000000",
  "appRoleId": "86a914fa-a862-4962-9975-000000000000"
}
I have wide but controlled access in my tenant. When I acquire a token from
az account get-access-token --resource https://graph.microsoft.com
and call the above, I get
"code": "Authorization_RequestDenied",
"message": "Insufficient privileges to complete the operation.",
What I need to figure out is the exact privilege that is needed to make this call.
As you did not answer my comment, I can just give you my own solution, which used the service principal to log in to the Azure CLI; it works for me.
Please follow the steps below.
1. Create a new App Registration in Azure AD, then get the values for signing in and create a new application secret.
2. Navigate to the API permissions of the app, add the Application permission (not Delegated permission) Directory.ReadWrite.All of Microsoft Graph, and don't forget to click the Grant admin consent for xxx button at the end.
Note: From the doc, the AppRoleAssignment.ReadWrite.All permission is enough, but per my test it will not work; not sure if it is a bug. I have decoded the token, and the token has the AppRoleAssignment.ReadWrite.All permission.
3. In the Azure CLI, run the commands below to get the token.
az account clear
az login --service-principal --allow-no-subscriptions --username '<application-id>' --password '<application secret>' --tenant '<tenant-id>'
az account get-access-token --resource https://graph.microsoft.com
4. I tested the token to call the API (Grant an appRoleAssignment for a service principal) to grant the app role to the system-assigned identity of my function app; it works fine.
Check it in the portal:
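The call this answer tests, and the assignment the first question on this page asks for, as an added example written for this page (not code from any of the posts or from the Azure CLI). It resolves the app role by its value from the resource service principal's appRoles, refuses roles that are disabled or whose allowedMemberTypes do not cover the principal kind, and then posts to Graph v1.0 appRoleAssignedTo. RESOURCE_SP is a constructed sample built from the ids in this question, and the token is assumed to come from az account get-access-token as shown above.

```python
import json
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"

# Constructed sample: the resource service principal from the question above,
# reduced to the fields this example reads (ids as given in the question).
RESOURCE_SP = {
    "id": "8055e1eb-0000-0000-9b77-00000000000",
    "appRoles": [{
        "id": "86a914fa-a862-4962-9975-000000000000",
        "value": "Things.Read.All",
        "isEnabled": True,
        "allowedMemberTypes": ["Application"],
    }],
}
MANAGED_IDENTITY_ID = "aad300-0872-0000-811d-00000000000"

def find_app_role(resource_sp, value, member_type):
    """Resolve an app role by its 'value'; refuse roles that are disabled or
    not allowed for this kind of principal ('User' or 'Application')."""
    for role in resource_sp.get("appRoles", []):
        if role.get("value") != value:
            continue
        if not role.get("isEnabled", False):
            raise ValueError(f"app role {value!r} is disabled")
        if member_type not in role.get("allowedMemberTypes", []):
            raise ValueError(f"app role {value!r} does not allow {member_type}")
        return role["id"]
    raise LookupError(f"no app role with value {value!r}")

def build_assignment(resource_sp, principal_id, value, member_type="Application"):
    """Return (url, body) for POST /servicePrincipals/{resource}/appRoleAssignedTo.
    A managed identity is a service principal, so its member type is 'Application'."""
    body = {"principalId": principal_id, "resourceId": resource_sp["id"],
            "appRoleId": find_app_role(resource_sp, value, member_type)}
    return f"{GRAPH}/servicePrincipals/{resource_sp['id']}/appRoleAssignedTo", body

def assign_app_role(token, resource_sp, principal_id, value, member_type="Application"):
    """Perform the assignment with a Graph bearer token, e.g. the output of
    'az account get-access-token --resource https://graph.microsoft.com'."""
    url, body = build_assignment(resource_sp, principal_id, value, member_type)
    req = urllib.request.Request(url, data=json.dumps(body).encode(), method="POST",
                                 headers={"Authorization": f"Bearer {token}",
                                          "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:  # 201 Created on success
        return json.load(resp)
```

Calling assign_app_role with a token that lacks the privilege discussed in this thread produces the same Authorization_RequestDenied response the question quotes, raised as an urllib HTTPError with status 403.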

How to reset the password of the Service Principal created for the System Managed Identity in Azure?

I created an Azure Container Registry with the System Managed Identity. I know how to examine the Service Principal created for it:
C:\> az ad sp show --id 4***8
{
"accountEnabled": "True",
"alternativeNames": [
"isExplicit=False",
"/subscriptions/d***8/resourcegroups/VictorTestRG/providers/Microsoft.ContainerRegistry/registries/victorTestContainerRegistry"
],
"appId": "7***6",
"displayName": "victorTestContainerRegistry",
"keyCredentials": [...],
"objectId": "4***8",
"objectType": "ServicePrincipal",
"odata.metadata": "https://graph.windows.net/2***b/$metadata#directoryObjects/#Element",
"odata.type": "Microsoft.DirectoryServices.ServicePrincipal",
"servicePrincipalNames": [
"7***6",
"https://identity.azure.net/o***F/p***="
],
"servicePrincipalType": "ManagedIdentity"
}
(I scrubbed certain values and omitted the fields having null or [] as their value for brevity)
Now I would like to reset the credentials for this Service Principal, but none of following worked for me:
C:\> az ad sp credential reset --name 4***8
Resource '4***8' does not exist or one of its queried reference-property objects are not present.
C:\> az ad sp credential reset --name "7***6"
Resource '7***6' does not exist or one of its queried reference-property objects are not present.
C:\> az ad sp credential reset --name victorTestContainerRegistry
Resource '7***6' does not exist or one of its queried reference-property objects are not present.
C:\> az ad sp credential reset --name "https://identity.azure.net/o***F/p***="
Resource '7***6' does not exist or one of its queried reference-property objects are not present.
C:\>
So, how can one reset the credentials of a System Managed Identity?
As Thomas commented, you do not manage the credentials.
The point of using a Managed Identity is to get rid of that management.
The system will automatically rotate the certificates used by the identity behind the scenes.
You should not need to do anything about it.
