Service principle can be created without role via az ad sp create-for-rbac --skip-assignment
Q1. What's the use of a service principal without a role?
Q2. Can a service principle exit without attaching to any scope/resource? If so what's the use of such independent service principle?
Q1. What's the use of a service principal without a role?
The parameter --skip-assignment skip assigning the service principal to the subscription. So to be precise, your question should be without an RBAC role, because there is another role named Administrator role, it will be mentioned below.
Some usages here for you to refer to, there are many usages mixed with the AD App, will not go into details here. If you want to learn about them, you can look into the Azure AD official doc.
1.The service principal can be assigned as an Administrator role in Azure AD, then it can do the things depend on the role permissions, e.g. create a user, delete a group. Via Azure AD powershell, Microsoft Graph API, Azure AD Graph API, or the AAD part of the Az powershell module.
2.The service principal can also calls the APIs and use the powershell above without Administrator role, but you need to give the application permission to it. The az ad sp create-for-rbac will create an AD App along with a service principal, in the AD App in the portal -> API permissions, you can add the permission and consent. Note, when we add permissions and consent in AD App, actually the permissions will be given to the service principal in your tenant, the service principal is an instance of the AD Application in a specific tenant.
Q2. Can a service principle exit without attaching to any scope/resource? If so what's the use of such independent service principle?
Yes, as mentioned above, it can do many things related to Azure AD, Graph API. Here is a doc about Application and service principal objects in Azure Active Directory, it will be really helpful for you to understand the service principal.
A1- you can use it to remove the need of secret keys in your apps. For example, rather than storing the Azure Storage access key, you can grant an identity (your app) to store / access data on Azure Storage.
A2-I think so, it will be a system-assigned managed identity which is a special kind of managed identity (service principal)
Related
I found a link here which says:
There is no way to directly create a service principal using the Azure portal. When you register an application through the Azure portal, an application object and service principal are automatically created in your home directory or tenant.
My question is, Can a 'service principal' create another 'service principals' in Azure? If yes, how? and what all permissions required for this?
Please suggest. Thanks.
A service principal can create another service principal after being assigned either the corresponding MS Graph permission, or Azure AD role
MS Graph Permissions
Either of the permissions
Application.ReadWrite.All
Application.ReadWrite.OwnedBy
References
Microsoft Graph permissions reference
Create application API endpoint
Create servicePrincipal API endpoint
Azure AD Role
Any role with one of these permissions
microsoft.directory/applications/create
microsoft.directory/applications/createAsOwner
microsoft.directory/applications/allProperties/allTasks
Built-in roles
Application Administrator
Application Developer
Cloud Application Administrator
Global Administrator
Hybrid Identity Administrator
References
Azure AD built-in roles
Application registration permissions for custom roles in Azure Active Directory
I am looking for examples to fetch access token for azure storage account access via azure active directory with service principal in python
It seems like https://github.com/AzureAD/azure-activedirectory-library-for-python/blob/dev/sample/client_credentials_sample.py doesn't support service principal access
are there other ways in fetching token via service principal?
• Yes, you can surely fetch an access token for an Azure storage account via Azure Active Directory using a service principal, i.e., an app registration by following the steps below as given in the below documentation link: -
https://learn.microsoft.com/en-us/azure/developer/python/sdk/authentication-azure-hosted-apps?tabs=azure-portal%2Cazure-app-service
As per the above documentation, you will have to host your python application code in a web app service and create a system assigned managed identity for it. Once created, then an application will be created in Azure AD with the same ‘Object ID’ as shown in the managed identity section of the web app service. Before moving onto this application created in Azure AD, assign the required roles to this system assigned managed identity through the ‘IAM’ tab. So, in your case, you should assign the role of ‘Storage Account Contributor’ to the ‘System-assigned managed identity’ created for the web app service.
• Once, the role has been assigned, then go to the ‘Enterprise application’ and search for the ‘Object ID’ of the managed identity, you will encounter an application with the name of the web app service, in that, go to ‘Permissions’ under ‘Security’ tab and assign the required permissions and admin consent required to the application. The permissions shown are those that are allowed under the scope of ‘Storage Account Contributor’ and similarly, you must assign permissions from it to the app/service principal. Then ensure that you are correctly calling the environment variables of this application created in Azure AD regarding the managed identity and implement the ‘DefaultAzureCredential’ from the ‘azure.identity’ module. For this purpose, kindly refer to the below subsection of the above documentation: -
https://learn.microsoft.com/en-us/azure/developer/python/sdk/authentication-azure-hosted-apps?tabs=azure-portal%2Cazure-app-service#3---implement-defaultazurecredential-in-your-application
In this way, you can fetch an access token for the Azure storage account via Azure Active Directory using a service principal.
I have a serviceA in TenantA which needs to deploy resources to a subscription_X that is in tenantB say using ARM SDK. This means serviceA must be having rights to create the resource group in the subscription_X too.
How can serviceA in the tenantA get a contributor access to the tenantB's subscription_X ?
ServiceA is a micro service running in AKS or VM
A Managed Identity can only be used within the tenant that is linked to the subscription it is in.
So it won't work for this scenario.
A service principal can be used, but it would need to be made into a multi-tenant app + an admin from tenant B would have to go through a manually written admin consent URL for it to show up in their tenant.
I'd say the easiest approach is for tenant B admin to define an app registration/service principal in tenant B.
If you use certificate authentication, you'd generate the certificate and give them the public key so that they can assign it to the app in their tenant.
If using client secret, they will have to add it and send it to you.
From what I know it is not possible.
Considering Managed Identities are scoped to a single subscription, I don't think it is possible for you to manage resources in a different subscription using a Managed Identity in another subscription.
Similarly Service Principals are special kind of Azure users that gets created automatically when you assign access to resources in an Azure AD (tenant). They also can't be shared across tenants.
What you have to do is register your Azure AD application in the target tenant. As a result of that, a new Service Principal will be created in that tenant. You can then assign proper Azure RBAC role to this Service Principal so that it can perform necessary operations on Azure Subscriptions where it has been assigned a role. You can either use Client ID/Client Secret or Client ID/Client Certificate of your Azure AD application to authenticate the Service Principal.
Background
I want to give an application ownership of several of my Azure Service Bus queues ... specifically, by granting it the Azure Service Bus Data Owner role.
The Azure Service Bus documentation says this is possible:
Azure Service Bus supports using Azure Active Directory (Azure AD) to authorize requests to Service Bus entities (queues, topics, subscriptions, or filters). With Azure AD, you can use role-based access control (RBAC) to grant permissions to a security principal, which may be a user, group, or application service principal [my emphasis].
(Source)
However, I can't find a way to do it.
What I've Tried
Registered the application in Azure AD.
Granted the application the user_impersonation permission on Microsoft.ServiceBus. (Application permissions is disabled [1], so I selected Delegated permissions and checked user_impersonation [2]. No idea if that's right. I posted another question a while ago about Application permissions being disabled, but the accepted answer of editing the manifest doesn't work in this case.)
In my Service Bus queue, selected Role assignments.
Clicked Add.
Searched for my application.
Issue
My application doesn't appear in the search results in Role assignments.
A service principal is the instance of an application in a given tenant. (Multi-tenant applications can have service principals in many tenants, all referring back to a single app registration.)
To grant an Azure role to an application, a service principal must first exist in the tenant. To check if the service principal for an app registration already exists in the same tenant where the app is registered (and create it if it doesn't):
Using the Azure portal:
Navigate to Azure AD > App registrations > (app) > Overview
Under the Managed application in local directory heading:
If you see a link with the name of the app, the service principal already exists.
If you see a "Create service principal" link, clicking it will attempt to create the service principal.
Using Azure CLI:
az ad sp show --id {app-id}
az ad sp create --id {app-id}
Using Azure AD PowerShell:
Get-AzureADServicePrincipal -Filter "appId eq '{app-id}'"
New-AzureADServicePrincipal -AppId "{app-id}"
I am creating my first app function using powershell in the Azure portal, It's just to scale a SQLDB on I have tried to use this tutorial as a guide.
MSI example
I turned on MSI for the function and configured resources groups Giving the contributor role to the resource
When I run the function within the portal, I get the message doesn't have authorization to perform action. from this tutorial I believe this is all I had to do ? I have waited over a day to see if it's a timing issue, from the example I Have followed and this MS document managed identies for app service
I don't believe I need to add any secret key for this to work?
Function Error message
Setting the function MSI identity to on
Seeting the access control in
The service principal you are using doesn't have rights within that tenant.
Tenants have subscriptions and service principals belong to tenants. Azure resource manager also exposes role based authorization for a given principal, which would give it rights on Azure resources. It appears the service principal doesn't have rights to read from that subscription.
Go to portal and find your subscription, click on Access Control (IAM) and then click on Add role assignment with correspond service principal which you use to acquire token.
After you have given successful permission, refresh and try again.