I want to give an Azure Managed Identity access to the Graph with Directory.Read.All. I was able to get it to work by following this blog: https://blog.bredvid.no/accessing-apis-using-azure-managed-service-identity-ff7802b887d?gi=f2307752395a, however:
that throws an Authorization_RequestDenied error (though apparently expected: MSI Permissions for Graph API)
I would prefer to get this working under az-cli
I tried...
graphId=$(az ad sp list --filter "appId eq '00000003-0000-0000-c000-000000000000'" --query "[0].objectId")
roleId=$(az ad sp list --filter "appId eq '00000003-0000-0000-c000-000000000000'" --query "[0].appRoles[?value=='Directory.Read.All' && contains(allowedMemberTypes, 'Application')] | [0].id")
az role assignment create --role $roleId --assignee-object-id fa22d971-c442-41f2-add1-77e636f80d31 --scope $graphId --assignee-principal-type MSI
But this results in... "The request did not have a subscription or a valid tenant level resource provider."
I am thinking this means I don't have the scope right. Is it possible to do this assignment under az-cli?
It is not possible to assign a service principal(MSI) to an application role currently, all commands here.
The az role assignment create is to add the user/service principal/group to the azure resource as an RBAC role, not that you want, it equals the steps in this link.
Besides, if you want to use the azure CLI instead of powershell because of the cross-platform issue. You could try the powershell core, it is cross-platform, refer to this link to install AzureAD.Standard.Preview module in it, then you will be able to use the AzureAD commands.
Related
I am testing an environment where I have the credentials of a service principal of an application. My next step is to identify the objects owned by the application or the resources that the app can access.
I could get similar details for an AD user through the cli command
ad signed-in-user list-owned-objects
Running the same command when signed-in with the credentials of the sp results in the following error
Resource not found for the segment 'me'.
My use-case is to enumerate the SP account to understand its access rights in the subscription. Can someone help me out with the right set of azure cli commands.
I tried to reproduce the same in my environment and got below results:
I created one service principal with Storage Blob Data Contributor role at storage account scope like below:
az ad sp create-for-rbac --role "Storage Blob Data Contributor" --name <spname> --scopes /subscriptions/<subID>/resourceGroups/<rgname>/providers/Microsoft.Storage/storageAccounts/<storaccname>
Now I logged in to Azure account successfully using above service principal credentials:
az login --service-principal -u appID -p password --tenant tenantID
When I ran the same command to get the resources that the app can access, I got same error as below:
az ad signed-in-user list-owned-objects
To list RBAC roles assigned to a service principal, you can make use of below command:
az role assignment list --assignee <service_principal_ID> --all
If your use case is to list all the resources/objects a service principal can access/own, currently there is no command available particularly for that.
To know more in detail, you can check below reference:
For a given Azure AD Service Principal, Get a list of the Azure Objects and Rights by AlfredoRevilla-MSFT
Trying to access files from Azure Netapps via REST API by following documentation
https://learn.microsoft.com/en-us/azure/azure-netapp-files/azure-netapp-files-develop-with-rest-api
with POSTMAN rest client.
To get appId, password, tenant by executing following command in Azure CLI
az ad sp create-for-rbac --name $YOURSPNAMEGOESHERE --role Contributor --scopes /subscriptions/{subscription-id}
Here what is $YOURSPNAMEGOESHERE? How to fins this value? I am currently using trail account on Azure.
Please note that, the command you are currently using is related to creating service principal and assigning role to it.
In this $YOURSPNAMEGOESHERE , you have to pass the name of the service principal you want to create.
Instead of that, you can also give the name directly in string format like below:
I tried to reproduce the same in my environment like below and got the below results:
az ad sp create-for-rbac --name "TestSP" --role Contributor --scopes /subscriptions/subscriptionId
Output:
Reference:
az ad sp | Microsoft Docs
While adding managed identities to the Keyvault Access Policy is easy
Now there's quite a few VMs that should be given access to the cluster.
It seems possible to select multiple managed identities add once and ascribe the same permissions to them, but I haven't managed to do this yet (ctrl + click, alt + click, selected multiple... all does not work). I cannot find it in the documentation either, however, it clearly states "selected items" below. How can I achieve this?
You cannot assign many managed identities at once. Neither for Portal nor via Azure CLI. You will need to assign one by one unfortunately..
Usually, Azure CLI is more capable of doing more jobs but it accepts only one assignee at a time.
az role assignment create --role
[--assignee]
[--assignee-object-id]
[--assignee-principal-type {Group, ServicePrincipal, User}]
[--condition]
[--condition-version]
[--description]
[--resource-group]
[--scope]
[--subscription]
Optional Parameters
--assignee
Represent a user, group, or service principal. supported format: object id, user sign-in name, or service principal name.
--assignee-object-id
Use this parameter instead of '--assignee' to bypass Graph API invocation in case of insufficient privileges. This parameter only works with object ids for users, groups, service principals, and managed identities. For managed identities use the principal id. For service principals, use the object id and not the app id.
--assignee-principal-type
Use with --assignee-object-id to avoid errors caused by propagation latency in AAD Graph.
accepted values: Group, ServicePrincipal, User
--condition
Condition under which the user can be granted permission.
--condition-version
Version of the condition syntax. If --condition is specified without --condition-version, default to 2.0.
--description
Description of role assignment.
--resource-group -g
Use it only if the role or assignment was added at the level of a resource group.
--scope
Scope at which the role assignment or definition applies to, e.g., /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333, /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup, or /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM.
--subscription
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
Checkout Assign a managed identity access to a resource using Azure CLI.
Create a user-assigned managed identity and grant it access to the Key Vault. Then assign the user-assigned managed identity to each VM.
This blog might help.
I created a service principal using rbac and using the subscription id and I was able to login and all CLI calls with Azure using this sp and this login
(creating SP
az ad sp create-for-rbac -n "AppName1" --role contributor --scopes /subscriptions//resourceGroups/)
But when I call for billing info as:
az consumption usage list --subscription
Unauthorized. Request ID:
I am not sure what authentication permission scope to add to enable this. Tried too many things and somehow I feel I am not in the right direction. Any help will be greatly appreciated.
Did you login with the service principle using the following command before hitting the billing/usage?
az login --service-principal -u <app-url> -p <password-or-cert> --tenant <tenant>
I believe the issue is that you assigned the “contributor” role at the resource group level and then trying to access a subscription level resource. Since you don’t have permission for that, you’re getting this “Unauthorized” error.
To fix this, please try to assign the “contributor” role at the subscription level for this service principal.
I am trying to create a service principal from azure cli.
az login --service-principal -u servicePrincipalGuid -p spPassword --tenant tenantGuid
az ad sp create-for-rbac --skip-assignment
It works if i assign to the service principal Global administrator but it does not work with the Application Administration which according to the documentations should be sufficient.
I am wondering what roles/permissions are needed to be able to create a service principal without global administrator?
I can reproduce your issue, it is really weird, based on my knowledge, the Application administrator role should work.
The command az ad sp create-for-rbac --skip-assignment creates the app registration successfully, but it can't create the corresponding service principal. Even if I test with the command below to create service principal for the app.
az ad sp create --id '<object-id of the app registration>'
or powershell
New-AzureADServicePrincipal -AppId <object-id of the app registration>
I am wondering what roles/permissions are needed to be able to create a service principal without global administrator?
If you just want to let the command work without the global admin, you could add Application.ReadWrite.All permission of Azure Active Directory Graph like below, then it will work.