I need to use an Azure service principal to programmatically:
1. add/delete passwords for other services principal , and
2. add/delete passwords for itself
1 is easy to do.
But I can't seem to do 2 due to the following error. Is #2 possible? How?
graphrbac.PasswordCredentialsUpdateParameters failed:
graphrbac.ApplicationsClient#UpdatePasswordCredentials: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="Unknown" Message="Unknown service error"
Details=[{"odata.error":{"code":"Authorization_RequestDenied","date":"2019-06-06T22:19:35","message":{"lang":"en","value":"Insufficient privileges to complete the operation."},"requestId":"<ID>"}}]
Is #2 possible? How?
Yes, it is possible.
Just add your service principal to the Application Administrator directory role in your tenant, no need to add other permissions, it will work(there may be some delay).
Navigate to the Azure Active Directory in the portal -> Roles and administrators -> click Application administrator -> Add assignment -> search by your AD App name(service principal name) -> select it -> Select.
My test sample:
I test it with powershell, in other languages, it should also work.
Add password:
Connect-AzureAD -TenantId "<TenantId>" -ApplicationId "<ApplicationId>" -CertificateThumbprint "D0F0B179xxxxx6E41833FDE5947"
New-AzureADApplicationPasswordCredential -ObjectId <ObjectId>
Remove password(it returns no content when successful):
$password = Get-AzureADApplicationPasswordCredential -ObjectId <ObjectId>
Remove-AzureADApplicationPasswordCredential -ObjectId <ObjectId> -KeyId $password.KeyId
Besides, you could check the screenshot in my test sample and that in the portal, make sure the service principal add/delete passwords for itself.
Seems you are trying to update your service principle meanwhile caught an error.
As the error said you don't have permission for this operation.
Reason of Error: You may not have sufficient permission on your application for this operation.
Action To Do:
To do that you have to assign following permission on your application. Please follow the below steps:
Login to azure portal
Click on azure active directory
App registrations
Select you application
API Permission
Add Permission
Microsoft Graph
Application permission
In Directory select Directory.Read.All
In Application select Application.ReadWrite.All
Add Permission
Grant admin consent for YourTennant
See the screen shot below:
Note: You also need to have at least Contributor directory role on that application. As the Contributor can create and manage all types of
Azure resources but can’t grant access to others.
Related
I am trying to add new permissions to the newly created application. I am the owner of the app.
Try it with az ad app permission add Add-AzADAppPermission.No success, receive that error Az.MSGraph.internal\Get-AzADApplication : Insufficient privileges to complete the operation..
Tried it to add permissions from previously asked questions here and Git Hub, but with no success.
azure-cli version:2.44.1
What I'm missing?
Thank you!
I tried to reproduce the same in my environment and got the same error as below:
Even if the user is the owner of the Application, Insufficient privileges error will still occur:
Note that: To assign permissions the user account must have Application Administrator or Global Administrator role.
To resolve the error, I assigned Application Administrator role to the user account like below:
Go to Azure AD roles and administrators -> Select Application Administrator -> Add assignments -> Select members -> Select
After assigning the role, I am able to assign API permission to the Azure AD Application like below:
Connect-AzAccount
Add-AzADAppPermission -ObjectId ObjectID -ApiId 00000003-0000-0000-c000-000000000000 -PermissionId 5f8c59db-677d-491f-a6b8-5f174b11ec1d
The Group.Read.All API permission added successfully in the Azure Portal like below:
By using the below command, trying to assign a role to the managed identity using PowerShell runbook(5.1 Runtime version).
$roleAssignment = New-AzRoleAssignment -ObjectId 'xxxx-xxxx-xxxx-xxxx' -Scope '/subscriptions/xxxx-xxxx-xxxx/resourceGroups/xxxxxxxxx' -RoleDefinitionName 'Contributor'
When we execute the runbook we ran into the below error.
Exception of type 'Microsoft.Rest.Azure.CloudException' was thrown.
But, When executed the same command from local PowerShell ISE we are able to assign the role with out any fail.
How to make runbook to assign the role to the user assigned identity.
Can any one help me solve this.
Unable to assign a role to user assigned identity through Azure Run books (1).html
Unable to assign a role to user assigned identity through Azure Run books
Exception of type ‘Microsoft.Rest.Azure.CloudException’ was thrown.
To resolve the above error, I would suggest you try to follow the below workaround that worked for me: -
Go to Azure AD --> App registrations --> Select your app --> API Permissions --> Add permission --> Microsoft Graph (You can select any Azure resource for which you want to grant permissions for) --> Application Permissions --> Directory --> Directory.Read.All
Then grant admin consent for the selected permissions for that particular resource.
Here, you can select other services which you are using, also in ‘Request API Permissions’ other than Microsoft Graph, you can use other APIs that you are working since the process is same as shown in the below snapshot: -
I was hoping to get some advice on the following issue:
I am using System-assigned identity in my automation account for authentication. The role assignment for that system-assigned identity is "Owner" and the Scope is "Subscription".
When I run this command "Connect-AzAccount -Identity" - everything works as expected. However, the next command which is the second one in the script - "Get-AzADApplication" -fails with "Insufficient privileges to complete the operation.".
Why am I unable to list all the applications under my tenant when my system managed identity has the "Owner" role? What am I missing here?
I'm trying to reset the password credentials of a service principal (let's call it SP1) through the following PowerShell commands:
Remove-AzADSpCredential -ObjectId <SP1_objectId> -Force
$Password = New-AzADSpCredential -ObjectId <SP1_objectId>
This works well when I run it through the PowerShell by my own user account, which has an Owner role assigned to SP1.
I also have this code in a runbook in an automation account with a "run as account" service principal (let's call it SP2).
I assigned the ownership of SP1 to SP2 as well through the command Add-AzureADServicePrincipalOwner and confirmed it through Get-AzureADServicePrincipalOwner.
I expected the runbook to be able to run the Remove-AzADSpCredential command on the SP1 after making its service principal the owner of SP1. But I get the following error:
Remove-AzADSpCredential : Insufficient privileges to complete the operation. At line:43 char:9 + Remove-AzADSpCredential -ObjectId $key.Name -Force + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : InvalidOperation: (:) [Remove-AzADSpCredential], Exception + FullyQualifiedErrorId : Microsoft.Azure.Commands.ActiveDirectory.RemoveAzureADSpCredentialCommand
And the same error for New-AzADSpCredential command as well.
I thought maybe the ownership of SP1 should be assigned to the App for the run as account, instead of its service principal.
So I also ran the following:
Add-AzureADServicePrincipalOwner -ObjectId <SP1_ObjectId> -RefObjectId <runasaccount_app_ObjectId>
But this wasn't possible, as I got the error:
Code: Request_BadRequest
Message: The reference target 'Application_xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxx' of type 'Application' is invalid for the 'owners' reference.
So I assume the ownership should have been assigned only to SP2, and not to the app.
I looked at here but the accepted answer says
If your user accounts are the Owner of the service principal(Enterprise application), the command New-AzADSpCredential will work.
which is true in my case, and yet, it's not working when running the runbook.
I also looked at here and it seems I need to do the #1 which the OP describes as easy to do.
Any input on how to do this will be greatly appreciated.
If you want to use a service principal to add/remove credentials for another service principal, it is different from using a user account to do that.
I assigned the ownership of SP1 to SP2 as well through the command Add-AzureADServicePrincipalOwner and confirmed it through Get-AzureADServicePrincipalOwner.
This way is correct, but not only the Owner, also you need to give an Application.ReadWrite.OwnedBy Application permission in Azure Active Directory Graph (Not Microsoft Graph)API after that.
Navigate to the API permissions of your automation account corresponded AD App in the portal -> add the permission like below, don't forget to click the Grant admin consent for xxx button at last.
Then test it in the runbook, it works fine.
New-AzADSpCredential -ObjectId xxxxxxxxxxxxx
The combination of Owner and Application.ReadWrite.OwnedBy is the minimum privilege in this case, there are also other ways, you can also give the Application Administrator directory role as you saw here or Application.ReadWrite.All Application permission in Azure Active Directory Graph, both will work.
I attempt to create an AKS cluster in a fresh new subscription. When a cluster is created via the web interface, eventually a CreateRoleAssignmentError error is produced with the following message:
RoleAssignmentReconciler retry timed out: autorest/azure: Service
returned an error. Status=403 Code="AuthorizationFailed" Message="The
client 'foo' with object id 'foo' does not have authorization to
perform action 'Microsoft.Authorization/roleAssignments/write' over
scope
'/subscriptions/bar/resourceGroups/MC_MyResourceGroup_mycluster_region/providers/Microsoft.Authorization/roleAssignments/az
Note that cluster is created with a manually created service principal, as per the documentation. This service principal has an "Owner" role on all Resource Groups within a subscription.
Note also that the reason I had to create a service principal manually is that the cluster could not be created otherwise in the first place. When attempted to create a cluster without explicitly specifying a service principal (that is, requesting a new one to be created automatically), another error was produced:
The credentials in ServicePrincipalProfile were invalid. Please see
https://aka.ms/aks-sp-help for more details. (Details: adal: Refresh
request failed. Status Code = '400'. Response body:
{"error":"unauthorized_client","error_description":"AADSTS700016:
Application with identifier 'foo' was
not found in the directory 'bar'.
This can happen if the application has not been installed by the
administrator of the tenant or consented to by any user in the tenant.
You may have sent your authentication request to the wrong
tenant.\r\nTrace ID:
9ec6ed81-892d-4592-b7b5-61842f5c1200\r\nCorrelation ID:
bffbb112-7348-4403-a36f-3010bf34e594\r\nTimestamp: 2019-07-13
15:48:02Z","error_codes":[700016],"timestamp":"2019-07-13
15:48:02Z","trace_id":"9ec6ed81-892d-4592-b7b5-61842f5c1200","correlation_id":"bffbb112-7348-4403-a36f-3010bf34e594","error_uri":"https://login.microsoftonline.com/error?code=700016"})
I am doing these operations on a fresh new account and a subscription using an "initial" admin user, so I would suppose all permissions should be in place all right. What can explain the errors above?
as the OP asks, here's the answer. In order to create resources in Azure (doesn't matter which resources) you need permissions of type: provider/resource/write. Same goes for edits. This basic principle applies to all the resources out there. Now lets compare owner and contributor:
I have an AKS template that needs contributor role to work + this custom role:
$role = Get-AzureRmRoleDefinition "Virtual Machine Contributor"
$role.Id = $null
$role.Name = "Assign AKS permissions to the vnet"
$role.Description = "Assign AKS permissions to the vnet for the inflation process"
$role.Actions.Clear()
$role.Actions.Add("Microsoft.Authorization/roleAssignments/write")
AKS clusters created by code using this role + contributor are fully functional.
User Access Administrator is a built-in role that you are being granted when you are the tenant admit and you grant yourself access to everything under your tenant: https://learn.microsoft.com/en-us/azure/role-based-access-control/elevate-access-global-admin. So it will obviously work if you grant yourself this role, but you can get away with a lot less permissions.
In my case I solved it by doing again "az login" and moving to the correct subscription,and then i tried to run the command again. It worked.
Also the reason may be you don't have the rights to create a cluster on that resource group. I had this kind of problem before,for that you should contact the person who administers you subscription to give you rights.