Service principal privileges for app registration creation - azure

I'm using a service principal as the login identity for the Azure CLI. The role of this service principal is "owner".
I'm trying to run:
az ad app list
and
az ad app create --display-name "Test application 2"
and getting error:
Directory permission is needed for the current user to register the
application. For how to configure, please refer
'https://learn.microsoft.com/en-us/azure/azure-resource-manager/resource-group-create-service-principal-portal'.
Original error: Insufficient privileges to complete the operation.
What role should I assign to this service principal?

Your service principal is missing permissions related to reading and writing applications in Azure AD.
Go to your Azure AD, "Registered applications"
Find your service principal (you may need to look at all applications instead of just yours)
Add the required permissions as shown below:
Once you've selected the right permissions and clicked Done, click "Grant Permissions", because these permissions need admin consent.

Related

What Role or Scopes Does An Azure Service Principal Need to Create Applications

I currently create a service principal using the Azure CLI:
az ad sp create-for-rbac --name foo --role Contributor
I need the service principal to have enough permissions to create/modify/delete various Azure AD resources including Applications, other Service Principals and Service Principal Passwords. When I use the above service principal to create other service principals, I currently get 403 Forbidden errors.
I have also tried using the 'Owner' and 'User Access Administrator' roles but these still give me a 403 error. What do I need to add to the above Azure CLI command or what additional role assignments do I need to add?
I'd like to use the service principal in a Pulumi program with their Azure AD provider (based on Terraform's Azure AD provider). See:
https://github.com/pulumi/pulumi-azuread/issues/246
In order for a service principal to be able to manage applications it requires API permissions. There is no such thing as a scope, because the API permissions are against the Azure AD API. Scopes are only applicable when it is related to the Resource Manager API. These are not the same thing.
When you go to application registrations in Azure AD, you can find the application, this is also where you will be able to assign the API permissions and grant consent.
You will do this either on the Azure Active Directory Graph, or on the Microsoft Graph. In my experience only the permissions assigned with the Azure Active Directory Graph worked.
Application.ReadWrite.All (type: Application): Read and write all applications
Application.ReadWrite.OwnedBy (type: Application): Manage apps that this app creates or owns
You will find these two application permissions that you could use. The first you can use to manage all applications.
The az cli command you are using creates a role assignment. This is RBAC on the subscription; it has nothing to do with Azure AD aside from the service principal being an AAD resource.
You need to add the scope of this service principal and also change the Azure role of this service principal to 'User Access Administrator' to enable you to modify resources in Azure AD. Also, the 'User Access Administrator' role will give the service principal the required permissions for that Azure role to assign RBAC permissions. Please refer to the command below for more details:
az ad sp create-for-rbac --name foo --role "User Access Administrator" --scopes /subscriptions/{subscriptionId}/resourceGroups/{resourceGroup1}
Also, ensure that the user ID through which you are creating this service principal and assigning the role to it has permissions to register and create applications in Azure AD. If not, then please assign that ID the 'Application Administrator' Azure AD role, or you should be allowed by an administrator to create and register applications even though you are only a 'User'.
You need to give your service principal "App admin" permissions. This allows you to create application registrations and also set their credentials. And it does not give it rights to do anything else such as manage users and groups. If your intent is to include those, you need to add additional roles to the service principal.
https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#application-administrator

Azure Pipeline Get Application Client ID in Script

I have a Pipeline in my DevOps that builds and deploys an application. This is working successfully.
As part of the deployment I need to update a configuration.json file with the Client ID of my application. To achieve this I am executing:
$clientID = az ad app list --display-name "MyApplication" --query "[0].appId" -o tsv
I have created an "Azure CLI" step and am executing this within the role of a Service Principal, but when it runs I get an error "Insufficient privileges to complete the operation". Where or what permissions do I need to change?
Pipeline Step Description:
Azure CLI
Type: Powershell Core
Script Path: A Valid Path
The other answer is only half correct and not good. The Delegated permission Directory.Read.All in Microsoft Graph will not work in this case. Giving the Global Administrator role to the service principal will work, but this permission is too large; if you don't want to cause some security issues, try not to use it.
To solve the issue, you just need to give the Application permission Directory.Read.All of Azure Active Directory Graph. You could follow the steps below.
1. Navigate to the Project Settings in DevOps -> Service connections -> find the service connection you used -> click Manage Service Principal.
2. Then it will open the Azure AD App page of the service principal. Navigate to the API permissions -> add the Application permission Directory.Read.All of Azure Active Directory Graph like below (Note: It should be Azure Active Directory Graph, not Microsoft Graph).
Don't forget to click the Grant admin consent for xxx button at last.
After a while, try the command again; it will work fine.
I was able to run it with success after adding Directory.ReadAll permission
and adding this principal to Global Administrator group.

Creating Service Principal for Azure CDN is failing with Tenant Permission Error

I'm trying to add Azure CDN as a service account, in order to connect it to KeyVault.
Following the official guide and other suggestions such as Can't add Microsoft.Azure.Cdn service principal to Key Vault access policies
However this command:
New-AzureRmADServicePrincipal -ApplicationId "205478c0-bd83-4e1b-a9d6-db63a3e1e1c8"
is giving me this error:
New-AzureRmADServicePrincipal : When using this permission, the backing application of the service principal being created must in the local tenant.
Even after I've set the context to the correct tenant using Set-AzureRmContext -TenantId xxx.
Any help is appreciated!
The error
When using this permission, the backing application of the service principal being created must in the local tenant.
is reported when you don't have sufficient permissions in AAD to add a service principal for an application defined in a different tenant. This is the case for, e.g., a normal user who does not have any specific Azure Active Directory role. With Global Administrator or Application Administrator (or possibly other roles) the command would succeed (please note that these are AAD administrative roles, not the RBAC roles which are used for resources).
The same error could be reported by az cli call to create principal:
az ad sp create --id 205478c0-bd83-4e1b-a9d6-db63a3e1e1c8

AzureDevops Connection Permission for Cycling Service Principal Secret

I am trying to create a release in AzureDevops that checks the expiration of SP secrets and then updates them if necessary. I have the part that does the check:
param (
    [string]$SpId
)
$SpSecret = $null
# endDate of each password credential on the service principal
$SpEndDate = az ad sp credential list --id $SpId --query "[].{Key:endDate}" -o tsv
if ((Get-Date $SpEndDate).AddDays(-30) -lt (Get-Date)) {
    # Set a new secret value if it is about to expire
    $SpSecret = az ad sp credential reset --name $SpId --query password -o tsv
}
# Expose the new secret to later pipeline tasks as a secret variable
Write-Host "##vso[task.setvariable variable=var01;issecret=true]$SpSecret"
# Note: variables set via ##vso are only visible to later tasks, not to this script's environment
Write-Host $env:Secret
The issue now is that the service connection does not have the permissions to run "az ad sp credential reset". I have looked at the connection and don't see a permission that will work. Any suggestions?
When you create the Azure Resource Manager service connection to use the AzureCLI, the system will create an AD App for you automatically, check this link.
If you use this service connection with AzureCLI, it will use the credential of the service principal of the AD App in your tenant. For the concept of service principal and AD App, see this link.
To fix the issue, navigate to the Azure Active Directory in the portal -> App registrations -> All applications -> find the application corresponding to the service connection; its name should be like organizationname-projectname-513f22f1-befd-xxxxxxcfe90f1. Then click it -> add the permission like the screenshots (Note: your user account needs the admin role to click the Grant admin consent button, e.g. Global admin).
After granting the permission, wait for a while; the service principal of the service connection will be able to create the AD App, and the Azure CLI task should work fine.
The Application.ReadWrite.All permission will allow the service principal to create, read, update and delete all applications and service principals. If you want to avoid the security problem, you can also use PowerShell to add the service principal of the service connection as an Owner of the service principal whose credential you want to reset. Then you just need to add the Application.ReadWrite.OwnedBy permission in the screenshot above.
Navigate to the organizationname-projectname-513f22f1-befd-xxxxxxcfe90f1 app in the portal -> click the Managed application in local directory as below.
Then copy the Object ID in the screenshot.
Then use the PowerShell below (at least you need to be the Owner of the target App to run the command).
Add-AzureADApplicationOwner -ObjectId <ObjectId of the app which corresponding to the service principal> -RefObjectId <ObjectId of the service connection corresponding service principal>
Besides: At first, I supposed Add-AzureADServicePrincipalOwner was enough, but per my test it does not work; it looks like Application.ReadWrite.OwnedBy may not allow operating on the service principal corresponding to the AD App.
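The rotation check from the question, written out as an added example (not the asker's script or the answer's code) that handles a service principal with several secrets: it picks the one expiring soonest, rotates only inside the threshold, and never echoes the new value. It assumes the pipeline identity already holds the OwnedBy permission and ownership described above; $SpId is a placeholder, and the `--id` flag on `credential reset` is the current CLI spelling (older releases used `--name`, as in the question).

```powershell
# Added example: rotate an SP secret only when the soonest-expiring one is near expiry.
param(
    [Parameter(Mandatory)] [string] $SpId,   # placeholder: appId or object id of the SP to check
    [int] $ThresholdDays = 30,               # rotate when the earliest expiry is this close
    [switch] $WhatIf                         # report only, never reset
)
$ErrorActionPreference = 'Stop'

# Read the full JSON instead of tsv: an SP can carry several password credentials,
# and feeding a multi-line tsv string to Get-Date fails.
$creds = az ad sp credential list --id $SpId -o json | ConvertFrom-Json
if (-not $creds) { throw "No password credentials found on $SpId" }

# Older CLI versions return 'endDate' (as in the question); newer, Graph-based
# versions return 'endDateTime'. Accept either and compare everything in UTC.
$soonest = $creds |
    ForEach-Object { if ($_.endDateTime) { $_.endDateTime } else { $_.endDate } } |
    ForEach-Object { ([datetime]$_).ToUniversalTime() } |
    Sort-Object | Select-Object -First 1
$daysLeft = [int]($soonest - [datetime]::UtcNow).TotalDays
Write-Host "Earliest secret expiry for $SpId is $($soonest.ToString('u')) ($daysLeft days left)"

if ($daysLeft -gt $ThresholdDays) { return }
if ($WhatIf) { Write-Warning "Would rotate the secret (expires in $daysLeft days)"; return }

# Reset creates a new secret; hand it to later tasks only as a secret variable and
# do not print it, otherwise it lands in the pipeline log.
$newSecret = az ad sp credential reset --id $SpId --query password -o tsv
Write-Host "##vso[task.setvariable variable=SpSecret;issecret=true]$newSecret"
```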

Owner level Service Principal permission not working for Azure Active Directory

I am attempting to automate the registration of a new application in Azure Active Directory. Upon running the command in Azure CLI, it returns with the following error:
Insufficient privileges to complete the operation.
The command was run using a Service Principal which has Owner permissions at the Subscription level. When attempting to run other Azure AD commands (e.g. az ad app list), the same error is thrown. However, it works fine if we run commands relating to Azure API Manager (e.g. az apim list).
We have tried creating the Service Principal using both the Azure console (https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal) and CLI by running the following command but neither works.
az ad sp create-for-rbac --role Owner --name some-service-principal
Is there anything else required to perform this operation?
The Owner role you mention is part of Azure RBAC, which does not apply to Azure AD.
The Azure AD tenant is above the Azure subscriptions and has its own permissions.
You need to give the SP application permissions to MS Graph API / AAD Graph API (not sure which one the CLI is trying to use), or a directory role.
The first you give through API permissions on the app registration for the SP.
A directory role can be added through the Roles and administrators tab.
That happens because Azure AD and the Azure subscription are completely unrelated in terms of permissions. You need Application Read\Write Azure AD permissions for your principal (user\service principal\application) to be able to carry out that task.
https://learn.microsoft.com/en-us/graph/permissions-reference#application-resource-permissions
az ad app permission: https://learn.microsoft.com/en-us/cli/azure/ad/app/permission?view=azure-cli-latest#az-ad-app-permission-add
followed by az ad app grant: https://learn.microsoft.com/en-us/cli/azure/ad/app/permission?view=azure-cli-latest#az-ad-app-permission-grant
or you could do it using the portal, like the other answer suggests
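The CLI route the answer points at, as an added example (not code from any of the answers above) that grants the least-privilege application permission instead of the Application.ReadWrite.All used in several answers, and does it against Microsoft Graph rather than the retired Azure AD Graph. It assumes you are signed in as a user with an Azure AD role that can grant admin consent (e.g. Application Administrator); $SpAppId and $TargetAppObjectId are placeholders, and the app role GUIDs are Microsoft Graph's published values.

```powershell
# Added example: give an automation SP Application.ReadWrite.OwnedBy (or .All) via the Azure CLI.
param(
    [Parameter(Mandatory)] [string] $SpAppId,   # placeholder: appId of the SP's own app registration
    [string] $TargetAppObjectId = $null,        # placeholder: object id of an app the SP should manage
    [switch] $AllApplications                   # use Application.ReadWrite.All instead of OwnedBy
)
$ErrorActionPreference = 'Stop'

# Microsoft Graph's well-known resource appId and the app role ids of the two permissions
# discussed in the answers. The GUIDs are Graph's published values, not page-specific ones.
$GraphAppId = '00000003-0000-0000-c000-000000000000'
$Roles = @{
    'Application.ReadWrite.OwnedBy' = '18a4783c-866b-4cc7-a460-3d5e5662c884'
    'Application.ReadWrite.All'     = '1bfefb4e-e0b5-418b-a88f-73c46d2cc8e9'
}
$RoleName = if ($AllApplications) { 'Application.ReadWrite.All' } else { 'Application.ReadWrite.OwnedBy' }

# 1. Add the permission as an application permission ("=Role"), not a delegated one ("=Scope").
az ad app permission add --id $SpAppId --api $GraphAppId --api-permissions "$($Roles[$RoleName])=Role"

# 2. Application permissions need tenant-wide admin consent. 'az ad app permission grant'
#    creates delegated OAuth2 grants only, so consent is given with admin-consent instead.
az ad app permission admin-consent --id $SpAppId

# 3. With OwnedBy the SP can only touch registrations it owns, so add it as an owner of
#    the target app (the CLI equivalent of the Add-AzureADApplicationOwner step above).
if (-not $AllApplications -and $TargetAppObjectId) {
    # 'id' is the object id on current CLI output; older releases called it 'objectId'.
    $SpObjectId = az ad sp show --id $SpAppId --query id -o tsv
    az ad app owner add --id $TargetAppObjectId --owner-object-id $SpObjectId
}
Write-Host "Granted $RoleName to $SpAppId; consent may take a few minutes to propagate."
```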
