As part of disk encryption for a Linux VM in Azure, I asked customer to create key vault and Service principal as I don’t have access to their AD though I have owner permissions of the subscription. I used that service principal to do the Linux VM disk encryption. I am ending up in getting permission issues. I think the reason for this is, since I doesn’t have access to their AD, I doesn’t have enough permission to use service principal which is created by customer.
Now I am asking customer to do following actions:
Step-1: Grant the permissions
go to Azure Active Directory, go to App registrations, select All Apps, click on webapp which we created, click on settings, click on Required permissions, Click on Grant permissions and then Yes.
Step-2: Add me as the owner for service principal
Go to Azure Active Directory, go to App registrations, select All Apps, click on webapp which we created, click on settings, click on Owners and add me as the owner for the service principal by clicking on +Add owner. This should give access to use this service principal.
After these two steps, hope my issue will be resolved. I would like to take your opinion before asking customer. Please give your suggestions on this.
As long as you have the AADClientID and Secret from the App that should be fine on the AAD side.
Make sure the you give the App permission to the Key Vault and enable the keyvault for Disk Encryption.
https://learn.microsoft.com/en-us/azure/security/azure-security-disk-encryption#prerequisites
Related
I have a rather (hopefully) theoretical question regarding the secure usage of Service Pricipals in Azure (Enterprise Applications)
Introduction
we currently deploy our DevOps Code via Azure Service Principals.
AppRegistration/Enterprise App is created
Secret is generated
Permission (i.e. Contributor) to the Ressource Group is granted in Azure
Service Connection is made in Devops
everything works fine.
Assumption
By default the Service Principal (Enterprise Application) is not restricted to a specific user/group (Assignment Required => "no").
My assumption is now, that every user in the AAD-Tenant is able to login to the Enterprise Application as well.
I i.e. do this by using the "Graph Powershell API"-EnterpriseApp.
I can either use a Secret or use my User Credentials to access the Service Principal and its permissions
Security issue?
coming back to our DevOps configuration:
The Service Principal has Contributor Permission on the dedicated Resource Group
Assignment Required is set to no (default configuration)
if I (as a malicious user) have the Application ID, i could simply logon to the Service Principal and receive the Token.
Question:
With this token and my login to the App, do i also have the Contributor Permissions of the App and could now manipulate the whole Resource Group?
Since i'm not an Azure Developer - but only an Azure AD Admin - my knowledge regarding this is limited,
so i'm not able to test it.
Can someone maybe either provide code or prove that my assumptions are wrong or correct?!
Thanks
Yes, the SPN can manage the resources within the resource group if it has Contributor - it is no different than a normal (human) identity.
Consider if the SPN actually needs Contributor or if you can limit it with another role or even make a custom role.
Furthermore, monitor the sign-ins using the Azure AD sign-in logs:
https://learn.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-all-sign-ins
You can also use CanNotDelete resource lock, which means that the service principal cannot delete resource as it is only Contributor:
https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/lock-resources?tabs=json
You might want to look into the Conditional Access to strengthen your environment:
https://learn.microsoft.com/en-us/azure/active-directory/develop/workload-identities-overview
https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/workload-identity
https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-create-azure-ad-roles-and-resource-roles-review
Take a look here:
https://infosecwriteups.com/a-lab-for-practicing-azure-service-principal-abuse-bd000e6c48eb
https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/disable-user-sign-in-portal
https://learn.microsoft.com/en-us/powershell/module/az.accounts/connect-azaccount?view=azps-9.3.0#example-3-connect-to-azure-using-a-service-principal-account
My assumption is now, that every user in the AAD-Tenant is able to login to the Enterprise Application as well.
No. They would need the client secret or the rights to generate a new one. Which requires that they are owners of the App Registration. In the App Registration on the Owners tab it says:
The users listed here can view and edit this application registration. Additionally, any user (may not be listed here) with administrative privileges to manage any application (e.g., Global Administrator, Cloud App Administrator etc.) can view and edit the application registrations.
I'm a Microsoft employee and I'm new to Azure. I would like to deploy a Service Principal on my internal Microsoft Azure subscription. Using the Azure CLI, when I run
az ad sp create-for-rbac --name $spn_name
I get the error "Insufficient privileges to complete the operation." The documentation here (https://learn.microsoft.com/en-us/cli/azure/create-an-azure-service-principal-azure-cli?view=azure-cli-latest) makes it seem like I don't have Azure Active Directory configured properly.
I don't have Azure Active Directory on my internal subscription. Do I need to add this? If so, how can I set this up on my Microsoft internal account? Is there a way to create a Service Principal without Azure Active Directory?
Normal user without Admin roles also will be able to create a service principle even with Azure CLI. If the scenario is that you are creating a service principle from an application then you need application permissions. Please go through similar question which helps in fixing your issue.
Does not require you to have administrator permissions.
If your account's User type is just a Member in the tenant. Make sure in the portal -> AAD -> User settings -> Users can register applications is Yes.
It seems that the issue was that my SP name was not unique. Changing the name solved this problem for me.
I want to add three wordpress-based web apps to my currently existing Azure Service Plan. I have a Premium plan (P1V2), whose location is marked as East US 2, and has the appropriate Resource groups created.
However, when it prompts me to select a Subscription for my app and I do, I get this error:
You do not have correct permissions to add apps to this app service plan
Which appears directly next to the default App Service Plan associated with it.
I have global administrator access on my account, so permissions should not be a problem,but I'm still getting this error. How can I fix it?
See screenshot of error:
I have global administrator access on my account, so permissions should not be a problem,but I'm still getting this error. How can I fix it?
The global administrator is a role in Azure AD, not represents you have the direct permissions in the subscription.
Please follow the steps below:
1.Navigate to the Azure Active Directory-> Properties in the portal, make sure the setting as below is Yes.
2.Navigate to the subscription which you want to do the operations -> Access control (IAM), add your account as an Owner, then the error will be fixed.
I am trying to setup Azure DevOps 'Release' Pipeline, when I am trying to add Azure Resource Manager service Connection, I am getting error like 'Failed to create an app in Azure Active Directory. Error: Insufficient privileges to complete the operation. For troubleshooting refer to link. '
My Organization assigned me an Azure Professional Subscription account. When I click the Active Directory, I am getting error like 'Access denied. You do not have access. Looks like you don't have access to this content. To get access, please contact the owner.'
What sort of user role, the organization needs to assign to me so that I can setup the Azure DevOps Release Pipeline.
The company can't give me the role as global administrator or user account administrator to ADFS, because of security reason. What is the appropriate ADFS user role permission my company should assign to me ?
There's no way to do this without being a Global Admin or Owner on the Azure Active Directory tenant. You need to request access from your organization or else make your own account with your own subscription and publish the application there.
You need to have the Application Administrator role in the AD in order to create the service connections.
After, enabling the Application Administrator role from the Azure Active Directory roles, I was able to create the service connection properly.
We are trying to create a service connection named, xyz-serviceconn-verify. Without any error message, now I could create service connections.
Here, you could see the created service connection, xyz-serviceconn-verify.
Good Luck :)
See the link, last error
https://learn.microsoft.com/en-us/azure/devops/pipelines/release/azure-rm-endpoint?view=azure-devops&viewFallbackFrom=vsts
This error is coming because you do not have sufficient privileges in your AAD, you do not have Write permission for the selected Azure subscription when the system attempts to assign the Contributor role.
It worked for me when I tried to create my own new AD, and then I move the subscriptions I got from the company to this AD (it is just for dev and test).
If you want it to work on production, maybe you should ask the administrator to create a new app registration for you and he should grant all permission to you inside this app (I guess).
Best regards,
Tai.
I am trying to set up octopus to deploy resources to azure.
Under azure active directory I've added a new app registration, and have generated a key and hooked up octopus with the correct Application ID, Tenant ID and key
The organisation has multiple azure subscriptions corresponding to the environments, so I've noticed if I use the Subscription ID of my "Visual Studio Professional MSDN" subscription it works and creates the resources, however if I try to use any of the other organisation Subscription IDs I get the following error:
Login-AzureRmAccount : The provided account c0b2.......76a6 does not
have access to subscription ID "f06.......2aa3". Please try logging in
with different credentials or a different subscription ID.
I have looked through all the settings of the Application Registration and granted it every "Windows Azure Active Directory" permission available, but still no luck.
How do I go about granting permissions to this Application Registration so that it can access the relevant subscriptions?
You need to give the app a role on the subscription/resource group/resource you want it to be able to access.
So for example, you can go to the Access Control (IAM) tab of the subscription, and give the app the Contributor role, which allows the app to read and modify anything in the subscription.
You can also give a more limited role if desired.
Roles can also be applied at a lower scope, like a resource group.
More info in the docs: https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal