Azure App Service Deployments - Minimum Role for Service Principal Account - azure

I am deploying a standard ASP.NET MVC application to an Azure App Service using a VSTS build and release definition. The VSTS instance and the target Azure subscription are on separate Azure accounts/subscriptions so we have create a Azure AD application and Service Principal account to authorize the deployment.
When adding the Service Principal account to the subscription, it wants us to assign a role.
What is the best and least privileged role that can be used to deploy the site?

When add Azure Resource Manager Service Endpoint, it mentions:
A new Azure Service Principal will be created and assigned with
"Contributor" role, having access to all the resources in the selected
subscription.
So, the Contributor role is better.
On the other hand, to configure Azure RM service endpoint, you must be a member of the Global Admin role in the directory. More information: Insufficient privileges to complete the operation.

Related

Unable to connect Azure DevOps and Azure ML

I have created an automated Service Principal from the service requests on Azure Devops with sufficient permissions. Now, when I am trying to create an artifact which is an ML model (registered) it is not auto populating the registered models and resulting in an error.
I am using a free trial Azure account and attempting to implement CI CD for ML. I turned my firewall off and attempted as well but still the issue persists.
It appears that the Service Principal is not assigned the role in the appropriate subscription.
You need to grant the service principal Azure subscription access permission:
Login Azure portal->All service->Subscriptions->click your subscription->Access control(IAM)->Add role assignment->assign the correct role to your service principal
Refer to Use the portal to create an Azure AD application and service principal that can access resources and Assign Azure roles using the Azure portal for details.

Can a service principal create other service principals in Azure?

I found a link here which says:
There is no way to directly create a service principal using the Azure portal. When you register an application through the Azure portal, an application object and service principal are automatically created in your home directory or tenant.
My question is, Can a 'service principal' create another 'service principals' in Azure? If yes, how? and what all permissions required for this?
Please suggest. Thanks.
A service principal can create another service principal after being assigned either the corresponding MS Graph permission, or Azure AD role
MS Graph Permissions
Either of the permissions
Application.ReadWrite.All
Application.ReadWrite.OwnedBy
References
Microsoft Graph permissions reference
Create application API endpoint
Create servicePrincipal API endpoint
Azure AD Role
Any role with one of these permissions
microsoft.directory/applications/create
microsoft.directory/applications/createAsOwner
microsoft.directory/applications/allProperties/allTasks
Built-in roles
Application Administrator
Application Developer
Cloud Application Administrator
Global Administrator
Hybrid Identity Administrator
References
Azure AD built-in roles
Application registration permissions for custom roles in Azure Active Directory

Azure Resource Manager Service connection using automated security: What permissions are assigned over the Resource Group?

According this when you create an Azure Resource Manager service connection to a certain Resource Group, Azure DevOps connects with Azure Active Directory (Azure AD) and creates an app registration with a secret that's valid for two years.
Well, what exactly are the permissions given to this app registration over the Resource Group? Same than the account which is creating the service connection?
When you create a automated Azure Resource Manager Service connection in Azure Devops, it will automaticlly create a service principal in Azure Active Directory(Named: Orgname-projectname-SubscriptionID).
You could navigate to Azure Portal -> Azure Active Directory -> App registrations.
When using this automatic service connection in azure devops, azure sources are operated through this service principal instead of the account which is creating the service connection.
This service principal has the Contributor role in Azure Resource Group.
Grants full access to manage all resources, but does not allow you to assign roles in Azure RBAC, manage assignments in Azure Blueprints, or share image galleries.
You can search for the service principal name in Resource Group -> Access control to check its permissions
what exactly are the permissions given to this app registration over the Resource Group?
It is a Contributor role, also did a quick test for you.
Same than the account which is creating the service connection?
No, the account needs to be the Owner of the subscription, otherwise it will not have the permission to assign the role to the AD App i.e. service principal.

Using IAM for Azure Service Bus, how can I assign a role to an application?

Background
I want to give an application ownership of several of my Azure Service Bus queues ... specifically, by granting it the Azure Service Bus Data Owner role.
The Azure Service Bus documentation says this is possible:
Azure Service Bus supports using Azure Active Directory (Azure AD) to authorize requests to Service Bus entities (queues, topics, subscriptions, or filters). With Azure AD, you can use role-based access control (RBAC) to grant permissions to a security principal, which may be a user, group, or application service principal [my emphasis].
(Source)
However, I can't find a way to do it.
What I've Tried
Registered the application in Azure AD.
Granted the application the user_impersonation permission on Microsoft.ServiceBus. (Application permissions is disabled [1], so I selected Delegated permissions and checked user_impersonation [2]. No idea if that's right. I posted another question a while ago about Application permissions being disabled, but the accepted answer of editing the manifest doesn't work in this case.)
In my Service Bus queue, selected Role assignments.
Clicked Add.
Searched for my application.
Issue
My application doesn't appear in the search results in Role assignments.
A service principal is the instance of an application in a given tenant. (Multi-tenant applications can have service principals in many tenants, all referring back to a single app registration.)
To grant an Azure role to an application, a service principal must first exist in the tenant. To check if the service principal for an app registration already exists in the same tenant where the app is registered (and create it if it doesn't):
Using the Azure portal:
Navigate to Azure AD > App registrations > (app) > Overview
Under the Managed application in local directory heading:
If you see a link with the name of the app, the service principal already exists.
If you see a "Create service principal" link, clicking it will attempt to create the service principal.
Using Azure CLI:
az ad sp show --id {app-id}
az ad sp create --id {app-id}
Using Azure AD PowerShell:
Get-AzureADServicePrincipal -Filter "appId eq '{app-id}'"
New-AzureADServicePrincipal -AppId "{app-id}"

Azure AAD Role for Octopus Webapp deployments

I'm using Octopus Deploy to deploy an Azure WebApp, using Service Principal as the authentication mechanism. Following online instructions, I was able to obtain all the id's and a key, and I created permissions in AAD for the app with a Reader role.
Octopus can successfully retrieve a list of webapps from Azure for the account, but when I deploy I get the following:
System.AggregateException: One or more errors occurred. --->
System.Exception: Retrieving publishing credentials failed with HTTP
status 403 - Forbidden
I'm guessing that the Reader role is not authorized for deployments - which would be the most appropriate role? Or is there something else I need to do?
Your Service Principal will need the Contributor role in order to deploy on Azure.
If you take a look at the example PowerShell script we provide in our Azure Service Principal Account guide, you'll see that we assign "Contributor" for the role definition argument.
ie.
New-AzureRmRoleAssignment -RoleDefinitionName Contributor -ServicePrincipalName $azureAdApplication.ApplicationId
Hope this helps.
If you only use the Service Principal to deploy web app, you could give it Website Contributor role.
Website Contributor Can manage websites, but not the web plans to
which they are connected
Actions that Website Contributor could access please refer to this link.
If you want the service principal to create app service plan, you also need give it Web Plan Contributor role.
Owner and Contributor can manage everything, if you need to fine-tune permissions, I suggest you select Website Contributor role. More information please refer to this link:Built-in roles for Azure role-based access control.
Please refer to this link:Assign application to role.

Resources