I have a multi-tenant application in azure and was looking to find a way to login using Azure CLI. So far I have been unsuccessful.
The following command works well with service principal but fails with application
azure login --service-principal -u <app-id> -p <password> --tenant <tenant-id>
Is it possible to use Azure AD application with Azure CLI?
No , service principal is the identity for the app and could be used to authenticate the app with its own credentials. So if you have an app that needs to access resources , you need to create a service principal for an Active Directory application, and the service principal has permissions on your subscription, then you can use the azure login command to authenticate the service principal.
Related
Been looking for a while but couldn't find the answer. I've been using service principle on my azure devops to modify my azure infrastructure via piplines (proper permissions). I need to run some of the commands locally using powershell, for example delete some of my azure roles.
Is there a way to use my service principle's permissions via cli / powershell to achieve what I'm looking for? Cannot do it via Connect-Azure as my user account's role has insufficient permissions. I need to do it with service principle.
Yes, you can login to the Azure CLI with a Service Principal.
To sign in with a service principal, you need:
The URL or name associated with the service principal
The service principal password, or the X509 certificate used to create the service principal in PEM format
The tenant associated with the service principal, as either an .onmicrosoft.com domain or Azure object ID
az login --service-principal -u <app-id> -p <password-or-cert> --tenant <tenant>
https://learn.microsoft.com/en-us/cli/azure/authenticate-azure-cli#sign-in-with-a-service-principal
As per my understanding, Azure Kubernetes Service(AKS) allows getting credentials for admin and user identities. Can the user identity be an AD app or a managed identity?
I'm writing .Net code. Can you provide some sample where we can get the user credentials from AKS cluster by using AD app credentials, assuming I have already done AD integration with my AKS cluster and have already assigned the appropriate role binding for my AD app?
The security section here - https://learn.microsoft.com/en-us/rest/api/aks/managedclusters/getaccessprofile needs implicit flow. How does implicit flow work for AD app credentials?
You can use Implicit grant flow to get access token.
You'll need the Azure Kubernetes Service Cluster User built-in role to access an Azure AD enabled cluster.
Get the user credentials to access the cluster:
az aks get-credentials --resource-group myResourceGroup --name MyManagedCluster
Or use List Cluster User Credentials API.
POST https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ContainerService/managedClusters/{resourceName}/listClusterUserCredential?api-version=2020-04-01
Because Get Access Profile API will be deprecated in the futhure.
I'm trying to add Azure CDN as a service account, in order to connect it to KeyVault.
Following the official guide and other suggestions such as Can't add Microsoft.Azure.Cdn service principal to Key Vault access policies
However this command:
New-AzureRmADServicePrincipal -ApplicationId "205478c0-bd83-4e1b-a9d6-db63a3e1e1c8"
is giving me this error:
New-AzureRmADServicePrincipal : When using this permission, the backing application of the service principal being created must in the local tenant.
Even after I've set the context to the correct tenant using Set-AzureRmContext -TenantId xxx.
any help is appreciated!
The error
When using this permission, the backing application of the service principal being created must in the local tenant.
is reported when you don't have sufficient permissions in AAD to add service principal for application defined in different tenant. This is case of e.g. normal user, who does not have any specific Azure Active Directory Role. With Global Administrator or Application Administrator (or possibly other roles) the command would succeed (please note that these are AAD Administrative Roles, not RBAC roles which are used for resources).
The same error could be reported by az cli call to create principal:
az ad sp create --id 205478c0-bd83-4e1b-a9d6-db63a3e1e1c8
I am attempting to automate the registration of a new application in Azure Active Directory. Upon running the command in Azure CLI, it returns with the following error:
Insufficient privileges to complete the operation.
The command was run using a Service Principal which has Owner permissions at the Subscription level. When attempting to run other Azure AD commands (e.g. az ad app list), the same error is thrown. However, it works fine if we run commands relating to Azure API Manager (e.g. az apim list).
We have tried creating the Service Principal using both the Azure console (https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal) and CLI by running the following command but neither works.
az ad sp create-for-rbac --role Owner --name some-service-principal
Is there anything else required to perform this operation?
The Owner role you mention is part of Azure RBAC, which does not apply to Azure AD.
The Azure AD tenant is above the Azure subscriptions and has its own permissions.
You need to give the SP application permissions to MS Graph API / AAD Graph API (not sure which one the CLI is trying to use), or a directory role.
The first you give through API permissions on the app registration for the SP.
A directory role can be added through the Roles and administrators tab.
that happens because Azure AD and Azure subscription are completely unrelated in terms of permissions. You need Application Read\Write Azure AD permissions for your principal (user\service principal\application) to be able to carry out that task
https://learn.microsoft.com/en-us/graph/permissions-reference#application-resource-permissions
az ad app permission: https://learn.microsoft.com/en-us/cli/azure/ad/app/permission?view=azure-cli-latest#az-ad-app-permission-add
followed by az ad app grant: https://learn.microsoft.com/en-us/cli/azure/ad/app/permission?view=azure-cli-latest#az-ad-app-permission-grant
or you could do it using the portal, like the other answer suggests
I am trying to create a service principal from azure cli.
az login --service-principal -u servicePrincipalGuid -p spPassword --tenant tenantGuid
az ad sp create-for-rbac --skip-assignment
It works if i assign to the service principal Global administrator but it does not work with the Application Administration which according to the documentations should be sufficient.
I am wondering what roles/permissions are needed to be able to create a service principal without global administrator?
I can reproduce your issue, it is really weird, based on my knowledge, the Application administrator role should work.
The command az ad sp create-for-rbac --skip-assignment creates the app registration successfully, but it can't create the corresponding service principal. Even if I test with the command below to create service principal for the app.
az ad sp create --id '<object-id of the app registration>'
or powershell
New-AzureADServicePrincipal -AppId <object-id of the app registration>
I am wondering what roles/permissions are needed to be able to create a service principal without global administrator?
If you just want to let the command work without the global admin, you could add Application.ReadWrite.All permission of Azure Active Directory Graph like below, then it will work.