I looked for multiple solutions but could not find a proper solution for the creation of Azure AD application using PowerShell. I'm not looking to create an Azure AD itself but an application inside it.
Yes, you can do it through PowerShell. Please look at New-AzureADApplication Cmdlet: https://msdn.microsoft.com/en-us/library/dn986794.aspx.
Yes, you can use the Azure ARM commandlets:
https://msdn.microsoft.com/en-us/library/dn757692.aspx
You should look specifically at:
New-AzureADApplication - https://msdn.microsoft.com/en-us/library/mt603747.aspx
New-AzureADServicePrincipal - https://msdn.microsoft.com/en-us/library/mt603780.aspx
Here's an example of how you'd run them:
Login-AzureRmAccount
$app = New-AzureRmADApplication –DisplayName "My App" – HomePage "http://myapp" –IdentifierUris "http://myapp"
New-AzureRmADServicePrincipal –ApplicationId $app.ApplicationId
Note that the "classic" Azure Portal (manage.windowsazure.com) only shows "Service Principals" in the Applications tab. So if you only create the AD Application without creating the Service Principal, you won't see an entry in the portal.
You can find more info about Application Principals and Service Principals here: https://azure.microsoft.com/en-us/documentation/articles/active-directory-application-objects/
Key points from that article: Application object: This object represents a definition for your app. You can find a detailed description of its properties in the Application Object section below.
ServicePrincipal object: This object represents an instance of your app in your directory tenant. You can apply policies to ServicePrincipal objects, including assigning permissions to the ServicePrincipal that allow the app to read your tenant’s directory data. Whenever you change your Application object, the changes are also applied to the associated ServicePrincipal object in your tenant.
Related
I am configuring Harness Cost Management report for my Azure Dev subscription and getting the below error while creating the service principle.
When using this permission, the backing application of the service principal being created must in the local tenant
Used below command to create Service Principle.
az ad sp create --id 0211763d-24fb-4d63-865d-xxxxxxxxx
Here is the Harness link I am following for this setup
https://docs.harness.io/article/7idbmchsim-set-up-cost-visibility-for-azure
How can I resolve this issue?
To resolve the above issue ,You may refer the below workaround
Make sure that CCM has been enabled properly as shown in the given DOC.
After enabling CCM, it takes about 24 hours for the data to be
available for viewing and analysis.
Also make sure that you have the Application Administrator role assigned for your Azure AD and select the correct subscription where you need to create .
As you are using az ad sp create --id 0211763d-24fb-4d63-865d-xxxxxxxxx instead of that use below cmdlts to create Service principle .
az ad sp create --id 00000000-0000-0000-0000-000000000000
For more information please refer this Blogpost, & refer this SO THREAD for similar error.
I would like to add an Azure app as member of the Azure Group. I am owner of the Group but when I click on Add-->Member , it only lists individual users and there is no option for adding an app:-
I am not trying to provide access to the SG so it can access the app (for that I will have to go to the specific app page) rather I am trying to make the app as the 'member' of an Azure group that I already own. But I just don't see an option for doing that.
If your group is an Office group, it does not support to add the service principal as a member(i.e. the MSI of your datafactory, which is essentially a service principal created by azure automatically in general, see this link).
If you want to add the service principal to the group, you need to use the Security group, see this link.
If your User type is member, but you are not able to create the Security group, the UsersPermissionToCreateGroupsEnabled setting should be set with false in your Azure AD tenant.
See To restrict the default permissions for member users:
For more details, refer to this link.
You need to run this command first from powershell to create the managed identity
Set-AzDataFactoryV2 -ResourceGroupName <resourceGroupName> -Name <dataFactoryName> -Location <region>
https://learn.microsoft.com/en-us/azure/data-factory/data-factory-service-identity
I would like to create a least permission custom role in Azure to assign to a service principal that only allows the service principal to register Azure AD applications and service principals.
The "Contributor" standard role has all the needed rights but also a great many that are not needed, and I can't find anything in the list of available operations that seems to correspond to application registrations which could be used to produce a custom role.
It turns out the question is misguided - I had thought the assignment of Microsoft.Azure.ActiveDirectory permissions to the service principal was insufficient to create and edit app registrations. But it turns out I was just running up against a 5-10 minute lag between permissions being set in the Azure portal and the permissions taking effect. Granting the contributor role to the service principal just happened to take enough time for the original permissions to take effect.
AFAIK, you would not need to create a custom role in Azure to allow registering Azure AD Applications and Service Principals.
Who can register an application through Azure AD is controlled by user's membership in Azure Active Directory itself and their "Directory Role" in that Azure AD for some operations but not the usual RBAC built-in or custom roles which you are looking at (as you mention the list of ARM Resource Provider operations in your question)
Please refer to this Microsoft Documentation: Who has permission to add applications to my Azure AD instance?
UPDATE: Answering query from comments after Simon's edit to original question.
How to provide application registration privileges to a service principal?
Again, you will not use RBAC roles or create custom roles as you mention in your question but instead provide specific "application permissions" to the relevant Service Principal in Azure AD. I'll give steps below.
Go to your Azure AD, "Registered applications"
Find your service principal (may need to look at all applications instead of just my)
Add required permissions as shown below:
Once you've selected the right permissions and done. Please click on "Grant Permissions" because these permissions need Admin consent.
Use a custom AAD role as described here.
This is preferable to granting the built-in "Application Developer" role because it's too permissive and has the 250 App limit..
#Requires -Modules AzureADPreview
# 3 October 2020
# Connect-AzureAD
$ParameterList = #{
DisplayName = 'Application Registration Creator'
Description = 'Can create an unlimited number of application registrations.'
TemplateId = (New-Guid).Guid
IsEnabled = $true
RolePermissions = #{
allowedResourceActions = #(
'microsoft.directory/applications/create'
'microsoft.directory/applications/createAsOwner'
)
}
}
$customRole = New-AzureAdMSRoleDefinition #ParameterList
Three topics in Azure AD I'm constantly confused on:
Service Principal
Enterprise Application
App Registration
What is the difference?
I can easily go into "App Registrations" and register an "app" while that "app" doesn't even need to exist. All it requires is a URL which can also be totally random. This app registration then becomes a service principal which you can use to connect to Azure to from PowerShell for instance? Why? I don't understand this.
Please advise, and as you can probably tell, I'm new to Azure :)
When you write an application as a developer, you will register it in a given tenant, and will specify it's properties. This happens in the App Registration blade in Azure AD.
I'll dare an analogy by saying that the app is like a "class" in object oriented languages (with some static properties, which will be common to all instances)
By registering the application, in that given tenant if you use the portal this also automatically created a service principal for this application, which you can find in the "Enterprise Applications" blade of the Azure portal.
To continue with my analogy the portal creates a kind of instance of that class. This service principal contains information which are related to both the application and the tenants and its users. For instance it contain the activity of the users, what they have consented to in particular.
Now if during the app registration / app management, you decide that your application is "multi-tenant", then, when the application is accessed in other tenants, another service principal (remember this instance) will be created in that tenant.
BTW, you go to the new App Registration (Preview) blade in the azure portal, when you create an application, you can now see nicely grouped by categories all the properties of the app (all the properties which are common to all the service principal). Now if, in the "Overview" tab of the app, you click on the link "Managed application in local directory", you'll get to the corresponding service principal in the same tenant (where you'll see which users have accessed the app, when, where you can grant admin consent - if you are tenant admin -, and see the activity and the audit logs)
This is indeed confusing, and you are not the only one who feel that way. I guess this whole application/service principal is designed from the perspective of web applications, which can be scaled across multiple Azure AD tenants. For someone, who just wants to create some small scripts which connects to Azure services, understanding this whole thing is too much. Unfortunately there is no way around it. Azure Portal is also little bit confusing for this part, it only started to make some sense when I used Azure CLI for it.
To access Azure resources programmatically, we need to use Service Principal credentials. Service Principal is actually an instance of application, so we need to create an Application(App Registration) first too. If App Registration is added from portal, Service Principal is created automatically. With Azure CLI creating Application and Service Principal are two distinct steps.
Tricky part is, credentials has to be obtained from Application(App Registrations -> select app -> Certificates & Secrets). While the role assignment for the Service Principal has to be done from Subscriptions(select subscription -> Access control(IAM) -> Role Assignments) or any other resource which supports IAM. Same process using CLI makes more sense.
Using Azure CLI
Register/create app
$ az ad app create --display-name "displayName"
Create service principal for the app just created
$ az ad sp create --id "applicationId"
Set application credentials
$ az ad app credential reset --credential-description "some_description" --id "applicationId"
OR
$ az ad sp credential reset --credential-description "some_description" --name "applicationDisplayName" --append
Assign roles to Service Principal to access resources in Azure.
$ az role assignment create --assignee "service principal object id/ApplicationId" --role role_name
And if you don't care about all this application/service principal stuff and just want to use Service Principal for accessing Azure resources, there is a shortcut.
$ az ad sp create-for-rbac --name "service_principal_name"
This will create application, service principal, set credentials on app, assign Contributor role at subscription scope to service principal and print the credentials !!
Since the name of the Application(in App Registrations) and Service Principal(Enterprise/All Applications) is same, we need to look carefully at Object ID and Application ID to find out which is which. On the top of that, Service Principals are listed as Enterprise Applications/All Applications in Azure Portal.
'Enterprise Applications' is just a category of Service Principal which satisfies two conditions.
Service Principal and Application registration should be in same tenant.
Service Principal should have tag 'WindowsAzureActiveDirectoryIntegratedApp'. If this tag is removed from Service Principal, it won't show under Enterprise Applications, but still be listed under 'All Applications'. ( Do not try in production!! )
Note that service principals created from cli did not appear in 'Enterprise Applications' and I had to add the tag manually.
$ az ad sp update --id "service_principal_object_id" --add tags WindowsAzureActiveDirectoryIntegratedApp
I am trying to use Microsoft.Azure.Management.Logic.LogicManagementClient to programmatically create a Logic App workflow in Azure. Authentication has already worked, but when I call logicManagementClient.Workflows.CreateOrUpdateAsync(), I am getting a CloudException saying that the client does not have authorization to perform action 'Microsoft.Logic/workflows/write'.
How can I give the app the required permissions?
I have already given it (in the Azure Portal) all permissions for Azure AD and Microsoft Graph. But when I try to add permissions for Windows Azure Service Management API (which I assume is the relevant API here), it says "No application permissions available":
You need to give your app at least Contributor access to the resource group via the Access Control (IAM) tab.
To manage Azure resources through the ARM API, you always need a role via RBAC.
I did this via PowerShell. I assigned the Contributor role to my App Registration. Here are the commands.
az login
az account set --subscription "YOURSUBSCRIPTIONNAME"
NOTE: Had to create Resource Group in Portal, Use the Application (client) ID of the App Registration Client
New-AzRoleAssignment -RoleDefinitionName Contributor -ServicePrincipalName Application(client)ID -ResourceGroupName YOURRESOURCEGROUPNAME