It is possible to assign app role access for an app registration in terraform using required_resource_access for azuread_application. This will give access to a custom role to my API to another application/service principal.
I would like to do the same for a managed identity, but cannot figure a way to do that with terraform. It can be done with powershell like that e.g.:
New-AzureADServiceAppRoleAssignment -ObjectId $managedIdentityObjectId -Id $appRoleId -PrincipalId $managedIdentityObjectId -ResourceId $serverServicePrincipalObjectId
This call to graph api would achieve the same I think:
POST /servicePrincipals/{objectId}/appRoleAssignments
But I'd really love to do that with terraform if possible.
There is no such built-in resource in Terraform to achieve this, the only related thing here - azuread_application_app_role, if you want to do that, the workaround is to run the powershell command in Terraform manually via local-exec Provisioner.
Related
I create successfully a ServicePrincipal (SP) in AzureAD and able to do a lot of stull like {Connect to Azure, Create resource, etc...}
I need my SP to use command Get-AzNetworkServiceTag but it always return empty values.
When I try command command Get-AzNetworkServiceTag with my own account I get expected result. I believe problem come from permission and your help is very welcome to set least privilege.
My current permissions looks like:
Do you know which one should I use ?
Alternative question is what is best practices to determine permissions based on powershell command ? Although permissions could name to determine there is so many that it's difficult to choose correct one. Thanks you.
The command Get-AzNetworkServiceTag essentially calls the Azure Management REST API - Service Tags - List, it is not related to Azure AD, to solve the issue, you need to assign the Azure RBAC role(not Azure AD admin role) to your service principal.
To solve the issue, the easiest way is to assign the built-in role e.g. Reader, Contributor to your service principal at the subscription scope. But if you want to the
least privilege, your option is to create a custom role then use it, you could follow the steps below.
1.Navigate to your subscription in the portal -> Access control (IAM) -> Add -> Add custom role, follow the screenshots.
Then skip the Permissions, in the JSON, click Edit, add Microsoft.Network/*/read to actions -> Next and create it.
After creating the custom role, wait for a while, navigate to the Access control (IAM) -> add the custom role to your service principal.
In conclusion, the Microsoft.Network/*/read action permission is the least privilege in this case, after giving the role, it will work fine.
Alternative question is what is best practice to determine permissions based on powershell command?
You just need to know what does the command do, then find the operation in the Azure resource provider operations, in this case, there is no such operation like Microsoft.Network/serviceTags/read, so we need to use Microsoft.Network/*/read at least.
You are facing this issue because Powershell cmdlet works differently than compared to MS Graph. Instead of permissions, Powershell require roles to do this operations. Please add Global Administrator role to your service principle and then try the Connect-AzAccount so that, the issue will be fixed.
For more details, you may refer to Assigning administrator roles in Azure Active Directory.
New to Azure.
I was trying to use az cli in 18.04.1-Ubuntu to manage a resource group [The VM is part of the resource group]. I enabled the system managed assigned identity for the VM and also gave RBAC access of owner to the VM from the resource group IAM.
But when I try to use the az resource list -g 'resource_group_name' I get
Please run 'az login' to setup account.
After some research I figured out that the identity has to be used for first time login to get the token for the cli. As per the docs
https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/how-to-use-vm-sign-in
So basically the step is
Create an identity for the VM
Give a role to the identity from the resource that you intend the VM to manage.
Use the identity as an authenticator for the initial login using az login --identity to get the token which is valid till 90 days of inactivity.Since the identity is already related to the VM, the token is generated without passwords or usernames.
Then the VM can use the role to manage the resource.
Sharing it as this maybe useful to others
I have a script which (among many other things) creates a service principal in our corp AAD instance. Since I've collected a good number of service principals during my time here, it would be nice to distinguish them visually using a photo. Is there any way to do this via script? I've found Set-AzureADUserThumbnailPhoto but it doesn't seem to work for AAD applications.
You are looking for Set-AzureADApplicationLogo, when you use it set the logo of the AD App(app registration), its service principal(enterprise application) logo will also change.
Set-AzureADApplicationLogo -ObjectId <app-objectid> -FilePath C:\Users\joyw\Desktop\pic.jpg
We have an enterprise application in our Azure AD tenant for provisioning users to another SaaS platform. Currently it is only setup with the option "Sync only assigned users and groups" since we do not want the whole directory brought over.
My question is simple, is there a way to use the az-cli (currently have version 2.0.60 installed) to add users to that enterprise application?
I checked out the:
az ad sp
az ad app
az role assignment (seems to only work with subscriptions and resources below)
I would expect there would be a simple role assignment command to run that adds a user by upn/objectId to the enterprise application.
Everyone in my team are using Mac's and we could use PowerShellCore if that has better support.
Thanks!
If it helps, I did this using az rest. We all use Macs here and PowerShell core seems broken in a few places (doesn't support certificate-based logins and the New-AzureADUserAppRoleAssignment cmdlet didn't work for us. We were using the preview version. The Graph API docs are also quite wrong so took a bit of fiddling to get the right endpoint and payload. Example below:
az rest \
--method post \
--uri https://graph.microsoft.com/beta/users/$user/appRoleAssignments \
--body "{\"appRoleId\": \"$appRoleId\", \"principalId\": \"$user\", \"resourceId\": \"$spObjectId\"}" \
--headers "Content-Type=application/json"
Can post a sample bash script for the above that sets the vars if anyone's interested?
It seems you could not do that via Azure CLI, my workaround is to use powershell to do that.
Everyone in my team are using Mac's and we could use PowerShellCore if that has better support.
First, you need to install the AzureAD.Standard.Preview powershell module which supports powershell core, you can understand the module is an equivalent of AzureAD module in powershell core, they have the same usage, it is a preview version, for more details see this link.
Then try the command New-AzureADUserAppRoleAssignment as below, this sample assigns a user to an application with default app role id.
New-AzureADUserAppRoleAssignment -ObjectId "<user objectid>" -PrincipalId "<user objectid>" -ResourceId "<service principal objectid(i.e. Enterprise Application objectid)>" -Id ([Guid]::Empty)
Check in the portal:
If you want to assign a user to a specific app role within an application, try the command below.
$username = "<You user's UPN>"
$app_name = "<Your App's display name>"
$app_role_name = "<App role display name>"
# Get the user to assign, and the service principal for the app to assign to
$user = Get-AzureADUser -ObjectId "$username"
$sp = Get-AzureADServicePrincipal -Filter "displayName eq '$app_name'"
$appRole = $sp.AppRoles | Where-Object { $_.DisplayName -eq $app_role_name }
#Assign the user to the app role
New-AzureADUserAppRoleAssignment -ObjectId $user.ObjectId -PrincipalId $user.ObjectId -ResourceId $sp.ObjectId -Id $appRole.Id
Is it possible to create Azure AD B2C tenants programmatically (e.g. with Powershell, REST API)?
We are developing a multi-tenant SaaS solution for which we would like to create an Azure B2C tenant automatically whenever a new tenant registers.
I'm afraid currently you cannot create Azure AD using either the APIs or using PowerShell. Although you can create additional directories in a subscription you cannot create one using any automation.
You can use PowerShell AzureADPreview 2.0 module to manage custom policies, applications, etc. Although not such a complete thing like ARM Templates, but you can automate many things for now.
Full doc is here: AzureADPreview 2 docs
I had no success to install this module to "old" PowerShell (5.x) so I gave a shot to the 'new' PowerShell 7 (Core). The only issue with PowerShell 7 and AzureAD module is that Connect-AzureAD uses a cryptographic function which is not in .NET Core, so you must import the AzureADPreview module using the -UseWindowsPowerShell option.
Here is a sample, works with PowerShell 7:
Install-Module AzureADPreview
Import-Module AzureADPreview -UseWindowsPowerShell
$tenantId = "yourb2ctenant.onmicrosoft.com"
# Note: this will interactively ask your credentials.
# If you want to run this unattended, use the -Credential parameter with a PSCredential object with a SecureString
Connect-AzureAD -TenantId $tenantId
# ready to go
#list your all custom policies:
Get-AzureADMSTrustFrameworkPolicy
# upload a policy:
$policyId = "B2C_1A_TrustFrameworkBase"
$policyFileName "YourTrustFrameworkBase.xml"
Set-AzureADMSTrustFrameworkPolicy -Id $policyId -InputFilePath $policyFileName
#list your all apps
Get-AzureADApplication
# examine one of you app and get ideas
$application = Get-AzureADApplication -ObjectId af46a788-8e55-4301-b2df-xxxxxxxxx
# create an application
$applicationName = "yourappname"
$application = New-AzureADApplication -DisplayName $applicationName -PublicClient $true etc