Currently I am trying to read the ObjectId of an Active Directory Group from a GitHub Action where I am logged in with a Service Principal.
The Service Principal is a Contributor with the following additional permissions:
"Microsoft.Authorization/roleAssignments/write",
"Microsoft.Authorization/roleAssignments/read"
when running the following command with the Azure CLI:
az ad group show -g {NAME OF GROUP}
I receive the following output:
ValidationError: Insufficient privileges to complete the operation.
Error: Error: az cli script failed.
I have tried granting permission to the service principal through the Microsoft Graph API through the following permissions:
Directory.Read.All (Granted)
Group.Read.All (Granted)
However these are not sufficient to grant read permissions.
Two ways to fix the issue(the sceond one is recommended):
This command essentially calls the Azure AD Graph not Microsoft Graph, so the permission of Microsoft Graph will not take effect, what you need here is the Application permission(not Delegated permission) Directory.Read.All in Azure AD Graph.
Another way is to give the Azure AD admin role to the service principal, e.g. Directory Readers, this role's permission is less than Directory.Read.All above, and AAD Graph is a Supported legacy API, so the second way is recommended. After giving the role, wait for a while to take effect, then it will work fine.
Related
I would like to automate deployment and it requires to update settings for Azure AD Application registration.
So far I am able to :
create an Azure AD Appregistration and Service Principal with certificate (thx MS documentation)
then use command Connect-AzureAD with previous service Principal with its certificate
use command like Get-AzureADApplication -ObjectId 11111111-2222-3333-4444-555555555555
In previous bullet ObjectId 11111111-2222-3333-4444-555555555555 match with application i created on first bullet
However i am unable to execute command like:
Get-AzureADApplication -Filter "DisplayName eq '$aADApplicationame'"
and $aADApplicationame matches with application created previously
Set-AzureADApplication -ObjectId $aADApplication.ObjectId -ReplyUrls $ReplyUrls
Get-AzADServicePrincipal
I get following error message
Set-AzureADApplication : Error occurred while executing SetApplication
Code: Authorization_RequestDenied
Message: Insufficient privileges to complete the operation
Based on my research, i set up some API permissions as follow:
Unfortunately no luck and still get insufficient privilege although all permissions were granted.
Do you know if I miss something ? Is there any specific permissions i should add to make it works ?
Regards.
As mentioned by another reply, you could give the Global Administrator role to the service principal, it is correct, but the permission of Global Administrator is too large in this case, it may cause some security issues.
In this case, the commands Get-AzureADApplication and Set-AzureADApplication you used essentially call the Azure AD Graph API, so to solve the issue, a better solution is to add the permission of Azure AD Graph API, please follow the steps below.
1.Navigate to the API permissions of your AD App -> select Azure Active Directory Graph(not Microsoft Graph).
2.Select Application permissions(not Delegated permissions) -> Application.ReadWrite.All -> click Add permissions.
3.At last, click the Grant admin consent for xxx button.
After a while, try the commands again, it will work fine.
Update:
After I check the doc, I find there are already some new commands released by MS which call the Microsoft Graph, haven't seen them before.
e.g. In your case, you can use Get-AzureADMSApplication instead of Get-AzureADApplication.
Get-AzureADMSApplication -Filter "DisplayName eq 'joyttt'"
Use Set-AzureADMSApplication instead of Set-AzureADApplication.
Set-AzureADMSApplication -ObjectId <object-id> -Web #{ RedirectUris = "https://mynewapp.contoso.com/" }
For Get-AzADServicePrincipal, there is no equivalent currently, there should be one in the future. When using the commands above, the permissions of Microsoft Graph will work, no need to use Azure AD Graph, but you should use Application permission, not Delegated permission (you used the Delegated permission in your question.)
You are facing this issue because Powershell cmdlet works differently than compared to MS Graph. Instead of permissions, Powershell require roles to do this operations. Please add Global Administrator role to your service principle and then try the Connect-AzureAD so that, the issue will be fixed.
For more details, you may refer to Assigning administrator roles in Azure Active Directory.
I was also facing similar issue, make sure are doing below two things:
Set Run as account for azure automation account
In newly created app registration for azure automation account after setting Run as account, make sure you add Cloud application administrator role explicitly.
Add API permission for Application.ReadWrite.All (Microsoft graph)
In my case the app registration was showing cloud application administrator role under Roles and Administrator screen, which I thought gives the new app registration required permission but that was not the case. PowerShell script only worked after we assigned the cloud application administrator role explicitly.
In the beginning thanks for previous posts it gave a lot of inspiration according topic. Problem occurred in our case at automated bicep mechanism that is supposed to add API permissions for Microsoft Graph.
Error: Authorization_RequestDenied
Solution:
We needed to give Enterprise Application running mechanism Microsoft Graph (not Azure Active Directory Graph it will be deprecated) Application permissions:
Application.ReadWrite.All
AppRoleAssignment.ReadWrite.All
Directory.ReadWrite.All
I am trying to run a PowerShell script for assigning appRoles from a DevOps service principal.
The DevOps service principal has the following permissions assigned and admin consented:
Application.Read.All
AppRoleAssignment.ReadWrite.All
User.Read
It fails on the step where it gets the service principal which is the owner of the roles to assign:
$sp = Get-AzureADServicePrincipal -filter "displayName eq '$AppName'"
with the error message:
Error occurred while executing GetServicePrincipals
Code: Authorization_RequestDenied
Message: Insufficient privileges to complete the operation.
RequestId: a8fadf67-94d6-40ec-ad88-6562cf9f6d80
DateTimeStamp: Tue, 23 Jun 2020 16:51:36 GMT
HttpStatusCode: Forbidden
HttpStatusDescription: Forbidden
HttpResponseStatus: Completed
I expected Application.Read.All to grant this permission, since the resource I am searching for is an Application.
What permission do I need to run this line of script, and where is this documented? I am applying the principle of least-privilege and don't want to give the Devops sp an administrative role. I only want to apply the specific permission required to do the job.
I notice that you assigned a permission User.Read which only exists in Delegated permissions. So I guess the other 2 permissions Application.Read.All and AppRoleAssignment.ReadWrite.All you configured are also Delegated permissions.
But now you are run Get-AzureADServicePrincipal from a service principal, that means it needs Application permissions (no user here).
And when I track this cmd via Fiddler4, the backend request is GET https://graph.windows.net/exxxxx4e-bd27-40d5-8459-23xxxxa757fb/servicePrincipals?api-version=1.6&%24filter=displayName%20eq%20%27xxxx%27
graph.windows.net is for Azure AD Graph and graph.microsoft.com is for Microsoft Graph.
So it is calling Azure AD Graph instead of Microsoft Graph. What you need are Application permissions of Azure AD Graph.
Based on my test, Application.ReadWrite.All and Directory.Read.All can meet your needs. If you don't want the service principal to have the write permission, you can choose Directory.Read.All.
I am trying to create a new service principal using the command below using azure cli v2.0.
az ad sp create-for-rbac --name ServicePrincipalName
Changing "ServicePrincipalName" to a valid URI of "http://ServicePrincipalName", which is the required format used for service principal names
Found an existing application instance of "abcd-8f27-47cf-9976-xkkfigif5e1de". We will patch it
Insufficient privileges to complete the operation.
I am not sure what privileges the Azure Admin of my tenant should assign to my user so i can create a servicePrincipal any guidelines or document pointers please
First, you have to know what this command will do. The command az ad sp create-for-rbac --name ServicePrincipalName will create an AD App(app registration) along with a service principal in your tenant, the AD App will have an Application ID URI named http://ServicePrincipalName, a Display name named ServicePrincipalName. Then the command will add the service principal to your subscription as a Contributor.
The error you got means there is already an AD App with the Application ID URI equals http://ServicePrincipalName existing in your tenant. And you are not the Owner of the AD App. (Note: in the tenant, the Display name is not unique, but the Application ID URI is.)
To solve the issue and use this command successfully, follow the tips below.
1.Change the ServicePrincipalName to a different one. (Or if your admin allow you to use the existing AD App mentioned above, just let him add your user account as an Owner to the AD App. - not recommend)
2.If your account's User type is just a Member in the tenant. Make sure in the portal -> AAD -> User settings -> Users can register applications is Yes. If your account is a Guest , except the Users can register applications need to be Yes, also User settings -> External collaboration settings -> Guest users permissions are limited need to be No.
3.Your user account should be the Owner of the subscription. Otherwise you can create the service principal successfully, but you cannot add it to the subscription.
I have a build pipeline which deploys some ARM templates. It's a requirement for some of those resources to have role assignments for RBAC.
The service principle that the pipeline uses to connect to subscription is an owner, but if either the templates try to create role assignment resources, or I try to run az cli in the pipeline to create the assignments, there's insufficient permissions.
What permissions above owner is required to allow this?
I suppose you misunderstood the Global admin and Owner. The Global admin is an Administrator role in Azure AD, and the Owner is an RBAC role in the subscription. They are different things.
When you use the azure cli like below to create the role assignment, it adds the service principal joytestsp as an Owner to the storage account. The service principal which you login needs to call the AAD Graph to get the object first and then call the azure mangement rest api to add it to the storage account.
az role assignment create --assignee 'joytestsp' --role 'Owner' --scope '/subscriptions/xxxxxx/resourceGroups/xxx/providers/Microsoft.Storage/storageAccounts/joyfunction'
So to fix the issue, you could navigate to the Azure Active Directory in the portal -> Roles and administrators -> click the Global administrator -> Add assignments-> add your service principal which used to login as a Global administrator. Then it should work.
Besides, if you don't want to give it the Global administrator to the service principal, you can also specify the object id of the service principal/user in the command, then it will also work.
az role assignment create --assignee 'b4d3c922-xxxxxxx-3ab785333011' --role 'Owner' --scope '/subscriptions/xxxxxx/resourceGroups/xxx/providers/Microsoft.Storage/storageAccounts/joyfunction'
I have a Desktop application using ADAL to authenticate to a multi-tenanted Azure AD v1 application.
Version 1 of my application only required delegated permissions that didn't require Admin consent:
Microsoft Graph - sign in and read user profile
Skype for Business online - Create skype meetings
Version 2 now requires an additional permission, which requires Admin consent:
Microsoft Graph - Access directory as the signed in user
I've updated the Azure AD app with this permission, and granted admin consent through the Azure AD portal using an admin user homed in the same tenant as the application.
Signing in as a non-admin user who had already consented to the Version 1 permission set (also homed in the same tenant as the application), I don't see the new permission in the "scp" property of the access token I receive - so I'm assuming this means I haven't been given the new permission.
I then try and re-consent as the user, using "prompt=consent", but receive
AADSTS90094: The grant requires admin permission
Implying that admin consent has not been set - although the portal is reporting that it has been set.
From all that i've read, it looks like this should work just fine, so I'm struggling to see what's going wrong. How can I get this working?
I think this is a configuration issue. First, check that your permission type is following the 'as an application' flow.
The clue here is how you described your permission: " Access directory as the signed in user"
That sounds to me like the 'on behalf of' flow, not the 'as an application' flow.