I create successfully a ServicePrincipal (SP) in AzureAD and able to do a lot of stull like {Connect to Azure, Create resource, etc...}
I need my SP to use command Get-AzNetworkServiceTag but it always return empty values.
When I try command command Get-AzNetworkServiceTag with my own account I get expected result. I believe problem come from permission and your help is very welcome to set least privilege.
My current permissions looks like:
Do you know which one should I use ?
Alternative question is what is best practices to determine permissions based on powershell command ? Although permissions could name to determine there is so many that it's difficult to choose correct one. Thanks you.
The command Get-AzNetworkServiceTag essentially calls the Azure Management REST API - Service Tags - List, it is not related to Azure AD, to solve the issue, you need to assign the Azure RBAC role(not Azure AD admin role) to your service principal.
To solve the issue, the easiest way is to assign the built-in role e.g. Reader, Contributor to your service principal at the subscription scope. But if you want to the
least privilege, your option is to create a custom role then use it, you could follow the steps below.
1.Navigate to your subscription in the portal -> Access control (IAM) -> Add -> Add custom role, follow the screenshots.
Then skip the Permissions, in the JSON, click Edit, add Microsoft.Network/*/read to actions -> Next and create it.
After creating the custom role, wait for a while, navigate to the Access control (IAM) -> add the custom role to your service principal.
In conclusion, the Microsoft.Network/*/read action permission is the least privilege in this case, after giving the role, it will work fine.
Alternative question is what is best practice to determine permissions based on powershell command?
You just need to know what does the command do, then find the operation in the Azure resource provider operations, in this case, there is no such operation like Microsoft.Network/serviceTags/read, so we need to use Microsoft.Network/*/read at least.
You are facing this issue because Powershell cmdlet works differently than compared to MS Graph. Instead of permissions, Powershell require roles to do this operations. Please add Global Administrator role to your service principle and then try the Connect-AzAccount so that, the issue will be fixed.
For more details, you may refer to Assigning administrator roles in Azure Active Directory.
Related
I need some help understanding the behavior of AD and the security around it.
In a nutshell I have a requirement to automate just in time elevation to certain privileged groups, where Domain Admins is one of the groups we need to add membership to.
Here is a summary on the way I set things up
I created a new group called DomainAdminJit which is a member of "Domain Admins", I add a service account as a delegate to DomainAdminJit to modify membership where I expect to add users to this group instead of the domain admin group directly, for organization purposes mainly.
This works fine but a few minutes later all permissions are to the service account are being stripped, researching this turms out to be done because the AdminSDHolder is reverting those permissions.
My initial reaction was to add the service account with write properties and write permissions to the AdminSDHolder container, but somehow that doesn't work.
I do see the service account now at the DomainAdminsJit group however I get insufficient rights when attempting to add a user to the DomainAdminsJit using that service account.
What am I missing and how do I ensure that service account is always able to add members to a group that is a member of Domain admins and not have the permissions revert?
Your help would greatly be appreciated
Thank you
I am trying to remove the assigement for a particular object id.Below is the error I am getting.
I am attaching my service principal access level in AD.
When I am trying to exectute the same command using devops pipline I am getting different errror.
To remove the access what is the permission is required to my service prinicpal in API permission
section only read can work ? and why I am geeting the clould.execption errror. Any advice.
I can reproduce your issue, the command Remove-AzRoleAssignment will call the Azure AD Graph to validate the $objectid you passed, so you need give the Application permission Directory.Read.All of Azure AD Graph(not Microsoft Graph,not Delegated permission).
After adding the permission, there is some delay(30m - 1h), then test the command, it works. (I test in local, the same in cloud shell)
Note: Except the permission in Azure AD, your service principal also need to have the permission in the subscription/specific resource scope, e.g. the servcie principal is the Owner/User Access Admin role in the Access control (IAM) of the subscription/specific resource scope(in your case, the storage account). If the service principal does not have the role, please add it as below.
In Azure Devops, you don't need to login with Connect-AzAccount(Actually in cloud shell, you also don’t need to login, but if you want to do so, it's also ok), it will login automatically with the service principal related to the service connection(Task version >= 4.*).
So please make sure the secret of your service principal is correct and the connection was verified. To run Remove-AzRoleAssignment, also add the permission above for the App Registration related to the service connection.
Then test it, it works.
Joy Wang is correct, but I would like to add that, you shouldn't give a service principal owner to the entire subscription if its not absolutely needed. its a security consideration.
The better way would be to create a custom role in the subscription with only the permissions you need. in this case, some of the permissions you'll need to get it to work in the custom role are:
"Microsoft.Management/managementGroups/read"
"Microsoft.Authorization/roleAssignments/*"
"Microsoft.Authorization/roleDefinitions/*"
Also, I tried to run get-azroleassignment without directory.read.all with a service principal, and it works as long as you have the role permissions assigned in the subscription. that leads me to believe the powershell get-add-remove-azroleassignment does not use the graph api permissions at all.
Update
As joy stated, its possible that the custom role may be useless as it could technically give itself ownership, however, here is proof that you dont need api graph permissions for the service principal to do this:
Update2:
proof that removing the subscription rule, and only having api permissions does not work, it can only get the role assignments for itself, (the service principal itself) nothing else.
I am added to project collection administrator group in VSTS. Still not able to add a new user. I am added using my official email ID i.e. Microsoft work account.
Its says
Guest users are not allowed to perform this action.
I saw the reason on this link
I believe the primary reason for this error is because when a co-admin
with Microsoft account is added to a subscription, it gets added into
the subscription AD as Guest user type.
but since it is very old thread i like to know if there is an easy way to get myself ability to add new user or basically manage VSTS on behalf of client. I hate requesting client to add a new user in team. Also he is not tech savvy so I would like suggest him a simple solution (running Powershell might be annoying for him).
You are inviting users from outside directory. The user will be able to access the account and its resources, so you need the enough permission to add new user to the AD, but you are the Guest user, so it throws Guest Users are not allowed to perform this action.
You need to contact to the corresponding user (e.g. AD admin) to add users to AD or grant the enough role and permission to you to add user to AD.
No easy way to do this, because it is related to security.
I need to give users access to edit specific Azure Logic App workflows. I find I can support this with the Logic App Contributor role. At times, I have workflows that contain an XML Validation action. I do want users to be able to edit business rules before and after that action, and even configure the action such as selecting a different XSD. However, I do not want them to be able to configure the Integration account that supports the XML Validation action, or even have a read-only view to the Integration account. When I have such an action, a would-be editor is blocked with the error:
it does not have permission to perform action 'Microsoft.Logic/integrationAccounts/join/action' on the linked scope(s)
Is there a way to apply roles so that a user can edit such a workflow with no direct access to the Integration Account?
You should be able to configure a custom role that matches your scenario.
Essentially you would grant the user the following permissions
Microsoft.Logic/workflows/*
Microsoft.Logic/integrationAccounts/join/action
The Microsoft.Logic/integrationAccounts/join/action perimssion allows the user to modify a logic app linked with an integration account, but does not grant any permissions on the integration account itself (the user would need Microsoft.Logic/integrationAccounts/* for that)
You can restrict the Microsoft.Logic/workflows/* permission further (e.g. by scoping it down to write action only).
As mentioned by #SzymonWylezol, MS made a change on its end and the error no longer occurs. In the case where the IA in a separate Resource Group than the Workflow, I find the user must be given the join action permission on the IA, in that Resource Group.
I have an Azure Active Directory (AAD) set up in my Azure subscription associated with an email address of mine, which we'll call A.
Some time later, I updated my Microsoft Account to use a new email address B as the primary email address, with A being associated with it still so it can still be used and the two email addresses treated as being one.
In AAD there is one user, whose user Id is A which appears not to be able to be changed as it is greyed-out. Attempting to add B fails with the error: You cannot add yourself.
Is there a way I can force the user name of the AAD user to be B instead of A?
The reason I ask is because I am trying to setup an Azure Key Vault in my subscription as it appears to be failing because whether or not I sign in as A or B in Azure Powershell, I am always signed in as B. This then causes this error message, which I appear to be unable to work around:
New-AzureKeyVault : Cannot find the Active Directory object 'B' in tenant
'{Tenant Id}'. Please make sure that the user or application service principal you are
authorizing is registered in the current subscription's Azure Active directory. The TenantID displayed by the cmdlet
'get-AzureSubscription -current' is the current subscription's Azure Active directory.
Can you check that you are using the latest bits for Key Vault PowerShell?
I talked with some folks internally and we believe that an experience like this may be expected if you are using an older version of the PowerShell CMDLETs, but the lastest version should be update to date and not run into the issue you are having.
If you find that you still hit this issue after upgrading, we may have a bug on our side that we should fix.
In that case, my suggestion is for you to create a new Admin User. Then delete the old Admin Account (you may need to Transfer Onwership of your AAD Subscription to the new Admin), and then recreate your account, which will pull the lastest information from that user.
However, I only reccommend trying this after having updated the PowerShell bits.
Please let us know if either of these methods resolves your issues.
Thanks,
Shawn Tabrizi