What are the required permissions for Get-AzureADServicePrincipal? - azure-active-directory

I am trying to run a PowerShell script for assigning appRoles from a DevOps service principal.
The DevOps service principal has the following permissions assigned and admin consented:
Application.Read.All
AppRoleAssignment.ReadWrite.All
User.Read
It fails on the step where it gets the service principal which is the owner of the roles to assign:
$sp = Get-AzureADServicePrincipal -filter "displayName eq '$AppName'"
with the error message:
Error occurred while executing GetServicePrincipals
Code: Authorization_RequestDenied
Message: Insufficient privileges to complete the operation.
RequestId: a8fadf67-94d6-40ec-ad88-6562cf9f6d80
DateTimeStamp: Tue, 23 Jun 2020 16:51:36 GMT
HttpStatusCode: Forbidden
HttpStatusDescription: Forbidden
HttpResponseStatus: Completed
I expected Application.Read.All to grant this permission, since the resource I am searching for is an Application.
What permission do I need to run this line of script, and where is this documented? I am applying the principle of least-privilege and don't want to give the Devops sp an administrative role. I only want to apply the specific permission required to do the job.

I notice that you assigned a permission User.Read which only exists in Delegated permissions. So I guess the other 2 permissions Application.Read.All and AppRoleAssignment.ReadWrite.All you configured are also Delegated permissions.
But now you are run Get-AzureADServicePrincipal from a service principal, that means it needs Application permissions (no user here).
And when I track this cmd via Fiddler4, the backend request is GET https://graph.windows.net/exxxxx4e-bd27-40d5-8459-23xxxxa757fb/servicePrincipals?api-version=1.6&%24filter=displayName%20eq%20%27xxxx%27
graph.windows.net is for Azure AD Graph and graph.microsoft.com is for Microsoft Graph.
So it is calling Azure AD Graph instead of Microsoft Graph. What you need are Application permissions of Azure AD Graph.
Based on my test, Application.ReadWrite.All and Directory.Read.All can meet your needs. If you don't want the service principal to have the write permission, you can choose Directory.Read.All.

Related

Graph API permission in Azure AD

As per MS article only GroupMember.Read.All permission is required to list the group owner. I assigned this API permission to my Azure AD application. however, when I run the below query it throws the 403 error. It works without "$expand=owners" parameter
https://graph.microsoft.com/v1.0/groups?`$expand=owners
Error
Invoke-RestMethod : The remote server returned an error: (403) Forbidden.
Also, the above graph query works if assign Group.Read.All permission. But I don't want to assign this permission it will allow the application to read calendars, conversations, files, and other group content of all groups.
Please note that we have more than 2 million groups in Azure AD. So running two separate queries for the group and owner will be very time-consuming.
I tried to reproduce the same in my environment by granting GroupMember.Read.All permission and got the 403 error like below:
https://graph.microsoft.com/v1.0/groups?$expand=owners
Response:
Using GroupMember.Read.All permission, you cannot expand the owners($expand=owners) but can list the owner of specific group like below:
https://graph.microsoft.com/v1.0/groups/GroupID/owners
Response:
Please note that you must need Group.Read.All permission to expand owners($expand=owners) that includes owners of all groups in response.
https://graph.microsoft.com/v1.0/groups?$expand=owners
After granting Group.Read.All permission, got the response successfully like below:
Response:
References:
Use query parameters to customize responses - Microsoft Graph | Microsoft Docs

Insufficient prvileges for Revoke-AzureADUserAllRefreshToken

I am trying to revoke the refresh tokens of a specific user (my own) in AzureAD to force a completely new logon to an applicaiton.
As there is no UI option for this in the Azure Portal (there actually is -> see in one of the anwers) I am using the 'Windows Terminal's 'Azure Cloud Shell' option as follows directly from the built-in Azure Cloud shell:
Connect-AzureAD
PS /home/...> Revoke-AzureADUserAllRefreshToken -ObjectId "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
The GUID I pass in the parameteter is the object ID of my user.
Unfortunately this fails due to a permission issue:
Revoke-AzureADUserAllRefreshToken: Error occurred while executing RevokeUserAllRefreshTokens
Code: Authorization_RequestDenied
Message: Access to invalidate refresh tokens operation is denied.
RequestId: fd5f5256-3909-46af-b709-8068e0744f25
DateTimeStamp: Mon, 09 Aug 2021 16:56:28 GMT
HttpStatusCode: Forbidden
HttpStatusDescription: Forbidden
HttpResponseStatus: Completed
If I try to execute the same in the Cloud Shell within the azure portal, the result is the same.
If I use a 'classic' PowerShell, then it works. So apparently something is missing with the authentication of the Cloud Shell.
When I log in I get to select the right tenant, and my read access e.g. to the user list works perfectly.
I have no more clues what I would be missing:
I am Owner of the subscription in the azure role assignments
I do have the Global Administrator role assigned in AzureAD
Is there some special command to 'elevate' the permissions?
I tried to reproduce the issue on my Azure AD tenant , but unfortunately I didn’t receive the error you are getting .
Note: Make sure you connect with AD with your Global Admin account i.e. admin#domainname.onmicrosoft.com or username_outlook.com#EXT##domainname.onmicrosoft.com, so that you see the correct details in every column in the above red box.
Other options :
From Portal you can go to the user profile and click on revoke
sessions .
Using Graph Explorer you can revoke signin Sessions.
Post https://graph.microsoft.com/v1.0//users/UserObjectID/revokeSignInSessions
Reference:
user: revokeSignInSessions - Microsoft Graph v1.0 | Microsoft Docs

How to grant a Service Principal read access to the Active Directory Groups?

Currently I am trying to read the ObjectId of an Active Directory Group from a GitHub Action where I am logged in with a Service Principal.
The Service Principal is a Contributor with the following additional permissions:
"Microsoft.Authorization/roleAssignments/write",
"Microsoft.Authorization/roleAssignments/read"
when running the following command with the Azure CLI:
az ad group show -g {NAME OF GROUP}
I receive the following output:
ValidationError: Insufficient privileges to complete the operation.
Error: Error: az cli script failed.
I have tried granting permission to the service principal through the Microsoft Graph API through the following permissions:
Directory.Read.All (Granted)
Group.Read.All (Granted)
However these are not sufficient to grant read permissions.
Two ways to fix the issue(the sceond one is recommended):
This command essentially calls the Azure AD Graph not Microsoft Graph, so the permission of Microsoft Graph will not take effect, what you need here is the Application permission(not Delegated permission) Directory.Read.All in Azure AD Graph.
Another way is to give the Azure AD admin role to the service principal, e.g. Directory Readers, this role's permission is less than Directory.Read.All above, and AAD Graph is a Supported legacy API, so the second way is recommended. After giving the role, wait for a while to take effect, then it will work fine.

Insufficient privilege for operation like Get-AzureADApplication and Set-AzureADApplication

I would like to automate deployment and it requires to update settings for Azure AD Application registration.
So far I am able to :
create an Azure AD Appregistration and Service Principal with certificate (thx MS documentation)
then use command Connect-AzureAD with previous service Principal with its certificate
use command like Get-AzureADApplication -ObjectId 11111111-2222-3333-4444-555555555555
In previous bullet ObjectId 11111111-2222-3333-4444-555555555555 match with application i created on first bullet
However i am unable to execute command like:
Get-AzureADApplication -Filter "DisplayName eq '$aADApplicationame'"
and $aADApplicationame matches with application created previously
Set-AzureADApplication -ObjectId $aADApplication.ObjectId -ReplyUrls $ReplyUrls
Get-AzADServicePrincipal
I get following error message
Set-AzureADApplication : Error occurred while executing SetApplication
Code: Authorization_RequestDenied
Message: Insufficient privileges to complete the operation
Based on my research, i set up some API permissions as follow:
Unfortunately no luck and still get insufficient privilege although all permissions were granted.
Do you know if I miss something ? Is there any specific permissions i should add to make it works ?
Regards.
As mentioned by another reply, you could give the Global Administrator role to the service principal, it is correct, but the permission of Global Administrator is too large in this case, it may cause some security issues.
In this case, the commands Get-AzureADApplication and Set-AzureADApplication you used essentially call the Azure AD Graph API, so to solve the issue, a better solution is to add the permission of Azure AD Graph API, please follow the steps below.
1.Navigate to the API permissions of your AD App -> select Azure Active Directory Graph(not Microsoft Graph).
2.Select Application permissions(not Delegated permissions) -> Application.ReadWrite.All -> click Add permissions.
3.At last, click the Grant admin consent for xxx button.
After a while, try the commands again, it will work fine.
Update:
After I check the doc, I find there are already some new commands released by MS which call the Microsoft Graph, haven't seen them before.
e.g. In your case, you can use Get-AzureADMSApplication instead of Get-AzureADApplication.
Get-AzureADMSApplication -Filter "DisplayName eq 'joyttt'"
Use Set-AzureADMSApplication instead of Set-AzureADApplication.
Set-AzureADMSApplication -ObjectId <object-id> -Web #{ RedirectUris = "https://mynewapp.contoso.com/" }
For Get-AzADServicePrincipal, there is no equivalent currently, there should be one in the future. When using the commands above, the permissions of Microsoft Graph will work, no need to use Azure AD Graph, but you should use Application permission, not Delegated permission (you used the Delegated permission in your question.)
You are facing this issue because Powershell cmdlet works differently than compared to MS Graph. Instead of permissions, Powershell require roles to do this operations. Please add Global Administrator role to your service principle and then try the Connect-AzureAD so that, the issue will be fixed.
For more details, you may refer to Assigning administrator roles in Azure Active Directory.
I was also facing similar issue, make sure are doing below two things:
Set Run as account for azure automation account
In newly created app registration for azure automation account after setting Run as account, make sure you add Cloud application administrator role explicitly.
Add API permission for Application.ReadWrite.All (Microsoft graph)
In my case the app registration was showing cloud application administrator role under Roles and Administrator screen, which I thought gives the new app registration required permission but that was not the case. PowerShell script only worked after we assigned the cloud application administrator role explicitly.
In the beginning thanks for previous posts it gave a lot of inspiration according topic. Problem occurred in our case at automated bicep mechanism that is supposed to add API permissions for Microsoft Graph.
Error: Authorization_RequestDenied
Solution:
We needed to give Enterprise Application running mechanism Microsoft Graph (not Azure Active Directory Graph it will be deprecated) Application permissions:
Application.ReadWrite.All
AppRoleAssignment.ReadWrite.All
Directory.ReadWrite.All

Access denied error while adding certificate credential to Azure AD Application

I am adding a certificate credential to a registered application on an Azure AD tenant by executing following commands:
connect-msolservice
$cer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate
$cer.Import("<Cert path>")
$binCert = $cer.GetRawCertData()
$credValue = [System.Convert]::ToBase64String($binCert);
New-MsolServicePrincipalCredential -AppPrincipalId "<AppID>" -Type asymmetric -Value $credValue -Usage verify
These commands are taken from this sample . I am signing with the account of a user on the directory. However, the last command is throwing an exception of 'Access Denied. You do not have permissions to call this
cmdlet'. According to the documentation, it is not mentioned if this command execution requires to be from an administrator account. If i change the user role to be service/global administrator on the Azure AD, the command succeeds. Interestingly, I am able to execute the command on a different Azure AD, where the account is just an user. Is there anything else in play here? Can a user account be given permission to execute this cmdlet?
Probably you have reached your subscription limit or your subscription has expired.
you need to follow up with ms team. This is not a code issue.

Resources