Can't Create Role Assignment in Pipeline with Owner Service Principle - azure-active-directory

I have a build pipeline which deploys some ARM templates. It's a requirement for some of those resources to have role assignments for RBAC.
The service principle that the pipeline uses to connect to subscription is an owner, but if either the templates try to create role assignment resources, or I try to run az cli in the pipeline to create the assignments, there's insufficient permissions.
What permissions above owner is required to allow this?

I suppose you misunderstood the Global admin and Owner. The Global admin is an Administrator role in Azure AD, and the Owner is an RBAC role in the subscription. They are different things.
When you use the azure cli like below to create the role assignment, it adds the service principal joytestsp as an Owner to the storage account. The service principal which you login needs to call the AAD Graph to get the object first and then call the azure mangement rest api to add it to the storage account.
az role assignment create --assignee 'joytestsp' --role 'Owner' --scope '/subscriptions/xxxxxx/resourceGroups/xxx/providers/Microsoft.Storage/storageAccounts/joyfunction'
So to fix the issue, you could navigate to the Azure Active Directory in the portal -> Roles and administrators -> click the Global administrator -> Add assignments-> add your service principal which used to login as a Global administrator. Then it should work.
Besides, if you don't want to give it the Global administrator to the service principal, you can also specify the object id of the service principal/user in the command, then it will also work.
az role assignment create --assignee 'b4d3c922-xxxxxxx-3ab785333011' --role 'Owner' --scope '/subscriptions/xxxxxx/resourceGroups/xxx/providers/Microsoft.Storage/storageAccounts/joyfunction'

Related

Not able to access any tabs in AAD

I'm not able to access any tabs in AAD. What could be the issue?
Please check if below points can be worked around in your case.
Buttions or options being greyed out maybe because , you may not have had global admin rights/user administrator rights on the azure AD tenant. There are a few roles which can create users within the directory. You may not have any roles within the directory which permit the operations.
Reference: github issue.
Even in Azure AD free edition ,one should be able to create the users if you have proper roles .
On completion of the first 30 days of Microsoft Azure’s free trial,
your ‘Free Trial’ Azure Subscription will be disabled. To fix this,
the subscription needs to be changed to the ‘Pay-As-You-Go’ plan
instead of the ‘Free Trial’ plan which it is currently on.
For example :For applications under Enterprise application, one of the following roles: Global Administrator, Cloud Application
Administrator, Application Administrator, or owner of the service
principal.
You can check Azure AD built-in roles, and by checking the
description of role , assign the required one to manage identity .
You can Assign Azure AD roles to users to manage the identities
if you have global or role administrator rights. Approach the
admin to assign the roles .Also see custom roles in Azure AD
if needed.
Please check if this issue in - Microsoft Q&A can relate .
If issue still remains you can raise a support request in troubleshoot+support blade.

How to grant a Service Principal read access to the Active Directory Groups?

Currently I am trying to read the ObjectId of an Active Directory Group from a GitHub Action where I am logged in with a Service Principal.
The Service Principal is a Contributor with the following additional permissions:
"Microsoft.Authorization/roleAssignments/write",
"Microsoft.Authorization/roleAssignments/read"
when running the following command with the Azure CLI:
az ad group show -g {NAME OF GROUP}
I receive the following output:
ValidationError: Insufficient privileges to complete the operation.
Error: Error: az cli script failed.
I have tried granting permission to the service principal through the Microsoft Graph API through the following permissions:
Directory.Read.All (Granted)
Group.Read.All (Granted)
However these are not sufficient to grant read permissions.
Two ways to fix the issue(the sceond one is recommended):
This command essentially calls the Azure AD Graph not Microsoft Graph, so the permission of Microsoft Graph will not take effect, what you need here is the Application permission(not Delegated permission) Directory.Read.All in Azure AD Graph.
Another way is to give the Azure AD admin role to the service principal, e.g. Directory Readers, this role's permission is less than Directory.Read.All above, and AAD Graph is a Supported legacy API, so the second way is recommended. After giving the role, wait for a while to take effect, then it will work fine.

Google Cloud Platform (GCP): How to give additional roles to service account?

How can I give additional roles to the default Google App Engine (GAE) service account:
Specifically, I want to give "Cloud SQL client" role to the default app engine service account. When I try to modify the role I get this message:
As it was answered in the comment section by #John Hanley, to add roles to a service account, go to IAM & Admin -> IAM, find your service account in the table and edit it to grant necessary roles.
In addition, please have a look st the documentation Understanding service accounts section Granting access to service accounts:
Granting access to a service account to access a resource is similar
to granting access to any other identity. For example, if you have an
application running on Compute Engine and you want the application to
only have access to create objects in Cloud Storage. You can create a service account for the application and grant it the Storage Object
Creator role.
Learn about Granting roles to all types of members, including
service accounts.

Azure create servicePrincipal results in Insufficient privileges to complete the operation

I am trying to create a new service principal using the command below using azure cli v2.0.
az ad sp create-for-rbac --name ServicePrincipalName
Changing "ServicePrincipalName" to a valid URI of "http://ServicePrincipalName", which is the required format used for service principal names
Found an existing application instance of "abcd-8f27-47cf-9976-xkkfigif5e1de". We will patch it
Insufficient privileges to complete the operation.
I am not sure what privileges the Azure Admin of my tenant should assign to my user so i can create a servicePrincipal any guidelines or document pointers please
First, you have to know what this command will do. The command az ad sp create-for-rbac --name ServicePrincipalName will create an AD App(app registration) along with a service principal in your tenant, the AD App will have an Application ID URI named http://ServicePrincipalName, a Display name named ServicePrincipalName. Then the command will add the service principal to your subscription as a Contributor.
The error you got means there is already an AD App with the Application ID URI equals http://ServicePrincipalName existing in your tenant. And you are not the Owner of the AD App. (Note: in the tenant, the Display name is not unique, but the Application ID URI is.)
To solve the issue and use this command successfully, follow the tips below.
1.Change the ServicePrincipalName to a different one. (Or if your admin allow you to use the existing AD App mentioned above, just let him add your user account as an Owner to the AD App. - not recommend)
2.If your account's User type is just a Member in the tenant. Make sure in the portal -> AAD -> User settings -> Users can register applications is Yes. If your account is a Guest , except the Users can register applications need to be Yes, also User settings -> External collaboration settings -> Guest users permissions are limited need to be No.
3.Your user account should be the Owner of the subscription. Otherwise you can create the service principal successfully, but you cannot add it to the subscription.

modify permissions of global administrator using graph explorer

I used Graph explorer->Logged in with Global administrator -> Modify Permissions-> chose User.ReadWriteAll,Group.ReadWriteAll,Directory.AccessAsUser.All and then select "access to your entire organization" and logged in again with global administrator
I get below error.
Selected user account does not exist in tenant 'Microsoft' and cannot
access the application 'de8bc8b5-d9f9-48b1-a8ad-b748da725064' in that
tenant. The account needs to be added as an external user in the
tenant first. Please use a different account.
How can I add permissions to global administrator user?
Since your account is a guest in the tenant, you could not use the account to query the tenant, even if you are a global admin.
For more details, refer to this post.
Credentials are only owned by a single tenant. The tenant is discovered by Graph Explorer based on domain. You cannot use Graph Explorer to query tenants your account is a guest on, it can only query the tenant that owns the account. The only way to use those creds with another tenant would be to force the OAuth uri to use that tenants ID instead of "common". This isn't supported by Explorer. You'd have to download the source an reengineer the auth process

Resources