I have registered an app under a tenant. I was using Object Id of Service Principal that was generated. I realized that the Object Id isn't working any more & when i debugged, I realized it has changed.
Im not sure when does it change. Im not finding documentation stating the scenarios when it does change. Also, is there a way to track changes to it?
objectId of a Service Principal is it's unique identifier. It should never change for the lifetime of the service principal.
So the only way you can see the objectId of a service principal changing would be that for some reason, service principal got deleted and then created again.
One possible case is a multi-tenant application where consent was already given and Service Principal got created with let's say ID1.. now if you delete the service principal and go through consent process again, service principal will be created again and hence objectId may be a new one.
Other cases could be if you're again deleting and recreating the service principal (or the application for service principal itself) through some UI or through programmatic options like PowerShell, CLI, Azure AD Graph API or Microsoft Graph API.
Related
TL;DR
To grant admin consent to a newly created single-tenant app I need to know its Service Principal Id. Is there a way of getting the Service Principal Id of a newly created app registration when it is not listed in the results from a call to the MS Graph API ServicePrincipals endpoint?
I am using the Microsoft Graph Beta SDK to add functionality that enables users of our application to create and maintain SDS Sync Profiles.
I have a multi-tenant app registration which, given user consent, enables me to create a single-tenant app registration in the user's tenant using the graphClient.Applications.Request().AddAsync({application}) method. The process I have works fine and the single-tenant app registration is created with the necessary permissions but these require admin consent. Currently I am sending users to the adminconsent endpoint: (https://login.microsoftonline.com/{tenantId}/adminconsent) where the user can grant the necessary permissions. This is also working fine but it requires the user to log in again, having already logged in once to grant consent to the multi-tenant app. This is clearly not great from a UX point of view so I would like to avoid the necessity of the user having to log in again if possible.
I came across this post: https://winsmarts.com/how-to-grant-admin-consent-to-an-api-programmatically-e32f4a100e9d which explains how to grant the admin consent programmatically . This involves creating an oAuth2PermissionGrant object with the scopes listed that admin consent is required for.
The issue I have is that in order to add the oAuth2PermissionGrant I need to know the Service Principal Id of the single-tenant app registration just created. However, when I make a call to the Graph API to list the Service Principals (graphClient.ServicePrincipals.Request().GetAsync()) the single tenant app registration is not listed, so I have no way of getting the Service Principal Id and thus cannot create the oAuth2PermissionGrant.
Once I grant admin consent to the permissions on the single-tenant app registration, either manually in Azure AD or via the adminconsent endpoint, the single-tenant app registration shows in the results from the call to ServicePrincipals endpoint.
Additionally, if I haven't granted admin consent, and just make a call to any Graph endpoint, and, when (having logged in again) the grant permissions page is shown, I don't tick the "consent for my organization" box, the permissions remain (as expected) in "require admin consent" status, however the single-tenant app registration now shows amongst the Service Principals list.
Sorry for the long question but any advice would be most appreciated.
Thanks
David.
However, when I make a call to the Graph API to list the Service Principals (graphClient.ServicePrincipals.Request().GetAsync()) the single tenant app registration is not listed, so I have no way of getting the Service Principal Id and thus cannot create the oAuth2PermissionGrant.
That's because a service principal is not created automatically when you create an application through the APIs or with PowerShell. Azure Portal creates it for you at the same time when using it for convenience, but the raw APIs don't do that. You need to create the service principal, the only mandatory parameter is the appId (your app id/client id) if I recall correctly. Here is the documentation page for that: https://learn.microsoft.com/en-us/graph/api/serviceprincipal-post-serviceprincipals?view=graph-rest-1.0&tabs=http
Once the service principal has been created, you should be able to create the oauth2PermissionGrant objects that grant the permissions you want for all users in your directory.
TL;DR
How can I delegate my user permissions to a service principal in Azure Ad when the usual interactive way (e.g. web app with consent screen popup) is not feasible? This is because I cannot configure the MSI in the Azure Portal properly to work that way.
More detail
I want to grant an application permission to access the Graph API on behalf of a user. Usually, this is a well-documented scenario in which you create an app registration, acquire delegated user permissions by asking permission for the needed scopes, and then use these permissions in the app.
The app that needs Graph access is a background service that is to work on its own without user intervention/activity. For this use case, the common approach is to use application permissions. In my case this is not feasible, because application permissions require admin-consent and are all-or-nothing kind of permissions. There is no way this will be granted for me. Rightfully so, because its overkill.
But on the other hand that's really a pity. A pity, because I've found an example on how to assign Graph API application permissions directly to a Managed Service Identity rather than to a self-registered app. And my service (as an Azure Functions app) already has a MSI assigned to it. So this would be the perfect fit, b then again, there is no way I'll get those application permissions.
So what is the workaround? We have this one user principal which has all the required permissions we need for our background service. What I want to do is to delegate this user's permissions to the Function App/MSI. In order to do this, I used this SPA-template by the MSAL team to have something that will prompt me the permissions popup.
This however failed because the implicit oauth flow was not enabled. To remedy this, you usually need to update the app manifest in the portal. However, since this is a MANAGED service identity, and not a self-registered one, the MSI is not listed in the portal under app registrations. So I cannot set this property to true.
Doing the same via Azure CLI also failed because apparently the MSI is not identified as an app.
az ad app update --oauth2-allow-implicit-flow true --id <appId_of_MSI>
This yields the following error:
ResourceNotFoundError: Resource '<appId_of_MSI>' does not exist or one of its queried reference-property objects are not present.
It shows fine when doing this
az ad sp show --id <appId_of_MSI>
So in summary: I cannot complete the process of delegating that user's permissions interactively. Is there any other way? Maybe via CLI?
The fallback the solution is to create a separate unmanaged/self-registered app identity. But I want to really avoid this because then I would need to manage and rotate client (app) credentials again, which the MSI took care of for me.
Why o why can't I just assign fine-scoped application permissions 😒
Any help on this is greatly appreciated. Cheers.
In my experience Managed Identities don't support the scenario you are suggesting.
They do not have an app registration and in that way cannot authenticate users interactively.
I would go with your fallback solution; a normal app registration and use that to access Graph API on behalf of the user.
This is what we do in our projects at least.
App permissions -> Managed Identity if possible. Delegated permissions -> normal app registration + secret/certificate in Key Vault, retrieved with Managed Identity.
I'm a newbie on GCP and going to transfer tables from azure blob storage to the cloud bucket.
I follow the instructions here (use data fusion).
When I finished deploying the pipeline and was going to run it, I got an error and in the advanced log is said
INVALID_ARGUMENT: User not authorized to act as service account '####-compute#developer.gserviceaccount.com'.
I looked through several documentation and also tried looking for answers on stackoverflow but none of them work for me.
How should I grant access to a service account and which service account should I be attached to?
Now on my IAM/service accounts console, I am also assigned as Service Account User, and I only have two default services one for compute engine and one for app engine.
Really don't know what to do. Thanks in advance for any help!
You need to grant the Service Account User role. Here is an example of that. This should be perofrmed to the current user/service account you are using to run the job. As exemplified below:
Go to the IAM & Admin Console
Click on IAM
Select the member you are using to run your job
Click on the pen icon in the right side of the member's info
Add the Service Account user role
In general terms, the error is related to the lack of Service Account user role (roles/iam.serviceAccountUser) associate to the user/service account used to run the job.
Keep in mind that service accounts are used to make authorised API calls, through the service account itself or through delegated users within it. Moreover, about impersonation service accounts, an user with particular permissions can act as another service account with the necessary permission to execute a specific job.
I am trying to set up an authenticated webhook call from an Azure Event Grid Domain subscription to a web app service in the same tenant. I am able to do everything up to a certain point which is that I am trying to tie the authentication to a specific app role in the subscribing app. Currently, the authentication works, but I cannot seem to figure out how to include a specific role in the token that gets sent to the subscribing endpoint. It may be that it's more of a generic question on setting up an enterprise app registration (which event grid uses) with a configurable role for app registrations. My issue is that I know how to do it when there's an app registration, but in this case I only have an enterprise app.
I have followed the documentation, and this article seems to try to do the same thing, but I don't want to do it in powershell as we have an Identity-responsible who is going to do the actual work as well as me wanting to understand what happens behind the scenes.
https://learn.microsoft.com/en-us/azure/event-grid/secure-webhook-delivery
Does anybody know how to set up the event grid webhook authentication so it includes a specific role (most probably an app role defined in the manifest of the subscribing app's app registration)?
You are following correct way of configuring event subscription.
The role which you wants to add in application can be done as below -
Azure Portal>>All Services>>Subscription>>Select Subscription>>IAM Role>>Add Role assignment>>1.Select the role which he need 2. Assign access to Azure AD user or Service Principal 3. Select the application >> Save.
or
If need to assign some customise role you can create the custom role as below -
https://learn.microsoft.com/bs-cyrl-ba/azure/role-based-access-control/custom-roles?toc=%2Fazure%2Fvirtual-network%2Ftoc.json
Azure Active Directory to secure the connection between your Event Subscription and your webhook endpoint.
https://github.com/MicrosoftDocs/azure-docs/blob/master/articles/event-grid/secure-webhook-delivery.md
I'm currently trying to configure Azure Ad for user provisioning in a Salesforce Sandbox. I'm using a personal dev org and a trial Azure account to make this work.
I've been able to map attributes and it works for most of them, except one. ManagerID.
I'm trying to replicate the Azure AD manager information into Salesforce's managerID field using an attribute reference. However it doesn't seem to work.
Has anyone here been completing this kind of setup previously and would be able to point me to the correct Attribute expression to be mapped/referenced on the Azure AD side?
The default mapping is from Salesforce->ManagerId to AAD->Manager, where AAD-> Manager is a reference to User.
The field in Salesforce used for matching is the FederationIdentifier, which corresponds to AAD-> User.userPrincipalName
The logic would be that if I'm doing a reference to the AAD User, I would expect AAD to fetch that manager's UPN in AAD and pass it back to the SCIM interface to be able to match it on the Salesforce side (since it's mapped to the FederationIdentifier).
I'm also trying to force the reference of "Manager" on the AAD side to pick the User.UserPrincipalName but it seems to always bring it back to User.
Anyhow, I'm a bit fishing here and wondering if there is someone with whom I can share the settings in such way that I can compare how it's been done in a successful implementation.