Develop Reference

Can we use Graph API delegated permission for Azure Data Factory?

I am trying to get "/groups" endpoint of Microsoft Graph API in my tenants via Azure Data Factory. I have given "Delegated permission" for my service principal. To my knowledge, when there is no user to act on behalf of, we should use "Application permission".
However, organization requirement does not allow me to use Application permission.
Therefore, when I try to execute my pipeline, I get "insufficient privileges to complete the operation."
Can this be the reason because ADF does not allow to use delegated permissions as there is no user to act on behalf of?

I tried to reproduce the same in my environment to get groups endpoint using graph api from ADF
And got same error:
Insufficient privileges to complete the operation
Make sure you have Microsoft graph permissions to query groups and users.
The user here do not has Data Factory contributor role .
Or make sure you ADF has proper access to the resources .So give it contributor role
And if your are using storage account to store the rest response, make sure user , app or group has Storage blob data contributor role.
Reference:
Copy and transform data from and to a REST endpoint - Azure Data Factory & Azure Synapse | Microsoft Learn

Difference between "System Assigned" Identity and App Registration "Service Principal"

Can someone help me understand the difference between the Service Principal created when I create an App Registration in AAD and the Managed Identity that gets created when I enable "System Assigned" on the Identity blade of an App Service?
We have an App Service that we are developing that we have created an App Registration for and we have also enabled the System Assigned identity. When we go into Enterprise Applications under AAD and search for our app, it comes up with 2 entries. One for the Managed Identity and one for the Service Principal created as part of the App Registration. We are trying to understand which one we would use to give the app permissions to write to an Azure SQL DB.

Managed Identities are essentially service principals wrapped with Microsoft logic to make accessing resources simpler. Although, sometimes adding more layers may complicate things, the idea is to make it easier, simpler, and less consumer interactive.
For your scenario, you'll want to think about what you would like to do. Would you like to have more control and implement your own logic with an Azure SQL DB protected by AAD, or try utilizing Microsoft's Managed Identity to protect/access the Azure SQL DB resource. (Ideally the Managed Identity path should be less work)
The tutorial for using Managed Identities to access an azure SQL db from an app service can be found here :
https://learn.microsoft.com/en-us/azure/app-service/app-service-web-tutorial-connect-msi
The docs for protecting an Azure SQL DB using Azure AD can be found here :
https://learn.microsoft.com/en-us/azure/sql-database/sql-database-aad-authentication
Furthermore Managed Identities are explained in the official Microsoft documentation here :
https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview
It's important to note that there are two kinds of Managed Identities.
From the documentation:
A system-assigned managed identity is enabled directly on an Azure
service instance. When the identity is enabled, Azure creates an
identity for the instance in the Azure AD tenant that's trusted by the
subscription of the instance. After the identity is created, the
credentials are provisioned onto the instance. The lifecycle of a
system-assigned identity is directly tied to the Azure service
instance that it's enabled on. If the instance is deleted, Azure
automatically cleans up the credentials and the identity in Azure AD.
A user-assigned managed identity is created as a standalone Azure
resource. Through a create process, Azure creates an identity in the
Azure AD tenant that's trusted by the subscription in use. After the
identity is created, the identity can be assigned to one or more Azure
service instances. The lifecycle of a user-assigned identity is
managed separately from the lifecycle of the Azure service instances
to which it's assigned.
The picture from the official docs also gives a good example of a VM using MSI(Managed Service Identity).
This is Provided below:
In addition to that, the App Service Managed Identity documentation can be found here :
https://learn.microsoft.com/en-us/azure/app-service/overview-managed-identity

I would like to elaborate a little further as the topic around service principals and app registrations in Azure can be confusing.
As you noticed, a service principal will get created in your AAD tenant when you turn on system-assigned managed identity for a resource in Azure. This service principal is tied to the lifecycle of your resource or in other words: If you delete your App Service, Azure will delete the service principal for you [2].
Beside service principals, there are other object types that live inside a tenant: User principals and application objects. As the name suggests, user principals identify a user while a service principal can be used to either identify a resource in Azure or an application object. To both types of principals you can assign roles, as you mentioned you can create a new user in your database and use the system-assigned identity (Service Principal 1 in the image below) to let Azure SQL know that your App Service has permissions to access the database [3]. This is marked in red in the image.
When you create an app registration, two objects are created: An application object and a service principal in your tenant (this is "Service Principal 2") [4]. You could now use this service principal as well to give it permissions to access the database (marked in orange in the image) but this service principal is not tied to your Azure App Service and doesn't represent it. In other words, if you want to use Service Principal 2 in your App Service, beside creating a user for this service principal in your database you'd additionally also need to get an access token for this service principal whenever you create a new SQL connection to the database in your application. It's possible but a bit more inconvenient and the beauty of using system-assigned identities is that your App Service knows about its service principal already and you don't have to manage it on your own (e.g., delete it when your App Service gets deleted).
Long story short: Use the system-assigned managed identity in your use case.
[2] https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview#managed-identity-types
[3] https://learn.microsoft.com/en-us/azure/app-service/app-service-web-tutorial-connect-msi#grant-permissions-to-managed-identity
[4] https://learn.microsoft.com/en-us/azure/active-directory/develop/app-objects-and-service-principals

You can only use the managed identity that you have enabled in your App Service for authentication to AAD which eventually allows you to access your Azure SQL instance based on roles/permissions. I'd tried using the service principal/Enterprise Application created as part of App Registration process for authentication and it didn't work.
The way I see it is that the App Service is what runs/hosts your application and only this managed identity/SP is available to your running application for authentication to AAD.
The Service principal/Enterprise Application is being used internally for some other purpose and, it is not available to our application for authentication to AAD.

Just a wee note. App Registration may live without Service Principal. App Registration may represent an application that is consumed, not necessarily the consumer.

Managed Identity is solely a client-based identity.
E.g. Your App Service is acting as a client, when accessing Azure SQL. In this case you don't need an app registration and its service principal at all. You will only need a Managed Identity (which is a Service Principal).
When your App Service (A) is opposed to access another App Service (B) then again your App Service (A) does not need an app registration. But App Service B needs to have an app registration.
Imo when you want to use the credential-less approach in Azure, an app registration is acting as the server part and a Managed Identity (system - or user-assigned) is considered to be the client part.

Refer applicationID of Azure AD Service principal

when an application is registered to Azure AD via consent, a service principal is created. The application object resides in another tenant.
From my understanding, the applicationID refers back to the application object.
When the application object resides in another tenant, is it possible to find out in which tenant based on the applicationID? Or may there is another value on a service principal which is an indicator where the application object resides (if its not an app registration).
BR
Thomas

Yes, you can. But you need to make sure the service principal is in your tenant.
Navigate to the Azure Active Directory-> Enterprise applications in the portal. Search for the APPLICATION ID (select the Application Type with All Applications option), then you will find the service principal, copy the OBJECT ID.
Then navigate to the MS Graph Explorer, call the MS Graph API : Get servicePrincipal as below, in the result you could find the "appOwnerOrganizationId": "xxxxxxxx","publisherName": "Organization name" which is the tenant id and name you are looking for.
GET https://graph.microsoft.com/beta/servicePrincipals/{OBJECT ID}

Application's Service Principal added to a Group within User Assignment receiving AADSTS50105 error

Using Azure Active Director PowerShell, I added an Application's Service Principal to an Azure Active Directory Group. This group was then added to User Assignment. When users attempt to access this Application via the User Assignment, they receive the following error:
AADSTS50105: Application 'D246xxxx-xxxx-xxxx-xxxx-xxxxxx35926B'
is not assigned to a role for the application '85cdxxxx-xxxx-xxxx-xxxx-xxxxxxb879eb'
Is this possible? I know that if I add the Application's Service Principal directly to the User Assignment, it works. It just will not work for the Application's Service Principal if it is assigned via a Group.

can a non-dbo sql server user create a queue in service broker?

we have an application being developed where it is running as the AD user connecting to a service broker enabled SQL Server 2008 database.
We are having trouble granting the right permissions to get the app to work for the specific user,
(the app creates/deletes queues during its operation) unless we make that user a member of dbo for the database being used for the service broker application.
Is this the only way we can get the app to work, put each user as a member of dbo in the database?
Granting CREATE QUEUE/SERVICE TO user and SELECT on the specfic tables doesnt seem to be enough.
thanks

Due to the distributed nature of Service Broker, queues and services should be long lived objects. An application that creates and drops queues and services is very unlikely to act correctly.
That being said, the required permission is RECEIVE to operate on a queue (BEGIN CONVERSATION/SEND/RECEIVE). The user that created a queue is the queue owner and has this permission implicitly. To deliver messages to a target service the initiator service must have SEND permission, but be carefull that identity is established using Service Broker dialog security which is based on certificates. Note though that * within a SQL Server instance* the Service Broker conversation security model will emulate the familiar model of user-id (ie. no certificates are required to establish identity), but is subject to EXECUTE AS context.
If you can be more specific about which operation fails, we can be more specific about what permission is required.

Create separate schema per user and make the user the owner of that schema. Service broker will create the sprocs and queues in the default schema of the user. This post on how to setup service broker permissions may help you: http://kreelbits.blogspot.com/2014/10/microsoft-sql-useful-database-role-for.html