assign permission to group managed service account - active-directory

I have been advised that it is better to run a scheduled task as a Group Managed Service Account (gMSA) rather than as a domain user account. I can find plenty of information about how to create the gMSA, and how to configure the scheduled task to run as that gMSA, but all of the tutorials and training I have found stop there. I can't find any information on how to assign permission to that gMSA.
For example, a scheduled task needs permission to write to a folder. Normally, if the scheduled task is running as a domain user, I would go into the properties for that folder and set the security so that the domain user has write permission. But I am finding that I cannot give a gMSA permission in the same way.
What am I misunderstanding about gMSAs?

I have not found a way to assign permissions to a gMSA directly on the file system. My workaround is to add the gMSA account to an AD group and then assign permissions to the group.
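A worked version of that workaround in PowerShell, added here as an example (it is not code from either post). The gMSA, group and folder names are placeholders; it assumes the RSAT ActiveDirectory module and that the folder lives on a machine in the same domain.

```powershell
# Added example: grant a gMSA write access to a folder via an AD group.
# Placeholder names; replace with your own.
Import-Module ActiveDirectory

$gmsaName   = 'svc-task$'             # sAMAccountName of the gMSA (trailing $ is part of it)
$groupName  = 'ACL-TaskOutput-Modify' # group that will carry the NTFS permission
$folderPath = 'D:\TaskOutput'         # folder the scheduled task needs to write to

# 1. Create the group if it does not exist. Domain-local scope is the usual
#    choice for a group whose only job is to hold a resource permission.
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope DomainLocal -GroupCategory Security
}

# 2. Put the gMSA in the group. Get-ADServiceAccount returns the account object,
#    which Add-ADGroupMember accepts like any other principal.
$gmsa = Get-ADServiceAccount -Identity $gmsaName
Add-ADGroupMember -Identity $groupName -Members $gmsa

# 3. Grant the group Modify on the folder, inherited by subfolders and files,
#    instead of trying to grant the gMSA itself.
$acl  = Get-Acl -Path $folderPath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    "$env:USERDOMAIN\$groupName",
    [System.Security.AccessControl.FileSystemRights]::Modify,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($rule)
Set-Acl -Path $folderPath -AclObject $acl

# 4. Check the result: the group should now appear in the folder's ACL,
#    and the gMSA should be listed as a member of the group.
(Get-Acl -Path $folderPath).Access | Where-Object { $_.IdentityReference -like "*\$groupName" }
Get-ADGroupMember -Identity $groupName | Select-Object Name, objectClass
```

The new group membership lands in the gMSA's logon token only when that token is rebuilt, so the permission takes effect on the next run of the scheduled task rather than on a task that is already running.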

Related

Insufficient privilege for operation like Get-AzureADApplication and Set-AzureADApplication

I would like to automate deployment, and it requires updating settings for an Azure AD Application registration.
So far I am able to:
create an Azure AD App registration and Service Principal with a certificate (thanks to the MS documentation)
then use the command Connect-AzureAD with the previous service principal and its certificate
use a command like Get-AzureADApplication -ObjectId 11111111-2222-3333-4444-555555555555
In the previous bullet, ObjectId 11111111-2222-3333-4444-555555555555 matches the application I created in the first bullet.
However, I am unable to execute commands like:
Get-AzureADApplication -Filter "DisplayName eq '$aADApplicationame'"
and $aADApplicationame matches the application created previously
Set-AzureADApplication -ObjectId $aADApplication.ObjectId -ReplyUrls $ReplyUrls
Get-AzADServicePrincipal
I get the following error message:
Set-AzureADApplication : Error occurred while executing SetApplication
Code: Authorization_RequestDenied
Message: Insufficient privileges to complete the operation
Based on my research, I set up some API permissions as follows:
Unfortunately no luck, and I still get insufficient privileges although all permissions were granted.
Do you know if I am missing something? Are there any specific permissions I should add to make it work?
Regards.
As mentioned in another reply, you could give the Global Administrator role to the service principal; that is correct, but the permission of Global Administrator is too large in this case, and it may cause some security issues.
In this case, the commands Get-AzureADApplication and Set-AzureADApplication you used essentially call the Azure AD Graph API, so to solve the issue, a better solution is to add the permission of the Azure AD Graph API. Please follow the steps below.
1. Navigate to the API permissions of your AD App -> select Azure Active Directory Graph (not Microsoft Graph).
2. Select Application permissions (not Delegated permissions) -> Application.ReadWrite.All -> click Add permissions.
3. At last, click the Grant admin consent for xxx button.
After a while, try the commands again; it will work fine.
Update:
After checking the docs, I found there are already some new commands released by MS which call Microsoft Graph; I hadn't seen them before.
E.g. in your case, you can use Get-AzureADMSApplication instead of Get-AzureADApplication.
Get-AzureADMSApplication -Filter "DisplayName eq 'joyttt'"
Use Set-AzureADMSApplication instead of Set-AzureADApplication.
Set-AzureADMSApplication -ObjectId <object-id> -Web @{ RedirectUris = "https://mynewapp.contoso.com/" }
For Get-AzADServicePrincipal, there is no equivalent currently; there should be one in the future. When using the commands above, the permissions of Microsoft Graph will work, no need to use Azure AD Graph, but you should use Application permissions, not Delegated permissions (you used the Delegated permission in your question).
You are facing this issue because PowerShell cmdlets work differently from MS Graph. Instead of permissions, PowerShell requires roles to do these operations. Please add the Global Administrator role to your service principal and then try Connect-AzureAD again; the issue will be fixed.
For more details, you may refer to Assigning administrator roles in Azure Active Directory.
I was also facing a similar issue; make sure you are doing the two things below:
Set a Run As account for the Azure Automation account.
In the newly created app registration for the Azure Automation account, after setting the Run As account, make sure you add the Cloud Application Administrator role explicitly.
Add the API permission Application.ReadWrite.All (Microsoft Graph).
In my case the app registration was showing the Cloud Application Administrator role under the Roles and Administrators screen, which I thought gave the new app registration the required permission, but that was not the case. The PowerShell script only worked after we assigned the Cloud Application Administrator role explicitly.
First, thanks for the previous posts; they gave a lot of inspiration on this topic. In our case the problem occurred in an automated Bicep mechanism that is supposed to add API permissions for Microsoft Graph.
Error: Authorization_RequestDenied
Solution:
We needed to give the Enterprise Application running the mechanism the following Microsoft Graph Application permissions (not Azure Active Directory Graph, which will be deprecated):
Application.ReadWrite.All
AppRoleAssignment.ReadWrite.All
Directory.ReadWrite.All

What permission do I need to assign managed identities to app roles?

I want to authorize several Logic Apps to access operations on an API secured by an app registration, which has several app roles describing different operations. Currently a directory administrator is doing this manually using New-AzureADServiceAppRoleAssignment once the Logic Apps are created, because the associated service principal doesn't exist until then.
I'd rather this were automated, because especially in development, the manual work of asking a directory administrator to re-run this script is very tedious. However I don't know how to grant the scripting account - a service principal linked to a DevOps service connection - only the permissions to do this, and not make it a directory administrator able to do anything. If the service connection is a directory administrator, developers would be able to supply it scripts to tell it to create or delete any combination of role assignments, enabling them to let themselves into anything, and also shut out people who should be able to prevent this. This is an unacceptable security hole.
What is the minimal permission needed to allow an automated process to script the creation of app role assignments but nothing else, and where is this documented?
For this requirement, you can just add the scripting account as an owner of your app (just create a new user without any roles and add it as the app's owner). Then it can add role assignments in this app but can't do other operations on the role assignments of other apps.

AD Permission denied when adding a user to a group in a trusted domain

I have 2 domains with a two-way trust between them. I want to modify a group in one of the domains while running on the other domain.
Let's say the domain I am running my script on is mydomain.com, and I would like to add a user in yourdomain.com.
I tried through VBScript as well as DSMod, but I get permission denied:
dsmod group "CN=DCComics,OU=Comics,DC=yourdomain,DC=com" -addmbr "CN=Dark Knight,OU=Comics,DC=yourdomain,DC=com"
When I run the above, I get this
dsmod failed:CN=DCComics,OU=Comics,DC=yourdomain,DC=com:Insufficient access rights to perform the operation.
I'm able to query data on yourdomain.com and I have checked the trusts are working just fine. I have logged in as administrator on mydomain.com.
Ideally I am looking to do this in VBScript, so I wrote this just to test:
' ADsPaths of the user and of the group in the trusted domain
user = "LDAP://CN=Clark Kent,OU=Comics,DC=yourdomain,DC=com"
group = "LDAP://CN=DCComics,OU=Comics,DC=yourdomain,DC=com"
Dim objGroup
' Bind to the group object over LDAP, then add the user by ADsPath
Set objGroup = GetObject(group)
objGroup.Add(user)
Once again, I get an error about permissions:
C:\tmp\foo.vbs(6, 1) Microsoft VBScript runtime error: Permission denied
Any guidance where I need to muck about with permissions for this? Might I add, I am still learning about AD, so please be gentle :)
Thanks
Being an admin in mydomain.com does not make you an admin in yourdomain.com, trust or no trust. You need your mydomain\account added to the Administrators group in yourdomain.com.

How to make permission re-apply for a logged-in user in Windows AD without making him log in again

I am remotely removing a user U from a Group G.
But I have to log off and log on the user U to ensure that permissions for Group G do not apply any more to User U.
This is on a Windows 2008 server.
Is there a way to force the entire exercise of calculating permissions (which is done when a user logs in) while the user is logged in?
Thanks in advance.
You can purge the Kerberos TGT (and all your service tickets) using something like klist purge. I don't know what APIs to call to do this programmatically.
This will just refresh the groups (and rights) in your token when you access remote resources, though.
The list of group SIDs a user belongs to is computed into the user's token, which is attached to his processes, so in my opinion you need the logoff/logon.
You can find the source of Klist.exe described by Brian Desmond in the Windows Platform SDK (the API in use is LsaCallAuthenticationPackage):
C:\Program Files\Microsoft SDKs\Windows\v7.0\Samples\security\authorization\klist

MSMQ AD permissions

We have a system using two machines to do some processing. Let's call the machine that does the processing PROCESSOR, and the machine giving it items to process SERVER. Both are running Windows Server 2008. We have one Windows Service running on SERVER which needs to use MSMQ to send messages to a public queue PROCESSOR.
On PROCESSOR, we have another Windows Service which pulls items from the queue for processing.
The two machines are in the same domain, and all works fine if we run both services under accounts with domain admin privileges. However, we need the accounts to have the minimum privileges possible (particularly for the service on SERVER).
Before elevating the rights of the account we're using for the service on PROCESSOR, I tried giving it full rights to MSMQ. However, this didn't seem to be enough, and as soon as the service tried to do anything with MSMQ (first thing it does on starting is to check if relevant queues exist), I got an exception saying "Access to Message Queuing is denied".
Does anybody know what permissions need to be granted to an AD account in order for it to be able to use MSMQ?
Thanks,
Andrew
Run your service under a defined system account, like (I believe Network), then set the permissions on the MSMQ to full control for that.
When I've used this in the past I just cheated and allowed access to "Everyone". But in a domain setting the best way is to create a domain user and set that for the service and permissions on the MQ.
You need to set permissions on the objects in Active Directory.
So you'll need Get Properties permission if you are querying objects, for example.
This should be on the MSMQ object under the computer object and the queue object(s) under the MSMQ object.
Also, the defaults are going to be restricted to allowing everyone to send but not receive so you will need to add that access for the domain account you are using to be able to read messages.
