I have service principal where I assigned multiple roles to it which are required in accessing Azure resources by doing user_impersonation.
Now I want to get these list of roles from Powershell/CLI/REST API.
I'm finding documents for fetching appRoleAssignments of service principal using MS graph :
GET https://graph.microsoft.com/v1.0/servicePrincipals/00063ffc-54e9-405d-b8f3-56124728e051/appRoleAssignedTo
But that is not what I need. Are there any existing commands that helps me to achieve my requirement?
check out this link:
Get-Azroleassignment
Updating my answer with Powershell:
$spn = Get-AzADServicePrincipal -DisplayName "your spn display name"
Get-AzRoleAssignment -ObjectID $spn.id
Also, you must have an atleast active directory reader access to execute this command successfully.
Related
I am in the process of trying to learn Bicep, as a part of that self-instruction I have been trying unsuccessfully to create a management group hierarchy. I am attempting to create a single management group using the following but am getting an error message when I deploy the bicep file.
targetScope = 'tenant'
param mgName string = 'test-displayname'
resource mgmtGroup 'Microsoft.Management/managementGroups#2021-04-01' = {
name: mgName
}
When I attempt to deploy I get the following error message:
"Deployment failed for c:\bicep\Management Groups\azuredeploy.bicep. Tenant scope deployment is not currently supported."
I have tried changing API versions, deploying to the management group scope, etc. all with no success.
Any ideas are greatly appreciated!
Thanks
By default, the SPN does not have permission to deploy tenant resources. You need to grant it at the root scope "/" to make it work.
First, you need to elevate your permissions as user Global Administrator into Azure AD:
https://learn.microsoft.com/en-us/azure/role-based-access-control/elevate-access-global-admin
Connect-AzAccount
$user = Get-AzADUser -SignedIn
New-AzRoleAssignment -Scope '/' -RoleDefinitionName 'Owner' -ObjectId $user.Id
Now you are able to set your SPN with the correct permissions:
https://github.com/Azure/Enterprise-Scale/blob/main/docs/EnterpriseScale-Setup-azure.md
$spndisplayname = "<SPN Display Name>"
$spn = (Get-AzADServicePrincipal -DisplayName $spndisplayname).id
New-AzRoleAssignment -Scope '/' -RoleDefinitionName 'Owner' -ObjectId $spn
I think you may be running into a few different issues.
How are you deploying the template? The error you posted doesn't sound like it's coming from the service but the client...
Your bicep file is targeting the tenant scope, for that you need permission to create template deployments at tenant scope (even if you create no resources). The principal deploying the template will need permission (contributor at least, owner is not required) at the tenant scope as Wesley mentioned. The thing to be aware of here is that this gives that principal contributor access to everything in the tenant - all MGs, All subs, All RGs. It's very permissive and needs to be used carefully/sparingly. Also, note that you do not need to target the tenant scope to create the MG in a template. You can set the targetScope in bicep to a RG, Sub or MG. But the principal deploying the template must have permission at whatever scope you target the bicep file to.
A principal need not be given any special permission to simply create a MG - all users have this permission. You can test this by creating an MG on the cmd line. When that user creates the MG, the user is made the "owner" of that MG.
Point being, be very careful about granting perms at the tenant level and use only when necessary.
All that said, if your goal is to create MGs and deploy resources to those MGs in the same bicep deployment, the best path is to give the principal permissions (contributor is best) at the tenant level. Otherwise you will run into replication delays with permissions on the newly created MGs.
HTH
In order to run migrations on my Test Azure SQL which is configured with PrivateLink I temporarly enable public access and then disable it again.
Set-AzSqlServer
-ServerName $sqlServerName
-ResourceGroupName $(IntegrationResourceGroupName)
-PublicNetworkAccess "Enabled"
And it worked for months, but recently I started receiving this error message.
Cannot find the Azure Active Directory object 'My_DB_Admins_Group_Name'.
Please make sure that the user or group or application you are authorizing is registered
in the current subscription's Azure Active directory. To get a list of Azure Active Directory
groups use Get-AzADGroup, or to get a list of Azure Active Directory
users use Get-AzADUser or to get a list of Azure Active Directory applications use Get-AzADApplication.
Release pipeline was not modified. What might be the reason?
I can execute this PS command from my local machine, as me, and it works fine.
As per the error message : Only azaduser and azadgroup are filtered by azsqlserveractivedirectoryadministrator. It is unlikely that it will look for service principles. You might make an azure ad group called dbas or something similar. To that group, then add the service principal to it.
Then add the group to the sql server using that set-azsqlcommand
$sp = Get-AzADServicePrincipal -DisplayName "theserviceprincipalname"
Add-AzADGroupMember -MemberObjectId $($sp.id) -TargetGroupDisplayName "AAD Group Name"
Set-AzSqlServerActiveDirectoryAdministrator -ResourceGroupName 'data-eastus2' -ServerName 'data-eastus2-sqlsvr' -DisplayName "AAD Group Name"
I need to get access to an existing PowerBI group on our online PowerBI instance. Unfortunately the group creator / owner is not currently available.
I have the 'PowerBI Admin Role' - however when i try an access the group I get the error below:
I can see the group that I am trying to access from the PowerBI admin portal:
I have tried the PowerShell commandlet: Add-PowerBIWorkspaceUser
Add-PowerBIWorkspaceUser -UserPrincipalName myusername#tenancy.com -Id 12345678-ABCD-1234-ABCD-1234567890AB -AccessRight Member
This fails with an unauthorized response. I assume this is because commandlet is for workspaces and not groups.
Is there a way for an admin user to amend the membership of a group they are not already a member of?
We recently purchased an Azure App Service Certificate. I created a new Key Vault Store in the set up process for this certificate, and imported the certificate.
Now I'm trying to create a local copy of an App Service Certificate, using the powershell script provided here: https://blogs.msdn.microsoft.com/appserviceteam/2017/02/24/creating-a-local-pfx-copy-of-app-service-certificate/
However, I get an error:
Set-AzureRmKeyVaultAccessPolicy : Cannot find the Active Directory object '' in tenant 'my tenant id'. Please make sure that the user or application service principal you are authorizing is registered in the curren
t subscription's Azure Active directory. The TenantID displayed by the cmdlet 'Get-AzureRmContext' is the current subsc
ription's Azure Active directory.
At C:\Projekt\Certificates\Azure\copyasc.ps1:22 char:1...
I'm not sure what else is relevant, but here's a few notes:
The username I'm sending into the failing Set-AzureRmKeyVaultAccessPolicy -UserPrincipalName temp#outlook.com, corresponds to the username of the only user I see in the default directory of Azure Active Directory.
This user's ObjectId is in the list of access policies for the keyvault (I see this by adding -Debug to the cmdlet that fails).
There are no keys in the keyvault. There is one (unmanaged) secret, the certificate.
Some threads mention stuff about AD applications. I'm not sure I understood what I read about these. Is this something I need to do when creating a keyvault?
Hope someone can help me? :)
According to the error log, your UserPrincipalName value is wrong. Please execute following command to get the UserPrincipalName.
Get-Azureaduser
temp#outlook.com is not a Azure AD account, its userprincipalname should be temp#outlook.com#EXT##<your AD>.
Or you could replace UserPrincipalName to user's object id.
Set-AzureRmKeyVaultAccessPolicy -ResourceGroupName $keyVaultResourceGroupName -VaultName $keyVaultName -ObjectId $userobjectid -PermissionsToSecrets get
This question already has an answer here:
Insufficent privileges when accessing azure graph api users list
(1 answer)
Closed 5 years ago.
I have registered an AAD Application in my Tenant/Directory, and I want to call the Graph API in the App Only Context. (Using the Client Credential Flow)
When making certain AAD Graph API calls, I get the error:
"odata.error":{
"code":"Authorization_RequestDenied",
"message":{
"lang":"en","value":"Insufficient privileges to complete the operation."
}
}
I want to give this application full access to the Graph API in the context of my tenant.
Or
I want to grant this application permissions to my tenant which are not currently supported with the permissions exposed by the AAD Graph API.
You can elevate the level of access an Application has in your tenant by adding the service principal of that application to the Company Administrator Directory Role. This will give the Application the same level of permissions as the Company Administrator, who can do anything. You can follow these same instructions for any type of Directory Role depending on the level of access you want to give to this application.
Note that this will only affect the access your app has in your tenant.
Also you must already be a Company Administrator of the tenant to follow these instructions.
In order to make the change, you will need to install the Azure Active Directory PowerShell Module.
Once you have the module installed, authenticate to your tenant with your Administrator Account:
Connect-MSOLService
Then we need to get the Object ID of both the Service Principal we want to elevate, and the Company Administrator Role for your tenant.
Search for Service Principal by App ID GUID:
$sp = Get-MsolServicePrincipal -AppPrincipalId <App ID GUID>
Search for Directory Role by Name
$role = Get-MsolRole -RoleName "Company Administrator"
Now we can use the Add-MsolRoleMember command to add this role to the service principal.
Add-MsolRoleMember -RoleObjectId $role.ObjectId -RoleMemberType ServicePrincipal -RoleMemberObjectId $sp.ObjectId
To check everything is working, lets get back all the members of the Company Administrator role:
Get-MsolRoleMember -RoleObjectId $role.ObjectId
You should see your application in that list, where RoleMemberType is ServicePrincipal and DisplayName is the name of your application.
Now your application should be able to perform any Graph API calls that the Company Administrator could do, all without a user signed-in, using the Client Credential Flow.
Let me know if this helps!