We are trying to figure out all the rights an Azure Active Directory Service Principal (AADSP) has to objects in our Azure tenant.
For example an AADSP might have:
Read rights to SharePoint Online site collection A
Write permissions to SharePoint Online site collection B
Get permission to Azure Function A
Post permission to Azure Function B
Select permissions to SQL Database A
We are hoping that this information to stored in a collection within the Service Principal object. But we have not been able to locate the collection using Azure Graph.
https://graph.microsoft.com/v1.0/servicePrincipals
Is our only option to loop thru all Azure objects and check each object's permission and see which Service Principal have been granted rights?
There's no single API to query all sets of permissions given to a SP: application permissions AKA app roles, Azure AD directory permissions, and Azure RBAC.
You can obtain application permissions using MS Graph List appRoleAssignments operation, Azure AD role assignments trough List unifiedRoleAssignments, and Azure RABC permissions using Azure REST API Permissions - List For Resource operation.
Depending on the set of permissions, you may have to list all resources to find what assignments are available for a given SP.
Related
I wish to grant users in a given AD group access to the Development Tools > Console function of the Production environment. I believe this is Kudu permission granted by assigning the Microsoft.Web/sites/publish/Action.
Is this possible without granting a member of the group the ability to publish web sites?
It is not possible to granting a member of the group the ability to publish web sites.
From the microsoft document it stated clear that you required microsoft.web/sites/publish/action resource provider operation.
Ones with Kudu access are ones owning the site - regardless if
read-only or not. To expand, they can deploy any codes (good or
malicious) to and able to read any secret settings of the site (eg.
KeyVault, SQL and Storage credentials, Private Certificates, etc.).
Hence for Azure, only those with Contributor / Owner access (to be
exact, with microsoft.web/sites/publish/action or, for slot,
microsoft.web/sites/slots/publish/action) can access to Kudu (SCM).
Refer this document for more information.
Active Directory Graph API is now fully deprecated, in favor of MS Graph API.
My company has given me my own Visual Studio Professional subscription. I also have a DevOps organization. I am the Owner role in both.
with AADG API, I could use Terraform, for example, to create Service Principals and manage roles. Service Connections in DevOps were scoped to my subscription.
Example:
## These are in my resource group
...
resource "azuread_service_principal" "example" {
application_id = azuread_application.example.application_id
app_role_assignment_required = false
owners = [data.azuread_client_config.current.object_id]
}
...
resource "azurerm_role_assignment" "kubweb_to_acr" {
scope = azurerm_container_registry.acr.id
role_definition_name = "AcrPull"
principal_id = azurerm_kubernetes_cluster.kubweb.kubelet_identity[0].object_id
}
This used to work great. Now it does not. Now I get errors like:
Error: authorization.RoleAssignmentsClient#Create: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="AuthorizationFailed" Message="The client '3520c717-e1cc-4d0b-b021-2f93a1b05d80' with object id '3520c717-e1cc-4d0b-b021-2f93a1b05d80' does not have authorization to perform action 'Microsoft.Authorization/roleAssignments/write
and
ApplicationsClient.BaseClient.Post(): unexpected status 403 with OData
│ error: Authorization_RequestDenied: Insufficient privileges to complete the
│ operation.
Even though I own my subscription, there is a parent organization above me. My SPs get scoped to their AD where I can't manage them. I can't use "Grant Admin Consent" through MS Graph API. Also, in DevOps, when I create an ARM Service Connection, for example, I scope it to my Subscription. It never scopes to my subscription, but the parent's, and I can't change its permissions.
How do I alter my development or scope my resources so that I don't have to defer to parent organization?
What role do they need to give me so I don't have to involve them?
I'm already the owner of my subscription. How do I create these types of resources in a way that I have full control over managing them again?
Side-note, it's interesting. I can use Azure CLI and run the same commands via terminal, and I have no problems creating or altering resources. The same commands az ad sp create-for-rbac don't throw any errors at all, and it's using the same permissions and scope defined in the pipelines.
Both errors you show are due to the service principal that Terraform is running as has not been authorized to perform the action in question. (From the Azure role assignment error, we can know this is the service principal with object ID "3520c717-e1cc-4d0b-b021-2f93a1b05d80".)
To assign an Azure role to a user, group, or service principal (your first error), the service principal used by Terraform needs to be have been granted a role that includes the "Microsoft.Authorization/roleAssignments/write" operation, scoped to (at least) scope you're trying to grant the role at (e.g. the specific Azure resource, the resource group it's in, or the subscription it's in). Typically, if you need to create Azure role assignments, this is the "Owner" role. More details from Terraform in Allowing the Service Principal to manage the Subscription. If you're "Owner" of the Azure subscription, then you will be able to do this yourself.
To create Azure AD application and service principals (your second error): The service principal used by Terraform needs to be granted permission to do this in the Azure AD tenant in question. For example, the app roles (application permissions) Application.Read.All and Application.ReadWrite.OwnedBy would suffice in many cases. These are actions that take place in the Azure AD tenant, so an Azure AD administrator will need to grant this access—you cannot do this on your own if you're not an admin of the Azure AD tenant. More details from Terraform in Configuring a User or Service Principal for managing Azure Active Directory.
How do I alter my development or scope my resources so that I don't have to defer to parent organization?
You could have an entirely separate Azure AD tenant (where you'd be administrator), and point the Azure subscription to trust that tenant. This may or may not be compatible with your organization's policies and practices.
I'm already the owner of my subscription. How do I create these types of resources in a way that I have full control over managing them again?
Azure AD applications and service principals are not a part of your Azure subscription, they're in the "parent" Azure AD tenant. You (the user) probably do have permission over these objects (e.g. you're owner of them in Azure AD), but Terraform isn't running as you—it's running as a separate service principal.
Side-note, it's interesting. I can use Azure CLI and run the same commands via terminal, and I have no problems creating or altering resources. The same commands az ad sp create-for-rbac don't throw any errors at all, and it's using the same permissions and scope defined in the pipelines.
You're probably connecting to Azure CLI as yourself (i.e. your user account), instead of the service principal Terraform is using. If you connect to Azure CLI using the same service principal (e.g. az login --service-principal ...), you'd likely experience the same errors, because that service principal hasn't been granted privileges over the Azure AD tenant and the Azure subscription yet.
I'm trying to connect my Azure DevOps Organization to my Azure AD Tenant. I'm the only user in both. I connect to both using my personal microsoft (#outlook.com) account. However, when I'm trying to link my DevOps orga to my Azure AD Tenant, Azure DevOps doesn't see me as a member of the Azure AD Tenant that I'm trying to connect to, even though I'm connected in Azure with the same Microsoft account that I use on Azure DevOps... I'm following the steps mentioned here.
Below pic shows the error message I'm getting while trying to connect my Azure DevOps orga to my Default Azure AD Tenant :
Here, you can see that I'm connected in my Azure AD Tenant with the same Microsoft account that in the previous picture :
Tried to do the same where only one member who is the only admin is present in the azure AD tenant.But could successfully connect to azure devops.
Please make sure you are connecting already existed AAD tenant and then creating connection. check if admin permissions are given .
I had these roles assigned .
I had guest user access same as member access
Could smoothly connect without any warnings to the same domain as that of azure ad.
I tried to reproduce the issue and so tried connect with the other tenant /directory and got the error similar to yours which is not your case as you mentioned you have same directory domain.
So in your case , please close all other tabs and signin to only the required tenant both in azure ad and also in azure devops.
Please check the access permissions for this organization, if the organization is denied access for external access.
See Access via Azure AD FAQs | Microsoft Docs which can guide to troubleshoot your error cause and it says to have co-admin or service admin permissions.
Also please take the points by #jessehouwing in the comments into consideration , if issue is still there :Create a new Global Admin user account in AAD,Add this user to the DevOps organisation and set as owner and give Project Collection Administrators permission,Remove that domain from the DevOps org and Re-add to the org and re-assign as the owner.
Else it might be some issue with the default directory permissions. You may contact and report a problem in https://developercommunity.
I've manually created an Azure Active Directory tenant in the Azure Portal. The portal, however, doesn't present an interface where I can grant permission to other principals to own OR contribute to the AAD. For instance, adding users OR applications. Is that intentional? Or is this permissible via Powershell only. If so, what Powershell commands enable this programmatically? Thanks
I want to get details of Azure Subscription of my client. But I do not want to ask for special permission from client.
What I need is the bare minimum things from my client so that I can login from powershell or rest api and read status of runbook jobs.
If i login from admin account of the subscription than I can easily get those details. But you understand it is not possible to have admin account credential of my client.
Please suggest some workaround.
What you need to do is create a user in Azure Active Directory and grant that user specific rights using either the Azure Portal or PowerShell\Cli\SDK.
Say read all, or read properties of desired automation account. If you would want like a super minumim, you would need to create a custom role first.
https://azure.microsoft.com/en-us/documentation/articles/role-based-access-control-custom-roles/
If your client placed specific resources within a Resource Group, they may grant you permissions on just that Resource Group (including read-only permissions). This would allow you to have access to needed resources, without having access to other areas of their subscription.