Active Directory Graph API is now fully deprecated, in favor of MS Graph API.
My company has given me my own Visual Studio Professional subscription. I also have a DevOps organization. I am the Owner role in both.
with AADG API, I could use Terraform, for example, to create Service Principals and manage roles. Service Connections in DevOps were scoped to my subscription.
Example:
## These are in my resource group
...
resource "azuread_service_principal" "example" {
application_id = azuread_application.example.application_id
app_role_assignment_required = false
owners = [data.azuread_client_config.current.object_id]
}
...
resource "azurerm_role_assignment" "kubweb_to_acr" {
scope = azurerm_container_registry.acr.id
role_definition_name = "AcrPull"
principal_id = azurerm_kubernetes_cluster.kubweb.kubelet_identity[0].object_id
}
This used to work great. Now it does not. Now I get errors like:
Error: authorization.RoleAssignmentsClient#Create: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="AuthorizationFailed" Message="The client '3520c717-e1cc-4d0b-b021-2f93a1b05d80' with object id '3520c717-e1cc-4d0b-b021-2f93a1b05d80' does not have authorization to perform action 'Microsoft.Authorization/roleAssignments/write
and
ApplicationsClient.BaseClient.Post(): unexpected status 403 with OData
│ error: Authorization_RequestDenied: Insufficient privileges to complete the
│ operation.
Even though I own my subscription, there is a parent organization above me. My SPs get scoped to their AD where I can't manage them. I can't use "Grant Admin Consent" through MS Graph API. Also, in DevOps, when I create an ARM Service Connection, for example, I scope it to my Subscription. It never scopes to my subscription, but the parent's, and I can't change its permissions.
How do I alter my development or scope my resources so that I don't have to defer to parent organization?
What role do they need to give me so I don't have to involve them?
I'm already the owner of my subscription. How do I create these types of resources in a way that I have full control over managing them again?
Side-note, it's interesting. I can use Azure CLI and run the same commands via terminal, and I have no problems creating or altering resources. The same commands az ad sp create-for-rbac don't throw any errors at all, and it's using the same permissions and scope defined in the pipelines.
Both errors you show are due to the service principal that Terraform is running as has not been authorized to perform the action in question. (From the Azure role assignment error, we can know this is the service principal with object ID "3520c717-e1cc-4d0b-b021-2f93a1b05d80".)
To assign an Azure role to a user, group, or service principal (your first error), the service principal used by Terraform needs to be have been granted a role that includes the "Microsoft.Authorization/roleAssignments/write" operation, scoped to (at least) scope you're trying to grant the role at (e.g. the specific Azure resource, the resource group it's in, or the subscription it's in). Typically, if you need to create Azure role assignments, this is the "Owner" role. More details from Terraform in Allowing the Service Principal to manage the Subscription. If you're "Owner" of the Azure subscription, then you will be able to do this yourself.
To create Azure AD application and service principals (your second error): The service principal used by Terraform needs to be granted permission to do this in the Azure AD tenant in question. For example, the app roles (application permissions) Application.Read.All and Application.ReadWrite.OwnedBy would suffice in many cases. These are actions that take place in the Azure AD tenant, so an Azure AD administrator will need to grant this access—you cannot do this on your own if you're not an admin of the Azure AD tenant. More details from Terraform in Configuring a User or Service Principal for managing Azure Active Directory.
How do I alter my development or scope my resources so that I don't have to defer to parent organization?
You could have an entirely separate Azure AD tenant (where you'd be administrator), and point the Azure subscription to trust that tenant. This may or may not be compatible with your organization's policies and practices.
I'm already the owner of my subscription. How do I create these types of resources in a way that I have full control over managing them again?
Azure AD applications and service principals are not a part of your Azure subscription, they're in the "parent" Azure AD tenant. You (the user) probably do have permission over these objects (e.g. you're owner of them in Azure AD), but Terraform isn't running as you—it's running as a separate service principal.
Side-note, it's interesting. I can use Azure CLI and run the same commands via terminal, and I have no problems creating or altering resources. The same commands az ad sp create-for-rbac don't throw any errors at all, and it's using the same permissions and scope defined in the pipelines.
You're probably connecting to Azure CLI as yourself (i.e. your user account), instead of the service principal Terraform is using. If you connect to Azure CLI using the same service principal (e.g. az login --service-principal ...), you'd likely experience the same errors, because that service principal hasn't been granted privileges over the Azure AD tenant and the Azure subscription yet.
Related
i am implementing CI/CD pipeline that needs to register an AAD Application with permissions to read/write into Site collections, this would mean that the pipeline itself need to have permission to 'Sites.FullControl.All'. I want to understand from the security perspective, if this is desirable, i.e., a pipeline having FullControl access to a SharePoint tenant. What are the recommended practices w.r.t. this, will the application registration in such scenarios be manually done by Ops team?
According to your description, it seems that you want to use the service connection in the Azure CI/CD pipeline.
We can create a service connection with Service principal (automatic) or Service principal (manual).
Use the following parameters to define and secure a connection to a Microsoft Azure subscription using Service Principal Authentication (SPA) or an Azure managed Service Identity.
Automated subscription detection. In this mode, Azure Pipelines
queries Azure for all of the subscriptions and instances to which you
have access. They use the credentials you're currently signed in with
in Azure Pipelines (including Microsoft accounts and School or Work
accounts).
If you don't see the subscription you want to use, sign out of Azure Pipelines and sign in again using the appropriate account credentials.
Manual subscription pipeline. In this mode, you must specify the
service principal you want to use to connect to Azure. The service
principal specifies the resources and the access levels that are
available over the connection.
For more information, you could refer to Azure Resource Manager service connection.
I want to get information about a service principal in an Azure PowerShell task in my DevOps pipeline using Get-AzRoleAssignment.
Also, After getting the Az-roleAssignment, I want to do : New-AZroleasssignment.
but I get this error.
[Authorization_RequestDenied] : Insufficient privileges to complete the operation
The DevOps service principal has Contributor rights in the subscription. I have created a custom role but unsure as to what permissions to assign to it so that I can run the command in my pipelines. My user account is Subscription Owner.
In order to assign roles, you need to have "Owner" role in this Azure Subscription:https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal-subscription-admin
The Contribute Role for this service principal is not enough. Assign this service principal an Azure Subscription Owner Role.
The Azure Powershell Task is not using your User Account's Role permission, it is using the Role permission of the corresponding service principal.
We've been told by Microsoft support that Azure DevOps Services supports tenant restrictions. While we have tenant restrictions enabled on a number of other services, it does't seem to apply to DevOps. Not only can we still log in to organizations outside of our tenant, we can also log in to our own organization and, if our corp email is added as a user in that org, the organization also shows up. I'd expect that our users would be blocked from logging into or accessing any external orgs.
I'm a little confused about why this isn't just working as expected and despite them saying Azure DevOps Services supports tenant restrictions, I'm not finding much documentation to back that up.
Have you been able to migrate to Azure DevOps Services and ensure that your users are only able to access orgs within your own tenant? How?
Azure DevOps Service supports the Azure Active Directory (Azure AD) tenant policy to restrict users from creating an organization in Azure DevOps. This policy is turned off, by default. You must be an Azure DevOps Administrator in Azure AD to manage this policy.
Check following link for more details:
https://learn.microsoft.com/en-us/azure/devops/organizations/accounts/azure-ad-tenant-policy-restrict-org-creation?view=azure-devops
Notice:
This policy is supported only for company owned (Azure Active
Directory) organizations. Users creating organization using their
personal account (MSA or GitHub) have no restrictions.
https://devblogs.microsoft.com/devops/policy-support-to-restrict-creating-new-azure-devops-organizations/
We finally received a more concrete answer to this question from Premier Support. Sounds like this wasn't entirely clear internally either. Azure DevOps Services supports TRv1 which provides tenant restrictions from client to proxy, but does not support TRv2 tenant restrictions which provides server to server restrictions. TRv1 will prevent you from authenticating against an org outside your tenant directly but does nothing to prevent the background authentication that happens if your account is configured to be able to access a secondary tenant's org. The server to server connection strips off the header information necessary to restrict you from accessing the secondary tenant. While this feature may be on their radar there is no expectation or firm timeline for it's release at this time.
I want to get information about a service principal in an Azure PowerShell task in my DevOps pipeline using Get-AzADServicePrincipal but I get this error.
[Authorization_RequestDenied] : Insufficient privileges to complete the operation
The DevOps service principal has Contributor rights in the subscription.
I have created a custom role but unsure as to what permissions to assign to it so that I can run the command in my pipelines. My user account is Subscription Owner.
This error usually occurs when you do not have permission to read service principals, maybe Directory.Read.All or Application.Read.All are not being enabled. Please provide the service connection to those permissions by granting admin consent.
To enable that, go through the following steps:
Go to Azure Portal -> Azure Active Directory -> App Registrations -> Your DevOps resource -> API Permissions
Now, click on Grant Admin Consent and it will change the status to
granted (Green) .
After performing all these, redeploy the DevOps Pipeline and run Get-AzADServicePrincipal to get the information about service principal.
If still it does not work, assign Directory Readers and Application Administrator roles to service principal of DevOps pipeline.
References:
Service Principal considerations when using Azure DevOps to manage
RBAC on Azure Resource Groups | by Andrew Kelleher | Azure
Architects | Medium
Azure: permissions to list service principals - Stack Overflow
In the quickstart it talks about creating a service principle for the current user. I want to have more of a hierarchical security structure. I would be the current user and I want to have "super-user" or admin rights to this key vault. However I have created another user that would have lower access rights. For both of these scenarios I gather I need to generate a unique service principle name. How do I generate a service principle name for an arbitrary Azure User?
You can just create another service principal name under your current account for this created user. And you just need to assign the lower access rights to the key vault for this service principal. Then the user can access to the key vault with this service principal which has lower access permission.
An Azure service principal is an identity created for use with applications, hosted services, and automated tools to access Azure resources. You can create as many as service principals as you want for different access permissions. If you want to generate a service principal under the created user account, you might have to login as this created user. Otherwise, i am afraid it cannot be done.
You can also set the access permission for this user to this key vault directory without using service principal. See here
az keyvault set-policy --name keyVaultName --object-id userObjectId --secret-permissions permissions --key-permissions permissions
You can get the user's Object id with below command: See here
az ad user show --id <email-address-of-user>