I've been adding permissions to a custom Azure DevOps Services group through the Azure CLI (az devops version 0.11.0) and I've usually been able to do the following:
az devops security permission namespace list, find namespaceId of specific namespace (like EventSubscription)
Get the Project Admin's descriptor
az devops security permission list --id $namespaceId --subject $projectAdmin.descriptor...
Find an allow bit in the ACES dictionary, find the respective token
az devops security permission update... with the new token
But when I run security permission list for the EventSubscription namespace, it returns with empty JSON for the project admins group so I can't find the token. I've tried "$SUBSCRIPTION" as it looked like what a TFS 2010 user used, but that doesn't work.
Questions:
How can I list tokens on the project admins group for the EventSubscription namespace? I tried to see if tfssecurity would pull anything up, but didn't work. Also tried using Fiddler to see if it would find a token but also nothing. Can't use Fiddler with the UI.
Or what token do I use for Azure DevOps to update the EventSubscription permission for a group?
I tested with EventSubscription namespace id and project admins group descriptor as subject parameters and got the same result as you.
$env:AZURE_DEVOPS_EXT_PAT = 'ckdhd6wuma5uw2h35dv37pgdum5eyjviqneineixxxxx'
$output = az devops security permission namespace list | ConvertTo-Json -Depth 100
#get descriptor
$output2 = az devops security group list --scope project | ConvertTo-Json -Depth 100
#eventSubscription namespaceId: 58b176e7-3411-457a-89d0-c6xxx/ Project namespaceId:52d39943-cb85-4d7f-8fa8-c6xxx
$output3 = az devops security permission list --namespace-id 58b176e7-3411-457a-89d0-c6xxxx --subject vssgp.Uy0xLTktMTU1MTM3NDI0NS00MjQ3MDQ2OTMyLTI2ODA1Nzg2MjktMjkxMzgyMjE4MC0yNDQ0MjYxxxxx | ConvertTo-Json -Depth 100
Write-Host $output3
But when I tested with Project namespace id and project admins group descriptor, I can get the token normally.
So I think this could be a problem with the association between the EventSubscription namespace and the project admins group descriptor. Can you share the corresponding operation in the UI? This will help me investigate further.
Related
I want to get information about a service principal in an Azure PowerShell task in my DevOps pipeline using Get-AzADServicePrincipal but I get this error.
[Authorization_RequestDenied] : Insufficient privileges to complete the operation
The DevOps service principal has Contributor rights in the subscription.
I have created a custom role but unsure as to what permissions to assign to it so that I can run the command in my pipelines. My user account is Subscription Owner.
This error usually occurs when you do not have permission to read service principals, maybe Directory.Read.All or Application.Read.All are not being enabled. Please provide the service connection to those permissions by granting admin consent.
To enable that, go through the following steps:
Go to Azure Portal -> Azure Active Directory -> App Registrations -> Your DevOps resource -> API Permissions
Now, click on Grant Admin Consent and it will change the status to
granted (Green) .
After performing all these, redeploy the DevOps Pipeline and run Get-AzADServicePrincipal to get the information about service principal.
If still it does not work, assign Directory Readers and Application Administrator roles to service principal of DevOps pipeline.
References:
Service Principal considerations when using Azure DevOps to manage
RBAC on Azure Resource Groups | by Andrew Kelleher | Azure
Architects | Medium
Azure: permissions to list service principals - Stack Overflow
So I'm creating a script in powershell to reset the project's team members as well as the admins, but currently I can only remove the admins if they are members for the team. Most of the projects that will be affected by my script have team admins that are not team members... I can't seem to figure it out. Any help? Thank's!
Project administrators must be in the Project Administrators group of the project, so we can remove administrator through the following two azure cli.
Get Project Administrators group id:
az devops security group list --project xxx --output table
Remove member from Project Administrators group:
az devops security group membership remove --group-id --member-id
group-id: Required. Descriptor of the group from which member needs
to be removed.
member-id: Required. Descriptor of the group or email address of the
user to be removed.
In my project, I want to create a few AzureRM service connections with different levels of access. I want to allow only certain pipelines to use the service connections. And I am aiming to use API or az devops extension to do this. Portal already allows to choose which pipelines are allowed to use the service connection through service connection security settings.
So far I was able to find the relevant permission in the ServiceEndpoints namespace
Name Permission Description Permission Bit
Use Use Service Connection 1
However, I do not know how to grant the permission to the pipeline. I think i should use 'az devops security permission update' from the extension however can not figure what the subject should be in case of a pipeline. Looking at the output of 'az pipelines build definition show' i do not see any unique identifier for a pipeline and documentation for security permission update says subject should be a user of group.
If i want to use the API, i will need to know how to create the descriptor to pass to Set Access Control Lists.
Any hint is appreciated.
Grant permission to pipeline to use a service connection
According to the document az devops security permission, we could use az devops security permission update to update the azure devops security permission:
az devops security permission update --id
--subject
--token
[--allow-bit]
[--deny-bit]
[--detect {false, true}]
[--merge {false, true}]
[--org]
however can not figure what the subject should be in case of a
pipeline.
As the statement for the Parameters, we could to know:
--subject
User Email ID or Group descriptor.
So, if we update the permission to given user, we just need provide the User Email in above command. If we want to update the permission to given group, we need to provide the Group descriptor.
To get the Group descriptor, we could use the az devops security group list.
You could check this thread for some details.
I'm trying to create a Service Principal account using the instructions here
https://learn.microsoft.com/en-us/azure/media-services/latest/stream-files-tutorial-with-api#examine-the-code-that-uploads-encodes-and-streams
However when I run the command
az ams account sp create --account-name *media_service_account_name* --resource-group *resource_group_name*
Where media_service_account_name is the name shown for the media service I have created and resource_group_name the name of the resource group shown on the same page.
The problem is I get the message ResourceGroupNotFound:
Resource group 'resource_group_name' could not be found.
I just can't see what I am doing wrong. Any help appreciated.
If you have multiple subscriptions, set your subscription first and then try:
To list all subscriptions - az account list --output table
To set your subscription - az account set --subscription <subscription-id>
I had the same issue and verified the subscription with az account show, but what I was missing is that I was working in powershell and needed to set the correct subscription in powershell.
Verify context: Get-Azcontext
Set context: Set-Azcontext <subscription_id>
You may have multiple subscriptions. Set the subscription to default which you want to use in CLI.
Reference: https://learn.microsoft.com/en-us/cli/azure/manage-azure-subscriptions-azure-cli?view=azure-cli-latest
Kindly follow these steps to get over an above error:
az login
It will ask you to provide credentials
az account list --o table // Will list all subscription
Set your subscription on which you want to execute query
3. az account set --subscription "VS Subscription"
Hope it will help
I was running a task: AzureCLI#2 in azure pipeline for creating an azure vwan.
I put az account set --subscription xxxxxxx-xxxx-xxx-xxxx-xxxxxxxxx but it still didn't work and was throwing:
ERROR: (ResourceGroupNotFound) Resource group 'test-rg' could not be found.
Then I added --subscription "xxxxxxx-xxxx-xxx-xxxx-xxxxxxxxx" at the end of he az network vwan create even though it wasn't shown in the documentation.
Here's how I did:
az network vwan create --name testwan01 --resource-group test-rg --subscription "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" --type Standard
Hope it helps if you are running it from some orchestration tools like Jenkins or Azure pipelines.
Keep in mind that Resource Groups in Azure are things that you create, so the article was only providing an example of a Resource Group name.
The command to create the service principal expects you to use the resource group that you used to create your media service account.
az ams account sp create --account-name amsaccount --resource-group **amsResourceGroup**
Make sure that you are using the right resource group name that you used when you created your Media Services account first, and use a unique named one in the same region as your account. I usually call az group create before creating a new account to put it into it's own Resource Group along with the storage account I create for it.
Example
Create a new resource group named "MyResourceGroup" in the West US region.
az group create -l westus -n
Hope that helps!
I have around 100 Azure Web Apps and Azure Functions which I created using Azure PowerShell and CLI, now I need to assign Owner Access to these Web Apps to users (Separate users for each Web Apps)
I am unable to find any sample for this, most sample are pointing to Assigning Resource Group Level Access, but not to the Specific Resource.
The task is achievable in the Azure Portal, just need the PowerShell or CLI command to assign users owner or contributor rights to these specific resources.
If possible please provide a sample command
For Power Shell, you could use New-AzureRmRoleAssignment to do this.
For example.
New-AzureRmRoleAssignment -SignInName "test#hotmail.com" -RoleDefinitionName Owner -Scope "/subscriptions/*************/resourceGroups/shuiapp/providers/Microsoft.Web/sites/shuicli"
or
New-AzureRmRoleAssignment -ObjectId "859f0f40-057b-4afc-9d05-fe8b3933ae87" -RoleDefinitionName Owner -Scope "/subscriptions/*****************/resourceGroups/shuiapp/providers/Microsoft.Web/sites/shuicli"
Note: You could get your user object ID with cmdlet get-azureaduser.
Azure CLI
You could use az role assignment create to do this.
For example.
az role assignment create --assignee <user object id> --role Owner --scope "/subscriptions/3b4d41fa-e91d-4bc7-bc11-13d221b3b77d/resourceGroups/shuiapp/providers/Microsoft.Web/sites/shuicli"
Note: If your user is Azure AD user, you could use az ad user list to get user's object id. If your user is a service principal, you could use az ad sp list to get object id.