I have around 100 Azure Web Apps and Azure Functions which I created using Azure PowerShell and CLI, now I need to assign Owner Access to these Web Apps to users (Separate users for each Web Apps)
I am unable to find any sample for this, most sample are pointing to Assigning Resource Group Level Access, but not to the Specific Resource.
The task is achievable in the Azure Portal, just need the PowerShell or CLI command to assign users owner or contributor rights to these specific resources.
If possible please provide a sample command
For Power Shell, you could use New-AzureRmRoleAssignment to do this.
For example.
New-AzureRmRoleAssignment -SignInName "test#hotmail.com" -RoleDefinitionName Owner -Scope "/subscriptions/*************/resourceGroups/shuiapp/providers/Microsoft.Web/sites/shuicli"
or
New-AzureRmRoleAssignment -ObjectId "859f0f40-057b-4afc-9d05-fe8b3933ae87" -RoleDefinitionName Owner -Scope "/subscriptions/*****************/resourceGroups/shuiapp/providers/Microsoft.Web/sites/shuicli"
Note: You could get your user object ID with cmdlet get-azureaduser.
Azure CLI
You could use az role assignment create to do this.
For example.
az role assignment create --assignee <user object id> --role Owner --scope "/subscriptions/3b4d41fa-e91d-4bc7-bc11-13d221b3b77d/resourceGroups/shuiapp/providers/Microsoft.Web/sites/shuicli"
Note: If your user is Azure AD user, you could use az ad user list to get user's object id. If your user is a service principal, you could use az ad sp list to get object id.
Related
I am in the process of trying to learn Bicep, as a part of that self-instruction I have been trying unsuccessfully to create a management group hierarchy. I am attempting to create a single management group using the following but am getting an error message when I deploy the bicep file.
targetScope = 'tenant'
param mgName string = 'test-displayname'
resource mgmtGroup 'Microsoft.Management/managementGroups#2021-04-01' = {
name: mgName
}
When I attempt to deploy I get the following error message:
"Deployment failed for c:\bicep\Management Groups\azuredeploy.bicep. Tenant scope deployment is not currently supported."
I have tried changing API versions, deploying to the management group scope, etc. all with no success.
Any ideas are greatly appreciated!
Thanks
By default, the SPN does not have permission to deploy tenant resources. You need to grant it at the root scope "/" to make it work.
First, you need to elevate your permissions as user Global Administrator into Azure AD:
https://learn.microsoft.com/en-us/azure/role-based-access-control/elevate-access-global-admin
Connect-AzAccount
$user = Get-AzADUser -SignedIn
New-AzRoleAssignment -Scope '/' -RoleDefinitionName 'Owner' -ObjectId $user.Id
Now you are able to set your SPN with the correct permissions:
https://github.com/Azure/Enterprise-Scale/blob/main/docs/EnterpriseScale-Setup-azure.md
$spndisplayname = "<SPN Display Name>"
$spn = (Get-AzADServicePrincipal -DisplayName $spndisplayname).id
New-AzRoleAssignment -Scope '/' -RoleDefinitionName 'Owner' -ObjectId $spn
I think you may be running into a few different issues.
How are you deploying the template? The error you posted doesn't sound like it's coming from the service but the client...
Your bicep file is targeting the tenant scope, for that you need permission to create template deployments at tenant scope (even if you create no resources). The principal deploying the template will need permission (contributor at least, owner is not required) at the tenant scope as Wesley mentioned. The thing to be aware of here is that this gives that principal contributor access to everything in the tenant - all MGs, All subs, All RGs. It's very permissive and needs to be used carefully/sparingly. Also, note that you do not need to target the tenant scope to create the MG in a template. You can set the targetScope in bicep to a RG, Sub or MG. But the principal deploying the template must have permission at whatever scope you target the bicep file to.
A principal need not be given any special permission to simply create a MG - all users have this permission. You can test this by creating an MG on the cmd line. When that user creates the MG, the user is made the "owner" of that MG.
Point being, be very careful about granting perms at the tenant level and use only when necessary.
All that said, if your goal is to create MGs and deploy resources to those MGs in the same bicep deployment, the best path is to give the principal permissions (contributor is best) at the tenant level. Otherwise you will run into replication delays with permissions on the newly created MGs.
HTH
I want to get information about a service principal in an Azure PowerShell task in my DevOps pipeline using Get-AzRoleAssignment.
Also, After getting the Az-roleAssignment, I want to do : New-AZroleasssignment.
but I get this error.
[Authorization_RequestDenied] : Insufficient privileges to complete the operation
The DevOps service principal has Contributor rights in the subscription. I have created a custom role but unsure as to what permissions to assign to it so that I can run the command in my pipelines. My user account is Subscription Owner.
In order to assign roles, you need to have "Owner" role in this Azure Subscription:https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal-subscription-admin
The Contribute Role for this service principal is not enough. Assign this service principal an Azure Subscription Owner Role.
The Azure Powershell Task is not using your User Account's Role permission, it is using the Role permission of the corresponding service principal.
Active Directory Graph API is now fully deprecated, in favor of MS Graph API.
My company has given me my own Visual Studio Professional subscription. I also have a DevOps organization. I am the Owner role in both.
with AADG API, I could use Terraform, for example, to create Service Principals and manage roles. Service Connections in DevOps were scoped to my subscription.
Example:
## These are in my resource group
...
resource "azuread_service_principal" "example" {
application_id = azuread_application.example.application_id
app_role_assignment_required = false
owners = [data.azuread_client_config.current.object_id]
}
...
resource "azurerm_role_assignment" "kubweb_to_acr" {
scope = azurerm_container_registry.acr.id
role_definition_name = "AcrPull"
principal_id = azurerm_kubernetes_cluster.kubweb.kubelet_identity[0].object_id
}
This used to work great. Now it does not. Now I get errors like:
Error: authorization.RoleAssignmentsClient#Create: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="AuthorizationFailed" Message="The client '3520c717-e1cc-4d0b-b021-2f93a1b05d80' with object id '3520c717-e1cc-4d0b-b021-2f93a1b05d80' does not have authorization to perform action 'Microsoft.Authorization/roleAssignments/write
and
ApplicationsClient.BaseClient.Post(): unexpected status 403 with OData
│ error: Authorization_RequestDenied: Insufficient privileges to complete the
│ operation.
Even though I own my subscription, there is a parent organization above me. My SPs get scoped to their AD where I can't manage them. I can't use "Grant Admin Consent" through MS Graph API. Also, in DevOps, when I create an ARM Service Connection, for example, I scope it to my Subscription. It never scopes to my subscription, but the parent's, and I can't change its permissions.
How do I alter my development or scope my resources so that I don't have to defer to parent organization?
What role do they need to give me so I don't have to involve them?
I'm already the owner of my subscription. How do I create these types of resources in a way that I have full control over managing them again?
Side-note, it's interesting. I can use Azure CLI and run the same commands via terminal, and I have no problems creating or altering resources. The same commands az ad sp create-for-rbac don't throw any errors at all, and it's using the same permissions and scope defined in the pipelines.
Both errors you show are due to the service principal that Terraform is running as has not been authorized to perform the action in question. (From the Azure role assignment error, we can know this is the service principal with object ID "3520c717-e1cc-4d0b-b021-2f93a1b05d80".)
To assign an Azure role to a user, group, or service principal (your first error), the service principal used by Terraform needs to be have been granted a role that includes the "Microsoft.Authorization/roleAssignments/write" operation, scoped to (at least) scope you're trying to grant the role at (e.g. the specific Azure resource, the resource group it's in, or the subscription it's in). Typically, if you need to create Azure role assignments, this is the "Owner" role. More details from Terraform in Allowing the Service Principal to manage the Subscription. If you're "Owner" of the Azure subscription, then you will be able to do this yourself.
To create Azure AD application and service principals (your second error): The service principal used by Terraform needs to be granted permission to do this in the Azure AD tenant in question. For example, the app roles (application permissions) Application.Read.All and Application.ReadWrite.OwnedBy would suffice in many cases. These are actions that take place in the Azure AD tenant, so an Azure AD administrator will need to grant this access—you cannot do this on your own if you're not an admin of the Azure AD tenant. More details from Terraform in Configuring a User or Service Principal for managing Azure Active Directory.
How do I alter my development or scope my resources so that I don't have to defer to parent organization?
You could have an entirely separate Azure AD tenant (where you'd be administrator), and point the Azure subscription to trust that tenant. This may or may not be compatible with your organization's policies and practices.
I'm already the owner of my subscription. How do I create these types of resources in a way that I have full control over managing them again?
Azure AD applications and service principals are not a part of your Azure subscription, they're in the "parent" Azure AD tenant. You (the user) probably do have permission over these objects (e.g. you're owner of them in Azure AD), but Terraform isn't running as you—it's running as a separate service principal.
Side-note, it's interesting. I can use Azure CLI and run the same commands via terminal, and I have no problems creating or altering resources. The same commands az ad sp create-for-rbac don't throw any errors at all, and it's using the same permissions and scope defined in the pipelines.
You're probably connecting to Azure CLI as yourself (i.e. your user account), instead of the service principal Terraform is using. If you connect to Azure CLI using the same service principal (e.g. az login --service-principal ...), you'd likely experience the same errors, because that service principal hasn't been granted privileges over the Azure AD tenant and the Azure subscription yet.
I am unable to execute this line as a System Managed Identity on an Azure VM Powershell -
Connect-AzAccount -Identity #--To connect using managed identity of the VM
$user = Get-AzADUser -ObjectId '****'
$user comes out to be null if I am using Managed Identity whereas I am getting valid $user if I use my microsoft account to connect.
How do I identify whether an object ID is an AAD User using Managed Identity running powershell on a VM?
The use case is I need to automatically remove users having access to AKV in production. For that I need to know if an object id belongs to a user and proceed with deleting role as needed.
If you execute Get-AzADUser directly, you will get this error Insufficient privileges to complete the operation.
This is because you didn't assign an AAD role (for example User Administrator) to the managed identity of the VM. So it has no access to the AAD user.
You can assign the AAD role like this:
Azure Portal -> Azure Active Directory -> Roles and administrators -> enter "user admin" -> click on "User administrator".
Click on "Add assignments" -> Select member(s) -> enter the name of your VM or object id of the managed identity.
Then the managed identity of the VM can get the users through Get-AzADUser.
I raised a request to AAD Admin of my tenant to provide Directory.Read.All permissions to the Managed Identity App ID in Azure AD Graph (not Microsoft Graph).
Once the Managed Identity got the Admin Consent for this permission, I was able to get the users using Get-AzADUser.
My Azure account having one subscription is added as a contributor to another Azure account. Using Login-AzureRmAccount in PowerShell, I login to my account and Get-AzureSubscription returns only my own subscription. On the Azure portal, I can switch between these two subscriptions and create/remove resources on the other subscription.
I have checked Select-AzureSubscription, and it can be used in case Get-AzureSubscription returns multiple accounts to choose among them.
I also do not have the credentials of the other account to login manually.
Is there any way to access my contributor-role subscription in PowerShell and run Azure scripts on it?
"Contributor" is an RBAC (Role based access control) role, so you have access to the subscription throught Azure Resource Manager.
To find this subscription in PowerShell, you can use the Get-AzureRmSubscription cmdlet instead of Get-AzureSubscription. Then you can use the cmdlet Select-AzureRmSubscription to select the subscription instead of Select-AzureSubscription.