What Role or Scopes Does An Azure Service Principal Need to Create Applications
I currently create a service principal using the Azure CLI:

az ad sp create-for-rbac --name foo --role Contributor

I need the service principal to have enough permissions to create/modify/delete various Azure AD resources including Applications, other Service Principals and Service Principal Passwords. When I use the above service principal to create other service principals, I currently get 403 Forbidden errors.

I have also tried using the 'Owner' and 'User Access Administrator' roles but these still give me a 403 error. What do I need to add to the above Azure CLI command or what additional role assignments do I need to add?

I'd like to use the service principal in a Pulumi program with their Azure AD provider (based on Terraform's Azure AD provider). See:

https://github.com/pulumi/pulumi-azuread/issues/246

Eatmon answered 11/2, 2022 at 11:39 Comment(1)
Did my answer help solve your question or is something still unclear? - Yolanthe

In order for a service principal to be able to manage applications it requires API permissions. There is no such thing as a scope, because the API permissions are against the Azure AD API. Scopes are only applicable when it is related to the Resource Manager API. These are not the same thing.

When you go to application registrations in Azure AD, you can find the application, this is also where you will be able to assign the API permissions and grant consent. You will do this either on the Azure Active Directory Graph, or on the Microsoft Graph. In my experience only the permissions assigned with the Azure Active Directory Graph worked.

Application.ReadWrite.All (Application) - Read and write all applications

Application.ReadWrite.OwnedBy (Application) - Manage apps that this app creates or owns

You will find these two application permissions that you could use. The first you can use to manage all applications.

The az cli command you are using is to create a role assignment. This is RBAC on the subscription, it has nothing to do with Azure AD aside from the service principal being an AAD resource.

Sain answered 25/2, 2022 at 12:20 Comment(6)
Thank you for explaining that. Is there a way to add the necessary Azure AD permissions via the Azure CLI or PowerShell commandlets? - Eatmon
I have never used these, but the documentation on it seems solid: learn.microsoft.com/nl-nl/cli/azure/ad/app/… - Sain
Also this one for powershell on SO is solid: #61457929. Please mark my reply as the answer if it answered your initial question. - Sain
This is exact, but you would need admin consent to grant the permission. - Bolognese
The 'grant admin permission' part is already in the answer @Thomas. And did the answer help you out @Muhammad? - Sain
MS has disabled the ability to add Azure Active Directory Graph permissions via the portal. I know there are some half-arsed REST APIs and Powershell commands that can be used to do the same thing, but that's not a product and I don't appreciate having to write and test a program just to change a setting in a product. Does anyone know whether a user friendly way of managing this still exists? - Slumgullion
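One way to script the step this answer describes from the CLI (the question in the first comment), granting a service principal the Microsoft Graph application permission Application.ReadWrite.OwnedBy (the narrower of the two listed) as an app role assignment, which for a service principal is the admin-consent step. This is an added example, not code from the answer; it assumes an existing az login by a user allowed to grant admin consent, and the service principal name foo from the question.

```powershell
# Added example: grant a service principal a Microsoft Graph *application* permission
# via an appRoleAssignment (API permission + admin consent, not an Azure RBAC role).
# Assumes the caller is already signed in with az login as a user who can grant admin
# consent. The SP name and variable names are assumptions for illustration.
$ErrorActionPreference = 'Stop'
$spName     = 'foo'                                  # the SP created in the question
$permission = 'Application.ReadWrite.OwnedBy'        # least privilege of the two listed
$graphAppId = '00000003-0000-0000-c000-000000000000' # well-known appId of Microsoft Graph

# Object id of the SP that should receive the permission (principalId)
$principalId = az ad sp list --display-name $spName --query "[0].id" -o tsv
if (-not $principalId) { throw "Service principal '$spName' not found" }

# Object id of the Microsoft Graph SP in this tenant (resourceId) and the app role id,
# looked up by its value so no permission GUID has to be hard-coded
$graphSp    = az ad sp show --id $graphAppId | ConvertFrom-Json
$resourceId = $graphSp.id
$appRoleId  = ($graphSp.appRoles | Where-Object { $_.value -eq $permission }).id
if (-not $appRoleId) { throw "App role '$permission' not found on Microsoft Graph" }

# Idempotency check; listing appRoleAssignments is also how to audit what the SP holds
$existing = az rest --method GET --uri "https://graph.microsoft.com/v1.0/servicePrincipals/$principalId/appRoleAssignments" | ConvertFrom-Json
if ($existing.value | Where-Object { $_.appRoleId -eq $appRoleId -and $_.resourceId -eq $resourceId }) {
    Write-Output "$permission is already granted to $spName"
    return
}

# POST the assignment. The body goes through a file because PowerShell can strip the
# JSON's double quotes when passing them to a native command such as az.
$bodyFile = Join-Path ([IO.Path]::GetTempPath()) 'approle.json'
@{ principalId = $principalId; resourceId = $resourceId; appRoleId = $appRoleId } |
    ConvertTo-Json -Compress | Set-Content -Path $bodyFile -Encoding ascii
az rest --method POST `
    --uri "https://graph.microsoft.com/v1.0/servicePrincipals/$principalId/appRoleAssignments" `
    --headers "Content-Type=application/json" --body "@$bodyFile"
Remove-Item $bodyFile
Write-Output "Granted $permission to $spName"
```

With OwnedBy the service principal can only manage applications it created or owns, so a later 403 on an application it did not create is expected rather than a misconfiguration.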

You need to add the scope of this service principal and also change the Azure role of this Service Principal to 'User Access Administrator' to enable you to modify resources in Azure AD. Also, the 'User Access Administrator' role will give the service principal the required permissions for that Azure role to assign RBAC permissions. Please refer to the command below for more details:

  az ad sp create-for-rbac --name foo --role "User Access Administrator" --scopes /subscriptions/{subscriptionId}/resourceGroups/{resourceGroup1}

Also, ensure that the user ID through which you are creating this service principal and assigning the role to it has permissions to register and create applications in Azure AD. If not, then please assign that ID the 'Application Administrator' Azure AD role, or you should be allowed to create and register applications by an administrator even though being a 'User'.

Neilson answered 11/2, 2022 at 14:22 Comment(7)
The User Access Administrator role doesn't seem to give the right permissions and Application Administrator doesn't exist when using the --role argument above. - Eatmon
I would suggest you mention 'User Access Administrator' as the role in the command as above and give the user ID through which this command has to be executed the 'Application Administrator' Azure AD role and try it. - Neilson
I still seem to get a 403, so I don't think that is the correct role. - Eatmon
Are you the subscription owner? If yes, then please execute my stated command with those credentials in powershell. As you are assigning an 'Administrator' level role assignment to a service principal, you should have higher privileges to assign that role to the concerned service principal. - Neilson
That command still doesn't seem to give me enough permissions. Unless there is something wrong with Pulumi which I am using to deploy my Azure resources. See github.com/pulumi/pulumi-azuread/issues/246 for more info. - Eatmon
@Sain seems to have the answer for why your solution doesn't work. - Eatmon
@Marco explained the permissions required for the particular task as specified by you to work. Whereas the solution provided by me uses the already created built-in Azure AD roles and Azure role assignments which include the above specified permissions with it. You can also create a custom role assignment with the specified permissions if you wish. - Neilson

You need to give your service principal "App admin" permissions. This allows you to create application registrations and also set their credentials. And it does not give it rights to do anything else such as manage users and groups. If your intent is to include those, you need to add additional roles to the service principal.

https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#application-administrator

Pulsifer answered 11/2, 2022 at 16:52 Comment(1)
How can I set these in the above Azure CLI command? - Eatmon

As was mentioned in other answers, your default RBAC role assignments don't apply because you need permissions on the AAD level, not on the level of subscriptions or resources. You need to assign the service principal a role on the level of the Active Directory.

As far as I can see, the required permission to create service principals would be "Cloud Application Administrator". You might be able to get away with "Application Developer" in some situations, but from the way your question is phrased I believe this is the correct one. You can check the built-in roles in the documentation if you have a clearer understanding of what actions you want to execute.

To create a service principal with such permissions using the Azure CLI:

# Create the SP (no RBAC role is assigned unless --role is given) and parse the JSON output
$sp = az ad sp create-for-rbac --name ServicePrincipalToCreateOtherPrincipals | ConvertFrom-Json
# create-for-rbac returns the appId; the directory role assignment needs the SP's object id
$spDetails = az ad sp show --id $sp.appId | ConvertFrom-Json
$spObjectId = $spDetails.id

# RoleDefinitionId (role template id) of Cloud Application Administrator.
# Note: 62e90394-69f5-4237-9190-012177145e10 is the Global Administrator template id, not this role's.
$Body = @{
    principalId      = $spObjectId
    roleDefinitionId = '158c047a-c907-4556-b7ef-446551a6b5f7'
    directoryScopeId = '/'
} | ConvertTo-Json -Compress
# Assign the directory role to the service principal. The body goes through a file because
# PowerShell can strip the JSON's double quotes when passing them to a native command.
Set-Content -Path body.json -Value $Body -Encoding ascii
az rest --method POST --uri https://graph.microsoft.com/v1.0/roleManagement/directory/roleAssignments --headers "Content-Type=application/json" --body "@body.json"

# Sign in as the created SP; --tenant is required for service-principal login and
# --allow-no-subscriptions because no Azure RBAC role was assigned
az login --service-principal -u $sp.appId -p $sp.password --tenant $sp.tenant --allow-no-subscriptions

# Will now work
az ad sp create-for-rbac --name createdbySP

These commands are fully tested and working, except for the parts like $spDetails.id where I manually used copy paste instead.

Yolanthe answered 22/2, 2023 at 15:54 Comment(5)
I need a fully working tried and tested solution. I'd also like to apply the minimum level of permissions. I've spent a lot of time trying to figure this out. Not sure why this is so hard. - Eatmon
@MuhammadRehanSaeed my solution is tried and tested. Just parts like $spDetails.id are pseudo code. And I believe these are the minimal permissions for the things mentioned in your question. - Yolanthe
@MuhammadRehanSaeed the solution is complete for the question "I need the service principal to have enough permissions to create/modify/delete various Azure AD resources including Applications, other Service Principals and Service Principal Passwords". You can also do the role assignment to Cloud Application Administrator manually in AAD if you don't need that as a script. Do you need anything else? - Yolanthe
A Cloud Application Administrator has too many permissions. - Eatmon
@MuhammadRehanSaeed this is the role with the least permissions of all built-in roles that still can do everything that you described in your question. Just search for /applications/. If you need something in between, you will have to create a custom role. Does this solve your question? - Yolanthe