Using IAM for Azure Service Bus, how can I assign a role to an application?
Background
I want to give an application ownership of several of my Azure Service Bus queues ... specifically, by granting it the Azure Service Bus Data Owner role.
The Azure Service Bus documentation says this is possible:
Azure Service Bus supports using Azure Active Directory (Azure AD) to authorize requests to Service Bus entities (queues, topics, subscriptions, or filters). With Azure AD, you can use role-based access control (RBAC) to grant permissions to a security principal, which may be a user, group, or application service principal [my emphasis].
(Source)
However, I can't find a way to do it.
What I've Tried
- Registered the application in Azure AD.
- Granted the application the
user_impersonationpermission onMicrosoft.ServiceBus. (Application permissionsis disabled [1], so I selectedDelegated permissionsand checkeduser_impersonation[2]. No idea if that's right. I posted another question a while ago aboutApplication permissionsbeing disabled, but the accepted answer of editing the manifest doesn't work in this case.)
- In my Service Bus queue, selected
Role assignments. - Clicked
Add. - Searched for my application.
Issue
My application doesn't appear in the search results in Role assignments.
A service principal is the instance of an application in a given tenant. (Multi-tenant applications can have service principals in many tenants, all referring back to a single app registration.)
To grant an Azure role to an application, a service principal must first exist in the tenant. To check if the service principal for an app registration already exists in the same tenant where the app is registered (and create it if it doesn't):
Using the Azure portal:
- Navigate to Azure AD > App registrations > (app) > Overview
- Under the Managed application in local directory heading:
- If you see a link with the name of the app, the service principal already exists.
- If you see a "Create service principal" link, clicking it will attempt to create the service principal.
Using Azure CLI:
az ad sp show --id {app-id}
az ad sp create --id {app-id}
Using Azure AD PowerShell:
Get-AzureADServicePrincipal -Filter "appId eq '{app-id}'"
New-AzureADServicePrincipal -AppId "{app-id}"
- Unable to locate executable file: 'bash'. Please verify either the file path exists
- "We're sorry, your sql database is unavailable" What does this mean exactly in Azure SQL?
- How do I login to an Azure AD Joined VM using Azure AD Credentials on an Windows Server 2019?
- Migrating from validate-jwt to validate-azure-ad-token policy
- Azure C# Cosmos DB: Property "id" is missing when it's actually present
- Azure Permission - needed for creating resource group - RBAC
- Can the Azure Service Bus be delayed before retrying a message?
- azure documentdb create document duplicates Id property
- JWT validation failure error in azure apim
- How to Add JVM Arguments in Azure Application Service?
- Azure App Service and Application Insights where is performance test?
- Is it possible to have a non-interactive code that logs in to Azure and creates users in Microsoft Entra ID?
- Change Default Service Version of Microsoft Azure Blob - PHP
- Microsoft Graph: How to filter users by domain name
- Azure App Service Plan CPU Spikes to 100%
- Unable to Authenticate to DevOps API with Angual MSAL
- Query all Azure WAF rules using Azure Resource Graph Explorer
- Azure Databricks: Not able to parameterize keys option of dlt.apply_changes
- ASP.NET Core 3.1 Azure AD Authentication throws OptionsValidationException
- Attaching a private static ip address to Azure Container Instance
- Azure Synapse severless SQL pool - query execution fails
- How to login via Service Principal having Federated Credentials rather than Client Secrets
- Where can I find the resource id of an Azure function app in the Azure portal?
- How to forward access-control-allow-origin header from a Web App to a Front Door?
- Basic SQL commands in Terraform
- Linux Azure Webjob in nodejs referring to node.exe
- Running Azure functions locally gives "No runtime" error after .NET7 upgrade
- Azure DataSync tables not showing up
- Azure ML: Unable to find workspace
- unable to start 'Docker for windows' on Azure Win 10 VM