azure-devopsazure-powershellazure-pipelines-yamlazure-service-principal
What are the required permssions for Azure DevOps to execute Get-AzureADServicePrincipal cmdlet?
I am deploying Azure Function based application using Azure DevOps pipeline, as part of deployment the required infrastructure is also provisioned (using ARM templates). The Azure function needs to access Microsoft Graph & SharePoint REST API's, to achieve this following steps are taken:
- Azure function is created with system assigned identity (MSI).
- The MSI (identity) is passed to below PowerShell script for enabling access to Graph & SharePoint API.
$context = [Microsoft.Azure.Commands.Common.Authentication.Abstractions.AzureRmProfileProvider]::Instance.Profile.DefaultContext
$context.Tenant.Id.ToString(), $null, [Microsoft.Azure.Commands.Common.Authentication.ShowDialog]::Never, $null, "https://graph.microsoft.com").AccessToken
$aadToken = [Microsoft.Azure.Commands.Common.Authentication.AzureSession]::Instance.AuthenticationFactory.Authenticate($context.Account, $context.Environment, $context.Tenant.Id.ToString(), $null, [Microsoft.Azure.Commands.Common.Authentication.ShowDialog]::Never, $null, "https://graph.windows.net").AccessToken
Connect-AzureAD -AadAccessToken $aadToken -AccountId $context.Account.Id -TenantId $context.tenant.id
$azureFunctionServicePrincipal = Get-AzureADServicePrincipal -Filter "ObjectId eq '$PrincipalId'"
#Graph service principal
$GraphServicePrincipal = Get-AzureADServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
$GraphFilesReadWriteAllAppRole = $GraphServicePrincipal.AppRoles | Where-Object {$_.Value -in 'Files.ReadWrite.All' -and $_.AllowedMemberTypes -contains 'Application'}
New-AzureAdServiceAppRoleAssignment -ObjectId $EcaseServicePrincipal.ObjectId -PrincipalId $EcaseServicePrincipal.ObjectId -ResourceId $GraphServicePrincipal.ObjectId -Id $GraphFilesReadWriteAllAppRole.Id
$SharePointOnlineServicePrinciple = Get-AzureADServicePrincipal -SearchString “Office 365 SharePoint”
$SharePointOnlineSitesReadWriteAllAppRole = $SharePointOnlineServicePrinciple.AppRoles | Where-Object {$_.Value -in 'Sites.ReadWrite.All' -and $_.AllowedMemberTypes -contains 'Application'}
New-AzureAdServiceAppRoleAssignment -ObjectId $EcaseServicePrincipal.ObjectId -PrincipalId $EcaseServicePrincipal.ObjectId -ResourceId $SharePointOnlineServicePrinciple.ObjectId -Id $SharePointOnlineSitesReadWriteAllAppRole.Id
The PowerShell script while executing Get-AzureADServicePrincipal command fails due to insufficient privileges, this command is executing under the DevOps's ServiceConnection identity. The ServiceConnection is assigned with following additional privileges,
I am unable to figure out what other privileges are required for GetServicePrincipal to succeed, and, also for execution of New-AzureAdServiceAppRoleAssignment cmdlet.
[Update 31st Aug, 2020] Thanks to solution by AlleWu, the permission issue related GetServicePrincipal is resolved. However, the permission issue for the execution of NewServicePrincipalAppRoleAssignment persists in spite of below permission, am i missing some step. I have additionally made the ServiceConnection object as owner of the ResourceGroup, but this too failed.
NewServicePrincipalAppRoleAssignment execution error log:
2020-08-31T05:24:55.5613075Z ##[debug]+ New-AzureAdServiceAppRoleAssignment -ObjectId $EcaseServicePrincipal. ...
2020-08-31T05:24:55.5639370Z ##[debug]+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
2020-08-31T05:24:55.5721318Z ##[debug] + CategoryInfo : NotSpecified: (:) [New-AzureADServiceAppRoleAssignment], ApiException
2020-08-31T05:24:55.5744883Z ##[debug] + FullyQualifiedErrorId : Microsoft.Open.AzureAD16.Client.ApiException,Microsoft.Open.AzureAD16.PowerShell.NewServ icePrincipalAppRoleAssignment
2020-08-31T05:24:55.5765560Z ##[debug]
2020-08-31T05:24:55.5834409Z ##[debug]Script stack trace:
2020-08-31T05:24:55.5976760Z ##[debug]at <ScriptBlock>, D:\a\1\s\azure.pipelines\pwsh\provision_service_principle_for_sharepoint_graph.ps1: line 23
2020-08-31T05:24:55.6006045Z ##[debug]at <ScriptBlock>, <No file>: line 1
2020-08-31T05:24:55.6029248Z ##[debug]at <ScriptBlock>, D:\a\_tasks\AzurePowerShell_72a1931b-effb-4d2e-8fd8-f8472a07cb62\4.173.1\azurepowershell.ps1: line 229
2020-08-31T05:24:55.6188575Z ##[debug]at <ScriptBlock>, D:\a\_tasks\AzurePowerShell_72a1931b-effb-4d2e-8fd8-f8472a07cb62\4.173.1\azurepowershell.ps1: line 225
2020-08-31T05:24:55.6219503Z ##[debug]at <ScriptBlock>, <No file>: line 1
2020-08-31T05:24:55.6243577Z ##[debug]at <ScriptBlock>, <No file>: line 22
2020-08-31T05:24:55.6281986Z ##[debug]at <ScriptBlock>, <No file>: line 18
2020-08-31T05:24:55.6331521Z ##[debug]at <ScriptBlock>, <No file>: line 1
2020-08-31T05:24:55.6497107Z ##[debug]Exception:
2020-08-31T05:24:55.6577566Z ##[debug]Microsoft.Open.AzureAD16.Client.ApiException: Error occurred while executing NewServicePrincipalAppRoleAssignment
2020-08-31T05:24:55.6607345Z ##[debug]Code: Authorization_RequestDenied
2020-08-31T05:24:55.6683059Z ##[debug]Message: Insufficient privileges to complete the operation.
2020-08-31T05:24:55.6712669Z ##[debug]RequestId: 14e5694e-bfde-404f-a441-4543871b1e56
2020-08-31T05:24:55.6760142Z ##[debug]DateTimeStamp: Mon, 31 Aug 2020 05:24:53 GMT
2020-08-31T05:24:55.6794376Z ##[debug]HttpStatusCode: Forbidden
2020-08-31T05:24:55.6818439Z ##[debug]HttpStatusDescription: Forbidden
2020-08-31T05:24:55.6842869Z ##[debug]HttpResponseStatus: Completed
2020-08-31T05:24:55.6890342Z ##[debug]
2020-08-31T05:24:55.6915727Z ##[debug] at Microsoft.Open.AzureAD16.Client.Configuration.<>c.<.cctor>b__47_0(String methodName, IRestResponse response) in X:\bt\1137570\repo\src\dev\PowerShell.V2\AzureAD16.Client\Client\Configuration.cs:line 188
2020-08-31T05:24:55.6947059Z ##[debug] at Microsoft.Open.AzureAD16.Api.ServicePrincipalApi.NewServicePrincipalAppRoleAssignmentWithHttpInfo(String tenantId, String objectId, String authorization, String cmdletName, String clientRequestId, String apiVersion, AppRoleAssignment appRoleAssignment) in X:\bt\1137570\repo\src\dev\PowerShell.V2\AzureAD16.Client\Api\ServicePrincipalApi.cs:line 4006
2020-08-31T05:24:55.6977721Z ##[debug] at Microsoft.Open.AzureAD16.PowerShell.NewServicePrincipalAppRoleAssignment.ProcessRecord() in X:\bt\1137570\repo\src\dev\PowerShell.V2\AzureAD16.PowerShell\AzureAD16.PowerShell.AutoGen\API\ServicePrincipalApi.cs:line 2019
2020-08-31T05:24:55.7008421Z ##[debug] at System.Management.Automation.CommandProcessor.ProcessRecord()
2020-08-31T05:24:55.7366976Z ##[error]Error occurred while executing NewServicePrincipalAppRoleAssignment
Code: Authorization_RequestDenied
Message: Insufficient privileges to complete the operation.
RequestId: 14e5694e-bfde-404f-a441-4543871b1e56
DateTimeStamp: Mon, 31 Aug 2020 05:24:53 GMT
HttpStatusCode: Forbidden
HttpStatusDescription: Forbidden
Update 1st Set, 2020: The alternate solution suggested above worked, below i have updated the script used to provision required permissions,
$context = [Microsoft.Azure.Commands.Common.Authentication.Abstractions.AzureRmProfileProvider]::Instance.Profile.DefaultContext
$graphToken = [Microsoft.Azure.Commands.Common.Authentication.AzureSession]::Instance.AuthenticationFactory.Authenticate($context.Account, $context.Environment, $context.Tenant.Id.ToString(), $null, [Microsoft.Azure.Commands.Common.Authentication.ShowDialog]::Never, $null, "https://graph.microsoft.com").AccessToken
$aadToken = [Microsoft.Azure.Commands.Common.Authentication.AzureSession]::Instance.AuthenticationFactory.Authenticate($context.Account, $context.Environment, $context.Tenant.Id.ToString(), $null, [Microsoft.Azure.Commands.Common.Authentication.ShowDialog]::Never, $null, "https://graph.windows.net").AccessToken
Connect-AzureAD -AadAccessToken $aadToken -AccountId $context.Account.Id -TenantId $context.tenant.id
$webAppServicePrincipal = Get-AzureADServicePrincipal -Filter "ObjectId eq '$PrincipalId'" #$PrincipalId is the ObjectId of the webApp instance
$GraphServicePrincipal = Get-AzureADServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
$GraphFilesReadWriteAllAppRole = $GraphServicePrincipal.AppRoles | Where-Object {$_.Value -in 'Files.ReadWrite.All' -and $_.AllowedMemberTypes -contains 'Application'}
#It appears that the Azure DevOps's service connection need to have Global Administrator permissions to successfully execute the below statement; which is not recommended, hence, this is implemented calling Graph API
#New-AzureAdServiceAppRoleAssignment -ObjectId $EcaseServicePrincipal.ObjectId -PrincipalId $EcaseServicePrincipal.ObjectId -ResourceId $GraphServicePrincipal.ObjectId -Id $GraphFilesReadWriteAllAppRole.Id
$resourceId = $GraphServicePrincipal.ObjectId
$body = @{
"principalId"= $webAppServicePrincipal.ObjectId
"resourceId"= $resourceId
"appRoleId"= $GraphFilesReadWriteAllAppRole.Id
}
$apiUrl = "https://graph.microsoft.com/v1.0/servicePrincipals/$resourceId/appRoleAssignedTo"
Invoke-RestMethod -Uri $apiUrl -Headers @{Authorization = "Bearer $($graphToken)" } -Method POST -Body $($body | convertto-json) -ContentType "application/json"
Solution
The Get-AzureADServicePrincipal command is calling Azure AD Graph rather than Microsoft Graph.
GET https://graph.windows.net/{tenant id}/servicePrincipals?api-version=1.6 HTTP/1.1
So you should give the Azure AD Graph permission:
UPDATE:
Found something interesting:
Although I assigned all the AAD Graph application permissions to the service principal, it still shows "Insufficient privileges to complete the operation".
So I use another method: assign Global Administrator role to this service principal. But it has a delay about 10-15 minutes. Then the service principal can execute New-AzureAdServiceAppRoleAssignment successfully.
I also test with Application Administrator role but it doesn't work. I think AAD Graph has some changes and won't be maintained. So it's unrecommended to use it.
As a workaround, you can call Microsoft Graph API: Grant an appRoleAssignment for a service principal in your Powershell script.
- How to get project iterations through the Azure API
- Download and publish artifact only if exist in azure pipeline
- Azure DevOps yaml pipeline: configure Azure Artifacts "package" resource
- Unable to locate executable file: 'bash'. Please verify either the file path exists
- Unable to Authenticate to DevOps API with Angual MSAL
- GitVersion doesn't cause error in Azure Devops Pipeline
- Azure Pipelines Trying to Find Correct Environment Value repository checkout
- How to login via Service Principal having Federated Credentials rather than Client Secrets
- Can I have two Libraries within one Azure Repo and install them using requirements.txt
- Writing a secret from AzureKeyVault in a Azure DevOps Pipeline to a file with powershell
- Azure ML: Unable to find workspace
- The app build failed to produce artifact folder Angular Azure Static Web App Deployment Issue
- How do I get MSSQL service container working in Azure DevOps pipeline?
- How to manually publish a file to Azure Artifacts?
- "Build after the previous execution has succeeded" in Azure Devops
- Azure Pipelines, Using Bash Output Variables in conditions on jobs is not working correctly
- Azure Devops - Clean Destination Directory Before Deployment
- How to exclude code coverage for Program.cs and all files under specific folder in Azure DevOps pipeline
- Azure devops pipeline - Specific verion for Sqlpackage
- Create KeyVault backed SecretScope for Databricks
- Need to send azure devops widget dashboard in MS teams
- Adding paramters to VSTS Task Group
- how to open the azure devops signin screen from powershell?
- Updating yaml pipeline variables
- Solution is still in Azure DevOps which is not in repo
- Helm plugin install from Azure devops repo url
- Terraform code not creating multiple rules in Azure Storage lifecycle
- Azure global admin cannot(disabled) add roles under "Access Control(IAM)"
- NPM broken TypeError: Cannot read property 'loaded' of undefined
- Are pipeline variables available in PowerShell task in Azure DevOps?