I have 2 Azure subscriptions. Subscription_1 is used to create a VNET/SUBNET. Subscription_2 is used to create a VM inside that VNET.
To do the deployment, I am creating 2 service principals. SPN_1 will deploy the VNET/SUBNET. SPN_2 will deploy the VM.
az ad sp create-for-rbac --name SP_1 --role contributor --scopes /subscriptions/mySubscriptionID_of_Subscription_1
az ad sp create-for-rbac --name SP_2 --role contributor --scopes /subscriptions/mySubscriptionID_of_Subscription_2
However, for SPN_2 to deploy the VM, I need SP_2 to have the "Network Contributor" RBAC role on Subscription_1.
I looked at the documentation, and it is very poor and does not give examples of update: https://learn.microsoft.com/en-us/cli/azure/ad/sp?view=azure-cli-latest#az-ad-sp-update
How can I update SP_1 to do so? What are the CLI commands to achieve this?
You don't need to create multiple service principals:
- az ad sp create-for-rbac
- az role assignment create
Here is a PowerShell example:
# Create service principal
$spCredentials = az ad sp create-for-rbac --name SP_1 | ConvertFrom-Json
# Get SP details
$spDetails = az ad sp show --id $spCredentials.appId | ConvertFrom-Json
# Create contributor role assignment for subscription1
az role assignment create --assignee-principal-type ServicePrincipal --assignee-object-id $spDetails.id --role "contributor" --scope /subscriptions/mySubscriptionID_of_Subscription_1
# Create network contributor role assignment for subscription1
az role assignment create --assignee-principal-type ServicePrincipal --assignee-object-id $spDetails.id --role "network contributor" --scope /subscriptions/mySubscriptionID_of_Subscription_1
# Create contributor role assignment for subscription2
az role assignment create --assignee-principal-type ServicePrincipal --assignee-object-id $spDetails.id --role "contributor" --scope /subscriptions/mySubscriptionID_of_Subscription_2
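The same single-principal approach as a Bash script, added here as an example and not part of the answer above. It keeps the answer's roles (Network Contributor in Subscription_1, Contributor in Subscription_2) but narrows the scopes to the subnet the VM joins and to the VM's resource group, since the VM deployment only needs Microsoft.Network/virtualNetworks/subnets/join/action on that subnet rather than rights over the whole subscription. The subscription IDs, resource-group, VNet and subnet names are placeholders, and the script assumes a recent Azure CLI where `az ad sp create-for-rbac` without `--role` creates no role assignment; with `DRY_RUN=1` (the default) it only prints the `az` commands it would run, so it can be reviewed before being executed against real subscriptions.

```shell
#!/usr/bin/env sh
# Added example: one service principal, least-privilege cross-subscription RBAC.
# All IDs and names below are placeholders (assumptions), not values from the original post.
set -eu

SUB1_ID="${SUB1_ID:-00000000-0000-0000-0000-000000000001}"   # placeholder: subscription that owns the VNet
SUB2_ID="${SUB2_ID:-00000000-0000-0000-0000-000000000002}"   # placeholder: subscription that owns the VM
NET_RG="${NET_RG:-rg-network}"                                # placeholder resource group of the VNet
VNET="${VNET:-vnet-hub}"                                      # placeholder VNet name
SUBNET="${SUBNET:-snet-vm}"                                   # placeholder subnet the VM joins
VM_RG="${VM_RG:-rg-vm}"                                       # placeholder resource group for the VM
SP_NAME="${SP_NAME:-SP_deploy}"
DRY_RUN="${DRY_RUN:-1}"                                       # 1 = print commands only

# ARM resource-ID scopes. A role assignment applies to the scope and everything below it,
# so the narrower the scope, the less the principal can touch if its credential leaks.
sub_scope()    { printf '/subscriptions/%s' "$1"; }
rg_scope()     { printf '/subscriptions/%s/resourceGroups/%s' "$1" "$2"; }
subnet_scope() {
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Network/virtualNetworks/%s/subnets/%s' \
    "$1" "$2" "$3" "$4"
}

# Compose (but do not run) the az command for one role assignment; returned as a string
# so it can be inspected in dry-run mode or asserted on in a test.
assign_cmd() {  # $1 = principal object id, $2 = role name, $3 = scope
  printf 'az role assignment create --assignee-object-id %s --assignee-principal-type ServicePrincipal --role "%s" --scope %s' \
    "$1" "$2" "$3"
}

# Execute a command string, or echo it when DRY_RUN=1.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    echo "[dry-run] $1"
  else
    eval "$1"
  fi
}

main() {
  if [ "$DRY_RUN" = "1" ]; then
    SP_OBJECT_ID="<sp-object-id>"   # placeholder; real id is looked up below when not dry-running
  else
    # Create the principal with no role assignment (assumes a recent az CLI where --role is optional),
    # then resolve its object id, which is what --assignee-object-id expects.
    APP_ID="$(az ad sp create-for-rbac --name "$SP_NAME" --query appId -o tsv)"
    SP_OBJECT_ID="$(az ad sp show --id "$APP_ID" --query id -o tsv)"
  fi

  # Subscription_1: only the subnet the VM joins, not the whole subscription.
  run "$(assign_cmd "$SP_OBJECT_ID" "Network Contributor" "$(subnet_scope "$SUB1_ID" "$NET_RG" "$VNET" "$SUBNET")")"
  # Subscription_2: only the resource group the VM is deployed into.
  run "$(assign_cmd "$SP_OBJECT_ID" "Contributor" "$(rg_scope "$SUB2_ID" "$VM_RG")")"

  # Verify what the principal actually holds in each subscription after the assignments.
  run "az role assignment list --assignee $SP_OBJECT_ID --scope $(sub_scope "$SUB1_ID") -o table"
  run "az role assignment list --assignee $SP_OBJECT_ID --scope $(sub_scope "$SUB2_ID") -o table"
}

main "$@"
```

Run it once with the default `DRY_RUN=1` to see the exact commands and scopes, then `DRY_RUN=0 SUB1_ID=... SUB2_ID=... ./deploy-sp.sh` against real subscriptions. The closing `az role assignment list` calls are the check worth keeping in any automation: they show the assignments the principal ended up with at each subscription, which is where an accidental subscription-wide Contributor grant would show up.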