I'm working on a script for adding app roles for given users. I can do so using the following HTTP call (Graph API):
curl --silent -X POST -H 'Content-Type: application/json' \
-H "Authorization: Bearer ${TOKEN}" \
-d "{\"appRoleId\":\"${AIRLOCK_MANAGER_ROLE_ID}\",\"principalId\":\"${AIRLOCK_MANAGER_USER}\",\"resourceId\":\"${WORKSPACE_APP_REG}\"}" \
https://graph.microsoft.com/v1.0/servicePrincipals/${WORKSPACE_APP_REG}/appRoleAssignments
I acquire the token using my personal user with the tenant. That's the user I use daily for regular work, and everything goes fine: I make the call and the app role is assigned to the given user. At the moment the token is acquired, my user has Privileged Role Administrator enabled.
For login I use az login, and for acquiring the token I use az account get-access-token --resource-type ms-graph.
In production I want to use a service principal. This service principal belongs to the app registration that the target app role belongs to. I have created a secret and acquired a token using:
az login --service-principal --allow-no-subscriptions --tenant "${TENANT_ID}" --username "${CLIENT_ID}" --password "${CLIENT_SECRET}"
Using this I can make the following call to get the roles assigned to the target user:
https://graph.microsoft.com/v1.0/users/${AIRLOCK_MANAGER_USER}/appRoleAssignments
However, when trying to assign an app role using the same POST call shown above, I receive the following error message:
It's quite clear that the service principal doesn't have enough privileges. To solve this, I tried the following API permission assignment:
Permissions Application.Read.All and AppRoleAssignment.ReadWrite.All are assigned according to this link. I have also tried Application type (with admin consent granted) and received the same error message. After each change in permissions, I waited around 20 minutes.
Do you know which other permissions are supposed to be assigned?
EDIT 1
The problem was: Application.Read.All and AppRoleAssignment.ReadWrite.All were assigned, but they must be of Application type. The new token includes the required roles assigned:
The error occurred because you are using permissions of Delegated type while signing in as a service principal.
Initially, I too got the same error when I ran the script below, signing in as a service principal with Delegated permissions:
az login --service-principal --allow-no-subscriptions --tenant "${TENANT_ID}" --username "${CLIENT_ID}" --password "${CLIENT_SECRET}"
TOKEN=$(az account get-access-token --resource-type ms-graph --query 'accessToken' --output tsv)
curl --silent -X POST -H 'Content-Type: application/json' \
-H "Authorization: Bearer ${TOKEN}" \
-d "{\"appRoleId\":\"${AIRLOCK_MANAGER_ROLE_ID}\",\"principalId\":\"${AIRLOCK_MANAGER_USER}\",\"resourceId\":\"${WORKSPACE_APP_REG}\"}" \
https://graph.microsoft.com/v1.0/servicePrincipals/${WORKSPACE_APP_REG}/appRoleAssignments
Response:
To resolve the error, make sure to grant permissions of Application type when signing in as a service principal, and acquire the token again.
If the error still persists, try assigning the Application Administrator role to the service principal like this:
Now I generated the token again by running the script below and got a successful response:
az login --service-principal --allow-no-subscriptions --tenant "${TENANT_ID}" --username "${CLIENT_ID}" --password "${CLIENT_SECRET}"
TOKEN=$(az account get-access-token --resource-type ms-graph --query 'accessToken' --output tsv)
curl --silent -X POST -H 'Content-Type: application/json' \
-H "Authorization: Bearer ${TOKEN}" \
-d "{\"appRoleId\":\"${AIRLOCK_MANAGER_ROLE_ID}\",\"principalId\":\"${AIRLOCK_MANAGER_USER}\",\"resourceId\":\"${WORKSPACE_APP_REG}\"}" \
https://graph.microsoft.com/v1.0/servicePrincipals/${WORKSPACE_APP_REG}/appRoleAssignments
Response:
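The answer turns on which claim the Graph token carries: a client-credential (service principal) token lists its Application permissions in the roles claim, while a user sign-in token lists Delegated permissions in the scp claim, so Delegated permissions configured on the app never appear in the service principal's token. The following script, added here as an illustration and not code from the question or the answer, decodes a token's payload and reports whether a service principal holding it can call POST /servicePrincipals/{id}/appRoleAssignments. The three tokens it checks are constructed claim sets with a dummy signature (real tokens are signed), the client id in them is a placeholder, and the function names are this example's own.

```python
"""Inspect a Microsoft Graph access token before calling appRoleAssignments.

Application permissions of a service principal arrive in the `roles` claim;
delegated permissions of a signed-in user arrive in the `scp` claim.  Graph
refuses the POST from a service principal unless `roles` carries
AppRoleAssignment.ReadWrite.All, so reading the claims locally explains a
403 without re-running curl.  Nothing here verifies the signature.
"""
import base64
import json

GRAPH_AUDIENCES = {"https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000"}
REQUIRED_APP_ROLES = {"AppRoleAssignment.ReadWrite.All"}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_payload(token: str) -> dict:
    """Return the claims of a compact JWT (header.payload.signature)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def check_graph_token(token: str, required_roles=REQUIRED_APP_ROLES) -> dict:
    """Classify the token and say whether a service principal can use it
    to create app role assignments.  `ok` is only meaningful for a service
    principal token; a delegated token is judged by the user's directory role."""
    claims = decode_jwt_payload(token)
    roles = set(claims.get("roles", []))          # Application permissions
    scopes = set(claims.get("scp", "").split())   # Delegated permissions
    kind = "delegated" if scopes else "application"
    missing = sorted(set(required_roles) - roles)
    result = {
        "kind": kind,
        "audience_ok": claims.get("aud") in GRAPH_AUDIENCES,
        "roles": sorted(roles),
        "scopes": sorted(scopes),
        "missing_roles": missing,
    }
    result["ok"] = result["audience_ok"] and kind == "application" and not missing
    return result


def explain(result: dict) -> str:
    """Human-readable verdict for the result of check_graph_token()."""
    if result["ok"]:
        return "service principal token carries the required application permissions"
    if not result["audience_ok"]:
        return "token was not issued for Microsoft Graph (check --resource-type ms-graph)"
    if result["kind"] == "delegated":
        return "delegated (scp) token from a user sign-in; success depends on that user's directory role"
    return ("service principal token lacks application permissions: "
            + ", ".join(result["missing_roles"])
            + " (grant them as Application type with admin consent, then get a new token)")


def make_unsigned_token(claims: dict) -> str:
    """Constructed test token with a dummy signature; real tokens are signed."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return enc({"alg": "none", "typ": "JWT"}) + "." + enc(claims) + ".sig"


PLACEHOLDER_CLIENT_ID = "00000000-0000-0000-0000-000000000001"  # not a real app

# Constructed claim sets modelled on the situations described on this page.
SP_TOKEN_DELEGATED_ONLY = make_unsigned_token({
    # Only Delegated permissions were configured, so the client-credential
    # token has no roles claim at all.
    "aud": "https://graph.microsoft.com", "appid": PLACEHOLDER_CLIENT_ID,
})
SP_TOKEN_WITH_APP_ROLES = make_unsigned_token({
    "aud": "https://graph.microsoft.com", "appid": PLACEHOLDER_CLIENT_ID,
    "roles": ["Application.Read.All", "AppRoleAssignment.ReadWrite.All"],
})
USER_TOKEN = make_unsigned_token({
    "aud": "https://graph.microsoft.com", "upn": "someone@example.com",
    "scp": "Application.Read.All AppRoleAssignment.ReadWrite.All",
})


def assignment_body(app_role_id: str, principal_id: str, resource_id: str) -> str:
    """JSON body for the POST, built with json.dumps instead of hand-escaped shell quotes."""
    return json.dumps({"appRoleId": app_role_id, "principalId": principal_id,
                       "resourceId": resource_id})


if __name__ == "__main__":
    for name, tok in [("delegated-only SP", SP_TOKEN_DELEGATED_ONLY),
                      ("SP with app roles", SP_TOKEN_WITH_APP_ROLES),
                      ("user sign-in", USER_TOKEN)]:
        print(f"{name}: {explain(check_graph_token(tok))}")
```

To use it on a real token, pass the output of az account get-access-token --resource-type ms-graph --query accessToken -o tsv to check_graph_token(); a service principal token that still reports missing_roles after the permission change means consent or token caching has not caught up, and a fresh az login is needed before the new roles claim appears.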