Log in using Service Principal for assigning app roles to users
I'm working on a script for adding app roles for given users. I can do so using the following HTTP call (Graph API):
curl --silent -X POST -H 'Content-Type: application/json' \
-H "Authorization: Bearer ${TOKEN}" \
-d "{\"appRoleId\":\"${AIRLOCK_MANAGER_ROLE_ID}\",\"principalId\":\"${AIRLOCK_MANAGER_USER}\",\"resourceId\":\"${WORKSPACE_APP_REG}\"}" \
https://graph.microsoft.com/v1.0/servicePrincipals/${WORKSPACE_APP_REG}/appRoleAssignments
I acquire the token using my personal user with the Tenant. That's the user I use daily for regular work, and everything goes fine. It means I make the call and the app role is assigned to given user. For the moment the token is acquired, my user has Privileged Role Administrator enabled.
For login I use az login, and for acquiring the token I use az account get-access-token --resource-type ms-graph.
In production I want to use a service principal. Actually, this service principal belongs to the app registration to whom the target app role belongs to. I have created a secret, and acquired a token using:
az login --service-principal --allow-no-subscriptions --tenant "${TENANT_ID}" --username "${CLIENT_ID}" --password "${CLIENT_SECRET}"
Using this I can make the following call, for getting roles assigned to the target user:
https://graph.microsoft.com/v1.0/users/${AIRLOCK_MANAGER_USER}/appRoleAssignments
However, when trying to assign an app role using the same POST call shown above, I receive the following error message:
It's quite clear that the service principal doesn't have enough privileges. For solving this, I tried the following API permissions assginment:
Permissions Application.Read.All and AppRoleAssignment.ReadWrite.All are assigned according to this link. I have also tried Application type (with Admin consent granted) and received the same error message. After each change in permissions, I waited around 20 minutes.
Do you know which other permissions are supposed to be assigned?
EDIT 1
The problems were:
- Token was acquired before permissions
Application.Read.AllandAppRoleAssignment.ReadWrite.Allwere assigned. - Permissions
Application.Read.AllandAppRoleAssignment.ReadWrite.Allmust be ofApplicationtype.
The new token includes the required roles assigned:
The error occurred as you are using permissions of
Delegatedtype while signing in as a service principal.
Initially, I too got same error when I ran the below script by signing as service principal with Delegated permissions:
az login --service-principal --allow-no-subscriptions --tenant "${TENANT_ID}" --username "${CLIENT_ID}" --password "${CLIENT_SECRET}"
TOKEN=$(az account get-access-token --resource-type ms-graph --query 'accessToken' --output tsv)
curl --silent -X POST -H 'Content-Type: application/json' \
-H "Authorization: Bearer ${TOKEN}" \
-d "{\"appRoleId\":\"${AIRLOCK_MANAGER_ROLE_ID}\",\"principalId\":\"${AIRLOCK_MANAGER_USER}\",\"resourceId\":\"${WORKSPACE_APP_REG}\"}" \
https://graph.microsoft.com/v1.0/servicePrincipals/${WORKSPACE_APP_REG}/appRoleAssignments
Response:
To resolve the error, make sure to grant permissions of Application type while signing in as service principal and acquire the token again.
If the error still persists, try assigning Application Administrator role to the service principal like this:
Now, I generated token again by running below script and got the response successfully like this:
az login --service-principal --allow-no-subscriptions --tenant "${TENANT_ID}" --username "${CLIENT_ID}" --password "${CLIENT_SECRET}"
TOKEN=$(az account get-access-token --resource-type ms-graph --query 'accessToken' --output tsv)
curl --silent -X POST -H 'Content-Type: application/json' \
-H "Authorization: Bearer ${TOKEN}" \
-d "{\"appRoleId\":\"${AIRLOCK_MANAGER_ROLE_ID}\",\"principalId\":\"${AIRLOCK_MANAGER_USER}\",\"resourceId\":\"${WORKSPACE_APP_REG}\"}" \
https://graph.microsoft.com/v1.0/servicePrincipals/${WORKSPACE_APP_REG}/appRoleAssignments
Response:
- Azure C# Cosmos DB: Property "id" is missing when it's actually present
- Azure Permission - needed for creating resource group - RBAC
- Unable to locate executable file: 'bash'. Please verify either the file path exists
- Can the Azure Service Bus be delayed before retrying a message?
- azure documentdb create document duplicates Id property
- JWT validation failure error in azure apim
- Azure App Service and Application Insights where is performance test?
- Is it possible to have a non-interactive code that logs in to Azure and creates users in Microsoft Entra ID?
- Change Default Service Version of Microsoft Azure Blob - PHP
- Microsoft Graph: How to filter users by domain name
- Azure App Service Plan CPU Spikes to 100%
- Unable to Authenticate to DevOps API with Angual MSAL
- Azure Databricks: Not able to parameterize keys option of dlt.apply_changes
- ASP.NET Core 3.1 Azure AD Authentication throws OptionsValidationException
- Attaching a private static ip address to Azure Container Instance
- Azure Synapse severless SQL pool - query execution fails
- How to login via Service Principal having Federated Credentials rather than Client Secrets
- Where can I find the resource id of an Azure function app in the Azure portal?
- How to forward access-control-allow-origin header from a Web App to a Front Door?
- Basic SQL commands in Terraform
- Linux Azure Webjob in nodejs referring to node.exe
- Running Azure functions locally gives "No runtime" error after .NET7 upgrade
- Azure DataSync tables not showing up
- Azure ML: Unable to find workspace
- unable to start 'Docker for windows' on Azure Win 10 VM
- How to enable virtualization in Azure VM
- Configuring AppSettings with ASP.Net Core on Azure Web App for Containers: Whither Colons?
- how to get v2 type token using msal python
- The mock in my pester test keeps calling Connect-AzAccount
- HttpResponseError in Azure Ai search