How to Test IAM Roles for an App Registration
I'm troubleshooting an issue where an app registration is unable to query the subscriptions within an Azure tenant, despite a role assignment granting it access at the tenant root group level. Wondering if there's a straightforward method to run the relevant command, either through CLI or the web interface, to validate this behavior.
Specific test command is: az account management-group list
But I don't see any way to invoke that as a particular user or app, and I already know my own user account has the right permissions, and can run that command. Any suggestions would be appreciated.
Initially, fetch your service principal's ObjectID that can be found in Enterprise Applications like this:
To check the IAM roles assigned for that app registration, you can make use of below CLI Command by passing above ObjectID like this:
principalId="SPObjectID"
az role assignment list --all --query "[?principalId=='$principalId'].{RoleName:roleDefinitionName,Scope:scope, PrincipalID:principalId, PrincipalName:'$(az ad sp show --id $principalId --query displayName -o tsv)'}" --output table
Response:
As @KonTheCat suggested, you can login as service principal and connect to Azure by running below CLI command:
az login --service-principal -u "appID" -p "client_secret" --tenant "tenant.onmicrosoft.com"
Response:
When I ran below CLI command now, I got the response with list of subscriptions successfully like this:
az account subscription list
Response:
- How and where to define an environment variable on Azure
- Azure Data Factory - Unable to preview data
- Azure yaml trigger pipeline every 14 days on a Saturday
- Diagnostic setting not included in Azure Portal ARM template export
- How do I read the original pdf file in set indexer datasource in a custom WebApiSkill after enabling "Allow Skillset to read file data"
- How do I store vectors generated by AzureOpenAIEmbeddingSkill in indexer given my current setup
- Authenticating using the Azure CLI is only supported as a User (not a Service Principal)
- Azure Function App - frequent hang and deadlocks
- Sign Tool for Azure Trusted Service Account Error information: "Error: SignerSign() failed." (-2147467259/0x80004005)
- How to convert the premium file share to premium block blob storage account or standard general purpose v2 storage account?
- How to generate an azure blob url with SAS signature in nodejs sdk v12?
- How to Assign Role to New User with Graph API
- Directory disappears from azure cloud shell (home)
- Application Insights Logging Exceptions as Trace
- Issue with Azure key vault and Azure storage account deployment
- AddDataProtection().PersistKeysToAzureBlobStorage().ProtectKeysWithAzureKeyVault() getting httpVerb Error while accessing the blob storage
- temporary_name_for_rotation must be specified when changing any of the following properties: pod_subnet_id
- Native Node.js Metrics in Application Insights
- Azure Key Vault Disabled public access, how to access it through the portal via internet
- Using Google.Cloud.BigQuery.V2 API in Azure Functions
- Azure Functions no job found (python)
- Azure Machine Learning - Online Endpoint Schedule/Cost management
- Is it possible to read File from same folder where Azure function exists
- Make WAF policy to only allow Azure Load Testing or Azure Services
- port 7071 is unavailable. Close the process using that port, or specify another port using --port [-p]
- Azure - RBAC to Management Group
- Why is AVD remove client's maximize to current display option grayed out?
- Azure get EID List with API
- Synchronise Azure files to blob store
- trigger logic app from Azure Service bus in sequance