azurepowershellentra
Azure App Registration - Read Subscriptions/resources/entra GAs
I assume this is a role I am missing..
I created an app registration that has certificate based authentication. When I authenticate I want to be able to pull all subscriptions because I plan on looping through them and finding all VMs in each subscription/resource group.
I also want to pull down the global admins in the entra tenant from this certificate.
Permissions I am assigning my app registration
$app = Get-AzADApplication -ApplicationId $sp.AppId
$appObjectId = $app.Id
# GraphAPI - Directory.Read.All
# Add-AzADAppPermission -ObjectId $appObjectId -ApiId "00000003-0000-0000-c000-000000000000" -PermissionId "4e9b66a2-74a1-4d86-a0cb-1a01e40e7d77"
# # Add-AzADAppPermission -ObjectId "55fad647-6f5d-489f-b85e-00f96406ee9b" -ApiId "00000003-0000-0000-c000-000000000000" -PermissionId "5f8c59db-677d-491f-a6b8-5f174b11ec1d"
# Add Microsoft Graph Directory.Read.All permission
Add-AzADAppPermission -ObjectId $appObjectId -ApiId "00000003-0000-0000-c000-000000000000" -PermissionId "aef1f2db-fc2a-4d63-bcf5-e9a7a7802c9b"
# Add Microsoft Graph Directory.Read.All permission
Add-AzADAppPermission -ObjectId $appObjectId -ApiId "00000003-0000-0000-c000-000000000000" -PermissionId "df021288-bdef-4463-88db-98f22de89214"
# Azure Service Management - Reader
Add-AzADAppPermission -ObjectId $appObjectId -ApiId "00000002-0000-0000-c000-000000000000" -PermissionId "b7d27f52-6659-42b8-8164-4a0e63a2c156"
Creating app registration:
$cert = New-SelfSignedCertificate -CertStoreLocation "cert:\CurrentUser\My" -Subject $applicationName -KeySpec KeyExchange -NotAfter (Get-Date).AddYears(1)
$keyValue = [System.Convert]::ToBase64String($cert.GetRawCertData())
# Assign Certificate to App in Entra
$sp = New-AzADServicePrincipal -DisplayName $applicationName -CertValue $keyValue -EndDate $cert.NotAfter -StartDate $cert.NotBefore
Start-Sleep -Seconds 3
# Export the certificate to a PFX file
$cert | Export-PfxCertificate -FilePath $certFilePath -Password (ConvertTo-SecureString -String $certPassword -Force -AsPlainText)
Solution
Initially, I created one certificate same as you and uploaded it to app registration as below:
To add Directory.Read.All permission of Application type and Reader role to service principal at root level, make use of below updated script:
$applicationName = "SriCertApp"
$spId = (Get-AzADServicePrincipal -DisplayName $applicationName).Id
# Assign Reader role to the Service Principal under specific subscription
New-AzRoleAssignment -ObjectId $spId `
-RoleDefinitionName "Reader" `
-Scope "/"
Write-Host "Reader role assigned to Service Principal."
# Get the Azure AD Application by AppId
$app = Get-AzADApplication -ApplicationId $sp.AppId
$appObjectId = $app.Id
# Add Microsoft Graph Directory.Read.All permission of Application type
Add-AzADAppPermission -ObjectId $appObjectId `
-ApiId "00000003-0000-0000-c000-000000000000" `
-PermissionId "7ab1d382-f21e-4acd-a863-ba3e13f7da61" `
-Type Role
Write-Host "Microsoft Graph Directory.Read.All permission granted."
Response:
To confirm that, you can check the same in Azure Portal where role and permission assigned successfully like this:
Reader role:
Directory.Read.All permission
Make sure to grant admin consent to above permission that allows service principal to read directory data:
Now, make use of below script to fetch all VMs across all subscriptions connecting with certificate authentication:
$appId = "appId"
$tenantId = "tenantId"
$thumbprint = "cert_thumbprint"
Connect-AzAccount -ApplicationId $appId -Tenant $tenantId -CertificateThumbprint $thumbprint
$subscriptions = Get-AzSubscription
$allVms = @()
foreach ($subscription in $subscriptions) {
Set-AzContext -SubscriptionId $subscription.Id
$vms = Get-AzVM
foreach ($vm in $vms) {
$vmDetails = [PSCustomObject]@{
VMName = $vm.Name
SubscriptionName = $subscription.Name
ResourceGroupName = $vm.ResourceGroupName
}
$allVms += $vmDetails
}
}
$allVms | Format-Table -AutoSize
$allVms | Export-Csv -Path "C:\test\vms.csv" -NoTypeInformation
Response:
To pull down the global admins in the Microsoft Entra tenant with certificate authentication, make use of below Microsoft Graph script:
$appId = "appId"
$tenantId = "tenantId"
$thumbprint = "thumbprint"
$roleName = "Global Administrator"
Connect-MgGraph -ClientId $appId -TenantId $tenantId -CertificateThumbprint $thumbprint
$adminRole = Get-MgDirectoryRole -Filter "DisplayName eq '$roleName'"
if ($adminRole) {
$roleMembers = Get-MgDirectoryRoleMember -DirectoryRoleId $adminRole.Id
if ($roleMembers) {
$roleMembers | ForEach-Object {
[PSCustomObject]@{
DisplayName = $_.AdditionalProperties["displayName"]
Id = $_.Id
}
} | Format-Table DisplayName, Id
} else {
Write-Host "No members found for the role: $roleName"
}
} else {
Write-Host "Role '$roleName' not found"
}
Response:
- How can I define compile time constants in bicep configuration language?
- Outlook calendar don't render with FullCalendar
- Azure functions decoding error for IotHub device connection state message schema
- How do I set scope in Azure API Manager (APIM) when using D_application_id
- How to mount multiple disks in a loop using ansible
- How can I get sub value in nested json via KQL?
- Azure .NET SDK: Scale Azure SQL databases through SDK
- How can I invoke Azure Trusted Signing from a Linux OS?
- How to transfer "Set Variable" activity output into Json file using "Copy Data" activity or any other options?
- Verify Microsoft Access token on my ASP.NET Core Web API
- I'm trying to install the package from a private Azure DevOps repository using the pip install command, but I'm encountering an error
- Unable to define the sites for an App Registration for SahrePoint with Site.Selected
- Check if the resource exists before using data
- Not able to see azure 'LifecyclePolicyCompleted event' log
- Direct Web Push gives Error when used from Notification Hub
- Azure Remove User Consent to API
- Flutter-Azure Deviops pipelineThe discrepancy between the number of tests reported as passed or failed in the pipeline output and the test report
- App_location on deployment of a static webapp
- MSINotEnabled - Can't use KeyVault Reference in Azure Function
- Reading values from a key value based file and passing these values to azure devops template
- Deleting an Azure Loadbalancer Frontend IP configuration from python?
- How to retrieve the front door id from a Microsoft CDN (classic)
- What is HEAD operation in CosmosDB reported in Azure Monitoring
- Deploying a Python App to Azure App Service with Github Actions
- How to Query User Access Logs for Azure Front Door
- How can I add email recipients to a Graph API request programmatically?
- How to create Azure Devops Service Connection Docker Registry Type Other
- Problem with CORS policy in React front end with FastAPI on the back trying to use Microsoft Single Sign-on
- Azure Document Intelligence Custom Classification Python API
- Azure Function App unaccounted for time in Application Insights Timeline